How can I tell if these email headers are forged?


#1

I look at the header of this email, and it looks to me like it’s not forged. Any easy way to tell?

From: chris7582@wenval.com
Subject: Don`t worry, be happy!
Date: September 11, 2004 12:00:00 PM PDT
To: aret@example.com
Return-Path: chris7582@wenval.com
Delivered-To: m2590xx8@pippin.dreamhost.com
Received: from mail.giraffedesign.com (wvdm32.wenatcheevalley.com [66.119.221.83]) by pippin.dreamhost.com (Postfix) with SMTP id 65B6616D21E for aret@example.com; Sat, 11 Sep 2004 20:40:07 -0700 (PDT)
Message-Id: x483711671.4627169630619731999@revosupnd
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_17772_1233021.8532204184208"
X-Priority: 3

Thanks.


#2

[quote]I look at the header this email, and it looks to me like it’s not forged. Any easy way to tell?
[…]
Received: from mail.giraffedesign.com (wvdm32.wenatcheevalley.com [66.119.221.83]) by pippin.dreamhost.com (Postfix) with SMTP id 65B6616D21E for aret@example.com; Sat, 11 Sep 2004 20:40:07 -0700 (PDT)[/quote]
Forged in what sense?

In this case, there is only one Received line; it’s the one added by our machine, so it’s (hopefully) trustworthy. However, Received headers below that line could potentially be forged.

In that line, the first item (mail.giraffedesign.com) is the HELO string sent during the SMTP transaction. The second (wvdm32.wenatcheevalley.com) is the reverse DNS lookup on the client IP address (the point where the mail hit our system). The third is the most useful piece of information - the client IP (66.119.221.83).
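An added example, not code from the thread, that takes a Received line apart into the three fields described above (HELO string, reverse DNS, client IP), checks the HELO against the rDNS name, and walks a list of Received lines top-down to find the deepest line added by a host you operate. The function names and the set of "own" hosts are assumptions for the illustration; the sample line is the one quoted in the thread.

```python
import re
from typing import Optional

# Constructed sample: the single Received line quoted in the thread above.
SAMPLE_RECEIVED = (
    "from mail.giraffedesign.com (wvdm32.wenatcheevalley.com [66.119.221.83]) "
    "by pippin.dreamhost.com (Postfix) with SMTP id 65B6616D21E "
    "for aret@example.com; Sat, 11 Sep 2004 20:40:07 -0700 (PDT)"
)

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"                                   # HELO/EHLO string the client claimed
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"  # rDNS + IP recorded by the receiving MTA
    r"\s+by\s+(?P<by>\S+)"                                     # the MTA that added this line
    r"(?:\s+\([^)]*\))?"                                       # optional software name, e.g. (Postfix)
    r"(?:\s+with\s+(?P<proto>\S+))?"
    r"(?:\s+id\s+(?P<id>\S+))?"
    r"(?:\s+for\s+<?(?P<for>[^>;\s]+)>?)?"
    r"\s*;\s*(?P<date>.+)$"
)


def parse_received(value: str) -> Optional[dict]:
    """Split one Received header into named fields; None if it does not parse."""
    m = RECEIVED_RE.match(" ".join(value.split()))
    return m.groupdict() if m else None


def helo_matches_rdns(parsed: dict) -> bool:
    """Compare the last two labels of the HELO name and the rDNS name.
    The HELO string is chosen by the sender, so a mismatch is a signal to note,
    not proof of forgery on its own."""
    if not parsed.get("rdns"):
        return False
    tail = lambda host: ".".join(host.lower().rstrip(".").split(".")[-2:])
    return tail(parsed["helo"]) == tail(parsed["rdns"])


def originating_client(received_lines: list, own_hosts: set) -> Optional[dict]:
    """Walk Received lines newest-first. Lines added 'by' a host we operate are
    trustworthy; the deepest such line holds the IP of the external client that
    handed the message to us. Everything below it came from that client and may
    be forged. 'own_hosts' is an assumption supplied by the operator."""
    last_trusted = None
    for line in received_lines:
        parsed = parse_received(line)
        if parsed is None or parsed["by"] not in own_hosts:
            break
        last_trusted = parsed
    return last_trusted
```

For the thread's header, originating_client([SAMPLE_RECEIVED], {"pippin.dreamhost.com"}) returns the line with ip 66.119.221.83, and helo_matches_rdns reports that mail.giraffedesign.com and wvdm32.wenatcheevalley.com do not share a domain.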


#3

That’s what I was thinking… the ISP at 66.119.221.83 is telling me that the header is forged. So you are verifying that the 66.119.221.83 IP is the originating mail server?


#4

Which ISP? noanet.net?

And that’s definitely the originating mail server.


#5

Lookup is showing it as wenatcheevalley.com - which is an ISP. Their upstream is noanet.net (then verio). I contacted wenatcheevalley.com. Should I have contacted noanet.net?

Thanks.


#6

Yeah - I’d contact both wenval.com and noanet.net.

Not exactly. They (noanet) have connections (peering and/or transit) to a number of providers.


#7

Thanks.

wenval.com insists the header is false. I’ll be taking this up with noanet.