On Fri, 28 Aug 2003, Bret Comstock Waldow wrote:

> If there's a definitive way to be sure of the origin of an email, I'd
> like to know that's so, and how to determine it.
Try a little test. Mail yourself an absolutely minimal message by doing an
smtp session manually and see what arrives. eg:

<bash>
[EMAIL PROTECTED] telnet a2.scoop.co.nz 25
Trying 203.96.152.68...
Connected to a2.scoop.co.nz.
Escape character is '^]'.
220 a2.scoop.co.nz ESMTP Sendmail; Fri, 29 Aug 2003 12:11:54 +1200 (NZST)
helo foobar
250 a2.scoop.co.nz Hello eth1383.nsw.adsl.internode.on.net [150.101.203.102], pleased to meet you
mail from: <andrew>
553 5.5.4 <andrew>... Domain name required for sender address andrew
mail from: <[EMAIL PROTECTED]>
250 2.1.0 <[EMAIL PROTECTED]>... Sender ok
rcpt to: <[EMAIL PROTECTED]>
250 2.1.5 <[EMAIL PROTECTED]>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
.
250 2.0.0 h7T0BsgV076791 Message accepted for delivery
quit
221 2.0.0 a2.scoop.co.nz closing connection
Connection closed by foreign host.
</bash>

I then receive the following. Exactly what you receive will depend somewhat
on which mail software you run.

<message>
Return-Path: <[EMAIL PROTECTED]>
Received: from foobar (eth1383.nsw.adsl.internode.on.net [150.101.203.102])
        by a2.scoop.co.nz (8.12.9/8.12.9) with SMTP id h7T0BsgV076791
        for <[EMAIL PROTECTED]>; Fri, 29 Aug 2003 12:12:30 +1200 (NZST)
        (envelope-from [EMAIL PROTECTED])
Date: Fri, 29 Aug 2003 12:11:54 +1200 (NZST)
From: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
To: undisclosed-recipients:;
X-Loop: [EMAIL PROTECTED]
X-Spam: unknown; 0.00; foobar:01 example:12 com:30
X-Bogosity: No, tests=bogofilter, spamicity=0.025957, version=0.13.7.2
X-DCC-SdV-Metrics: a2.scoop.co.nz 1179; Body=0
</message>

Looking at the Received header (the top one if there's more than one), you
can tell which machine delivered it to your server (150.101.203.102). The
name it reports for itself (foobar) might as well not be displayed, and the
name found by DNS lookup (eth1383.nsw.adsl.internode.on.net) may not be
reliable if the spammer has control over the appropriate DNS PTR record.
The Date, From, To and Message-ID headers here have been added by my system,
but if they were present in the original, then they would have been passed
through unmodified. They should not be relied upon. Message-ID used to be a
surprisingly good way to catch spammers out, but that's a long time ago now.

All those X-* headers are added by my procmail rules or things added from
there. Everything else is generated by my mail daemon based on the limited
info it received from the SMTP session.

This is the most important bit: *any* other header that might appear in
another received message was part of the body of the delivered message and
cannot be trusted. It might be that the message has been relayed through a
basically trustworthy server whose headers you can trust, but then again
those headers might be spoofed.

You really don't have much you can rely on besides the IP of the machine
(from the Received header) which sent the email to your server. In the case
of Sobig.F however, this is the IP of the infected machine. That's good
information, but you still don't have a contact address for the user.

Supposing you want to chase this up, the only thing you can really do is to
chase down the owner of that block of IP addresses and ask them to pass on
the message. They'll need the IP and the time when it happened (for dynamic
IPs). They probably won't bother with it unless you send full headers, and
even then they get so many of these they may not bother anyway. Don't expect
them to tell you what they do or don't do.

Andrew McNaughton

--
No added Sugar. Not tested on animals. May contain traces of Nuts.
If irritation occurs, discontinue use.

-------------------------------------------------------------------
Andrew McNaughton
In Sydney Working on a Product Recommender System
[EMAIL PROTECTED]  Mobile: +61 422 753 792
http://staff.scoop.co.nz/andrew/cv.doc

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
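A small Python parser for the check described in the post above, added here as an example (it is not code from the post or from SLUG): it reads only the topmost Received header, the one written by your own MTA, pulls out the connecting IP and the rDNS name, and reports every Received header below it as untrusted. The sample message is constructed from the post's headers with example.com placeholder addresses, plus a forged second Received line; the server name a2.scoop.co.nz is the one from the post.

```python
import re
from email import message_from_string

# Constructed sample: the post's headers with example.com placeholder addresses,
# plus a second Received line of the kind a sender can forge in the DATA section.
RAW_MESSAGE = """\
Return-Path: <andrew@example.com>
Received: from foobar (eth1383.nsw.adsl.internode.on.net [150.101.203.102])
\tby a2.scoop.co.nz (8.12.9/8.12.9) with SMTP id h7T0BsgV076791
\tfor <andrew@example.com>; Fri, 29 Aug 2003 12:12:30 +1200 (NZST)
Received: from mail.bank.example (mail.bank.example [192.0.2.10])
\tby foobar with ESMTP id forged01; Fri, 29 Aug 2003 12:00:00 +1200
Date: Fri, 29 Aug 2003 12:11:54 +1200 (NZST)
From: andrew@example.com
To: undisclosed-recipients:;

"""

# Sendmail-style clause "from <helo> (<rdns> [<ip>]) by <server>"; rDNS is
# optional because the MTA writes "([ip])" when the PTR lookup fails.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(value):
    """Return helo/rdns/ip/by from one Received header, or None if unparseable."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    return m.groupdict() if m else None

def delivering_host(raw, my_server):
    """Return (info, warnings) for the host that handed the message to my_server.

    Only the topmost Received header was written by our own MTA, so only its
    IP can be relied on; Received headers below it arrived inside the message.
    """
    received = message_from_string(raw).get_all("Received") or []
    top = parse_received(received[0]) if received else None
    if not top or top["by"].lower() != my_server.lower():
        return None, ["topmost Received header was not written by " + my_server]
    warnings = []
    if top["rdns"] is None:
        warnings.append("no reverse DNS for " + top["ip"])
    elif top["helo"].lower() != top["rdns"].lower():
        warnings.append("HELO name %s differs from rDNS %s" % (top["helo"], top["rdns"]))
    if len(received) > 1:
        warnings.append("%d lower Received header(s) are untrusted" % (len(received) - 1))
    return top, warnings
```

Run against the constructed message with `delivering_host(RAW_MESSAGE, "a2.scoop.co.nz")`: the result names 150.101.203.102 as the delivering machine and warns that the forged Received line below it is untrusted.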