
Re: a question on email headers



On Tuesday 15 April 2003 02:34 am, Al Davis wrote:
> Received: from foo.bar.edu ([192.168.99.199])
>         by my.computer.net with esmtp (Exim 3.35 #1 (Debian))
>         id 195LgM-0001Yv-00
>         for <me@my.computer.net>; Tue, 15 Apr 2003 02:20:46
> Received: (from davialbe@localhost)
>         by foo.bar.edu (8.11.6/8.11.6) id h3F8Lu930444
>         for me@my.computer.net; Tue, 15 Apr 2003 02:21:56

On Tuesday 15 April 2003 03:17 am, Alvin Oga wrote:
> given the info, I'd guess
> a. you sent from your davialbe acct
> b. you received on your foo.bar.edu acct

No.  Received by me@my.computer.net.


The second one was placed there by the sending system.  I 
realize that that one and any before it can be faked.

The first one was generated by mine.  I know that the name 
(foo.bar.edu) comes from the "HELO" command by the MTA, and it 
could say anything there.

I suppose, as Anders said, that the IP number is almost 
guaranteed to be valid.  It is the address of the system that 
logged into port 25.  Thinking about it a little more...  A 
particular system would be on some subnet.  If it claims to be 
something completely different, it would be a different subnet, 
and would be blocked.

So, it seems to me that it IS possible to claim to be a 
different machine on the same subnet.

> am thinking, there should be another received line entry
> between these 2 headers  unless you used your "laptop" to
> send email to your bar.edu acct from inside their lan

No.  That's all.  Only 2.  The sending computer has its own MTA 
and does not rely on a smart host.  Both are directly on the 
net.

If there is a middle one, that could be faked.
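
Added example, not part of the original post: a short Python parser that splits the two Received headers quoted above into the HELO name the sender claimed, the peer address the receiving MTA recorded, and a flag for whether the header was written by the receiving host. The function name `received_hops`, the dict keys, and the single-receiving-MTA assumption are illustrative choices.

```python
import re
from email import message_from_string

# Constructed message: the two Received headers are the ones quoted in the post;
# the Subject line and body are filler so the parser sees a complete message.
RAW = (
    "Received: from foo.bar.edu ([192.168.99.199])\n"
    "\tby my.computer.net with esmtp (Exim 3.35 #1 (Debian))\n"
    "\tid 195LgM-0001Yv-00\n"
    "\tfor <me@my.computer.net>; Tue, 15 Apr 2003 02:20:46\n"
    "Received: (from davialbe@localhost)\n"
    "\tby foo.bar.edu (8.11.6/8.11.6) id h3F8Lu930444\n"
    "\tfor me@my.computer.net; Tue, 15 Apr 2003 02:21:56\n"
    "Subject: constructed\n"
    "\n"
    "body\n"
)

# "from <HELO name> ([<peer IP>])", optionally with a looked-up name before the IP.
FROM_RE = re.compile(r"^from\s+(\S+)\s+\((?:\S+\s+)?\[([^\]]+)\]\)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def received_hops(raw, my_host):
    """Return one dict per Received header, newest (topmost) first."""
    hops = []
    for i, value in enumerate(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        frm, by = FROM_RE.search(text), BY_RE.search(text)
        by_host = by.group(1) if by else None
        hops.append({
            "by": by_host,
            # HELO name: whatever the connecting MTA chose to say.
            "helo_claim": frm.group(1) if frm else None,
            # Peer address: recorded by the receiving MTA from the TCP connection.
            "peer_ip": frm.group(2) if frm else None,
            # Assumption: a single receiving MTA, so only the topmost header
            # naming my_host was written by us; everything below it arrived
            # as message data and could have been supplied by the sender.
            "written_by_us": i == 0 and by_host == my_host,
        })
    return hops


if __name__ == "__main__":
    for hop in received_hops(RAW, "my.computer.net"):
        print(hop)
```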


