Re: blind people need to die!, how to find origin

  • From: "Terrill Reynolds" <terrill1@xxxxxxxx>
  • To: <jfw@xxxxxxxxxxxxx>
  • Date: Thu, 5 Jul 2007 16:00:15 -0400

 

How to find the right ISP to complain to? It takes a close look at the spam message's header lines. These headers contain information about the path an email took.

Follow the path until the point where the email was sent from. From this point, also known as an IP address, one can derive the spammer's ISP and send the report to this ISP's abuse department.

 

Let's take a closer look at how this works.

Email: Header and Body

Every email message consists of two parts, the body and the header. The header can be thought of as the envelope of the message, containing the address of the sender, the recipient, the subject and other information. The body contains the actual text and the attachments.

Some header information usually displayed by your email program includes:

- From: - The sender's name and email address.
- To: - The recipient's name and email address.
- Date: - The date when the message was sent.
- Subject: - The subject line.

 

Header Forging

The actual delivery of emails does not depend on any of these headers; they are just a convenience.

Usually, the From: line, for example, will be set to the sender's address. This makes sure you know who the message is from and can reply easily.

Spammers want to make sure you cannot reply easily, and certainly don't want you to know who they are. That's why they insert fictitious email addresses in the From: lines of their junk messages.

 

Received: Lines

So the From: line is useless if we want to determine the real source of an email. Fortunately, we need not rely on it. The headers of every email message also contain Received: lines.

These are not usually displayed by email programs, but they can be very helpful in tracing spam. Find out how helpful they are, and how the analysis works.

 

What Email Headers can Tell You About the Origin of Spam

Parsing Received: Header Lines

Just like a postal letter will go through a number of post offices on its way from sender to recipient, an email message is processed and forwarded by several mail servers.

Imagine every post office putting a special stamp on each letter. The stamp would say exactly when the letter was received, where it came from and where it was forwarded to by the post office. If you got the letter, you could determine the exact path taken by the letter.

This is exactly what happens with email.

 

Received: Lines for Tracing

As a mail server processes a message, it adds a special line, the Received: line, to the message's header. The Received: line contains, most interestingly,

- the server name and IP address of the machine the server received the message from and
- the name of the mail server itself.

The Received: line is always inserted at the top of the message headers.

If we want to reconstruct an email's journey from sender to recipient we also start at the topmost Received: line (why we do this will become apparent in a moment) and walk our way down until we have arrived at the last one, which is where the email originated.

 

Received: Line Forging

Spammers know that we will apply exactly this procedure to uncover their whereabouts. To fool us, they may insert forged Received: lines that point to somebody else sending the message.

Since every mail server will always put its Received: line at the top, the spammers' forged headers can only be at the bottom of the Received: line chain. This is why we start our analysis at the top and don't just derive the point where an email originated from the first Received: line (at the bottom).

 

How to Tell a Forged Received: Header Line

The forged Received: lines inserted by spammers to fool us will look like all the other Received: lines (unless they make an obvious mistake, of course). By itself, you can't tell a forged Received: line from a genuine one.

This is where one distinct feature of Received: lines comes into play. As we've noted above, every server will not only note who it is but also where it got the message from (in IP address form).

We simply compare who a server claims to be with what the server one notch up in the chain says it really is. If the two don't match, the earlier Received: line has been forged.

In this case, the origin of the email is what the server immediately after the forged Received: line has to say about who it got the message from.

 

Are you ready for an example?

 

 

Example Spam Analyzed and Traced

Now that we know the theoretical underpinning, let's see how analyzing a junk email to identify its origin works in real life.

I've just received an exemplary piece of spam that we can use for exercise. Here are the header lines:

 

Received: from unknown (HELO 38.118.132.100) (62.105.106.207)
  by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600
Message-ID: <o7-89089$t--2-370--h6b1@xxxxxxxxxxxx>
From: "Reinaldo Gilliam" <27knxeppzk@xxxxxxxxx>
Reply-To: "Reinaldo Gilliam" <27knxeppzk@xxxxxxxxx>
To: ladedu@xxxxxxxxxx
Subject: Category A Get the meds u need lgvkalfnqnh bbk
Date: Sun, 16 Nov 2003 13:38:22 GMT
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="9B_9.._C_2EA.0DD_23"
X-Priority: 3
X-MSMail-Priority: Normal

 

Can you tell the IP address where the email originated?

 

Sender and Subject

First, take a look at the - forged - From: line. The spammer wants to make it look as if the message was sent from a Yahoo! Mail account. Together with the Reply-To: line, this From: address is aimed at directing all bouncing messages and angry replies to a non-existing Yahoo! Mail account.

Next, the Subject: is a curious agglomeration of random characters. It is barely legible and obviously designed to fool spam filters (every message gets a slightly different set of random characters), but it is also quite skillfully crafted to get the message across in spite of this.

 

The Received: Lines

Finally, the Received: lines. Let's begin with the oldest, "Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600". There are no host names in it, but two IP addresses: 38.118.132.100 claims to have received the message from 235.16.47.37. If this is correct, 235.16.47.37 is where the email originated, and we'd find out which ISP this IP address belongs to, then send an abuse report to them.

Let's see if the next (and in this case last) server in the chain confirms the first Received: line's claims: "Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000".

Since mail1.infinology.com is the last server in the chain and indeed "my" server, I know that I can trust it. It has received the message from an "unknown" host that claimed to have the IP address 38.118.132.100 (using the SMTP HELO command). So far, this is in line with what the previous Received: line said.

Now let's see where my mail server did get the message from. To find out, we take a look at the IP address in brackets immediately before "by mail1.infinology.com". This is the IP address the connection was established from, and it is not 38.118.132.100. No, 62.105.106.207 is where this piece of junk mail was sent from.

 

HTH

Best wishes,
Terrill Reynolds
---------- 
Email:
Terrill1@xxxxxxxx
Windows Messenger:terrillreynolds36@xxxxxxxxxxx
Yahoo:terrillreynolds
AIM:terrill36
PH:(910)842-7701
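A small script that carries out the top-down Received: chain check described in the message above, written as an added example (it is not part of the original post or of any mail software it mentions). It parses the two Received: lines of the spam sample quoted above, treats the HELO argument as a sender-chosen claim rather than evidence, and, going one step beyond the post, also accepts a lower line's "by" host when the upper server recorded it as the reverse-DNS name of the connecting IP, so an honest relay chain is not flagged; the `.invalid` hostnames used in the test are constructed.

```python
import re

# Received: lines of the spam sample quoted in the message above, newest first.
SAMPLE_HEADERS = """\
Received: from unknown (HELO 38.118.132.100) (62.105.106.207)
  by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600
"""
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def unfold(headers):
    """Join folded continuation lines (leading whitespace) onto the header they belong to."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_received(line):
    """Return what the receiving server *observed* about the sender (connection IP and,
    if present, the reverse-DNS name it looked up) and the receiving server's own name.
    The HELO argument is chosen by the sender, so it is parsed but never trusted."""
    body = line[len("Received:"):].strip()
    by = re.search(r"\bby\s+([^\s;]+)", body)
    before_by = body[: by.start()] if by else body
    helo = re.search(r"\(HELO\s+([^)\s]+)\)", before_by)
    rdns = re.search(r"\(([\w.-]+)\s+\[" + IPV4 + r"\]\)", before_by)
    ips = re.findall(r"[\[(](" + IPV4 + r")[\])]", before_by)
    observed = {x for x in (ips[-1] if ips else None, rdns and rdns.group(1)) if x}
    return {"by": by.group(1) if by else None, "helo": helo and helo.group(1),
            "conn_ip": ips[-1] if ips else None, "observed": observed}


def trace_origin(headers, trusted_host):
    """Walk the chain top-down: each lower line's 'by' host must appear among what the
    line above observed. The first mismatch marks the start of the forged tail, and the
    origin is the connection IP seen by the last trustworthy server."""
    hops = [parse_received(l) for l in unfold(headers) if l.startswith("Received:")]
    if not hops or hops[0]["by"] != trusted_host:
        raise ValueError("topmost Received: line was not added by the trusted server")
    for upper, lower in zip(hops, hops[1:]):
        if lower["by"] not in upper["observed"]:
            return {"origin": upper["conn_ip"], "forged": True}
    return {"origin": hops[-1]["conn_ip"], "forged": False}
```

Running `trace_origin(SAMPLE_HEADERS, "mail1.infinology.com")` reports 62.105.106.207 as the origin with the lower line flagged as forged, matching the conclusion reached by hand above.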
----- Original Message ----- 
From: "Darrell Shandrow" <nu7i@xxxxxxxxxxxxx>
To: <jfw@xxxxxxxxxxxxx>
Sent: Thursday, July 05, 2007 1:09 PM
Subject: Re: blind people need to die!


Uh, well, hmm.
It seems we have some sort of a security related issue here as I clearly did 
not send this.  I'll have to check it out later when my work day is done. 
Grrr!


Darrell Shandrow - Accessibility Evangelist
Information should be accessible to us without need of translation by 
another person.
Blind Access Journal blog and podcast: http://www.blindaccessjournal.com
Check out high quality telecommunications services at http://ld.net/?nu7i
----- Original Message ----- 
From: "Darrell Shandrow" <nu7i@xxxxxxxxxxxxx>
To: <jfw@xxxxxxxxxxxxx>
Sent: Thursday, July 05, 2007 9:46 AM
Subject: blind people need to die!


blind people need to fuckin' die!

-- Darrell
--
JFW related links:
JFW homepage: http://www.freedomscientific.com/
Scripting mailing list: 
http://lists.the-jdh.com/listinfo.cgi/scriptography-the-jdh.com
JFW List instructions:
To post a message to the list, send it to jfw@xxxxxxxxxxxxx
To unsubscribe from this mailing list, send a message to 
jfw-request@xxxxxxxxxxxxx with the word unsubscribe in the subject line.
Archives located at: //www.freelists.org/archives/jfw

If you have any concerns about the list, post received from the list, or the 
way the list is being run, do not post them to the list. Rather contact the 
list owner at jfw-admins@xxxxxxxxxxxxxx

