Cyber Security Expo
 
Tracking the source of email spam by Ed Falk on 05/09/02

Spammers often forge the headers of their email in an attempt to avoid losing their accounts and to evade email filters. These notes may help you track the source of spam. The most important thing is to have a mail reader that can show you the full headers of an email in question. The important lines are as follows:

From:
Who the message is from. This is the easiest to forge, and thus the least reliable.
From
As distinct from the From:" line. This line is not actually part of the email header, but mail transfer software often inserts it when the mail is received. Many Unix mailers use this line to seperate messages in a mail folder. This line will always be the first line in the headers.

This line can also be forged, but not always.

Reply-To:

The address to which replies should be sent. Often absent from the message, and very easily forgeable. However, it often provides a clue. For example, forged spam often has a legitimate Reply-To: field so that the spammer can receive mail orders.
Return-Path:

The email address for return mail. Same as Reply-To:

Sender:

The account that sent the message. Mail software is supposed to insert this line if the user modifies the From: line. Most Mail software is broken in this respect, so this line is rarely present. Some mailers provide an X-Sender: line.

Message-ID:

A unique string assigned by the mail system when the message is first created. This is also forgeable in most cases, but requires a little more specialized knowledge than forging the From: line. Also, the Message-ID:often identifies the system from which the sender is logged in, rather than the actual system where the message originated.

The format of a Message-ID: field is @

Each kind of mail software has its own style of unique string. Sloppy forgeries often get it wrong, thus a forgery can be confirmed by comparing the message id with some legitimate messages from that same site.

Received:

These are the most reliable lines in the header. They form a list of all sites through which the message traveled in order to reach you. They are completely unforgeable after the point where it was injected. Up to that point, they may be forgeries.

Received: lines are read from bottom to top. That is, the first Received: line is your own system or mail server. The last (non-forged) Received: line is where the mail originated.

Each mail system has their own style of Received: line. A Received: line typically identifies the machine that received the mail and the machine that the mail was received from. I.e.:

Received: from foo.com by bar.com id AA15057; Fri, 25 Jul 97 09:39:02

The foo.com" part is the name that the sending machine used to identify itself. This may be forged in the case of spam. The id is for logging purposes and may help system administrators track the spam if you can get them to cooperate with you.

Many mailers will add extra information. For example:

Received: from foo.com ([129.2.3.4]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02

In this case, bar.comhas inserted the IP address of the sending system. If the machine name does not match the IP address, then you have likely identified the point where the mail was forged. In other words, the machine whose address is 129.2.3.4 lied when it identified itself as foo.com. Any Received: lines that follow are likely to be forgeries.

If the IP address does not make sense (for instance, no component may be greater than 255), then this entire Received: line is a fake. Contact a system admin for more advice in determining if an IP address is bogus. If the entire Received: line is fake, then the injection point is somewhere above in the headers.

Sometimes you will see

Received: from foo.com x.y.alterdial.uu.net [129.2.3.4]) by bar.com id AA15057;

... In this case, the mailer has inserted both the IP address and the real name of the sending system. This will help you identify forgeries and eliminate the need to look up the IP address by hand.

Comment:

Some mailers may add additional information to the headers, such as Authenticated sender is doe@foo.com. Forged Comment: lines can be easily added to outgoing mail, so this line is likely to be fake, but not always.

Other mailers may insert their own authentication information in the headers.

Here is an example of a forgery:

  From webpromo@denmark.it.earthlink.net  Tue Jul  8 13:05:02 1997

  Return-Path: 

  From: webpromo@denmark.it.earthlink.net

  Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net

	[204.119.177.22]) by best.com (SMI-8.6/mail.byaddr) with ESMTP id

	NAA21506 for ;

	Tue, 8 Jul 1997 13:05:16 -0700

  Received: from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET

 	 [153.34.218.226]) by denmark.it.earthlink.net (8.8.5/8.8.5)

	 with SMTP id NAA12436; Tue, 8 Jul 1997 13:00:46 -0700 (PDT)

  Received: from adultpromo@earthlink.net by adultpromo@earthlink.net

	(8.8.5/8.6.5) with SMTP id GAA05239 for ;

	Tue, 08 Jul 1997 15:48:51 -0600 (EST)

  To: adultpromo@earthlink.net

  Message-ID: <199702170025.GAA08056@no-where.net>

  Date: Tue, 08 Jul 97 15:48:51 EST

  Subject: Hot News !

  Reply-To: adultpromo@earthlink.net

  X-PMFLAGS: 12345678 9

  X-UIDL: 1234567890x00xyz1x128xyz426x9x9x

  Comments: Authenticated sender is 

  Content-Length: 672

  X-Lines: 26

  Status: RO

Obviously, the To: line is a forgery; the actual recipients list was hidden, probably with a blind carbon-copy (Bcc: header)

The "From", "Return-Path:" and "From:" all identify the same email address, but that may be a forgery. You can try mailing to the given address and see if your complaint bounces.

The "To:", "Reply-To:" and "Authenticated sender" lines all identify a different account. Again, these may all be forgeries.

The Message-ID: line is an obvious fake.

The first Recieved: line shows the mail arriving at my service provider from Earthlink. I trust my service provider, so this line is almost certainly valid.

The second Received: line shows this inconsistency:

... from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET [153.34.218.226])

In other words, the machine that delivered the mail to denmark.it.earthlink.net identified itself as mail.earthlink.net but was actually named 1Cust98.Max16.Detroit.MI.MS.UU.NET. This is very likely a lie. However, Earthlink rents POPs from Uunet, so this might be an Earthlink customer dialing in from Uunet.

The third Received: line is completely bogus. If the mail came from a dial-in customer at Uunet, there wouldn"t be any more Recieved: lines. If the mail was being relayed from Uunet, this Received: line would indicate Uunet, not Earthlink. Further, this Received: line contains email addresses, not machine names.

Clearly, this email was forged to make it look like it came from Earthlink but was actually injected from Uunet. Whether this was by an Earthlink customer or some other Uunet customer is impossible to tell without cooperation from Earthlink sysadmins.

  Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40])

	by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705

	for ; Wed, 30 Jul 1997 01:15:27 -0600 (MDT)

  From: beautifulgirls585@aol.com

  Received: from cola.bekkoame.or.jp

	(ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21]) by

	cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439;

	Wed, 30 Jul 1997 14:35:50 +0900 (JST)

  Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by

	aol.com (8.8.5/8.6.5) with SMTP id GAA00075 for <"">;

	Tue, 29 Jul 1997 22:19:42 -0600 (EST)

  Date: Tue, 29 Jul 97 22:19:42 EST

  Subject: You can have what you want...

  Message-ID: <574857638458.HWF39862@aol.com>

  Reply-To: beautifulgirls585@aol.com

  X-PMFLAGS: 56354433 0

  Comments: Authenticated sender is 

  X-UIDL: vjg79u26gfkjjrty38jf983j309jfyrw

Here, the second Received: line indicates that "cola.bekkoame.or.jp" received the mail from a machine which identified itself as "cola.bekkoame.or.jp", but was in fact "ip21.san-luis-obispo.ca.pub-ip.psi.net". This mail was probably forged from a Psi.net dial-in account.

As a final proof, the IP address mentioned in the third Received: line cannot be matched via whois or traceroute. It certainly doesn"t match AOL, indicating that this line is bogus.

Rate this article

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , Infosecwriters.com. All rights reserved. Comments are property of the respective posters.