alt.spam FAQ or "Figuring out fake E-Mail & Posts". Rev 20040104 - ASFAQ.txt (1/1)
Summary: This posting describes how to find out where a fake post or
e-mail originated from.
Archive-name: net-abuse-faq/spam-faq
Posting-Frequency: monthly
Last-modified: 20040104
URL: http://gandalf.home.digital.net/spamfaq.html
Greetings and Salutations:
This FAQ will help in deciphering which machine a fake e-Mail or post
came from, and who (generally or specifically) you should contact.
The three sections to this twelve portion FAQ (With apologies to
Douglas Adams :-)) :
o Introduction
o The Easy Way To Get Rid Of spam
o Tracing an e-mail message
o What computer did this e-mail originate from?
o MAILING LIST messages
o Reporting Spam and tracing a posted message
o WWW IP Lookup URL's
o Converting that IP to a name
o What to do with "strange" looking Web links
o Getting a World Wide Web page busted
o Usenet complaint addresses
o Viruses / Trojans / Spyware
o Fraud on the Internet and The MMF (Make Money Fast) Posts
o Nigerian Advance Fee Fraud
o Hoaxes
o Open system spammers love
o Filtering E-Mail BlackMail, procmail or News with Gnus
o Rejecting E-Mail from domains that continue to Spam
o Misc. (Because I can't spell miscellaneous :-)) stuff I couldn't
  think to put anywhere else.
o Protection for you and your kids on the Internet
o I am interested in eliminating spam from my emails, how do I do this?
o Origins of Spam
o How *did* I get this unsolicited e-mail anyway?
o Can I find the person's name and phone from an e-mail address?
o How To Respond to Spam
o Firewalls and protecting your computer
o Revenge - What to do & not to do (mostly not)
o Telephoning someone
o Snail Mailing someone
o 1-900, 1-800, 888, 877 and 1-### may be expensive long distance
  phone calls
o Junk Mail - The Law
o Additional Resources - Lots Of Links and a *really* good book
Introduction
=============
Please feel free to repost this, e-mail it, put this FAQ on CD's or
any other media you can think of.
The latest & greatest version of the Spam FAQ is found at:
http://gandalf.home.digital.net/spamfaq.html
or
http://home.digital.net/~gandalf/spamfaq.html
PLEASE email follow-ups, additions / changes to gandalf@digital.net
My news source is OK, but I sometimes miss items.
I accept all and any input. I consider myself to be the manager of
this FAQ for the good of everyone, not the absolute & controlling
Owner Of The FAQ. I do not always write in a completely coherent
manner. What makes sense to me may not make sense to others. If the
community wants something added or deleted, I will do so. I removed
any e-mail and last name references to someone making a suggestion /
addition. This is so that someone doesn't get upset at this FAQ and
do something stupid. If you don't mind having your e-mail in this FAQ
(or where it is required), please tell me and I will add it back in.
If you are in the United States and have not yet written to your
Senator or House of Representatives about how terrible the CAN-SPAM
act is, I would ask you to do so. The bottom line is that there are
many large corporations and over 22.9 million small businesses in the
United States. If you received just one e-mail a year from each of
the small businesses (not even counting the large companies) you
would receive 63,800 e-mails PER DAY. According to CAN-SPAM you would
then be required to opt out of each and every one of these e-mails,
and the company has 10 days to honor your request. Of course this
would not stop spammers from changing company names every 10 days and
starting to spam all over again. I have written a letter
explaining why I think that this act was poorly written, and I would
ask you to write a letter to your representatives also:
http://home.digital.net/~gandalf/CAN-SPAM.htm
http://gandalf.home.digital.net/CAN-SPAM.htm
Find Your Senators at
http://www.senate.gov/general/contact_information/senators_cfm.cfm and
find your US Representative: http://www.house.gov/writerep/ (Fill in
your state and zip, click "Contact My Representative" and you will be
told who your representative is). Go To:
http://www.house.gov/house/MemberWWW.html , click on their site and
your representative should have an address at the bottom of the page
for where to write them. I would also suggest that you cc the two
sponsors of the bill: Conrad Burns 187 DIRKSEN SENATE OFFICE BUILDING
WASHINGTON DC 20510 and Ron Wyden 516 HART SENATE OFFICE BUILDING
WASHINGTON DC 20510.
And why CAN-SPAM won't work:
http://www.google.com/search?q=CAN-SPAM+won%27t+work
http://www.google.com/search?q=Critics+CAN-SPAM
http://www.gripe2ed.com/scoop/story/2003/12/11/9145/0712
Before trying to determine where the post or e-mail originated from,
you should realize that (just like The National Enquirer
http://www.nationalenquirer.com/ or a logical argument from Canter and
Siegel) the message will have *some* amount of truth, but all or most
of the information may be forged. Be careful before accusing someone.
Commands used in this FAQ are UNIX & VMS commands. Sorry if they
don't work for you, you might wish to try looking around at your
commands to find an equivalent command (or I might be able to help out
some). There are programs for the Macintosh and Windows machines that
do the same thing the UNIX commands do, see the above URL's for where
to locate this software.
And no, I am not going to tell you how to post a fake message or fake
e-mail. It only took me about 2 days (a few hours a day) to figure it
out. It ain't difficult. RTFM (or more appropriately, Read The
@&%^@# RFC).
Every e-mail or post will have a point at which it was injected into
the information stream. E-mail will have a real computer from which
it was passed along. Likewise a post will have a news server that
started passing the post. You need to get cooperation of the
postmaster at the sites the message passed thru. Then you can get
information from the logs telling you what sites the message actually
passed thru, and where the message "looked" like it passed thru (but
actually didn't). Of course you do have to have the cooperation of
all the postmasters in a string of sites...
The Easy Way To Get Rid Of spam
===============================
Sorry to tell you this but if you received a spam (Unsolicited
Commercial E-Mail) there is no "easy" way to get the spam stopped.
Generally if you reply (unsubscribe) this confirms that your e-mail
address is "live" and just gets your e-mail address sold to other
spammers. Spam has to be dealt with one at a time. Sorry, it isn't
easy to stop the spam. The "Internet" (the collective non-profit and
profit entities of the network) is trying to fix this problem but it
is taking time. The "easiest" way to stop getting spam is to change
your e-mail address and only give your e-mail address to people you
absolutely trust, and to NEVER allow the e-mail address to be posted
to a web site or posted ANYWHERE on the internet. To see how many
times my e-mail address appears on the Internet go to the following
link:
http://www.google.com/search?q=gandalf%40digital.net
http://www.nwfusion.com/newsletters/edu/2003/0324ed1.html - E-Mail
addresses on the web attract the most spam
If your e-mail address shows up on a search engine, then the spammers
can find your e-mail address also. Be careful about giving your
e-mail address to companies that purport to be against spam:
http://www.gripe2ed.com/scoop/story/2003/5/15/10299/0559
There are businesses that make a good living filtering out spam both
on a personal and corporate level. I would suggest that if you really
don't want to deal with spam that you get an e-mail address from one
of these services (Please note I am not recommending this service,
just using it as an example). Do a search:
http://www.google.com/search?q=email+hosting+spam
And you will come up with companies like:
http://www.No-JunkMail.com/
Or if you wish to block it from your personal e-mail account do a
search on something like:
http://www.google.com/search?q=spam+blocking+software
And you will come up with examples like:
http://www.spamulor.net/ - Free
http://www.spambutcher.com/
Be aware that no spam blocking software (as of yet) is perfect and you
may get "false positives". An e-mail from a friend may be detected as
spam and may get deleted as spam or moved to the spam box. The spam
wars:
http://computerworld.com/softwaretopics/software/groupware/story/0,10801,75737,00.html
Tracing an e-mail message
=========================
To trace the e-mail you have to look at the header. Most mail readers
do not show the header because it contains information that is for
computer to computer routing. The information you usually see from
the header is the subject, date and the "From" / "Return" address.
About the only thing in an e-mail header that can't be faked is the
"Received" portion referencing your computer (the last received).
You will need to take a look at the headers on the message as follows
(Thanks to Bob, Dave, Kathy, Michael, Piers, Russ, Simon, Chalmers and
others) :
Claris E-Mailer - under Mail select Show Long Headers.
Eudora (before ver. 3) - Select Tools , Options... , then Fonts &
Display then Show all headers
Eudora (ver. 3.x, 4.x IBM or Macintosh) - Press the BLAH button on the
incoming mail message
Eudora V5.1:
1) Double-click on the email subject line in the current
mailbox. This displays the same message with a fuller version of the
header, which will be enough for some ISPs but not all, and also shows
an extra Toolbox which contains the BlahBlahBlah button
2) Click on the BlahBlahBlah button
For Mac Eudora 4.x, hitting the following will cause Eudora to alter
its default setting so that BLAH will be automatically selected for
all new email received after this switch is set:
When checked, Eudora will show all the
headers from messages, not just an abbreviated set.
Hotmail - How to show the mail headers in Hotmail:
1. After you login, just to the right of the tabs, select Options
2. Under Additional Options, select Mail Display Settings
3. In the Message Headers section, click the Advanced button
JUNO - Click on the word "OPTIONS" in the MENU BAR.
On This menu, click on "E-Mail Options (ctrl-E)"
This will get you a Dialog Box:
In the "Show message headers" part, you need to have the "Full" button
marked in order to show full message headings.
KMAIL (KDE Mail Client) - Bryan tells us To display all headers in
kmail(KDE mail client), go to 'view' and click 'all headers'.
Lotus Notes R4 and R5:
1) Examine the fields in the document.
Click on File > Document Properties
Click on fields tab (square rule)
Scroll down to the "received" fields - there should be one for each
"received" header added.
Copy and paste these into a file.
2) Export the headers from the document
*important* You need to be in the inbox folder in Notes
Select the document.
Click on File > Export
Enter a temporary file name, ensure File type is "Structured Text"
Under Export options, click on "selected documents", click OK.
The generated file contains all the headers on the message along
with the message body.
MS Outlook - Double click on the email in your inbox. This will bring
the message into a window. Click on View - Options. You can also open
a message then choose File....Properties....Details.
Microsoft Outlook 2000 - From the Menu Bar select "View" and then
"Options" from that menu.
This displays a dialogue box called "Message Options".
The largest and last text box is called "Internet headers:"
Scroll through this to read all the details.
To save a copy, highlight all the content, and copy it to the
clipboard by pressing (that's both those keys at the same
time), then go into whatever word processor or email program you wish
and press to paste the text onto that page.
Because Microsoft Outlook has many security flaws, the below
instructions may expose your computer to risks. See:
http://www.the-foxhole.org/Disabling_IE_Security_Flaws.htm
MS Outlook Express - Alt-Enter, or Alt-F then R.
MS Outlook Express - More Detailed:
To look for, copy and send headers In Outlook Express
1- Press CTRL F3
2- Press CTRL A
3- Press CTRL C
4- Press Alt F4. (At this point the message is already copied)
5- Open a new message. Right click and paste or select Edit and
paste.
Mike tells us a better way to expose the headers and copy the body for
MS Outlook Express is as follows:
http://www.spamcop.net/fom-serve/cache/119.html
The mouse selections are File/ Properties/ Details tab/ Message source
button. The keyboard access is alt-Enter ctrl-Tab alt-M. Once
accessed the remainder of commands are as discussed elsewhere: Mouse;
R click context menu, Select all, Copy or Keyboard; ctrl-A ctrl-C.
The Message Source described here is the headers + attached spam body.
If one only wanted the complete headers without spam body, they would
stop one step earlier at the Details tab section above.
Netscape 3 - In the mail viewing window: Options > Show Headers > All
- When all the headers are displayed in the NS3 mail window, they are
formatted. This is much more readable than the display in a text
editor such as Notepad.
Netscape 4.xx - Double click on the email in your inbox. Click on View
- Headers - All.
PINE - You have to turn on the header option in setup, then just hit
"h" to get headers.
WebTV - http://www.haltabuse.org/help/headers/webtv.shtml :
1) While viewing the email, hit "Forward" on the sidebar. Address
the document to yourself. Completely erase the subject line.
2) Put your cursor on the first line of the "body" (text area);
Hit "Return" (enter) twice. Your cursor should now be on the 3rd line
of the text area.
3) Type any "Alt" character on this line; DO NOT HIT "RETURN"
4) Cut and Paste the "Alt" character onto the subject line:
(CMD+"A"), (CMD+"X"), (CMD +"V") The "Alt" character should "jump"
down to the message text-area.
5) Hit "Send"; open the received mail.
Ximian Evolution (Linux e-mail program) - To display full headers,
open the message, go to the VIEW menu and choose message display >
full headers.
Yahoo-
-Click on the "Mail Options" link located near the top right-hand side
of the page.
-Click the "General Preferences" link.
-Locate the Show Headers heading and select either "Brief" or "All."
-Click the "Save" button to put your new settings into effect.
For other descriptions of how to display headers (with some good
screen shots), please see:
http://help.att.net/docs/use/email/gen/prb_msol_mac_headerinfo.htm?platform=osnone - MS Outlook Express for the Mac
http://help.att.net/docs/howto/other/win/prb_all_all_ns-header.htm?platform=osnone - Netscape Messenger or Netscape Mail
http://www.wurd.com/cl_email_outlook_headers.php - MS Outlook
http://www.wurd.com/cl_email_msie_headers.php - MS Outlook Express
Programs that do not comply with any Internet standards (like cc-Mail
(depending on how it is configured), Beyond Mail, VAX VMS) throw away
the headers. You will not be able to get headers from these e-mail
messages.
George tells us that the gateway that Lotus provides, SMTPLink (one
of those Microsoft-style utilities that's functional, but just barely),
has an administrator-configurable setting for handling RFC-822 headers
on inbound (to cc:Mail) messages. Headers can be completely
discarded, or copied to an attachment.
George also tells us in the R6 client, headers (if saved to an
attachment in the gateway) are viewable as an attachment, as noted
above. The R8 client handles things differently, hiding the existence
of the headers attachment, and making the content available only by
going to the inbox or a message folder, right-clicking on
"Properties", then selecting the "history" tab. From there, it's
possible to copy/paste into another document. Header information is
left in its original chronological order (unlike Notes, which takes
the liberty of sorting all the headers into alphabetic order).
Aussie tells us that in Pegasus to view the full headers for each
message, use CTRL-H. This will show the full headers for the
particular message, but will not add them to any reply or forward. You
need to cut/paste the message into the reply/forward to send these
headers.
Richard tells us with Nettamer, a MS DOS based email and USENET group
reader you must save the message as an ASCII file, then the full
header will be displayed when you open the saved file with your
favorite ASCII editor.
At this point if you are "pushing the envelope" on your ability to
figure out how to get that complaint to the correct person, I would
suggest joining the Usenet group alt.spam or
news.admin.net-abuse.email and posting the message with a title like
"Please help me decipher this header". Unfortunately there is no
"single" place to complain to about spam (or Unsolicited Commercial
E-Mail). Complaints have to be directed to the correct ISP (Internet
Service Provider) that the spam originated from. See the below
section entitled "Reporting spam".
URL's to help you figure out how to look at the headers:
http://support.xo.com/abuse/guide/guide1.shtml
http://www.rahul.net/falk/mailtrack.html
A slightly different description of headers:
http://digital.net/~gandalf/trachead.html - Line by line tracing of a
spammer's e-mail
http://digital.net/~gandalf/trachead2.html - Line by line tracing of a
spammer's e-mail when the spammer has inserted a "Fake" Received line
to confuse tracking of the e-mail.
http://help.mindspring.com/docs/006/emailheaders/
http://help.mindspring.com/features/emailheaders/extended.htm
http://www.stopspam.org/email/headers/headers.html - In depth header
analysis
There is spamming software that sends the e-mail directly to your
computer. This leaves only one Received line in the e-mail, which
makes your life many times easier: the computer in that line that is
not your computer is the spamming computer.
Also, please look through the body of the message for e-mail addresses
to reply to. Complain to the postmasters of those sites also (see
below for a list of complaint addresses).
Gregory tells us that assuming a reasonably standard and recent
sendmail setup, a Received line that looks like :
Received: from host1 (host2 [ww.xx.yy.zz]) by host3
(8.7.5/8.7.3) with SMTP id MAA04298; Thu, 18 Jul 1996 12:18:06
-0600
shows four pieces of useful information (reading from back to front,
in order of decreasing reliability):
- The host that added the Received line (host3)
- The IP address of the incoming SMTP connection (ww.xx.yy.zz)
- The reverse-DNS lookup of that IP address (host2)
- The name the sender used in the SMTP HELO command when they
connected (host1).
Looking at the below we see 6 Received lines. Received lines are like
links in a chain. The message is passed from one computer to the next
with no breaks in the chain. The Received lines indicate that it
ended up at digital.net (my computer) from mail.bestnetpc.com. It was
received at mail.bestnetpc.com from unknown (HELO paul-s.-aiello)
([205.160.183.123]). The last three lines suggest that it was
received at in2.|bm.net from mh.tomsurl|.com and from
reb50.rs41|1date.net. Since none of these computers are in the first
two Received lines we can ignore these lines and every Received
entry after them (this UCE had 4 or 5 more faked Received lines
in it that were deleted for this example). We also know that these
lines are faked because no domain name has a "|" character in the
name. Domain names only have alphabetic or numeric characters in the
name.
Do not get confused by the "Received: from unknown" portion. The word
"unknown" can be *anything* and should be ignored, this is whatever
the spammer put in the SMTP HELO command when they connected to the
SMTP server.
Received: from mail.bestnetpc.com (IDENT:qmailr@mail.bestnetpc.com
[205.160.183.3]) by digital.net (8.9.1a/8.9.1) with SMTP id CAA10768
for ; Thu, 26 Nov 1998 02:55:11 -0500 (EST)
Received: (qmail 25259 invoked from network); 26 Nov 1998 08:05:49 -
0000
Received: from unknown (HELO paul-s.-aiello) ([205.160.183.123]) by
mail.bestnetpc.com with SMTP; 26 Nov 1998 08:05:49 -0000
Received: (from uudp@lcl|lhost) by in2.|bm.net (8.6.9/8.6.9) id
CFF569794 for ; Thursday, November 26, 1998
Received: from tomsurl|.com (mh.tomsurl|.com [100.257.57.69]) by
m4.tomsurl|.com (8.6.12/8.6.12) with ESMTP id PAA21932 Thursday,
November 26, 1998
Received: from reb50.rs41|1date.net (root@reb50.rs41|1date.net
[256.36.1.176]) by tomsurl|.com (8.6.12/8.6.12) with ESMTP id
PBA023891 for ;
So we complain to whoever owns unknown (HELO paul-s.-aiello)
([205.160.183.123]). Make sure that you do an nslookup (or use
http://samspade.org/t/ , put the address in the section "address
digger", click on WhoIs IP block and Traceroute and click on "do
stuff") on the IP addresses. I try to verify that 205.160.183.123 is
paul-s.-aiello. Indeed paul-s.-aiello does not even exist and
205.160.183.123 does not resolve to a name when I do an NSLookup. Next
would be a traceroute. See further below for more in-depth tracking
on resolving an IP.
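As an added Python example (not part of this FAQ), here is the breakdown Gregory describes applied to the six Received lines above: it unfolds the headers, pulls out the four fields in order of reliability, walks the chain from your own MTA downwards and stops trusting at the first broken link (a "by" host that is not where the previous line came from, a "|" in a name, or an impossible IP such as 256.36.1.176). Both samples are constructed: the first from the lines above with recipients omitted, the second with example.net/example.org names and 192.0.2.x addresses to show a chain that breaks on legal-looking names and a line where only the IP inside "([...])" is real.

```python
import re

# Added example, not from the FAQ. Constructed input: the six Received lines
# discussed above, folded as a mail reader shows them (recipients omitted as in the FAQ).
SAMPLE_HEADERS = """\
Received: from mail.bestnetpc.com (IDENT:qmailr@mail.bestnetpc.com [205.160.183.3])
  by digital.net (8.9.1a/8.9.1) with SMTP id CAA10768; Thu, 26 Nov 1998 02:55:11 -0500
Received: (qmail 25259 invoked from network); 26 Nov 1998 08:05:49 -0000
Received: from unknown (HELO paul-s.-aiello) ([205.160.183.123])
  by mail.bestnetpc.com with SMTP; 26 Nov 1998 08:05:49 -0000
Received: (from uudp@lcl|lhost) by in2.|bm.net (8.6.9/8.6.9) id CFF569794
Received: from tomsurl|.com (mh.tomsurl|.com [100.257.57.69])
  by m4.tomsurl|.com (8.6.12/8.6.12) with ESMTP id PAA21932
Received: from reb50.rs41|1date.net (root@reb50.rs41|1date.net [256.36.1.176])
  by tomsurl|.com (8.6.12/8.6.12) with ESMTP id PBA023891
"""
# Second constructed sample: legal names, but the third line's "by" host never
# received the message from anyone above it, so the chain breaks there.
FORGED_CHAIN = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
  by mx.example.org (8.9.3/8.9.3) with ESMTP id AAA01; Mon, 5 Jan 2004 10:00:00 -0500
Received: from mailer.example.com ([192.0.2.20]) by relay.example.net with SMTP id BBB02
Received: from mail.zebra.net (209.12.13.2) ([209.12.69.42]) by bogus.example with SMTP id CCC03
"""

HOSTNAME_RE = re.compile(r'^[A-Za-z0-9.-]+$')         # DNS names: letters, digits, dots, hyphens
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')  # the "[a.b.c.d]" the receiving MTA recorded
HOP_RE = re.compile(r'^Received:\s+from\s+(\S+)(.*?)\s+by\s+(\S+)')


def unfold(raw):
    """Join continuation lines (leading whitespace) and keep only the Received lines."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (' ', '\t') and lines:
            lines[-1] += ' ' + line.strip()
        else:
            lines.append(line.rstrip())
    return [l for l in lines if l.startswith('Received:')]


def valid_ip(ip):
    return all(int(octet) <= 255 for octet in ip.split('.'))   # 256.x or x.257.x is impossible


def parse_hop(line):
    """Split one Received line into the four fields, most reliable first:
    by_host, ip (inside "[...]"), rdns (the name right before the "["), helo."""
    hop = dict(by_host=None, ip=None, rdns=None, helo=None)
    m = HOP_RE.match(line)
    if not m:                       # qmail / local-delivery form: no "from X ... by Y"
        b = re.search(r'\sby\s+(\S+)', line)
        hop['by_host'] = b.group(1).rstrip(';') if b else None
        return hop
    helo, middle, by_host = m.groups()
    hm = re.search(r'\(HELO\s+(\S+)\)', middle)   # qmail records the HELO name here instead
    hop.update(helo=hm.group(1) if hm else helo, by_host=by_host.rstrip(';'))
    ipm = IP_RE.search(middle)
    if ipm:
        hop['ip'] = ipm.group(1)
        before = middle[:ipm.start()].rstrip()
        # Only a name directly in front of "[ip]" is the receiving MTA's own reverse lookup;
        # other parenthesised text ("(HELO ...)", "(209.12.13.2)") was supplied by the sender.
        if before and not before.endswith('('):
            hop['rdns'] = re.split(r'[\s(]', before)[-1].rsplit('@', 1)[-1]
    return hop


def trace(raw):
    """Walk the lines from your own MTA downwards; stop trusting at the first broken
    link. The IP on the last trusted line is where the message was injected."""
    trusted, expected, reason = [], set(), None
    for hop in (parse_hop(l) for l in unfold(raw)):
        by = hop['by_host'] or ''
        names = [n for n in (by, hop['rdns']) if n]
        if any(not HOSTNAME_RE.match(n) for n in names):
            reason = 'illegal character in host name: ' + ', '.join(names)
            break
        if hop['helo'] is None:     # internal hand-off on the same host; chain unchanged
            continue
        if hop['ip'] and not valid_ip(hop['ip']):
            reason = 'impossible IP address ' + hop['ip']
            break
        if expected and by.lower() not in expected:
            reason = 'chain broken: "by %s" is not where the previous line came from' % by
            break
        trusted.append(hop)
        # HELO is sender-supplied, so a link that matches only the HELO name is the weakest.
        expected = {n.lower() for n in (hop['rdns'], hop['ip'], hop['helo']) if n}
    return {'trusted': trusted, 'stopped_because': reason,
            'origin_ip': trusted[-1]['ip'] if trusted else None}
```

trace(SAMPLE_HEADERS) reports 205.160.183.123 as the address to complain about and stops at the first name containing a "|"; trace(FORGED_CHAIN) stops at "by bogus.example" and reports 192.0.2.20.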
IP portion = 205.160.183.123
Traceroute 205.160.183.123 gives us:
Step Host IP
Find route from: 0.0.0.0 to: 205.160.183.123 (205.160.183.123), Max 30
hops, 40 byte packets
13 acsi-sw-gw.customer.alter.net. (157.130.128.26 ): 235ms
14 atlant-ga-2.espire.net. (206.222.97.24 ): 272ms
15 206.222.104.37 (206.222.104.37 ): 279ms
16 orland-fl-1-a5-0.espire.net. (206.222.99.7 ): 362ms
17 iag.net.orland-fl-1.espire.net. (206.222.106.6 ): 195ms
18 d1.s0.gw.dayb.fl.iag.net. (207.30.70.38 ): 230ms
19 s0.gw.bestnetpc.net. (207.30.70.254 ): 231ms
20 * * *
21 205.160.183.123 (205.160.183.123): 372ms
See the traceroute section below for how to interpret the "*" (and
other codes) that are returned from a traceroute.
Note - if you see something like the following realize that the only
portion you can trust is within the "([" and the "])". The spammer
put in the (faked) portion "mail.zebra.net (209.12.13.2)" :
Received: from mail.zebra.net (209.12.13.2) ([209.12.69.42])
Kamiel tells us that you might also want to make sure that the IP is
not hosted by an intermediary site. Check it out at:
http://www.arin.net/
You should complain to the abuse@ or postmaster@. I would complain to abuse@iag.net OR
abuse@espire.net (but NOT both sites) since after looking below at the
list of complaint addresses in this FAQ there are no alternate
addresses for iag.net or espire.net. Unless it is a "major provider"
(someone in the below complaint list) I usually complain to the
upstream provider rather than risk the chance of complaining to the
spammer and being ignored. If you go too far up the chain, however,
it may take quite some time for the complaint to filter down to the
correct person.
Louise tells us that you are entitled to make an 'alleged' accusation
but to avoid libel, prefix your statement with:
"Without prejudice: I suspect you are the culprit of such and such."
The constitutional and legal boundary of 'Without prejudice' exempts
Politician's opinions being spoken publicly and this prefix is often
adopted by Solicitors (English) or Lawyers/Attorneys (USA).
I use :
abuse@XXXXX - Without prejudice I submit to you this Unsolicited
Commercial E-Mail is from your user XXXX. UCE is unappreciated
because it costs my provider (and ultimately myself) money to process
just like an unsolicited FAX. Please look into this. Thank you.
BE SURE to verify the IP address. Windows '95 machines place the name
of the machine as the "name" and place the real IP address after the
name, meaning a spammer can give a legitimate "name" of someone else
to get someone innocent in trouble. A spammer at cyberpromo changed
their SMTP HELO so that it claimed to be from Compuserve. The
Received line looked like the below, but a quick verification of the
IP address 208.9.65.20 showed it was indeed from cyberpromo :
Received: from dub-img-4.compuserve.com (cyberpromo.com [208.9.65.20])
by karpes.stu.rpi.edu
The below e-mail was passed to me thru a "mule" (un1.satlink.com
[200.9.212.3]). The Spammer hijacked an open SMTP port to reroute
e-mail to me:
Received: from un1.satlink.com (un1.satlink.com [200.9.212.3]) by
digital.net (8.9.1a/8.9.1) with ESMTP id GAA06372; Fri, 27 Nov 1998
06:53:20 -0500 (EST)
Received: from usa.net ([209.86.128.234]) by un1.satlink.com (Netscape
Messaging Server 3.54) with SMTP id AAT2FEA; Fri, 27 Nov 1998
08:46:07 -0200
A NSLookup on 209.86.128.234 resolves to
user38ld07a.dialup.mindspring.com, so after I complain to
mindspring.com I also send the postmaster of the open SMTP port the
following :
postmaster@XXXXX - Your SMTP mail server XXXXX was used as a mule to
pass (and waste your system resources) this e-mail on to me. You can
stop your SMTP port from allowing rerouting of e-mail back outside of
your domain if you wish to. FYI only. Info on how to block your
server, see:
http://www.ordb.org/
http://dsbl.org/main
http://relays.osirusoft.com/
http://relays.osirusoft.com/cgi-bin/rbcheck.cgi - See if a server is
on a BlackHole list, i.e. an open relay
http://www.dorkslayers.com/
http://spamhaus.org/sbl
http://mail-abuse.org/rbl/usage.html
http://samspade.org/t/
http://www.abuse.net/relay.html - Test for server vulnerability
Now that Cable Modems are so popular, companies are starting to put
their "personal" e-mail servers on cable / DSL modems and are (of
course) not configuring them correctly. I received UCE from an open
SMTP server:
Received: from SDMAIN (DT1-A-hfc-0251-d1132e93.rdc1.sdca.coxatwork.com
[209.19.46.147]) by digital.net (8.9.3/05.21.76) with
SMTP id SAA04761; Fri, 30 Mar 2001 18:35:24 -0500 (EST)
Received: from Received: (qmail 554 invoked from network); 25 Mar 2001
23:56:02 (ip207.miami41.fl.pub-ip.psi.net
[38.37.111.207]) by SDMAIN; Fri, 30 Mar 2001 10:19:58 -0800
Complain to Cox ( abuse@home.com in this case) about their open SMTP
server.
There are some systems that "claim" to "cloak" e-mail. It is not
true. If you receive one that looks like the following :
Received: from relay4.ispam.net (root@[207.124.161.39]) by digital.net
(8.8.5/8.8.5) with ESMTP id KAA28969 for ; Thu,
26 Jun 1997 10:41:46 -0400 (EDT)
Received: from --- CLOAKED! ---
or
Received: from cerberus.njsmu.com ([204.142.120.2]) by digital.net
(8.8.5/8.8.5) with ESMTP id HAA06250 for ; Mon,
25 Jan 1999 07:11:18 -0500 (EST)
From: hostme39@aol.com
Received: from The.sender.of.this.untracable.email.used.MAILGOD.by.IMI
It is still broken down as follows :
- The route the e-mail took originated from one of the systems above
the line marked "cloaked" or the line "untraceable" (in fact this
makes it even easier to trace). There is no magic to it. Complain to
that provider. If you get no response from the site that spammed, you
should ask your provider to no longer allow the above site
[207.124.161.39] to connect to your system.
It has been kindly pointed out to me that there is a "feature" (read
"bug") in the UNIX mail spool wherein the person e-mailing you a
message can append a "message" (with the headers) to the end of their
message. It makes the mail reader think you have 2 messages when the
joker that sent the original message only sent one message (with a
fake message appended). If the headers look *really* screwy, you
might look at the message before the screwy message and consider if it
may not be a "joke" message.
There are also IBM mainframes and misconfigured Sun Sendmail machines
(SMI-8.6/SMI-SVR4) that do not include the machine that they received
the SMTP traffic from. You have to route the message (with headers)
back to the postmaster at that system and ask them to tell you what
the IP of the machine is that hooked into their system for that
message.
An example of a Microsoft Exchange server where the "HELO" name is
taken as the "from" portion (and is completely false):
Received: from dpi.dpi-conseil.fr (dpi.dpi-conseil.fr [195.115.136.1])
by digital.net (8.9.3/8.9.3) with ESMTP id KAA06614 for
; Thu, 26 Aug 1999 10:51:31 -0400 (EDT)
Received: from FIREWALL ([192.168.0.254]) by dpi.dpi-conseil.fr with
SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
id QW11TJV1; Thu, 26 Aug 1999 16:44:38 +0200
It has also been pointed out that someone on your server can telnet
back to the mail port and send you mail. This also makes the forgery
virtually untraceable by you, but as always your admin should be able
to catch the telnet back to the server. If they telnet to a foreign
SMTP server and then use the "name" of a user on that system, it may
appear to you that the message came from that user. Be very careful
when making assumptions about where the e-mail came from.
Note for AOL users when looking at headers:
If you get double headers at the end of a message (like the below) the
spammer has tacked on a extra set of headers to confuse the issue.
Ignore everything except the last set of headers. These are the
*real* headers.
------------------ Headers --------------------------------
Return-Path:
Received: from rly-za05.mx.aol.com (rly-za05.mail.aol.com
[172.31.36.101]) byair-za04.mail.aol.com (v51.16) with SMTP; Mon, 16
Nov 1998 19:16:02 1900
Received: from mailb.telia.com (mailb.telia.com [194.22.194.6]) by
rly-za05.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0) with ESMTP id TAA05189;
Mon, 16 Nov 1998 19:15:53 -0500 (EST)
From: Gloria@me.net
Received: from signal.dk ([194.255.7.40]) by mailb.telia.com
(8.8.8/8.8.8) with SMTP id BAA14174; Tue, 17 Nov 1998 01:15:50 +0100
(CET)
Received: from 194.255.7.40 by signal.dk
viaSMTP(950413.SGI.8.6.12/940406.SGI.AUTO) id AAA28586; Tue, 17 Nov