
Deciphering email headers




On Tue, Jul 08, 2003 at  9:15:07AM -0600, Gary Fritz wrote:
> The only way you can get any idea where the virus actually came
> from is to look at the full headers of the message and trace the
> "Received:" lines.  For example:
> 
> > Received: from ma101.mailarmory.com (ma101.mailarmory.com
> > [216.17.128.129])
> >  by deimos.frii.net (8.12.9/8.12.9) with ESMTP id h680QU1B011393;
> >  Mon, 7 Jul 2003 18:26:30 -0600 (MDT)
> > ...
> > Received: from [17.206.14.107] (xxx5.apple.com [17.206.14.107])
> >  by scv1.apple.com (8.12.9/8.12.9) with ESMTP id h680Pvdi008514;
> >  Mon, 7 Jul 2003 17:25:57 -0700 (PDT)
> 
> You read the headers from the bottom up...
> 
> These headers can't be forged by the spammer or virus, because
> they're added by individual mail-forwarding systems AFTER the
> message leaves the original mailing host.  So I know 100% for
> certain that the message originated on xxx5.apple.com, regardless
> of what the "From:" header says.

One caveat: though it's not common with viruses, it IS possible to
forge Received lines appearing BELOW the sender's relay, and in fact
this sort of forgery is not uncommon with spammers.  So, it's really
only the topmost Received header you can absolutely trust, plus any
below that that you know are trustworthy. 


> Note, though, that mail through the Omega list has all headers from
> (wherever) to eskimo.com removed. 

When necessary, I can retrieve the full headers of recent postings.


> Different mailers have different ways of showing the headers.
> You'll have to look at your mailer's help to find out how to
> display the headers.

This is something every email user should know how to do.

FWIW,

Jim
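An added illustration of the rule discussed above (not code from either poster): the script walks the Received: lines top-down, trusts the top one because our own MTA stamped it, and stops at the first hop whose "by" host is not the host the line above says it received from; everything below that break is the sender's own text. The sample message, hostnames, IPs and the trusted MTA name (mx.example.net) are constructed, and the hostname match is only a heuristic, so the "that you know are trustworthy" qualification still applies.

```python
import email
import re

# Constructed sample, not from the original thread: the two upper Received:
# lines chain correctly; the bottom one was written by the sender.
RAW_MESSAGE = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
 by mx.example.net (8.12.9/8.12.9) with ESMTP id AAA00001;
 Mon, 7 Jul 2003 18:26:30 -0600 (MDT)
Received: from [198.51.100.7] (dialup-7.example.org [198.51.100.7])
 by relay.example.org (8.12.9/8.12.9) with ESMTP id BBB00002;
 Mon, 7 Jul 2003 17:25:57 -0700 (PDT)
Received: from mail.forged.example (mail.forged.example [203.0.113.5])
 by smtp.forged.example with SMTP id CCC00003;
 Mon, 7 Jul 2003 17:20:00 -0700 (PDT)
From: someone@forged.example
"""

# 'from <host> (<reverse-dns> [ip])' ... 'by <host>'; folded lines are allowed
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)

def parse_received(value):
    """Return (from_host, reverse_dns, by_host) for one Received: line, or None."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    comment = (m.group("comment") or "").split()
    return m.group("from"), comment[0] if comment else "", m.group("by")

def trusted_hops(raw_message, my_mta):
    """Read Received: lines top-down and keep hops only while the chain holds:
    a line is trusted if its 'by' host is the host the line above received from."""
    msg = email.message_from_string(raw_message)
    trusted, expected_by = [], my_mta  # the top line was stamped by our own MTA
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop[2].lower() != expected_by.lower():
            break
        trusted.append(hop)
        expected_by = hop[1] or hop[0]  # prefer reverse DNS over a bare [ip]
    return trusted

def probable_origin(raw_message, my_mta):
    """'from' side of the lowest trusted hop: the host that handed us the mail."""
    hops = trusted_hops(raw_message, my_mta)
    return (hops[-1][0], hops[-1][1]) if hops else None
```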