Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

"John Levine" <> Mon, 30 November 2015 03:12 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A36001A6F41 for <>; Sun, 29 Nov 2015 19:12:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 2.667
X-Spam-Level: **
X-Spam-Status: No, score=2.667 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, KHOP_DYNAMIC=1.004, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EIoSG5QDgckm for <>; Sun, 29 Nov 2015 19:12:13 -0800 (PST)
Received: from ( [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4FFD81A6F40 for <>; Sun, 29 Nov 2015 19:12:13 -0800 (PST)
Received: (qmail 93662 invoked from network); 30 Nov 2015 03:12:12 -0000
Received: from unknown ( by with QMQP; 30 Nov 2015 03:12:12 -0000
Date: 30 Nov 2015 03:11:50 -0000
Message-ID: <20151130031150.10420.qmail@ary.lan>
From: "John Levine" <>
In-Reply-To: <>
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <>
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 30 Nov 2015 03:12:14 -0000

>> But, in general, that information is essential to identifying spoofed header
>> fields: it's by tracing the chain of "from" addresses in Received header
>> fields that one can determine that someone is attempting to do something
>> fraudulent.
>Can you cite a real-world example of a case where you did something like this recently, and explain how you were able to do what you
>claim, above, is possible using just the header fields in the message?

Spam filters have been doing Received chain analysis for about 20
years.  The principle is straightforward, the source in each header
should match the recipient in the header below it, and timestamps
should be in the right order.  There's also heuristics based on
knowing what real headers from popular mail systems should look like.

The scripts I use to send off spam complaints do header analysis to
figure out who to complain to, and not to complain to addresses in
fake headers, so I'd say I do this about 100 times a day, every day,
in addition to spamassassin doing it on every incoming message that
it filters.

If you want to look at some code, spamassassin is at