Well, it may not be that hard, and I may be able to provide with some background...
This is the actual
source of a mail:
Quote:
Return-path: <user@example.com>
Received: from mac.com ([10.13.11.252])
by ms031.mac.com (Sun Java System Messaging Server 6.2-8.04 (built Feb 28
2007)) with ESMTP id <0JMI007ZN7PETGC0@ms031.mac.com> for user@example.com; Thu,
09 Aug 2007 04:24:50 -0700 (PDT)
Received: from mail.dsis.net (mail.dsis.net [70.183.59.5])
by mac.com (Xserve/smtpin22/MantshX 4.0) with ESMTP id l79BOnNS000101
for <user@example.com>; Thu, 09 Aug 2007 04:24:49 -0700 (PDT)
Received: from [192.168.2.77] (70.183.59.6) by mail.dsis.net with ESMTP
(EIMS X 3.3.2) for <user@example.com>; Thu, 09 Aug 2007 04:24:49 -0700
Date: Thu, 09 Aug 2007 04:24:57 -0700
From: Frank Sender <sender@example.com>
Subject: Test
To: Joe User <user@example.com>
Message-id: <61086DBD-252B-46D2-A54C-263FE5E02B41@example.com>
MIME-version: 1.0 (Apple Message framework v752.2)
X-Mailer: Apple Mail (2.752.2)
Content-type: text/plain; charset=US-ASCII; format=flowed
Content-transfer-encoding: 7bit
|
I marked the points of interest for you. Differences in these fields could mean a spoofed mail...
I suggest a grep tru the source text to find out where the differences are...
Just some loose thoughts...I had a sunday's worth of entertainment with this too, once...
Oh, and by the way, this method will of course not be able to detect/filter messages from a hacked mail account, there the returnpathe and from fiels should be the same...
Good luck
Thor
(maybe a better example is called for)
