Connecting from 59.120.37.184 to the Hotmail web interface, cross@hotmail.com sends to cross@ssorc.tw

Return-Path: <xxx@hotmail.com>
X-Original-To: cross@ssorc.tw
Delivered-To: cross@ssorc.tw
Received: from bay0-omc3-s17.bay0.hotmail.com (bay0-omc3-s17.bay0.hotmail.com [65.54.246.217])
by ssorc.tw (Postfix) with ESMTP id 88E883B0099A    # what ssorc.tw's mail server saw was this IP, 65.54.246.217 (Hotmail's outbound server)
for <cross@ssorc.tw>; Sun, 14 Oct 2007 12:34:45 +0800 (CST)
Received: from BAY120-W39 ([207.46.9.202]) by bay0-omc3-s17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Sat, 13 Oct 2007 21:32:26 -0700
Message-ID: <BAY120-W392C3B33CB06BB8B3AA0A6BBA20@phx.gbl>
Content-Type: multipart/alternative;
boundary="_d3d33635-0e9e-4875-a97b-f537c0965fb2_"
X-Originating-IP: [59.120.37.184] # the sender's public IP, recorded by the webmail service
From: =?big5?B?pECkU0AgY3Jvc3N=?= <xxx@hotmail.com>
To: <cross@ssorc.tw>
Subject: =?big5?B?s2+sT6RAq8q0+rjVq0j=?=
Date: Sun, 14 Oct 2007 12:32:25 +0800
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 14 Oct 2007 04:32:26.0255 (UTC) FILETIME=[38F511F0:01C80E1B]

Sending from 59.120.37.184 with Outlook, cross@xxx.com.tw to cross@ssorc.tw

Return-Path: cross@xxx.com.tw # address that replies (and bounces) are returned to
X-Original-To: cross@ssorc.tw    # original recipient
Delivered-To: cross@ssorc.tw     # recipient the message was delivered to
Received: from host.xx2.com (host.xx2.com [61.xx.xx.xx])      # here host.xx2.com is handing the message to ssorc.tw's mail server,
by ssorc.tw (Postfix) with ESMTP id 3E7A43B0021B   # so this header is stamped by ssorc.tw
for <cross@ssorc.tw>; Sun, 14 Oct 2007 12:09:44 +0800 (CST)
Received: from [59.120.37.184] (helo=xxx031CROSS)   # first, host.xx2.com,
by host.xx2.com with esmtp (Exim 4.63)           # i.e. xxx.com.tw's mail server, receives the message and stamps this header,
(envelope-from <cross@xxx.com.tw>)               # which shows it was sent from 59.120.37.184, addressed to cross@ssorc.tw
id 1IgulF-0001O7-4Y
for cross@ssorc.tw; Sun, 14 Oct 2007 12:07:29 +0800
From: =?big5?B?V0lTILbXtLwgQ3Jvc3M=?= <cross@xxx.com.tw>   # who the message's sender is
To: <cross@ssorc.tw>                                        # the message's recipient
Subject: =?big5?B?s2+sT6RAq8q0+rjVq0g=?=                    # the subject
Date: Sun, 14 Oct 2007 12:07:24 +0800
Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAANIF5tTJcAhKvjJYIr/QVl3CgAAAEAAAAE2ZKXGesGhFsFWNwW5aZsoBAAAAAA==@xxx.com.tw>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0000_01C80E5A.C868DC60"
X-Mailer: Microsoft Office Outlook 11                       # shows the message was sent with Outlook
Thread-Index: AcgOF7oC4Yn9QTv7QbWsOEiFTM5D3w==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Disposition-Notification-To: =?big5?B?V0lTILbXtLwgQ3Jvc3M=?= <cross@xxx.com.tw>
X-Antivirus-Scanner: Scanned with Exiscan. You should still use an antivirus.

Received:
   Quote: http://phorum.study-area.org/viewtopic.php?p=155926&sid=e76940762c3a1ad6c63071dad92da869

This field should tell you how many mail servers the message was relayed through,
so just find the first one and that should be right.

After testing his claim, it turns out that, reading from top to bottom, the last one is the right one.

Quote: http://www.ascc.sinica.edu.tw/nl/89/1603/3.txt

And the Received: format can roughly be read as:

On Mon, 24 Jan 2000 17:32:01 +0800, beta.wsl.sinica.edu.tw
received the spam sent out by k17.kimo.com.tw (k17.kimo.com.tw [139.175.68.196]).

As for the second Received, it says:

On Mon, 24 Jan 2000 17:32:01 +0800, k17.kimo.com.tw
received the spam sent out by 12 ([210.244.69.54]).

From the mail header above we can see that in 12 ([210.244.69.54]),
the "12" is a fake name, while the real IP address of the spam source, 210.244.69.54,
cannot be hidden. That is the true origin of the spam: 210.244.69.54 took advantage of
a hole in k17.kimo.com.tw's system (mail relay not set up properly) to relay the message to the author.
In fact, we have no way of knowing who the real sender is. Next we can use
nslookup to see which ISP this IP might belong to.

Worth spending some time to catch up on: Email 郵件標頭揭密 (Email header secrets revealed) http://forum.shareget.com/showthread.php?t=287261

How to check from the envelope part whether a message is forged

Quote: http://www.host01.com/article/php/00030007/0542814432248060.htm

11. How can you check from the envelope part whether a message is forged?
a. Consistency of the Received: lines.
In today's SMTP mail transport system, apart from the internal hosts at both ends that handle the envelope, consider the part between the two companies' firewalls:
if the two firewall machines are A and B, but the recipient, checking the Received: lines of the envelope, finds that it passed through C, then it is forged.
b. Whether the host name and IP address pair in a Received: line correspond, e.g.:
Received: from galangal.org (turmeric.com [104.128.23.115]) by mail.bieberdorf.edu....
c. Received: lines that someone manually appended at the very end:
Received: from galangal.org ([104.128.23.115]) by mail.bieberdorf.edu (8.8.5)
Received: from lemongrass.org by galangal.org (8.7.3)
Received: from graprao.com by lemongrass.org (8.6.4)
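As an added example (not code from the original post or from any of the quoted sources), the script below does by program what the post does by eye: it walks the Received: lines from the newest at the top to the oldest at the bottom, takes the originating IP from the lowest line whose IP literal was written by a receiving mail server, compares that with X-Originating-IP for the webmail case, and applies the three checks from the quoted list (continuity of the Received: chain, HELO name versus the reverse-DNS name in parentheses, lines appended below the last server-recorded hop). The three header samples are constructed for this example and modelled on the post's headers and the galangal.org quote; the elided 61.xx.xx.xx address is replaced with the documentation address 192.0.2.10.

```python
import email
import re

# Constructed samples (not the page's verbatim headers). GENUINE follows the
# Outlook-via-xxx.com.tw case, WEBMAIL the Hotmail case, FORGED the quoted
# galangal.org case where the reverse-DNS name disagrees with the HELO name and
# the two lowest Received: lines were appended by the sender.
GENUINE = """Return-Path: <cross@xxx.com.tw>
Received: from host.xx2.com (host.xx2.com [192.0.2.10])
\tby ssorc.tw (Postfix) with ESMTP id 3E7A43B0021B
\tfor <cross@ssorc.tw>; Sun, 14 Oct 2007 12:09:44 +0800 (CST)
Received: from [59.120.37.184] (helo=xxx031CROSS)
\tby host.xx2.com with esmtp (Exim 4.63) (envelope-from <cross@xxx.com.tw>)
\tid 1IgulF-0001O7-4Y for cross@ssorc.tw; Sun, 14 Oct 2007 12:07:29 +0800
From: cross@xxx.com.tw
To: cross@ssorc.tw

hello
"""
WEBMAIL = """Received: from bay0-omc3-s17.bay0.hotmail.com (bay0-omc3-s17.bay0.hotmail.com [65.54.246.217])
\tby ssorc.tw (Postfix) with ESMTP id 88E883B0099A
\tfor <cross@ssorc.tw>; Sun, 14 Oct 2007 12:34:45 +0800 (CST)
Received: from BAY120-W39 ([207.46.9.202]) by bay0-omc3-s17.bay0.hotmail.com
\twith Microsoft SMTPSVC(6.0.3790.3959); Sat, 13 Oct 2007 21:32:26 -0700
X-Originating-IP: [59.120.37.184]
From: xxx@hotmail.com
To: cross@ssorc.tw

hello
"""
FORGED = """Received: from galangal.org (turmeric.com [104.128.23.115])
\tby mail.bieberdorf.edu (8.8.5); Mon, 24 Jan 2000 17:32:01 +0800
Received: from lemongrass.org by galangal.org (8.7.3); Mon, 24 Jan 2000 17:31:00 +0800
Received: from graprao.com by lemongrass.org (8.6.4); Mon, 24 Jan 2000 17:30:00 +0800
From: someone@graprao.com
To: user@bieberdorf.edu

hello
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # IP literal written by the receiving MTA
REV_RE = re.compile(r"^([A-Za-z0-9.-]+)\s+\[")             # "revname [ip]" inside the parentheses


def parse_received(value):
    """Split one Received: header into the fields the post reads off by hand."""
    text = " ".join(value.split())          # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:
        return None
    rev = REV_RE.match(m.group("paren") or "")
    ip = IP_RE.search(text[: m.end()])
    return {
        "helo": m.group("helo").strip("[]").lower(),   # name (or IP) the sender announced
        "rev": rev.group(1).lower() if rev else None,  # name the receiver resolved for it
        "ip": ip.group(1) if ip else None,
        "by": m.group("by").lower(),                   # the MTA that wrote this line
    }


def analyze(raw):
    """Walk the Received: chain from newest (top) to oldest (bottom) and find the origin."""
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    notes = []
    # (a) continuity: the host a line is "from" must be the host the next-older line was received "by"
    for i in range(len(hops) - 1):
        if hops[i]["helo"] != hops[i + 1]["by"]:
            notes.append(f"hop {i}: from {hops[i]['helo']} but hop {i + 1} was received by {hops[i + 1]['by']}")
    # (b) announced HELO name vs the reverse-DNS name the receiver recorded (galangal.org vs turmeric.com)
    for i, h in enumerate(hops):
        if h["rev"] and h["rev"] != h["helo"]:
            notes.append(f"hop {i}: announced {h['helo']} but reverse DNS says {h['rev']}")
    # (c) origin = lowest line whose IP a receiving MTA wrote down; lines below it carry no
    #     server-recorded IP and may simply have been typed in by the sender
    origin = None
    for i in range(len(hops) - 1, -1, -1):
        if hops[i]["ip"]:
            origin = hops[i]["ip"]
            if i < len(hops) - 1:
                notes.append(f"{len(hops) - 1 - i} Received line(s) below hop {i} carry no receiver-recorded IP")
            break
    # Webmail: the provider's own X-Originating-IP names the browser client, not its last MTA
    client = msg.get("X-Originating-IP")
    client = client.strip("[] ") if client else origin
    if client != origin:
        notes.append(f"X-Originating-IP {client} differs from last Received hop {origin}: sent via webmail")
    return {"origin_ip": origin, "client_ip": client, "notes": notes}


if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("WEBMAIL", WEBMAIL), ("FORGED", FORGED)):
        r = analyze(raw)
        print(name, f"origin={r['origin_ip']} client={r['client_ip']}", *r["notes"], sep="\n  ")
```

For GENUINE the chain is continuous and the origin is 59.120.37.184 in the bottom line, as the post concludes. For WEBMAIL the bottom Received: line only reaches Hotmail's internal server 207.46.9.202, and the client address comes from X-Originating-IP; that value is only as trustworthy as the provider that wrote it. For FORGED the script reports the turmeric.com mismatch and notes that the two lines under the first server-recorded hop carry no IP, which is exactly why the post says to stop at the last line written by a server you trust rather than the last line on the page.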