That's why I mentioned using the mailer's (often hidden) ability to view *all* the headers.
With virii and spam that have forged From lines, the Received headers will tell the real story.
The virii never forge those. And even wwith the spammers that do forge them, it's possible to spot where the forged lines start with a bit of work.
Here's tyhe *complete* headers (and start of the message) from the viruses attempt I got the other day:
Return-Path: <rwagner49@comcast.net> Received: from sccrmhc12.comcast.net (sccrmhc12.comcast.net [204.127.202.56]) by draq.pmaco.net (8.10.2/8.10.2) with ESMTP id h8J0otI26545 for <brooke@shadowgard.com>; Thu, 18 Sep 2003 17:50:55 -0700 Message-Id: <200309190050.h8J0otI26545@draq.pmaco.net> Received: from sccrmhc12.comcast.net (localhost[127.0.0.1]) by comcast.net (sccrmhc12) with ESMTP id <200309190050460120032vl9e>; Fri, 19 Sep 2003 00:50:46 +0000 X-Comment: AT&T Maillennium special handling codes - xc Date: Fri, 19 Sep 2003 00:42:24 +0000 (GMT) X-Comment: Sending client does not conform to RFC822 minimum requirements X-Comment: Date has been added by Maillennium. Received: from rnaa (pcp04369429pcs.nrockv01.md.comcast.net[69.140.213.219]) by comcast.net (sccrmhc12) with SMTP id <2003091900421901200hfuo6e>; Fri, 19 Sep 2003 00:42:22 +0000 X-Comment: AT&T Maillennium special handling code - c FROM: "Network Security Center" TO: "Client" <client@pzvufi.net> SUBJECT: Newest Network Update Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="yeaipsvlsglw" X-PMFLAGS: 570949760 0 1 P256D0.CNM
this is the latest version of security update, the "September 2003, Cumulative Patch" update which eliminates all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities. Install now to continue keeping your computer secure from these vulnerabilities, the most serious of which could allow an malicious user to run executable on your system. This update includes the functionality = of all previously released patches.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
momijizukamori and
no subject
Date: 19 Sep 2003 18:59 (UTC)With virii and spam that have forged From lines, the Received headers will tell the real story.
The virii never forge those. And even wwith the spammers that do forge them, it's possible to spot where the forged lines start with a bit of work.
Here's tyhe *complete* headers (and start of the message) from the viruses attempt I got the other day:
Return-Path: <rwagner49@comcast.net>
Received: from sccrmhc12.comcast.net (sccrmhc12.comcast.net [204.127.202.56])
by draq.pmaco.net (8.10.2/8.10.2) with ESMTP id h8J0otI26545
for <brooke@shadowgard.com>; Thu, 18 Sep 2003 17:50:55 -0700
Message-Id: <200309190050.h8J0otI26545@draq.pmaco.net>
Received: from sccrmhc12.comcast.net (localhost[127.0.0.1])
by comcast.net (sccrmhc12) with ESMTP
id <200309190050460120032vl9e>; Fri, 19 Sep 2003 00:50:46 +0000
X-Comment: AT&T Maillennium special handling codes - xc
Date: Fri, 19 Sep 2003 00:42:24 +0000 (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from rnaa (pcp04369429pcs.nrockv01.md.comcast.net[69.140.213.219])
by comcast.net (sccrmhc12) with SMTP
id <2003091900421901200hfuo6e>; Fri, 19 Sep 2003 00:42:22 +0000
X-Comment: AT&T Maillennium special handling code - c
FROM: "Network Security Center"
TO: "Client" <client@pzvufi.net>
SUBJECT: Newest Network Update
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yeaipsvlsglw"
X-PMFLAGS: 570949760 0 1 P256D0.CNM
--yeaipsvlsglw
Content-Type: multipart/related; boundary="sthjkfjznh";
type="multipart/alternative"
--sthjkfjznh
Content-Type: multipart/alternative; boundary="apfmqvszufedmgc"
--apfmqvszufedmgc
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
MS Client
this is the latest version of security update, the
"September 2003, Cumulative Patch" update which eliminates
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to continue keeping your computer secure
from these vulnerabilities, the most serious of which could
allow an malicious user to run executable on your system.
This update includes the functionality =
of all previously released patches.