[Dshield] Email Headers

ALEPH0 aleph0 at pacbell.net
Fri Jun 7 14:28:28 GMT 2002


A lot of the freemail originator spam uses open relays, that will still
reveal the source of the mail as they do build a Received rfc822 header.
However, the spammers will also often construct a fake history of Received
headers that they send to throw off the less experienced or less attentive
admins.

Just follow the headers like a roadmap.  I find manually doing these is
really the best way.  The fake ones should become apparent pretty quickly as
you end up with a gross discontinuity in MTA delivery times (but to account
for GMT, various TZ issues and clocks being off by a little bit) or just a
clear, illogical hop (or hops) between networks.  Most email uses DNS to
simply go from the originator MTA to the destination MTA.  Other hops are
generally due to intranet smtp routing at either end or both ends, generally
explaining the appearance of IANA reserved addresses.  Additional hops can
arise if there are forward rules for the recipient to another account on
another network.

Though rigorous, you should verify the hostname and network whois for each
address in the path.  Spammers will fake the name and names can NEVER be
trusted in spam Received headers.  If you are on Windows and use Blighty
Design's Sam Spade for this, realize that it is limited for Asia Pacific
networks and augmenting the analysis by a whois search at
http://www.apnic.net is wise.

The ultimate address determined sometimes needs a second analysis as often
it isn't as clear as you think the first time through.  Definitely give that
a shot before writing to the wrong abuse address.  Also it is worth looking
at blackhole lists and http://www.mynetwatchman.com to see if a server is
listed as an open relay or has been used for suspicious activities.  Port 25
telnets with the rfc821 negotiation also will easily ferret out the open
relays directly.

That's it in a nutshell.  The freemail source addresses are rarely actually
sourced there.  Those addresses are really faked or they are part of an
automated scheme where they robotically try to register a lot of addresses;
when they get one, they register it and use it; otherwise, they add the
"already taken" address to a spam recipient list.  Anyone who sets up a
hotmail account and gets tons of spam even though they never even used the
account can, at least partially (don't know if M$ is party to some of it),
account for it this way.

For spam genuinely sent through the freemail web mail services, that service
should use user-specified rfc X-* headers.  Hotmail uses X-Originating-IP,
or something like that.  That is appropriate, as the sending source is not
SMTP and not subject to rfc821/822.  As a purist, I think that should be the
case for all non-smtp MUAs (pop, imap, ...).  But some freemail sources will
also add the address.  You're out of luck though for the more anonymous ones,
like ziplip.com.

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
Wayne Beckham
Sent: Thursday, June 06, 2002 6:54 PM
To: list at dshield.org
Subject: [Dshield] Email Headers


Does anyone have a quick guide to how to tear apart e-mail headers to
find the actual point of origin?  Specifically, we're getting a lot of
spam-mail from web-based e-mail services, such as Yahoo, and I was
wondering if there was anyway to find out where they're really coming
from.

- Wayne
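A header walk of the kind the reply above describes, written here as an added example rather than code from the post: it parses the Received headers of a constructed message, orders the hops from claimed origin to our own MTA, and flags the two things the post says give forged history away, RFC 1918 source addresses and delivery-time discontinuities (after normalising time zones). The hostnames, addresses and timestamps in SAMPLE are constructed.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the top Received line was added by our MTA, the bottom
# one is a "history" line the sender planted to point at someone else.
SAMPLE = """Received: from relay.example.net ([203.0.113.7])
\tby mx.example.org with ESMTP; Fri, 07 Jun 2002 10:12:03 -0400
Received: from mail.example.com (10.0.0.5)
\tby relay.example.net with SMTP; Fri, 07 Jun 2002 16:10:55 +0200
Received: from bigisp.example (unknown [198.51.100.9])
\tby mail.example.com; Tue, 04 Jun 2002 09:00:00 +0000
From: someone@freemail.example
Subject: test

body
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
# Explicit RFC 1918 / loopback list, so results don't depend on how a given
# Python version classifies documentation ranges.
RESERVED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_hops(raw):
    """Return Received hops ordered from claimed origin (first) to our MTA (last)."""
    msg = message_from_string(raw)
    hops = []
    for rcvd in reversed(msg.get_all("Received", [])):  # bottom header = earliest hop
        text = " ".join(rcvd.split())                    # unfold continuation lines
        clause, _, date = text.rpartition(";")           # date follows the last ';'
        m = re.search(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", clause)
        m_ip = IP_RE.search(m.group(2)) if m else None
        hops.append({"from_name": m.group(1) if m else None,
                     "from_ip": m_ip.group(1) if m_ip else None,
                     "by": m.group(3) if m else None,
                     "time": parsedate_to_datetime(date.strip())})
    return hops

def audit(hops, max_gap_hours=12):
    """Flag reserved source addresses and delivery times that run backwards or jump."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["from_ip"] and any(ipaddress.ip_address(hop["from_ip"]) in n for n in RESERVED):
            findings.append((i, "private/reserved source address: internal hop or forged"))
        if i > 0:
            delta = (hop["time"] - hops[i - 1]["time"]).total_seconds() / 3600
            if delta < -0.25:          # a few minutes of skew is just clock drift
                findings.append((i, "delivery time earlier than previous hop"))
            elif delta > max_gap_hours:
                findings.append((i, f"{delta:.0f}h gap before this hop; earlier history suspect"))
    return findings
```

Names in the `from` clause are never trusted here, only the bracketed address the receiving MTA recorded, which is the point the post makes about Received headers.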


