Any email can pretend itself it is from a trusted site, but in fact it was created by some hackers and served by their servers. When this spoof or forged mail is sent in at least thousands while not in millions. We already seen in the previous post by reading e-mail headers we can identify the sender when the mail seems to be some spoof.
Below is a email header of a mail I sent from my hosting server with PHPmailer. Because normal mail clients never allow you to change the from mail address and other data. This mail pretends where it is from some trusted web site to you but it is created from my server. I have changed some data in below header, due to some security reasons.
[sniplet postads]
Before reading the header your mail looks like this when I receive it in my gmail inbox.
[code]
To: you@yourdomain.com
From: Trustedsite.com <someone@trustedsite.com>
Subject: Verify Your Account Details
[/code]
Now, you can say this mail is from someone@trustedsite.com to verify your account details. Okay lets read the header of this mail which is given below.
[code]
Delivered-To: you@yourdomain.com
Received: by 10.231.182.200 with SMTP id cd8cs166526ibb;
Mon, 11 Oct 2010 19:39:48 -0700 (PDT)
Received: by 10.101.166.37 with SMTP id t37mr3252242ano.122.1286851188074;
Mon, 11 Oct 2010 19:39:48 -0700 (PDT)
Return-Path: <someone@trustedsite.com>
………………
………………// content removed to reduce confusion
………………// some details of intermediate servers.
………………// No need to consider this.
………………
………………
Received: from hackerdomain.com (21.hackingwebserver.com [11.11.11.111])
by mail.hackingweb.com with ESMTPS id q23sm3375542yba.17.2010.10.11.19.39.45
(version=SSLv3 cipher=RC4-MD5);
Mon, 11 Oct 2010 19:39:46 -0700 (PDT)
Date: Tue, 12 Oct 2010 02:39:44 +0000
Return-Path: no-reply@hackerdomain.com
To: you@yourdomain.com
From: Trustedsite.com <someone@trustedsite.com>
Subject: Verify Your Account Details.
Message-ID: <050f1b51c4ebc17fb46cb18d980b8397@apecunited.com>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version 2.0.4]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
[/code]
[sniplet postads]
This email header determine where a message is sent, and records the specific path the message follows as it passes through each mail server. To follow the path of a message chronologically, read from the bottom of the header, and work your way up. In this header the mail passes through more than 2 mail servers so I removed the information to reduce confusion. Our motto is to find where the mail is generated, for that read the first ” Received: ” data (from bottom), it specifies that this mail is from “hackerdomain.com” with the ip address of “11.11.11.111” and it includes a timestamp “17.2010.10.11.19.39.45” which means exactly at “Mon, 11 Oct 2010 19:39:45”.
Here is an another example email header (only first “Received:” is shown)
[code]
Received: from source ([11.11.11.111]) by exprod5mx37.postini.com ([12.12.12.123]) with SMTP; Wed, 20 Aug 2003 21:40:05 CDT
[/code]
In this case, exprod5mx37.postini.com ([12.12.12.123]) – was smart enough to know the email really came from ip 11.11.11.111. So we can find the sender’s domain or ip address from the email headers almost all the time.
[sniplet postads]
What can we do with the hacker’s ip address, we have to find the domain name, server location, owner of that domain, etc etc. We can do this by DNS Look up or else we can simply notify the domain owner whose domain is abused by the hacker, in the above full header the abused domain is “turstedsite.com”. The next article will brief this, so stay subscribed to alvistor.com in the below box.
