1 / 19

Tracking the source of email spam by examining its header

Tracking the source of email spam by examining its header. Anh Nguyen May 3 rd , 2010. Organization. Introduction Email Headers Overview Spam Examples Email Tracer Tool: eMailTrackerPro Conclusions . Introduction. Introduction Email Headers Overview Spam Examples

petra
Download Presentation

Tracking the source of email spam by examining its header

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tracking the source of email spam by examining its header Anh Nguyen May 3rd, 2010

  2. Organization • Introduction • Email Headers Overview • Spam Examples • Email Tracer Tool: eMailTrackerPro • Conclusions

  3. Introduction • Introduction • Email Headers Overview • Spam Examples • Email Tracer Tool: eMailTrackerPro • Conclusions

  4. Introduction • Spammers usually fake their email’s headers • Headers can be examined to identify the true source of email • Assumption: Full headers of the examined email can be shown by the mail reader

  5. Email Headers Overview • Introduction • Email Headers Overview • Spam Examples • Email Tracer Tool: eMailTrackerPro • Conclusions

  6. Email Headers Overview • From • First line in headers • Not actually part of the e-mail header • Inserted by mail transfer software • Used by many Unix mailers to separate messages • Can be faked, but not always • From: • Who the message is from • The easiest to forge

  7. Email Headers Overview (Cont.) • Reply-To: • The address to which replies are sent • Easily to be forged • Often provides a clue • Return-Path: • The address for return mail • Sender: • The account that sent the message • Many mail software fails to insert this line

  8. Email Headers Overview (Cont.) • Message-ID: • Unique string assigned to message by mail system when the message is first created • Forgeable, but requires more knowledge than forging the From: line • Often identifies the system where the sender is logged in • Not identifies the system where the message originated • Every mail software has its own unique string style • Spam can be identified by comparing its message-id with legitimate messages from the same site

  9. Email Headers Overview (Cont.) • Received: • Most important field for tracking • Format: • Received: from ? by ? via ? with ? id ? for ? ; date-time • List all sites (mail servers) through which the message traveled before reaching the destination. • Lines are read from bottom to top

  10. Email Headers Overview (Cont.) • Received: from.foo.com by bar.com id AA15057; Fri, 25 Jul 97 09:39:02 • foo.com: the name that the sending machine uses to identify itself • Received: from foo.com ([129.2.3.4]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02 • IP address of the sending machine is inserted by bar.com. The IP and the machine name can be compared to identify a forgery • IP validity can also be checked (ex., no component in the address can be > 255) • Received: from foo.com (x.y.alterdial.uu.net [129.2.3.4]) by bar.com id AA15057; ... • Both IP and the actual name of the sending machine are inserted

  11. Spam Examples • Introduction • Email Headers Overview • Spam Examples • Email Tracer Tool: eMailTrackerPro • Conclusions

  12. Spam Examples • Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40]) by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705 for <got@srv.net>; Wed, 30 Jul 1997 01:15:27 -0600 (MDT) • From: beautifulgirls585@aol.com • Received: from cola.bekkoame.or.jp (ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21]) by cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439; Wed, 30 Jul 1997 14:35:50 +0900 (JST) • Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by aol.com (8.8.5/8.6.5) with SMTP id GAA00075 for <"">; Tue, 29 Jul 1997 22:19:42 -0600 (EST) • Date: Tue, 29 Jul 97 22:19:42 EST • Subject: You can have what you want... • Message-ID: <574857638458.HWF39862@aol.com> • Reply-To: beautifulgirls585@aol.com • X-PMFLAGS: 56354433 0 • Comments: Authenticated sender is <aol.com> X-UIDL: vjg79u26gfkjjrty38jf983j309jfyrw

  13. Spam Examples • From jerry@nowhere.com Wed Apr 2 21:13:04 1997 • Received: from watagashi.zzzzzzzzzzz.zzz (watagashi.zzzzzzzzzzz.zzz [10.168.192.43]) by ccshst06.cs.uoguelph.ca with ESMTP (8.7.5/8.7.3) id OAA20088 for &lt;tburgess@uoguelph.ca&gt;; Wed, 2 Apr 1997 14:35:28 -0500 (EST) • From: jerry@nowhere.com • Received: from zzzzzzzzzzz.zzz (Cust76.Max7.Los-Angeles.xx.xxxxx.xxx [10.168.73.204]) by watagashi.xxxxxxxxxxx.xxx(8.7.5+2.6W/3.5W) with SMTP id DAA06068; Thu, 3 Apr 1997 03:58:21 +0900 (JST) • Received: from mailhost.nowhere.com (alt1.nowhere.com (206.1.562.999)) by nowhere.com (8.8.5/8.6.5) with SMTP id GAA00597 for &lt;jerry@nowhere.com&gt;; Wed, 02 Apr 1997 10:18:14 -0600 (EST) • To: jerry@nowhere.com • Message-ID: &lt;144523806421342786@nowhere.com&gt; • Date: Wed, 02 Apr 97 10:18:14 EST • Subject: How To E-Mail Up To A Million Messages Per Hour--No Kidding • Reply-To: jerry@nowhere.com • X-PMFLAGS: 34078848 0 • X-UIDL: 3671313288a65eb1890m0762123a

  14. eMailTrackerPro • Introduction • Email Headers Overview • Spam Examples • Email Tracer Tool: eMailTrackerPro • Conclusions

  15. eMailTrackerPro • Received: from unknown (HELO 38.118.132.100) (62.105.106.207)  by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600Message-ID: <o7-89089$t--2-370--h6b1@y07l72.olpvl>From: "Reinaldo Gilliam" <27knxeppzk@yahoo.com>Reply-To: "Reinaldo Gilliam" <27knxeppzk@yahoo.com>To: ladedu@ladedu.comSubject: Category A Get the meds u need lgvkalfnqnhbbkDate: Sun, 16 Nov 2003 13:38:22 GMTX-Mailer: Internet Mail Service (5.5.2650.21)MIME-Version: 1.0Content-Type: multipart/alternative;  boundary="9B_9.._C_2EA.0DD_23"X-Priority: 3X-MSMail-Priority: Normal

  16. eMailTrackerPro

  17. Conclusions • Introduction • Email Headers Overview • Spam Examples • Email Tracer Tool: eMailTrackerPro • Conclusions

  18. Conclusions • Thank you for your time • Questions and feedback are welcome

  19. References • Spam Tracking Page • http://www.rahul.net/falk/ • Email Tracer Tutorial • http://www.visualware.com/resources/tutorials/email.html

More Related