OT - Tracing Spoof Email???
#1
Banned.
Thread Starter
Join Date: Aug 2001
Posts: 20,917
Someone hijacked Nora's email address and sent a bunch of dirty email out in mass. Not to anyone in her address book - simply to a lot of email addresses. We know, because we got about 15 mailer-daemons (spam) back with the subject, and in some cases more info.
So, they did not get into her computer. We have changed passwords. Our McAfee is up to date and current, and a scan shows no infections, etc.
Apparently, they chose her email for some reason as the "from" address. I have communicated with AOL and they assure me there is nothing wrong with her account, and the "sent" folder shows only messages she has sent.
Is there any way that one (or someone) can tell from the Mailer-Daemons and other returns who was the culprit who sent the emails??
I suspect a neighbor down the street as a result of a recent unpleasantness.
#3
Sputnik - beep beep beep
Join Date: Oct 2008
Location: Louisville KY
Posts: 481
Bikes: '12 Jamis Coda Elite '09 Jamis Sputnik, '07 Jamis Eclipse, '13 Brompton M6R.
It's very difficult to trace. Basically, with the right program, you can insert any email address as the "From" person.
One of the common ways that people get email addresses is to copy those stupid "You have to see this" emails that encourage you to send it to everybody you know. The forwarding list includes dozens of emails that are easy to gather.
It's pretty harmless, unless one gets sent to her boss or something.
#4
Road Nazi Hunter
Join Date: Jul 2007
Location: Slow! But Ahead of You.
Posts: 409
Bikes: Kuota Kredo, Litespeed Vortex, Aegis Victory, Burley Tandem, Cannondale Rush
Spoof emails
I visited My Space and Facebook one time each and have received thousands of B.S. email since. Live and Learn.
Also, if your neighbor down the street knows your wife's email address, he can use it to create these emails. Before you go down the street and stomp your neighbor, see if your wife uses the free social sites.
#5
Senior Member
Join Date: May 2008
Posts: 2,712
Denver, email addresses are very easy to get. Even from places that one would think were "safe". I recently was checking the Terms Of Service from several sites, including this one, and discovered that many in very circumspect language say that they are free to do whatever they please with your information, including your IP and email.
In one case I got an email that was, in my opinion, pretty nasty from one of my own email addresses. What was I to do? I chose to respond to anyone who is offended and otherwise ignore it.
BUT, in my case my passwords and other identifying information I use for public forums like this are not even vaguely related to any I use for any transaction that has any meaning. I'm starting to believe that not all people are as careful.
Just part of the current age I guess.
#6
Senior Member
First thing I would do is get an email address that is only used for business. I made the mistake of using my main email to look at a friend's page on facebook and the B.S. began. Most all of the free social sites contain lurkers that find it funny to get into other people's business. If you visit any of those sites, get a free email address and use it. You can throw it away when you are done.
As to an address for "business": if you mean personal business that makes sense, but if you mean commercial Internet "business" like purchases or little-used sites you need to sign up for, be careful. That can be where spammers harvest your address. That is where it can help to have a spare web-based email account that you use when (and if) you sign up for things on the Internet. I have an @excite.com address I have used for that purpose for years. That account gets tons of stuff that I am not interested in - probably 20-30 a day. I simply skim through the message subjects and delete 90% of them without a second glance. In my other accounts (personal business) the vast majority of email is stuff I expect.
Last edited by donheff; 07-03-10 at 05:54 AM.
#7
gone ride'n
Join Date: Aug 2007
Location: Upstate NY
Posts: 4,050
Bikes: Simoncini, Gary Fisher, Specialized Tarmac
DF,
Yes - just like with snail mail you can put any return address into an email with the right email program and a cooperative email server. However what most people don't know is that emails can carry a lot more information about the path they took to get to your inbox.
With Microsoft Office Outlook and other email programs you can view the email header, and in that will be information about the originating email server that sent the message out. That won't tell you who sent it, but it will tell you from what provider it was sent. In that header is also a message ID - a unique serial number for that message. If the message was sent from a reputable provider they may be able and willing to track down just where (and who) the message came from. At that point you could initiate legal action.
#8
Old fart
Join Date: Nov 2004
Location: Appleton WI
Posts: 24,935
Bikes: Several, mostly not name brands.
If you want to trace the true origin of an email you need to look at the message headers, specifically the "Received:" lines. Although the sender's address can be trivially forged, the "Received:" header lines are added by each machine on the internet that handles that piece of mail and thus are not under the control of the sender. IOW, they are quite difficult to forge.
These header lines are normally suppressed by your mail client software, because most of the time you are more interested in the message content than how it was delivered to you. I use Mozilla's "Thunderbird" email program; to see the message headers you use CONTROL-U or from the main menu bar "View...Message Source." I suspect other email software e.g. Microsoft's Outlook or Outlook Express has a similar method.
Once you have the message source, you look at the "Received:" lines at the top of the text. Here's one from a recent PayPal "phishing" attempt:
Return-Path: <service@paypal.com>
Received: from mailserver.eagleshoes.com.cn ([61.145.9.75])
    by atuin.os2.dhs.org (8.14.4/8.13.8) with ESMTP id o5P011HR010485
    for <john@os2.dhs.org>; Thu, 24 Jun 2010 19:01:07 -0500 (CDT)
    (envelope-from service@paypal.com)
Received: from User ([211.241.199.209] RDNS failed) by mailserver.eagleshoes.com.cn with Microsoft SMTPSVC(6.0.3790.3959);
    Fri, 25 Jun 2010 07:37:32 +0800
Reply-To: <no-reply>
From: "PayPal"<service@paypal.com>
Subject: PayPal - Please Update Your PayPal Account !
Date: Fri, 25 Jun 2010 08:27:58 +0900
The "Return-Path:" and "From:" lines are trivially forged by the sender; here they are set to imply that the message came from paypal.com. The "Received:" lines don't lie, and show the true origin. Each computer that handles the message adds its own "Received:" line above the previous one, so the last "Received:" line shows the ultimate origin of the message. Sometimes there can be quite a list of these.
In this case, the last one shows that the message was sent from someone named "User" at IP address 211.241.199.209. A whois lookup of 211.241.199.209 shows:
KRNIC is not an ISP but a National Internet Registry similar to APNIC.
The following is organization information that is using the IPv4 address.
IPv4 Address : 211.241.199.128-211.241.199.255
Network Name : KRLINE-LLINE-IM
Connect ISP Name : HINETWORKS
Connect Date : 20030619
Registration Date : 20030709
Publishes : Y
[ Organization Information ]
Organization ID : ORG280300
Org Name : IMNETPIA
Address : Seocho4-dong, Seocho-gu, Seoul
Detail Address : 1303-16Alliancheu Gangnamsaok 8Fl.
Zip Code : 135-080
[ Technical Contact Information ]
Name : Kisun Kim
Org Name : IMNETPIA
Address : Seocho4-dong, Seocho-gu, Seoul
Detail Address : 1303-16Alliancheu Gangnamsaok 8Fl.
Zip Code : 135-080
Phone : +82-2-599-5633
E-Mail : kskim@imnetpia.com
Obviously, this is *NOT* paypal.com; the IP address in question is registered to a Korean business, quite likely a small internet service provider who resells access through the block of dynamically assigned IP addresses listed. If you feel motivated, you could contact the technical person through the email address provided. If you do complain, be sure to send the entire message, including all the header lines so the system administrator has a chance to use their system logs to track down who was responsible for the message.
The message was accepted by mailserver.eagleshoes.com.cn, which in turn relayed it to my mail server "atuin.os2.dhs.org" which tossed it to my spam filter which dumped it in my Junk folder. In any case, eagleshoes.com.cn should *NOT* be running an open email relay because spammers use them to distribute their messages freely. Running a "whois" query on mailserver.eagleshoes.com.cn's IP address (61.145.9.75) gives me (among other things) an "abuse" email address I can use to complain about their open relay and encourage them to tighten up their security to prevent this type of exploitation.
HTH...
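To go with the header walk described in posts #7 and #8, here is an added example that is not from the thread: a small Python script that does the same reading of the "Received:" lines programmatically. It re-types the phishing headers quoted above as a constructed sample message, splits each "Received:" line into the host the sender claimed, the bracketed address the receiving server actually logged, the receiving host and the timestamp, and then compares the relay path against the domain the forgeable "From:" and "Return-Path:" lines assert. The helper names (received_chain, origin, claimed_domains, path_matches_claim, trace) are my own. One caveat a practitioner should keep in mind: a sender can plant fake "Received:" lines of their own underneath the real ones, so the lines you can actually vouch for are the ones added by your own server and by relays it got the message from; walk down from your server and treat the first hop outside your trust boundary as the practical origin, then take that address to whois as the post shows.

```python
"""Walk the Received: chain of a raw message to find where it really entered
the mail system, independent of the forgeable From:/Return-Path: headers."""
import email
import re
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

# Constructed sample: the phishing headers quoted in the post above, re-typed
# as a raw message with a dummy body so the code runs offline.
SAMPLE = b"""Return-Path: <service@paypal.com>
Received: from mailserver.eagleshoes.com.cn ([61.145.9.75])
\tby atuin.os2.dhs.org (8.14.4/8.13.8) with ESMTP id o5P011HR010485
\tfor <john@os2.dhs.org>; Thu, 24 Jun 2010 19:01:07 -0500 (CDT)
\t(envelope-from service@paypal.com)
Received: from User ([211.241.199.209] RDNS failed) by mailserver.eagleshoes.com.cn with Microsoft SMTPSVC(6.0.3790.3959);
\t Fri, 25 Jun 2010 07:37:32 +0800
Reply-To: <no-reply>
From: "PayPal"<service@paypal.com>
Subject: PayPal - Please Update Your PayPal Account !
Date: Fri, 25 Jun 2010 08:27:58 +0900

Please update your account.
"""

# "from <host the sender claimed> (<what the receiver saw>) by <receiving host>"
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?P<info>.*?)\s+by\s+(?P<by>\S+)", re.S)
BRACKET_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")

def parse_received(value: str) -> dict:
    """One Received: header -> claimed host, logged IP, receiving host, time."""
    m = RECEIVED_RE.search(value)
    info = m.group("info") if m else ""
    hop = {"from": m.group("from") if m else None, "ip": None,
           "by": m.group("by") if m else None,
           "rdns_failed": "rdns failed" in info.lower(), "when": None}
    ip = BRACKET_IP_RE.search(info)
    if ip:
        try:
            hop["ip"] = str(ip_address(ip.group(1)))
        except ValueError:
            pass  # bracketed text that is not an address
    # The timestamp follows the last ';'; strip comments such as "(CDT)" first.
    stamp = re.sub(r"\([^)]*\)", "", value.rsplit(";", 1)[-1])
    try:
        hop["when"] = parsedate_to_datetime(" ".join(stamp.split()))
    except (TypeError, ValueError):
        pass  # missing or unparsable date
    return hop

def received_chain(raw: bytes) -> list:
    """Hops top to bottom: hop 0 was added by the server nearest you, the last
    hop by the first relay the sender talked to."""
    msg = email.message_from_bytes(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]

def origin(hops: list) -> tuple:
    """(claimed host, logged IP) from the bottom-most hop: the first relay's
    view of the sender. Only meaningful if every relay above it is trusted."""
    return (hops[-1]["from"], hops[-1]["ip"]) if hops else (None, None)

def claimed_domains(raw: bytes) -> set:
    """Domains asserted by From: and Return-Path:, which the sender sets freely."""
    msg = email.message_from_bytes(raw)
    found = set()
    for name in ("From", "Return-Path"):
        for value in msg.get_all(name, []):
            found.update(d.lower() for d in DOMAIN_RE.findall(value))
    return found

def path_matches_claim(hops: list, domain: str) -> bool:
    """True if any relay in the Received: chain sits in the claimed domain."""
    domain = domain.lower()
    for hop in hops:
        for host in (hop["from"], hop["by"]):
            h = (host or "").lower()
            if h == domain or h.endswith("." + domain):
                return True
    return False

def trace(raw: bytes) -> dict:
    """What the post does by hand: hop list, practical origin, and whether the
    relay path backs up what From: claims."""
    hops = received_chain(raw)
    claims = claimed_domains(raw)
    return {"hops": hops, "origin": origin(hops), "claimed": claims,
            "trusted_boundary": hops[0]["by"] if hops else None,
            "path_matches_claim": any(path_matches_claim(hops, d) for d in claims)}

if __name__ == "__main__":
    report = trace(SAMPLE)
    for i, h in enumerate(report["hops"]):
        flag = "  (reverse DNS lookup failed)" if h["rdns_failed"] else ""
        print(f"hop {i}: {h['from']} [{h['ip']}] -> {h['by']} at {h['when']}{flag}")
    print("claimed:", sorted(report["claimed"]),
          "| relay path matches claim:", report["path_matches_claim"])
    print("origin as logged by the first relay:", report["origin"])
```

Run against the sample it reports two hops, an origin of ("User", "211.241.199.209") with a failed reverse DNS lookup, a trusted boundary of atuin.os2.dhs.org, and that no relay in the path belongs to paypal.com, which is exactly the mismatch the post spots by eye. The "RDNS failed" flag and the bracketed address are worth more than the "from" host name, since the receiving server logged those itself while the name is whatever the sender said in its HELO. Feed the bottom-most logged address to whois as the post does; that step needs the network and is left out here.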
#9
Randomhead
Join Date: Aug 2008
Location: Happy Valley, Pennsylvania
Posts: 24,363
Just to show how easy it is, check in your spam filter to see how many of the spams came from your own email address. I don't know if that helps get past some filters, or if it's just convenient for them.
#10
Senior Member
It used to be common for viruses to turn the victim machine into a spambot, and insert addresses found on the victim machine into the 'from' field. If that's what is happening, it could be anyone who has your wife's email address saved. They probably don't even know it's happening.
#12
Senior Member
I just had the same problem a couple of weeks ago. I had to go in and change email passwords on our home Internet account - that seemed to stop it.
#14
Senior Member
Join Date: Sep 2009
Location: Metro Detroit
Posts: 383
Bikes: 15 Specialized Crosstrail, 83 Schwinn Traveller, Fuji Sport
This is actually fairly common. All emails pass through a variety of relay servers before ending up where they belong. Email hackers use "sniffer" programs to watch traffic on common relays and harvest addresses. There is a thriving black market on the "shadow net" in email lists. Most buyers use them to send bulk spam but some have programs that try and crack the passwords on various accounts then use them either for general mischief or to transmit illegal materials.
First, use a good password or actually a passphrase which includes upper and lower case letters and numbers. These are much more difficult to crack.
A password that is one or two words found in a dictionary can usually be cracked in less than a minute by programs designed for the purpose.
Second get a web based email account that has robust anti-hacker protection, I recommend gmail from google. They also have excellent spam filters.