OT: Bad web site
Kenneth Brody
kenbrody at spamcop.net
Fri Jan 27 08:40:30 PST 2017
On 1/27/2017 11:03 AM, Fairlight via Filepro-list wrote:
> On Fri, Jan 27, 2017 at 10:43:04AM -0500, Kenneth Brody thus spoke:
>> On 1/27/2017 9:50 AM, Fairlight via Filepro-list wrote:
>>> How would they do that?
>>>
>>> Received: headers are added at the MTA level. By that time, the message
>>> has already left the control of the scammer's MUA.
>> [...]
>>
>> So how do you explain this line from the post you just quoted?
>>
>> =====
>> Received: from ovaloffice (ovaloffice [192.168.1.237])
>> by outgoing.whitehouse.gov (Postfix) with ESMTP id E1234567890F
>> for <filepro-list at lists.celestial.com>;
>> Thu, 26 Jan 2017 12:15:27 -0500
>> =====
>
> That one is trivial. Even when looking at it, it didn't show up with the
> rest of the Received: headers in the MTA-generated, contiguous block. It
> showed up as a Received: header, alright, but it was separated by a bunch
> of other headers. It basically came in as a user-supplied header that was
> even spatially divorced from the actual legitimate block. It was so far
> divorced that I had to re-scan to actually notice its presence.
>
> Given how that happened, I'm not sure you could even force that header to
> come in at the appropriate injection point. All it takes is one MUA or MTA
> header between them to see it's not part of the real block. Considering
> Message-ID was one of those headers, the odds of being able to do it shrink
> considerably.
>
> It was easily discerned as a fake, though.
Easily discerned as fake, yes, if you know what you're looking at. My point
was that a simple "look at the last 'Received' line" is insufficient.
--
Kenneth Brody
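The distinction the thread turns on (a contiguous block of MTA-prepended trace headers at the top versus a Received: line that turns up below originator headers such as Message-ID) can be checked mechanically. The following Python is an added example written for this archive page, not code from the thread or from filePro. It assumes a heuristic list of header names that relaying MTAs prepend, and it parses a constructed sample message whose only non-invented line is the forged Received: header quoted above.

```python
import email

# Header names that MTAs prepend on each hop. Assumption: a heuristic list,
# not an exhaustive standard; anything else is treated as originator-supplied.
TRACE_HEADERS = {
    "received", "return-path", "delivered-to", "x-original-to",
    "authentication-results", "dkim-signature", "arc-seal",
    "arc-message-signature", "arc-authentication-results",
}

# Constructed sample: two legitimate hops, then originator headers, then the
# user-supplied Received: line from the thread sitting below Message-ID.
SAMPLE = "\n".join([
    "Return-Path: <sender@example.net>",
    "Received: from mail.example.net (mail.example.net [203.0.113.10])",
    "\tby mx.example.org (Postfix) with ESMTPS id AAAAAAAAAAAA",
    "\tfor <list@example.org>; Thu, 26 Jan 2017 12:16:01 -0500",
    "Received: from submit.example.net (localhost [127.0.0.1])",
    "\tby mail.example.net (Postfix) with ESMTP id BBBBBBBBBBBB;",
    "\tThu, 26 Jan 2017 12:15:58 -0500",
    "Message-ID: <20170126171527.placeholder@example.net>",
    "From: sender@example.net",
    "Received: from ovaloffice (ovaloffice [192.168.1.237])",
    "\tby outgoing.whitehouse.gov (Postfix) with ESMTP id E1234567890F",
    "\tfor <filepro-list at lists.celestial.com>;",
    "\tThu, 26 Jan 2017 12:15:27 -0500",
    "Subject: constructed sample",
    "",
    "body text",
])


def _unfold(value: str) -> str:
    """Collapse folded continuation lines into one space-separated string."""
    return " ".join(value.split())


def split_received(raw_message: str):
    """Return (block, stray).

    block: Received: headers inside the leading contiguous run of trace
           headers, i.e. the ones a relaying MTA could have prepended.
    stray: Received: headers that appear only after a non-trace header
           has already been seen; an MTA cannot insert there, so these are
           user-supplied and carry no evidential weight.
    """
    msg = email.message_from_string(raw_message)
    block, stray = [], []
    in_block = True
    for name, value in msg.items():
        lname = name.lower()
        if lname not in TRACE_HEADERS:
            in_block = False      # first originator header ends the block
            continue
        if lname == "received":
            (block if in_block else stray).append(_unfold(value))
    return block, stray


def naive_last_received(raw_message: str):
    """The 'look at the last Received line' rule the thread calls insufficient."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    return _unfold(received[-1]) if received else None


def earliest_legit_hop(raw_message: str):
    """Bottom-most Received: of the trace block: the earliest hop an MTA
    actually recorded, which is what the naive rule was trying to find."""
    block, _ = split_received(raw_message)
    return block[-1] if block else None


if __name__ == "__main__":
    block, stray = split_received(SAMPLE)
    print("trace block:", *block, sep="\n  ")
    print("stray (user-supplied):", *stray, sep="\n  ")
    print("naive last Received:", naive_last_received(SAMPLE))
    print("earliest legit hop:", earliest_legit_hop(SAMPLE))
```

On the sample, the naive rule returns the forged outgoing.whitehouse.gov line, while the block-aware check returns the mail.example.net hop and reports the forged line as stray. The position test is only a first filter: a header that an MTA did prepend can still lie about its "from" host, so the block itself should be read hop by hop as well.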