Forged Headers
Now consider an example where the headers have been forged to make the message appear to come from another source. The following headers are taken from a message that purported to come from the FBI, telling me that I had been visiting illegal web sites. In fact, the message contained a virus and was sent from an infected computer.
  Return-Path: <Web@fbi.gov>
  Received: from nvwyu.gov (i528C1073.versanet.de [82.140.16.115])
      by gateway.craic.com (8.11.6/8.11.6) with SMTP id j1R0aU702669
      for <XYZ@craic.com>; Sat, 26 Feb 2005 16:36:30 -0800
  From: Web@fbi.gov
  To: XYZ@craic.com
  Date: Sat, 26 Feb 2005 23:17:43 GMT
  Subject: You visit illegal websites
  Message-ID: <dea28bde431c7ce0c@fbi.gov>
  [...]
At face value, this looks like a message from the FBI: the From, Return-Path, and Message-ID headers all refer to the domain fbi.gov. But the single Received header tells a different story. The message was received by gateway.craic.com, and because I control this machine, I trust it to report the correct IP address of the sending MTA. The hostname within the parentheses, i528C1073.versanet.de, is the result of a reverse DNS lookup of that address by my server, so I also trust this. It is clearly not an FBI host. The domain is owned by an ISP located in Germany, and the alphanumeric string used as the hostname (i528C1073) has the look of an address assigned to a subscriber's computer, most likely at home. Preceding the parentheses is a fictitious domain, nvwyu.gov, which has been created by the sender: it is the name the sending machine announced in its SMTP HELO command, and my server records that name exactly as given, without verifying it, so it carries no weight.
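The same reasoning can be applied mechanically. The following Python script is an added example, not code from the book: it parses the Received header written by your own MTA, pulls out the HELO name, the reverse-DNS hostname and the IP address, and compares the domain of that hostname with the domains claimed in From, Return-Path and Message-ID. The first sample is the forged FBI header block quoted above, reassembled one header per line; the second, clean sample with hosts under example.com is constructed as a control. The script does no network lookups of its own; it relies entirely on the reverse-DNS name the trusted server already recorded, and the hostname gateway.craic.com is taken from the header above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the forged FBI headers quoted above, reassembled one
# header per line, with the Received header folded as it would be on the wire.
FORGED_MESSAGE = """\
Return-Path: <Web@fbi.gov>
Received: from nvwyu.gov (i528C1073.versanet.de [82.140.16.115])
 by gateway.craic.com (8.11.6/8.11.6) with SMTP id j1R0aU702669
 for <XYZ@craic.com>; Sat, 26 Feb 2005 16:36:30 -0800
From: Web@fbi.gov
To: XYZ@craic.com
Date: Sat, 26 Feb 2005 23:17:43 GMT
Subject: You visit illegal websites
Message-ID: <dea28bde431c7ce0c@fbi.gov>

"""

# Constructed control sample (hypothetical hosts under example.com): the HELO
# name, reverse DNS and claimed sender all agree, so no findings are expected.
CLEAN_MESSAGE = """\
Return-Path: <alice@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.25])
 by gateway.craic.com (8.11.6/8.11.6) with ESMTP id j1R0bXy12345
 for <XYZ@craic.com>; Sat, 26 Feb 2005 17:02:11 -0800
From: alice@example.com
To: XYZ@craic.com
Message-ID: <20050226170211.abc@example.com>

"""

# Sendmail-style clause: "from HELO-NAME (REVERSE-DNS [IP]) by SERVER ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                 # name the client announced in HELO/EHLO (unverified)
    r"\s*\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"  # reverse-DNS name the receiving MTA resolved, if any
    r"\[(?P<ip>[0-9.]+)\]\)"                # connecting IP address as seen by the receiving MTA
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def base_domain(hostname):
    """Last two labels of a hostname: i528C1073.versanet.de -> versanet.de.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Domain part of an address-bearing header (From, Return-Path, Message-ID)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def parse_received(value):
    """Parse one Received header; None if it is not in the expected form."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    return m.groupdict() if m else None


def analyze(raw_message, trusted_mta):
    """Compare the domains the message claims with the host that really delivered it."""
    msg = message_from_string(raw_message)
    claimed = {name: address_domain(msg[name])
               for name in ("From", "Return-Path", "Message-ID")}
    # Received headers are prepended hop by hop, so the first one in the block
    # was written by the last server to handle the message. Only the hop written
    # by a server we control is trustworthy; anything below it is the sender's word.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    findings = []
    if not hops or hops[0]["by"].lower() != trusted_mta.lower():
        findings.append("no trusted Received hop written by %s" % trusted_mta)
        return {"claimed": claimed, "hops": hops, "findings": findings}
    hop = hops[0]
    if not hop["rdns"]:
        findings.append("%s has no reverse DNS; cannot verify origin" % hop["ip"])
        return {"claimed": claimed, "hops": hops, "findings": findings}
    actual = base_domain(hop["rdns"])
    if base_domain(hop["helo"]) != actual:
        findings.append("HELO name %s does not match reverse DNS %s"
                        % (hop["helo"], hop["rdns"]))
    for name, domain in claimed.items():
        if domain and domain != actual:
            findings.append("%s claims %s but the connecting host was %s [%s]"
                            % (name, domain, hop["rdns"], hop["ip"]))
    return {"claimed": claimed, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(FORGED_MESSAGE, "gateway.craic.com")["findings"]:
        print(finding)
```

Run against the forged sample it reports four mismatches: the HELO name nvwyu.gov against the reverse-DNS host under versanet.de, and each of From, Return-Path and Message-ID claiming fbi.gov. The check deliberately stops at the first hop not written by the trusted server, because every Received line below that one could have been inserted by the sender along with the rest of the forgery.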
This illustrates how some email ...