Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!mhuxt!houxm!whuxl!whuxlm!akgua!gatech!seismo!mcvax!ukc!dcl-cs!stephen
From: stephen@dcl-cs.UUCP
Newsgroups: net.news.sa
Subject: Re: phoney addresses, can they be tracked?
Message-ID: <66@comp.lancs.ac.uk>
Date: Wed, 2-Apr-86 07:52:53 EST
Article-I.D.: comp.66
Posted: Wed Apr 2 07:52:53 1986
Date-Received: Sat, 5-Apr-86 12:14:54 EST
References: <134@gilbbs.UUCP>
Reply-To: stephen@comp.lancs.ac.uk (Stephen J. Muir)
Organization: Department of Computing at Lancaster University, UK.
Lines: 49
Keywords: forgery, phoney addresses, protection

In article <134@gilbbs.UUCP> root@gilbbs.UUCP writes:
>Is there any way that we might be able to track such a posting?
>
> The offensive posting header follows:
>
>
>Received: by hplabs.ARPA ; Thu, 27 Mar 86 00:03:55 pst
>Received: by hao.NCAR (4.12/4.7)
>	id AA08482; Thu, 27 Mar 86 00:26:14 mst
>Received: by seismo.ARPA (4.12/4.7)
>	id AA03491; Thu, 27 Mar 86 13:45:53 est
>Received: by mcvax.UUCP (4.12/4.7)
>	id AA09712; Thu, 27 Mar 86 10:48:31 gmt
>Received: by moskvax.USSR (4.12/4.7)
>	id AA08123; Wed, 26 Mar 86 23:19:33 ust
>Received: by kremlin.USSR (4.12/4.7)
>	id AA03099; Wed, 26 Mar 86 23:15:03 ust

Our mailer puts "Received" stamps on according to where the mail actually came
from.  Thus, this mail message would've become:

Received: from hao.NCAR by hplabs.ARPA ; Thu, 27 Mar 86 00:03:55 pst
Received: from seismo.ARPA by hao.NCAR (4.12/4.7)
	id AA08482; Thu, 27 Mar 86 00:26:14 mst
Received: from mcvax.UUCP by seismo.ARPA (4.12/4.7)
	id AA03491; Thu, 27 Mar 86 13:45:53 est
Received: from moskvax.USSR by mcvax.UUCP (4.12/4.7)
	id AA09712; Thu, 27 Mar 86 10:48:31 gmt
Received: from kremlin.USSR by moskvax.USSR (4.12/4.7)
	id AA08123; Wed, 26 Mar 86 23:19:33 ust
Received: by kremlin.USSR (4.12/4.7)
	id AA03099; Wed, 26 Mar 86 23:15:03 ust

All you would then have to do is see where the discrepancy is.  E.g., if part
of the message was instead:

Received: from bogus.UUCP by mcvax.UUCP (4.12/4.7)
	id AA09712; Thu, 27 Mar 86 10:48:31 gmt
Received: from kremlin.USSR by moskvax.USSR (4.12/4.7)
	id AA08123; Wed, 26 Mar 86 23:19:33 ust

you would be able to find it.  It is my firm belief that all mailers should do
this for this reason (this conforms to RFC822).
-- 
UUCP:	...!seismo!mcvax!ukc!dcl-cs!stephen
DARPA:	stephen%comp.lancs.ac.uk@ucl-cs	| Post: University of Lancaster,
JANET:	stephen@uk.ac.lancs.comp	|	Department of Computing,
Phone:	+44 524 65201 Ext. 4120		|	Bailrigg, Lancaster, UK.
Project:Alvey ECLIPSE Distribution	|	LA1 4YR
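
The discrepancy check described in the article above, as an added example that is not part of the original post: it walks the "Received" stamps from newest to oldest and reports any hop whose "from" host is not the host that wrote the next-older stamp. The function names are hypothetical, the sample is constructed by placing the article's "bogus.UUCP" line into its full chain, and stamps are assumed to follow the "Received: [from X] by Y" form shown in the article.

```python
import re

# Constructed sample: the chain from the article with its "bogus.UUCP"
# variant substituted in. Newest stamp first, continuation lines indented.
SAMPLE = """\
Received: from hao.NCAR by hplabs.ARPA ; Thu, 27 Mar 86 00:03:55 pst
Received: from seismo.ARPA by hao.NCAR (4.12/4.7)
\tid AA08482; Thu, 27 Mar 86 00:26:14 mst
Received: from mcvax.UUCP by seismo.ARPA (4.12/4.7)
\tid AA03491; Thu, 27 Mar 86 13:45:53 est
Received: from bogus.UUCP by mcvax.UUCP (4.12/4.7)
\tid AA09712; Thu, 27 Mar 86 10:48:31 gmt
Received: from kremlin.USSR by moskvax.USSR (4.12/4.7)
\tid AA08123; Wed, 26 Mar 86 23:19:33 ust
Received: by kremlin.USSR (4.12/4.7)
\tid AA03099; Wed, 26 Mar 86 23:15:03 ust
"""

STAMP = re.compile(r"^Received:\s*(?:from\s+(?P<src>\S+)\s+)?by\s+(?P<by>\S+)", re.I)

def parse_stamps(header_text):
    """Return [(from_host_or_None, by_host), ...], newest stamp first."""
    # Unfold continuation lines (those starting with whitespace), as in RFC 822.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_text)
    hops = []
    for line in unfolded.splitlines():
        m = STAMP.match(line)
        if m:
            src = m.group("src")
            hops.append((src.lower() if src else None, m.group("by").lower()))
    return hops

def find_discrepancies(hops):
    """Return (by_host, claimed_from, older_by) for every break in the chain."""
    issues = []
    # Pair each stamp with the next-older one; the oldest stamp has no peer.
    for (src, by), (_, older_by) in zip(hops, hops[1:]):
        if src != older_by:  # also true when the relay recorded no "from"
            issues.append((by, src, older_by))
    return issues

if __name__ == "__main__":
    for by, claimed, older in find_discrepancies(parse_stamps(SAMPLE)):
        print(f"{by}: says it received from {claimed!r}, "
              f"but the previous stamp was written by {older!r}")
```

A stamp with no "from" clause is reported with a claimed host of None, so a header in the style quoted at the top of the article is flagged at every hop rather than passing silently.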