How To Find Where E-mail REALLY Came From
I've had a lot of people contact me lately, telling me that I or someone in our office had sent them an e-mail with a virus, or a spam message. What most people don't realize is that it is a very simple thing for a person (or a virus) to put any address at all in the From or Reply-To line of outgoing e-mail; the mail servers along the way copy those lines through without checking them.
We've all heard of the viruses out there that e-mail everyone in your address book. What many don't know is that some of these also pick one of the addresses they found in the address book and put it in as the sender (the From or Reply-To line). Therefore, if I were to catch one of these viruses, the e-mail sent out from my computer could show the address of any one of the 210 people in my address book as its sender, and the complaints would go to that person instead of to me.
For more information on the Klez virus and the capabilities of its variants, please refer to http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@mm.html. This is a page on Symantec's Security Response web site that contains information on the Klez virus. I encourage you to read the "Technical Details" section, specifically the part on "E-mail Spoofing." That section is applicable to most viruses nowadays.
When it comes to spammers, there are a variety of ways they select a return address. The "kinder" spammers put in an invalid address, so that any nasty or automated reply simply bounces and lands in nobody's mailbox. The nastier ones pull a valid e-mail address from one of their mailing lists and use that as the return address. The net result is that when people get upset, or an automated system flags the message as spam and sends a reply, the reply ends up in some poor, unsuspecting person's mailbox, sometimes flooding it with hate mail.
We've been the victim of BOTH of these types of misdirection recently, and it's bound to continue simply because of the number of address books our e-mail addresses are in. This article is intended to give you a basic understanding of what you need to do to determine whether that offending e-mail message really came from us or not. If it did, by all means, let me know! If we've got a virus, or a spammer has figured out a new way to use our mail server for distributing his message, you can bet I want to know so I can stop it! Following is a sample Internet mail header, taken from a real message that was sent with a virus attached. Ironically, the From line of this message had MY e-mail address in it (is sending yourself e-mail as bad as talking to yourself?). This header information was obtained from Outlook 2002 by opening the message (you have to open it; this can't be done from the preview pane) and selecting the Options item under the View menu.
You can see in the From line that my e-mail address is showing. The lines that can't be faked so easily are the Received lines. Each mail server that handles a message adds its own Received line to the TOP of the header, so you read them from the bottom up to follow the message's path. The lower of the two Received lines is the first hop: the pintail.mail.pas.earthlink.net mail server accepted the message from a computer at the address 67.241.15.58 (the actual virus-infected computer). The name in front of that address, 1cust58.tnt1.corydon.in.da.uu.net, is what reverse DNS returned for it (a dial-up customer line), and the helo=Epzpo part is the name the computer announced itself with, which is obviously not a real mail server name. The address in square brackets is the one thing the sending computer doesn't get to choose; everything else in the line it could influence. A sender can even insert bogus Received lines of its own underneath the genuine ones, but it can't alter the lines added by servers it doesn't control, so trust the lines from the top down only as far as the last server you recognize. If the e-mail had been sent from our e-mail server, the bottom Received line would show the message leaving a bxcleve.com server. Instead, the only place bxcleve.com appears is in the top Received line (the final transfer), where it was received by nts4.bxcleve.com, our own mail server, at the end of its trip. While the server name (nts4) might change in the future, the domain (bxcleve.com) probably won't.
Another, and perhaps easier, way to tell what the originating server was is to look at the Message-ID line. This won't tell you anything about the specific computer the message was sent from, but you'll notice that the originating server is shown there as well: the ID was generated by pintail.mail.pas.earthlink.net when it accepted the message (the 17Sim7-0004DF-00 part is the same Exim id that appears in the lower Received line). Keep in mind that a mail program can supply its own Message-ID, so this is a hint rather than proof; the Received lines are the real evidence.
The Return-Path line is where bounces for the message are sent. It holds the "envelope" sender address that the sending computer gave our server during the SMTP conversation, and our server wrote it into the header on delivery. It is just as easy to fake as the From or Reply-To line, since the sender simply types it in, so it's another clue rather than proof. In this case it holds an unrelated earthlink.net address, very likely one more victim pulled from the infected computer's address book, and that is where any bounce of this virus message would have gone.
Microsoft Mail Internet Headers Version 2.0
Received: from pintail.mail.pas.earthlink.net ([207.217.120.122]) by
nts4.bxcleve.com with Microsoft SMTPSVC(5.0.2195.2966); Thu, 11 Jul 2002
14:35:29 -0400
Received: from 1cust58.tnt1.corydon.in.da.uu.net ([67.241.15.58] helo=Epzpo)
by pintail.mail.pas.earthlink.net with smtp (Exim 3.33 #1) id
17Sim7-0004DF-00 for jfciii@bxcleve.com; Thu, 11 Jul 2002 11:34:48 -0700
From: "jfciii" <jfciii@bxcleve.com>
X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
To: <jfciii@bxcleve.com>
Subject: A special new game
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="O1Sn49J0xjpC9xjj7V8X5f3MO4"
Message-ID: <E17Sim7-0004DF-00@pintail.mail.pas.earthlink.net>
Date: Thu, 11 Jul 2002 11:34:48 -0700
Return-Path: <wdthorpe@earthlink.net>
X-OriginalArrivalTime: 11 Jul 2002 18:35:29.0833 (UTC) FILETIME=[BB94C990:01C22909]
--O1Sn49J0xjpC9xjj7V8X5f3MO4
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
--O1Sn49J0xjpC9xjj7V8X5f3MO4
Content-Description: Quarantined Attachment Report
Content-Type: text/plain;
name="Quarantined Attachment.txt"
Content-Transfer-Encoding: quoted-printable
Content-ID: <B1sX1sCQ>
--O1Sn49J0xjpC9xjj7V8X5f3MO4
Content-Type: application/octet-stream;
name="NewProjects[1].htm"
Content-Transfer-Encoding: base64
Content-ID: <B1sX1sCQ>
--O1Sn49J0xjpC9xjj7V8X5f3MO4--
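Here is an added example of doing the same reading automatically. It is written for this article and is not the author's code or any tool the page mentions. The Python script below parses a header block like the one above (a constructed copy of it, with the continuation lines indented the way a mail client folds them, is embedded as SAMPLE), lists the Received hops from first to last, pulls out the From, Reply-To, Return-Path and Message-ID lines discussed above, and applies the article's test: does the domain in the From line appear anywhere in the first hop? The field names and the from_domain_at_origin heuristic are my own choices, not anything from the page.

```python
"""Trace an e-mail's relay path from its Received: headers.

Added example for this article, not the author's code or a tool the page
mentions. It reads a raw message, lists the hops in the order the message
actually travelled (Received: lines are prepended, so the bottom one is the
first hop), and pulls out the sender lines the article discusses.
"""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, modelled on the header in the article. Continuation
# lines are indented, as a mail client folds them; the article's dump lost
# that indentation when it was pasted.
SAMPLE = """\
Received: from pintail.mail.pas.earthlink.net ([207.217.120.122]) by
 nts4.bxcleve.com with Microsoft SMTPSVC(5.0.2195.2966); Thu, 11 Jul 2002
 14:35:29 -0400
Received: from 1cust58.tnt1.corydon.in.da.uu.net ([67.241.15.58] helo=Epzpo)
 by pintail.mail.pas.earthlink.net with smtp (Exim 3.33 #1) id
 17Sim7-0004DF-00 for jfciii@bxcleve.com; Thu, 11 Jul 2002 11:34:48 -0700
From: "jfciii" <jfciii@bxcleve.com>
To: <jfciii@bxcleve.com>
Subject: A special new game
Message-ID: <E17Sim7-0004DF-00@pintail.mail.pas.earthlink.net>
Date: Thu, 11 Jul 2002 11:34:48 -0700
Return-Path: <wdthorpe@earthlink.net>

body omitted
"""

# "from NAME ([IP] helo=X ...) by SERVER": NAME is what reverse DNS returned
# and X is what the client announced, both under the sender's influence; the
# bracketed IP is the connecting address the receiving server itself saw.
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s*\(\[(?P<ip>[\d.]+)\]"
    r"(?:\s+helo=(?P<helo>[^\s)]+))?[^)]*\)\s*by\s+(?P<by>\S+)"
)


def trace_hops(raw):
    """Return the hops in chronological order (earliest relay first)."""
    msg = email.message_from_string(raw)
    hops = []
    # get_all returns them top-down, i.e. last relay first; reverse that.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        m = HOP_RE.search(flat)
        if not m:
            continue  # e.g. a local-delivery line with no "from ... by"
        when = None
        if ";" in flat:  # the timestamp follows the last semicolon
            try:
                when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hops.append({"claimed": m["claimed"], "helo": m["helo"],
                     "ip": m["ip"], "by": m["by"], "when": when})
    return hops


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_domain(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def sender_summary(raw):
    """Collect the forgeable sender lines and compare them with the first hop."""
    msg = email.message_from_string(raw)
    hops = trace_hops(raw)
    first = hops[0] if hops else None
    from_addr = parseaddr(msg.get("From", ""))[1]
    msgid_host = msg.get("Message-ID", "").strip("<> ").rsplit("@", 1)[-1]
    from_dom = domain_of(from_addr)
    # The article's test: mail really sent through the From domain's server
    # would show that domain at the earliest hop. A heuristic, not proof.
    from_domain_at_origin = bool(first and from_dom and (
        in_domain(first["by"], from_dom) or in_domain(first["claimed"], from_dom)))
    return {
        "from": from_addr,
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "origin_relay": first["by"] if first else "",
        "origin_ip": first["ip"] if first else "",
        "message_id_host": msgid_host,
        "message_id_matches_origin": bool(first) and msgid_host.lower() == first["by"].lower(),
        "from_domain_at_origin": from_domain_at_origin,
    }


if __name__ == "__main__":
    for i, h in enumerate(trace_hops(SAMPLE), 1):
        print(f"hop {i}: {h['claimed']} [{h['ip']}] -> {h['by']} at {h['when']}")
    for key, val in sender_summary(SAMPLE).items():
        print(f"{key}: {val}")
```

Run it on a message saved as plain text (in Outlook, paste the header text into a file) instead of SAMPLE. The two things worth looking at in the output are the origin_ip, which the sending computer could not choose, and the from_domain_at_origin flag, which is False for the sample because nothing in the first hop belongs to bxcleve.com.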
OK, now you've got all this information and you want to know what you can do about it. The short version is, not much. In a case like this, you can always report the matter to the ISP. There's no guarantee that the ISP will do anything about it; it depends on the individual ISP's policy on matters such as this. However, if they get enough complaints about a specific user, most ISPs will eventually do something.
The ISP can generally be determined by the last two sections of the mail server's domain name (the last three under country-code domains such as .co.uk). In the example above, the ISP's domain name is earthlink.net (PLEASE NOTE: This is just a sample message, chosen at random. We do not intend to imply from this article that Earthlink is a bad ISP or anything of the sort). The more reliable way is to look up who owns the IP address in square brackets in the lowest Received line (67.241.15.58 here), since the name next to it could be anything, and the dial-up network the infected computer connected through may not be the same company as the first mail server; notice that the reverse name here ends in uu.net, not earthlink.net. Now that you have this information, you can either go to the standard "www.<domain name>" web site and look for contact information, write to the abuse@<domain name> mailbox, which is the standard address for this kind of report, or do a WhoIs lookup such as the one at http://www.netsol.com/cgi-bin/whois/whois to find more information about them. Getting into this in detail goes beyond the scope of this article, but any good network administrator/consultant can help you track this information down.
Generally speaking, I wouldn't recommend going through
all of this to try to track down and nail every spammer and virus infected
individual who ever sends you an e-mail. However, if you're getting a lot
of mail that seems to originate from a specific place, or you just want to
check some messages to see if they're coming from a specific place, this
information gives you what you need to get started tracking it down.
Incidentally, I would like to point out that the
particular message that was used in this article was chosen at random. It
is not meant to imply that Earthlink supports, condones or even tolerates
spam. I could easily have picked a message from any of thousands of
different ISPs for this example.