The Origin of Emails…

Today’s spammers, viruses, emailbots, and spoofers can forge enough information within an email to obfuscate its origin from the average casual recipient.

However, the rest of the header information in emails can be used successfully to track their source if you know where to look. While Simple Mail Transfer Protocol (SMTP), the main protocol used when sending email, does not include a way to authenticate where the email message originated, it does ensure that each server that hands off the message to the next server adds header information to the top of each email it processes.

Spammers often add a false trail of spoofed headers to attempt to hide the true origin of the unwanted email, but mail transfer programs record the sender’s correct IP address anyway. So even if the sender uses a fictitious or false name when contacting the receiving server, you can determine the origin of the spoofed message because each server along the way adds valid information to the stack. The secret is to trace the email back, header by header, until you reach the origin. Thankfully, once the email leaves the originating server, the sender cannot remove any trace information before it reaches the recipient, leaving a record of the path the email took to get to its final destination.

Let’s take a look at the most relevant headers of a typical email.

Received: from [199.93.70.138] by hotmail.com (3.2) with ESMTP id MHotMailBE984393005A40043758C75D468A0E000; Tue, 30 Apr 2002 13:03:35 -0700
Received: from GODDESSY [172.142.138.29] by mail7.burlee.com
(SMTPD32-6.00) id A890978300EE; Tue, 30 Apr 2002 16:03:28 -0400

This email was fairly easy to trace. Remember to trace emails from destination to source, starting with the top Received headers and working backward. The email was sent to a hotmail.com user, and the previous hop was through 199.93.70.138, the IP address of mail7.burlee.com back in 2002. It was routed through mail7.burlee.com by a user or server that called itself GODDESSY with an IP address assigned to AOL. Once you pair that information with the matching From, Reply-To, and Organization headers, there can be no doubt as to the origin of the email. The headers in this email are all valid.

Now let’s view the headers of a spam email I received this morning:

Received: from [211.247.192.30] ([211.247.192.30])
by rdlnational.com (8.11.6/8.11.6) with ESMTP id l84I1LN30452
Tue, 4 Sep 2007 11:01:21 -0700
Received: from [211.247.192.30] by mail.orextour.com; Tue, 35 Aug 2007 27:01:22 +0900

In this case, the email was directed to my email server (rdlnational.com) through 211.247.192.30. Using a series of whois lookups, starting with arin.net, it is easy to discover that 211.247.192.30 is assigned to a cable company in Busan, South Korea. The next Received header does not show where 211.247.192.30 received the email, but leaves a potential trail pointing to orextour.com. The spammer was sloppy as well; there is a visible indication that the header is a fake since August does not have 35 days, nor does a day have a 27th hour (probably the result of a programming glitch on the part of the spammer). Finally, 211.247.192.30 is listed in the CBL as an open proxy. While the From and Return-Path headers (not shown) matched orextour.com, the trail unfortunately stops in South Korea because of the open proxy, and it is not certain that any user at orextour.com had anything to do with the spam — although it is still possible. Some of the headers may have been forged.

Finally, here’s another spam email:

Received: from pppoe-226.63.110.89-adsl.spbnit.ru (pppoe-226.63.110.89-adsl.spbnit.ru [89.110.63.226])
by rdlnational.com (8.11.6/8.11.6) with ESMTP id l84LH9H03786
Tue, 4 Sep 2007 14:17:10 -0700
Received: from [89.110.63.226] by mail.expedient.net; Tue, 35 Aug 2007 24:17:25 +0300

The topmost Received header shows that it arrived at rdlnational.com (my email server) from a Russian server at IP address 89.110.63.226 that calls itself pppoe-226.63.110.89-adsl.spbnit.ru. Because 226.63.110.89 is reserved by the Internet Assigned Numbers Authority (IANA), any reference to it is just a red herring. Since there is no relation between either IP address and mail.expedient.net (209.166.161.229, located in Pittsburgh, PA) and the chain of information subsequently breaks, the next header is an obvious fake. It is an interesting coincidence that the fake header also mentions the nonexistent 35th of August with an hour value beyond 24, and I can appreciate the sense of humor of the spammer who attempts to disguise the origin of the spam from St. Petersburg as Pittsburgh. Headers in this email were definitely forged.
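Worked example, added here and not part of the original post: a small Python checker that applies the three tests used above to a Received chain, walking it from the destination down to the claimed origin. It flags impossible dates (the 35th of August, a 24th or 27th hour), a claimed host name that embeds a different address than the one the receiving server recorded, and any address in multicast or reserved space. The sample chain is constructed from the third message above; the checker does no whois or DNS lookups, so the chain-of-custody check against expedient.net remains a manual step.

```python
import re
import ipaddress
from datetime import datetime

MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DATE_RE = re.compile(r"(\d{1,2}) ([A-Za-z]{3}) (\d{4}) (\d{1,2}):(\d{2}):(\d{2}) [+-]\d{4}$")
HOP_RE = re.compile(r"^(?:Received:\s*)?from\s+(?P<src>.+?)\s+by\s+(?P<by>\S+)", re.I | re.S)

# Constructed sample: the Received chain of the third message in the post, destination first.
SAMPLE_CHAIN = [
    "Received: from pppoe-226.63.110.89-adsl.spbnit.ru (pppoe-226.63.110.89-adsl.spbnit.ru "
    "[89.110.63.226]) by rdlnational.com (8.11.6/8.11.6) with ESMTP id l84LH9H03786; "
    "Tue, 4 Sep 2007 14:17:10 -0700",
    "Received: from [89.110.63.226] by mail.expedient.net; Tue, 35 Aug 2007 24:17:25 +0300",
]

def parse_hop(value):
    # Split one Received: value into claimed sender, recorded peer IP, relaying host and date.
    v = " ".join(value.split())  # collapse folded continuation lines
    m = HOP_RE.match(v)
    if not m:
        raise ValueError("not a from/by Received header: " + value)
    recorded = re.findall(r"\[(" + IPV4 + r")\]", m.group("src"))  # written by the receiving MTA
    return {"claimed": m.group("src").split()[0].strip("[]"), "ip": recorded[-1] if recorded else None,
            "by": m.group("by").rstrip(";"), "date": DATE_RE.search(v)}

def hop_issues(hop):
    # The red flags the post looks for in a single hop.
    issues = []
    d = hop["date"]
    if d is None:
        issues.append("unparseable date")
    else:
        day, mon, year, hh, mm, ss = d.groups()
        try:  # datetime() rejects day 35, hour 24 or 27, and the like
            datetime(int(year), MONTHS.get(mon.lower(), 0), int(day), int(hh), int(mm), int(ss))
        except ValueError:
            issues.append("impossible date: " + d.group(0))
    embedded = re.search(IPV4, hop["claimed"])  # IP literal baked into the claimed host name
    if embedded and hop["ip"] and embedded.group(0) != hop["ip"]:
        issues.append("name embeds %s but peer was %s" % (embedded.group(0), hop["ip"]))
    for ip in {hop["ip"], embedded.group(0) if embedded else None} - {None}:
        a = ipaddress.ip_address(ip)  # multicast/reserved/private space cannot be a real peer
        if a.is_multicast or a.is_reserved or a.is_private or a.is_loopback:
            issues.append("non-routable address " + ip)
    return issues

def trace(received_values):
    # Walk Received headers from the top (destination) down to the claimed origin.
    return [dict(h, issues=hop_issues(h)) for h in map(parse_hop, received_values)]
```

Running `trace(SAMPLE_CHAIN)` reports the embedded 226.63.110.89 as non-routable and mismatched on the first hop and the impossible date on the second; a clean header such as the burlee.com one from the first message produces an empty issue list.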

Three different emails with three different levels of validity. Fortunately, with the first example, getting more information on the sender is relatively easy because AOL (an American public company) is more likely to respond to court requests for account information than ISPs in South Korea or Russia would.
