Is it possible to fake the 'received' field in the e-mail?

I've received some strange e-mail recently. The e-mail has different From and Reply-To fields. It also has To set to Undisclosed recipients, but that's not crucial.

At first I thought it was fake, but then I read this post, which mentions that the Received field can't be faked. It seems that the Received field is proper in the case of the e-mail I'm talking about:



Received: (wp-smtpd mx.tlen.pl 14490 invoked from network); 2 Oct 2018 07:19:36 +0200
Received: from mx.beniculturali.it ([194.242.241.200])
(envelope-sender <pm-pie.aglie@beniculturali.it>)
by mx.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-GCM-SHA384 encrypted SMTP
for <myemail@10g.pl>; 2 Oct 2018 07:19:36 +0200
Received: from sea2.mail.beniculturali.it (localhost.localdomain [127.0.0.1])
by localhost (Email Security Appliance) with SMTP id 15EE31ECEEA_BB2FFE8B;
Tue, 2 Oct 2018 05:19:36 +0000 (GMT)
Received: from MB2.mail.beniculturali.it (mb2.mail.beniculturali.it [192.168.123.122])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
(Client CN "email.beniculturali.it", Issuer "Actalis Authentication CA G3" (not verified))
by sea2.mail.beniculturali.it (Sophos Email Appliance) with ESMTPS id 1C9BD1E9E28_BB2FFE7F;
Tue, 2 Oct 2018 05:19:35 +0000 (GMT)
Received: from MB2.mail.beniculturali.it (192.168.123.122) by
MB2.mail.beniculturali.it (192.168.123.122) with Microsoft SMTP Server (TLS)
id 15.0.1395.4; Tue, 2 Oct 2018 07:19:30 +0200
Received: from ca4.mail.beniculturali.it (192.168.123.144) by
MB2.mail.beniculturali.it (192.168.123.122) with Microsoft SMTP Server (TLS)
id 15.0.1395.4 via Frontend Transport; Tue, 2 Oct 2018 07:19:29 +0200
Received: from MDC.mail.beniculturali.it ([192.168.123.171]) by
ca4.mail.beniculturali.it ([192.168.123.144]) with mapi; Tue, 2 Oct 2018
07:19:29 +0200


Is it possible to spoof the Received field somehow, perhaps using advanced techniques?

  • You could export an email from one inbox (e.g., *.eml format) and import it into another mailbox. Many clients won't complain. An email could be put into your inbox server side; it's just a file. I will let someone else go into more detail about why a server may accept or not accept fake headers when it receives it from a sender.
    – Eric G
    1 hour ago

email email-spoofing

asked 4 hours ago

Landeeyo

1 Answer

It is possible to add arbitrary fields to the mail, and this includes the Received header. But any proper mail transport server will add a new Received header on top of the mail, which means that, depending on the exact delivery infrastructure, the attacker can at most fully fake all but the topmost Received header. In your specific example the top Received header seems to be from some internal server, and the next Received header is the one from your mail server at the perimeter, which accepts mail from outside. All other Received headers might be faked.

And even the Received header added by the server at the perimeter might contain fake information. It is common that it includes the hostname claimed by the SMTP client within the EHLO or HELO command. Thus, in your specific example mx.beniculturali.it might be faked by the attacker, while ([194.242.241.200]) is added by the receiving mail server to show from which source IP the mail was received and cannot be faked.

        answered 4 hours ago

        Steffen Ullrich
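The trust boundary the answer describes, as an added example that is not part of the question or the answer: this Python script unfolds the Received chain quoted in the question, finds the first hop stamped by the recipient's own MX (assumed here to be mx.tlen.pl, taken from the headers) from a public peer IP, and labels every hop relative to that boundary. At the perimeter hop the HELO name is reported as the client's claim and the bracketed IP as the value the receiving server recorded; the function names are mine.

```python
import ipaddress
import re

# Headers copied from the question, refolded with indented continuation lines
# as RFC 5322 requires; the internal hops below the perimeter are omitted.
RAW_HEADERS = """\
Received: (wp-smtpd mx.tlen.pl 14490 invoked from network); 2 Oct 2018 07:19:36 +0200
Received: from mx.beniculturali.it ([194.242.241.200])
  (envelope-sender <pm-pie.aglie@beniculturali.it>)
  by mx.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-GCM-SHA384 encrypted SMTP
  for <myemail@10g.pl>; 2 Oct 2018 07:19:36 +0200
Received: from sea2.mail.beniculturali.it (localhost.localdomain [127.0.0.1])
  by localhost (Email Security Appliance) with SMTP id 15EE31ECEEA_BB2FFE8B;
  Tue, 2 Oct 2018 05:19:36 +0000 (GMT)
"""

# Assumption: the recipient's provider MX is the only "by" host whose stamp is trusted.
TRUSTED_BY = {"mx.tlen.pl"}
HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\sby\s+(?P<by>\S+)")

def unfold(raw):
    """Join folded continuation lines; return the Received values, topmost first."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return [l[len("Received:"):].strip() for l in lines if l.startswith("Received:")]

def parse_hop(value):
    """Split one hop into the HELO name the client claimed, the peer IP the
    receiving server observed (in brackets), and the server that stamped it."""
    m = HOP_RE.match(value)
    info = (m and m.group("info")) or ""
    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", info)
    return {"helo": m and m.group("helo"), "peer_ip": ip and ip.group(1),
            "by": m and m.group("by")}

def find_perimeter(hops, trusted_by):
    """Index of the first hop a trusted MX stamped from a public peer IP, or None."""
    for i, h in enumerate(hops):
        if h["by"] in trusted_by and h["peer_ip"] and ipaddress.ip_address(h["peer_ip"]).is_global:
            return i
    return None

def classify(raw, trusted_by=TRUSTED_BY):
    """Label each hop: above the perimeter the stamp came from trusted MTAs, at the
    perimeter only the bracketed IP is reliable, below it the sender wrote the text."""
    hops = [parse_hop(v) for v in unfold(raw)]
    p = find_perimeter(hops, trusted_by)
    if p is None:
        raise ValueError("no hop stamped by a trusted MX; cannot place a trust boundary")
    return [(h, "stamped by trusted infrastructure" if i < p
                else f"perimeter: peer IP {h['peer_ip']} reliable; HELO {h['helo']!r} is only the client's claim" if i == p
                else "unverifiable: could have been written by the sender")
            for i, h in enumerate(hops)]
```

`classify(RAW_HEADERS)` labels the top stamp as trusted, the mx.tlen.pl hop as the perimeter with 194.242.241.200 as the reliable value, and every hop below it as unverifiable; if none of the "by" hosts is in the trusted set, it refuses to guess rather than marking sender-supplied headers as trusted.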
