Example on Reading Email Headers
Spammers often forge the headers of their email in an attempt to avoid losing
their accounts and to evade email filters. These notes may help you track the
source of spam. The most important thing is to have a mail
reader that can show you the full headers of the email in question. The
important lines are as follows:
- From:
- Who the message is from. This is the easiest to forge, and thus the least
reliable.
- From
- As distinct from the "From:" line. This line is not actually part of the
email header, but mail transfer software often inserts it when the mail is
received. Many Unix mailers use this line to separate messages in a mail
folder. This line will always be the first line in the headers.
This line can also be forged, but not always.
- Reply-To:
- The address to which replies should be sent. Often absent from the
message, and very easily forgeable. However, it often provides a clue. For
example, forged spam often has a legitimate Reply-To: field so that the
spammer can receive mail orders.
- Return-Path:
- The email address for return mail. Same as Reply-To:
- Sender:
- The account that sent the message. Mail software is supposed to insert
this line if the user modifies the From: line. Most mail software is broken in
this respect, so this line is rarely present. Some mailers provide an
X-Sender: line instead.
- Message-ID:
- A unique string assigned by the mail system when the message is first
created. This is also forgeable in most cases, but requires a little more
specialized knowledge than forging the From: line. Also, the Message-ID: often
identifies the system from which the sender is logged in, rather than the
actual system where the message originated.
The format of a Message-ID: field is <unique string>@<sitename>
Each kind of mail software has its own style of unique string. Sloppy
forgeries often get it wrong, thus a forgery can be confirmed by comparing the
message id with some legitimate messages from that same site.
- Received:
- These are the most reliable lines in the header. They form a list of all
sites through which the message traveled in order to reach you. They are
completely unforgeable after the point where the message was injected. Up to
that point, they may be forgeries.
Received: lines are read from bottom to top. That is, the first Received:
line is your own system or mail server. The last (non-forged) Received: line
is where the mail originated.
Each mail system has its own style of Received: line. A Received: line
typically identifies the machine that received the mail and the machine that
the mail was received from. For example:
Received: from foo.com by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
The "foo.com" part is the name that the sending machine used to identify
itself. This may be forged in the case of spam. The id is for logging purposes
and may help system administrators track the spam if you can get them to
cooperate with you.
Many mailers will add extra information. For example:
Received: from foo.com ([129.2.3.4]) by bar.com id
AA15057; Fri, 25 Jul 97 09:39:02
In this case, bar.com has inserted the IP address of the sending system. If
the machine name does not match the IP address, then you have likely
identified the point where the mail was forged. In other words, the machine
whose address is 129.2.3.4 lied when it identified itself as foo.com. Any
Received: lines that follow are likely to be forgeries.
If the IP address does not make sense (for instance, no component may be
greater than 255), then this entire Received: line is a fake. Contact a system
admin for more advice in determining if an IP address is bogus. If the entire
Received: line is fake, then the injection point is somewhere above in the
headers.
Sometimes you will see
Received: from foo.com (x.y.alterdial.uu.net
[129.2.3.4]) by bar.com id AA15057; ...
In this case, the mailer has inserted both the IP address and the real name of
the sending system. This will help you identify forgeries and eliminate the
need to look up the IP address by hand.
- Comment:
- Some mailers may add additional information to the headers, such as
"Authenticated sender is doe@foo.com". Forged Comment: lines can be easily
added to outgoing mail, so this line is likely to be fake, but not always.
Other mailers may insert their own authentication information in the
headers.
Here is an example of a forgery:
From webpromo@denmark.it.earthlink.net Tue Jul 8 13:05:02 1997
Return-Path:
From: webpromo@denmark.it.earthlink.net
Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net
[204.119.177.22]) by best.com (SMI-8.6/mail.byaddr) with ESMTP id NAA21506
for ; Tue, 8 Jul 1997 13:05:16 -0700
Received: from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET
[153.34.218.226]) by denmark.it.earthlink.net (8.8.5/8.8.5) with SMTP id
NAA12436; Tue, 8 Jul 1997 13:00:46 -0700 (PDT)
Received: from adultpromo@earthlink.net by adultpromo@earthlink.net
(8.8.5/8.6.5) with SMTP id GAA05239 for ; Tue, 08 Jul 1997 15:48:51 -0600 (EST)
To: adultpromo@earthlink.net
Message-ID: <199702170025.GAA08056@no-where.net>
Date: Tue, 08 Jul 97 15:48:51 EST
Subject: Hot News !
Reply-To: adultpromo@earthlink.net
X-PMFLAGS: 12345678 9
X-UIDL: 1234567890x00xyz1x128xyz426x9x9x
Comments: Authenticated sender is
Content-Length: 672
X-Lines: 26
Status: RO
Obviously, the To: line is a forgery; the actual recipient list was hidden,
probably with a blind carbon copy (Bcc: header).
The "From", "Return-Path:" and "From:" all identify the same email address,
but that may be a forgery. You can try mailing to the given address and see if
your complaint bounces.
The "To:", "Reply-To:" and "Authenticated sender" lines all identify a
different account. Again, these may all be forgeries.
The Message-ID: line is an obvious fake.
The first Received: line shows the mail arriving at my service provider from
Earthlink. I trust my service provider, so this line is almost certainly valid.
The second Received: line shows this inconsistency:
... from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET
[153.34.218.226])
In other words, the machine that delivered the mail to denmark.it.earthlink.net
identified itself as mail.earthlink.net but was actually named
1Cust98.Max16.Detroit.MI.MS.UU.NET. This is very likely a lie. However,
Earthlink rents POPs from Uunet, so this might be an Earthlink customer dialing
in from Uunet.
The third Received: line is completely bogus. If the mail came from a dial-in
customer at Uunet, there wouldn't be any more Received: lines. If the mail was
being relayed from Uunet, this Received: line would indicate Uunet, not
Earthlink. Further, this Received: line contains email addresses, not machine
names.
Clearly, this email was forged to make it look like it came from Earthlink
but was actually injected from Uunet. Whether this was by an Earthlink customer
or some other Uunet customer is impossible to tell without cooperation from
Earthlink sysadmins.
Here is another forgery:
Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40])
by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705 for ; Wed, 30 Jul 1997
01:15:27 -0600 (MDT)
From: beautifulgirls585@aol.com
Received: from cola.bekkoame.or.jp (ip21.san-luis-obispo.ca.pub-ip.psi.net
[38.12.123.21]) by cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439;
Wed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by aol.com
(8.8.5/8.6.5) with SMTP id GAA00075 for <"">; Tue, 29 Jul 1997 22:19:42 -0600
(EST)
Date: Tue, 29 Jul 97 22:19:42 EST
Subject: You can have what you want...
Message-ID: <574857638458.HWF39862@aol.com>
Reply-To: beautifulgirls585@aol.com
X-PMFLAGS: 56354433 0
Comments: Authenticated sender is
X-UIDL: vjg79u26gfkjjrty38jf983j309jfyrw
Here, the second Received: line indicates that "cola.bekkoame.or.jp"
received the mail from a machine which identified itself as "cola.bekkoame.or.jp",
but was in fact "ip21.san-luis-obispo.ca.pub-ip.psi.net". This mail
was probably forged from a Psi.net dial-in account.
As a final proof, the IP address mentioned in the third Received: line cannot
be matched via whois or traceroute. It certainly
doesn't match AOL, indicating that this line is bogus.
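The checks described in the Received: section and applied by hand to the two forgeries above can be mechanised. The following Python script is an added example, not part of the original notes: it parses each Received: line into the name the sender claimed, the name and IP address the receiving host recorded, and the receiving host; it then flags the symptoms the notes describe (a claimed name that does not match what the receiver saw, an impossible or non-public IP address, email addresses where machine names belong, and a "by" host that does not match the hop above it) and reports the first suspect hop as the likely injection point. The Received: lines are copied from the two forgeries above, reflowed one per string with the blank "for <...>" recipients dropped; the severity labels, the "parent domain" heuristic (hosts in the same second-level domain are only a note, since the notes treat denmark vs. denmark-c as legitimate) and the list of non-public address ranges are this example's own assumptions, and no DNS or whois lookups are made.

```python
import re

# Received: headers copied from the two forgeries in the notes, one string per
# header; the blank "for <...>" recipient on some lines was dropped.
FORGERY_1 = [
    "Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net [204.119.177.22])"
    " by best.com (SMI-8.6/mail.byaddr) with ESMTP id NAA21506; Tue, 8 Jul 1997 13:05:16 -0700",
    "Received: from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET [153.34.218.226])"
    " by denmark.it.earthlink.net (8.8.5/8.8.5) with SMTP id NAA12436; Tue, 8 Jul 1997 13:00:46 -0700 (PDT)",
    "Received: from adultpromo@earthlink.net by adultpromo@earthlink.net (8.8.5/8.6.5)"
    " with SMTP id GAA05239; Tue, 08 Jul 1997 15:48:51 -0600 (EST)",
]
FORGERY_2 = [
    "Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40])"
    " by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705; Wed, 30 Jul 1997 01:15:27 -0600 (MDT)",
    "Received: from cola.bekkoame.or.jp (ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21])"
    " by cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439; Wed, 30 Jul 1997 14:35:50 +0900 (JST)",
    "Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by aol.com (8.8.5/8.6.5)"
    ' with SMTP id GAA00075 for <"">; Tue, 29 Jul 1997 22:19:42 -0600 (EST)',
]

# "from <claimed> (<real name> [<ip>]) by <receiver>": the parenthesised part is
# optional and may nest one level, as in the AOL line above.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<claimed>\S+?)"
    r"(?:\s*\((?P<paren>[^()]*(?:\([^()]*\))?[^()]*)\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_received(line):
    """Split one Received: line into the name the sender claimed, the name/IP the
    receiver recorded (None if absent), and the receiving host. None if unparseable."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    paren = m.group("paren") or ""
    ip = IP_RE.search(paren)
    ip = ip.group(0) if ip else None
    real = re.sub(r"[\[\]()]", " ", paren)
    if ip:
        real = real.replace(ip, " ")
    return {"claimed": m.group("claimed"), "real": real.strip() or None,
            "ip": ip, "by": m.group("by")}


def ip_problem(ip):
    """Reason the address cannot belong to a public sending host, else None.
    The non-public ranges listed here are this example's assumption."""
    octets = [int(o) for o in ip.split(".")]
    if any(o > 255 for o in octets):
        return "impossible address (octet > 255)"
    a, b = octets[0], octets[1]
    if a in (0, 10, 127) or a >= 224 or (a == 172 and 16 <= b <= 31) \
            or (a, b) in ((192, 168), (169, 254)):
        return "not a public Internet address (private, loopback, multicast or reserved)"
    return None


def parent_domain(host):
    return ".".join(host.lower().split(".")[-2:])


def audit(received_lines):
    """Walk Received: lines top (your server) to bottom (claimed origin); return
    (hop, severity, message) findings. 'suspect' marks a probable forgery."""
    findings, prev = [], None
    for hop, line in enumerate(received_lines, 1):
        r = parse_received(line)
        if r is None:
            findings.append((hop, "suspect", "line does not parse as a Received: header"))
            prev = None
            continue
        if "@" in r["claimed"] or "@" in r["by"]:
            findings.append((hop, "suspect", "email addresses where host names belong"))
        if r["ip"] and ip_problem(r["ip"]):
            findings.append((hop, "suspect", f"{r['ip']}: {ip_problem(r['ip'])}"))
        if r["real"] and r["real"].lower() != r["claimed"].lower():
            sev = "note" if parent_domain(r["real"]) == parent_domain(r["claimed"]) else "suspect"
            findings.append((hop, sev, f"claimed {r['claimed']} but receiver saw {r['real']}"))
        if prev and r["by"].lower() not in (prev["claimed"].lower(), (prev["real"] or "").lower()):
            findings.append((hop, "suspect",
                             f"chain break: 'by {r['by']}' but the hop above received from {prev['claimed']}"))
        prev = r
    return findings


def injection_hop(findings):
    """First hop (counting from your own server) that looks forged; Received:
    lines below it are untrustworthy. None if the chain is consistent."""
    suspect = [hop for hop, sev, _ in findings if sev == "suspect"]
    return min(suspect) if suspect else None


if __name__ == "__main__":
    for label, hdrs in (("forgery 1", FORGERY_1), ("forgery 2", FORGERY_2)):
        found = audit(hdrs)
        print(label, "-> injection point at hop", injection_hop(found))
        for hop, sev, msg in found:
            print(f"  hop {hop} [{sev}] {msg}")
```

For both forgeries the script reports hop 2 as the injection point: the Uunet dial-in that called itself mail.earthlink.net, and the Psi.net dial-in that called itself cola.bekkoame.or.jp. It also catches the bogus third lines on its own, by the email-address test in the first case and by the chain break and the 244.x address (which lies in the reserved 240.0.0.0/4 block, so it can never be a real public sender) in the second. A mismatch within the same domain is reported only as a note, because, as the notes say of the Earthlink customer on a Uunet POP, a name that differs from the one the receiver saw is a lead and not by itself proof of forgery.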