1
I've received some strange e-mail recently. The e-mail has different From and Reply-To fields. It also has To set to "Undisclosed recipients", but that's not crucial.
At first I thought it was fake, but then I read this post, which mentions that the Received field can't be faked. It seems that Received is proper in the case of the e-mail I'm talking about:
Received: (wp-smtpd mx.tlen.pl 14490 invoked from network); 2 Oct 2018 07:19:36 +0200
Received: from mx.beniculturali.it ([194.242.241.200])
(envelope-sender <pm-pie.aglie@beniculturali.it>)
by mx.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-GCM-SHA384 encrypted SMTP
for <myemail@10g.pl>; 2 Oct 2018 07:19:36 +0200
Received: from sea2.mail.beniculturali.it (localhost.localdomain [127.0.0.1])
by localhost (Email Security Appliance) with SMTP id 15EE31ECEEA_BB2FFE8B;
Tue, 2 Oct 2018 05:19:36 +0000 (GMT)
Received: from MB2.mail.beniculturali.it (mb2.mail.beniculturali.it [192.168.123.122])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
(Client CN "email.beniculturali.it", Issuer "Actalis Authentication CA G3" (not verified))
by sea2.mail.beniculturali.it (Sophos Email Appliance) with ESMTPS id 1C9BD1E9E28_BB2FFE7F;
Tue, 2 Oct 2018 05:19:35 +0000 (GMT)
Received: from MB2.mail.beniculturali.it (192.168.123.122) by
MB2.mail.beniculturali.it (192.168.123.122) with Microsoft SMTP Server (TLS)
id 15.0.1395.4; Tue, 2 Oct 2018 07:19:30 +0200
Received: from ca4.mail.beniculturali.it (192.168.123.144) by
MB2.mail.beniculturali.it (192.168.123.122) with Microsoft SMTP Server (TLS)
id 15.0.1395.4 via Frontend Transport; Tue, 2 Oct 2018 07:19:29 +0200
Received: from MDC.mail.beniculturali.it ([192.168.123.171]) by
ca4.mail.beniculturali.it ([192.168.123.144]) with mapi; Tue, 2 Oct 2018
07:19:29 +0200
Is it possible to spoof the Received field somehow, perhaps using advanced techniques?
1
Actually, the answer you linked says "Note that an email passing through multiple hops can have some of the deeper headers spoofed as well." and in the context I read it, the author was referring directly to the Received field. – acejavelin – 2018-10-03T01:05:21.100
1
While his question is fine here, you should also be aware of https://security.stackexchange.com/ – Mawg says reinstate Monica – 2018-10-03T07:09:53.907
Although it's true any Received headers 'before' (below) a leading subsequence of trusted hosts can be faked, I don't see anything in your post that looks suspicious. Be aware there is no requirement that From and Reply-To are the same, or that either (or both) is the same as the host that actually sends the mail. One common and wholly legitimate case where they differ -- and usually recipients are hidden also -- is a mailing-list server. – dave_thompson_085 – 2018-10-03T08:11:59.383
... and on checking I see both of these were already explained in the post you linked. – dave_thompson_085 – 2018-10-03T08:20:19.167
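As an added example (not from the question or any of the comments), here is a Python sketch of the rule dave_thompson_085 describes: walk the Received chain from the top, trusting only stamps written by hosts you control (assumed here to be just mx.tlen.pl, the recipient's own MX); the first stamp written by an outside host ends the verifiable prefix, and everything below it could have been written by the sending server. The sample input is the first four headers from the question, refolded with indented continuation lines.

```python
import re

# Constructed sample: the first four Received headers quoted in the question,
# refolded with indented continuation lines as they appear in a raw message.
RAW_HEADERS = """\
Received: (wp-smtpd mx.tlen.pl 14490 invoked from network); 2 Oct 2018 07:19:36 +0200
Received: from mx.beniculturali.it ([194.242.241.200])
  (envelope-sender <pm-pie.aglie@beniculturali.it>)
  by mx.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-GCM-SHA384 encrypted SMTP
  for <myemail@10g.pl>; 2 Oct 2018 07:19:36 +0200
Received: from sea2.mail.beniculturali.it (localhost.localdomain [127.0.0.1])
  by localhost (Email Security Appliance) with SMTP id 15EE31ECEEA_BB2FFE8B;
  Tue, 2 Oct 2018 05:19:36 +0000 (GMT)
Received: from MB2.mail.beniculturali.it (mb2.mail.beniculturali.it [192.168.123.122])
  by sea2.mail.beniculturali.it (Sophos Email Appliance) with ESMTPS id 1C9BD1E9E28_BB2FFE7F;
  Tue, 2 Oct 2018 05:19:35 +0000 (GMT)
"""

# Assumption: the only host whose stamps the recipient can vouch for is their own MX.
TRUSTED_HOSTS = {"mx.tlen.pl"}
HOP_RE = re.compile(r"^from\s+(\S+)(.*?)\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_values(raw):
    """Unfold RFC 5322 continuation lines and return the Received: values, newest first."""
    logical = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return [l[len("Received:"):].strip() for l in logical if l.startswith("Received:")]

def classify_hops(raw, trusted_hosts=TRUSTED_HOSTS):
    """Each stamp was written by its 'by' host, so it is only verifiable while that host is
    ours; the first outside 'by' ends the trusted prefix and everything below is unverified."""
    hops, verifiable = [], True
    for value in received_values(raw):
        m = HOP_RE.match(value)
        if m is None:  # local bookkeeping stamp with no from/by pair (e.g. the wp-smtpd line)
            hops.append({"from": None, "ip": None, "by": None, "verified": verifiable})
            continue
        src, middle, dst = m.group(1), m.group(2), m.group(3)
        if dst not in trusted_hosts:
            verifiable = False
        ip = IP_RE.search(middle)  # the connecting IP as recorded by the 'by' host
        hops.append({"from": src, "ip": ip.group(1) if ip else None,
                     "by": dst, "verified": verifiable})
    return hops
```

The only hard fact in this chain is what mx.tlen.pl itself recorded: a connection from 194.242.241.200 claiming to be mx.beniculturali.it; the internal-looking hops below that were supplied by the sender's infrastructure and cannot be checked from the recipient's side.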