On 8/23/2018 9:04 AM, Denis Heidtmann wrote:
> I have no idea how the spammer managed
> to change her reply-to field

It is trivially easy to forge/modify headers except those added by servers traversed after the message leaves the sending mail transfer agent. When reading headers they are in most-recent first order, so anything after (in reading order) the last (earliest) "Received: from ..." was created by the sender and is untrustworthy in the case of SPAM. This includes From:, To:, Reply-to:, Date:, Subject:, Sender:, etc. Here's a sample set of headers showing the breakdown between what is trustworthy and what is not.

> Return-Path: <[email protected]>
> X-Original-To: [[redacted]]
> Delivered-To: [[redacted]]
> X-Greylist: whitelisted by SQLgrey-1.8.0
> DKIM-Filter: OpenDKIM Filter v2.11.0 smtp.[[redacted]] D68E040323
> Received: from acmsmtp02.acm.org (ACMSMTP02.acm.org [64.238.159.79])
>     (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>     (No client certificate requested)
>     by smtp.[[redacted]] (Postfix) with ESMTPS id D68E040323
>     for <[[redacted]]>; Thu, 23 Aug 2018 10:29:48 -0400 (EDT)
> Received: from in-004.mia.mailroute.net
>     by acmsmtp02.acm.org (ACM Email Forwarding Service) with ESMTP id
>     2201808231029476520
>     for <[[redacted]]>; Thu, 23 Aug 2018 10:29:47 -0400
> Received: from localhost (004.mia.mailroute.net [127.0.0.1])
>     by in-004.mia.mailroute.net (Postfix) with ESMTP id 41x6Hq6sptzHp7M
>     for <[[redacted]]>; Thu, 23 Aug 2018 14:29:43 +0000 (UTC)
> X-Virus-Scanned: by MailRoute
> X-Spam-Flag: NO
> X-Spam-Score: 2.721
> X-Spam-Level: **
> X-Spam-Status: No, score=2.721 tagged_above=-9999 tests=[BAYES_00=-1.9,
>     BTC_ENCODED_SUB=0.1, KAM_LAZY_DOMAIN_SECURITY=1, KAM_LINKBAIT=2.5,
>     MISSING_HEADERS=1.021] autolearn=no autolearn_force=no
> X-Spam-ASN:
> X-Spam-Language:
> X-Spam-Relay-Countries: US ** US
> Received: from in-004.mia.mailroute.net ([199.89.3.7])
>     by localhost (004.mia [127.0.0.1]) (mroute_mailscanner, port 10024)
>     with LMTP id qiKHiQZpuG_1; Thu, 23 Aug 2018 14:29:30 +0000 (UTC)
> Received: from utm.njea.org (utm.njea.org [208.84.250.36])
>     (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
>     (No client certificate requested)
>     by in-004.mia.mailroute.net (Postfix) with ESMTPS id 41x6HX19cLzHp7n;
>     Thu, 23 Aug 2018 14:29:27 +0000 (UTC)

******** Above here generated by servers outside of spammer's control ********
************** Below here MAY be forged with some difficulty ****************
>
> Received: from SP50.njea.org ([169.254.2.7]) by SP50.njea.org
>     ([192.168.40.50]) with mapi id 14.03.0248.002; Thu, 23 Aug 2018 10:29:13
>     -0400

******************* Below here can be trivially forged *************************
> From: Renee Ahern <[email protected]>
> Subject: Microsoft Outlook
> Thread-Topic: Microsoft Outlook
> Thread-Index: AdQ67am/r3zLggSIQzGDwsaKZ3eSSg==
> Date: Thu, 23 Aug 2018 14:29:13 +0000
> Message-ID: <[email protected]>
> Accept-Language: en-US
> Content-Language: en-US
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> x-originating-ip: [5.62.47.11]
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> MIME-Version: 1.0

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
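The breakdown the post draws by hand (trustworthy hops stamped by relays you control or trust, then the sender's own internal hop, then the headers the sender typed) can be automated. The script below is an added example, not code from the post or the PLUG list; it walks the `Received:` chain top-down with Python's standard `email` parser, treats every hop stamped `by` a relay in an assumed `TRUSTED_RELAYS` set as trustworthy, and marks the first hop stamped by anyone else, and everything below it, as sender-side. The sample message, hostnames (`smtp.example.invalid`, `fwd.example.invalid`, `SP50.sender.invalid`) and addresses are constructed for the example and mirror the shape of the headers quoted above.

```python
import re
from email import message_from_string

# Three trust classes, following the post's breakdown of its sample headers.
TRUSTWORTHY = "trustworthy: added by a relay you trust"
MAYBE_FORGED = "may be forged: added by the sender's own servers"
UNTRUSTWORTHY = "untrustworthy: written by the sender"

# Pulls "from <host> ... by <host>" out of a (possibly folded) Received line.
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)

# Assumed: hostnames of the MTAs you control or trust (your own server and the
# forwarders it sits behind), in lower case.
TRUSTED_RELAYS = {"smtp.example.invalid", "fwd.example.invalid"}

# Constructed sample message (not the post's real headers); same shape as the
# quoted chain: your MTA, a trusted forwarder, then the sender's internal hop.
SAMPLE = """\
Return-Path: <alice@sender.invalid>
Delivered-To: me@example.invalid
Received: from fwd.example.invalid (fwd.example.invalid [192.0.2.10])
    by smtp.example.invalid (Postfix) with ESMTPS id AAAA0001
    for <me@example.invalid>; Thu, 23 Aug 2018 10:29:48 -0400 (EDT)
X-Spam-Score: 2.721
Received: from utm.sender.invalid (utm.sender.invalid [203.0.113.36])
    by fwd.example.invalid (Postfix) with ESMTPS id BBBB0002;
    Thu, 23 Aug 2018 14:29:27 +0000 (UTC)
Received: from SP50.sender.invalid ([169.254.2.7]) by SP50.sender.invalid
    ([192.168.40.50]) with mapi id 14.03.0248.002; Thu, 23 Aug 2018 10:29:13 -0400
From: Alice <alice@sender.invalid>
Reply-To: someone-else@elsewhere.invalid
Subject: Microsoft Outlook
Date: Thu, 23 Aug 2018 14:29:13 +0000

(message body)
"""


def parse_received(value):
    """Return (from_host, by_host) in lower case, or (None, None) if unparseable."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2).lower()


def classify_headers(raw_message, trusted_relays):
    """Label every header of raw_message with one of the three trust classes.

    Headers are read top-down (most recent hop first). Each Received line
    stamped "by" a trusted relay is trustworthy; the first one stamped by any
    other host ends the trusted chain, and it and every Received line below it
    were written on the sender's side.
    """
    headers = message_from_string(raw_message).items()  # keeps on-the-wire order
    received_label = {}
    in_trusted_chain = True
    for i, (name, value) in enumerate(headers):
        if name.lower() != "received":
            continue
        _, by_host = parse_received(value)
        if in_trusted_chain and by_host in trusted_relays:
            received_label[i] = TRUSTWORTHY
        else:
            in_trusted_chain = False
            received_label[i] = MAYBE_FORGED

    # A non-Received header was prepended by the server that wrote the nearest
    # Received line below it, so it inherits that line's class. A header with
    # no Received line below it was already present when the sender handed the
    # message over: the sender wrote it (From:, Reply-To:, Date:, Subject:, ...).
    labelled = []
    for i, (name, _value) in enumerate(headers):
        if i in received_label:
            label = received_label[i]
        else:
            below = [j for j in received_label if j > i]
            label = received_label[min(below)] if below else UNTRUSTWORTHY
        labelled.append((name, label))
    return labelled


if __name__ == "__main__":
    for name, label in classify_headers(SAMPLE, TRUSTED_RELAYS):
        print(f"{name:<14} {label}")
```

Run stand-alone it prints one line per header; the `Reply-To:` that puzzled the original poster lands in the "untrustworthy" class because no relay stamped a `Received:` line below it. The trusted-relay set has to be maintained by hand: the hop from `utm.sender.invalid` is trustworthy only because `fwd.example.invalid`, a relay you trust, wrote that line, not because of anything the sender's server claims.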
