Someone requested that the password be reset for the following account:
If this was a mistake, just ignore this email and nothing will happen.
To reset your password, visit the following address:
As we can see, the Return-Path, From, and Message-ID fields all have the attacker’s domain set.
The headers can be verified by replacing /usr/sbin/sendmail with the following bash script:
#!/bin/bash
cat > /tmp/outgoing-email
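Once a message has been captured this way, the three headers can be checked mechanically. The following is an added example, not part of the original page: it lists any of Return-Path, From and Message-ID whose address domain differs from the site's own. The domains site.example and attacker.example, the function names and the sample message are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit a captured outgoing message (such as /tmp/outgoing-email).

# mismatched_headers FILE EXPECTED_DOMAIN
# Prints "header: domain" for each of Return-Path, From and Message-ID whose
# address domain is not EXPECTED_DOMAIN. Returns 1 if any mismatch was found.
mismatched_headers() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); bad = 0 }
        function check(h,    name, dom) {
            if (h == "") return
            name = tolower(h); sub(/:.*/, "", name)
            if (name !~ /^(return-path|from|message-id)$/) return
            dom = "(none)"                       # header carries no address
            if (h ~ /@/) {
                dom = tolower(h)
                sub(/^.*@/, "", dom)             # keep text after the last "@"
                sub(/[^a-z0-9.-].*$/, "", dom)   # drop ">" and anything after
            }
            if (dom != want) { print name ": " dom; bad = 1 }
        }
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^$/ { exit }                      # blank line ends the header block
        /^[ \t]/ { cur = cur $0; next }    # folded continuation line
        { check(cur); cur = $0 }
        END { check(cur); exit bad }
    ' "$1"
}

# Constructed sample of a captured message; the body is ignored by the check.
sample_email() {
    cat <<'EOF'
Return-Path: <wordpress@attacker.example>
From: WordPress <wordpress@attacker.example>
Message-ID: <constructed-id@attacker.example>
Subject: [Site] Password Reset

Someone requested that the password be reset for the following account:
EOF
}

tmp=$(mktemp) && sample_email > "$tmp"
mismatched_headers "$tmp" site.example || echo "headers do not match site.example"
rm -f "$tmp"
```

To audit a real capture, call mismatched_headers with /tmp/outgoing-email and the site's own domain.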