
Thursday, November 22, 2012, 15:00

What does "may be forged" mean?

Category: General

Solution ID: 00000178

Summary:

I see the phrase "may be forged" in my email "received" headers; what does this mean? Does this mean the message is spam?

Answer:

PerfectMail's Mail Transport Agent does a reverse hostname lookup (PTR) of the IP address of the connecting client, then looks up the IP addresses associated with the hostname that lookup returned. If the client IP address does not appear in that list, the "may be forged" tag is added.

The "may be forged" mail tag is an artifact of the sendmail MTA.

Example/Explanation:

Spammers can spoof DNS domains via PTR records. In DNS, validation of data is implicit in the lookup process: when you do a DNS lookup of "example.com" (A record) you are directed to the name servers for "example.com", which are inherently the authoritative servers for that zone. No validation is performed or implied on the responses those name servers provide.

Similarly, when you do a reverse DNS lookup of an IP address (e.g. 204.10.243.99), you are directed to the name servers responsible for the "204.10.243" reverse zone, and no validation or verification is performed on their responses.

That name server can easily say that 204.10.243.99 is secure.yourbank.com. The only way to validate this result is to perform a forward DNS lookup of the PTR result (e.g. secure.yourbank.com) and confirm that the client IP address is among the addresses listed. If it is not listed, you may be looking at a spoofed or forged PTR record.

It is best practice to maintain the referential integrity of your DNS A and PTR records. Unfortunately it is quite common for these records to not be fully matched.
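The check described above is usually called forward-confirmed reverse DNS. The following is an added example, not PerfectMail's or sendmail's own code, that implements it with the system resolver and also against a small constructed DNS table (the names and addresses in it are made up, using reserved documentation ranges, and mirror the article's hypothetical bank host) so it can be run offline. The `received_clause` helper approximates the `name [ip] (may be forged)` form seen in Received headers; the exact sendmail layout is an assumption.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None if the IP has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup(hostname: str) -> List[str]:
    """All A/AAAA addresses for a hostname via the system resolver (empty if none)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns_check(client_ip: str,
                 reverse: ReverseFn = reverse_lookup,
                 forward: ForwardFn = forward_lookup) -> Tuple[Optional[str], bool]:
    """Return (ptr_hostname, may_be_forged).

    may_be_forged is True when a PTR name exists but the client IP is not among
    the addresses that name resolves to: the PTR/A records do not match, which is
    the condition the article describes for the "may be forged" tag.
    With no PTR record there is no name to verify, so the tag does not apply.
    """
    ptr = reverse(client_ip)
    if ptr is None:
        return None, False
    return ptr, client_ip not in forward(ptr)


def received_clause(client_ip: str,
                    reverse: ReverseFn = reverse_lookup,
                    forward: ForwardFn = forward_lookup) -> str:
    """Render the connecting-client description roughly as a Received header shows it
    (assumed layout: 'name [ip]' plus the tag; not an exact sendmail reproduction)."""
    ptr, forged = fcrdns_check(client_ip, reverse, forward)
    if ptr is None:
        return f"[{client_ip}]"
    return f"{ptr} [{client_ip}]" + (" (may be forged)" if forged else "")


# Constructed sample DNS data (not real records) for an offline demonstration.
SAMPLE_PTR: Dict[str, Optional[str]] = {
    "198.51.100.10": "mx1.example.net",          # honest: A record points back to this IP
    "203.0.113.5": "secure.yourbank.example",    # forged: the name never resolves to this IP
    "192.0.2.77": None,                          # no PTR record at all
}
SAMPLE_A: Dict[str, List[str]] = {
    "mx1.example.net": ["198.51.100.10", "198.51.100.11"],
    "secure.yourbank.example": ["198.51.100.200"],
}


def sample_reverse(ip: str) -> Optional[str]:
    """Resolver stand-in backed by SAMPLE_PTR."""
    return SAMPLE_PTR.get(ip)


def sample_forward(hostname: str) -> List[str]:
    """Resolver stand-in backed by SAMPLE_A."""
    return SAMPLE_A.get(hostname, [])


if __name__ == "__main__":
    # Offline run over the constructed table; swap in the default resolvers
    # (drop the last two arguments) to test a live address.
    for ip in SAMPLE_PTR:
        print(received_clause(ip, sample_reverse, sample_forward))
```

The check is deliberately one-directional: a name server can claim any PTR value it likes, so only the forward lookup of the returned name, which is answered by the name's own zone, provides the confirmation. A mismatch is a signal to weigh, not proof of spam, since legitimately misconfigured hosts trip it just as often.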


Tags: email, mail, header, received, forged

See Also:

Link to this article: http://perfectmail.com/kb/may_be_forged_header

Updated: Thursday, November 22, 2012, 15:00

-- David Rutherford

Comments

1. Rick Hawkes, Monday, February 15, 2016, 17:58:

If it "may be forged" does that mean that it could have originated from anywhere? Even from my computer?

2. David Rutherford, Tuesday, February 16, 2016, 12:20:

It doesn't matter where the email originated. It is a simple test that compares the DNS PTR and A records. If there is a mismatch the "may be forged" message is displayed.


Last modified: 2016-02-16, 12:40

© 1999-2013 PerfectMail