Forged Headers

Now consider an example where the headers have been forged to make the message appear to come from another source. The following headers are taken from a message that purported to come from the FBI, telling me that I had been visiting illegal web sites. In fact, the message contained a virus and was sent from an infected computer.

    Return-Path: <Web@fbi.gov>
    Received: from nvwyu.gov (i528C1073.versanet.de [82.140.16.115])
            by gateway.craic.com (8.11.6/8.11.6)
            with SMTP id j1R0aU702669
            for <XYZ@craic.com>; Sat, 26 Feb 2005 16:36:30 -0800
    From: Web@fbi.gov
    To: XYZ@craic.com
    Date: Sat, 26 Feb 2005 23:17:43 GMT
    Subject: You visit illegal websites
    Message-ID: <dea28bde431c7ce0c@fbi.gov>
    [...]

At face value, this looks like a message from the FBI, with the From, Return-Path, and Message-ID headers all referring to the domain fbi.gov. But the single Received header tells a different story. The message was received by gateway.craic.com, and because I control this machine, I trust it to report the correct IP address of the sending MTA. The hostname within the parentheses is the result of a reverse DNS lookup on that address by my server, so I also trust this. This is clearly not an FBI host. The domain is owned by an ISP located in Germany, and the alphanumeric string used as the hostname (i528C1073) has the look of an address assigned to a subscriber's computer, most likely at home. Preceding the parentheses is a fictitious domain, nvwyu.gov, which has been created by the sender: it is simply the name the sending MTA announced in its HELO command, so it is entirely under the sender's control and carries no weight.
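As an added example (not from the book), the following Python script applies the same reasoning mechanically: it splits a sendmail-style Received header into the untrusted HELO name and the trusted reverse-DNS name and IP, then checks whether any domain claimed in From, Return-Path or Message-ID matches the verified sending network. The sample message is constructed from the headers quoted above, and the function names and the two-label domain heuristic are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the forged headers quoted above (unused headers dropped, no body).
RAW = """Return-Path: <Web@fbi.gov>
Received: from nvwyu.gov (i528C1073.versanet.de [82.140.16.115])
        by gateway.craic.com (8.11.6/8.11.6)
        with SMTP id j1R0aU702669
        for <XYZ@craic.com>; Sat, 26 Feb 2005 16:36:30 -0800
From: Web@fbi.gov
Message-ID: <dea28bde431c7ce0c@fbi.gov>
"""

# sendmail layout: from <HELO name> (<reverse-DNS name> [<IP>]) by <receiving host>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)

def parse_received(value):
    """Split one Received header into HELO name, reverse-DNS name, IP and receiving host."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines first
    return m.groupdict() if m else None

def base_domain(host):
    # Last two labels only; a real tool would consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def addr_domain(header_value):
    """Domain part of an address such as 'Web@fbi.gov' or '<id@fbi.gov>'."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def analyse(raw):
    """Compare the domains the sender claims with what the trusted Received hop recorded."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    # Headers are prepended, so hops[0] was written by the last MTA, the one we control.
    # Only its bracketed IP and reverse-DNS name are trustworthy; the HELO name and every
    # header further down the message were supplied by the sender.
    first = hops[0] if hops else None
    claimed = {addr_domain(msg[h]) for h in ("From", "Return-Path", "Message-ID")} - {""}
    rdns_domain = base_domain(first["rdns"]) if first and first["rdns"] else None
    return {
        "claimed_domains": sorted(claimed),
        "helo_domain": base_domain(first["helo"]) if first else None,
        "sender_ip": first["ip"] if first else None,
        "sender_rdns_domain": rdns_domain,
        "suspicious": first is not None and rdns_domain not in claimed,  # verified network vs claims
    }
```

Run `analyse(RAW)` to see the forged message flagged: the claimed domain is fbi.gov while the verified sending network is versanet.de.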

This illustrates how some email ...
