>> But, in general, that information is essential to identifying spoofed header
>> fields: it's by tracing the chain of "from" addresses in Received header
>> fields that one can determine that someone is attempting to do something
>> fraudulent.
>
> Can you cite a real-world example of a case where you did something like this
> recently, and explain how you were able to do what you claim, above, is
> possible using just the header fields in the message?
Spam filters have been doing Received chain analysis for about 20 years. The
principle is straightforward: the source in each header should match the
recipient in the header below it, and timestamps should be in the right order.
There are also heuristics based on knowing what real headers from popular mail
systems should look like.

The scripts I use to send off spam complaints do header analysis to figure out
who to complain to, and not to complain to addresses in fake headers, so I'd
say I do this about 100 times a day, every day, in addition to spamassassin
doing it on every incoming message that it filters. If you want to look at
some code, spamassassin is at http://spamassassin.apache.org/.

R's,
John

_______________________________________________
Shutup mailing list
https://www.ietf.org/mailman/listinfo/shutup
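The chain check described in the reply above, as an added example that is not code from the original post, from SpamAssassin, or from the author's complaint scripts. It walks the Received headers from the top (the stamp our own MX added, the newest hop) downward, and stops at the first header whose "by" host does not match the "from" host of the header above it, or whose timestamp is later than the hop above it. Everything below that point was written by the sender, not by a server we have reason to trust, so the IP to complain about is the one recorded in the last consistent header. The message, hostnames and addresses are constructed for the example (documentation ranges), and the hop-count and origin-IP bookkeeping is this example's own design, not a standard.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). The top three Received
# headers are the genuine ones stamped on the receiving side; the bottom one
# was supplied by the sender to make the mail look like it came from a bank.
SAMPLE_MESSAGE = """\
Received: from mail-out.example.net (mail-out.example.net [192.0.2.10])
 by mx.example.com with ESMTP id abc123; Tue, 03 Nov 2015 10:02:17 +0000
Received: from relay.example.net (relay.example.net [192.0.2.20])
 by mail-out.example.net with ESMTP; Tue, 03 Nov 2015 10:02:05 +0000
Received: from spam-box.example.org (unknown [203.0.113.5])
 by relay.example.net with ESMTP; Tue, 03 Nov 2015 10:01:50 +0000
Received: from webmail.bank.example (webmail.bank.example [198.51.100.7])
 by mail.bank.example with ESMTP; Tue, 03 Nov 2015 10:05:00 +0000
From: "Bank Security" <alerts@bank.example>
To: user@example.com
Subject: Verify your account

Please log in at the link below.
"""

FROM_RE = re.compile(r"\bfrom\s+([^\s(;]+)", re.I)
BY_RE = re.compile(r"\bby\s+([^\s(;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into from-host, by-host, from-IP and timestamp."""
    flat = " ".join(value.split())  # unfold continuation lines
    if ";" in flat:
        clause, date_part = flat.rsplit(";", 1)  # timestamp follows the last ';'
    else:
        clause, date_part = flat, ""
    m_from, m_by, m_ip = FROM_RE.search(clause), BY_RE.search(clause), IP_RE.search(clause)
    try:
        stamp = parsedate_to_datetime(date_part.strip())
    except (TypeError, ValueError):  # older Pythons raise TypeError on bad dates
        stamp = None
    return {
        "from": m_from.group(1).lower() if m_from else None,
        "by": m_by.group(1).lower() if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "date": stamp,
    }


def analyze_chain(raw_message):
    """Walk the Received chain newest-to-oldest and stop at the first break.

    Returns how many hops from the top are mutually consistent, what was wrong
    at the break, and the connecting IP recorded by the last trusted hop.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    problems = []
    trusted = 1 if hops else 0  # the top header was written by our own MX
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        if upper["from"] != lower["by"]:
            problems.append(
                f"hop {i + 1} says 'from {upper['from']}' but hop {i + 2} says 'by {lower['by']}'"
            )
        if upper["date"] and lower["date"] and lower["date"] > upper["date"]:
            problems.append(f"hop {i + 2} is stamped later than hop {i + 1}")
        if problems:
            break
        trusted += 1
    return {
        "hops": hops,
        "trusted_hops": trusted,
        "forged_hops": len(hops) - trusted,
        "problems": problems,
        # The last trusted server recorded the IP that actually connected to it.
        "origin_ip": hops[trusted - 1]["ip"] if trusted else None,
    }


if __name__ == "__main__":
    result = analyze_chain(SAMPLE_MESSAGE)
    for i, hop in enumerate(result["hops"], 1):
        print(f"hop {i}: from {hop['from']} [{hop['ip']}] by {hop['by']} at {hop['date']}")
    for p in result["problems"]:
        print("problem:", p)
    print("trusted hops:", result["trusted_hops"], "forged:", result["forged_hops"])
    print("complain about:", result["origin_ip"])
```

On the sample, hops 1 to 3 line up and hop 4 fails both checks (wrong "by" host and a timestamp later than the hop above), so the chain is cut after hop 3 and the origin to report is 203.0.113.5, not the bank. Note what this check cannot do on its own: a forger who knows the relay's name can write a fake header whose "by" matches, so the only stamps you can rely on are those your own servers added; that is where the heuristics about what genuine headers from known mail systems look like come in.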
