我被要求检查来自 gmail.com 和 bol.com.br 的两封电子邮件,据说来自两家企业,我需要检查它们是否合法,以及是否有可能知道它们是否来自同一来源。虽然我不熟悉邮件协议,但它们被发送到同一个 gmail 帐户:
Delivered-To: [email protected]
Received: by 10.100.170.5 with SMTP id i5csp2396916pjd;
Thu, 21 Sep 2017 11:22:10 -0700 (PDT)
X-Google-Smtp-Source: AOwi7QBEZqkl8wJDZ7obTe6gyOyEG9u6q5XnTB2r72YoOaw/m/IXHPZ93WGOCNpngiPLzOWbl/hn
X-Received: by 10.55.212.28 with SMTP id l28mr4236850qki.259.1506018130061;
Thu, 21 Sep 2017 11:22:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1506018130; cv=none;
d=google.com; s=arc-20160816;
b=FQqMHXXegopvOr8UQ/uG1GE8EKXHjYITnrVQqgQbeCMUHj1jHD30LhV2Rjgge75zTt
1M2kEG44er5ERzATnWSjdd4b6Yhn9tKa+660tyh3RW3WCcpEmkJXgJYpgqvR4BfNJ06k
eqDCsRMPHZmz/HZ4Hez9C+GkWk/rElxmzjnwp6TrRIqRTJqRnydyYNnU6DhPdIP2oGlC
tspDmeWkdAEGTLPwB1VbHWIoadiOjw9yWigve35Wk1Fa5XrX+lq5rngKhmCf+3FNMk5H
GM8xUqtL2hY94dZ9pl21r31ho/QFehajv8Y191wE3MeZmQ/aQTBb841Tq4v5ke9ECkyG
rLdA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-transfer-encoding:mime-version:subject:references
:in-reply-to:message-id:to:from:date:dkim-signature
:arc-authentication-results;
bh=HMpsDDGEKNiGVAeThTTH4PXumG5F50lCG2rnFuk/+/I=;
b=PD62Cr78VN/7nUekoJ7LJrf0KEF6TPEJMN+SlB19UBDhRL1ToVaM3myWIVxQNOcM2f
wEmxsBOlANtpGocmqvpob0iZJSBkTTHtohKkkTGQdLFzV1KL7kJVn4CwttjT0RHup7Os
+zqyzfSXLqjyNbqbyQUZO6X+ummzwh1oPXQinaYtiE9CBxwJrwb4zUgZXX2z18DWUOhF
YBYl3Vh7zYaNSoT3frBbR0OpTmCbgIAFPnpfQ+0X5DJ5MulsHQo8S132C5g7c0Kv67Vd
S4hQtBKug3huEVp3gcqgflMm7r0RqfjUMQL/fLMF1Wq8f472U+1oTGydYPdTaLbcrX4m
iinw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass (test mode) [email protected] header.s=afl header.b=nXKH7bsA;
spf=pass (google.com: domain of [email protected] designates 200.147.97.220 as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from a4-salsa1.bol.com.br (a4-salsa1-1.bol.com.br. [200.147.97.220])
by mx.google.com with ESMTP id f6si1675754qtb.466.2017.09.21.11.22.08
for <[email protected]>;
Thu, 21 Sep 2017 11:22:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 200.147.97.220 as permitted sender) client-ip=200.147.97.220;
Authentication-Results: mx.google.com;
dkim=pass (test mode) [email protected] header.s=afl header.b=nXKH7bsA;
spf=pass (google.com: domain of [email protected] designates 200.147.97.220 as permitted sender) [email protected]
Received: from localhost (localhost.localdomain [127.0.0.1])
by a4-salsa1.bol.com.br (Postfix) with ESMTP id 0D4B6380008A
for <[email protected]>; Thu, 21 Sep 2017 15:22:08 -0300 (BRT)
Received: from a4-salsa1.host.intranet (localhost.localdomain [127.0.0.1])
by a4-salsa1.bol.com.br (Postfix) with ESMTP id C0DF73800089
for <[email protected]>; Thu, 21 Sep 2017 15:22:07 -0300 (BRT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bol.com.br; s=afl;
t=1506018127; bh=HMpsDDGEKNiGVAeThTTH4PXumG5F50lCG2rnFuk/+/I=;
h=Date:From:To:In-Reply-To:References:Subject;
b=nXKH7bsAv1rx9J5QmyVDwgHWzmYZi1oPkZaEEPrG11YFu0IbHo9rffS6MjIr/UVs/
4rHAEeHBqOo3hkW9bRP/4WR8WRvuuPXx5cdRyJMJH4gr/YU3iyTrfU08JNFQJF4EGC
v59X0llNrXN022t1ACXQKRHBIRf9h6IlePNQ6LCU=
Received: from localhost (a4-winter20.host.intranet [10.131.133.147])
by a4-salsa1.host.intranet (Postfix) with ESMTP id 9131F3800083
for <[email protected]>; Thu, 21 Sep 2017 15:22:07 -0300 (BRT)
Date: Thu, 21 Sep 2017 15:22:07 -0300
From: "[email protected]" <[email protected]>
To: [email protected]
Message-ID: <[email protected]>
In-Reply-To:
References:
Subject: ATESTADO
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="--==_mimepart_59c4034f82e01_55be3f8adc1651384293d";
charset=utf-8
Content-Transfer-Encoding: 7bit
X-SenderIP: 187.67.89.176
X-SIG5: 8030fe2b24c06fb6a61d8f2a6a113e0c
邮件 2
Delivered-To: [email protected]
Received: by 10.100.170.5 with SMTP id i5csp2364805pjd;
Thu, 21 Sep 2017 10:51:01 -0700 (PDT)
X-Received: by 10.129.159.147 with SMTP id w141mr2102519ywg.11.1506016261823;
Thu, 21 Sep 2017 10:51:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1506016261; cv=none;
d=google.com; s=arc-20160816;
b=wxtjwb3EPjUb11jPK6YYnKcbg8p3/gRWem0yhpUCMywIaMj7hqYhvm/ODBNA3zb20C
CKnxbmxqvhZLcYOVn2dyiBbrXVmc3GMWLYmtMAfC2Vrm85n+LgeH3rCDiAmwp8Upl1MM
H/eoDYi774tqnfSLxojzMboVRTUWWsoa48hmh2TDfFKZn3c2rg82hp3aYrXVNK+RicAB
xFkQOK2uaXYDCyohBE3PR2+ISYWUy/xtJZurbUfmII7mO/14LQIfIIJkRCA0O50qwhhk
4uRsyn81XVc2FO72nUI1z8YU0tM3NM3H4OI7F0FerzXwTX1aoR84htVVZsoYdKjJUd4N
lt+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:subject:message-id:date:from:mime-version:dkim-signature
:arc-authentication-results;
bh=V9BwbsP4SGXLIud2rj2NIdd8O4GXXIPz16hg/2fc6E4=;
b=l63lew5qOPNP0j5yFF5JKHRLRvQY8tN0vAZVtpEyFiczKdXoWX+Zctwz32MwKf81cL
fRcUIfcCQ/ulb68gY24GT0Kc7OxOvgvAkN/RtqC2tmAbF6HMpoSf1M6TlW9VIf5SSaS0
ySQqdLOrm8yZzlaWwAwjMTbzIBhPO9wlD4K99eicUkhEWbjF8QHLTwVfDuSD12jpdyp3
5v9uCc7/eekIjoCC1pMJi36l85RMW142qdYjIGb5UdMk44m8KzVGVbWbCtqL03MelDAz
TrndV1xWl9+22fmmWlIiYek/6wjzOItrGJikjskwbW7hmJ2bVqhPWcCOCHq2csvW12KE
+kxQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=20161025 header.b=hstp6qBK;
spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected];
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <[email protected]>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
by mx.google.com with SMTPS id t8sor856255ywi.217.2017.09.21.10.51.01
for <[email protected]>
(Google Transport Security);
Thu, 21 Sep 2017 10:51:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=20161025 header.b=hstp6qBK;
spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected];
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:from:date:message-id:subject:to;
bh=V9BwbsP4SGXLIud2rj2NIdd8O4GXXIPz16hg/2fc6E4=;
b=hstp6qBKWtkByX+jxlXkuFMBW8aBsgalPza+aZsTM3gCHGrJp5+ZQF+MAHtSWGrddu
Bd7sBWtOKI973N5cpvpBmyW2QqtJSSFOyyjM9YkgEPgUBpiwTXBVWI1PQZ4+6KxUAv7M
jhxqrlSe5TXGrL/mJJa0mJUbewkFIXnDXc5N+tp0ibiEQzksU27mTYrwRJm9X6ft99Gv
L9lRA1klQVOC8w0t2VwzTQIVX55VO/+gc4HdNmXcgKQKwQuprV9FIHeG46lX+bH2mNWb
XFi8kcJln63K0CCvwdkw4fe/cskNybmon8cKc1yi/wFTuatI/n2dqF6roPIpbbiDfnvN
qvPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=V9BwbsP4SGXLIud2rj2NIdd8O4GXXIPz16hg/2fc6E4=;
b=EwQboXycQIKqcognqoHpYyxH10U8TASsdzzdtfeeGBW34Pz4rPcPt43IQmqGicvlbB
kSL0TNNPHOnwgGvSU+bzaEiOKIYBbe87bjDNOXozzChNp/zyjiGmA1SWvP2+RC7FG0Ep
TQZ8+UZg7DzRFaR/fMSmNa3VpiItzqSB59u11RUvYow2UI1zq/z3f9g27XbGj0crxL5Q
0NkcvKzzH5fpnRs89OTIFyjM9sSTA36uovfvZZJ7ZzqQggF1mMVNL4Tu+YscrIiF9oui
XgJfBY0Lfi9adYUeQ3f1DZOoFpHF/n4SXN+FUif4am83yEJ0XFjNzXbfbwCkTwnTO/Qh
mP6g==
X-Gm-Message-State: AHPjjUiP1W19v1WPztjqyb1LzM23e2wgKcc8eyVNIz6A4fmIqR5xpx+5
olJsvouEGCTUOmbPOGb1CvQzXDgUt4enstnRL8M=
X-Google-Smtp-Source: AOwi7QDrkmK06qzh1F7+6JxgB53+Z6dJ4xqiHTGj4yQUrDN8UBB7x/bFutYtvH/haAsJfI6h7PuXPMlSNbugEgr3uEc=
X-Received: by 10.129.160.130 with SMTP id x124mr922804ywg.510.1506016260905;
Thu, 21 Sep 2017 10:51:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.208.2 with HTTP; Thu, 21 Sep 2017 10:51:00 -0700 (PDT)
From: Act Ipsus <[email protected]>
Date: Thu, 21 Sep 2017 14:51:00 -0300
Message-ID: <CAH4=1pMnt4Yf8+_DmSOxbcv6UqdAZhEV8YqAq+gbduyai8nhAg@mail.gmail.com>
Subject: IMPEDIMENTO DE LICITAR >> FENIX... CNPJ 18.963.664/0001-11
To: =?UTF-8?Q?Arsenal_de_Guerra_S=C3=A3o_Paulo?= <[email protected]>
Content-Type: multipart/mixed; boundary="94eb2c08590c421e820559b6bc8a"
我有电子邮件的完整标题和正文。
答案1
您将需要查看几个字段。首先可能确定它们是否来自同一来源,请查看该Received: from
字段。通常(尽管这是可配置的)每个服务器都会在此字段中添加其 IP 和接收消息的 IP。这会留下一条您可以追溯到源头的线索。
例如,查看这些字段,我可以看到 MAIL 2 是由 Gmail 用户发送给 Gmail 用户的,并且该电子邮件从未离开 Gmail 网络 - 它保持内部状态。此消息来自实际(但希望没有被盗用)的 Gmail 帐户。
查看 MAIL 1 上的相同字段,我可以看到此邮件已被路由通过a4-salsa1.bol.com.br,但这可能是一个开放中继 - 我不能相信这不是一个欺骗性消息。为了验证这一点,我想知道 a4-winter20.host.intranet [10.131.133.147] 实际上归 bol.com.br 所有。不过,这在可用信息中是隐含的。虽然此服务器说它是内部网的一部分,您可以将主机名设置为任何您想要的。但是,无法从不可路由的地址发送电子邮件。在本例中,我们可以看到内部 IP 是 10.131.133.147。这是保留不可路由的 IP 块- 在这种情况下,10.0.0.0/8 意味着这不可能来自外部来源 - 它必须来自合法的(希望未被泄露的)bol.com.br 帐户。
其他需要注意的事项是不匹配FROM:
以及REPLY-TO:
字段或显示名称与电子邮件地址不匹配(例如 :)From: President of The United States <[email protected]>