[Dshield] Email Headers

Stephane Grobety security at admin.fulgan.com
Fri Jun 7 04:59:24 GMT 2002


Hello Wayne,

I've kept a list of the headers of your message so you can have an easy
look. The "Received" lines are added by the various SMTP relays the
messages have gone through (starting with your own SMTP server and
finishing with my own).

Now, ALL the other parts of the header could have been forged. Most
web-based mail will add their fingerprints in these headers (sometimes
including the submitting IP) but, most of the time, it is pretty
useless (many spamhouses use misconfigured proxies to do their dirty
work).

One easy thing you can do to quickly analyze a spam is submit it to
spamcop.net. They will usually give you a good analysis of where this
came from. As for Yahoo, I think they have got some arrangement with
them to quickly close the reported accounts.

Good luck,
Stephane

Friday, June 7, 2002, 3:54:26 AM, you wrote:

WB> Received: from iceman.giac.org ([12.33.247.3])
WB>         by mail.fulgan.com (Merak 4.4.2) with SMTP id MXA36598
WB>         for <security at admin.fulgan.com>; Fri, 07 Jun 2002 04:44:41 +0200
WB> Received: (qmail 6157 invoked from network); 7 Jun 2002 02:44:34 -0000
WB> Received: from unknown (HELO viper.incidents.org) (127.0.0.1)
WB>   by localhost with SMTP; 7 Jun 2002 02:44:34 -0000
WB> Received: from localhost.localdomain (viper [127.0.0.1])
WB>         by viper.incidents.org (8.11.6/8.11.6) with ESMTP id g572iHJ23629;
WB>         Thu, 6 Jun 2002 22:44:17 -0400
WB> Received: from sundown.giac.org (sundown [12.33.247.9])
WB>         by viper.incidents.org (8.11.6/8.11.6) with ESMTP id g571vcJ22729
WB>         for <list at viper.giac.org>; Thu, 6 Jun 2002 21:57:38 -0400
WB> Received: from sundown.giac.org (localhost.localdomain [127.0.0.1])
WB>         by sundown.giac.org (8.12.2/8.12.2) with ESMTP id g571sgkp009557
WB>         for <list at viper.giac.org>; Thu, 6 Jun 2002 21:54:42 -0400
WB> Received: (from dshield at localhost)
WB>         by sundown.giac.org (8.12.2/8.12.2/Submit) id g571sgYn009554
WB>         for list at viper.giac.org; Thu, 6 Jun 2002 21:54:42 -0400
WB> Received: from iceman.giac.org (iceman.giac.org [12.33.247.3])
WB>         by sundown.giac.org (8.12.2/8.12.2) with SMTP id g571sfkp009486
WB>         for <list at dshield.org>; Thu, 6 Jun 2002 21:54:41 -0400
WB> Received: (qmail 31392 invoked from network); 7 Jun 2002 01:54:41 -0000
WB> Received: from unknown (HELO smtp016.mail.yahoo.com) (127.0.0.1)
WB>   by localhost with SMTP; 7 Jun 2002 01:54:41 -0000
WB> Received: from ip-91-210.gst.pe.net (HELO den) (wbeckham at 64.38.91.210 with login)
WB>   by smtp.mail.vip.sc5.yahoo.com with SMTP; 7 Jun 2002 01:54:39 -0000
WB> From: "Wayne Beckham" <wbeckham at yahoo.com>
WB> To: <list at dshield.org>
WB> Message-ID: <001a01c20dc6$452714b0$d25b2640 at den>
WB> MIME-Version: 1.0
WB> X-Priority: 3 (Normal)
WB> X-MSMail-Priority: Normal
WB> X-Mailer: Microsoft Outlook, Build 10.0.3416
WB> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
WB> Importance: Normal
WB> X-Envelope-To: list at dshield.org
WB> Content-Disposition: inline
WB> Content-Type: text/plain
WB> Content-Transfer-Encoding: binary
WB> Subject: [Dshield] Email Headers
WB> Sender: list-admin at dshield.org
WB> Errors-To: list-admin at dshield.org
WB> X-BeenThere: list at dshield.org
WB> X-Mailman-Version: 2.0.8
WB> Precedence: bulk
WB> Reply-To: list at dshield.org
WB> List-Help: <mailto:list-request at dshield.org?subject=help>
WB> List-Post: <mailto:list at dshield.org>
WB> List-Subscribe: <http://www.dshield.org/mailman/listinfo/list>,
WB>         <mailto:list-request at dshield.org?subject=subscribe>
WB> List-Id: General DShield Discussion List <list.dshield.org>
WB> List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/list>,
WB>         <mailto:list-request at dshield.org?subject=unsubscribe>
WB> List-Archive: <http://www.dshield.org/pipermail/list/>
WB> Date: Thu, 6 Jun 2002 18:54:26 -0700

WB> Does anyone have a quick guide to how to tear apart e-mail headers to
WB> find the actual point of origin?  Specifically, we're getting a lot of
WB> spam-mail from web-based e-mail services, such as Yahoo, and I was
WB> wondering if there was any way to find out where they're really coming
WB> from.

WB> - Wayne


-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com