This is a post of my own, also published on other forums. I think this information may be useful here too.
------------------------------------------------
I decided to write this post, if only so that people stop mass-pasting the contents of e-mails with the question "what is this about".

Recently there has been a wave of e-mails, supposedly from Liberty Reserve or JBP, which are ordinary spam and an attempt to phish data or steal people's money. How do you tell which are real and which are fake? The easiest way is to analyse the message header. Every e-mail client has this option, and I think everyone can find it. I use Gmail, so using it as an example: to see the message header, click "more" (the button is at the top of the message, on the right, together with the date received; next to it are the "star" icon, the "reply" button shown as a left arrow, and a small "down" arrow which, when clicked, shows a context menu; the option we want is "Show original").

As an example, I will first paste the header of a genuine e-mail from Liberty Reserve (account opening confirmation).
Quote:Delivered-To: (naszmail)@gmail.com
Received: by 10.60.132.115 with SMTP id ot19csp166683oeb;
Thu, 15 Mar 2012 12:11:26 -0700 (PDT)
Received: by 10.213.29.2 with SMTP id o2mr585930ebc.53.1331838685701;
Thu, 15 Mar 2012 12:11:25 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mail.libertyreserve.com (mail.libertyreserve.com. [213.163.65.37])
by mx.google.com with ESMTP id d12si911145eei.106.2012.03.15.12.11.25;
Thu, 15 Mar 2012 12:11:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 213.163.65.37 as permitted sender) client-ip=213.163.65.37;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 213.163.65.37 as permitted sender) [email protected]; dkim=pass [email protected]
Message-Id: <[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=libertyreserve.com;
s=dk; t=1331838020; bh=lt0ZHbaRnMHtdIp1mCsD0BYLYCZ6n53FioAXDj22DHM=;
h=MIME-Version:From:To:Date:Subject:Content-Type:
Content-Transfer-Encoding;
b=l3fE7P10tUCXaamEMPAYM/ls9ahLYKftAUX7AAyLcCdo48erATauQTd9QdwdXl1JU
TKhs2TPpg/lTm5BLcEOiG1AjzwDjG7jyuSEM48gxSz0mxqyC12O6l6LRq79kFD2Qwp
6PdElcjYZaq/vmzJ76/+CbfINPK+YMxrqjj1NoJw=
Authentication-Results: mail.libertyreserve.com; dkim=none (no signature)
header.i=unknown; x-dkim-adsp=discard
MIME-Version: 1.0
From: [email protected]
To: (naszmail)@gmail.com
Date: 15 Mar 2012 19:12:38 +0000
Subject: Successful Liberty Reserve Registration
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
(message body below)
And an obvious fake (in this case a notice about a supposedly blocked account, which most of you probably received)
Quote:Delivered-To: (naszmail)@gmail.com
Received: by 10.60.37.133 with SMTP id y5csp15322oej;
Wed, 6 Jun 2012 03:56:02 -0700 (PDT)
Received: by 10.204.155.154 with SMTP id s26mr11563525bkw.129.1338980161620;
Wed, 06 Jun 2012 03:56:01 -0700 (PDT)
Return-Path: <[email protected]>
Received: from helium.brandedinternet.net (122.137.business-adsl.cybersmart.co.za. [196.41.122.137])
by mx.google.com with ESMTPS id x6si1538164wiw.36.2012.06.06.03.56.00
(version=TLSv1/SSLv3 cipher=OTHER);
Wed, 06 Jun 2012 03:56:01 -0700 (PDT)
Received-SPF: neutral (google.com: 196.41.122.137 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=196.41.122.137;
Authentication-Results: mx.google.com; spf=neutral (google.com: 196.41.122.137 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Date: Wed, 06 Jun 2012 03:56:01 -0700 (PDT)
Message-Id: <[email protected]>
Received: from [77.120.120.131] (helo=s2.zavtra.com.ua)
by helium.brandedinternet.net with esmtpa (Exim 4.69)
(envelope-from <[email protected]>)
id 1ScD8R-0002Ku-4e
for (naszmail)@gmail.com; Wed, 06 Jun 2012 12:06:39 +0200
Content-Type: multipart/alternative;
boundary="===============5262804270431227092=="
MIME-Version: 1.0
Subject: Your account has been blocked.
From: "Liberty Reserve" <[email protected]>
(message body below)
What should you look for? Apart from the message body, in which it is clearly written (in both the genuine and the fake e-mails from LR)
Quote:Please note that in all e-mails from Liberty Reserve we will:
1. Always address you by your first name.
2. Never send you any links or attached files.
3. Never ask you to send us your password and/or login PIN.
where the first two points are clearly broken (which I already wrote about somewhere on the forum), and apart from typos in the e-mail addresses (in the example we have libertyreseure), please pay attention to the bolded parts of both headers. In the case of the fake it is plain as day that the sender is not LR. I am not an "IT specialist", so I will not go into the header contents in detail, but they give enough information to determine which is "real" and which is "fake".
The situation is similar with e-mails from JBP. First, let's look at a genuine e-mail from JBP (a request to confirm the e-mail address, the first e-mail I got from JBP long before the "plague" of fake e-mails began).
Quote:Delivered-To: (naszmail)@gmail.com
Received: by 10.60.132.115 with SMTP id ot19csp10888oeb;
Sun, 11 Mar 2012 10:48:31 -0700 (PDT)
Received: by 10.14.136.75 with SMTP id v51mr1402228eei.73.1331488111064;
Sun, 11 Mar 2012 10:48:31 -0700 (PDT)
Return-Path: <[email protected]>
Received: from www.justbeenpaid.com ([84.38.232.202])
by mx.google.com with ESMTPS id r6si5378251eef.88.2012.03.11.10.48.30
(version=TLSv1/SSLv3 cipher=OTHER);
Sun, 11 Mar 2012 10:48:31 -0700 (PDT)
Received-SPF: neutral (google.com: 84.38.232.202 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=84.38.232.202;
Authentication-Results: mx.google.com; spf=neutral (google.com: 84.38.232.202 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: from www.justbeenpaid.com (localhost [127.0.0.1])
by www.justbeenpaid.com (8.13.8/8.13.8) with ESMTP id q2BHmUu1004821
for <(naszmail)@gmail.com>; Sun, 11 Mar 2012 18:48:30 +0100
Received: (from apache@localhost)
by www.justbeenpaid.com (8.13.8/8.13.8/Submit) id q2BHmURQ004819;
Sun, 11 Mar 2012 18:48:30 +0100
Date: Sun, 11 Mar 2012 18:48:30 +0100
Message-Id: <[email protected]>
From: [email protected]
To: (naszmail)@gmail.com
Subject: Please Confirm Your E-mail Address for JustBeenPaid!
(message body below)
And a fake (you won 250 LR USD)
Quote:Delivered-To: (naszmail)@gmail.com
Received: by 10.60.37.133 with SMTP id y5csp88317oej;
Tue, 5 Jun 2012 04:37:38 -0700 (PDT)
Received: by 10.68.222.133 with SMTP id qm5mr37161318pbc.113.1338896257882;
Tue, 05 Jun 2012 04:37:37 -0700 (PDT)
Return-Path: <[email protected]>
Received: from bizwebkorea.co.kr ([121.78.93.153])
by mx.google.com with ESMTPS id nv6si1905402pbc.298.2012.06.05.04.37.37
(version=TLSv1/SSLv3 cipher=OTHER);
Tue, 05 Jun 2012 04:37:37 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 121.78.93.153 as permitted sender) client-ip=121.78.93.153;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning [email protected] does not designate 121.78.93.153 as permitted sender) [email protected]
Received: from localhost.localdomain (ns2 [127.0.0.1])
by bizwebkorea.co.kr (8.13.8/8.13.8) with ESMTP id q55BbP22024537
for <(naszmail)@gmail.com>; Tue, 5 Jun 2012 20:37:25 +0900
Received: (from daemon@localhost)
by localhost.localdomain (8.13.8/8.13.8/Submit) id q55BbPJQ024534;
Tue, 5 Jun 2012 20:37:25 +0900
Date: Tue, 5 Jun 2012 20:37:25 +0900
Message-Id: <[email protected]>
To: (naszmail)@gmail.com
Subject: Just Been Paid - You won 250 usd
From: JustBeenPaid <[email protected]>
(message body below)
Here there are no typos in the e-mail address any more, which can also happen with fake e-mails impersonating LR, but please pay attention to the bolded content. One can safely say that this fake reached me from Korea.
In short: the important fields are Return-Path and Received: from
These are only examples meant to show how to tell fake from real; the message headers you receive may differ from the ones I received (spam is sent from various domains). I just wanted to illustrate how easy it is to check such an e-mail.
I hope it comes in handy,
and if anyone has more knowledge about the contents of e-mail headers (and not only), feel free to share it, so that in future, when spammers become more "pro", we can identify fake e-mails more efficiently.
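The checks the post relies on (Return-Path versus From, the "Received: from" hop that handed the message to the recipient's provider, and the SPF/DKIM verdicts Gmail writes next to them) can be scripted. The following is an added example, not code from the poster or from any of the services mentioned; the two sample header blocks are constructed to mirror the shape of the "real" and "fake" headers above, using placeholder domains (brand.example, relay.example.net) and documentation IP ranges instead of the addresses on the page.

```python
"""Triage pasted e-mail headers: Return-Path, entry hop, SPF and DKIM verdicts."""
import email
import re
from email.utils import parseaddr

# 'from <host> (<reverse-dns> [ip]) ... by <receiver>' as written into Received lines.
HOP_RE = re.compile(r'^from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)', re.I | re.S)
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')

# Constructed sample modelled on the genuine header in the post (placeholder domain).
REAL_HEADERS = """\
Delivered-To: recipient@gmail.com
Received: by 10.60.132.115 with SMTP id ot19csp166683oeb;
        Thu, 15 Mar 2012 12:11:26 -0700 (PDT)
Return-Path: <noreply@brand.example>
Received: from mail.brand.example (mail.brand.example. [192.0.2.10])
        by mx.google.com with ESMTP id d12si911145eei.106.2012.03.15.12.11.25;
        Thu, 15 Mar 2012 12:11:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@brand.example designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Authentication-Results: mx.google.com; spf=pass smtp.mail=noreply@brand.example; dkim=pass header.i=@brand.example
Authentication-Results: mail.brand.example; dkim=none (no signature) header.i=unknown
From: noreply@brand.example
Subject: Successful Registration

"""

# Constructed sample modelled on the fake header in the post: relayed through an
# unrelated host, SPF neutral, no DKIM, and a look-alike typo in the From domain.
FAKE_HEADERS = """\
Delivered-To: recipient@gmail.com
Received: by 10.60.37.133 with SMTP id y5csp15322oej;
        Wed, 6 Jun 2012 03:56:02 -0700 (PDT)
Return-Path: <bounce@relay.example.net>
Received: from helium.relay.example.net (198.51.100.7.adsl.isp.example. [198.51.100.7])
        by mx.google.com with ESMTPS id x6si1538164wiw.36.2012.06.06.03.56.00
        (version=TLSv1/SSLv3 cipher=OTHER);
        Wed, 06 Jun 2012 03:56:01 -0700 (PDT)
Received-SPF: neutral (google.com: 198.51.100.7 is neither permitted nor denied by best guess record for domain of bounce@relay.example.net) client-ip=198.51.100.7;
Authentication-Results: mx.google.com; spf=neutral smtp.mail=bounce@relay.example.net
Received: from [203.0.113.5] (helo=s2.sender.example)
        by helium.relay.example.net with esmtpa (Exim 4.69)
        (envelope-from <bounce@relay.example.net>)
        for recipient@gmail.com; Wed, 06 Jun 2012 12:06:39 +0200
Subject: Your account has been blocked.
From: "Brand Support" <support@brand-reseure.example>

"""


def _flat(value):
    """Collapse header folding whitespace into single spaces."""
    return re.sub(r'\s+', ' ', value or '').strip()


def _domain(header_value):
    """Bare domain of the first address in a header value ('' if none)."""
    addr = parseaddr(header_value or '')[1]
    return addr.rsplit('@', 1)[1].lower() if '@' in addr else ''


def _same_org(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip('.')
    return bool(domain) and (host == domain or host.endswith('.' + domain))


def hops(msg):
    """Every 'Received: from X ... by Y' hop, outermost (closest to the reader) first."""
    out = []
    for value in msg.get_all('Received', []):
        m = HOP_RE.match(_flat(value))
        if not m:
            continue  # the provider's internal 'Received: by ...' lines name no sender
        host, info, by = m.group(1), m.group(2) or '', m.group(3)
        ip = IP_RE.search(info) or IP_RE.search(host)
        out.append({'host': host.strip('[]'), 'by': by, 'ip': ip.group(1) if ip else ''})
    return out


def triage(raw_headers):
    """Extract the fields the post singles out and list everything that looks off."""
    msg = email.message_from_string(raw_headers)
    from_dom = _domain(msg.get('From'))
    rp_dom = _domain(msg.get('Return-Path'))
    spf = re.match(r'(\w+)', _flat(msg.get('Received-SPF')))
    spf = spf.group(1).lower() if spf else 'none'
    # Only the receiving provider's own Authentication-Results (the first one) counts;
    # later ones were stamped on the sender's side and could say anything.
    auth = _flat((msg.get_all('Authentication-Results') or [''])[0])
    dkim = re.search(r'dkim=(\w+)', auth)
    dkim = dkim.group(1).lower() if dkim else 'none'
    route = hops(msg)
    entry = route[0] if route else {'host': '', 'by': '', 'ip': ''}
    warnings = []
    if rp_dom != from_dom:
        warnings.append(f'Return-Path domain {rp_dom!r} differs from From domain {from_dom!r}')
    if spf != 'pass':
        warnings.append(f'SPF result is {spf!r}, not pass')
    if dkim != 'pass':
        warnings.append(f'DKIM result is {dkim!r}, not pass')
    if entry['host'] and not _same_org(entry['host'], from_dom):
        warnings.append(f"handed to {entry['by']} by {entry['host']} [{entry['ip']}], "
                        f"which is not a host under {from_dom!r}")
    return {'from_domain': from_dom, 'return_path_domain': rp_dom, 'spf': spf,
            'dkim': dkim, 'entry_hop': entry, 'hops': route, 'warnings': warnings}


def is_suspicious(raw_headers):
    return bool(triage(raw_headers)['warnings'])


if __name__ == '__main__':
    for label, raw in (('real', REAL_HEADERS), ('fake', FAKE_HEADERS)):
        print(label, triage(raw)['warnings'] or ['no findings'])
```

Paste the output of Gmail's "Show original" (or the equivalent in another client) into `triage()`; an empty warnings list means the envelope sender, the delivering host and both authentication verdicts are consistent with the From domain. A non-empty list is a reason to look closer, not proof of fraud: legitimate bulk mailers often send through a third-party domain and fail the hop check, while a forged message that happens to pass SPF for its own throwaway domain will only be caught by the From/Return-Path mismatch.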