[Dshield] Email Headers

KickerRick kickerrick at hottubforum.sytes.net
Fri Jun 7 03:33:18 GMT 2002


    Start here; http://www.samspade.org/ssw/ if you run Windows you can d/l
a program that parses headers simply by pasting the complete header into the
program.
        http://www.samspade.org/ and there is web-based access.
http://www.samspade.org/d/ has a pretty good reference library to help you
figure out what you're looking at.
    ALSO (hehe), go to news://admin.net-abuse.email and there's some good
people there to give more specific help.
    I used to make a hobby out of LARTing spammers (Luser's Attitude
Adjustment Tool, you'll see that used a lot in that group), but now I just
filter it into the trash where it belongs.
    BTW, nearly all the "Yahoo" and "Hotmail" Return-path info from spammers
is bogus.
    Take this nugget from my trash for example, this is as copied from the
Sam Spade program;

>06/06/02 20:09:56 Input
>The Received: headers are the important ones to read

>My comments are just hints, and should be considered only
>an opinion. I may have guessed wrong, or things may have
>changed since I was written

>Received: from cpimssmtpa31.msn.com ([10.48.181.170]) by
    cpimsstra21.email.msn.com with Microsoft
    SMTPSVC(5.0.2195.4905);  Thu, 6 Jun 2002 12:02:47 -0700
  This received header was added by your mailserver
  cpimsstra21.email.msn.com received this from someone claiming
  to be cpimssmtpa31.msn.com
  but really from 10.48.181.170(No rDNS)

    Notice the above inserted blackhole;
Netname: RESERVED-10
Netblock: 10.0.0.0 - 10.255.255.255
    Some spam proggies will toss something like that in to mess with your
head. Look past it.

"Received: from earthlink.net ([194.208.118.39]) by
    cpimssmtpa31.msn.com with Microsoft
    SMTPSVC(5.0.2195.4905);  Thu, 6 Jun 2002 12:02:00 -0700
  cpimssmtpa31.msn.com received this from someone claiming
  to be earthlink.net
  but really from 194.208.118.39(194-208-118-039.TELE.NET)
  All headers below may be forged"

    Now we're getting somewhere. It's obvious that the header above this one
was inserted (badly I might add), because this one links to the first header
at the top. Tele.net resolves to Germany, but is not Blackhole listed as an
open relay. Iffy, but probably came from there.

    What I like to do after running the header is see where the click-to
takes me via a secure browser. In this case, it led to
http://www.homebizshop.net/, which IMMEDIATELY in a secure browser attempts
this;
<SCRIPT LANGUAGE="JavaScript">
<!-- Begin
function leave() {
// the feature string must stay on one line: a literal broken across lines is a syntax error
window.open('opt-in-popup.htm','','toolbar=yes, status=no, scrollbars=yes, location=no, menubar=no, directories=no,height=500,width=500');
}
// End -->
</SCRIPT>

    Anyway, to make it short the METHOD="POST"
ACTION="http://128.121.187.72/cgi-local/yform.cgi"> is the giveaway. Comes
around to Verio, Inc, which was a spammer haven at one time. Don't know about
now.
    Best to just firewall their IPs and secure your SMTP server, which is a
huge pain in the ass, but there ya go.

Erick Brockway




----- Original Message -----
From: "Wayne Beckham" <wbeckham at yahoo.com>
To: <list at dshield.org>
Sent: Thursday, June 06, 2002 6:54 PM
Subject: [Dshield] Email Headers


> Does anyone have a quick guide to how to tear apart e-mail headers to
> find the actual point of origin?  Specifically, we're getting a lot of
> spam-mail from web-based e-mail services, such as Yahoo, and I was
> wondering if there was anyway to find out where they're really coming
> from.
>
> - Wayne
>
>
> [[ Attachement of type text/html deleted]]
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
>
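The walk-through above (set aside the hop with a non-routable 10.x address, then check that each Received: header's claimed sender is the host that the next hop says received it) as an added Python example; this is not code from the post or from Sam Spade. The sample headers are constructed from the two Received: lines quoted in the post, the From: address is a placeholder, and the "trust the top header, stop at the first broken link" rule is an assumption of the example.

```python
import ipaddress
import re

# Constructed sample, modelled on the two Received: lines quoted in the post
# (same hosts and addresses); the From: line is a placeholder.
SAMPLE = """Received: from cpimssmtpa31.msn.com ([10.48.181.170]) by
    cpimsstra21.email.msn.com with Microsoft
    SMTPSVC(5.0.2195.4905);  Thu, 6 Jun 2002 12:02:47 -0700
Received: from earthlink.net ([194.208.118.39]) by
    cpimssmtpa31.msn.com with Microsoft
    SMTPSVC(5.0.2195.4905);  Thu, 6 Jun 2002 12:02:00 -0700
From: placeholder@example.invalid
"""

RECEIVED_RE = re.compile(r"^Received:\s*from\s+(\S+)\s*\(\[?([0-9.]+)\]?\)\s*by\s+(\S+)", re.I)

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def parse_received(raw):
    """Return hops top-down (newest first): claimed HELO name, connecting IP, receiving host."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({"claimed": m.group(1), "ip": m.group(2), "by": m.group(3).lower()})
    return hops

def analyze(raw):
    """Walk the chain from the top; each hop's claimed sender should be the next hop's 'by' host."""
    hops, findings, origin = parse_received(raw), [], None
    for i, hop in enumerate(hops):
        if ipaddress.ip_address(hop["ip"]).is_global:
            origin = hop["ip"]  # recorded by a hop we still trust, so the best candidate so far
        else:
            findings.append((i, "non-routable address: internal relay or planted header, not the origin"))
        if i + 1 < len(hops) and hops[i + 1]["by"] != hop["claimed"].lower():
            findings.append((i, "chain break below this hop: headers beneath it may be forged"))
            break
    return hops, findings, origin
```

For the sample this yields 194.208.118.39 as the origin candidate, matching the post's reading, and flags the 10.48.181.170 hop; a header whose claimed sender does not match the next hop's receiving host stops the walk there.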