On Thu, May 20, 2004 at 09:21:24AM -0500, Dale Haman wrote:
> Forgive me if this is not the right list for this. I am fairly new to SA
> and linux email in general. My question is how to interpret a rejected
> message like this section for instance:
>
> The mail originated from: <[EMAIL PROTECTED]>
>
> According to the 'Received:' trace, the message originated at:
> info.com (host-XX-XX-220-24.midco.net [24.220.XX.XX])
>
> Which one did it actually come from? Hotmail or Midco.net? I have
> received many of these with several different "The mail originated
> from:" but the "According to the 'Received:' trace" is from the same
> address. Do I believe the originated from or the trace?
The answer is: maybe neither.

I don't know where you got the "mail originated from" info. That's not a header. Presumably that's information you inferred from some header, or maybe it is information added to the body of the email by some host which handled the mail.

Spammers can, and do, forge both "From:" and "Received:" headers.

What you need to know is that the "Received:" headers are added, from bottom to top, by the hosts the mail traverses. So you can believe the topmost "Received:" header, the one added by your own host. You may be able to believe headers lower down, added by earlier hosts. You have to evaluate the credibility of each in the context of the header above it.

Commonly where a spammer has added "Received:" headers of their own, there'll be a break where a header makes no sense at all in terms of the header above it. Many of the mails I've seen containing forged "Received:" headers have a single forged header, the lowest (earliest) in the email, or at most two or three.

-- 
Dan Wilder
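The top-down check Dan describes, as an added example that is not part of the original thread: walk the "Received:" headers from the one your own host added, and flag the first hop whose "by" host does not match the "from" host recorded in the header directly above it. The message, hostnames and addresses are constructed for the example; a mismatch is a cue to examine that header by hand, not proof of forgery on its own.

```python
import re
from email import message_from_string

# Constructed sample message (not from the original thread). The top two
# Received headers form a consistent chain; the bottom one was supposedly
# added by "info.com", but the header above it says the hop came from a
# different host, so the chain breaks there.
RAW_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id 123ABC
\tfor <user@example.org>; Thu, 20 May 2004 09:00:01 -0500
Received: from dialup-1.isp.example ([198.51.100.7])
\tby relay.example.net with SMTP id 456DEF; Thu, 20 May 2004 08:59:58 -0500
Received: from mail.webmail.example (webmail.example [203.0.113.5])
\tby info.com with ESMTP id 789GHI; Thu, 20 May 2004 08:59:50 -0500
From: someone@webmail.example
To: user@example.org
Subject: test

body
"""

# Minimal parse of the "from <host> ... by <host>" clause of a Received header.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\s+by\s+(?P<by>\S+)", re.S)

def parse_hops(raw):
    """Return [(from_host, by_host), ...] in header order: index 0 is the
    topmost header, i.e. the one added by the receiving host itself."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if m:
            hops.append((m.group("from").lower(), m.group("by").lower()))
    return hops

def first_break(hops):
    """Index of the first header whose 'by' host is not the 'from' host
    recorded by the header above it, or None if every hop is consistent.
    Headers at that index and below were not vouched for by a trusted hop."""
    for i in range(1, len(hops)):
        if hops[i][1] != hops[i - 1][0]:
            return i
    return None

if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    for i, (frm, by) in enumerate(hops):
        print(f"hop {i}: from {frm} by {by}")
    print("chain breaks at header index:", first_break(hops))
```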
