Date: Fri, 1 Aug 2003 21:47:03 -0400 (EDT)
how to tell if mail addresses are forged.

People are getting junk mail, spam, and viruses that look like they
come from reliable sources.  So how can you tell if some
mail isn't what it says it is?  Well, the From: address
is useless - it is easy to forge, and freshmen have great fun
sending each other messages with forged From: and Reply-to:
addresses.

The secret is the "Received:" lines that you will see if you
can convince your mail reader to show you *all* the headers.
Really long lines are continued on the next line with a tab at
the beginning of each continuation, so only the lines up
against the left margin are the real beginnings of a header line.
These lines look like this:

> From admin@cs.dartmouth.edu  Fri Aug  1 18:34:16 2003
> Return-Path: 
> Received: from mailhub.Dartmouth.EDU (mailhub.Dartmouth.EDU [129.170.16.6])
>         by mail.cs.dartmouth.edu (8.12.8/8.12.8) with ESMTP id h71MYGrb003274
>         for ; Fri, 1 Aug 2003 18:34:16 -0400
> Received: from localhost (dhcp-ftcbldg5pc-oae-aah081.fc.hp.com [15.238.7.81])
>         by mailhub.Dartmouth.EDU (8.9.3+DND/8.9.3) with SMTP id SAA25503
>         for ; Fri, 1 Aug 2003 18:34:01 -0400 (EDT)
and are like postmarks on an envelope traveling through the mail.
The starting lines are on the bottom, and lines get added on the
top as the message passes on its way.  You can see on the lower Received:
line that the mail came from a host calling itself "localhost" which
is really in the hp.com domain.  This is quite different from the
"From admin@cs.dartmouth.edu" line.

Here is a valid pair of Received: lines:

> From service@REI.COM  Tue Jul  8 03:30:37 2003
> Return-Path: 
> Received: from AS400DC.REI.COM (ahq_p.rei.com [206.81.222.24])
>         by mail.cs.dartmouth.edu (8.12.8/8.12.8) with ESMTP id h687Ua9E011143
>         for ; Tue, 8 Jul 2003 03:30:36 -0400
> Received: by AS400DC.REI.COM (IBM OS/400 ANYMAIL/400 MIME V5R2M0) Tue,  8 Jul 2003  00:30:03 -0700

See how the From line and lowest Received: line both say rei.com.

Note that a clever forger can add her own Received: line at the bottom,
but she cannot delete or change any of the real Received: lines.
You should be able to see each mail handoff from one computer to another
in these lines.
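The same check done by hand above, written out as a small script: it unfolds the tab-continued header lines, reads the Received: lines bottom-up, and compares the domain in the From line with where the mail really entered the relay chain. This is an added example, not part of the original message; the two header blocks are constructed from the ones quoted above (recipient addresses omitted).

```python
import re
# Constructed samples modelled on the two quoted header blocks above.
FORGED = """\
From admin@cs.dartmouth.edu  Fri Aug  1 18:34:16 2003
Received: from mailhub.Dartmouth.EDU (mailhub.Dartmouth.EDU [129.170.16.6])
\tby mail.cs.dartmouth.edu (8.12.8/8.12.8) with ESMTP id h71MYGrb003274
Received: from localhost (dhcp-ftcbldg5pc-oae-aah081.fc.hp.com [15.238.7.81])
\tby mailhub.Dartmouth.EDU (8.9.3+DND/8.9.3) with SMTP id SAA25503
"""
GENUINE = """\
From service@REI.COM  Tue Jul  8 03:30:37 2003
Received: from AS400DC.REI.COM (ahq_p.rei.com [206.81.222.24])
\tby mail.cs.dartmouth.edu (8.12.8/8.12.8) with ESMTP id h687Ua9E011143
Received: by AS400DC.REI.COM (IBM OS/400 ANYMAIL/400 MIME V5R2M0) Tue,  8 Jul 2003  00:30:03 -0700
"""

def unfold(raw):
    # Glue tab/space-indented continuation lines back onto the header above.
    lines = []
    for line in raw.splitlines():
        if line[:1] in ("\t", " ") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    # (claimed sender, name the relay resolved for it, relay) per hop,
    # oldest first: the bottom Received: line is the first handoff.
    hops = []
    for line in unfold(raw):
        if line.startswith("Received:"):
            frm = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^\s\[\]()]+))?", line)
            by = re.search(r"\bby\s+(\S+)", line)
            hops.append((frm and frm.group(1), frm and frm.group(2),
                         by and by.group(1)))
    return hops[::-1]

def domain(host):
    return ".".join(host.lower().split(".")[-2:])

def origin_domain(raw):
    # Trust the name the relay resolved over the sender's claim; fall back to the relay.
    claimed, resolved, relay = received_hops(raw)[0]
    return domain(resolved or claimed or relay)

def looks_forged(raw):
    # Red flag, not proof: a forger can still plant a bottom Received: line.
    sender = re.match(r"From\s+\S+@(\S+)", raw).group(1)
    return domain(sender) != origin_domain(raw)
```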

These lines are really helpful in tracking email, and if you ask for
help I may need to see those lines.  So please forward them to me
when you have mail problems, or save your whole message (without opening the
enclosures!) so that I can see the Received: lines.

        Wayne