
I often receive phishing/SPAM emails with multiple received fields.

First, I'd like to understand how one email header can have more than one received field.

Second, I'd like to know if I can use this to fight SPAM.

Here is an example:


    Return-Path: 
    X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on myhosting.com
    X-Spam-Level: 
    X-Spam-Status: No, score=0.0 required=3.5 tests=HTML_MESSAGE autolearn=ham
        version=3.3.2
    X-Spam-ASN: 
    X-Original-To: my@email.rs
    Delivered-To: my@email.rs
    Received: from posta.abak.si (posta.abak.si [84.255.212.92])
        by myhosting.com (Postfix) with ESMTPS id 522CA80DC8
        for ; Wed, 8 May 2019 14:31:59 +0200 (CEST)
    Authentication-Results: myhosting.com;
        dmarc=none (p=NONE sp=NONE) smtp.from=mk.kema-on.net header.from=mk.kema-on.net;
        spf=none (sender IP is 84.255.212.92) smtp.mailfrom=dime.mitreski@mk.kema-on.net smtp.helo=posta.abak.si
    Received-SPF: none (myhosting.com: no valid SPF record)
    Received: from localhost (localhost [127.0.0.1])
        by posta.abak.si (Postfix) with ESMTP id 2C09E1E6A7D7
        for ; Wed, 8 May 2019 14:35:06 +0200 (CEST)
    Received: from posta.abak.si ([127.0.0.1])
        by localhost (posta.abak.si [127.0.0.1]) (amavisd-new, port 10032)
        with ESMTP id dw1MvahvfmXL for ;
        Wed, 8 May 2019 14:35:05 +0200 (CEST)
    Received: from localhost (localhost [127.0.0.1])
        by posta.abak.si (Postfix) with ESMTP id EB2B21E6A3C6
        for ; Wed, 8 May 2019 14:30:12 +0200 (CEST)
    X-Virus-Scanned: amavisd-new at posta.abak.si
    Received: from posta.abak.si ([127.0.0.1])
        by localhost (posta.abak.si [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id luUYSdWOdHLE for ;
        Wed, 8 May 2019 14:30:12 +0200 (CEST)
    Received: from IP-129-13.dataclub.eu (unknown [84.38.129.13])
        by posta.abak.si (Postfix) with ESMTPA id B18CD1E6A7A6
        for ; Wed, 8 May 2019 14:25:39 +0200 (CEST)
    Content-Type: multipart/alternative; boundary="===============0253676305=="
    MIME-Version: 1.0
    Subject: Warning: you have (3) Undelivered messesges
    To: my@email.rs
    From: "Webmaster" 
    Date: Wed, 08 May 2019 15:25:37 +0300
    Message-Id: 
    Message Body

1 Answer

Every mail server that processes an email adds its own Received field to the header. It is normal for emails to pass through several email servers when traveling across the internet from the sender's computer to the final destination.

https://tools.ietf.org/html/rfc5321#section-4.4

When an SMTP server receives a message for delivery or further
processing, it MUST insert trace ("time stamp" or "Received")
information at the beginning of the message content,

Looking at the first Received field,

    Received: from IP-129-13.dataclub.eu (unknown [84.38.129.13])
        by posta.abak.si (Postfix) with ESMTPA id B18CD1E6A7A6
        for ; Wed, 8 May 2019 14:25:39 +0200 (CEST)

you will notice that it says which server it received the mail from (the "FROM" clause), and which server received it (the "BY" clause).

As you read through the list of Received fields in the header you posted, you will notice that they are all linked in this fashion.

echawkes
  • Thank you for your reply. Can you please help me understand why there is "posta.abak.si" 6 times? – Vojkan Cvijanovic May 14 '19 at 02:14
  • Also, judging by the time stamps this email travelled 10 minutes through the same server, and the time stamp above "Authentication-Results:" is different from the one below the "Authentication-Results:". I don't get it. How is that first time stamp generated? – Vojkan Cvijanovic May 14 '19 at 02:16
  • It looks like the email went through several different mail servers on the same host. You can see that in several cases, posta.abak.si was actually 127.0.0.1 or localhost. This is relatively common: mail may be sent first to a mail submission agent (MSA), then routed through several mail servers, each of which applies different junk blocking techniques (anti-spam, anti-virus, etc.), encryption, or other services, and then get routed to a mail transfer agent (MTA), which then attempts to route the mail to the next hop. – echawkes May 15 '19 at 06:41
  • It looks like the email did spend 10 minutes on posta.abak.si. It's possible that queuing and processing took several minutes in each stop on posta.abak.si. The server at myhosting.com probably has a clock that is off by a few minutes from posta.abak.si. I don't know which server has a clock that is wrong, or if both are. The email certainly couldn't have gone backwards in time. :-) – echawkes May 15 '19 at 06:52
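The linkage the answer describes (each hop's "from" host matching the "by" host of the hop below it) and the clock-skew point raised in the comments can be checked mechanically. The Python below is an added example, not part of the original post: it unfolds and parses the six Received headers quoted in the question, reports any break in the from/by chain, and flags hops whose timestamp is earlier than the hop beneath them.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the six Received headers quoted in the question above, newest hop first.
SAMPLE = """\
Received: from posta.abak.si (posta.abak.si [84.255.212.92])
    by myhosting.com (Postfix) with ESMTPS id 522CA80DC8
    for ; Wed, 8 May 2019 14:31:59 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
    by posta.abak.si (Postfix) with ESMTP id 2C09E1E6A7D7
    for ; Wed, 8 May 2019 14:35:06 +0200 (CEST)
Received: from posta.abak.si ([127.0.0.1])
    by localhost (posta.abak.si [127.0.0.1]) (amavisd-new, port 10032)
    with ESMTP id dw1MvahvfmXL for ;
    Wed, 8 May 2019 14:35:05 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
    by posta.abak.si (Postfix) with ESMTP id EB2B21E6A3C6
    for ; Wed, 8 May 2019 14:30:12 +0200 (CEST)
Received: from posta.abak.si ([127.0.0.1])
    by localhost (posta.abak.si [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id luUYSdWOdHLE for ;
    Wed, 8 May 2019 14:30:12 +0200 (CEST)
Received: from IP-129-13.dataclub.eu (unknown [84.38.129.13])
    by posta.abak.si (Postfix) with ESMTPA id B18CD1E6A7A6
    for ; Wed, 8 May 2019 14:25:39 +0200 (CEST)
"""

HOP_RE = re.compile(r"^Received:\s*from\s+(\S+)\s*(\([^)]*\))?.*?\bby\s+(\S+).*;\s*(.+)$")

def parse_received(raw):
    """Unfold RFC 5322 continuation lines and return the hops, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    hops = []
    for m in filter(None, map(HOP_RE.match, unfolded.splitlines())):
        ip = re.search(r"\[([^\]]+)\]", m.group(2) or "")           # address the relay actually saw
        stamp = re.sub(r"\s*\(.*\)\s*$", "", m.group(4))             # drop the "(CEST)" comment
        hops.append({"from": m.group(1), "ip": ip and ip.group(1),
                     "by": m.group(3), "time": parsedate_to_datetime(stamp)})
    return hops

def audit_chain(hops):
    """Each hop's 'from' should equal the 'by' of the hop below it, and time should not run backwards."""
    breaks, skews = [], []
    for upper, lower in zip(hops, hops[1:]):
        if upper["from"].lower() != lower["by"].lower():
            breaks.append((lower["by"], upper["from"]))
        delta = int((upper["time"] - lower["time"]).total_seconds())
        if delta < 0:   # a later relay stamped an earlier time: clock skew, or a forged trace line
            skews.append((upper["by"], delta))
    return breaks, skews
```

On the sample the chain is unbroken and the bottom hop exposes the submitting host and its address, while the top hop (myhosting.com) is stamped 187 seconds before the hop below it, which is the skew the comments discuss.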