Notes on Forged Addresses

By Lars Magne Ingebrigtsen

By now, most people are aware that spammers and viruses commonly forge headers to make it difficult to trace the spammers. What some people don't know is that spam now often use a real, existing address in the From header -- but this address has been forged, making it look like the spam came from this person.

The reason I'm writing this page is that I (somewhat frequently) get messages out of the blue, accusing me of various crimes, and it almost always comes back to forged spam. As someone who has his email address plastered over half the net, it loses its charm after a while.

Here's how to tell forged mail from real mail: Look at the complete header of the spam you get; not just the From header. The most important header is the Received header; it (somewhat reliably) tells you what path the mail took to reach you.

Here's an example.

Received: from ( [])
	by (8.12.8p1/8.12.8) with ESMTP id hBT0ktOn011282
	for ; Mon, 29 Dec 2003 01:46:56 +0100 (CET)
Received: from ( [])
	by (Postfix) with SMTP id B642A3A003B
	for ; Sun, 28 Dec 2003 18:46:47 -0600 (CST)
Received: from [] by 530000x.netIP with HTTP;
	Sun, 28 Dec 2003 07:39:04 -0500
From: "Lars Ingebrigtsen" 
Subject: Give V1agra to your inkjet printer

The most important line here is that final Received line. This line can be forged, too, but usually isn't. It tells us that the message came from, which is Now, a real message from me would look like this:

Received: from ( [])
	by (8.12.8p1/8.12.8) with ESMTP id hBT8mGOn014127
	for ; Mon, 29 Dec 2003 09:48:16 +0100 (CET)
Received: from larsi by with local (Exim 3.35 #1 (Debian))
	id 1Aat46-0007QI-00
	for ; Mon, 29 Dec 2003 09:47:54 +0100
From: Lars Magne Ingebrigtsen 
Subject: Don't give V1agra to your inkjet printer

The important bit here being that the final Received line says that the message came through, and the first line agrees with that. If the last Received lines point to hosts that are "far" from the address in the From header, it's not unlikely that the address in the From header has been forged.

(This is a very short lesson in reading forged mail headers, and does not take into account all the subtleties of SMTP.)

Feel free to use this page if you, too, are plagued by people complaining about spam apparently "from you".

Last modified: Mon Dec 29 09:33:03 CET 2003