诈骗者如何伪造电子邮件地址，以及如何分辨

Consider this a public service announcement: Scammers can forge email addresses. Your email program may say a message is from a certain email address, but it may be from another address entirely.

考虑这是一项公共服务公告：诈骗者可以伪造电子邮件地址。您的电子邮件程序可能会说一条消息来自某个电子邮件地址，但可能完全来自另一个地址。

Email protocols don’t verify addresses are legitimate — scammers, phishers, and other malicious individuals exploit this weakness in the system. You can examine a suspicious email’s headers to see if its address was forged.

电子邮件协议不会验证地址是否合法-诈骗者，网络钓鱼者和其他恶意人员利用系统中的此漏洞。您可以检查可疑电子邮件的标题，以查看其地址是否为伪造。

电子邮件如何运作 (How Email Works)

Your email software displays who an email is from in the “From” field. However, no verification is actually performed – your email software has no way of knowing if an email is actually from who it says it’s from. Each email includes a “From” header, which can be forged – for example, any scammer could send you an email that appears to be from bill@microsoft.com. Your email client would tell you this is an email from Bill Gates, but it has no way of actually checking.

您的电子邮件软件会在“发件人”字段中显示电子邮件的发件人。但是，实际上并没有执行验证–您的电子邮件软件无法知道电子邮件实际上是来自其发件人。每封电子邮件都包含一个“发件人”标头，可以伪造该标头-例如，任何诈骗者都可以向您发送一封电子邮件，该电子邮件似乎来自bill@microsoft.com。您的电子邮件客户端会告诉您这是来自比尔·盖茨的电子邮件，但实际上无法检查。

Emails with forged addresses may appear to be from your bank or another legitimate business. They’ll often ask you for sensitive information such as your credit card information or social security number, perhaps after clicking a link that leads to a phishing site designed to look like a legitimate website.

带有伪造地址的电子邮件可能来自您的银行或其他合法公司。他们通常会要求您提供敏感信息，例如您的信用卡信息或社会安全号，也许是在单击了指向仿冒网站的链接之后，该链接被设计为看起来像合法网站。

Think of an email’s “From” field as the digital equivalent of the return address printed on envelopes you receive in the mail. Generally, people put an accurate return address on mail. However, anyone can write anything they like in the return address field – the postal service doesn’t verify that a letter is actually from the return address printed on it.

将电子邮件的“发件人”字段想像成打印在邮件中收到的信封上的寄信人地址的数字形式。通常，人们会在邮件中输入准确的回信地址。但是，任何人都可以在寄信人地址字段中写任何喜欢的东西-邮政服务不会验证信件实际上是从上面打印的寄信人地址发出的。

When SMTP (simple mail transfer protocol) was designed in the 1980s for use by academia and government agencies, verification of senders was not a concern.

当SMTP(简单邮件传输协议)在1980年代设计用于学术界和政府机构时，发件人的验证就不再是问题。

如何调查电子邮件的标题 (How to Investigate an Email’s Headers)

You can see more details about an email by digging into the email’s headers. This information is located in different areas in different email clients – it may be known as the email’s “source” or “headers.”

您可以通过查看电子邮件标题来查看有关电子邮件的更多详细信息。此信息位于不同电子邮件客户端的不同区域中-可能称为电子邮件的“源”或“标题”。

(Of course, it’s generally a good idea to disregard suspicious emails entirely – if you’re at all unsure about an email, it’s probably a scam.)

(当然，完全不考虑可疑电子邮件通常是个好主意-如果您完全不确定电子邮件，那可能是骗局。)

In Gmail, you can examine this information by clicking the arrow at the top right corner of an email and selecting Show original. This displays the email’s raw contents.

在Gmail中，您可以通过单击电子邮件右上角的箭头并选择显示原始信息来检查此信息。这将显示电子邮件的原始内容。

Below you’ll find the contents of an actual spam email with a forged email address. We’ll explain how to decode this information.

您将在下面找到带有伪造电子邮件地址的实际垃圾邮件的内容。我们将解释如何解码此信息。

Delivered-To: [MY EMAIL ADDRESS] Received: by 10.182.3.66 with SMTP id a2csp104490oba; Sat, 11 Aug 2012 15:32:15 -0700 (PDT) Received: by 10.14.212.72 with SMTP id x48mr8232338eeo.40.1344724334578; Sat, 11 Aug 2012 15:32:14 -0700 (PDT) Return-Path: <e.vwidxus@yahoo.com> Received: from 72-255-12-30.client.stsn.net (72-255-12-30.client.stsn.net. [72.255.12.30]) by mx.google.com with ESMTP id c41si1698069eem.38.2012.08.11.15.32.13; Sat, 11 Aug 2012 15:32:14 -0700 (PDT) Received-SPF: neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) client-ip=72.255.12.30; Authentication-Results: mx.google.com; spf=neutral (google.com: 72.255.12.30 is neither permitted nor denied by best guess record for domain of e.vwidxus@yahoo.com) smtp.mail=e.vwidxus@yahoo.com Received: by vwidxus.net id hnt67m0ce87b for <[MY EMAIL ADDRESS]>; Sun, 12 Aug 2012 10:01:06 -0500 (envelope-from <e.vwidxus@yahoo.com>) Received: from vwidxus.net by web.vwidxus.net with local (Mailing Server 4.69) id 34597139-886586-27/./PV3Xa/WiSKhnO+7kCTI+xNiKJsH/rC/ for root@vwidxus.net; Sun, 12 Aug 2012 10:01:06 –0500

传递至：[我的电子邮件地址]接收：10.182.3.66之前，SMTP ID为a2csp104490oba；周六，2012年8月11日15:32:15 -0700(PDT)接收：SMTP ID为x48mr8232338eeo.40.1344724334578的10.14.212.72; 2012年8月11日，星期六，15:32:14 -0700(PDT)返回路径：<e.vwidxus@yahoo.com>接收：来自72-255-12-30.client.stsn.net(72-255-12 -30.client.stsn.net。[72.255.12.30])由mx.google.com提供，ESMTP ID为c41si1698069eem.38.2012.08.11.15.32.13; 2012年8月11日，星期六，15：32：14 -0700(PDT)收到-SPF：中性(e.vwidxus@yahoo.com的域的最佳猜测记录既不允许也不拒绝google.com：72.255.12.30)客户- ip = 72.255.12.30; 身份验证结果：mx.google.com； spf = neutral(对于e.vwidxus@yahoo.com域的最佳猜测记录，既不允许也不拒绝google.com：72.255.12.30)smtp.mail=e.vwidxus@yahoo.com接收：通过vwidxus.net id hnt67m0ce87b用于<[我的电子邮件地址]>； Sun，2012年8月12日10:01:06 -0500(来自<e.vwidxus@yahoo.com>的信封)接收：来自web.vwidxus.net的vwidxus.net，具有本地(Mailing Server 4.69)ID 34597139-886586- 27 /./ PV3Xa / WiSKhnO + 7kCTI + xNiKJsH / rC / for root@vwidxus.net; 2012年8月12日，星期日：10:01:06 –0500

…

…

From: “Canadian Pharmacy” e.vwidxus@yahoo.com

来自：“加拿大药房” e.vwidxus@yahoo.com

There are more headers, but these are the important ones – they appear at the top of the email’s raw text. To understand these headers, start from the bottom – these headers trace the email’s route from its sender to you. Each server that receives the email adds more headers to the top — the oldest headers from the servers where the email started out are located at the bottom.

头更多，但这些头很重要-它们出现在电子邮件原始文本的顶部。要了解这些标头，请从底部开始-这些标头跟踪电子邮件从发件人到您的路由。每个接收电子邮件的服务器在顶部都添加了更多标头-电子邮件开始的服务器中最旧的标头位于底部。

The “From” header at the bottom claims the email is from an @yahoo.com address – this is just a piece of information included with the email; it could be anything at all. However, above it we can see that the email was first received by “vwidxus.net” (below) before being received by Google’s email servers (above). This is a red flag – we’d expect the see the lowest “Received:” header on the list as one of Yahoo!’s email servers.

底部的“发件人”标头声称电子邮件来自@ yahoo.com地址-这只是电子邮件中包含的一部分信息；可能什么都没有。但是，在其上方，我们可以看到该电子邮件首先由“ vwidxus.net”(如下)接收，然后再由Google的电子邮件服务器(上方)接收。这是一个危险信号–我们希望将列表中最低的“ Received：”标头视为Yahoo!的电子邮件服务器之一。

The IP addresses involved may also clue you in – if you receive a suspicious email from an American bank but the IP address it was received from resolves to Nigeria or Russia, that’s likely a forged email address.

如果您从一家美国银行收到可疑的电子邮件，但是从解决者那里收到的该IP地址是发往尼日利亚或俄罗斯的IP地址，则所涉及的IP地址也可能为您提供线索，这很可能是伪造的电子邮件地址。

In this case, the spammers have access to the address “e.vwidxus@yahoo.com”, where they want to receive replies to their spam, but they’re forging the “From:” field anyway. Why? Likely because they can’t send massive amounts of spam via Yahoo!’s servers – they’d get noticed and be shut down. Instead, they’re sending spam from their own servers and forging its address.

在这种情况下，垃圾邮件发送者可以访问“ e.vwidxus@yahoo.com”地址，希望在该地址接收对垃圾邮件的答复，但是无论如何，他们都在伪造“发件人：”字段。为什么？可能是因为它们无法通过Yahoo!的服务器发送大量垃圾邮件-它们会受到注意并被关闭。相反，他们是从自己的服务器发送垃圾邮件并伪造其地址。

翻译自: https://www.howtogeek.com/121532/htg-explains-how-scammers-forge-email-addresses-and-how-you-can-tell/