About forging Received: headers

If you've ever been phished, or "spammed yourself", you know how easily spammers can forge the From: headers.  If you've ever gotten a message "cc'ed to" a whole bunch of addresses, which doesn't include yours, you know that To: and CC: headers can be forged, or used to obscure who's actually getting the message.

Forging Received: headers is a little different. With From: or To:, a sender can completely obliterate where the message actually came from or where it is actually going. With Received: headers, the real ones can't be removed, because every server that handles the message adds its own on the way. But fake ones can be added.

Fake Received: headers are necessarily the "oldest" Received: headers: they are on the message before any real Received: header is added. Since Received: headers are read from newest to oldest, with the newest at the top, fake headers end up at the bottom.

So, how can you tell which Received: headers are real and which are fake? Generally speaking, they are all real. But Received: headers should reflect a series of handoffs, with the host each header says it received the message "from" matching the host the header below it says it was received "by"; if you see a mismatch, that can be an indication of a forgery. (See our page on the elements of a Received: header for more details.) A header that claims to come from somewhere a little too straightforward, like google.com, could also raise suspicions.
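As an added illustration (not part of the original article), the following Python script walks a list of Received: headers newest-first and reports each hop whose "from" host does not match the "by" host of the next older header, which is the mismatch described above. The three headers, hostnames and addresses are constructed; the bottom one is a fake that a sender placed on the message before handing it off.

```python
import re

# Constructed sample: the Received: header values of one message, newest first.
# The bottom (oldest) header is a forgery: the real first hop above it says the
# message came "from sender-box.example.com", but the fake claims it was
# received "by smtp.google.com", so the handoff chain does not line up.
SAMPLE_RECEIVED = [
    "from mx1.example.net (mx1.example.net [192.0.2.10]) by inbox.example.org with ESMTP; Tue, 1 Jan 2019 10:00:02 +0000",
    "from sender-box.example.com (sender-box.example.com [198.51.100.7]) by mx1.example.net with ESMTP; Tue, 1 Jan 2019 10:00:01 +0000",
    "from mail.google.com (mail.google.com [203.0.113.5]) by smtp.google.com with SMTP; Tue, 1 Jan 2019 09:59:00 +0000",
]

# "from <host> ... by <host>" is the part of a Received: header that records a handoff.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE | re.DOTALL)


def parse_hop(header):
    """Return (from_host, by_host) for one Received: header value, or None if unparseable."""
    m = HOP_RE.search(header)
    if not m:
        return None
    return m.group("from").strip("()[]"), m.group("by").strip("()[];,")


def find_chain_breaks(received_headers):
    """Walk the chain newest-to-oldest and report every hop whose 'from' host
    does not match the 'by' host of the next older header. A break marks the
    point below which the remaining (older) headers cannot be trusted."""
    hops = [parse_hop(h) for h in received_headers]
    breaks = []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        if newer is None or older is None:
            breaks.append((i, "unparseable header in this hop pair"))
            continue
        if newer[0].lower() != older[1].lower():
            breaks.append((i, f"hop {i} says from {newer[0]!r}, but hop {i + 1} says by {older[1]!r}"))
    return breaks


def trusted_prefix(received_headers):
    """Return the headers from the top down to the first chain break, inclusive;
    everything older than that is suspect."""
    breaks = find_chain_breaks(received_headers)
    end = breaks[0][0] + 1 if breaks else len(received_headers)
    return received_headers[:end]


if __name__ == "__main__":
    for index, reason in find_chain_breaks(SAMPLE_RECEIVED):
        print(f"chain break after hop {index}: {reason}")
```

The check only catches forgeries whose "by" host fails to line up with the real hop above them; a consistent-looking fake still has to be judged on the other cues the article mentions.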

 
