How does the spammer do this?

kranky

Elite Member
Oct 9, 1999
I got an email yesterday trying to phish for bank information, but the spammer screwed up the body of the message. It came again today but they fixed their mistake. The email is supposedly from USBank.

The header says:
Received: from mailexchanger1.[myisp].com (mailexchanger1.[myisp].com [208.xxx.xxx.xxx]) by oldmail.[myisp].com (8.12.10/8.12.10) with ESMTP id i2UE29wa031636 for <kranky@[myisp].com>; Tue, 30 Mar 2004 09:02:09 -0500 (EST)

Received: from lsanca2-ar27-4-46-141-048.lsanca2.dsl-verizon.net (lsanca2-ar27-4-46-141-048.lsanca2.dsl-verizon.net [4.46.141.48]) by mailexchanger1.[myisp].com (8.12.10/8.12.10) with SMTP id i2UE7SKJ049647 for <kranky@[myisp].com>; Tue, 30 Mar 2004 09:07:36 -0500 (EST)

Received: from usbank.com (mail2.usbank.com [170.135.240.62]) by lsanca2-ar27-4-46-141-048.lsanca2.dsl-verizon.net (Postfix) with ESMTP id 13E51F2ED2 for <kranky@[myisp].com>; Tue, 30 Mar 2004 08:01:14 -0600

How do they get the Received entry to make it look like it originated from mail2.usbank.com? I've never noticed spammers being able to do that before.
 

spartan

Senior member
Oct 9, 1999
Doesn't each mail relay prepend a "Received:" header to the mail? So the spammer could have just put the first "Received:" header when sending the mail to make it look like it comes from USBank.

PS: I don't know much about internet email. I'm just guessing.
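
An added example, not part of either post above: because each relay prepends its own Received: line, a reader can rely only on lines written by the recipient's own servers, and this sketch walks the chain from the top to find where mail entered that infrastructure and which lines below it are unverifiable. Assumptions: `myisp.example` and `192.0.2.10` are constructed stand-ins for the redacted ISP name and address, `split_trust` is a hypothetical helper, and the rule that a trusted hop's "by" host must equal the host named in the line above is a simplification.

```python
import re

# Parses the "from HELO (rdns [ip]) by host" part of a sendmail/Postfix-style line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

def split_trust(received, trusted_domain):
    """Walk Received: lines newest-first and split them at the trust boundary.

    Returns (handoff, unverified). handoff is the parsed line written by the
    last server we control; its 'ip' is the peer that really connected to us.
    unverified holds every line below it, which the sender could have typed.
    """
    handoff = None
    for i, line in enumerate(received):
        m = RECEIVED_RE.search(line)
        by = m.group("by").lower() if m else ""
        ours = by == trusted_domain or by.endswith("." + trusted_domain)
        # A line claiming to be written by our server must continue the chain:
        # the line above has to name that same server as the host it received from.
        linked = handoff is None or by == handoff["rdns"].lower()
        if not (ours and linked):
            return handoff, received[i:]
        handoff = m.groupdict()
    return handoff, []

# Constructed sample: the three lines from the post, with the redacted ISP
# replaced by myisp.example / 192.0.2.10 and the trailing "for ...; date" dropped.
DSL = "lsanca2-ar27-4-46-141-048.lsanca2.dsl-verizon.net"
SAMPLE = [
    "from mailexchanger1.myisp.example (mailexchanger1.myisp.example [192.0.2.10]) "
    "by oldmail.myisp.example (8.12.10/8.12.10) with ESMTP id i2UE29wa031636",
    f"from {DSL} ({DSL} [4.46.141.48]) "
    "by mailexchanger1.myisp.example (8.12.10/8.12.10) with SMTP id i2UE7SKJ049647",
    f"from usbank.com (mail2.usbank.com [170.135.240.62]) by {DSL} "
    "(Postfix) with ESMTP id 13E51F2ED2",
]

if __name__ == "__main__":
    handoff, unverified = split_trust(SAMPLE, "myisp.example")
    print("Connected to our server from:", handoff["rdns"], handoff["ip"])
    for line in unverified:
        print("Unverifiable:", line)
```

On the sample, the boundary falls at the line written by mailexchanger1, so the only address vouched for by the recipient's ISP is the one that line recorded for the connecting host.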