Email Header Preceedence
|
|
| Minimum Default Email Headers |
- Email Headers Required for Delivery of Emails
|
| Spam Tracing -- Email headers |
|
| Email Headers |
RFC-Editor.org RFC 822 - Mail header format
ftp.ISI.edu RFC 822 - Mail header format
ftp.ISI.edu RFC 1123 - Requirements for Internet Hosts
- To view ALL the emailheaders, use a text editor..
NOT an email client that will hide stuff from you
- To is required(?) -- nah
- UndisclosedRecepient@any-domain.com
- Cc is required(?) -- nah
- you dont need to CC yourself or anybody else
- X-anything none of this is needed/required for email
Rahul.net MailTrack - good header description ( local copy )
StopSpam.org header Info at bottom
- From
- always the first line in the headers
- Easily forged
- inserted by your MUA upon receipt of incoming emails
- From: the one with ":"
- Easily forged
- Defined on the email program you are using to send outgoing messages
- Message-Id:
- Easily forged
- Format of "unique_string@YourDomain.com" at the time the msg is created
- Reply-To:
- Easily forged
- Spammer will insert it if they want to receive your orders via email ( "reply-to" )
- Return-Path:
- Received:
- Very reliable
- Not too easy to forge
( spammer would need some significant MTA skills )
- List of mail servers the messaged passed thru from the sender to arrive to you
- Each server adds its own Received: header to the email
- Sender:
- MTAs are supposed to insert Sender: if the user modifies From:
- sometimes X-Sender:
|
Verify the Reply Address -- Validate the Sender
|
- Turn on auth (port 113)
on your local mta to validate the sender,
but there are tons of fake identd
- Received headers on your own incoming email server
with identd
From nobody@nowhere.com Sun Apr 1 hh:mm:ss year
Return-Path: nobody@nowhere.com
Received: from nowhere.com (smith@localhost [127.0.0.1]) by mail.AnotherDomain.com (8.12.6/8.12.6) with SMTP
Received: ... more stuff ...
Date: Sun, 1 Apr year hh:mm:ss -0500
From: Nobody
To: Santa Claus
- Notice that "smith@localhost" sent it ( from their own pc/workstation )
- Received headers on your own incoming email server
with-out identd
From nobody@nowhere.com Sun Apr 1 hh:mm:ss year
Return-Path: nobody@nowhere.com
Received: from nowhere.com (localhost [127.0.0.1]) by mail.AnotherDomain.com (8.12.6/8.12.6) with SMTP
Received: ... more stuff ...
Date: Sun, 1 Apr year hh:mm:ss -0500
From: Nobody
To: Santa Claus
- Notice that "somebody" sent it form their own pc/worstation
- Verify that we can reply back to the Sender
|
| More Details on Received |
- Received: is typically dependent on the Server
- To quickly check where your incoming emails are from
- grep "^Received: " /var/log/maillog
- From .... somebody... date.. time...
- First Received: line on the top is you ( your ISP )
- Last Received: line is the sender's ISP
- or in case of spammers, their hacked machine or open relay
- From: ...
- To: ...
- Subject: ...
- A typical free format Received header
"Received: from someDomain.com by yourDomain.com MessageID at 09:09:09 11 Jan 2003"
- A fake server named FakeDomain.com would NOT be at an ip# 1.2.3.4
"Received: from FakeDomain.com ( 1.2.3.4 ) by MoreDomains.com MessageID at 10:10:10 11 Jan 2003"
- use dig, nslookup on FakeDomain.com and on the ip#
- the email is probably forged/suspect/spam if the ip# doesnt doesnt match
- A Spammer using a (real) BrokenServer at 2.3.4.5
"Received: from AnyDomain.com ( BrokenServer.com 2.3.4.5 ) by MoreDomains.com MessageID at 20:21:22 11 Jan 2003"
- The real server name is BrokenDomain.com at ip# 2.3.4.5
|
| More Details on Received - From |
- Received: from root@localhost
- your machine is doing some work and email itself
- Received: from blueraja.scyld.com (dsl093-058-083.blt1.dsl.speakeasy.net [66.93.58.83])
- I happen to know it's a mailing list hosted on speakeasy.net
- Received: from imo-r02.mx.aol.com (imo-r02.mx.aol.com [152.163.225.98])
- a real email passing thru AOL's mail server
- Received: from elin.scali.no (IDENT:root@elin.scali.no [62.70.89.10])
- the user on elin.scali.no identified itself as the user root
- Received: from unknown (HELO catalina) (200.83.164.160)
|
| More Email Header Analysis |
|
| Where Did the Mail Come From |
- Last "Received" line in the list of "Received" headers
|
| Where to Reply To |
- Replies to incoming Emails
- Values the User can change at will
- Am guesssing ... am clueless on which comes first ...
- From(?) by default, replies goes to "From "
- Inserted by your own mail client by who it thought was sending it
- From:(?) will override "From "
- Typically override by majordomo "-l ListName"
- Reply(?) will override From:
- Reply-To(?) will override Reply
- Typically override by
- majordomo "-r ListName", replies goes to the list
- user can define "Reply-To" in their email app
- Return-Path(?) will override Reply-To
- bounces goes back to Return-Path
- Group Replies to incoming Emails
|
| MTA - Configuring Your Outgoing Mail Server |
- Changing Your Outgoing From Mail Server
- exim
- postfix
- sendmail -- DjMailServer.YourDomain.com
|
| MLA - Configuring Your Mail List Manager |
- Changing To "Reply to List" vs "Reply to Sender-Only" Address
- Majordomo ---- wrapper resend -r ListName -l ListName ...
- Reply to ListName@MailingList.com
- Show email came from ListName@MailingList.com
- Majordomo-1.94.5 Example ( my configuration scheme )
- From owner-ML@MailingList.com .....
- Return-Path: owner-ML@MailingList.com
- Reply-To: ML@MailingList.com
- From: UserID@Real.Your-Domain.com -- ( you )
- To: ML@MailingList.com
- Sender: Owner-ML@MailingList.com
- X-Sender: userID@Real.Your-Domain.com -- ( you )
- Pine and elm both see the original email sender as
- Pine and elm both see any replies posted as
"Original RespondingUser" ( you )
- mailman --
|
| MUA - Configuring Your Mail Clients |
- Changing Your Outgoing From Mail Server
- elm --- ~joe/.elm/elmrc -- or -- ~joe/.elm/elmheaders
- #
- # I, the spammer, want to get the order via email
- #
- Reply-To: joe@RealDomain.COM
- # Return-Path: joe@RealDomain.COM
- mutt -- ~/.muttrc
- pine -- ~/.pinerc
- #
- # Spammer pretending to be coming from Ebay.com
- #
- user-domain=CustommerSupport.Ebay.com
- netscape/mozilla config -- "pic"
- outlook config -- "pic"
|
| Email Ettiquette |
- Munging Headers
- Replying to Emails - Quoting, Trimming
- Top Posting, Inline Replies, Bottom Posting
|