Deciphering Email Headers


One thing that most people will agree on - if you have an e-mail account, then you probably get "spam" (Unsolicited Commercial Email, or UCE, to give it its official title).

The first thing to realize is that you're not alone - there is a team of individuals at every ISP that is there specifically to police their own customers. Note that - their own customers, not anyone else's. These people enforce the Acceptable Usage Policy (AUP); they are often termed the "Abuse Team", for the simple reason that their email address is generally abuse@<ISP domain> (as laid down in RFC 2142).

The trick is in tracking down where an email originated. Fortunately, this is fairly straightforward.

Step 1 - Retrieving e-mail header information

I would advise against opening any email whose contents you don't know. There are websites recommending that you open the mail in order to get the header information. I would advise against this because the email could contain malicious code, and it is not worth the risk just to report a possible spammer.

So how do you get the header information? In Outlook, simply right-click on the e-mail whose header information you want and select "Options...".

Here is a typical header from an email:

Return-Path: <dl2zfiot@aol.com>
Received: from pcp03045459pcs.nrockv01.md.comcast.net
    (pcp03045459pcs.nrockv01.md.comcast.net [68.49.107.231])
    by mta05-svc.ntlworld.com
    (InterMail vM.4.01.03.37 201-229-121-137-20020806)
    with SMTP id
    <20030511155221@pcp03045459pcs.nrockv01.md.comcast.net>;
    Sun, 11 May 2003 16:52:21 +0100
Received: from pxlvx.cvp5tr.net
    ([195.216.10.200])
    by pcp03045459pcs.nrockv01.md.comcast.net
    with ESMTP id 61648259;
    Fri, 09 May 2003 23:48:32 -0100
Message-ID: <5-1hgn0rxz5992ia2utt-7xked9t@h33.a3>
From: "Wilfred Yarbrough" <dl2zfiot@aol.com>
To: ianle@ntlworld.com
Subject: Watch this Young Slut Getting a Facial! k dcpb tz
Date: Fri, 09 May 03 23:48:32 GMT


Step 2 - Identifying who really sent the e-mail

Let's start from the top - the "Return-Path" is supposed to be the originator of the spam, but that's extremely easy to fake. After all, this message was not received by "ianle" (incidentally, that wasn't the real e-mail address, but it wasn't the author's address either!).

It's far better to look at the SMTP servers instead - the "Received" headers. If you think of an e-mail as a postcard, these Received headers are the postmarks, showing each post office [SMTP server] that the message passed through.

So, the last server to receive this message was mta05-svc.ntlworld.com, which received it from a machine claiming to be pcp03045459pcs.nrockv01.md.comcast.net and residing at the internet address 68.49.107.231. The real address was confirmed by the receiving server, and the message was given the unique (if verbose!) ID shown on the "with SMTP id" line - a unique code, followed by the host that sent the message. Let's see if this is true or not.

Step 3 - Getting hold of the right tools, and knowing how to use them

You can use the Hackers Toolbox Whois (IP owner) option to enter the address (68.49.107.231) and see what you get:

Comcast Cable Communications, Inc. JUMPSTART-1 (NET-68-32-0-0-1)
68.32.0.0 - 68.63.255.255
Comcast Cable Communications, Inc. DC-3 (NET-68-48-0-0-1)
68.48.0.0 - 68.49.255.255

So, we see that the address really does belong to comcast.net. Let's try the next "postmark", 195.216.10.200:

inetnum: 195.216.10.192 - 195.216.10.207
netname: JLI 
descr: Jli Ltd
country: GB
admin-c: STAR3-RIPE
tech-c: STAR3-RIPE
status: ASSIGNED PA
mnt-by: AS6656-MNT
changed: dummyaddress-donotuse@star.net.uk 20001226
source: RIPE

route: 195.216.0.0/19 
descr: Star Internet Ltd
origin: AS6656

So, it's a genuine address, but doesn't match who it claimed to be. Hmm. How about the message ID? 

5-1hgn0rxz5992ia2utt-7xked9t@h33.a3

A quick glance at the "h33.a3" will tell you that this doesn't match either the claimed host name or any combination of JLI or Star Internet (the company's ISP). So, can we get any more information?

The answer is yes. Use the Reverse/Resolve Lookup option in the Hacker's Toolbox. So, what do we get if we perform a "name server lookup" on the mystery address?

C:\>nslookup 195.216.10.200
Server: cache1.ntli.net
Address: 194.168.4.100 

Name: support.kamino.co.uk
Address: 195.216.10.200

Thus we can see that this particular address is very much alive and well, and could have been looked up by the machine at comcast.net - and the name it resolves to is not the pxlvx.cvp5tr.net that the header claims. Which means that this header has been faked.
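The checks in Steps 2 and 3 can be automated. The Python script below is an added example, not code from the original article or from the Hackers Toolbox. It parses the "Received" postmarks of the sample headers (constructed here from the headers shown above, with the subject line omitted), confirms that each postmark's "by" server is the "from" host of the one above it, compares each announced hostname with a reverse-DNS table that stands in for a live lookup (the table entries mirror the comcast name recorded by ntlworld's server and the nslookup result above), and reports the last hop that can be trusted. The REVERSE_DNS table and the abuse_contact helper are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the headers quoted in the article, subject omitted.
# Continuation lines are indented as RFC 5322 header folding requires.
SAMPLE_HEADERS = """\
Return-Path: <dl2zfiot@aol.com>
Received: from pcp03045459pcs.nrockv01.md.comcast.net
  (pcp03045459pcs.nrockv01.md.comcast.net [68.49.107.231])
  by mta05-svc.ntlworld.com
  (InterMail vM.4.01.03.37 201-229-121-137-20020806)
  with SMTP id
  <20030511155221@pcp03045459pcs.nrockv01.md.comcast.net>;
  Sun, 11 May 2003 16:52:21 +0100
Received: from pxlvx.cvp5tr.net
  ([195.216.10.200])
  by pcp03045459pcs.nrockv01.md.comcast.net
  with ESMTP id 61648259;
  Fri, 09 May 2003 23:48:32 -0100
Message-ID: <5-1hgn0rxz5992ia2utt-7xked9t@h33.a3>
From: "Wilfred Yarbrough" <dl2zfiot@aol.com>
To: ianle@ntlworld.com
Subject: (omitted)
Date: Fri, 09 May 03 23:48:32 GMT

"""

# Constructed reverse-DNS table (assumption) so the example runs offline.
# It mirrors the lookups in the article: ntlworld's server recorded the
# comcast name for 68.49.107.231, and nslookup on 195.216.10.200 returned
# support.kamino.co.uk.
REVERSE_DNS = {
    "68.49.107.231": "pcp03045459pcs.nrockv01.md.comcast.net",
    "195.216.10.200": "support.kamino.co.uk",
}

HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"        # name the sending host announced (HELO)
    r"(?:\s+\((?P<seen>[^)]*)\))?"    # receiver's own view: rDNS name / [ip]
    r"\s+by\s+(?P<by>\S+)",           # the server that wrote this postmark
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Return the Received hops top-down (most recent postmark first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            continue
        seen = m.group("seen") or ""
        ip = IP_RE.search(seen)
        hops.append({
            "claimed": m.group("claimed").lower(),
            "ip": ip.group(1) if ip else None,
            "seen_name": IP_RE.sub("", seen).strip().lower() or None,
            "by": m.group("by").lower(),
        })
    return hops


def check_hop(hop, rdns=REVERSE_DNS):
    """Does the announced name agree with what the IP really resolves to?"""
    real = rdns.get(hop["ip"]) if hop["ip"] else None
    if real is None:
        return "unknown"
    return "verified" if real.lower() == hop["claimed"] else "faked"


def chain_is_linked(hops):
    """Each postmark's 'by' server should be the 'from' host of the one above."""
    return all(hops[i + 1]["by"] == hops[i]["claimed"]
               for i in range(len(hops) - 1))


def find_origin(hops, rdns=REVERSE_DNS):
    """Walk down from your own provider's postmark, which is trusted because
    your provider wrote it, and stop at the first hop that is unlinked or
    fails to verify. The [ip] of the last trusted hop is the real origin."""
    if not hops:
        return None
    origin = hops[0]
    for hop in hops[1:]:
        if hop["by"] != origin["claimed"] or check_hop(hop, rdns) != "verified":
            break
        origin = hop
    return origin


def abuse_contact(hostname):
    """RFC 2142 abuse mailbox, assuming a two-label registered domain such as
    comcast.net. Names under suffixes like co.uk need a public-suffix list."""
    return "abuse@" + ".".join(hostname.split(".")[-2:])


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for hop in hops:
        print(hop["claimed"], hop["ip"], check_hop(hop))
    origin = find_origin(hops)
    print("origin:", origin["ip"], "-> report to", abuse_contact(origin["claimed"]))
```

Run as written, the script marks the comcast hop as verified, the pxlvx.cvp5tr.net hop as faked, and names 68.49.107.231 (report to abuse@comcast.net) as the origin, which is the conclusion the article reaches by hand.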

Step 4 - Making a difference

So, we now know that the spam originated from comcast.net. If we hit their web site (http://www.comcast.net) we find a web-based form that we can fill in with details of the spam. Remember to include all headers in your report - they are required as proof by the AUP team.

So, what happens next?

Well, you may or may not receive an automated e-mail saying that your complaint has been received. The report will be investigated, and the AUP team should reach the same conclusion as yourself, given the same SMTP headers. What probably won't happen is that you ever hear from the AUP team again - these are busy people, and common courtesy can be a little way down the list of priorities!

What you will have achieved, however, is to either close an open e-mail "relay" that can be used by spammers, put someone on a "final warning", or have their account closed completely. Once that happens enough, maybe they'll go and get a "proper job".. who knows?



 

©2000-2004 by SurferBeware.com. All rights reserved.