Let's say you are the target of an advanced phishing attack, designed to look like it comes from Amazon.com. It shows @amazon.com in the sender field, but you are suspicious. You could call Amazon and find out, but imagine you can't. Is it possible to look at the email header and verify with any level of certainty whether or not the email came from Amazon?
Here is the header of an email I received, which Amazon support verified did not come from them:
From security-update@amazon.com Wed Jun 15 05:35:15 2016
X-Apparently-To: *****@yahoo.com;
    Wed, 15 Jun 2016 05:35:16 +0000
Return-Path: <2016061505351500688fd1d5684edabf9d32ee87d0p0na@bounces.amazon.com>
Received-SPF: pass (domain of bounces.amazon.com designates 54.240.13.30 as permitted sender)
X-Originating-IP: [54.240.13.30]
Authentication-Results: mta1509.mail.gq1.yahoo.com from=amazon.com;
    domainkeys=neutral (no sig);
    from=amazonses.com;
    dkim=pass (ok)
Received: from 127.0.0.1 (EHLO a13-30.smtp-out.amazonses.com) (54.240.13.30)
    by mta1509.mail.gq1.yahoo.com with SMTPS;
    Wed, 15 Jun 2016 05:35:16 +0000
DKIM-Signature: v=1;
    a=rsa-sha256;
    q=dns/txt;
    c=relaxed/simple;
    s=eaxkvsyelrnxjh4cicqyjjmtjpetuwjx;
    d=amazon.com;
    t=1465968915;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date;
    bh=6MBHnat6TXZGDjYr8xS+fQIKeGWNo2gEkiV7HI92Lgk=;
    b=GhJgCJCM6N1IksIdk3YMJAN01Rs/5i5Qo8V/DW/exZk/lv0n00lRSgx+H6GgJ0Cm
    6VOi0o848HKD6ozzXuOrtw0NqRVHFUEG9/37yBfhYMW9nt5+fa3jqL4PaA4kqhsH52a
    70SEPkxxhqZGjN4kmR2lLyYs9LWPo0Zmc0jdjx3I=
DKIM-Signature: v=1;
    a=rsa-sha256;
    q=dns/txt;
    c=relaxed/simple;
    s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw;
    d=amazonses.com;
    t=1465968915;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID;
    bh=6MBHnat6TXZGDjYr8xS+fQIKeGWNo2gEkiV7HI92Lgk=;
    b=sg9kv2564IQpHZ9P5fjZzgo43k1OQT1Q/8u2FSyhaLfrRVtjvAQdkLfhMMyupVu3
    70VavyNthdmQEmawWGHM0dnviOPxUCOAF4KxrYi1s22vecoNEvjjDBy1xiGBzzeXtM6
    YRutkI3NrIG/A3ylPGub8So0H1MoQ90uSmZdFiT8=
From: security-update@amazon.com
To: *****@yahoo.com
Message-ID: <01000155528e74f4-b61f49db-5a99-47f0-8220-de3d790e7100-000000@email.amazonses.com>
Subject: Your Amazon password has been changed
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_435506_288452969.1465968915690"
X-AMAZON-MAIL-RELAY-TYPE: notification
Bounces-to: 2016061505351500688fd1d5684edabf9d32ee87d0p0na@bounces.amazon.com
X-AMAZON-METADATA: CA=C34L8ES1N9UV8E-CU=AYTEASIHBL0P9-RI=A1BTPRBNF2RGB1
X-Original-MessageID: <urn.rtn.msg.2016061505351500688fd1d5684edabf9d32ee87d0p0na@1465968915691.rtn-svc-na-us-east-1e-i-5a3634e4.us-east-1.amazon.com>
Date: Wed, 15 Jun 2016 05:35:15 +0000
X-SES-Outgoing: 2016.06.15-54.240.13.30
Feedback-ID: 1.us-east-1.ZHcGJK6s+x+i9lRHKog4RW3tECwWIf1xzTYCZyUaiec=:AmazonSES
Content-Length: 1794
Is it possible to verify that the email did not come from Amazon just by looking at this header?
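An added example, not part of the original question: a Python sketch that extracts the identifiers this header carries (From domain, Return-Path domain, and each DKIM-Signature's `d=` and `s=` tags) and reports which of them align with the From domain. It reads only what the header claims and does not recompute the signatures against the DNS keys; the function names are hypothetical and the suffix-based alignment is a simplification of DMARC's organizational-domain comparison.

```python
import email
from email.utils import parseaddr

# Abridged from the header quoted above; bh=/b= bodies are shortened to "...".
RAW = """\
Return-Path: <2016061505351500688fd1d5684edabf9d32ee87d0p0na@bounces.amazon.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=eaxkvsyelrnxjh4cicqyjjmtjpetuwjx; d=amazon.com; t=1465968915;
 h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date; bh=...; b=...
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1465968915;
 h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID;
 bh=...; b=...
From: security-update@amazon.com
Subject: Your Amazon password has been changed

"""

def domain_of(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (folding removed)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def aligned(signer, author):
    # Assumption: suffix match stands in for DMARC relaxed alignment, which
    # really compares organizational domains via the Public Suffix List.
    return signer == author or signer.endswith("." + author) \
        or author.endswith("." + signer)

def summarize(raw):
    msg = email.message_from_string(raw)
    author = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    sigs = []
    for value in msg.get_all("DKIM-Signature", []):
        t = dkim_tags(value)
        signed = [h.lower() for h in t.get("h", "").split(":")]
        sigs.append({"d": t["d"].lower(), "s": t["s"],
                     "aligned": aligned(t["d"].lower(), author),
                     "signs_from": "from" in signed})
    return {"from": author, "envelope": envelope,
            "envelope_aligned": aligned(envelope, author), "dkim": sigs}
```

A signature only counts as evidence once it has been verified, either by recomputing it against the key published at `<s>._domainkey.<d>` or by reading the Authentication-Results line added by your own receiving server.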