Changes between Version 2 and Version 3 of faq/email/address-hijacked


Timestamp:
Jul 5, 2010, 8:26:34 PM (14 years ago)
Author:
Jamie McClelland
Comment:

--

  • faq/email/address-hijacked

    v2 v3  
    22
    33Often a friend or colleague will email us a message that seems to have been sent from us, but that we didn't send. Other times, we get a bounce, that seems to indicate that we sent a message to a non-working email address, however, we didn't send the original message.
     4
     5=== Usually, there is no need for concern ===
    46
    57This common occurrence happens because the email system in place on the Internet does not verify the from address. So, we can send email messages from any address we choose simply by telling our email program to use a different address in our from field (anyone with Thunderbird/Icedove can add an arbitrary from address by clicking on the "Manage identities" button in your account settings). Try it - it's fun! You can send a message to your friends from {{{george.bush@whitehouse.gov or che@revolution.org}}}.
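Review bot: The inline code span on line 7 wraps both example addresses and the word "or" as one literal, so it renders as a single address-like string. Since this paragraph is already being touched by the new heading, suggest closing the span after the first address and opening a second one around the other, leaving "or" as plain text.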
     
    810
    911The bottom line is: there's nothing we can do to stop someone from sending a message from your email address.
     12
     13=== How can I be sure an email is from the person it claims to be from? ===
    1014
    1115Along with the bottom line comes another one: you should never believe a message came from someone just because their email address is in the from line!
     
    1822
    1923The examples all used the command line - but that's not necessary! If you are using the [http://www.mozilla.com/en-US/thunderbird/ Thunderbird/Icedove] email program, you can get started with GnuPG with [http://www.linuxjournal.com/article/8578 this tutorial].
     24
     25=== No really, I think my account ''is'' hijacted ===
     26
     27Of course, your account might really be hijacked... meaning that someone may have access to your username and password and is sending messages through our servers from you.
     28
     29The best way to find out is to examine the headers of the message. Each email is sent with extensive information about the various computers it passed through on it's way to you. Most email programs hide all but the basic headers. The steps to view the full headers are different for each email program. This [http://www.abika.com/Reports/Samples/emailheaderguide.htm web site] provide a comprehensive list of directions for many different programs.
     30
     31The key headers to watch for are the ones that start with Receive. From the bottom up, they report each mail server that message has passed through. Alghouth they can also be spoofed (so you should not believe them 100%), they typically can tell you where your message has been.
     32
     33The bottom most received headers on a message I just sent are:
     34
     35{{{
     36
     37Received: from chavez.mayfirst.org ([127.0.0.1])
     38        by localhost (chavez.mayfirst.org [127.0.0.1]) (amavisd-new, port 10024)
     39        with ESMTP id 4EtnYPmvbvgY for <jmcclelland@chavez.mayfirst.org>;
     40        Mon,  5 Jul 2010 15:45:26 -0400 (EDT)
     41Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender:
     42        jmcclelland@chavez.mayfirst.org) with ESMTPSA id DB7F744113
     43Received: by chicken.mayfirst.org (Postfix, from userid 1000)
     44        id AA80F36F4E; Mon,  5 Jul 2010 15:44:23 -0400 (EDT)
     45}}}
     46
     47The bottom most one says "chicken.mayfirst.org" - that's my own computer. Next comes the anonymized line the strips your personal information about receiving the message on our servers. The third, top-most line, is chavez reporting that it has received the message.
     48
     49Typically, a spoofed email will show other servers prior to the chavez line, indicating that the message was sent by a server not under our control.
     50
     51If you have a spoofed email that has headers resembling the ones above please [/newticket open a ticket] with a copy of the headers so we can determine if your account is compromised.
     52
     53jamie
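Review bot: The paragraph added at line 49 describes what a spoofed message looks like, but nothing in the new section says which header shows that a message really was submitted with the account's credentials; in the sample that is the "(Authenticated sender: jmcclelland@chavez.mayfirst.org) with ESMTPSA" entry on lines 41-42. Suggest stating that explicitly, because line 51 asks people to open a ticket when their headers "resemble" the sample and a reader otherwise cannot tell which part has to match. Line 31 should name the header "Received:" rather than "Receive" so it can be searched for in the raw message. Typos in the added lines: "hijacted" (25), "on it's way" and "provide" (29), "Alghouth" (31), "the strips" (47). The trailing "jamie" on line 53 reads as a signature left in the page body and could be dropped.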