Forged headers

Occasionally you may receive an e-mail that looks like it is from someone you know, or from
the “Administrator” or “Postmaster” or “Security Team” at your school or ISP. The subject may
be “Returned Mail” or “Hacking Activity” or some other interesting subject line. Often there will
be an attachment. The problem is that it takes no technical knowledge and about 10
seconds of work to forge an e-mail address. (It also – depending on where you live – may be
very illegal.)
To do this, you make a simple change to the settings in your e-mail client software. Where it
asks you to enter your e-mail address (under Options, Settings or Preferences) you enter
something else. From here on out, all your messages will have a fake return address. Does this
mean that you're safe from identification? No, not really. Anyone with the ability to read an e-mail
header and procure a search warrant can probably figure out your identity from the
information contained in the header. What it does mean is that a spammer can represent
himself as anyone he wants to. So if Fannie Gyotoku [telecommunicatecreatures@cox.net]
sells you a magic cell phone antenna that turns out to be a cereal box covered with tin foil,
you can complain to cox.net, but don't be surprised when they tell you that there is no such
user.
Most ISPs authenticate senders and prevent relaying, which means that you have to be who
you say you are to send mail via their SMTP server. The problem is that hackers and spammers
often run an SMTP server on their PC, and thus don’t have to authenticate to send e-mail, and
can make it appear any way they want. The one sure way to know whether a suspicious e-mail is
legitimate is to know the sender and call them up. Never reply to a message that you suspect
may be forged, as this tells the sender they have reached a live address. You can
also look at the header information to determine where the mail came from, as in the example below.

This is an e-mail from someone I don’t know, with a suspicious attachment. Normally, I would
just delete this but I want to know where it came from. So I’ll look at the message header. I
use Outlook 2003 as my e-mail client; to view the header you go to View > Options and you
will see the header information as below:
Microsoft Mail Internet Headers Version 2.0

Received: from srv1.mycompany.com ([192.168.10.53]) by mx1.mycompany.com
over TLS secured channel with Microsoft SMTPSVC(6.0.3790.0);
Mon, 9 Aug 2004 11:20:18 -0700
Received: from [10.10.205.241] (helo=www.mycompany.com)
by srv1.mycompany.com with esmtp (Exim 4.30)
id 1BuEgL-0001OU-8a; Mon, 09 Aug 2004 11:15:37 -0700
Received: from kara.org (67.108.219.194.ptr.us.xo.net [67.108.219.194])
by www.mycompany.com (8.12.10/8.12.10) with SMTP id i79IBYUr030082
for ; Mon, 9 Aug 2004 11:11:34 -0700
Date: Mon, 09 Aug 2004 14:15:35 -0500
To: "Sales"
From: "Sales"
Subject:
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------cfwriebwwbnnfkkmojga"
X-Scan-Signature: 178bfa9974a422508674b1924a9c2835
Return-Path: sales@innovonics.com
X-OriginalArrivalTime: 09 Aug 2004 18:20:18.0890 (UTC) FILETIME=[868FEAA0:01C47E3D]
----------cfwriebwwbnnfkkmojga
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
----------cfwriebwwbnnfkkmojga
Content-Type: application/octet-stream; name="price_08.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="price_08.zip"
----------cfwriebwwbnnfkkmojga--
Now, the part I’m interested in is the bottom “Received” line above (each relay adds its own
“Received” line on top of the others, so the bottom one records the first hop). Note that this
“Received” is from kara.org at an IP that appears to be an xo.net DSL line, which does not
agree with innovonics.com, the purported sender.
Also, if I look up innovonics.com’s mail server using nslookup, its address comes back as
follows:
C:\>nslookup innovonics.com
Server: dc.mycompany.com
Address: 192.168.10.54
Non-authoritative answer:
Name: innovonics.com
Address: 64.143.90.9
So, my suspicion was correct, and this is an e-mail that is carrying some malware in an
executable file posing as a zip file. The malware has infected the person’s computer on the
DSL line, which is now a zombie, sending copies of the malware to everyone in the infected
computer’s address book. I’m glad I checked it out!
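The two checks just walked through (reading the “Received” chain from the bottom up to find the machine that injected the mail, then comparing that machine and its IP against the purported sender's domain and its DNS record) can be scripted. The following is an added example written for this page, not code from the original text. It re-folds the Received, From and Return-Path lines shown above as a constructed sample (addresses the page does not show are left out, as on the page) and stands in for the nslookup step with a small constructed table holding the A record the page reports (64.143.90.9). The function names and the DNS_TABLE stand-in are assumptions of the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the Received:, From: and Return-Path: lines from the
# header shown above, re-folded with leading whitespace on continuation
# lines as the header format requires. Addresses the page does not show
# are left out, exactly as on the page.
SAMPLE_HEADERS = """\
Received: from srv1.mycompany.com ([192.168.10.53]) by mx1.mycompany.com
 over TLS secured channel with Microsoft SMTPSVC(6.0.3790.0);
 Mon, 9 Aug 2004 11:20:18 -0700
Received: from [10.10.205.241] (helo=www.mycompany.com)
 by srv1.mycompany.com with esmtp (Exim 4.30)
 id 1BuEgL-0001OU-8a; Mon, 09 Aug 2004 11:15:37 -0700
Received: from kara.org (67.108.219.194.ptr.us.xo.net [67.108.219.194])
 by www.mycompany.com (8.12.10/8.12.10) with SMTP id i79IBYUr030082
 for ; Mon, 9 Aug 2004 11:11:34 -0700
Date: Mon, 09 Aug 2004 14:15:35 -0500
To: "Sales"
From: "Sales"
Return-Path: sales@innovonics.com

"""

# Constructed stand-in for the nslookup step (an assumption of this example):
# the A record the page reports. A real tool would resolve the name live.
DNS_TABLE = {"innovonics.com": "64.143.90.9"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"\bfrom\s+(\S+)")


def received_hops(raw_headers):
    """Return the Received: headers oldest-first as (claimed_host, ip) pairs.

    Each relay prepends its own Received: line, so the bottom one is the
    first hop. The name after 'from' is what the connecting machine claimed
    in HELO; the bracketed IP is what the receiving server actually saw.
    """
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        host = HELO_RE.search(value)
        ip = IP_RE.search(value)
        hops.append((host.group(1) if host else None,
                     ip.group(1) if ip else None))
    return hops


def originating_ip(raw_headers):
    """First public IP seen in the chain, walking oldest-first.

    Private hops (10/8, 192.168/16, ...) are the receiving site's own relays
    and are skipped, so purely internal mail yields None.
    """
    for _host, ip in received_hops(raw_headers):
        if ip and ipaddress.ip_address(ip).is_global:
            return ip
    return None


def purported_sender_domain(raw_headers):
    """Domain of the address the mail claims to come from.

    Uses From:, and falls back to Return-Path: when From: carries only a
    display name, as it does in the sample above.
    """
    msg = message_from_string(raw_headers)
    for field in ("From", "Return-Path"):
        _name, addr = parseaddr(msg.get(field, ""))
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None


def assess(raw_headers, dns_table):
    """Apply the page's two checks; return a list of human-readable findings.

    A mismatch is a signal, not proof: legitimate mail is often relayed by
    a third-party provider whose hosts are not under the sender's domain.
    """
    findings = []
    hops = received_hops(raw_headers)
    origin_host = hops[0][0] if hops else None
    origin_ip = originating_ip(raw_headers)
    domain = purported_sender_domain(raw_headers)
    if domain and origin_host:
        claimed = origin_host.lower().rstrip(".")
        if claimed != domain and not claimed.endswith("." + domain):
            findings.append(
                f"first hop claims to be {origin_host}, not a host under {domain}")
    expected = dns_table.get(domain)
    if expected and origin_ip and origin_ip != expected:
        findings.append(
            f"first public hop {origin_ip} is not {domain}'s address {expected}")
    return findings


if __name__ == "__main__":
    for host, ip in received_hops(SAMPLE_HEADERS):
        print(f"hop: {host!s:<40} {ip}")
    for finding in assess(SAMPLE_HEADERS, DNS_TABLE):
        print("suspicious:", finding)
```

Run stand-alone, the script prints the three hops oldest-first and the two findings for the sample. Two caveats worth keeping in mind when reading any header this way: the name after “from” in a Received line is whatever the connecting machine announced and can be anything, while the bracketed IP is what the receiving server observed; and a mismatch between the first hop and the sender's domain is a signal to investigate, not proof of forgery, since legitimate mail is often handed off through a third-party provider.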