Tracking the source of email spam by examining its header
Anh Nguyen
May 3rd, 2010
Organization
• Introduction
• Email Headers Overview
• Spam Examples
• Email Tracer Tool: eMailTrackerPro
• Conclusions
Introduction
• Spammers usually fake their email's headers
• The headers can be examined to identify the true source of an email
• Assumption: the mail reader can display the full headers of the examined email
Email Headers Overview
• From (the envelope line, without a colon)
  – First line in the headers
  – Not actually part of the e-mail header
  – Inserted by the mail transfer software
  – Used by many Unix mailers to separate messages
  – Can be faked, but not always
• From:
  – Who the message is from
  – The easiest line to forge
Email Headers Overview (cont.)
• Reply-To:
  – The address to which replies are sent
  – Easily forged
  – Often provides a clue
• Return-Path:
  – The address for return mail
• Sender:
  – The account that sent the message
  – Much mail software fails to insert this line
Email Headers Overview (cont.)
• Message-ID:
  – Unique string assigned to the message by the mail system when the message is first created
  – Forgeable, but requires more knowledge than forging the From: line
  – Often identifies the system where the sender is logged in
  – Does not necessarily identify the system where the message originated
  – Each mail system has its own string style
  – Spam can be identified by comparing its Message-ID with those of legitimate messages from the same site
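The Message-ID comparison described above, written out as an added Python example (this code is not from the slides or from the cited spam-tracking page). It extracts the site after the "@", fingerprints the string style of the local part (runs of digits become "9", runs of letters become "a", punctuation is kept), and compares a suspect Message-ID against Message-IDs previously seen from the same site. The suspect value is the Message-ID and From: address from the 2003 spam sample shown later in the deck; the "previously seen" samples are constructed for the demonstration and are not real Yahoo Message-IDs.

```python
import re

# Message-ID and From: address from the third spam example in the deck.
SUSPECT_MESSAGE_ID = "<o7-89089$t--2-370--h6b1@y07l72.olpvl>"
SUSPECT_FROM = "27knxeppzk@yahoo.com"

# Constructed stand-ins for Message-IDs previously received from the same site.
# Their format is invented for this example, not Yahoo's real one.
LEGITIMATE_SAMPLES = [
    "<20031115101010.98765@web1.mail.yahoo.com>",
    "<20031114090909.11111@web2.mail.yahoo.com>",
]

_MSGID_RE = re.compile(r"\s*<?([^<>@]+)@([^<>]+)>?\s*")


def message_id_domain(message_id):
    """Return the site part of a Message-ID (after '@', brackets removed, lower-cased)."""
    m = _MSGID_RE.fullmatch(message_id)
    return m.group(2).lower() if m else ""


def message_id_shape(message_id):
    """Fingerprint the local part: digit runs -> '9', letter runs -> 'a', rest kept.
    Two Message-IDs produced by the same software should yield the same shape."""
    m = _MSGID_RE.fullmatch(message_id)
    local = m.group(1) if m else message_id
    shape = re.sub(r"[0-9]+", "9", local)
    return re.sub(r"[A-Za-z]+", "a", shape)


def check_message_id(message_id, from_addr, legitimate_samples):
    """Compare a suspect Message-ID with the From: site and with known-good samples.
    Returns a list of findings; an empty list means nothing stood out."""
    findings = []
    from_domain = from_addr.rsplit("@", 1)[-1].strip(">").lower()
    mid_domain = message_id_domain(message_id)
    if not mid_domain:
        return ["unparseable Message-ID"]
    # The Message-ID is usually stamped by a machine at the sender's site.
    if mid_domain != from_domain and not mid_domain.endswith("." + from_domain):
        findings.append(
            f"Message-ID domain {mid_domain!r} does not belong to From: domain {from_domain!r}"
        )
    # Each mail system has its own string style; compare with messages seen before.
    known_shapes = {message_id_shape(s) for s in legitimate_samples}
    shape = message_id_shape(message_id)
    if known_shapes and shape not in known_shapes:
        findings.append(
            f"Message-ID shape {shape!r} does not match shapes seen from this site: {sorted(known_shapes)}"
        )
    return findings


if __name__ == "__main__":
    for finding in check_message_id(SUSPECT_MESSAGE_ID, SUSPECT_FROM, LEGITIMATE_SAMPLES):
        print("suspicious:", finding)
```

Run on the sample, the check reports both clues the slide lists: the Message-ID was stamped at "y07l72.olpvl", not anywhere under yahoo.com, and its shape (letters and "$" mixed into the local part) matches nothing previously seen from that site. The shape fingerprint is deliberately coarse; it separates different generators, not individual messages.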
Email Headers Overview (cont.)
• Received:
  – The most important field for tracking
  – Format:
    • Received: from ? by ? via ? with ? id ? for ? ; date-time
  – Lists all sites (mail servers) through which the message travelled before reaching the destination
  – Lines are read from bottom to top (the bottom line is the earliest hop, the top line the server that delivered the message)
Email Headers Overview (cont.)
• Received: from foo.com by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
  – foo.com: the name that the sending machine uses to identify itself
• Received: from foo.com ([129.2.3.4]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
  – The IP address of the sending machine is inserted by bar.com. The IP and the machine name can be compared to identify a forgery
  – IP validity can also be checked (e.g., no component of the address can be > 255)
• Received: from foo.com (x.y.alterdial.uu.net [129.2.3.4]) by bar.com id AA15057; ...
  – Both the IP and the actual name of the sending machine are inserted
Spam Examples
Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40]) by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705 for <got@srv.net>; Wed, 30 Jul 1997 01:15:27 -0600 (MDT)
From: beautifulgirls585@aol.com
Received: from cola.bekkoame.or.jp (ip21.san-luis-obispo.ca.pub-ip.psi.net [38.123.21]) by cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439; Wed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by aol.com (8.8.5/8.6.5) with SMTP id GAA00075 for <"">; Tue, 29 Jul 1997 22:19:42 -0600 (EST)
Date: Tue, 29 Jul 97 22:19:42 EST
Subject: You can have what you want...
Message-ID: <574857638458.HWF39862@aol.com>
Reply-To: beautifulgirls585@aol.com
X-PMFLAGS: 56354433 0
Comments: Authenticated sender is <aol.com>
X-UIDL: vjg79u26gfkjjrty38jf983j309jfyrw
Spam Examples
From jerry@nowhere.com Wed Apr 2 21:13:04 1997
Received: from watagashi.zzzzzz.zzz (watagashi.zzzzzz.zzz [10.168.192.43]) by ccshst06.cs.uoguelph.ca with ESMTP (8.7.5/8.7.3) id OAA20088 for <tburgess@uoguelph.ca>; Wed, 2 Apr 1997 14:35:28 -0500 (EST)
From: jerry@nowhere.com
Received: from zzzzzz.zzz (Cust76.Max7.Los-Angeles.xxxxx.xxx [10.168.73.204]) by watagashi.xxxxxx.xxx (8.7.5+2.6W/3.5W) with SMTP id DAA06068; Thu, 3 Apr 1997 03:58:21 +0900 (JST)
Received: from mailhost.nowhere.com (alt1.nowhere.com (206.1.562.999)) by nowhere.com (8.8.5/8.6.5) with SMTP id GAA00597 for <jerry@nowhere.com>; Wed, 02 Apr 1997 10:18:14 -0600 (EST)
To: jerry@nowhere.com
Message-ID: <144523806421342786@nowhere.com>
Date: Wed, 02 Apr 97 10:18:14 EST
Subject: How To E-Mail Up To A Million Messages Per Hour--No Kidding
Reply-To: jerry@nowhere.com
X-PMFLAGS: 34078848 0
X-UIDL: 3671313288a65eb1890m0762123a
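An added Python example (not from the slides) that applies the Received: checks from the overview slides to the first spam example above. It unfolds the header, parses each Received: line into the name the sender announced, the reverse name and IP inserted by the receiving server, and the "by" host; checks every IP with the "no component > 255" rule; compares the announced name with the reverse name; and, reading the lines bottom to top, checks that each server's "by" host reappears as the "from" host of the next line up (a standard header-analysis step that the slides imply but do not spell out). The header text is the slide's own first example, retyped with the extraction spacing repaired; the finding codes bad-ip, name-mismatch and chain-break are this example's own.

```python
import re

# The first spam example from the slides, retyped as a folded RFC 822 header block.
# The three-component IP, the psi.net reverse name and the aol.com line at the
# bottom are all as the slide shows them; nothing has been added to the data.
SAMPLE_HEADER = """\
Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40])
 by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705 for <got@srv.net>;
 Wed, 30 Jul 1997 01:15:27 -0600 (MDT)
From: beautifulgirls585@aol.com
Received: from cola.bekkoame.or.jp (ip21.san-luis-obispo.ca.pub-ip.psi.net [38.123.21])
 by cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439;
 Wed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by aol.com (8.8.5/8.6.5)
 with SMTP id GAA00075 for <"">; Tue, 29 Jul 1997 22:19:42 -0600 (EST)
Message-ID: <574857638458.HWF39862@aol.com>
"""


def unfold_headers(raw):
    """Split a header block into (name, value) pairs, joining folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:          # continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def valid_ipv4(text):
    """The slide's validity rule: exactly four numeric components, none above 255."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def registered_domain(name):
    """Coarse 'site' of a host name: its last two labels. Good enough to tell
    bekkoame.or.jp from psi.net, which is all this comparison needs."""
    return ".".join(name.lower().split(".")[-2:])


def parse_received(value):
    """Parse one Received: value in the three forms shown on the slides:
    'from A by B', 'from A ([ip]) by B' and 'from A (reverse [ip]) by B'."""
    m_from = re.match(r"from\s+([^\s(]+)", value, re.IGNORECASE)
    m_by = re.search(r"\bby\s+([^\s(;]+)", value, re.IGNORECASE)
    if not m_from or not m_by:
        return None
    inserted = value[m_from.end():m_by.start()]   # what the receiving server added
    m_ip = re.search(r"\d+(?:\.\d+){2,}", inserted)
    m_rev = re.search(r"[A-Za-z][\w.-]*\.[A-Za-z][\w-]*", inserted)
    return {
        "claimed": m_from.group(1),                # name the sender announced
        "reverse": m_rev.group(0) if m_rev else None,
        "ip": m_ip.group(0) if m_ip else None,
        "by": m_by.group(1),
        "findings": [],
    }


def analyze_received_chain(raw):
    """Return the hops in travel order (bottom Received: line first), each annotated
    with findings: bad-ip, name-mismatch, chain-break."""
    hops = [h for name, v in unfold_headers(raw)
            if name.lower() == "received" and (h := parse_received(v))]
    hops.reverse()                                # bottom of the header = earliest hop
    for hop in hops:
        if hop["ip"] and not valid_ipv4(hop["ip"]):
            hop["findings"].append("bad-ip")
        if hop["reverse"] and registered_domain(hop["reverse"]) != registered_domain(hop["claimed"]):
            hop["findings"].append("name-mismatch")
    # A genuine chain links up: the server that wrote one line ("by") is the sender
    # the next server up saw ("from"). A line whose receiver the next hop never
    # heard from was most likely written by the spammer, not by a mail server.
    for earlier, later in zip(hops, hops[1:]):
        if registered_domain(earlier["by"]) != registered_domain(later["claimed"]):
            earlier["findings"].append("chain-break")
    return hops


if __name__ == "__main__":
    for n, hop in enumerate(analyze_received_chain(SAMPLE_HEADER), 1):
        print(f"hop {n}: from {hop['claimed']} ({hop['reverse']} {hop['ip']}) "
              f"by {hop['by']} -> {hop['findings']}")
```

On this header the bottom line, which claims the message passed through aol.com, is flagged chain-break: the next server up, cola.bekkoame.or.jp, says it received the message from a psi.net dial-up address, not from aol.com, and that line is itself flagged bad-ip (38.123.21 has only three components) and name-mismatch (announced as cola.bekkoame.or.jp, resolved to psi.net). The top line, written by the recipient's own server, is clean. The same functions run unchanged on the second example, where valid_ipv4 rejects 206.1.562.999.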
eMailTrackerPro
Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600
Message-ID: <o7-89089$t--2-370--h6b1@y07l72.olpvl>
From: "Reinaldo Gilliam" <27knxeppzk@yahoo.com>
Reply-To: "Reinaldo Gilliam" <27knxeppzk@yahoo.com>
To: ladedu@ladedu.com
Subject: Category A Get the meds u need lgvkalfnqnh bbk
Date: Sun, 16 Nov 2003 13:38:22 GMT
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="9B_9.._C_2EA.0DD_23"
X-Priority: 3
X-MSMail-Priority: Normal
eMailTrackerPro
Conclusions
• Thank you for your time
• Questions and feedback are welcome
References
• Spam Tracking Page
  – http://www.rahul.net/falk/
• Email Tracer Tutorial
  – http://www.visualware.com/resources/tutorials/email.html