Header manipulation...?


Suppose I receive an email with this header:

Return-Path: Delivered-To: grelm@0 Received: (qmail 5923 invoked by uid 107); 10 Nov 2004

11:57:41 -0000 Received: from rrcs-11-222-33-444.west.biz.rr.com (HELO aflac.com) ( by s9006.hostcentric.net with SMTP; 10 Nov 2004 11:57:41

-0000 From: snipped-for-privacy@aflac.com To: snipped-for-privacy@mydomain.com Subject: ifgdqpvssnqmk Date: Wed, 10 Nov 2004 03:59:10 -0800 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0004_73A0935F.42C6F0F0" X-Priority: 3 X-MSMail-Priority: Normal

Is there any way that it did not come through ""?

That is, are there possible manipulations that might disguise the source server?

Here's why I ask:

About a month ago, I was flooded with email messages each of which had a virus attachment. The headers of all of these revealed that they came through "" (which, of course, is not the real IP address.)

I checked with a WhoIs, contacted the appropriate abuse folks, and, (you guessed it), they denied that they were the source.

There is more to the story, and the problem was solved after just a bit of pushing and shoving, but I remained curious.

Might they have been telling me the truth?

Sincere thanks,

Reply to
Loading thread data ...

On Wed, 10 Nov 2004 07:55:11 -0500, Kenneth spoketh

As e-mail moves from server to server (and sometimes, it may be routed through a few servers before it gets to you), each add their own headers to it, and they are added on top. So, the "Received" line closest to the top is the one added by the mail server that accepted the message on your behalf. It will list the IP Address of the server it is talking to when accepting the message, and most mail servers will also do a reverse lookup on the IP address, which is why you get both the FQDN and the IP address listed. Since this information is added by your mail server, it is unlikely that there's any type of header manipulation going on, at least with that header. It is possible to add in additional "received" lines to make it look like it's been routed through a number of servers, but that top one is difficult to manipulate unless they've hacked the mail server...

So, if that "biz.rr.com" address is the only one (or the top one), then it is very likely that the message either came from there, or at least was relayed through their mailserver.

Lars M. Hansen

formatting link
'badnews' with 'news' in e-mail address)

Reply to
Lars M. Hansen

Hi Lars,

I very much appreciate your help...

I want to make certain that I am understanding this correctly:

Suppose I receive an email with a virus attachment. When I look at the header, I should be looking for the IP address closest to the bottom to see where the message started its journey. Is that correct?

And also, you said that the top IP address would be difficult to manipulate. But, what about the bottom one (that is the IP address that is the sender's starting point?) Would that be any easier to manipulate?

I am asking all this for a specific reason:

Months ago, I received many hundreds of emails each day that had a version of the LOVGATE virus attached. Apparently, that is a mass mailing worm that was going around at the time.

Now, it is starting again. Currently, I receive about 25 of these each day.

I have little reason to believe that these are being sent to me maliciously. Rather, I assume that there is someone out there who has an infected system.

If the starting IP address is difficult, or impossible to manipulate, then it should be quite easy for me to contact the appropriate folks and stop the impending flood.

Thanks again for your help,

Reply to

Hitting ANY search engine - this happens to be

formatting link
plugging in

reading mail headers_____________________ Search Advanced Search Preferences Web Results 1 - 10 of about 595,000 for reading mail headers. (0.29 seconds)

The first two hits take you to

formatting link

Briefly, the ONLY headers you can trust are the headers that your system puts on the mail. _PROBABLY_ you can trust the headers your ISP's mail server puts on - but beyond that, it starts getting very chancy. Also, look at the sequence of the 'Received:" headers, and consider "does this make sense"? If "A" got the mail from "B", does the next header say that "B" got it from somewhere, or is there some completely different host (say "S") claiming to have gotten the mail from one of the moons of Jupiter or something.

Well, seeing as how is a block used by the (US) Department of Defense - probably not. However as that is probably your substitution of a more valid address, it is possible. More than half of the unwanted mail that I see comes through home (and business) systems connected to a high bandwidth (Cable, DSL) service. These systems are invariably windoze boxes in a default 'out-of-the-box' configuration, with no firewall, no anti-trojan, no anti-virus, and no anti-spyware software, and get taken over by spammers because the owner/user is to stupid to be using a digital watch, much less a computer.

Of course not. The spammer is not operating there at the moment. Did you actually get a real response from rr.com - OTHER THAN a auto- response full of meaningless BS?

Why should they? There are so many open hosts out there to be taken over to send spam, that the normal mode seems to be "in, send a ton of spam, get out, and move to the next sucker's system". Many abuse desks are either "staffed" by auto-responders, or the abuse mail goes straight to the bit-bucket, never to be seen again.

If you are referring to the apparent owner of the system, they could be telling the truth as they know it - they didn't send the spam, but the zombie program they don't know is running on the system did. Surely it's not _their_ fault, right?

Old guy

Reply to
Moe Trin

Hi Moe,

A few responses:

Yes, to my surprise, I did get a response of substance from Earthlink. First, I got an auto-responder with a bunch of suggestions. In that text there was information about how to take the matter further. I did, and to my surprise, received what I believe to be a response of substance.

We shall see if they actually do something to assist.

My earlier experience was with Pac Bell and was rather interesting:

I was being flooded with emails each of which had a virus attachment. The headers told me that these were coming through Pac Bell servers. Of course, I got nowhere.

I then called Pac Bell Customer Service. They said that they could do nothing (as I would expect.)

I said simply:

I will wait four hours. If I don't have this matter resolved, I will contact the office of the Attorney General of the State of California.

To my amazement, about two hours later, I received a call from a gentleman who described himself as the head of Security for Pac Bell. He insisted that the messages were not coming through his servers.

I said, "That's fine. I have no way to know. I will contact the Attorney General and perhaps they can sort it out."

That was the end of our conversation, and until two days ago, I did not receive another email with the virus attachment!

And now, back to the substance:

If I understand you correctly, because the headers cannot be trusted, there is, in essence, nothing that I can do about this situation.

Is that correct?

I guess that would be true if the messages were sent to me maliciously. If, as I suspect, they are being sent by a system that is infected with the worm (without the knowledge of its owner) then the headers are likely to be trustworthy, and thus, contacting the abuse folks might be of some help.

Would you agree?

Thanks for your comments,

Reply to

Hi Justin,

I am particularly interested in your last comment just above...

Suppose the originating IP is forged. How would I know who to contact about the abuse? And, in reality, were the header forged, could anything be done to prevent such a flood of messages from getting through?

Sincere thanks,

Reply to

in a non-forged email

trivial to forge, and much spam/virus mail comes with forged received lines.

However, it doesn't really matter. The sytem that your servers recorded as having sent the mail either originated it, or allowed a third party to relay that mail through it. They are the people to contact in either case.

Reply to
Justins local account

I am very surprised. I understand that all of Earthlink support (which includes the abuse desk) was outsourced to India about two years ago. The external satisfaction level has not been glowing.

To say the least. Pac Bell has a very poor reputation.

Were these actually Pac Bell mail servers (I vaguely recall that they have at least 15 different mail servers over 3 different address blocks), or directly from a zombie host on one of their networks. They have quite a lot of those.

Uhuh. Well, without seeing the headers, it's hard to say.

Normally, that works only within the state. But again, Pac Bell has a very poor reputation.

A lot depends on how you are set up now. You are posting from an attbi.com address, and I don't know how your mail is being received. At a previous ISP, they made no effort to control the inflow of garbage, and that was one reason I left. The current primary ISP I'm using uses some blocklists that drastically reduce the amount of spam coming in. In brief, they do not accept mail from "dynamic" addresses - meaning (for example) whole blocks from attbi (they accept mail from the attbi mail servers, but not from hosts with the words 'cable', 'client' 'dsl', 'dyn', or 'user' [among others] in the host name). Likewise, they don't accept mail where the remote host says "hello, my name is $FOO" where $FOO is the names of the local mail servers - or "my name is $IP.AD.RE,SS" where $IP.AD.RE,SS is the address of the local mail servers. They also do not accept mail from some of the more flagrant domains. See the Usenet newsgroup news.admin.net-abuse.blocklisting for more information.

As far as being trustworthy, you need to analyze the headers for a while, so that you know what is normal, and what is not. Some is quite obvious as for example this set of headers (from a posting to the Usenet newsgroup news.admin.net-abuse.sightings):

Received: from 216.82.94.XXX (71445678@[]) by mail.ZZZZZ.com (8.13.1/8.13.1) with SMTP id iABEq2D9009375 for ; Thu, 11 Nov 2004 09:52:08 -0500 Received: from planetarium widow (algebraic.koalaquash.com []) by (2.5.9/5.6.7) with ESMTP id OP6053364 for ;

The first header was put there by the poster's mail server, saying the mail transaction began with the remote host saying "Hi, my name is 216.82.94.XXX" (here munged to protect the victim), but the actual connection was from some host in Korea ( This guy's mail server accepted the mail, and one of the headers it contained was that second "Received:" line. That one just screams "bogus", because the claimed source address (allocated to CSC in the US) would have no reason to be sending mail to Korea to be forwarded, and that the claimed domain "koalaquash.com" does not exist either. Best guess from here: is a zombie, taken over by the spammer.

That's just one example, chosen at random by the way. The second header will often have other quite glaring errors, such as the missing timestamp, or a timestamp with a timezone quite different from the purported location of the host, IP addresses from blocks that don't exist (see

formatting link
and so on.

The _only_ thing you can possibly believe is the first received header, the "Received: from 216.82.94.XXX" header above. Virtually everything else is under control of the spammer/virus, and is almost certain to be false.

Now one thing you might be able to do is to ask whoever is running _your_ mail server why they are accepting mail from dynamic addresses. A lot of spam and nearly all viruses come from zombies that are mailing direct to your mail server, RATHER THAN handing the mail to their ISP's mail server and letting it do the delivery. But that is between you and the person running your mail server. There is a VERY frequent comment posted in responses in news.admin.net-abuse.blocklisting: "my mail server, my rules". This means that your mail server isn't REQUIRED to accept mail from hosts outside their network, unless there is some contract between that remote site and whoever runs your mail server.

Old guy

Reply to
Moe Trin

Going down the list, you contact the abuse address for the first IP address that you don't /know/ can be trusted.

If you have an agreement with your ISP to handle your email, you may wish to seek assurances that the headers inserted by their servers can be trusted (What headers do their systems insert for locally generated messages)

The IP address recorded by your server is responsible either for originating, or for relaying UCE/viruses. You don't care which. If they are not willing/able to deal with the issue, refuse to accept mail from them.

Reply to
Justins local account

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.