[conspire] The difference full SMTP headers makes

Rick Moen rick at linuxmafia.com
Mon Jul 30 15:32:39 PDT 2018


Following up on the scam-mail example of earlier:  We longtime Internet
denizens are often boggled at how many people fall for Internet bullsh**
of various sorts, and in particular at how badly even longtime Internet
users fail to catch SMTP _forgery_, i.e., mail that claims to be from
somewhere impressive or personally significant but is very obviously not
from there at all.  It turns out, WAY too many such people (Internet
users) have absolutely no idea how to show & examine full SMTP headers,
and thus are clueless about forgery.

People write to me in my listadmin or SMTP admin capacity and make
unlikely claims about mail my system has allegedly sent, and I ask for
examples with full SMTP headers -- and get sent (if anything) examples
_without_ those.  And, I think, yet again, wow, you're kidding.  You 
not only didn't know how, you also didn't try, and didn't even ask for
help?

So, to illustrate the difference, here's a pathetic fraud-mail just
received here.  The mutt mailer, which I prefer, defaults to showing 
abbreviated headers like just about all other user mail programs.  
_Below_ the example that follows is the _same_ mail after using mutt's
'h' command toggle to re-display the mail with full headers:

----- Forwarded message from "reply at google.com" <reply at googlemail.com> -----

Date: Mon, 30 Jul 2018 14:47:37 -0700
>From reply at googlemail.com Mon Jul 30 14: 4:17 2018
From: "reply at google.com" <reply at googlemail.com>
Subject: Re: Subject: Official Winning Notification
Reply-To: sp.gpateam at gmail.com
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.3K --]

Google Inc
1600 Amphitheatre Parkway
Mountain View, CA 94043

Good day Sir/Madam.

You have successfully been picked as one of our 12 Lucky Winners in this
months
+Lottery Draw, Please see attached file for more details.

Sincerely,
Sundar Pichai
CEO
Google Inc.

[-- Attachment #2: Official Winning Notification.jpg --]
[-- Type: image/jpeg, Encoding: base64, Size: 549K --]

[-- image/jpeg is unsupported (use 'v' to view this part) --]

----- End forwarded message -----

I haven't bothered to look at the attached JPEG image.  I really don't
care.  It's obvious to me that this is just another totally lame fraud
mail -- but the clincher doesn't arrive until you show _full_ headers,
as follows:

----- Forwarded message from "reply at google.com" <reply at googlemail.com> -----

Return-path: <reply at googlemail.com>
Envelope-to: rick at linuxmafia.com
Delivery-date: Mon, 30 Jul 2018 14:54:17 -0700
Received: from mx1.softhost.ro ([188.211.236.100])
	by linuxmafia.com with esmtp (Exim 4.72)
	(envelope-from <reply at googlemail.com>)
	id 1fkG7G-0003bn-JM
	for rick at linuxmafia.com; Mon, 30 Jul 2018 14:54:17 -0700
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mx1.softhost.ro (Postfix) with ESMTP id 80FF21DE256;
	Tue, 31 Jul 2018 00:47:39 +0300 (EEST)
X-Virus-Scanned: amavisd-new at h01.softhost.ro
Received: from mx1.softhost.ro ([127.0.0.1])
	by localhost (mx1.softhost.ro [127.0.0.1]) (amavisd-new, port 20026)
	with ESMTP id D9YVwZfkr4Ry; Tue, 31 Jul 2018 00:47:39 +0300 (EEST)
Received: from User (cm-84.209.48.106.getinternet.no [84.209.48.106])
	(Authenticated sender: office at nutritech.ro)
	by mx1.softhost.ro (Postfix) with ESMTPA id AC1E527D901;
	Tue, 31 Jul 2018 00:47:12 +0300 (EEST)
Reply-To: sp.gpateam at gmail.com
From: "reply at google.com" <reply at googlemail.com>
Subject: Re: Subject: Official Winning Notification
Date: Mon, 30 Jul 2018 14:47:37 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_005D_01C2A9A6.16CDE4D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20180730214739.80FF21DE256 at mx1.softhost.ro>
X-SA-Exim-Connect-IP: 188.211.236.100
X-SA-Exim-Mail-From: reply at googlemail.com
X-SA-Exim-Scanned: No (on linuxmafia.com); Message bigger than SAmaxbody
	(512000)

Google Inc
1600 Amphitheatre Parkway
Mountain View, CA 94043

Good day Sir/Madam.

You have successfully been picked as one of our 12 Lucky Winners in this months Lottery Draw, Please see attached file for more details.

Sincerely,
Sundar Pichai
CEO
Google Inc.



----- End forwarded message -----

The mail arrived at my linuxmafia.com SMTP server from IP address
188.211.236.100, which as shown has reverse-DNS identity mx1.softhost.ro
(in Romania).  All the rubbish about google.com and googlemail.com 
is forged information.
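Added example, not part of the post above: a small Python script that does mechanically what the post does by eye. It parses the Received: chain of the full-header message quoted above (embedded here as a constructed sample, with the archive's "at" obfuscation turned back into "@" and the body dropped), picks out the one Received: line written by your own server, and compares the connecting host with what the From: and Reply-To: headers claim. The only assumption is your own MTA's hostname, passed in as my_host ("linuxmafia.com" here); everything else comes from the headers on the page.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the full-header fraud mail from the post, headers only,
# "at" restored to "@" so the address parser sees real addresses.
RAW_MESSAGE = """\
Return-path: <reply@googlemail.com>
Envelope-to: rick@linuxmafia.com
Delivery-date: Mon, 30 Jul 2018 14:54:17 -0700
Received: from mx1.softhost.ro ([188.211.236.100])
\tby linuxmafia.com with esmtp (Exim 4.72)
\t(envelope-from <reply@googlemail.com>)
\tid 1fkG7G-0003bn-JM
\tfor rick@linuxmafia.com; Mon, 30 Jul 2018 14:54:17 -0700
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby mx1.softhost.ro (Postfix) with ESMTP id 80FF21DE256;
\tTue, 31 Jul 2018 00:47:39 +0300 (EEST)
Received: from mx1.softhost.ro ([127.0.0.1])
\tby localhost (mx1.softhost.ro [127.0.0.1]) (amavisd-new, port 20026)
\twith ESMTP id D9YVwZfkr4Ry; Tue, 31 Jul 2018 00:47:39 +0300 (EEST)
Received: from User (cm-84.209.48.106.getinternet.no [84.209.48.106])
\t(Authenticated sender: office@nutritech.ro)
\tby mx1.softhost.ro (Postfix) with ESMTPA id AC1E527D901;
\tTue, 31 Jul 2018 00:47:12 +0300 (EEST)
Reply-To: sp.gpateam@gmail.com
From: "reply@google.com" <reply@googlemail.com>
Subject: Re: Subject: Official Winning Notification
Date: Mon, 30 Jul 2018 14:47:37 -0700
Message-Id: <20180730214739.80FF21DE256@mx1.softhost.ro>

(body omitted)
"""

# "from NAME (rdns [ip]) [(Authenticated sender: user)] ... by HOST"
RECEIVED_RE = re.compile(
    r"^from\s+(?P<name>\S+)"                                # host as named by the receiving MTA
    r"(?:\s+\((?P<paren>[^)]*)\))?"                         # optional "(rdns [ip])" or "([ip])"
    r"(?:\s+\(Authenticated sender:\s*(?P<auth>[^)]+)\))?"  # Postfix SASL submission note
    r".*?\bby\s+(?P<by>\S+)"                                # the MTA that wrote this line
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(msg):
    """Return one dict per Received: header, topmost (most recent hop) first."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())  # unfold continuation lines
        m = RECEIVED_RE.match(text)
        if not m:
            continue
        paren = m.group("paren") or ""
        ip = IP_RE.search(paren)
        hops.append({
            "name": m.group("name"),
            "rdns": paren.split("[")[0].strip() or None,
            "ip": ip.group(1) if ip else None,
            "auth": m.group("auth"),
            "by": m.group("by"),
        })
    return hops


def domain_of(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def related(host, domain):
    """True if host is domain itself or a subdomain of it."""
    if not domain:
        return False
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def analyse(raw_message, my_host):
    msg = email.message_from_string(raw_message)
    hops = parse_received(msg)
    # Only the Received: line written by your own MTA is trustworthy; every
    # line below it arrived inside the message and may be fabricated.
    trusted = next((h for h in hops if h["by"] == my_host), None)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    findings = []
    if trusted is None:
        findings.append(f"no Received: line written by {my_host}")
    elif not related(trusted["name"], from_domain):
        findings.append(f"From: claims {from_domain} but the mail arrived from "
                        f"{trusted['name']} [{trusted['ip']}]")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To: points at {reply_domain}, not {from_domain}")
    for h in hops:
        if h["auth"] and not related(h["auth"].rsplit("@", 1)[-1], from_domain):
            findings.append(f"submitted through authenticated account {h['auth']}")
    return {"hops": hops, "trusted_hop": trusted, "from_domain": from_domain,
            "reply_to_domain": reply_domain, "findings": findings}


if __name__ == "__main__":
    report = analyse(RAW_MESSAGE, "linuxmafia.com")
    for hop in report["hops"]:
        print(f"{hop['name']:<20} {hop['ip'] or '-':<16} -> by {hop['by']}")
    for finding in report["findings"]:
        print("!", finding)
```

Run as-is, it lists the four hops and flags the three things the post points at: the connection came from mx1.softhost.ro [188.211.236.100] and not from anything under googlemail.com, the Reply-To: goes to a gmail.com address rather than the claimed sender, and the bottom Received: line shows the message was injected through an authenticated account at an unrelated domain. Note that the "rdns" field simply repeats what the intermediate MTA wrote; only the hop written by my_host is something you can actually vouch for.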