To answer your question, everything up to and including the BCC line is
header.

I'm no expert on mail headers or anything, but the lines I pay attention to
the most are the Received: lines; they'll tell you what SMTP servers the
message has passed through on its way to the recipient.  Usually something
there will look funny if it's a spoofed message.

On Fri, Feb 10, 2017 at 9:42 AM, Edith Fogarty <[log in to unmask]>
wrote:

> Forgive my ignorance, but what can I tell from the headers?  I can
> honestly say that I don't even know what part is the "header."  Below is
> what I received.
>
> Delivered-To: [log in to unmask]
> Received: by 10.157.12.155 with SMTP id b27csp265855otb;
>         Thu, 9 Feb 2017 05:36:05 -0800 (PST)
> X-Received: by 10.129.118.77 with SMTP id j13mr2242697ywk.270.1486647365266;
>         Thu, 09 Feb 2017 05:36:05 -0800 (PST)
> Return-Path: <[log in to unmask]>
> Received: from mail-yw0-x244.google.com (mail-yw0-x244.google.com. [2607:f8b0:4002:c05::244])
>         by mx.google.com with ESMTPS id p193si504832ybg.263.2017.02.09.05.36.05
>         for <[log in to unmask]>
>         (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>         Thu, 09 Feb 2017 05:36:05 -0800 (PST)
> Received-SPF: neutral (google.com: 2607:f8b0:4002:c05::244 is neither permitted nor denied by best guess record for domain of [log in to unmask]) client-ip=2607:f8b0:4002:c05::244;
> Authentication-Results: mx.google.com;
>        dkim=pass [log in to unmask];
>        spf=neutral (google.com: 2607:f8b0:4002:c05::244 is neither permitted nor denied by best guess record for domain of [log in to unmask]) [log in to unmask]
> Received: by mail-yw0-x244.google.com with SMTP id u68so284402ywg.0
>         for <[log in to unmask]>; Thu, 09 Feb 2017 05:36:05 -0800 (PST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>         d=beschool-org.20150623.gappssmtp.com; s=20150623;
>         h=mime-version:from:date:message-id:subject:to;
>         bh=p8Q4mmR+ZloPt9MxTFU4D0BK5NEE720i2AzPZhYs5ts=;
>         b=st87TXF/ZxLcW7kIQZn+sBP4CdwcPjxDGzme9bau3NMOwANTBIrDeM/9wDjVZR2knW
>          SbIROFvItRmOo2svQ/jXdNAu8r17xM0A/0zioX58PdORI/mqSR9Zog+b9oy+jo5KUAnd
>          sX5vxcW8Gec4a+Ls4eqKS+WsRDugYZIqKjFx4NQR5ksDZvVWNmh16izB0TGlOIAS+CO7
>          Ztp2P17vI9TOy9HaSVVNvNyiQZO5FqwkLdprdrjy0UqKjAaM7yjgIU1b7qQLeyHDv/Ln
>          sHb9yM/WGC4XPEprUml9D3keYU25MMsuOCdN4vQ97tKOkCVPqcHFnipUc7Fig19mqiG4
>          GU/A==
> X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>         d=1e100.net; s=20161025;
>         h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
>         bh=p8Q4mmR+ZloPt9MxTFU4D0BK5NEE720i2AzPZhYs5ts=;
>         b=gDgAnHh7seW5/ZpkNZH2tJGiRsDkAqkyCalfsM+XyV/3FSk+C1Hk88LAKPuGhhdoyD
>          92OjwtonWKrGdA0QlAnZ6xm7Ki++21Qk1HjiGsgfsxntQb9c2ty99k6lNX/BKuOYAz9b
>          SyGR/MjJPPFV+1ttJ5dPW9nYtHoIJAwbFxM15mu8i5d0aXBnjIjvnwHic3zAwhU6a1pK
>          zaxJuhp/B1rbeAHCAhNeQxNliRQirPRImYU8IFuf0i1/OHQwDcaKIM1cW1BiSWl3Rej5
>          5GfucJbUpPmNyo0/dIoakgJ4AKoKcAu5IlCj5wtuvljJIB0foXfgNQ/ZH8Ve9kB0CNfg
>          Ji4Q==
> X-Gm-Message-State: AMke39meRKrQIlBCi/b1td+HPKj1LNmo6fARAfngy0QKa4QBRglJK37maSp67CZvRG3jUVcoyfPq/Ci+Axh+k7cPbGo=
> X-Received: by 10.129.152.77 with SMTP id p74mr2064320ywg.177.1486647364611; Thu, 09 Feb 2017 05:36:04 -0800 (PST)
> MIME-Version: 1.0
> Received: by 10.37.123.7 with HTTP; Thu, 9 Feb 2017 05:36:01 -0800 (PST)
> From: Cathy Roberts <[log in to unmask]>
> Date: Thu, 9 Feb 2017 05:36:01 -0800
> Message-ID: <[log in to unmask]>
> Subject: Secured Message
> To: undisclosed-recipients:;
> Content-Type: multipart/mixed; boundary=94eb2c0bbf5613479005481910fc
> Bcc: [log in to unmask]
>
> --94eb2c0bbf5613479005481910fc
> Content-Type: multipart/alternative; boundary=94eb2c0bbf5613478b05481910fa
>
> --94eb2c0bbf5613478b05481910fa
> Content-Type: text/plain; charset=UTF-8
>
> Please see attached document for your review.
>
>
> Thanks
>
> --94eb2c0bbf5613478b05481910fa
> Content-Type: text/html; charset=UTF-8
> Content-Transfer-Encoding: quoted-printable
>
> <div dir=3D"ltr"><span style=3D"font-size:12.8px;line-height:normal">Please=
>  see attached document for your review.</span><br style=3D"font-size:12.8px=
> ;line-height:normal"><br style=3D"font-size:12.8px;line-height:normal"><br =
> style=3D"font-size:12.8px;line-height:normal"><span style=3D"font-size:12.8=
> px;line-height:normal">Thanks</span><br></div>
>
> --94eb2c0bbf5613478b05481910fa--
> --94eb2c0bbf5613479005481910fc
> Content-Type: application/pdf; name="Document2017-09-02-075055.pdf"
> Content-Disposition: attachment; filename="Document2017-09-02-075055.pdf"
> Content-Transfer-Encoding: base64
> X-Attachment-Id: f_iyyffr0t0
>
>
> --94eb2c0bbf5613479005481910fc--
>
>
> Edith Fogarty
> Technology Integration Facilitator
> Bradford Elementary School
> 143 Fairground Rd
> Bradford, VT 05033
> 802.222.4077 x281
> 802.222.5196 fax
>
>
> On Fri, Feb 10, 2017 at 9:12 AM, Scott Grant <[log in to unmask]> wrote:
>
>> Agreed.  I've seen that actually more often.  Be sure to point out that
>> you need the headers of the original they received.
>>
>> On Fri, Feb 10, 2017 at 9:04 AM, David McClellan <
>> [log in to unmask]> wrote:
>>
>>> Not to discount the possibility of the account being compromised, but
>>> I'm with Bill Fitzgerald here. I'd check the headers of the sent mail, I'd
>>> be willing to bet the address was spoofed. Maybe have the recipients of the
>>> email forward it back to you to see what you can in the headers?
>>>
>>> Good luck,
>>>
>>> On Thu, Feb 9, 2017, 18:23 Bill Fitzgerald <[log in to unmask]> wrote:
>>>
>>> Also, just so the email address can't be spoofed, make sure that you
>>> have SPF, DKIM, and DMARC records set up.
>>>
>>> Cheers,
>>>
>>> Bill
>>>
>>> On Thu, Feb 9, 2017 at 12:55 PM, Scott Grant <[log in to unmask]> wrote:
>>>
>>> Most of these suggestions assume Google email accounts.  Here's what I'd
>>> suggest to summarize:
>>>
>>> Disable the account first! (already done)
>>> Review where the account had been logged into.  Get screen captures of
>>> the data.
>>> Change the password.
>>> Consider having the user leverage a second-factor for authentication.
>>> Reset sign in cookies as per another suggestion.
>>> Run AV on the user's computer(s).
>>> Ensure a level of password complexity for the new password.
>>> Re-enable the account.
>>> Review their Sent messages and ALL Mail views.  Also ensure they are
>>> receiving emails correctly.  Sometimes hackers will add a rule to GMail to
>>> archive all inbound messages.  This way, the owner doesn't see the delivery
>>> failures, etc.
>>>
>>> Verify where they access their email from.  Is it from home as well on a
>>> different computer?  Suggest they run AV there as well.
>>>
>>> That's the basics.
>>>
>>>
>>>
>>> On Thu, Feb 9, 2017 at 10:06 AM, Christine Gibson <[log in to unmask]>
>>> wrote:
>>>
>>> I would also suggest that you reset the sign-in cookies.  This will kick
>>> out anyone who may have been signed into the account.  Simply changing the
>>> password does not terminate all current sessions.  You can find the switch
>>> to reset the sign-in cookies under Account in the Google Admin Console.
>>>
>>>
>>> *Christine Gibson*
>>> *PowerSchool Data Manager*
>>> 49 Charles Avenue
>>> Middlebury, VT 05753
>>> [log in to unmask]
>>> 802-382-1720
>>>
>>> On Thu, Feb 9, 2017 at 10:01 AM, Raymond Ballou <[log in to unmask]>
>>> wrote:
>>>
>>> Edith
>>>
>>> Not sure why it doesn't list change password, but here are the
>>> suggestions from Google.
>>>
>>> https://support.google.com/a/answer/2984349?hl=en
>>>
>>>
>>> R
>>>
>>> -----------------------------------------------------------------------
>>>
>>> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT
>>> Archive
>>>
>>> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
>>> Subscription to SCHOOL-IT
>>>
>>>
>>>
>>> --
>>> David McClellan
>>> Technology Support Specialist
>>> Chittenden East Supervisory Union
>>> Mobile: (802) 458 - 7327
>>> Backup Mobile: (802) 448 - 0329
>>>
>>> This e-mail may contain information protected under the Family
>>> Educational Rights and Privacy Act (FERPA). If this e-mail contains student
>>> information and you are not entitled to access such information under
>>> FERPA, please notify the sender. Federal regulations require that you
>>> destroy this e-mail without reviewing it and you may not forward it to
>>> anyone.
>>>
>>
>
>
> *CONFIDENTIALITY NOTE:* The information transmitted, including
> attachments, is intended only for the person(s) or entity to which it is
> addressed and may contain confidential and/or privileged material. Any
> review, retransmission, dissemination or other use of, or taking of any
> action in reliance upon this information by persons or entities other than
> the intended recipient is prohibited. If you received this in error, please
> contact the sender and destroy any copies of this information.
>
>



-- 
Bob Wickberg
Technology Coordinator
Brattleboro Union High School District # 6
(802)451-3418
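Added example (editor's code, not part of any message in this thread): it does programmatically what Bob describes doing by eye, and adds the check Bill's SPF/DKIM/DMARC advice implies. It parses a header block like the one Edith pasted, walks the Received: lines from the originating hop outward, pulls the SPF and DKIM verdicts and the SPF envelope sender out of the receiving server's Authentication-Results, and tests whether the DKIM signing domain and the envelope domain line up with the From: domain the way a DMARC evaluation requires. The sample headers are constructed for the example: they follow the shape of the quoted ones, with the masked addresses replaced by example addresses and the signature value shortened. The organisational-domain comparison uses the last two labels instead of the Public Suffix List, which is an approximation, and no DMARC DNS policy lookup is performed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample for this example: same shape as the headers quoted in the
# thread, masked addresses replaced with example addresses, signature shortened.
SAMPLE_HEADERS = """\
Received: by 10.157.12.155 with SMTP id b27csp265855otb;
        Thu, 9 Feb 2017 05:36:05 -0800 (PST)
Received: from mail-yw0-x244.google.com (mail-yw0-x244.google.com. [2607:f8b0:4002:c05::244])
        by mx.google.com with ESMTPS id p193si504832ybg.263.2017.02.09.05.36.05
        for <edith@school.example>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 09 Feb 2017 05:36:05 -0800 (PST)
Received-SPF: neutral (google.com: 2607:f8b0:4002:c05::244 is neither permitted nor denied by best guess record for domain of cathy@beschool.example) client-ip=2607:f8b0:4002:c05::244;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@beschool-example.20150623.gappssmtp.com;
       spf=neutral (google.com: best guess record for domain of cathy@beschool.example) smtp.mailfrom=cathy@beschool.example
Received: by mail-yw0-x244.google.com with SMTP id u68so284402ywg.0
        for <edith@school.example>; Thu, 09 Feb 2017 05:36:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=beschool-example.20150623.gappssmtp.com; s=20150623;
        h=mime-version:from:date:message-id:subject:to;
        bh=p8Q4mmR+ZloPt9MxTFU4D0BK5NEE720i2AzPZhYs5ts=; b=c2hvcnRlbmVk
MIME-Version: 1.0
Received: by 10.37.123.7 with HTTP; Thu, 9 Feb 2017 05:36:01 -0800 (PST)
From: Cathy Roberts <cathy@beschool.example>
Subject: Secured Message
To: undisclosed-recipients:;

"""

# "Received: [from <name> (<comment>)] by <server> [with <protocol>] ..."
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<from>\S+)\s+(?:\((?P<comment>[^)]*)\)\s+)?)?"
    r"by\s+(?P<by>[^\s;]+)(?:\s+with\s+(?P<with>[^\s;]+))?", re.I)

def unfold(value):
    """Collapse a folded header (continuation lines) into one spaced string."""
    return " ".join(value.split())

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def received_chain(msg):
    """Hops oldest-first: the lowest Received: line is nearest the sender. Only the
    lines written by your own servers (the top ones) are trustworthy; the sender
    controls everything below the point where the mail entered your infrastructure."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.match(unfold(raw))
        hop = m.groupdict() if m else {"from": None, "by": None, "with": None}
        hop["raw"] = unfold(raw)
        hops.append(hop)
    return hops

def auth_results(msg):
    """SPF/DKIM verdicts and the SPF envelope sender from Authentication-Results.
    Trust only the header whose authserv-id is your own MX (mx.google.com here)."""
    out = {}
    for raw in msg.get_all("Authentication-Results", []):
        v = unfold(raw)
        for key in ("spf", "dkim"):
            m = re.search(rf"\b{key}=(\w+)", v)
            if m and key not in out:
                out[key] = m[1].lower()
        m = re.search(r"smtp\.mailfrom=([^\s;()]+)", v)
        if m and "smtp.mailfrom" not in out:
            out["smtp.mailfrom"] = m[1]
    return out

def dkim_signing_domain(msg):
    for raw in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", unfold(raw))
        if m:
            return m[1].lower()
    return ""

def org_domain(domain):
    """Assumption for this example: the last two labels stand in for the Public
    Suffix List lookup that DMARC relaxed alignment actually uses."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain):
    """DMARC relaxed alignment: same organisational domain."""
    if not from_domain or not auth_domain:
        return False
    return org_domain(from_domain) == org_domain(auth_domain)

def analyze(raw_headers):
    msg = message_from_string(raw_headers)
    hops = received_chain(msg)
    auth = auth_results(msg)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    dkim_dom = dkim_signing_domain(msg)
    spf_dom = domain_of(auth.get("smtp.mailfrom", ""))
    return {
        "hops": hops,
        # Gmail stamps messages submitted through its web UI as "by <ip> with HTTP".
        "submitted_via_webmail": bool(hops) and (hops[0]["with"] or "").upper() == "HTTP",
        "from_domain": from_dom,
        "spf": auth.get("spf"),
        "dkim": auth.get("dkim"),
        "dkim_domain": dkim_dom,
        "dkim_aligned": aligned(from_dom, dkim_dom),
        "spf_aligned": aligned(from_dom, spf_dom),
        # What DMARC would conclude from these verdicts (no policy lookup here):
        # it needs a pass from an *aligned* identifier, not just any pass.
        "dmarc_like_pass": (auth.get("dkim") == "pass" and aligned(from_dom, dkim_dom))
                           or (auth.get("spf") == "pass" and aligned(from_dom, spf_dom)),
        # Google evaluates a "best guess" SPF policy when the domain publishes none.
        "spf_best_guess": "best guess record" in unfold(msg.get("Received-SPF", "")),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Against the constructed sample (and the quoted headers it mirrors) the innermost hop is "by 10.37.123.7 with HTTP", which is how Gmail stamps a message submitted through its web interface; DKIM passes, but for a gappssmtp.com domain, Google's default signing domain for a customer domain that has published no DKIM key of its own, so the signature is not aligned with the From: domain; and the SPF verdict is neutral because Google had to fall back to a "best guess record", meaning the sending domain publishes no SPF record at all. The one header you can trust unconditionally is the Authentication-Results line whose authserv-id is your own receiving server, and the same goes for the Received: lines above it; a sender can write anything below that point.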