[ale] Another Email question Reading Headers.

Ben Coleman oloryn at benshome.net
Mon Jun 26 15:47:10 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

H. A. Story wrote:
> Looking at this header from an email I just got.
> 
> Received: from localhost (localhost [127.0.0.1])
> 	by PC002.haswes.homelinux.org (Postfix) with ESMTP id CF04F176D12
> 	for <adrin at localhost>; Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
> Received: from mail.bellsouth.net [205.152.59.17]
> 	by localhost with POP3 (fetchmail-6.2.5.2)
> 	for adrin at localhost (single-drop); Sat, 24 Jun 2006 11:31:11 -0400 (EDT)

Yes, these two are you receiving the message via fetchmail.

> Received: from ibm15aec.bellsouth.net ([208.141.108.121])
>           by imf02aec.mail.bellsouth.net with ESMTP
>           id <20060624152806.LDLP2126.imf02aec.mail.bellsouth.net at ibm15aec.bellsouth.net>;
>           Sat, 24 Jun 2006 11:28:06 -0400
> Received: from soaserver3.architecture.local ([208.141.108.121])
>           by ibm15aec.bellsouth.net with ESMTP
>           id <20060624152803.SXCX22161.ibm15aec.bellsouth.net at soaserver3.architecture.local>;
>           Sat, 24 Jun 2006 11:28:03 -0400

ibm15aec.bellsouth.net does not resolve (and imf02aec.mail.bellsouth.net,
which you can be fairly sure is actually a bellsouth email server, does), and
208.141.108.121 reverse resolves to so-gw.tranquility.net and is in fact
inside tranquility.net's netblock.  The email server at 208.141.108.121 in
fact identifies itself as soaserver3.architecture.local.  To my mind, the fact
that both header lines purportedly are received from 208.141.108.121 makes the
servers at so-gw.tranquility.net look suspicious.  Either the second of these
two headers (and the following ones) is completely forged or the email server
at so-gw.tranquility.net (a.k.a. soaserver3.architecture.local) is forwarding
bellsouth email to a fictitious "bellsouth" server inside its own local
network, and letting that forward email to bellsouth.  This looks strange, to
say the least.

> Received: from hci1 ([68.33.211.140]) by soaserver3.architecture.local with Microsoft SMTPSVC(6.0.3790.1830);
> 	 Sat, 24 Jun 2006 10:28:01 -0500

If this isn't a forged header, this would seem to indicate the email
originated from a comcast.net host, perhaps a zombie.


> And the to: only shows undisclosed-recipients.

That's only the "header to:", which is pretty well for display only.  It's the
'envelope to' (the RCPT TO: address in the SMTP protocol) that actually
determines where the email is delivered.

Ben "Man, does Received: header parsing bring back memories, most of them bad"
Coleman
- --
Ben Coleman oloryn at benshome.net    | The attempt to legislatively
http://oloryn.home.mindspring.com/ | micromanage equality results, at best,
Amateur Radio NJ8J                 | in equal misery and mediocrity for all.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEoDm+QBcsLKrSBE8RAoo2AJsHJ253mn9OjpPJ/qiMv6tsOq9TLACfSnbS
DNdd/j5gPk8CMBCHrpifdZo=
=z3OJ
-----END PGP SIGNATURE-----
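As an added illustration (my own code, not part of Ben's reply or anything the ale list posted), the script below does by program what the reply does by eye: it parses the Received: chain quoted above with Python's standard email module, records for each hop the name the client announced, the address the receiving server saw, the server that wrote the line and its timestamp, then walks the chain newest-to-oldest and flags the things a header reader checks: consecutive hops claiming receipt from the same address (the 208.141.108.121 pattern in the thread), a hop whose 'from' host is not the host that wrote the next older line, non-public HELO names, and timestamps that run backwards. It also pulls the delivering MTA's 'for' clause, which records the RCPT TO recipient, next to the display-only To: header. The header sample is reconstructed from the quoted lines (re-folded, with the archive's ' at ' restored to '@'); the hostname heuristic and the function names are my own choices and are not something the thread specifies.

```python
"""Walk a message's Received: chain, newest hop first (the order in which the
headers are stacked), and flag the inconsistencies the reply reasons about by eye."""
import re
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed sample: the headers quoted in the thread, re-folded the way an
# MTA emits them; the list archive shows '@' as ' at '.
SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
\tby PC002.haswes.homelinux.org (Postfix) with ESMTP id CF04F176D12
\tfor <adrin@localhost>; Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
Received: from mail.bellsouth.net [205.152.59.17]
\tby localhost with POP3 (fetchmail-6.2.5.2)
\tfor adrin@localhost (single-drop); Sat, 24 Jun 2006 11:31:11 -0400 (EDT)
Received: from ibm15aec.bellsouth.net ([208.141.108.121])
          by imf02aec.mail.bellsouth.net with ESMTP
          id <20060624152806.LDLP2126.imf02aec.mail.bellsouth.net@ibm15aec.bellsouth.net>;
          Sat, 24 Jun 2006 11:28:06 -0400
Received: from soaserver3.architecture.local ([208.141.108.121])
          by ibm15aec.bellsouth.net with ESMTP
          id <20060624152803.SXCX22161.ibm15aec.bellsouth.net@soaserver3.architecture.local>;
          Sat, 24 Jun 2006 11:28:03 -0400
Received: from hci1 ([68.33.211.140]) by soaserver3.architecture.local with Microsoft SMTPSVC(6.0.3790.1830);
\t Sat, 24 Jun 2006 10:28:01 -0500
To: undisclosed-recipients:;
"""

HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FOR_RE = re.compile(r"\sfor\s+<?([^\s<>;]+)>?")


def parse_received(raw_headers):
    """One dict per Received: line, in header order (newest hop first)."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())            # unfold, squash whitespace
        hop = {"raw": line, "helo": None, "ip": None, "by": None,
               "for": None, "date": None}
        m = HOP_RE.match(line)
        if m:                                      # a 'from X by Y' relay hop
            hop["helo"] = m.group("helo")           # name the client announced
            hop["by"] = m.group("by")               # server that wrote the line
            ip = IP_RE.search(m.group("rest"))      # address that server saw
            hop["ip"] = ip.group(1) if ip else None
        fm = FOR_RE.search(line)                   # RCPT TO as the MTA recorded it
        hop["for"] = fm.group(1) if fm else None
        if ";" in line:                            # the date follows the last ';'
            try:
                hop["date"] = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append(hop)
    return hops


def analyze(hops):
    """Heuristic findings over the chain, each naming the hop index it applies to."""
    findings = []
    for i, hop in enumerate(hops):
        helo = (hop["helo"] or "").lower()
        # Heuristic (my assumption): a dotless name or a .local suffix is not public.
        if helo and helo != "localhost" and ("." not in helo or helo.endswith(".local")):
            findings.append(f"hop {i}: HELO name {hop['helo']!r} is not a public FQDN")
        if i + 1 >= len(hops):
            continue
        older = hops[i + 1]
        # The server that wrote the older line should be the host this line
        # says it received from; a mismatch means a gap or a forged hop.
        if helo and older["by"] and helo != older["by"].lower():
            findings.append(f"hop {i}: from {hop['helo']!r} but hop {i + 1} was written by {older['by']!r}")
        # Two consecutive hops both claiming receipt from the same address is
        # the pattern the reply flags: one is forged, or a host relays to itself.
        if hop["ip"] and hop["ip"] == older["ip"]:
            findings.append(f"hops {i} and {i + 1}: both claim receipt from {hop['ip']}")
        # An older hop stamped later than a newer one is clock skew or a forgery.
        if hop["date"] and older["date"] and older["date"] > hop["date"]:
            findings.append(f"hop {i + 1}: timestamp later than hop {i}")
    return findings


def delivery_recipient(hops):
    """Recipient the delivering MTA recorded in its 'for' clause (from RCPT TO);
    the To: header is display only and may just say 'undisclosed-recipients'."""
    return next((hop["for"] for hop in hops if hop["for"]), None)


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADERS)
    for i, hop in enumerate(chain):
        print(f"hop {i}: from {hop['helo']} [{hop['ip']}] by {hop['by']} at {hop['date']}")
    print("header To:", HeaderParser().parsestr(SAMPLE_HEADERS)["To"])
    print("delivered to:", delivery_recipient(chain))
    for finding in analyze(chain):
        print("!", finding)
```

On this sample the script reports the fetchmail POP3 hop as a from/by mismatch (expected: fetchmail writes the POP server's configured name, not an SMTP peer), the repeated 208.141.108.121 across the two bellsouth-looking hops, and the two non-public names (soaserver3.architecture.local, hci1); the timestamps run in the right order, so nothing is flagged there. The DNS checks Ben did (forward-resolving ibm15aec.bellsouth.net, reverse-resolving 208.141.108.121) are deliberately left out so the script runs offline; they are the obvious next step once you have the parsed hop list.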
