[sf-lug] Bot-generated nonsense

Rick Moen rick at linuxmafia.com
Fri Dec 30 22:35:59 PST 2022


Quoting Todd Hawley (celticdm at gmail.com):

> I'm not sure what "full SMTP header" means myself, but I'm going to guess
> you are referring to the relay points any email takes in its journey from
> the
> originator to its end point.

Pretty much.  The "Received:" and some others are crucial in
knowing what really happened, and are particularly important if there's
the possibility of SMTP forgery by a bad actor.  Forged mails require
some expertise to analyse accurately, e.g., the bad actor _can_, if
really good at his/her trade, inject a few bogus Received: headers,
but skilled readers should be able to at least find the last-hop
IP/FQDN, despite the disinformation.

Anyway, here are the headers from a mail in the _typical_ sort of
abbreviated form, as shown to me by the mutt MUA.  (Mutt's
display of headers can be adjusted as desired in the .muttrc file.)
Then, following that, are the full headers, as I received them, from the
same e-mail.

In this case, there is exactly one Received: header (an honest one),
because this was literally a one-hop delivery, directly from SMTP
host mta94-use2.e-activist.com (IP address 66.187.205.238) to SMTP
host linuxmafia.com.

Notice, though, that for purposes of presentation,
mta94-use2.e-activist.com said the mail was from hostname
enbounce.savingplaces.org, and that the mail was from
email at savingplaces.org -- which is perfectly legitimate, by the way.
mta94-use2.e-activist.com probably sends out mail professing to be from
many associated domains.

We're getting into the weeds, but notice also that there is both a 
"From " header and a "From: " header.  The former is the "envelope" 
header, and the latter an internal header inside the SMTP envelope.

(I won't bother to include the message text, but you know what it
says:  They want money. ;->  )




Date: Fri, 30 Dec 2022 09:07:39 -0500 (EST)
From us-bounces at enbounce.savingplaces.org Fri Dec 30 06: 8:12 2022
From: "Elizabeth Bruns, National Trust for Historic Preservation" <email at savingplaces.org>
To: rick at linuxmafia.com
Subject: Important update on our End-of-Year match campaign ???
Reply-To: National Trust for Historic Preservation <email at savingplaces.org>



From us-bounces at enbounce.savingplaces.org Fri Dec 30 06: 8:12 2022
Return-path: <us-bounces at enbounce.savingplaces.org>
Envelope-to: rick at linuxmafia.com
Delivery-date: Fri, 30 Dec 2022 06:08:12 -0800
Received: from mta94-use2.e-activist.com ([66.187.205.238])
        by linuxmafia.com with esmtp (Exim 4.72)
        (envelope-from <us-bounces at enbounce.savingplaces.org>)
        id 1pBG2z-0000yq-Ss
        for rick at linuxmafia.com; Fri, 30 Dec 2022 06:08:12 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=enkey1; d=savingplaces.org;
        h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:
        List-Unsubscribe-Post:Feedback-ID; i=email at savingplaces.org;
        bh=IrW6puDZCScXxJYN7DEXdHUtPkP5rS021XIf99CGqZ0=;
        b=hm3bCj/7AOWEitgOymlCiCioNriGiqDVmCB+h/n+HQKZ0z2dECwOsUE1JOuIg3shDgrnUZfCMfk0
        MT0QTDb0L1KKzd3z6wr1ZSaYk1GjrRUpBnH28b0l4IDwiuFSz0jG9bVE+YK1+C4wlF82kD6MgcQj
        VWUCl/aw3nMfDEgcI0k=
Received: by mta94-use2.e-activist.com id hlroam31f00m for
        <rick at linuxmafia.com>; Fri, 30 Dec 2022 09:07:39 -0500 (envelope-from
        <us-bounces at enbounce.savingplaces.org>)
Date: Fri, 30 Dec 2022 09:07:39 -0500 (EST)
From: "Elizabeth Bruns, National Trust for Historic Preservation" <email at savingplaces.org>
Reply-To: National Trust for Historic Preservation <email at savingplaces.org>
To: rick at linuxmafia.com
Message-ID: <438715317.51981343.1672409259010 at use2-prd-job2>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_Part_51981342_1881122489.1672409259010"
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Feedback-ID: 211557:10028:engaging
campaignerId: 16808173
X-Auto-Response-Suppress: OOF
x-dkim-options: key-list=enlist1; s=enkey1; d=savingplaces.org
x-job: national_trust_for_211557
broadcastSendId: 211557;
X-Virtual-MTA: mta94-use2
Subject: Important update on our End-of-Year match campaign ???
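As an added example (my own code, not part of Rick's post), here is a
small Python script that does what the post describes by hand: it trusts
only the topmost Received: line, the one our own MTA wrote, pulls the
last-hop HELO name and peer IP out of it, and then compares the envelope
sender (Return-path:, or the mbox "From " line) with the header From: and
the DKIM d= domain the way DMARC identifier alignment does.  It assumes
the receiving MTA is linuxmafia.com (OUR_MTA).  The first sample is
adapted from the full headers above ("at" restored to "@", archive line
wrapping undone, the b= value truncated, since the script never verifies
the signature); the second is a constructed forgery using RFC 5737 /
example.net documentation addresses, where the peer HELOs as
mail.savingplaces.org and plants a bogus Received: line below ours.

```python
"""Added example (not from the post): trust only the Received: line our own
MTA wrote, and check envelope sender, header From: and DKIM d= alignment."""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_MTA = "linuxmafia.com"  # assumption: the receiving MTA we trust

# Adapted from the full headers in the post ("@" restored, archive line
# wrapping undone, DKIM b= value truncated).
SAMPLE_HONEST = """\
From us-bounces@enbounce.savingplaces.org Fri Dec 30 06:08:12 2022
Return-path: <us-bounces@enbounce.savingplaces.org>
Received: from mta94-use2.e-activist.com ([66.187.205.238])
        by linuxmafia.com with esmtp (Exim 4.72)
        (envelope-from <us-bounces@enbounce.savingplaces.org>)
        id 1pBG2z-0000yq-Ss
        for rick@linuxmafia.com; Fri, 30 Dec 2022 06:08:12 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=enkey1; d=savingplaces.org;
        h=Date:From:Reply-To:To:Message-ID:Subject; i=email@savingplaces.org;
        bh=IrW6puDZCScXxJYN7DEXdHUtPkP5rS021XIf99CGqZ0=; b=hm3bCj/7AOWEitgOymlCiCio
Received: by mta94-use2.e-activist.com id hlroam31f00m for
        <rick@linuxmafia.com>; Fri, 30 Dec 2022 09:07:39 -0500 (envelope-from
        <us-bounces@enbounce.savingplaces.org>)
From: "Elizabeth Bruns, National Trust for Historic Preservation" <email@savingplaces.org>
"""

# Constructed forgery: the peer HELOs as mail.savingplaces.org and plants a
# bogus Received: line below ours, but the line our MTA wrote records the
# real peer address (an RFC 5737 documentation IP).  No Return-path:, so
# the envelope sender has to come from the mbox "From " line.
SAMPLE_FORGED = """\
From bounce@example.net Sat Dec 31 02:00:00 2022
Received: from mail.savingplaces.org ([203.0.113.7])
        by linuxmafia.com with esmtp (Exim 4.72)
        (envelope-from <bounce@example.net>)
        id 1pBXYZ-0000aa-Aa
        for rick@linuxmafia.com; Sat, 31 Dec 2022 02:00:00 -0800
Received: from mta94-use2.e-activist.com ([66.187.205.238])
        by mail.savingplaces.org with esmtp id fake0001;
        Sat, 31 Dec 2022 01:59:00 -0800
From: "National Trust for Historic Preservation" <email@savingplaces.org>
"""

# "from HELO ([ip])" as Exim writes it, or "from HELO (rdns [ip])" as Postfix does
FROM_CLAUSE = re.compile(
    r"from\s+(?P<helo>[\w.-]+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[^\]]+)\]\)", re.I)
BY_CLAUSE = re.compile(r"\bby\s+(?P<host>[\w.-]+)", re.I)


def parse(raw):
    # policy.default unfolds continuation lines and keeps the mbox "From " line
    return email.message_from_string(raw, policy=policy.default)


def last_hop(msg):
    """(helo_name, peer_ip, by_host) from the topmost Received: line, or None.
    Received: lines are prepended, so the first one is the newest; if OUR_MTA
    did not write it, nothing further down the chain can be trusted either."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    top = " ".join(str(received[0]).split())  # normalise folding whitespace
    by = BY_CLAUSE.search(top)
    if not by or by.group("host").lower() != OUR_MTA:
        return None
    m = FROM_CLAUSE.match(top)
    return (m.group("helo"), m.group("ip"), by.group("host")) if m else None


def domain_of(addr_spec):
    return addr_spec.rpartition("@")[2].lower()


def aligned(from_domain, other, strict=False):
    """DMARC-style alignment; relaxed mode also accepts a subdomain relationship
    (real DMARC compares organizational domains via the public suffix list)."""
    if from_domain == other:
        return True
    if strict or not other:
        return False
    return other.endswith("." + from_domain) or from_domain.endswith("." + other)


def analyse(raw):
    msg = parse(raw)
    env = parseaddr(str(msg.get("Return-path", "")))[1]
    if not env and msg.get_unixfrom():
        env = msg.get_unixfrom().split()[1]  # 2nd token of the mbox "From " line
    header_from = parseaddr(str(msg.get("From", "")))[1]
    dm = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    dkim_domain = dm.group(1).lower() if dm else None
    from_dom, env_dom = domain_of(header_from), domain_of(env)
    return {
        "last_hop": last_hop(msg),
        "envelope_sender": env,
        "header_from": header_from,
        "dkim_domain": dkim_domain,
        "envelope_aligned_relaxed": aligned(from_dom, env_dom),
        "envelope_aligned_strict": aligned(from_dom, env_dom, strict=True),
        "dkim_aligned": bool(dkim_domain) and aligned(from_dom, dkim_domain),
    }
```

Run analyse() over both samples: for the honest mail the last hop is
mta94-use2.e-activist.com at 66.187.205.238, the DKIM d= domain equals the
From: domain, and the envelope domain enbounce.savingplaces.org aligns with
savingplaces.org only in relaxed mode.  For the forgery the HELO name says
mail.savingplaces.org but the peer IP our MTA recorded is 203.0.113.7, the
envelope domain example.net does not align with From: at all, and there is
no DKIM signature; the Received: line claiming a hop via e-activist.com is
never consulted because it sits below the one we wrote.  Actually verifying
a DKIM signature needs a DNS lookup of the selector's public key (a library
such as dkimpy does that); this script only checks the domains line up.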