Thursday, November 22, 2012, 15:00
Solution ID: 00000178
I see the phrase "may be forged" in my email "received" headers; what does this mean? Does this mean the message is spam?
PerfectMail's Mail Transport Agent does a reverse hostname lookup of the IP address of the connecting client, and a lookup of the IP addresses associated with that hostname. If the client IP address does not appear in that list then the "may be forged" tag is added.
The "may be forged" mail tag is an artifact of the sendmail MTA.
Spammers can spoof DNS domains via PTR records. In DNS validation of data is implicit in the lookup process. When you do a DNS lookup of "example.com" (A record) you are directed to the Name Servers for "example.com"; they are inherently valid servers. No validation is performed or implied on the responses the Names Servers provide.
Similarly, when you do a Reverse DNS lookup of an IP address (e.g. 126.96.36.199), you are directed to the Name Servers for "204.10.243", and no validation/verification is performed on the responses.
The Name Server easily can say 188.8.131.52 is secure.yourbank.com. The only way to validate this result is to perform a DNS lookup of the PTR result (e.g. secure.yourbank.com) and confirm that the IP address is listed. If it is not listed you may be in a situation where the PTR record is a spoof/forged!
It is best practice to maintain the referential integrity of your DNS A and PTR records. Unfortunately it is quite common for these records to not be fully matched.
Tags: email, mail, header, received, forged
Link to this article: kb/may_be_forged_header
Updated: Thursday, November 22, 2012, 15:00
-- David Rutherford