Wednesday, September 12, 2012

Tracing Email Forgeries

Long and dull, but useful information:..

By now many folks know that emails claiming to be from Fed Ex, or UPS, or the postal service about deliveries are often scams.  But people often ask how do you tell for sure instead of just guessing?  

The way to tell is to look at the email’s “Full Headers.”  While such a display looks daunting there are particular details you are looking for and you can ignore a lot of the other detail.

What you are looking for is the often strangely formatted Received lines.  What you are interested in is what system sent me the email?  Did it really come from UPS or did it come from Moon-buk-tu?

Here is an example.  It claims to be from UPS about a delivery confirmation contained in an attachment.  First of all UPS doesn’t do that, so you know it’s not right from the start, but let’s continue.

Email gets handed off pony express style from one computer to another and there will be a Received line in the email for every “hop.”

Return-Path:
Received: from mail.ups.com (mail.dawee.co.id [203.160.60.139])
    by mymailsystem.blahblah.com (8.13.8/8.13.4) with ESMTP id q8A9vW9W028734
    for ; Mon, 10 Sep 2012 02:57:35 -0700

 Received: from [219.168.131.98] (helo=jsrlvuefbfxn.gjqtj.ru)
    by mail.dawee.co.id with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MM3D6-6022ia-PI
    for ellen@blahblah.com; Mon, 10 Sep 2012 16:54:50 +0700
 
From: "UPS Quantum View"
To:
Subject: Delivery Notification UPS Mon, 10 Sep 2012 16:54:50 +0700


Return-Path - this can be faked so ignore it.
Received lines go in reverse order so the last one to touch it is the one at the top and usually the one you want to look at.  You want to look for the name of your system that receives email for you.  In this case, I’m calling it mymailsystem.blahblah.com.  The top Received line is what sent it to mymailsystem.  That system claims to be mail.ups.com, but look inside the parenthesis.  In an ESMTP Received line what is inside the parens is placed there by the email software and rarely is forged.  What is inside the parens is who really sent the message: dawee.co.id which is a system in Indonesia.  UPS may be an international company, but I can assure you that a system of theirs whose job it is to send email is never going to look like this.  So we can safely conclude that it is a forgery.

The second received line is who sent it to indonesia which implies the Indonesian system may have been hacked/hijacked by a virus intended to send spams and scams.  This line is generated by Exim and I’m not as familiar with how those lines are formatted though I do know they are easiliy configurable and so I don’t trust them as much.  It is interesting that the parens only contain a “helo” which is what the system claims its name is to the mailer (listed as from Russia but very easily faked) and the ip address in the [] doesn’t match it.  The IP address is from Japan. (I checked with http://whatismyipaddress.com/ip/)  
The implication is that the system is lying to the Indonesian system about where it is from.



Here is another example.
This claims to be from the ADP payroll system company.

That first glance a big clue: X-Mailer The Bat!
The Bat! is a mailer that is heavily used by spammers.
Return-Path is just whatever the spammer claimed to be

Return-Path: \ 
Received: from adpmailer.adp.com ([62.198.244.64])
by mymailsystem.blahblah.com (envelope-sender )
with ESMTP id q8ADQiYc012151; Mon, 10 Sep 2012 06:26:45 -0700  

Received: from [207.99.101.96] (helo=eqlcqhhswioo.nxqyhrp.ru)  
by with esmtpa (Exim 4.69) (envelope-from ) id 1MMCKK-1644oq-DH 
for someone@blahblah.com; Mon, 10 Sep 2012 14:26:43 +0100
Date:     Mon, 10 Sep 2012 14:26:43 +0100
From:
"ADP_Online_Invoice_DoNotReply@adp.com"
X-Mailer:
The Bat! (v2.04.7) Business

Looking at the first Received line, i find mymailsystem@blahblah.com which is my example email system.  The system that sent it claims to be adpmailer.adp.com but, again, look inside the parens.  there is no name inside the parens so we have to do a little more work by using http://whatismyipaddress.com/ip/. and it tells us this system is from Denmark which again is not an ADP system.

The system that sent it to the Denmark system is 207.99.101.96 which is a system in New Jersey and again not from Russia as it claimed to be.



This example is basic forged spam.  It claims to be a stock tip from Italy but is really from a system in Russia (.ru inside the parens) that has likely been broken into:

Received: from ppp91-79-82-35.pppoe.mtu-net.ru (ppp91-79-82-35.pppoe.mtu-net.ru [91.79.82.35])
    by mysystem.blahblah.com (8.13.8/8.13.4) with SMTP id q88GA0nQ027380
    for ; Sat, 8 Sep 2012 09:10:04 -0700

Received:
from unknown (HELO ebd) ([35.42.178.112])
    by ppp91-79-82-35.pppoe.mtu-net.ru with ESMTP; Sat, 8 Sep 2012 20:10:48 +0300

Message-ID:
<001b01cd8ddc ab270="ab270" comp1ebd="comp1ebd" d1d0="d1d0">
From: "Keith Greer"
To:
Subject: Stock To Watch!


While the email address (kc_kate@tradenet.it) is a forgery, the name of the Russian system (ppp91-79-82-35.pppoe.mtu-net.ru) has not been - it appears the same both inside and outside of the parens in the Received line.  On the second Received line you can see the system that sent the spam through the Russian one.  Its identity is more protected, but it is likely 35.42.178.112 which is a system in Ann Arbor Michigan owned by Merit Network (who is a college), and I will send the full headers to the Merit Network abuse address which I’m hoping is abuse@merit.edu.  It's likely the Merit system has been broken into as well.

1 comment:

sanjith said...

Informative blog really helpful for those who are in need to trace the location of an email id ..I followed the steps given here and easily find the ip address of a particular mail id from which i received unwanted junk mail ...After finding the ip address i did whois search for that ip address using sites like Whoisxy.com to trace the location of that ip address...