OT: Bad web site
Fairlight
fairlite at fairlite.com
Fri Jan 27 08:03:00 PST 2017
On Fri, Jan 27, 2017 at 10:43:04AM -0500, Kenneth Brody thus spoke:
> On 1/27/2017 9:50 AM, Fairlight via Filepro-list wrote:
> >How would they do that?
> >
> >Received: headers are added at the MTA level. By that time, the message
> >has already left the control of the scammer's MUA.
> [...]
>
> So how do you explain this line from the post you just quoted?
>
> =====
> Received: from ovaloffice (ovaloffice [192.168.1.237])
> by outgoing.whitehouse.gov (Postfix) with ESMTP id E1234567890F
> for <filepro-list at lists.celestial.com>;
> Thu, 26 Jan 2017 12:15:27 -0500
> =====
That one is trivial. Even when looking at it, it didn't show up with the
rest of the Received: headers in the MTA-generated, contiguous block. It
showed up as a Received: header, alright, but it was separated by a bunch
of other headers. It basically came in as a user-supplied header that was
even spatially divorced from the actual legitimate block. It was so far
divorced that I had to re-scan to actually notice its presence.

Given how that happened, I'm not sure you could even force that header to
come in at the appropriate injection point. All it takes is one MUA or MTA
header between them to see it's not part of the real block. Considering
Message-ID was one of those headers, the odds of being able to do it shrink
considerably.

It was easily discerned as a fake, though.
mark->
--
Audio panton, cogito singularis.
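The check Mark describes by eye, as an added example that is not part of the original post or of the filePro project: MTAs prepend Received: headers, so the legitimate ones form one contiguous run at the top of the header section, and any Received: header that turns up after other headers (Message-ID, From, Subject, and so on) was already in the message before the first MTA touched it. The sample message is constructed for this example; the three top hops and the example.net/example.org hosts are invented, and the fourth Received: line reproduces the one quoted in the thread. Headers that a local delivery agent prepends above the block (Return-Path, Delivered-To) are deliberately not treated as separators.

```python
"""Flag Received: headers that sit outside the contiguous MTA-generated block."""
from __future__ import annotations

from email import message_from_string
from email.policy import default

# Constructed sample. The first three Received: headers are the legitimate
# MTA block; the last one sits among the MUA-written headers, separated from
# the block by From, To, Subject and Message-ID, exactly the pattern
# discussed in the thread.
SAMPLE_MESSAGE = """\
Return-Path: <someone@sender.example>
Received: from mx2.example.net (mx2.example.net [203.0.113.5])
\tby lists.example.com (Postfix) with ESMTPS id AAAAAAAAAAAA;
\tThu, 26 Jan 2017 12:20:01 -0800
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx2.example.net (Postfix) with ESMTP id BBBBBBBBBBBB;
\tThu, 26 Jan 2017 12:19:58 -0800
Received: from mail.sender.example (mail.sender.example [192.0.2.9])
\tby relay.example.org (Postfix) with ESMTP id CCCCCCCCCCCC;
\tThu, 26 Jan 2017 12:19:55 -0800
From: someone@sender.example
To: filepro-list@lists.example.com
Subject: test
Message-ID: <20170126121527.GA1234@mail.sender.example>
Received: from ovaloffice (ovaloffice [192.168.1.237])
\tby outgoing.whitehouse.gov (Postfix) with ESMTP id E1234567890F
\tfor <filepro-list@lists.example.com>;
\tThu, 26 Jan 2017 12:15:27 -0500
Date: Thu, 26 Jan 2017 12:15:27 -0500

body
"""


def audit_received_headers(raw_message: str) -> list[dict]:
    """Return one record per Received: header, in top-down order.

    Each record carries the unfolded header value ('hop'), whether it is
    still inside the contiguous run that starts at the first Received:
    header ('in_mta_block'), and the names of the non-Received headers that
    separate it from that run ('preceded_by').
    """
    msg = message_from_string(raw_message, policy=default)
    records: list[dict] = []
    seen_received = False   # headers above the first Received: are ignored
    in_mta_block = True     # flips to False at the first non-Received header after it
    separators: list[str] = []
    for name, value in msg.items():
        if name.lower() == "received":
            seen_received = True
            hop = " ".join(str(value).split())  # collapse folding whitespace
            records.append({
                "hop": hop,
                "in_mta_block": in_mta_block,
                "preceded_by": list(separators),
            })
        elif seen_received:
            in_mta_block = False
            separators.append(name)
    return records


def suspect_hops(raw_message: str) -> list[dict]:
    """Received: headers that cannot have been added by a relaying MTA."""
    return [r for r in audit_received_headers(raw_message) if not r["in_mta_block"]]


if __name__ == "__main__":
    for rec in audit_received_headers(SAMPLE_MESSAGE):
        tag = "MTA   " if rec["in_mta_block"] else "FORGED"
        print(f"{tag} {rec['hop'][:60]}")
        if rec["preceded_by"]:
            print(f"       separated from block by: {', '.join(rec['preceded_by'])}")
```

Run against the constructed message, the three top hops are reported as part of the MTA block and the ovaloffice line is flagged with From, To, Subject and Message-ID listed as the headers standing between it and the block. The check is positional only; it says nothing about whether the hops inside the block are themselves truthful, which needs the host-by-host comparison of "from" and "by" fields that Mark's reply takes for granted.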