There are a lot of ways that spammers insert email into your mailbox. Spammers will try everything possible to hide their identity, but there are usually ways to find out where a message really came from. I'll show you how to examine two kinds of spam here: spam sent using traditional methods (mail servers), and spam sent using hijacked web servers.
Example 1
Consider for a moment this email:
Return-Path: <640550AgeReversal010@hotmail.com>
Received: from mail.cscl.lk (UNKNOWN [203.94.67.162]) by
    www.dzm.com (Netscape Messaging Server 4.15) with ESMTP id
    GQ2YUW00.E00 for ; Thu, 17 Jan 2002 03:35:20 -0800
Received: from 25646.com (INTERNET-SERV [203.162.12.170]) by
    mail.cscl.lk with SMTP (Microsoft Exchange Internet Mail Service Version
    5.5.2448.0) id C0PHHDBF; Thu, 17 Jan 2002 17:34:55 +0530
From: 2851980AgeReversal010@hotmail.com
Reply-To: AgeReversalNow1@hotmail.com
To: ra36@akronet.com
Content-Type: text/plain; charset=us-ascii
Subject: 7840 === Have You Heard of Age Reversal With HGH? === 5198028
Date: Thu, 17 Jan 2002 02:28:51
Mime-Version: 1.0
Message-ID:

Can Aging Be Reversed? Now with the discovery of HGH (orginally 1950's), Age Reversal is proven and documented to work.
http://www.spammersite.com/
Most of this information is useless, or at least of no real value in determining where the spam came from. So what should you be looking for? The first step is to examine the "Received" headers. Each mail server that handles the message between the "point of insertion" and you adds one of these headers, and each server puts its entry above the entries already there, so the headers are read from the bottom up:
Received: from mail.cscl.lk (UNKNOWN [203.94.67.162]) by
    www.dzm.com (Netscape Messaging Server 4.15) with ESMTP id
    GQ2YUW00.E00 for ; Thu, 17 Jan 2002 03:35:20 -0800
Received: from 25646.com (INTERNET-SERV [203.162.12.170]) by
    mail.cscl.lk with SMTP (Microsoft Exchange Internet Mail Service Version
    5.5.2448.0) id C0PHHDBF; Thu, 17 Jan 2002 17:34:55 +0530
Let's pull apart the bottom entry. "from 25646.com" will generally not be useful. This name is supplied by the sending machine when it begins transferring the mail (it is the argument of the SMTP command "HELO 25646.com") and the receiving server does not verify it, so it is not a valid way to track the source. "(INTERNET-SERV [203.162.12.170])" is more interesting. This is inserted by the receiving mail server when the message arrives: it is the IP address of the computer that connected to deliver the message, plus the DNS name that the mail server believes the IP maps to. The DNS name can easily be wrong, but the IP address is very difficult for the spammer to fake, because the SMTP session ran over a TCP connection from that address. In this case 203.162.12.170 is very likely the computer the spam was sent from. Dropping this IP address into the "IP Whois" field at http://www.samspade.org/ (the whois command gives the same answer) shows that it is assigned to the "National Center for Hydrometeorological Forecacsting[sic]" in Hanoi, Vietnam. (A message should be sent to the technical contact expressing your displeasure at spam coming from their network.) The message was then received by a mail server called mail.cscl.lk. A quick lookup at samspade.org shows that this is owned by "Ceylon Shipping Corporation Limited" and that the IP address apparently lives in Sri Lanka. (Email should be sent to Ceylon Shipping and to Sri Lanka Telecom expressing dismay at their insecure mail server: it accepted mail from an outside host and forwarded it to a third party, which is exactly what an open relay does.) The rest of the line gives the time the message was received, the receiving mail server software (including version), and so on.
The second (top) Received line simply records the transfer of the message from the Ceylon Shipping Corporation's server to my mail server.
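The bottom-up walk just described, written out as a script. This is an added example, not code from the original page; it parses the two Received header formats that appear on this page (a normal SMTP receipt with "from HELO (rDNS [IP]) by SERVER", and the "(from user@localhost) by SERVER" form that sendmail writes for a message handed to it locally, which Example 2 below shows), reports the IP recorded by the earliest server as the point of injection, and checks that each server's "by" name is what the next server saw in HELO, since a break there marks where forged lines begin. The two sample messages are constructed from the headers quoted on this page with the bodies shortened.

```python
"""Walk a message's Received: chain from the bottom (earliest hop) up and
report the point of injection.  Added example; the regexes cover the two
header formats seen on this page (SMTP receipt, sendmail local submission)."""
import re
from email import message_from_string

# "from HELO (rDNS [IP]) by RECEIVER ..." as written by a server that accepted the message over SMTP.
SMTP_HOP = re.compile(
    r"^from\s+(?P<helo>\S+)"                                    # name the client announced in HELO (unverified)
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"  # rDNS name and peer IP recorded by the receiver
    r".*?\bby\s+(?P<by>\S+)"                                    # the receiver's own name
)
# "(from user@localhost) by HOST ..." as sendmail writes it for a message handed to it by a local process.
LOCAL_HOP = re.compile(r"^\(from\s+(?P<user>[^)]+)\)\s+by\s+(?P<by>\S+)")


def parse_received(value):
    """Parse one Received: value into a dict; None if the format is not one we know."""
    text = " ".join(value.split())  # unfold continuation lines
    m = LOCAL_HOP.match(text)
    if m:
        return {"helo": None, "rdns": None, "ip": None,
                "by": m.group("by"), "local_user": m.group("user")}
    m = SMTP_HOP.match(text)
    if not m:
        return None
    hop = m.groupdict()
    hop["local_user"] = None
    return hop


def trace(raw_message):
    """Return the hops in delivery order (earliest first) and where the message entered the mail system."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # each server prepends its line, so the bottom one is the earliest
    # A real relay names itself in "by", and the next relay records that same name as the
    # HELO it saw.  A mismatch means the lines below it were not written by a relay on this
    # path (most likely typed in by the sender); only the lines above it are reliable.
    consistent = all(
        earlier["by"].lower() == later["helo"].lower()
        for earlier, later in zip(hops, hops[1:])
        if earlier and later and later["helo"]
    )
    first = hops[0] if hops else None
    return {
        "hops": hops,
        "chain_consistent": consistent,
        # The peer IP is what the receiving server saw on the TCP connection; HELO and rDNS are not evidence.
        "origin_ip": first["ip"] if first else None,
        # Set when the earliest hop was a local hand-off: no SMTP peer, hence no IP to trace.
        "local_submission": first["local_user"] if first else None,
    }


# Constructed from the Example 1 headers above (body shortened).
SAMPLE_RELAYED = """\
Return-Path: <640550AgeReversal010@hotmail.com>
Received: from mail.cscl.lk (UNKNOWN [203.94.67.162]) by
 www.dzm.com (Netscape Messaging Server 4.15) with ESMTP id
 GQ2YUW00.E00 for ; Thu, 17 Jan 2002 03:35:20 -0800
Received: from 25646.com (INTERNET-SERV [203.162.12.170]) by
 mail.cscl.lk with SMTP (Microsoft Exchange Internet Mail Service Version
 5.5.2448.0) id C0PHHDBF; Thu, 17 Jan 2002 17:34:55 +0530
From: 2851980AgeReversal010@hotmail.com
Reply-To: AgeReversalNow1@hotmail.com
To: ra36@akronet.com
Subject: 7840 === Have You Heard of Age Reversal With HGH? === 5198028

Can Aging Be Reversed?
"""

# Constructed from the Example 2 headers further down (recipient list shortened).
SAMPLE_LOCAL = """\
Return-Path: <nobody@www.farmgate-showcase.co.uk>
Received: from www.farmgate-showcase.co.uk (www.acpoexpo.co.uk
 [193.41.97.52]) by www.dzm.com (Netscape Messaging Server 4.15)
 with ESMTP id GLT55X00.T00 for <Radar067724939@dzm.com>; Fri, 26
 Oct 2001 03:01:09 -0700
Received: (from nobody@localhost) by www.farmgate-showcase.co.uk (8.11.0/8.11.0)
 id f9QA0a627243; Fri, 26 Oct 2001 11:00:36 +0100
To: Radar067724939@dzm.com
From: Radar067724939@dzm.com ()
Subject: ?? r62522

Below is the result of your feedback form.
"""

if __name__ == "__main__":
    for name, sample in (("relayed", SAMPLE_RELAYED), ("local", SAMPLE_LOCAL)):
        result = trace(sample)
        print(name, "origin IP:", result["origin_ip"],
              "local submission:", result["local_submission"],
              "chain consistent:", result["chain_consistent"])
        for hop in result["hops"]:
            print("   ", hop)
```

For the first sample the script reports 203.162.12.170 as the origin and a consistent chain; for the second it reports no origin IP and a local submission by nobody@localhost, which is the signature discussed in Example 2. If a spammer pastes an extra Received line into the message before sending, it lands at the bottom and the script will happily report its IP as the origin; the chain check is what tells you to distrust it, and the lines written by your own server (at the top) remain the only ones you can be sure of.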
By examining these "Received" headers we have learned where the spam came from as well as the path it traveled to reach my mailbox. One caveat: a spammer can type fake Received lines into the message before sending it, and those will appear below the genuine ones. The lines added by servers you trust (starting with your own, at the top) are reliable; if a line's "by" name does not match the "from" name in the line above it, treat everything from that line down as suspect. I can now happily send email to abuse@cscl.lk, abuse@hn.vnn.vn, and met-int@hn.vnn.vn reporting the abuse of their systems. When I send this email I'll include the full headers I've examined so that they can perform the same checks we just did. If I'm feeling particularly slighted I'll also send email to abuse@hotmail.com to report that their service is being used as a collector for replies to the spam (the Reply-To address), and I'll determine who owns the site advertised in the body (spammersite.com) using SamSpade so that I can report them to their provider.
Example 2
In some cases spammers go to great lengths to hide their identities. Often these are pornographic in nature or are small operators (i.e. individuals attempting to earn "rewards" for referrals to a service, etc.). Often these spams exploit security holes that make their messages even more difficult to trace. Consider for a moment this email:
Return-Path: <nobody@www.farmgate-showcase.co.uk>
Received: from www.farmgate-showcase.co.uk (www.acpoexpo.co.uk
    [193.41.97.52]) by www.dzm.com (Netscape Messaging Server 4.15)
    with ESMTP id GLT55X00.T00 for <Radar067724939@dzm.com>; Fri, 26
    Oct 2001 03:01:09 -0700
Received: (from nobody@localhost) by www.farmgate-showcase.co.uk (8.11.0/8.11.0)
    id f9QA0a627243; Fri, 26 Oct 2001 11:00:36 +0100
Date: Fri, 26 Oct 2001 11:00:36 +0100
Message-Id: <200110261000.f9QA0a627243@www.farmgate-showcase.co.uk>
To: robtfields@bogus.com, lavinp@bogus.com, geraldm@bogus.com,
    bran426@bogus.com, lgan_and_vath@bogus.com, s_takamura@bogus.com,
    schoee7@bogus.com, saxultra@bogus.com, omni@bogus.net, vps@bogus.net,
    Radar067724939@dzm.com
From: Radar067724939@dzm.com ()
Subject: ?? r62522

Below is the result of your feedback form. It was submitted by
(Radar067724939@dzm.com) on Friday, October 26, 2001 at 11:00:36
---------------------------------------------------------------------------
message: <pre><html>hey, wanna see pictures of me and my sexy friends?
then check out my site @ http://smuthut.persik.ru/ 2<BR><BR><BR>t3i6a
---------------------------------------------------------------------------
A quick examination of the message shows several things. The spammer doesn't know the first thing about how HTML, browsers, and email work: there is no Content-Type header, so the message is plain text and the "<pre><html>" and "<BR>" tags are displayed literally rather than rendered. It also shows that the spammer has probably used a security hole on somebody's web server to send spam in a more-or-less untraceable way. Let's take a look at the Received lines:
Received: from www.farmgate-showcase.co.uk (www.acpoexpo.co.uk
    [193.41.97.52]) by www.dzm.com (Netscape Messaging Server 4.15)
    with ESMTP id GLT55X00.T00 for <Radar067724939@dzm.com>; Fri, 26
    Oct 2001 03:01:09 -0700
Received: (from nobody@localhost) by www.farmgate-showcase.co.uk (8.11.0/8.11.0)
    id f9QA0a627243; Fri, 26 Oct 2001 11:00:36 +0100
The first clearly broken thing is the bottom (earliest) Received line. It says the message came from nobody@localhost and was received by a machine called "www.farmgate-showcase.co.uk" (we'll call this "www" from now on). Notice that there is no "from hostname [IP address]" in it at all: this is what sendmail (the "8.11.0/8.11.0" in the line is its version) writes when a message is handed to it by a process on the same machine rather than over an SMTP connection. In other words, the mail server on "www" received the message from itself, and the local user that submitted it was "nobody", the unprivileged account web servers typically run their programs under. How is this possible if "www" didn't really create the spam? Web servers are able to run programs to extend their features. In this case a program on the web server, a feedback form that mails whatever is submitted to it (the "Below is the result of your feedback form" text in the body is its output), was fed the spam by the spammer and mailed it to the addresses the spammer supplied in the form. The long To: list and the From: line are the form program's doing, not a mail server's, and the spammer's own IP address never made it into the mail headers.
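Here is what such a form-to-mail program looks like, and how to fix it, as an added example that is not code from the original page or from the abused site (the page does not say what the real program on "www" was). The handler shape, the field names (recipient, email, message), the allow-list and every address in it are my assumptions; the body text mimics the "Below is the result of your feedback form" output quoted above. Handing the finished message to the local mail program is left out so that the example runs offline.

```python
"""A web feedback-form mailer: the insecure shape that lets a submitter choose
the recipients, beside a hardened version.  Added example; field names,
addresses and the allow-list are assumed, not taken from the page."""
import re
from email.message import Message

SITE_FROM = "form@example.co.uk"                  # assumed: fixed, site-owned sender
ALLOWED_RECIPIENTS = {"webmaster@example.co.uk"}  # assumed: the only addresses the form may mail
SINGLE_ADDRESS = re.compile(r"[^@\s,;<>()]+@[^@\s,;<>()]+")  # one bare address, nothing else


def _render_body(form):
    # Mirrors the "Below is the result of your feedback form" text seen in Example 2.
    return ("Below is the result of your feedback form. It was submitted by\n"
            f"({form.get('email', '')})\n\nmessage: {form.get('message', '')}\n")


def build_mail_unsafe(form):
    """Insecure: To, From and Subject are copied from the submission.  Anyone can
    POST a recipient list of their choosing and the web server's MTA delivers it,
    recording only "(from nobody@localhost)" in the Received: header."""
    msg = Message()
    msg["To"] = form.get("recipient", "")      # attacker-controlled
    msg["From"] = form.get("email", "")        # attacker-controlled
    msg["Subject"] = form.get("subject", "")   # attacker-controlled
    msg.set_payload(_render_body(form))
    return msg


class RejectedSubmission(ValueError):
    """Raised when a submission must not be turned into mail."""


def build_mail_safe(form):
    """Hardened: destination from a fixed allow-list, site-owned From:, the
    submitter's address only as Reply-To, and no CR/LF in any field (a newline
    in a header value would let the submitter append headers such as Bcc:)."""
    for key, value in form.items():
        if "\r" in value or "\n" in value:
            raise RejectedSubmission(f"line break in field {key!r}")
    recipient = form.get("recipient", "")
    if recipient not in ALLOWED_RECIPIENTS:
        raise RejectedSubmission(f"recipient not permitted: {recipient!r}")
    reply_to = form.get("email", "")
    if reply_to and not SINGLE_ADDRESS.fullmatch(reply_to):
        raise RejectedSubmission(f"malformed submitter address: {reply_to!r}")
    msg = Message()
    msg["To"] = recipient
    msg["From"] = SITE_FROM
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Subject"] = "Feedback form"           # fixed, so the subject cannot be used as spam bait
    msg.set_payload(_render_body(form))
    return msg


def accepted(form):
    """True if the hardened handler would mail this submission."""
    try:
        build_mail_safe(form)
        return True
    except RejectedSubmission:
        return False


if __name__ == "__main__":
    # Constructed submission in the style of Example 2: many recipients, the victim's own address as sender.
    spam = {"recipient": "robtfields@bogus.com, lavinp@bogus.com, Radar067724939@dzm.com",
            "email": "Radar067724939@dzm.com",
            "message": "hey, wanna see pictures of me and my sexy friends?"}
    print("unsafe handler would mail to:", build_mail_unsafe(spam)["To"])
    print("hardened handler accepts it:", accepted(spam))
```

The unsafe version reproduces the symptom in Example 2: To: and From: are whatever the submitter typed, and the server's own mail program signs the message off as user "nobody". The hardened version fixes the destination to an allow-list the site controls, uses a site-owned From: so the submitter's address only ever appears as Reply-To, and refuses line breaks in every field, since one newline in a header value is enough to append a Bcc: header of the submitter's choosing.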
The path from "www" to my server is genuine, but the step that matters, the web request that fed the form, is not recorded in the mail headers at all. The only place the submitter's IP address would appear is the web server's own access log, which only the owners of "www" can read. So who should we complain to? We can use SamSpade to learn who is behind the site being promoted (smuthut.persik.ru) and complain to their ISP. We should also send a message to the owners of "farmgate-showcase.co.uk" to make them aware of the way their system is being abused, so that they can check that log and fix or remove the form.