Tracking the source of email spam by examining its header
Anh Nguyen, May 3rd, 2010

TRANSCRIPT

Page 1: Tracking the source of email spam by examining its header. Anh Nguyen, May 3rd, 2010

Tracking the source of email spam by examining its header

Anh Nguyen, May 3rd, 2010

Page 2

Organization

• Introduction
• Email Headers Overview
• Spam Examples
• Email Tracer Tool: eMailTrackerPro
• Conclusions

Page 4

Introduction

• Spammers usually forge their email's headers
• The headers can still be examined to identify the true source of the email, because every mail server the message passes through adds its own Received: line, and the lines added by servers you trust cannot be forged by the sender
• Assumption: the mail reader can display the full headers of the examined email

Page 6

Email Headers Overview

• From (no colon)
– First line in the headers
– Not actually part of the email header; inserted by the mail transfer software at delivery time
– Used by many Unix mailers to separate messages in a mailbox file
– Records the SMTP envelope sender as seen by the delivering system; it can be forged, but spammers do not always bother

• From:
– Who the message claims to be from
– The easiest line to forge: it is written by the sender's own software and no server along the way checks it

Page 7

Email Headers Overview (Cont.)

• Reply-To:
– The address to which replies are sent
– Easily forged
– Often provides a clue: a spammer who wants answers has to point it at a mailbox that is actually read

• Return-Path:
– The address to which return (bounce) mail is sent
– Written by the final receiving server from the SMTP envelope sender

• Sender:
– The account that actually sent the message, when it differs from the From: address
– Many mail programs do not insert this line

Page 8

Email Headers Overview (Cont.)

• Message-ID:
– Unique string assigned to the message by the mail system when the message is first created
– Forgeable, but forging it convincingly requires more knowledge than forging the From: line
– Often identifies the system where the sender is logged in
– Does not identify the system where the message originated
– Every mail program has its own string style
– Spam can be identified by comparing its Message-ID with those of legitimate messages from the same site: a Message-ID in the wrong style for the claimed site points to a forgery

Page 9

Email Headers Overview (Cont.)

• Received:
– The most important field for tracking
– Format:

• Received: from ? by ? via ? with ? id ? for ? ; date-time

– Lists every site (mail server) through which the message travelled before reaching the destination. Each server prepends its own line when it accepts the message, so the newest line is at the top.

– Lines are therefore read from bottom (oldest, closest to the origin) to top (newest, your own server).

– Only the lines written by servers you trust are reliable. Nothing stops a sender from putting fake Received: lines at the bottom before handing the message over, so work downwards from the top and stop trusting at the first line not written by a known server; the sending address recorded on the last trusted line is the furthest point that can be verified.

Page 10

Email Headers Overview (Cont.)

• Received: from foo.com by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
– foo.com is only the name the sending machine used to identify itself (its HELO greeting); bar.com checked nothing

• Received: from foo.com ([129.2.3.4]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
– bar.com inserted the IP address of the machine that actually connected. The IP and the claimed machine name can be compared to identify a forgery
– The IP itself can be sanity-checked (e.g. no component of the address can be greater than 255)

• Received: from foo.com (x.y.alterdial.uu.net [129.2.3.4]) by bar.com id AA15057; ...
– bar.com inserted both the IP and the actual (reverse-DNS) name of the sending machine; when that name differs from the claimed one, the sender lied in its greeting

Page 12

Spam Examples

Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40]) by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705 for <[email protected]>; Wed, 30 Jul 1997 01:15:27 -0600 (MDT)
From: [email protected]
Received: from cola.bekkoame.or.jp (ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21]) by cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439; Wed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by aol.com (8.8.5/8.6.5) with SMTP id GAA00075 for <"">; Tue, 29 Jul 1997 22:19:42 -0600 (EST)
Date: Tue, 29 Jul 97 22:19:42 EST
Subject: You can have what you want...
Message-ID: <[email protected]>
Reply-To: [email protected]
X-PMFLAGS: 56354433 0
Comments: Authenticated sender is <aol.com>
X-UIDL: vjg79u26gfkjjrty38jf983j309jfyrw

Reading the Received: lines from the bottom up:
– The bottom line claims the message left aol.com, but its address 244.218.07.32 lies in the reserved 240.0.0.0/4 block, the "for" field is empty, and "-0600 (EST)" contradicts itself (EST is -0500). No real server wrote this line.
– The middle line was written by cola.bekkoame.or.jp. The connecting machine announced itself as cola.bekkoame.or.jp, but the relay recorded its real name and address: a PSI dial-up host, ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21]. That dial-up host is as far back as the message can be traced; cola.bekkoame.or.jp relayed it.
– The top line, written by the recipient's own server srv.net, confirms the message arrived from cola.bekkoame.or.jp [202.231.192.40].

Page 13

Spam Examples (Cont.)

From [email protected] Wed Apr 2 21:13:04 1997
Received: from watagashi.zzzzzzzzzzz.zzz (watagashi.zzzzzzzzzzz.zzz [10.168.192.43]) by ccshst06.cs.uoguelph.ca with ESMTP (8.7.5/8.7.3) id OAA20088 for <[email protected]>; Wed, 2 Apr 1997 14:35:28 -0500 (EST)
From: [email protected]
Received: from zzzzzzzzzzz.zzz (Cust76.Max7.Los-Angeles.xx.xxxxx.xxx [10.168.73.204]) by watagashi.xxxxxxxxxxx.xxx (8.7.5+2.6W/3.5W) with SMTP id DAA06068; Thu, 3 Apr 1997 03:58:21 +0900 (JST)
Received: from mailhost.nowhere.com (alt1.nowhere.com (206.1.562.999)) by nowhere.com (8.8.5/8.6.5) with SMTP id GAA00597 for <[email protected]>; Wed, 02 Apr 1997 10:18:14 -0600 (EST)
To: [email protected]
Message-ID: <[email protected]>
Date: Wed, 02 Apr 97 10:18:14 EST
Subject: How To E-Mail Up To A Million Messages Per Hour--No Kidding
Reply-To: [email protected]
X-PMFLAGS: 34078848 0
X-UIDL: 3671313288a65eb1890m0762123a

(Host names and addresses on this slide were masked with x/z placeholders before presentation.)

Reading the Received: lines from the bottom up:
– The bottom line fails the simplest check: 206.1.562.999 has two components greater than 255, so it is not an IP address at all, and "-0600 (EST)" is again self-contradictory. It is forged.
– The middle line was written by the watagashi relay. The sender announced itself with the relay's own domain name, but the relay recorded a dial-up customer line in Los Angeles (Cust76.Max7.Los-Angeles...) as the real peer. That is the furthest traceable point.
– The top line, written by the recipient's server ccshst06.cs.uoguelph.ca, confirms delivery from the watagashi relay.
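
The checks the slides apply by hand (pages 9 to 13) can be scripted. The following is an added example written for this page, not the slide author's code and not eMailTrackerPro: it unfolds the headers, reads the Received: lines from the top down, stops trusting at the first line not written by one of our own servers, and flags the same warning signs as the two spam examples above: an address component above 255, an unroutable address, and a HELO name that does not match the name the receiving server recorded. The hostnames and addresses in the embedded sample are constructed (reserved example names and documentation addresses) to mirror the pattern of the slide examples; "victim.example" is the assumed name of our own mail domain.

```python
"""Walk the Received: chain of a message and flag hops that look forged.

Added example for this page (not the slide author's code, not eMailTrackerPro).
SAMPLE_HEADERS is constructed: example names and RFC 5737 addresses only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: our server (mx.victim.example) got the message from a
# relay, which got it from a dial-up host claiming the relay's own name; the
# bottom Received: line was never written by a real server (octet 562 > 255).
SAMPLE_HEADERS = """\
Received: from mail.relay.example (mail.relay.example [203.0.113.40])
\tby mx.victim.example (8.8.5/8.8.5) with ESMTP id BAA00705
\tfor <user@victim.example>; Wed, 30 Jul 1997 01:15:27 -0600 (MDT)
From: nobody@relay.example
Received: from mail.relay.example (dialup21.isp.example [198.51.100.21])
\tby mail.relay.example (8.8.5+2.7W/3.5W) with SMTP id OAA11439;
\tWed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.relay.example(alt1.relay.example(206.1.562.999))
\tby relay.example (8.8.5/8.6.5) with SMTP id GAA00075 for <"">;
\tTue, 29 Jul 1997 22:19:42 -0600 (EST)
Subject: You can have what you want...
"""

DOTTED_QUAD = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOSTNAME = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# "from <helo> (<what the receiver saw>) by <receiver> ...". The HELO token
# stops at whitespace or "(", so nested-parenthesis forgeries still parse.
RECEIVED = re.compile(
    r"^from\s+(?P<helo>[^\s(]+)\s*(?P<rest>.*?)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Hop:
    helo: str                # name the sending machine announced
    rdns: Optional[str]      # name the receiving server resolved for the peer
    ip_text: Optional[str]   # address the receiving server recorded, as written
    by: str                  # server that wrote this Received: line
    verified: bool = False   # True if written by a server we trust
    flags: List[str] = field(default_factory=list)


def unfold(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 822 folded lines; return (lower-case name, value) in header order."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:          # continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_ip(text: str) -> Optional[Tuple[int, ...]]:
    """Return the four octets, or None if any component is not in 0..255."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    return tuple(int(p) for p in parts)


def parse_received(value: str) -> Optional[Hop]:
    m = RECEIVED.match(value.strip())
    if not m:
        return None
    rest = m.group("rest")
    # Prefer the bracketed literal the receiver wrote; otherwise take the last
    # quad, since qmail-style "(HELO 1.2.3.4) (5.6.7.8)" puts the real peer last.
    bracketed = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", rest)
    quads = DOTTED_QUAD.findall(rest)
    ip_text = bracketed.group(1) if bracketed else (quads[-1] if quads else None)
    rdns = next((h for h in HOSTNAME.findall(rest) if not DOTTED_QUAD.fullmatch(h)), None)
    hop = Hop(m.group("helo"), rdns, ip_text, m.group("by").rstrip(";"))
    if ip_text is None:
        hop.flags.append("no-ip")              # only the unverified HELO name
    else:
        ip = parse_ip(ip_text)
        if ip is None:
            hop.flags.append("invalid-ip")     # e.g. 206.1.562.999
        elif ip[0] in (0, 127) or ip[0] >= 224:
            hop.flags.append("unroutable-ip")  # "this" net, loopback, multicast, 240/4
    if rdns and not DOTTED_QUAD.fullmatch(hop.helo) and hop.helo.lower() != rdns.lower():
        hop.flags.append("helo-rdns-mismatch")
    return hop


def is_trusted(host: str, trusted: Tuple[str, ...]) -> bool:
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def trace(raw: str, trusted: Tuple[str, ...]) -> Tuple[List[Hop], Optional[str]]:
    """Walk Received: lines top-down; trust ends at the first line not written by
    one of our servers. Returns all hops and the last verifiable sending IP."""
    hops = [h for n, v in unfold(raw) if n == "received" for h in [parse_received(v)] if h]
    origin: Optional[str] = None
    trusting = True
    for hop in hops:
        trusting = trusting and is_trusted(hop.by, trusted)
        hop.verified = trusting
        if trusting and hop.ip_text and "invalid-ip" not in hop.flags:
            origin = hop.ip_text
    return hops, origin


if __name__ == "__main__":
    hops, origin = trace(SAMPLE_HEADERS, ("victim.example",))
    for n, h in enumerate(hops, 1):
        print(f"{n}. by {h.by}: from {h.helo} rdns={h.rdns} ip={h.ip_text} "
              f"verified={h.verified} flags={h.flags}")
    print("last verifiable sending IP:", origin)
```

Run against the sample, the only verified hop is the top one, so the furthest address that can be proven is the relay's, 203.0.113.40. The relay's own line then names the dial-up host 198.51.100.21 with a HELO mismatch, which is worth reporting to the relay's operator but rests on trusting that relay, and the bottom line is rejected outright for its impossible address. The trust rule is the point of the exercise: a spammer can write any number of Received: lines below the genuine ones, so anything beneath the first unknown server is evidence, not proof.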

Page 15

eMailTrackerPro

Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [235.16.47.37] by 38.118.132.100 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600
Message-ID: <[email protected]>
From: "Reinaldo Gilliam" <[email protected]>
Reply-To: "Reinaldo Gilliam" <[email protected]>
To: [email protected]
Subject: Category A Get the meds u need lgvkalfnqnh bbk
Date: Sun, 16 Nov 2003 13:38:22 GMT
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="9B_9.._C_2EA.0DD_23"
X-Priority: 3
X-MSMail-Priority: Normal

What the headers show before any tool is run:
– The top line was written by the recipient's server, mail1.infinology.com. The sender announced itself as 38.118.132.100 in its HELO, but the server recorded the connection as actually coming from 62.105.106.207. That address is the furthest verifiable source.
– The bottom line claims 38.118.132.100 received the message from [235.16.47.37]; 235.x.x.x is in the 224.0.0.0/4 multicast range, which no host can use as a source address. The Date: header also gives the same clock time as GMT that this line gives as -0600. The line is forged.

Page 16

eMailTrackerPro (screenshot slide; image not included in the transcript)

Page 18

Conclusions

• Thank you for your time
• Questions and feedback are welcome

Page 19

References

• Spam Tracking Page: http://www.rahul.net/falk/
• Email Tracer Tutorial: http://www.visualware.com/resources/tutorials/email.html