Received from local host 127.0.0.1 ???????

[joecrash]

I've been plauged by trojans and worms in spoofed emails with forged headers. So, I now at least look at the email headers now, even if I do not understand all of it - I had this in the header of 2 emails today:

"from localhost ([127.0.0.1] helo=sfs-ml-2.v29.ch3.sourceforge.com) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.74) (envelope-from <[email protected]>) id 1Q47OU-00008s-Gd; Mon, 28 Mar 2011 08:01:46 +0000"

What does this mean? Is this a spoofed email header?

Thanks in advance for your help!

 

[Bill2]

Sleuthkit is a collection of open source forensic tools. Did you at any time download those or subscribe to their mailing lists?

Old Nabble - The Sleuth Kit forum

The Sleuth Kit | Download The Sleuth Kit software for free at SourceForge.net

You could just block mail from that sender.

 

[joecrash]

I didn't look further than the "received from" IP

Yes, I did subscribe to the Sleuthkit mailings. I didn't look past the "local host" part -

So, even if the "received from" portion of the header says "from local host 127.0.0.1"

this by itself doesn't indicate mal/spy ware? I'd just never seen that before, and just assumed it had to be incorrect.

I'm paranoid now because of all the forged emails I've had in the past with trojans in them.

 

[Bill2]

The "from localhost" is a common issue, has to do something with the way the mail is relayed and how the hosts file is setup and what software is used. But AFAIK, it doesnt indicate any malware. If you want to get into the details, post in the networking subforum.

 

[Clinkz]

"from localhost ([127.0.0.1] helo=sfs-ml-2.v29.ch3.sourceforge.com) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.74) (envelope-from <[email protected]>) id 1Q47OU-00008s-Gd; Mon, 28 Mar 2011 08:01:46 +0000"
!

I really wouldn't be concerned, if you take a closer look you can see what its doing.

When it says localhost ([127.0.0.1] it is talking about the loopback address on your machine.

by sfs-ml-2.v29.ch3.sourceforge.com with esmtp this is the mail server address which uses esmtp (a mail protocol) to send it.

(Exim 4.74) is the mail server which sent the mail

[email protected] is the email adress it sent from

Mon, 28 Mar 2011 08:01:46 is just your date/time stamp for the email.

Nothing out of the ordinary here, all this text is in every email, you just normally cant see it.

 

[joecrash]

Thank you

Thanks for looking at that, it lessens my paranoia a bit!

I'll have to research email headers and forging them to be able to pick the bad ones out in the future, but at least I know I'm OK for now.
Thanks Again.

 

[Clinkz]

Glad i could be of some assistance.