Anonymous email and phishing

Learn how phishers forge headers to send you anonymous email


The following is tip #3 from "Phishing exposed -- 10 tips in 10 minutes," excerpted from Chapter 3 of the book Phishing Exposed, published by Syngress Publishing.


Technology sector experts well know that SMTP was not designed with security in mind. Email is trivial to forge, and in more than one way, forged email can be passed with ease to the mail transport agent (SMTP server). As we already are aware, spammers forge emails, and since phishers are classified as spammers, they take on this practice as well. Most spammers tend to forge emails for anonymity, since they are sending you annoying emails that will usually get a negative reaction, and if the emails were easily traceable, they would probably be caught. Phishers forge for a different reason: They are attempting to con you, and they are using forgery to spoof a likely bank email, such as verify@citibank.com. Not all headers can be forged, so the good news is that you can still track down the originator IP address, but unfortunately the phishers are not emailing directly from their homes.

The headers that can be forged are:

  • Subject, Date, Message-ID
  • Recipients: From, To, CC
  • Content body
  • Any arbitrary headers such as X-Mailer and X-Message-Info
  • The initial Received headers

The headers that cannot be forged are:

  • The final Received headers
  • The originating mail server, including:
      • IP address
      • Subsequent timestamps

A header view of a phishing email that was sent targeting Citibank customers might look something like this:

Received: from 157.red-80-35-106.pooles.rima-tde.net
        (157.Red-80-35-106.pooles.rima-tde.net [80.35.106.157])
        by mail.nwsup.com (8.13.0/8.13.0) with SMTP id i6KCInwW020143;
        Tue, 20 Jul 2004 08:18:51 -0400
Received: from jomsi9.hotmail.com ([109.231.128.116])
        by p77-ewe.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
        Tue, 20 Jul 2004 11:01:16 -0200
Received: from aeronauticsaranf21 (bub[208.113.178.170])
        by hotmail.com (mcak97) with SMTP
        id <40364465887f8mut>
        Tue, 20 Jul 2004 11:01:16 -0200
From: "Citibank" <safeguard@citibank.com>
To: "'Novell2'" <someone@nwsup.com>
Subject: Attn: Citibank Update!
Date: Tue, 20 Jul 2004 14:03:16 +0100
Message-ID: <1575948b156d80$0sv4mtq8$296tas263sil@edmondsonvl9695>

We want to read Received headers from top to bottom in this case. As we learned earlier, at the very top is the final Received header, which cannot be forged. In this case, the previous hop before the message landed at its final destination was through 157.red-80-35-106.pooles.rima-tde.net. This can be verified with a forward DNS lookup of that hostname, which resolves to the same IP. The next Received line says it is from jomsi9.hotmail.com, which we should doubt: first, because it is tough to forge email from a web email service in general, and second, because the IP address and hostnames for the Hotmail domains do not exist on the Internet.

The bottom Received header is clearly a fake header, since there is no real domain associated with it and the IP address is untraceable. So, relying on what we know, the only known accurate header is the one carrying 80.35.106.157, and oh, what a surprise, a whois (www.whois.org) lookup on the IP shows the location to be in Estonia, which happens to be a popular country for phishing and other electronic fraud. Also, this IP address has been on record at the SPAMHAUS (www.spamhaus.org) Real Time Block List, meaning that it was probably an open relay at some point in time and used to send abusive email.

Looking at context clues, we note the timestamps on the two forged Received headers. It is extremely unlikely that the timestamps would be at the exact same time, as indicated here.

The Message-ID is definitely not a Hotmail one, since Hotmail message IDs take a form similar to BAY19-F30997BCBE3A45FF3DB16698E3D0@phx.gbl. Hotmail also sends an X-Originating-IP as well as a few other abuse-tracking headers, which are definitely not included in the phishing email.

General clues within the header usually identify whether it is forged or not. The obvious one is Received headers that are inconsistent, with mismatched from and by fields. Others are a HELO name that does not match the IP address, nonstandard headers placed within the email, and wrong or "different" formats of the Date, Received, Message-ID, and other header labels.

Here are some more specific clues regarding this email header:

  • The time zone on the Hotmail header doesn't match the geographical location, nor does the Date header.
  • The asterisk in the From domain cannot originate from Hotmail and generally is not legitimate.
  • SMTPSVC is Exchange's SMTP connector, which is used consistently throughout Hotmail.
  • Hotmail records a Received header matching Received: from [browser/proxy IP] with HTTP; [date].
  • Hotmail systems are usually set to GMT.

Let's compare the suspicious mail to a legitimate Hotmail message:

Received: from hotmail.com (bay19-f30.bay19.hotmail.com [64.4.53.80])
 by mail.sendinge-mail.com (Postfix) with ESMTP id 4F6A7AAA8E
 for <me@sendinge-mail.com>; Tue,  5 Apr 2005 21:46:27 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
  Tue, 5 Apr 2005 21:45:50 -0700
Message-ID: <BAY19-F30997BCBE3A45FF3DB16698E3D0@phx.gbl>
Received: from xx.7.239.24 by by19fd.bay19.hotmail.msn.com with HTTP;
 Wed, 06 Apr 2005 02:45:50 GMT
X-Originating-IP: [xx.7.239.24]
X-Originating-E-mail: [myhotmailaccount@hotmail.com]
X-Sender: myhotmailaccount@hotmail.com
From: "Hotmail Account" <myhotmailaccount@hotmail.com>
To: me@sendinge-mail.com
Date: Wed, 06 Apr 2005 02:45:50 +0000

A quick comparison to the phishing email makes it quite obvious that the previous email headers were not authentic and definitely not from Hotmail. The final Received header shows accurately that it was received from Hotmail, and if we did a forward DNS lookup on the IP, it would match Hotmail. The second Received header is the internal mail pickup service and demonstrates that there was an extra hop from the user sending email from the Web outgoing to the Internet. The initial Received header is authentic, displaying our IP address and the mail relay it was picked up by. It also states that we performed this action via HTTP on a certain date and time based in the GMT time zone.

We also note the X-headers; in this case they are being used for abuse tracking so that one can quickly identify the IP address of the originator. X-headers are user-defined fields, usually added by vendors outside the MTA; they are nonstandard and vendor-specific. The X-Originating-E-mail matches the From: field, and the dates are sufficiently accurate and do not look suspicious. All in all, you can see a vast difference between a suspicious set of headers and a properly formed email. This does not mean that forged headers are always this obvious, but there are some clues that may give it away if you know how to read them.




This chapter excerpt from Phishing Exposed, by Lance James, is printed with permission from Syngress Publishing, Copyright 2005.
