Saturday, June 23, 2007

Where did that spam e-mail come from?

The way to tell where an e-mail originated is to look at its headers. The default view shows only To, From, Cc, Subject and Date. To see all the headers, you need to select Show All or Long Headers. Here's how to do it in Mac OS X's Mail application:

By revealing all the headers you can see each hop the e-mail message made to get from the originator to you.

Each time an e-mail makes a hop on its way from the sender to the recipient, it is stamped with the information of the relaying server. A typical e-mail will have two to five hops, and each hop is stamped with a Received: line showing where the relaying mail server received the e-mail. The first Received hop, at the bottom of the list, is usually where the e-mail originated, and each successive hop is added above the previous one. Of course these hops can be spoofed, but that's usually not necessary for a spammer since they hijack people's computers (details below).

Most ISPs (except for Google and a few others) stamp the sender's original IP address on the first hop, even if the e-mail was sent using Web mail.

Here's a perfect example of a phishing spammer's e-mail claiming to be sent from PayPal.
(click on image to enlarge - blue highlighted area shows the IP address of the hijacked computer - actual recipient's e-mail address redacted for privacy)

The e-mail should have originated on PayPal's network but, instead, it originated somewhere in Brazil ( Here's the text from its first Received header, where the message originated:

Received: from ( [] (may be forged)) by (Xserve/smtpin36/MantshX 4.0) with SMTP id l5ND6ElW020957 for <>; Sat, 23 Jun 2007 06:06:16 -0700 (PDT)

is clearly not
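The same walk through the Received: chain, done in code rather than by eye. This is an added example, not part of the original post: it parses a constructed message (reserved example.* host names and RFC 5737 documentation addresses, nothing real) with Python's standard email library, lists the hops in travel order so the bottom-most stamp comes first, and compares the origin hop against the domain the From: line claims. The regular expressions cover the common sendmail/Postfix "from HELO (rdns [ip]) by host" layout, not every Received: syntax in the wild.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not the e-mail from the post): example.* domains
# and RFC 5737 documentation addresses, so nothing here points at a real host.
SAMPLE_MESSAGE = b"""Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org (Postfix) with ESMTP id A1B2C3
\tfor <victim@example.org>; Sat, 23 Jun 2007 06:06:17 -0700 (PDT)
Received: from paypal.com (host-203-0-113-45.example.net [203.0.113.45] (may be forged))
\tby mx.example.net (Postfix) with SMTP id D4E5F6
\tfor <victim@example.org>; Sat, 23 Jun 2007 06:06:16 -0700 (PDT)
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Please verify your account
Date: Sat, 23 Jun 2007 06:06:00 -0700

Click the link below to confirm your account details.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
RDNS_RE = re.compile(r"\(\s*([^\s()\[\]]+)\s+\[")  # name the receiver resolved, right before [ip]
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received(value):
    """Pull the fields an analyst cares about out of one Received: header."""
    value = " ".join(value.split())  # unfold continuation lines
    helo, rdns, ip, by = (r.search(value) for r in (FROM_RE, RDNS_RE, IP_RE, BY_RE))
    return {
        "helo": helo.group(1) if helo else None,  # name the sending host *claimed* to be
        "rdns": rdns.group(1) if rdns else None,  # name the receiver looked up for the IP
        "ip": ip.group(1) if ip else None,        # address the connection actually came from
        "by": by.group(1) if by else None,        # server that added this stamp
        "may_be_forged": "may be forged" in value.lower(),
    }


def hops_oldest_first(raw):
    """Each relay prepends its Received: line, so the last one in the message is
    the first hop; return the hops in the order the mail actually travelled."""
    msg = email.message_from_bytes(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def claimed_sender_domain(raw):
    """Domain of the address in the From: line (what the mail says it is)."""
    _, addr = parseaddr(email.message_from_bytes(raw).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def in_domain(hostname, domain):
    h = hostname.lower()
    return h == domain or h.endswith("." + domain)


def assess_origin(raw):
    """The check the post does by hand: does the origin hop belong to the
    network of the sender the message claims to be from?"""
    hops = hops_oldest_first(raw)
    if not hops:
        return {"origin_ip": None, "hops": 0, "findings": ["no Received: headers at all"]}
    origin = hops[0]
    domain = claimed_sender_domain(raw)
    findings = []
    if origin["may_be_forged"]:
        findings.append("receiving server could not confirm the origin's claimed name")
    rdns_mismatch = domain and origin["rdns"] and not in_domain(origin["rdns"], domain)
    if rdns_mismatch:
        findings.append(f"origin host {origin['rdns']} is not in {domain}")
    if rdns_mismatch and origin["helo"] and in_domain(origin["helo"], domain):
        findings.append(f"HELO name {origin['helo']} imitates the claimed sender")
    return {"origin_ip": origin["ip"], "hops": len(hops), "findings": findings}


if __name__ == "__main__":
    for n, hop in enumerate(hops_oldest_first(SAMPLE_MESSAGE), 1):
        print(f"hop {n}: {hop['ip']} ({hop['rdns']}) -> {hop['by']}")
    print(assess_origin(SAMPLE_MESSAGE))
```

The origin IP is what you would then look up (whois or a geolocation service) to place the machine, as the post does for the Brazilian address; the script deliberately stays offline and only reports it. Note that a hijacked home PC will usually have a generic ISP reverse-DNS name, so the rDNS-versus-From mismatch is the signal to expect, while the "may be forged" note is only present when the receiving server itself could not match the HELO name to the connecting address.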

Hard To Catch
It's hard to catch spammers because they hijack unsuspecting personal computers throughout the world. In virtually all cases, these are Windows computers which have been infected with viruses, worms, and spyware. Each hijacked computer is used to send out fake e-mails (spam) to thousands of people without its owner's knowledge, before or after the fact. Some of these fraudulent e-mails claim to be from legitimate companies, especially financial institutions such as PayPal and banks.

The purpose of most of these phishing e-mails is to get the recipient to click on a link in the e-mail which looks like it'll take the user to their financial institution but, instead, redirects the user to a Web site which looks exactly like the real thing. From there, a user will enter their account login and password and then click submit, which sends the user's login and password to the spammer's server. Once the spammer has a user's login and password, they can log into that user's real account and do what they please.

1 comment:

dvector said...

Just saying thank you. Finding the source of repetitive spam is a great help