At 10:21 AM 5/20/2004, Dale Haman wrote:
The mail originated from: <[EMAIL PROTECTED]>

According to the 'Received:' trace, the message originated at:
   info.com (host-XX-XX-220-24.midco.net [24.220.XX.XX])

Which one did it actually come from? Hotmail or Midco.net? I have
received many of these with several different " The mail originated
from:" but the " According to the 'Received:' trace" is from the same
address. Do I believe the originated from or the trace?

Neither is trustworthy, at least not without some qualifications. However, the Received: is going to contain more trustworthy information than the From: header.

From: is trivially forgeable, and definitely NOT trustworthy. Ever. Spam and viruses are using forged From, Return-path and X-Original-Sender headers close to 100% of the time.

Tracing received back too far isn't trustworthy either. Spammers can insert extra Received: headers to obfuscate the originating host.

The only message headers you can trust are the ones your server adds. Thus the only part of the Received trace you can trust is the Received: line added by YOUR mailserver. If you know and trust the operator of that server, then you can trust its header too, but as soon as you hit an untrusted host in the received chain, you can't trust anything it says.

For example, look at these spam headers I got:

Received: from bb220-255-42-90.singnet.com.sg (bb220-255-42-90.singnet.com.sg [220.255.42.90])
by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id i4F74wQj017374
for <[EMAIL PROTECTED]>; Sat, 15 May 2004 03:05:03 -0400
Received: from [56.34.214.164] by 220.255.42.90 with lev SMTP;
Sat, 15 May 2004 02:16:55 -0600


Now, based on those, I can definitely trust that the mail came in via 220.255.42.90. I operate xanadu, and trust its header to not be forged.

However, I don't know the operator of 220.255.42.90. Thus, I can't trust that the message came from 56.34.214.164. An untrusted server CLAIMS it got the message from there, but this could be a lie.

In this case, it's unlikely to be a lie, but it's quite common for there to be a second received: header claiming to be from some "big company" ISP's mail exchanger.

An obvious example would be a Chinese host claiming it got the message from AOL's mail exchanger. AOL doesn't relay mail via china when dropping it off here at EVI. Of course, if it claimed it got it from an AOL dialup node, that might be possible, but it's still untrustworthy.
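The rule laid out in the reply above (walk the Received: chain from the top, stop at the first hop that was not written by a server you trust) is mechanical enough to script. The following Python is an added example, not code from the list or its posters; it uses the two Received: lines quoted in the reply as a constructed sample message (the From:, Subject: and recipient address are placeholders), and it assumes only the standard library. The set of trusted hostnames is supplied by the caller, which is how "I operate xanadu" is expressed in code.

```python
import email
import re

# Constructed sample message. The two Received: lines are the ones quoted in
# the reply above; the From:, Subject: and recipient address are placeholders.
RAW_MESSAGE = (
    "Received: from bb220-255-42-90.singnet.com.sg "
    "(bb220-255-42-90.singnet.com.sg [220.255.42.90])\n"
    "\tby xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id i4F74wQj017374\n"
    "\tfor <recipient@example.invalid>; Sat, 15 May 2004 03:05:03 -0400\n"
    "Received: from [56.34.214.164] by 220.255.42.90 with lev SMTP;\n"
    "\tSat, 15 May 2004 02:16:55 -0600\n"
    "From: sender@example.invalid\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# "from <host> (<comment>) by <host>" is the common shape of a Received: clause
# (RFC 5321 section 4.4); this regex handles that shape and nothing more exotic.
_HOP_RE = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s*\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
_IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def _observed_ip(from_token, comment):
    """The address the receiving MTA recorded. Prefer the bracketed IP in the
    comment (what the MTA itself saw on the socket) over the client's own
    self-description in the 'from' token, which the client chooses freely."""
    for text in (comment or "", from_token):
        m = _IPV4_RE.search(text)
        if m:
            return m.group(1)
    return None


def parse_hops(raw_message):
    """Return the Received: hops as dicts, most recent (topmost) first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        m = _HOP_RE.match(flat)
        if not m:
            continue  # not a from/by clause (e.g. a local delivery line); skip
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "ip": _observed_ip(m.group("from"), m.group("comment")),
        })
    return hops


def trusted_origin(raw_message, trusted_hosts):
    """Walk the chain from the top and stop at the first hop whose 'by' host
    is not one we trust. Returns the last verifiable sending IP, how many hops
    were verified, and the sender claims below that point that we cannot check."""
    trusted = {h.lower() for h in trusted_hosts}
    hops = parse_hops(raw_message)
    origin = None
    verified = 0
    for hop in hops:
        if hop["by"].lower() not in trusted:
            break          # an untrusted server wrote this line; stop believing
        origin = hop["ip"]
        verified += 1
    unverified = [h["ip"] or h["from"] for h in hops[verified:]]
    return {"origin": origin, "verified_hops": verified, "unverified_claims": unverified}


if __name__ == "__main__":
    # Only xanadu is ours, so only the first Received: line counts.
    print(trusted_origin(RAW_MESSAGE, {"xanadu.evi-inc.com"}))
```

With only xanadu.evi-inc.com trusted, the script reports 220.255.42.90 as the last verifiable origin and lists 56.34.214.164 as an unverified claim, which is exactly the reading given in the reply. Adding the singnet host to the trusted set extends the verified chain by one hop; this is the "if you know and trust the operator of that server" case, and it is a decision the operator makes, not something the headers can prove.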