Tracking the source of email spam by examining its header

Posted on 19-Feb-2016


Anh Nguyen, May 3rd, 2010

Organization

• Introduction
• Email Headers Overview
• Spam Examples
• Email Tracer Tool: eMailTrackerPro
• Conclusions


Introduction

• Spammers usually fake their email's headers
• The headers can nevertheless be examined to identify the true source of the email
• Assumption: the mail reader can display the full headers of the examined email


Email Headers Overview

• From (no colon)
  – First line in the headers
  – Not actually part of the e-mail header: inserted by the mail transfer software and used by many Unix mailers to separate messages in a mailbox
  – Can be forged, though it often is not

• From:
  – Who the message claims to be from
  – The easiest line to forge

Email Headers Overview (Cont.)

• Reply-To:
  – The address to which replies are sent
  – Easily forged
  – Often provides a clue, since the spammer needs replies to reach a mailbox they control

• Return-Path:
  – The address for returned (bounced) mail; recorded by the final receiving server from the SMTP envelope sender, so it need not match From:

• Sender:
  – The account that actually sent the message, when it differs from From:
  – Much mail software does not insert this line

Email Headers Overview (Cont.)

• Message-ID:
  – Unique string assigned to the message by the mail system when the message is first created
  – Forgeable, but requires more knowledge than forging the From: line
  – Often identifies the system where the sender is logged in, not necessarily the system where the message originated
  – Each mail program has its own Message-ID format
  – Spam can be identified by comparing its Message-ID with those of legitimate messages from the same site

Email Headers Overview (Cont.)

• Received:
  – Most important field for tracking
  – Format:
    Received: from ? by ? via ? with ? id ? for ? ; date-time
  – Lists all sites (mail servers) through which the message travelled before reaching the destination
  – Each server prepends its own line, so the lines are read from bottom (first hop) to top (final delivery)
  – Only the lines added by servers you trust are reliable; everything below the first forged line was written by the spammer, not by a mail server

Email Headers Overview (Cont.)

• Received: from foo.com by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
  – foo.com: the name the sending machine used to identify itself (its HELO name); nothing in this line verifies it

• Received: from foo.com ([129.2.3.4]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
  – The IP address of the sending machine is inserted by bar.com. The IP and the claimed machine name can be compared to identify a forgery
  – The IP's validity can also be checked (e.g., no component of the address can be > 255)

• Received: from foo.com (x.y.alterdial.uu.net [129.2.3.4]) by bar.com id AA15057; ...
  – Both the IP and the actual (reverse-DNS) name of the sending machine are inserted by bar.com; a mismatch between the actual name and the claimed name foo.com shows the sender lied


Spam Examples

Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40]) by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705 for <got@srv.net>; Wed, 30 Jul 1997 01:15:27 -0600 (MDT)
From: beautifulgirls585@aol.com
Received: from cola.bekkoame.or.jp (ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21]) by cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439; Wed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by aol.com (8.8.5/8.6.5) with SMTP id GAA00075 for <"">; Tue, 29 Jul 1997 22:19:42 -0600 (EST)
Date: Tue, 29 Jul 97 22:19:42 EST
Subject: You can have what you want...
Message-ID: <574857638458.HWF39862@aol.com>
Reply-To: beautifulgirls585@aol.com
X-PMFLAGS: 56354433 0
Comments: Authenticated sender is <aol.com>
X-UIDL: vjg79u26gfkjjrty38jf983j309jfyrw

• Reading bottom to top: the bottom Received: line claims the message left aol.com, but the line above it, written by cola.bekkoame.or.jp, records that the machine connecting to it announced itself as cola.bekkoame.or.jp while actually being ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21]. That name/IP mismatch marks the psi.net dial-up as the forger: the aol.com line, the From: and the Reply-To: are fabricated, and the message was relayed through cola.bekkoame.or.jp.

Spam Examples (Cont.)

From jerry@nowhere.com Wed Apr 2 21:13:04 1997
Received: from watagashi.zzzzzzzzzzz.zzz (watagashi.zzzzzzzzzzz.zzz [10.168.192.43]) by ccshst06.cs.uoguelph.ca with ESMTP (8.7.5/8.7.3) id OAA20088 for <tburgess@uoguelph.ca>; Wed, 2 Apr 1997 14:35:28 -0500 (EST)
From: jerry@nowhere.com
Received: from zzzzzzzzzzz.zzz (Cust76.Max7.Los-Angeles.xx.xxxxx.xxx [10.168.73.204]) by watagashi.xxxxxxxxxxx.xxx (8.7.5+2.6W/3.5W) with SMTP id DAA06068; Thu, 3 Apr 1997 03:58:21 +0900 (JST)
Received: from mailhost.nowhere.com (alt1.nowhere.com (206.1.562.999)) by nowhere.com (8.8.5/8.6.5) with SMTP id GAA00597 for <jerry@nowhere.com>; Wed, 02 Apr 1997 10:18:14 -0600 (EST)
To: jerry@nowhere.com
Message-ID: <144523806421342786@nowhere.com>
Date: Wed, 02 Apr 97 10:18:14 EST
Subject: How To E-Mail Up To A Million Messages Per Hour--No Kidding
Reply-To: jerry@nowhere.com
X-PMFLAGS: 34078848 0
X-UIDL: 3671313288a65eb1890m0762123a

• Host names and addresses in this example appear to be anonymised on the slide. The bottom Received: line fails the validity check outright: 206.1.562.999 has two components greater than 255, so no real mail server wrote it. The line above it, written by the watagashi relay, records a dial-up customer (Cust76.Max7.Los-Angeles...) that announced itself as zzzzzzzzzzz.zzz; that mismatch identifies the true origin, and nowhere.com never handled the message.


eMailTrackerPro

Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600
Message-ID: <o7-89089$t--2-370--h6b1@y07l72.olpvl>
From: "Reinaldo Gilliam" <27knxeppzk@yahoo.com>
Reply-To: "Reinaldo Gilliam" <27knxeppzk@yahoo.com>
To: ladedu@ladedu.com
Subject: Category A Get the meds u need lgvkalfnqnh bbk
Date: Sun, 16 Nov 2003 13:38:22 GMT
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="9B_9.._C_2EA.0DD_23"
X-Priority: 3
X-MSMail-Priority: Normal

• mail1.infinology.com recorded that the connecting machine announced itself (HELO) as 38.118.132.100 but actually connected from 62.105.106.207; that is the address to trace. The lower Received: line is fabricated: 235.16.47.37 lies in the multicast range (224.0.0.0/4) and cannot be a sending host, and its timestamp (13:38:22 -0600) is the same clock reading as the Date: header, which is marked GMT.
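The following Python script is an added example serving the Received: overview and the three header examples above; it is not code from the slides or from eMailTrackerPro. It walks a message's Received: chain from the top (the line the recipient's own server wrote) downward and applies the checks the slides describe at each hop: does the name the sender announced match the name and address the receiving server recorded, are the IP components all 255 or less, and is the address a routable unicast address at all. Trust stops at the first hop whose sender lied; the peer address that hop's receiver logged is the probable origin, and every line below it is treated as the spammer's fiction. The header shapes it recognises (sendmail's `name (rdns [ip])`, the `name (rdns (ip))` variant, qmail's `unknown (HELO name) (ip)`, and a bare `[ip]`) are an assumption drawn from the slide examples, and the two sample messages are reconstructed from the slides with bodies omitted. Requires Python 3.8 or later.

```python
"""Walk a message's Received: chain and flag hops that look forged. Added example for these
slides (not code from the presentation or eMailTrackerPro); header shapes are an assumption."""
import ipaddress
import re
from email import message_from_string

# "from <claimed name> ... by <receiving server>"; the receiver's notes sit in between
FROM_BY_RE = re.compile(r"^\s*from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.I)
HELO_RE = re.compile(r"\(HELO\s+(?P<helo>[^\s)]+)\)", re.I)    # qmail: from unknown (HELO name) (ip)
RDNS_RE = re.compile(r"\((?P<rdns>[A-Za-z0-9.-]+)\s*[\[(]")    # resolved name followed by [ip] or (ip)
IP_RE = re.compile(r"[\[(](?P<ip>\d+(?:\.\d+){3})[\])]")      # unbounded digits keep 206.1.562.999


def parse_received(value):
    """Split one Received: header into the fields the slides compare."""
    value = " ".join(value.split())                           # unfold continuation lines
    m = FROM_BY_RE.match(value)
    if not m:
        return None
    from_clause = m.group("from")
    first = re.split(r"[\s(\[]", from_clause, maxsplit=1)[0]  # name the sender announced, if any
    hop = {"helo": first or None, "rdns": None, "ip": None, "by": m.group("by")}
    if h := HELO_RE.search(from_clause):
        hop["helo"] = h.group("helo")
    if (r := RDNS_RE.search(from_clause)) and r.group("rdns").upper() != "HELO":
        hop["rdns"] = r.group("rdns")
    if ips := IP_RE.findall(from_clause):
        hop["ip"] = ips[-1]                                   # the receiver's own record of the peer address
    return hop


def check_hop(hop):
    """Apply the slides' checks to one hop; returns (suspicious, findings)."""
    ip, helo, rdns = hop["ip"], hop["helo"], hop["rdns"]
    if ip is None:
        return True, ["receiving server recorded no IP address"]
    octets = [int(o) for o in ip.split(".")]                  # int() also drops leading zeros such as 07
    if max(octets) > 255:
        return True, [f"invalid address {ip}: a component exceeds 255"]
    addr = ipaddress.IPv4Address(".".join(map(str, octets)))
    findings, suspicious = [], False
    if addr.is_multicast or addr.is_reserved or addr.is_loopback or addr.is_unspecified:
        findings.append(f"{ip} is not a routable unicast address")
        suspicious = True
    elif addr.is_private:
        findings.append(f"note: {ip} is a private-range address")  # internal relay, or an anonymised sample
    if helo and rdns and helo.lower() != rdns.lower():
        findings.append(f"claimed name {helo} does not match resolved name {rdns}")
        suspicious = True
    if helo and re.fullmatch(r"\d+(?:\.\d+){3}", helo) and helo != ip:
        findings.append(f"HELO claims address {helo} but the connection came from {ip}")
        suspicious = True
    return suspicious, findings


def trace(raw_message):
    """Read Received: lines top-down (newest first); trust stops at the first forged hop."""
    hops, origin, stopped = [], None, False
    for value in message_from_string(raw_message).get_all("Received", []):
        hop = parse_received(value) or {"helo": None, "rdns": None, "ip": None, "by": None}
        hop["suspicious"], hop["findings"] = check_hop(hop) if hop["by"] else (True, ["unparsed line"])
        hop["trusted"] = not stopped                          # written by a server we still believe
        if not stopped and hop["suspicious"]:
            origin, stopped = hop["ip"], True                 # the peer address this receiver logged is real
        hops.append(hop)
    if not stopped and hops:
        origin = hops[-1]["ip"]                               # nothing forged: the bottom line names the origin
    return {"hops": hops, "origin": origin}


# Constructed samples: the two spam chains shown on the slides, bodies omitted, lines re-folded.
SAMPLE_2003 = """\
Received: from unknown (HELO 38.118.132.100) (62.105.106.207)
  by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600
From: "Reinaldo Gilliam" <27knxeppzk@yahoo.com>

"""
SAMPLE_1997 = """\
Received: from watagashi.zzzzzzzzzzz.zzz (watagashi.zzzzzzzzzzz.zzz [10.168.192.43])
  by ccshst06.cs.uoguelph.ca with ESMTP (8.7.5/8.7.3) id OAA20088; Wed, 2 Apr 1997 14:35:28 -0500 (EST)
Received: from zzzzzzzzzzz.zzz (Cust76.Max7.Los-Angeles.xx.xxxxx.xxx [10.168.73.204])
  by watagashi.xxxxxxxxxxx.xxx (8.7.5+2.6W/3.5W) with SMTP id DAA06068; Thu, 3 Apr 1997 03:58:21 +0900 (JST)
Received: from mailhost.nowhere.com (alt1.nowhere.com (206.1.562.999))
  by nowhere.com (8.8.5/8.6.5) with SMTP id GAA00597; Wed, 02 Apr 1997 10:18:14 -0600 (EST)
From: jerry@nowhere.com

"""

if __name__ == "__main__":
    for label, sample in (("2003 spam", SAMPLE_2003), ("1997 spam", SAMPLE_1997)):
        result = trace(sample)
        print(f"{label}: probable origin {result['origin']}")
        for n, hop in enumerate(result["hops"], 1):
            state = "trusted" if hop["trusted"] else "UNTRUSTED (below the forged hop)"
            print(f"  hop {n}: by {hop['by']} from {hop['helo'] or '[no name]'} ({hop['ip']}) -> {state}")
            for finding in hop["findings"]:
                print(f"      ! {finding}")
```

Run stand-alone it reports 62.105.106.207 as the origin of the 2003 sample (the HELO name is an address that does not match the connecting address, and the lower line's 235.16.47.37 is multicast) and 10.168.73.204 for the 1997 sample (the Cust76 dial-up claimed to be zzzzzzzzzzz.zzz, and the nowhere.com line carries an impossible address). The private-range note is deliberately not treated as forgery on its own, since an internal relay, or an anonymised slide, will legitimately show such addresses; a stricter deployment could promote it.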


Conclusions

• Thank you for your time
• Questions and feedback are welcome

References

• Spam Tracking Page: http://www.rahul.net/falk/
• Email Tracer Tutorial: http://www.visualware.com/resources/tutorials/email.html