SPAM and Email Caller-ID
In recent weeks, I have noted a rise in both the quantity and quality of malicious SPAM. A lot more suspicious attachments with inducements to check out the attached “thank you card.” Some rather convincing phishing emails posing as large banking institutions advising me to contact them immediately, “with the link provided,” to avert an impending threat. Observing and dealing with this activity over the years, makes one a bit jaded and insensitive to these attacks. Like watching violence on television – both real and fictitious – it is no longer an attention grabber. Still, a big part of my job is understanding the latest trends in how hackers hack.
One aspect of this activity that piques my curiosity is understanding from where and whom these attacks originate. When I understand from what part of the Internet community such activity originates, then I can effectively tell my computers that they are not allowed to play with other computers from that part of town.
However, to understand who and where, I must understand how to look for the real address of the offending email. To do so, one must look at the IP (Internet Protocol) address. Every computer and every website has a unique IP. Even Laura's Sewing Studio has its own unique IP. LaurasSewingStudio.com is merely pseudonym created to make it easier for folks to find us. After all, we might change our IP address like we might change our mailing address, but we'll always be LaurasSewingStudio.com.
There is a relative long, boring, and esoteric set of rules for defining and assigning IP address, by which the Internet community follows. For our purpose, an IP is merely a set of four numbers ranging from 0.0.0.0 to 255.255.255.255, separated by periods. Each number can go from 0 to 255, yielding just shy of 4.3 billion addresses.
So now that we know what an IP is, how can we find the IP of a malicious email? The rules are little different to every email client. Many folks use Outlook Express (OE), so let's discuss how to peek at an IP from within OE. I warn you now that it is a little tedious in OE.
If you find an email in your inbox that you suspect of being malicious spam and want to find out from where it came, do the following.
- Place the mouse cursor over the offending email and click the right mouse key to bring up the pop up menu.
- At the bottom of the pop up menu is Properties. Click on Properties.
- A window appears showing the general properties of the email. Click on the Details tab found in the top left corner, next to the General tab.
Under the Details tab is shown the header information of a the email.
Inside the header of an email is contained its entire history from start to finish. To find the IP address from which it originated, look for a line that starts with “Received:.” When looking at the headers of SPAM, several such lines will be found with a few extra inserted to confuse and misdirect. To find the real one with the originating IP, look at the last few “Received:” lines. In the example below, the very last “Received:” entry is worthless, because it has no accompanying email address in it. The one above it, that is changed to red text, has an IP of “22.214.171.124” and the email address email@example.com.
delivery-date: Mon, 11 Dec 2006 21:10:37 -0500
Received: from xxxx by cs2.xxxx.com with local-bsmtp (Exim 4.62 (FreeBSD))
(envelope-from <firstname.lastname@example.org>) id 1Gtx6G-000LR7-Pb
for email@example.com; Mon, 11 Dec 2006 21:10:36 -0500
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on cs2.simplehost.com
X-Spam-Status: No, score=0.8 required=5.0 tests=EXTRA_MPART_TYPE,HTML_MESSAGE autolearn=no version=3.1.7
Received: from [126.96.36.199] (port=2773 helo=dnffnlh) by cs2.simplehost.com with smtp (Exim 4.62 (FreeBSD)) (envelope-from <firstname.lastname@example.org>) id 1Gtx6B-000LQR-Vw for email@example.com; Mon, 11 Dec 2006 21:10:32 -0500
Received: from tklqng ([188.8.131.52]) by dnffnlh with Microsoft SMTPSVC(6.0.3790.0); Tue, 12 Dec 2006 10:10:17 +0800
Yes, the above header came from a SPAM email. More importantly, because the IP from which it originated is now known, an informed decision was made with how to deal with future SPAM originating from that same part of town. No, The IP did not tell reveal the real name and address of the spammer, but the Internet neighborhood in which she lives was clearly identified.
In the next installment, we will look at how to identified the Internet neighborhood and how to put Internet Security Software to work keeping them at bay.