On 30/03/13 07:15, tom wrote:
> Does your server write this to the header or just accept what its given?

The Received headers are written by the server that received it, oddly enough, and in order, thus we trust Pi, so we trust its Received headers.

The reverse DNS suggests it is Yahoo; you need to check reverse DNS with a forward lookup since the reverse DNS can point to anything the address owner says. A quick whois also shows it is a Yahoo address. Strictly whois can be faked, but it is less likely (does happen with big spammers); forward DNS for the same name is more reliable since that would require co-operation (or negligence) from the managers of the yahoo.com domain name to forge.

Typically you trust the Received headers whilst the Received headers are inserted by your machines (unless you've reason to believe your machines are the insert point, or the mail log disagrees with the headers).

That a Yahoo server says it was injected using a Yahoo webmail client, and that it emailed only addresses that the corresponding Yahoo webmail account has emailed before, is good evidence it is a compromise of security somewhere at Yahoo (end user or systemic). If it were the only such email I'd received this month I'd be more suspicious, but the evidence is quite clear on the likely origin. The other Received headers are consistent with injection by the IP address listed by the first Yahoo server in the chain.

So, a worked exercise for the curious: email received claiming to be from the DCGLUG list, sent by a Tom Potts...

  Received: from pi.a-squared.co.uk (pi.a-squared.co.uk [37.128.189.136])
      by lintel.vm.bytemark.co.uk (Postfix) with ESMTPS id 15BB31E464
      for <simon@xxxxxxxxxxxxxx>; Sat, 30 Mar 2013 07:16:05 +0000 (GMT)

The top header says it came from pi.a-squared.co.uk (the IP address is trustworthy; the name might be wrong depending what checks the mail server performs). In this case I can check the name easily enough.

  $ dig +short pi.a-squared.co.uk
  37.128.189.136

  Received: from localhost ([127.0.0.1] helo=pi.a-squared.co.uk)
      by pi.a-squared.co.uk with esmtp (Exim 4.72)
      (envelope-from <list-bounces@xxxxxxxxxxxxx>)
      id 1ULq16-0004WK-Fv; Sat, 30 Mar 2013 07:15:56 +0000

Hmm, that is slightly odd for a normal email: Pi got it from "localhost". Again I trust Pi, so presumably it is sent from a script (the DCGLUG mailing list software), but you might also see spam filters or virus checkers sending email from localhost.

  Received: from smtp.hosts.co.uk ([85.233.160.19])
      by pi.a-squared.co.uk with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72)
      (envelope-from <tompotts@xxxxxxxxxxxxxxxxxxxxxx>)
      id 1ULq15-0004WD-SG for list@xxxxxxxxxxxxx; Sat, 30 Mar 2013 07:15:55 +0000

Pi reporting how it got the email. Again I trust Pi, so I trust the IP address, but the name and envelope-from are potentially from the sending machine and not immediately reliable. A quick "dig" confirms the name "smtp.hosts.co.uk" maps to the address given.

  Received: from [213.246.94.96] (helo=[192.168.2.33])
      by smtp.hosts.co.uk with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.72)
      (envelope-from <tompotts@xxxxxxxxxxxxxxxxxxxxxx>)
      id 1ULq15-0001xV-7z for list@xxxxxxxxxxxxx; Sat, 30 Mar 2013 07:15:55 +0000

Okay, so smtp.hosts.co.uk is not known to me (well, let's pretend so anyway), and a suspiciously generic server name. But a quick check with dig and whois shows the domain and address are both registered to "NAMESCO", who are a reputable UK company. So I'm inclined to trust they are accurate.

The "helo" here is suspicious. 192.168.2.33 is an RFC1918 reserved private address. HELO is supposed to be unique. My email server would probably (it weighs its options) reject an incoming email with such a "HELO".

In this case it would appear to be okay, since it is the first Received header, so an example of email being injected at the origin as we expect with SMTP; such a record in the middle of a list of Received headers might suggest fakery.

The IP address 213.245.94.96 is in NAMESCO-DSL7, so it seems likely it is an ADSL line.

At this point the chain is complete. A keen spam checking tool could establish that the email address's associated DNS records (MX, A) all point to NAMESCO hosted servers, adding consistency to the mail receiving experience.

Although Received headers can be faked, my experience is that this is currently very unusual. They are onerous to fake well (easy to fake badly), and since in most cases where you care (spam filtering) you initially look to addressing the first untrusted server that handed you the email, faking them doesn't really gain spammers much. Particularly if they are using botnets, when even if it is reported and fixed it is likely one of thousands.

Some spam filters check Received headers for known spam sources, but faking them would only allow you to add known spam sources, so would only increase, and not decrease, your chance of spam being filtered as spam.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
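The header walk above, done in code as an added example that is not part of the original post: it parses the four quoted Received headers top-down, checks each claimed host name against a forward lookup (an assumed offline table standing in for the post's dig output), marks which stamps come from our own trusted receivers, and flags an RFC1918 or loopback HELO only when it appears mid-chain rather than at the origin. Header text is trimmed to the fields used; the trusted-receiver set and DNS table are assumptions for the example.

```python
import ipaddress
import re
# Constructed sample: the post's four Received headers, most recent first, trimmed.
SAMPLE_HEADERS = [
    "from pi.a-squared.co.uk (pi.a-squared.co.uk [37.128.189.136]) by lintel.vm.bytemark.co.uk (Postfix) with ESMTPS",
    "from localhost ([127.0.0.1] helo=pi.a-squared.co.uk) by pi.a-squared.co.uk with esmtp (Exim 4.72)",
    "from smtp.hosts.co.uk ([85.233.160.19]) by pi.a-squared.co.uk with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)",
    "from [213.246.94.96] (helo=[192.168.2.33]) by smtp.hosts.co.uk with esmtps (TLSv1:CAMELLIA256-SHA:256)",
]
# Assumed offline stand-in for the dig forward lookups; use socket.gethostbyname() live.
FORWARD_DNS = {"pi.a-squared.co.uk": "37.128.189.136", "smtp.hosts.co.uk": "85.233.160.19"}
# Assumed set of receivers whose stamps we trust: our own machines, per the post's reasoning.
TRUSTED_RECEIVERS = {"lintel.vm.bytemark.co.uk", "pi.a-squared.co.uk"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=\[?([^\s\]\)]+)", re.I)

def is_ip_literal(text):
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", text) is not None

def parse_hop(header):
    """Split one Received header into from-name, recorded IP, HELO and by-host."""
    from_part, by_part = re.split(r"\s+by\s+", header, maxsplit=1)
    from_name = from_part.split()[1].strip("[]")
    ip_match, helo_match = IP_RE.search(from_part), HELO_RE.search(from_part)
    return {"from_name": from_name, "by": by_part.split()[0],
            "ip": ip_match.group(1) if ip_match else None,
            "helo": helo_match.group(1) if helo_match else from_name}

def analyse(headers):
    """Walk the chain top-down; the last header is the injection point."""
    hops = []
    for idx, header in enumerate(headers):
        hop = parse_hop(header)
        hop["origin"] = idx == len(headers) - 1
        hop["trusted"] = hop["by"] in TRUSTED_RECEIVERS  # so its recorded IP is trusted
        name = hop["from_name"]
        # Forward lookup of the claimed name must return the IP the receiver saw
        if hop["ip"] and name != "localhost" and not is_ip_literal(name):
            hop["forward_dns_ok"] = FORWARD_DNS.get(name) == hop["ip"]
        else:
            hop["forward_dns_ok"] = None
        # RFC1918/loopback HELO: tolerable at the origin, suspicious mid-chain
        hop["private_helo"] = is_ip_literal(hop["helo"]) and ipaddress.ip_address(hop["helo"]).is_private
        hops.append(hop)
    return hops

def suspicious_hops(hops):
    """Indices of relays (not the origin) that claim a private HELO."""
    return [i for i, h in enumerate(hops) if h["private_helo"] and not h["origin"]]
```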