
Tracking the source of email spam by examining its header. Anh Nguyen, May 3rd, 2010.


2 Organization
– Introduction
– Email Headers Overview
– Spam Examples
– Email Tracer Tool: eMailTrackerPro
– Conclusions

3 Introduction (section divider; repeats the outline from slide 2)

4 Introduction
– Spammers usually forge their email's headers
– The headers can still be examined to identify the true source of the email
– Assumption: the mail reader can display the full headers of the message being examined

5 Email Headers Overview (section divider; repeats the outline from slide 2)

6 Email Headers Overview
From (no colon, the "From " separator line)
– First line in the headers
– Not actually part of the email header
– Inserted by the mail transfer software
– Used by many Unix mailers to separate messages in a mailbox
– Can be forged, but not always
From:
– Who the message claims to be from
– The easiest header to forge

7 Email Headers Overview (Cont.)
Reply-To:
– The address to which replies are sent
– Easily forged
– Often provides a clue (spammers need a working address to collect replies)
Return-Path:
– The address to which undeliverable mail is returned
Sender:
– The account that actually sent the message
– Much mail software fails to insert this line

8 Email Headers Overview (Cont.)
Message-ID:
– Unique string assigned to the message by the mail system when the message is first created
– Forgeable, but requires more knowledge than forging the From: line
– Often identifies the system where the sender is logged in, but not necessarily the system where the message originated
– Each mail program has its own recognizable Message-ID style
– Spam can be identified by comparing its Message-ID with those of legitimate messages from the same site

9 Email Headers Overview (Cont.)
Received:
– Most important field for tracking
– Format: Received: from ? by ? via ? with ? id ? for ? ; date-time
– Lists every site (mail server) through which the message traveled before reaching the destination
– Each server prepends its own line, so the lines are read from bottom (closest to the sender) to top (your own server)
– Only the lines added by servers you trust can be believed; a spammer can insert any number of fake lines below them

10 Email Headers Overview (Cont.)
Received: from foo.com by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
– foo.com: the name that the sending machine used to identify itself (its HELO name); bar.com did not verify it
Received: from foo.com ([129.2.3.4]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
– The IP address of the sending machine is inserted by bar.com from the actual connection. The IP and the claimed machine name can be compared to identify a forgery
– The IP's validity can also be checked (for example, no component of the address can be > 255)
Received: from foo.com (x.y.alterdial.uu.net [129.2.3.4]) by bar.com id AA15057; ...
– Both the IP and the actual (reverse-DNS) name of the sending machine are inserted; a claimed name that does not match the recorded one is a clue

11 Spam Examples (section divider; repeats the outline from slide 2)

12 Spam Examples
Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40]) by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705 for ; Wed, 30 Jul 1997 01:15:27 -0600 (MDT)
From: beautifulgirls585@aol.com
Received: from cola.bekkoame.or.jp (ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21]) by cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439; Wed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by aol.com (8.8.5/8.6.5) with SMTP id GAA00075 for ; Tue, 29 Jul 1997 22:19:42 -0600 (EST)
Date: Tue, 29 Jul 97 22:19:42 EST
Subject: You can have what you want...
Message-ID:
Reply-To: beautifulgirls585@aol.com
X-PMFLAGS: 56354433 0
Comments: Authenticated sender is
X-UIDL: vjg79u26gfkjjrty38jf983j309jfyrw
Clues: the bottom Received: line claims the message came through aol.com, but the line above it, written by the relay cola.bekkoame.or.jp, records the true connection from a psi.net dial-up (38.12.123.21) that identified itself with the relay's own name. The claimed address 244.218.07.32 lies in the reserved 240.0.0.0/4 range, and "-0600 (EST)" is inconsistent (EST is -0500).

13 Spam Examples
From jerry@nowhere.com Wed Apr 2 21:13:04 1997
Received: from watagashi.zzzzzzzzzzz.zzz (watagashi.zzzzzzzzzzz.zzz [10.168.192.43]) by ccshst06.cs.uoguelph.ca with ESMTP (8.7.5/8.7.3) id OAA20088 for <tburgess@uoguelph.ca>; Wed, 2 Apr 1997 14:35:28 -0500 (EST)
From: jerry@nowhere.com
Received: from zzzzzzzzzzz.zzz (Cust76.Max7.Los-Angeles.xx.xxxxx.xxx [10.168.73.204]) by watagashi.xxxxxxxxxxx.xxx (8.7.5+2.6W/3.5W) with SMTP id DAA06068; Thu, 3 Apr 1997 03:58:21 +0900 (JST)
Received: from mailhost.nowhere.com (alt1.nowhere.com (206.1.562.999)) by nowhere.com (8.8.5/8.6.5) with SMTP id GAA00597 for <jerry@nowhere.com>; Wed, 02 Apr 1997 10:18:14 -0600 (EST)
To: jerry@nowhere.com
Message-ID: <144523806421342786@nowhere.com>
Date: Wed, 02 Apr 97 10:18:14 EST
Subject: How To E-Mail Up To A Million Messages Per Hour--No Kidding
Reply-To: jerry@nowhere.com
X-PMFLAGS: 34078848 0
X-UIDL: 3671313288a65eb1890m0762123a
Clues: the bottom Received: line is impossible (206.1.562.999 has components > 255), and the relay's own line above it records the real connection from a Los Angeles dial-up customer, not from nowhere.com. The relay's host and domain names are masked in this example.

14 eMailTrackerPro (section divider; repeats the outline from slide 2)

15 eMailTrackerPro
Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [235.16.47.37] by 38.118.132.100 id ; Sun, 16 Nov 2003 13:38:22 -0600
Message-ID:
From: "Reinaldo Gilliam"
Reply-To: "Reinaldo Gilliam"
To: ladedu@ladedu.com
Subject: Category A Get the meds u need lgvkalfnqnh bbk
Date: Sun, 16 Nov 2003 13:38:22 GMT
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="9B_9.._C_2EA.0DD_23"
X-Priority: 3
X-MSMail-Priority: Normal
Clues: the sender announced itself (HELO) as 38.118.132.100, but mail1.infinology.com recorded the actual connection from 62.105.106.207; the lower Received: line is the spammer's own, and 235.16.47.37 is a multicast address that can never be a sending host.
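The checks slides 9 and 10 describe, run over Received: lines of the shape shown in slides 12, 13 and 15, as an added Python example (not code from the presentation, nor from eMailTrackerPro). The sample message is constructed, modelled on slides 12 and 13 with the hosts and addresses from those slides; the extra routability rules (multicast, private, loopback and reserved ranges) go beyond the slides' octet > 255 test and are this example's own assumption.

```python
"""Walk a message's Received: chain bottom-to-top and flag the forgery signs
the slides describe: an IP that is invalid (octet > 255) or unroutable, a HELO
name that differs from the name the receiving server recorded, and a fake line
whose 'by' server is not what the next real relay saw connecting."""
import ipaddress
import re

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?P<info>.*?)\s*\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample modelled on slides 12 and 13; not a real message.  Top line:
# the recipient's own server.  Middle: the open relay's record of the true
# connection (a psi.net dial-up).  Bottom: the spammer's fake line.
SAMPLE = """\
Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40])
        by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705
        for <victim@srv.net>; Wed, 30 Jul 1997 01:15:27 -0600 (MDT)
Received: from cola.bekkoame.or.jp (ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21])
        by cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439;
        Wed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.nowhere.com (alt1.nowhere.com (206.1.562.999))
        by nowhere.com (8.8.5/8.6.5) with SMTP id GAA00597;
        Tue, 29 Jul 1997 22:19:42 -0600 (EST)
From: jerry@nowhere.com
Message-ID: <144523806421342786@nowhere.com>
Subject: constructed sample

body
"""


def headers(raw):
    """Header section as (name, value) pairs with folded lines joined."""
    fields = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and fields:          # folded continuation
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def ip_problems(ip):
    """Slide 10's validity test, plus ranges that cannot be a sending host."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return [f"{ip}: not a valid IPv4 address (octet > 255)"]
    if addr.is_multicast:
        return [f"{ip}: multicast address, cannot be a sending host"]
    if addr.is_private or addr.is_loopback or addr.is_reserved:
        return [f"{ip}: not a routable Internet address"]
    return []


def parse_hop(value):
    """HELO name, recorded (reverse-DNS) name, receiving host and every dotted quad."""
    m = HOP_RE.search(value)
    if not m:                                  # unparseable: treat as fake
        return {"helo": None, "rdns": None, "by": None, "ips": []}
    helo, info = m["helo"].strip("[]"), m["info"]
    h = re.search(r"\(HELO\s+([^)\s]+)\)", info, re.I)     # slide 15's form
    if h:
        helo = h.group(1)
    rdns = next((t for t in re.split(r"[\s()\[\]]+", info)
                 if t and t.upper() != "HELO" and not IP_RE.fullmatch(t)), None)
    return {"helo": helo, "rdns": rdns, "by": m["by"], "ips": IP_RE.findall(value)}


def trace(raw):
    """Hops oldest-first (bottom line first).  'problems' are hard forgery signs,
    'notes' are suspicious only, 'chain_break' means the server above saw someone else."""
    lines = [v for n, v in headers(raw) if n.lower() == "received"]
    hops = [parse_hop(v) for v in reversed(lines)]
    for i, hop in enumerate(hops):
        hop["problems"] = [p for ip in hop["ips"] for p in ip_problems(ip)]
        hop["notes"] = []
        if hop["helo"] and hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            hop["notes"].append(f"HELO name {hop['helo']} differs from recorded name {hop['rdns']}")
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        hop["chain_break"] = bool(nxt and hop["by"] and nxt["helo"]
                                  and hop["by"].lower() != nxt["helo"].lower())
    return hops


def likely_origin(hops):
    """Walk down from the recipient's own server, keeping the connecting address
    recorded by each still-trusted server; stop at the first bad or broken hop."""
    origin = None
    for hop in reversed(hops):                               # newest first
        if hop["by"] is None or hop["problems"] or hop["chain_break"]:
            break
        ips = [ip for ip in hop["ips"] if ip != hop["helo"]]  # skip a HELO IP literal
        if ips:
            origin = ips[0]
    return origin


if __name__ == "__main__":
    for n, hop in enumerate(trace(SAMPLE), 1):
        print(n, hop["helo"], "->", hop["by"], hop["problems"], hop["notes"], hop["chain_break"])
    print("likely origin:", likely_origin(trace(SAMPLE)))
```

Run against the sample, the bottom line is rejected for its impossible address and for claiming a relay (nowhere.com) that the real relay never saw, the middle line is kept with a note that its HELO name does not match the dial-up's reverse DNS, and the origin reported is the dial-up address 38.12.123.21, which is exactly the reading slide 12 leads to by hand.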

16 eMailTrackerPro (screenshot slide; no text in the transcript)

17 Conclusions (section divider; repeats the outline from slide 2)

18 Conclusions
Thank you for your time. Questions and feedback are welcome.

19 References
– Spam Tracking Page: http://www.rahul.net/falk/
– Email Tracer Tutorial: http://www.visualware.com/resources/tutorials/email.html
