User Tools

Site Tools


how_to:seeing_where_a_message_came_from

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
how_to:seeing_where_a_message_came_from [2011/10/21 10:05]
paul
how_to:seeing_where_a_message_came_from [2018/11/14 10:45] (current)
Line 24: Line 24:
 X-VPOP3-ORIGRCPT:​ paul@pscs.co.uk</​code>​ X-VPOP3-ORIGRCPT:​ paul@pscs.co.uk</​code>​
  
-This passed through ​+This has three ''​Received''​ lines. In order of occurring they are:
  
 +  - Received: from [192.168.1.101] ([127.31.11.95]) by example.com (Postfix) with ESMTP id 891688127.17872.3016;​ Thu, 20 Oct 2011 04:36:25 -0400
 +  - Received: by example.com (Postfix) for support@pscs.co.uk;​ Thu, 20 Oct 2011 04:36:27 -0400
 +  - Received: from mail.example.com ([127.221.14.44]) by lmail.pscs.co.uk ([217.155.61.13] running VPOP3) with ESMTP for <​support@pscs.co.uk>;​ Thu, 20 Oct 2011 09:36:35 +0100
  
 +In fact, the first two of these are probably together, so just one server at the sender'​s end. The last line is the local mail server receiving the message from the sender'​s server.
  
 +In this case, the only information we can totally trust is that added by the local server. The remote server may not be well behaved, and may have added misleading information. So, what we know for definite is that the message came from a server at '​127.221.14.44'​ which was called '​mail.example.com'​. It arrived at our server at 9:36:35 (in the GMT+1hr timezone - or BST in this case).
 +
 +If we know the sender'​s server, or are in contact with them, the other ''​Received''​ lines may help there as well. So, from those lines we can tell that the message reached the sender'​s server at 4:36:25 (in the GMT-4hrs timezone) - this is just 10 seconds before it arrived at our local server. The **127.31.11.95** address in the first ''​Received''​ line is the IP address of the sender as the first mail server saw it. The **192.168.1.101** is what the sending software was calling itself.
 +
 +See [[http://​tools.ietf.org/​html/​rfc5321#​section-4.4|Section 4.4 of RFC 5321]] for details on the ''​Received''​ header line format. Note that as this line is not intended to be parsed by a computer the recommended format is not always strictly used, so a bit of intelligence is required when reading it.
 +
 +Note that the ''​Received''​ line times are based on the relevant server'​s computer clock, so may not be accurate, so don't panic if a message appears to time travel. However, most server clocks are accurate within a few seconds.
 +
 +
 +=====SMTP Authentication=====
  
 If the message came from your local VPOP3 and you use SMTP authentication,​ you can also check the ''​X-Authenticated-Sender''​ header line, which shows which user logged in to send the message. (Note that if the passwords are weak, someone may have guessed their password and be using their account without their knowledge) If the message came from your local VPOP3 and you use SMTP authentication,​ you can also check the ''​X-Authenticated-Sender''​ header line, which shows which user logged in to send the message. (Note that if the passwords are weak, someone may have guessed their password and be using their account without their knowledge)
 +
 +If the message came from a remote server, there may be similar authentication header lines, but there is no standard for those, and they could have been forged or changed since the message was originally sent, so should not be trusted 100%.
how_to/seeing_where_a_message_came_from.txt ยท Last modified: 2018/11/14 10:45 (external edit)