Friday 25 November 2005
Decoding the spam: From head to eternity
by Steven Burn
In A tribute to Joe, we went through and dissected the body of an obvious scam that led us to Mr Buchar and his watches.
Contemplating another installment for the past two days, I was delighted to receive an e-mail yesterday, claiming to come from Google. Fantastic I thought, I can use that - and so I shall. In this installment, we'll look at e-mail headers, and how these can be used by both the spammers, to confuse us, and by ourselves, to figure out they are trying to confuse us.
If you read the last installment, you should know how to access the e-mail headers. For those that did not however, here's a reminder (for those using Outlook/Outlook Express as I don't use any other e-mail clients).
1. Locate the e-mail you wish to view
2. Right click it and select Properties
3. Click the Details tab
4. Click the Message Source button at the bottom of the dialog
Now, before we get into it, you may be asking yourself, why would I want to view the headers before the e-mail? The answer is quite simple. Not only does the header tell you where the e-mail was sent from, it also allows you to preview the content (imperative in today's world of rootkits, trojans and viruses). From this you can then decide whether you want to open it or delete it.
Because I am a paranoid person, I always view the headers and content of an e-mail before opening it (irrespective of where the "From" line in the e-mail client's list says it is from). The e-mail I mentioned above is no different. Looking at the From and Subject lines, you may be forgiven for thinking it has come from the almighty Google. A look at the very first line of the headers gives us our first clue;
Hang on a second, Google e-mailing via excite.com? Are the main GMail/Google servers too busy? Okay, we know it's a little suspicious, so let's look at this one closer. When analyzing headers, the main part we are interested in is the "Received:" lines. In this case;
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21
    by smtpin15l.fasthosts.co.uk (Postfix) with SMTP id 8D119168B4C
    for <services@[REMOVED]>; Thu, 24 Nov 2005 22:12:12 +0000 (GMT)
Received: from excite.com (host-20-37.espoltel.net [184.108.40.206])
    by smtpin15l.fasthosts.co.uk (Postfix) with SMTP id 47FCB168D24
    for <ceo@[REMOVED]>; Thu, 24 Nov 2005 22:12:07 +0000 (GMT)
Received: from mail.gimmicc.net ([220.127.116.11])
    by mail.gimmicc.net with ASMTP; Thu, 24 Nov 2005 20:05:58 +0200
Received: from unknown (HELO smtp.doneohx.com) (18.104.22.168)
    by mail.naihautsui.co.kr with LOCAL; Fri, 25 Nov 2005 07:01:17 -0900
Received: from [22.214.171.124] by nntp.pinxodet.net with LOCAL; Thu, 24 Nov 2005
Received: from external.newsubdomain.com ([126.96.36.199])
    by asx121.turbo-inline.com with SMTP; Fri, 25 Nov 2005 01:33:08 -0400
The "Received:" lines tell us the route the e-mail took on its way to our inbox. Can you guess where it started from? Let's see, shall we. According to the headers above, this one used the route:
external.newsubdomain.com > asx121.turbo-inline.com > 188.8.131.52 > nntp.pinxodet.net > smtp.doneohx.com > mail.naihautsui.co.kr > mail.gimmicc.net > mail.gimmicc.net > excite.com > smtpin15l.fasthosts.co.uk
Because fasthosts.co.uk is my it-mate.co.uk mail server host, we can determine the path stops here, as it is routed internally to my mail server. The problem with the alleged route, of course, is that there are some irregularities. Let's break these down.
1. The e-mail claims to have originated from external.newsubdomain.com, yet the IP (184.108.40.206) resolves to 164.sub-72-102-95.myvzw.com.
2. It then claims asx121.turbo-inline.com forwarded it on, yet the IP that the headers show resolves to misc-148-77-122-237.spacenet.com, and asx121.turbo-inline.com is not actually a valid host.
3. It is then alleged that nntp.pinxodet.net sent it to smtp.doneohx.com, but both of these are invalid hosts.
4. It then apparently went from mail.naihautsui.co.kr to mail.gimmicc.net, but both of these are also invalid (see any pattern here?). In addition, the IP that the headers claim belongs to mail.gimmicc.net (220.127.116.11) actually belongs to a Swiss ISP called "PHARMACIA" (hmm, didn't I see that on a Viagra website somewhere?).
5. It was then apparently received by excite.com (doesn't the e-mail address claim to be from here as well?), with the hostname host-20-37.espoltel.net (excite outsourcing now?), and IP 18.104.22.168.
Still with me? Good.
So how would you tell which "Received:" line is true, and which was placed there by the spammer? The simple answer is that, in a genuine e-mail, all of the "Received: from" lines would have matched up. In this case, all of the lines prior to "Received: from excite.com" are bogus; they were put there by the spammer. How do we tell? Not only does the route not line up, the line that claims excite.com received it contains the only hostname and IP that is actually valid.
Received: from excite.com (host-20-37.espoltel.net [22.214.171.124])
Now, a host or IP that does not resolve is by no means necessarily bogus. It could be that the server was offline or going through a DNS change when the lookup was performed. However, when an e-mail claims to come from one domain, but the hostname and IP belong to another domain, it guarantees the e-mail is bogus, and we've found the culprit domain, in this case, host-20-37.espoltel.net. After it left here, it was in the fasthosts.co.uk central server.
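
The check described above, as an added example that is not part of the original article: walk the "Received:" lines from the top and stop at the first external peer recorded by a server you trust. The function name, the trusted-suffix parameter and the Postfix-style IPv4 peer format `(hostname [ip])` are assumptions; the sample is a trimmed copy of the header block shown on this page.

```python
import re
from email import message_from_string

# Trimmed copy of the header block shown on this page (top = newest hop).
PAGE_HEADERS = """\
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21
    by smtpin15l.fasthosts.co.uk (Postfix) with SMTP id 8D119168B4C
    for <services@[REMOVED]>; Thu, 24 Nov 2005 22:12:12 +0000 (GMT)
Received: from excite.com (host-20-37.espoltel.net [184.108.40.206])
    by smtpin15l.fasthosts.co.uk (Postfix) with SMTP id 47FCB168D24
    for <ceo@[REMOVED]>; Thu, 24 Nov 2005 22:12:07 +0000 (GMT)
Received: from mail.gimmicc.net ([220.127.116.11])
    by mail.gimmicc.net with ASMTP; Thu, 24 Nov 2005 20:05:58 +0200
Received: from unknown (HELO smtp.doneohx.com) (18.104.22.168)
    by mail.naihautsui.co.kr with LOCAL; Fri, 25 Nov 2005 07:01:17 -0900
"""

# Postfix records the connecting peer as "(reverse-dns-name [ip])".
PEER = re.compile(r"\((\S+)\s+\[([\d.]+)\]\)")


def find_origin(raw_headers, trusted_suffixes):
    """Walk Received lines newest-first and return the first external peer
    recorded by a server we trust; everything below it is sender-supplied."""
    received = message_from_string(raw_headers).get_all("Received", [])
    for i, value in enumerate(received):
        by = re.search(r"\bby\s+(\S+)", value)
        if not by or not by.group(1).lower().endswith(tuple(trusted_suffixes)):
            return None  # chain left our own servers before showing a peer
        peer = PEER.search(value)
        if not peer or peer.group(2).startswith("127."):
            continue  # internal hand-off (e.g. content filter on loopback)
        m = re.match(r"\s*from\s+(\S+)", value)
        helo = m.group(1).lower() if m else ""
        rdns, ip = peer.group(1).lower(), peer.group(2)
        return {
            "helo": helo,  # name the sender announced; free to fake
            "rdns": rdns,  # name our server looked up for the peer's IP
            "ip": ip,
            "helo_mismatch": not (rdns == helo or rdns.endswith("." + helo)),
            "untrusted_below": len(received) - i - 1,
        }
    return None


if __name__ == "__main__":
    print(find_origin(PAGE_HEADERS, [".fasthosts.co.uk"]))
```

Only the hostname and IP inside the parentheses were written by the receiving server; the name after "from" and every line counted in `untrusted_below` came from the sender.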
Looking at a simpler example, the following headers were taken from a virus infected e-mail that claimed to have been sent by me.
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (smtpin04l.livemail.co.uk [127.0.0.1])
    by smtpin04l.livemail.co.uk (Postfix) with SMTP id C613416C434
    for ; Fri, 25 Nov 2005 17:29:38 +0000 (GMT)
Received: from it-mate.co.uk (68-113-123-59.dhcp.leds.al.charter.com [126.96.36.199])
    by smtpin04l.livemail.co.uk (Postfix) with ESMTP id 5E59616C73E
    for ; Fri, 25 Nov 2005 17:29:31 +0000 (GMT)
The problems here of course;
1. email@example.com is not a valid account on my mail server
2. The Received line claims the originating server to be it-mate.co.uk, but shows the hostname and IP as being on the charter.com server.
The latter would be fine if I was actually with charter.com. For example, my sister is with PlusNet (same as myself) and has an it-mate.co.uk account, so when she sends me an e-mail, the hostname and IP quite obviously shows as being mysister.plus.com (where mysister is her hostname), and when I send an e-mail, the hostname does not show the originating server as it-mate.co.uk, but instead shows mysteryfcm.co.uk as this is the hostname of my network.
So what do you do once you've tracked down the real originating domain? You could simply say fine and delete it, you could report it to the domain's ISP (in this case ESPOLTEL, who have an abuse address of: marceloc@ESPOLTEL.NET), or you could report it to a spam block database such as Spamhaus or SpamCop. The majority of ISPs that support spammers will likely do absolutely nothing to help; however, those ISPs that actually care will investigate it and take appropriate action.
Now, because I'm in a strange mood today, I'm going to put a challenge to you. The following two sets of headers were taken from e-mails I received just a few minutes ago. I want you to tell me:
1. The route the e-mail took from originator, to my inbox
2. Which, if any, of the alleged routes are bogus
3. The REAL route the e-mail took
4. How you determined the REAL route
5. Whether you think the e-mail is spam, or legitimate
Send your results to me via the ticket system or E-mail