Guide to email headers? How easily can these be forged?

[prowsej]

Background:
I was contacted be someone who got my name from eBay and wanted to sell me a product. When I asked for confirmation of his identity, he said that he would get eBay to send me an email confirming who he was. I suspected that the email I received was forged because there were grammar errors in the text. I emailed eBay and they have confirmed that the email did not originate from them after looking at the headers.

Questions:

• What is the different between the Return-Path, X-Mail-from, From, and Sender fields. Why is there so much redundancy?
• Why are a whole bunch of fields prefixed with an "X-"? How did this originate and why was it done?

These must be common questions, but a cursory Google search did not yield answers. If you could point me to a page with quick answers, that'd be great (I just don't want to read an entire book on this ). The header of the spoofed email is below. My email address is "prowsej@fastmail.fm".

Quote:

Return-Path: <aw-confirm@eBay.com>
Received: from frontend1.messagingengine.com (frontend1.internal [10.202.2.150])
by server2.fastmail.fm (Cyrus v2.1.9) with LMTP; Sat, 09 Aug 2003 12:02:05 -0400
X-Sieve: CMU Sieve 2.2
Received: from mail.messagingengine.com (localhost [127.0.0.1])
by localhost.localdomain (Postfix) with ESMTP id 60F7890717
for <prowsej@fastmail.fm>; Sat, 9 Aug 2003 12:02:07 -0400 (EDT)
Received: from 10.202.2.150 ([10.202.2.150] helo=mail.messagingengine.com) by messagingengine.com
with SMTP; Sat, 09 Aug 2003 12:02:07 -0400
X-Mail-from: aw-confirm@eBay.com
X-Delivered-to: <prowsej@fastmail.fm>
Received: from yourwebsite.com (tcmy.o.catv.onix.ro [80.96.131.25])
by mail.messagingengine.com (Postfix) with SMTP id 65CA1901ED
for <prowsej@fastmail.fm>; Sat, 9 Aug 2003 12:02:06 -0400 (EDT)
Reply-To: aw-confirm@eBay.com
From: aw-confirm@eBay.com
To: prowsej@fastmail.fm
Subject: Seller Confirmation
Sender: aw-confirm@eBay.com
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Sun, 9 Dec 2001 06:24:22 +0200
Message-Id: <20030809160206.65CA1901ED@mail.messagingengine.com>

[usf]

Quote:

Originally posted by prowsej
Background:
...snip...

Questions:

• What is the different between the Return-Path, X-Mail-from, From, and Sender fields. Why is there so much redundancy?
• Why are a whole bunch of fields prefixed with an "X-"? How did this originate and why was it done?

These must be common questions, but a cursory Google search did not yield answers. If you could point me to a page with quick answers, that'd be great (I just don't want to read an entire book on this ). The header of the spoofed email is below. My email address is "prowsej@fastmail.fm".

Please refer the below link. It may help you.
http://www.stopspam.org/email/headers/headers.html

[CyberSmurf]

The From & Reply-to addresses can be forged really easily. They are whatever you set up in your e-mail client account/persona.

I believe that the "X-Mail-from" header is a result of the particular client or method used to send the e-mail.
Eudora sends an "X-Sender" header that is a combination of the "Login Name" and Incoming Mail "Server".

[CyberSmurf]

Should I mention that the "Received:" headers are normally read from the bottom up.

In other words ...

Quote:

Received: from yourwebsite.com (tcmy.o.catv.onix.ro [80.96.131.25])
by mail.messagingengine.com (Postfix) with SMTP id 65CA1901ED
for <@fastmail.fm>; Sat, 9 Aug 2003 12:02:06 -0400 (EDT)

... is the one that you should look the hardest at.
When I "ping -a 80.96.131.25" I get "tcmy.o.catv.onix.ro [80.96.131.25]", which actually matches the url in the header. Looks like Romania.
If you want to pursue this you could try forwarding your e-mail to "abuse@onix.ro". I don't know if that is a valid address, but it's a place to start.

[Adrian Bell]

Also, you might want to edit your post to disguise your e-mail address as one way that spammers get hold of it is by trawling webpages like this one.

[DrStrabismus]

Most of your questions are covered usf's link, but:

Quote:

What is the different between the Return-Path, X-Mail-from, From, and Sender fields. Why is there so much redundancy?

From is your choice of real name and email address that you want the reader to see.

Sender/x-sender is supposed to represent the sending account,but its largely obsolete.

Return-path is added at the receiving end, from the SMTP "mail from", it is the address that delivery failures should go to.

X-Mail-from is Fastmail's own header that contains the SMTP "mail from". I've never seen the point of it since it duplicates return-path. I guess there may be cases where multiple return-paths are added and it might be useful for filtering.

[prowsej]

Thank you for all of the help everyone, especially DrStrabismus. I have a better idea of what to look for when determining the authenticity of a sender now.

[hadaso]

Quote:

Originally posted by DrStrabismus
X-Mail-from is Fastmail's own header that contains the SMTP "mail from". I've never seen the point of it since it duplicates return-path. I guess there may be cases where multiple return-paths are added and it might be useful for filtering.

The X-Mail-from header is added whan the email message enters FastMail's system. The Return-path header is supposed to be added by the server that makes the final delivery (when the message "leaves the SMTP world", to quote RFC 821). So theoretically they are not the same, though practically the return-path doesn't change when the message is transfered locally between FastMail's servers. If the message is redirected (by Sieve) outside of FastMail, then the final server somewhere else would add the return-path header. It should still be the same unless FastMail doesn't use this address in the MAIL FROM command use to relay the message (or some other SMTP server later in the chain alters the return-path). So theoretically there can be a difference.

[DrStrabismus]

The "mail from" is usually left unchanged when an email is redirected in real-time and altered when it's redirected after delivery. In the latter case there will be resent headers, and most servers don't bother to remove older return-path headers anyway.

In practice I've not really found a use for x-mail-from.

[hahngu]

Quote:

Originally posted by CyberSmurf
If you want to pursue this you could try forwarding your e-mail to "abuse@onix.ro". I don't know if that is a valid address, but it's a place to start.

I guess you mean abuse@iana.org.
http://network.csudh.edu/spam.html

Regards,
ha.h.ngu

[CyberSmurf]

Wow, that's reviving an old thread. &nbsp;


I believe that the intent of my post was that they could alert the provider about a customer running a scam.

[DavidJ]

Quote:

Originally Posted by prowsej

What is the different between the Return-Path, X-Mail-from, From, and Sender fields.

According to http://people.dsv.su.se/~jpalme/ietf...ttributes.html , which looks good,

the "From:" header represents "Authors or persons taking responsibility for the message. "

The "Sender:" header represents "The person or agent submitting the message to the network...."

For example: If you use your Gmail account to send an email from your own domain, Google will use you@yourdomain.com as the From header and yourgmail@gmail.com as the Sender header.

Quote:

Originally Posted by prowsej

Why is there so much redundancy?

Too hard for me.

Quote:

Originally Posted by prowsej

Why are a whole bunch of fields prefixed with an "X-"?

In plain English, these are non-official headers, not defined by any official Internet standard. For example, I have seen several cPanel-based email systems which add a whole bunch of X- headers to outgoing mail for abuse tracking and control.

Quote:

Originally Posted by prowsej

How did this originate and why was it done?

The general idea already appears several times in an early Internet [pre-]standard, http://www.ietf.org/rfc/rfc1521.txt . The punchline is: "'X-' fields may be created for experimental or private purposes, with the recognition that the information they contain may be lost at some gateways." To understand this intuitively, look at their example starting with the words

X-Weird-Header-1: Foo

Thanks.
D.

[Bamb0]

Quote:

Originally Posted by penelopa99

Thanks for letting me know about other good stuff !
very often old threads prove usefull then

Yes they often do

Welcome to the site!

[anjana]

I am new to this site. But I should say that this is a very useful and informative page. I was searching for some information on “mail from” option and was glad to find a very good explanation of it.

[SethM]

The only thing you can really trust is the immediate IP address your server or your provider's server accepted the connection from.