OT - Tracing Spoof Email???


Old 07-02-10, 06:30 PM
  #1  
DnvrFox
Banned.
Thread Starter
 
DnvrFox's Avatar
 
Join Date: Aug 2001
Posts: 20,917
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)
Likes: 0
Liked 12 Times in 10 Posts
OT - Tracing Spoof Email???

Someone hijacked Nora's email address and sent a bunch of dirty email out in mass. Not to anyone in her address book - simply to a lot of email addresses. We know, because we got about 15 mailer-daemons (spam) back with the subject, and in some cases more info.

So, they did not get into her computer. We have changed passwords. Our McAfee is up to date and current, and a scan shows no infections, etc.

Apparently, they chose her email for some reason as the "from" address. I have communicated with AOL and they assure me there is nothing wrong with her account, and the "sent" folder shows only messages she has sent.

Is there any way that one (or someone) can tell from the Mailer-Daemons and other returns who was the culprit who sent the emails??

I suspect a neighbor down the street as a result of a recent unpleasantness.
DnvrFox is offline  
Old 07-02-10, 06:34 PM
  #2  
DX-MAN
Banned
 
Join Date: Jun 2009
Posts: 4,788
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)
Likes: 0
Liked 2 Times in 2 Posts
That has happened with my e-mail, as well; I changed carriers, and discovered that they just moved on to my Facebook account.

MAJOR change in access.............
DX-MAN is offline  
Old 07-02-10, 06:55 PM
  #3  
Wake
Sputnik - beep beep beep
 
Wake's Avatar
 
Join Date: Oct 2008
Location: Louisville KY
Posts: 481

Bikes: '12 Jamis Coda Elite '09 Jamis Sputnik, '07 Jamis Eclipse, '13 Brompton M6R.

Mentioned: 1 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)
Likes: 0
Liked 1 Time in 1 Post
It's very difficult to trace. Basically, with the right program, you can insert any email address as the "From" person.

One of the common ways that people get email addresses is to copy those stupid "You have to see this" emails that encourage you to send it to everybody you know. The forwarding list includes dozens of emails that are easy to gather.

It's pretty harmless, unless one gets sent to her boss or something.
Wake is offline  
Old 07-02-10, 07:00 PM
  #4  
Donegal
Road Nazi Hunter
 
Donegal's Avatar
 
Join Date: Jul 2007
Location: Slow! But Ahead of You.
Posts: 409

Bikes: Kuota Kredo, Litespeed Vortex, Aegis Victory, Burley Tandem, Cannondale Rush

Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)
Likes: 0
Liked 0 Times in 0 Posts
Spoof emails

Originally Posted by DnvrFox
Someone hijacked Nora's email address and sent a bunch of dirty email out in mass. Not to anyone in her address book - simply to a lot of email addresses. We know, because we got about 15 mailer-daemons (spam) back with the subject, and in some cases more info.

So, they did not get into her computer. We have changed passwords. Our McAfee is up to date and current, and a scan shows no infections, etc.

Apparently, they chose her email for some reason as the "from" address. I have communicated with AOL and they assure me there is nothing wrong with her account, and the "sent" folder shows only messages she has sent.

Is there any way that one (or someone) can tell from the Mailer-Daemons and other returns who was the culprit who sent the emails??

I suspect a neighbor down the street as a result of a recent unpleasantness.
First thing I would do is get an email address that is only used for business. I made the mistake of using my main email to look at a friend's page on facebook and the B.S. began. Most all of the free social sites contain lurkers that find it funny to get into other people's business. If you visit any of those sites, get a free email address and use it. You can throw it away when you are done.

I visited My Space and Facebook one time each and have received thousands of B.S. email since. Live and Learn.

Also, if your neighbor down the street knows your wife's email address, he can use it to create these emails. Before you go down the street and stomp your neighbor, see if your wife uses the free social sites.
Donegal is offline  
Old 07-03-10, 01:35 AM
  #5  
ModeratedUser150120149
Senior Member
 
Join Date: May 2008
Posts: 2,712
Mentioned: 1 Post(s)
Tagged: 0 Thread(s)
Quoted: 41 Post(s)
Likes: 0
Liked 1 Time in 1 Post
Denver, email addresses are very easy to get. Even from places that one would think were "safe". I recently was checking the Terms Of Service from several sites, including this one, and discovered that many in very circumspect language say that they are free to do whatever they please with your information, including your IP and email.

In one case I got an email that was, in my opinion, pretty nasty from one of my own email addresses. What was I to do? I chose to respond to anyone who is offended and otherwise ignore it.

BUT, in my case my passwords and other identifying information I use for public forums like this are not even vaguely related to any I use for any transaction that has any meaning. I'm starting to believe that not all people are as careful.

Just part of the current age I guess.
ModeratedUser150120149 is offline  
Old 07-03-10, 05:49 AM
  #6  
donheff
Senior Member
 
donheff's Avatar
 
Join Date: Jun 2007
Location: Capitol Hill, Washington, DC
Posts: 1,503

Bikes: Specialized Tricross Comp, Custom Steel Sport Touring, Specialized Turbo Vado 4.0 SL

Mentioned: 2 Post(s)
Tagged: 0 Thread(s)
Quoted: 59 Post(s)
Liked 40 Times in 27 Posts
Originally Posted by Donegal
First thing I would do is get an email address that is only used for business. I made the mistake of using my main email to look at a friend's page on facebook and the B.S. began. Most all of the free social sites contain lurkers that find it funny to get into other people's business. If you visit any of those sites, get a free email address and use it. You can throw it away when you are done.

I visited My Space and Facebook one time each and have received thousands of B.S. email since. Live and Learn.

Also, If you neighbor down the street knows your wife's email address, he can use it to create these emails. Before you go down the street and stomp your neighbor, see if your wife uses the free social sites.
I think you ran into some other problem. Either you did something else that exposed your address at about the same time you visited Facebook or you made your entire Facebook profile including your email address public which would be asking for spam. It isn't like lurkers can hang out in cyberspace and see your email address floating by when you visit Facebook.

As to an address for "business": if you mean personal business, that makes sense, but if you mean commercial Internet "business" like purchases or little-used sites you need to sign up for, be careful. That can be where spammers harvest your address. That is where it can help to have a spare web-based email account that you use when (and if) you sign up for things on the Internet. I have an @excite.com address I have used for that purpose for years. That account gets tons of stuff that I am not interested in - probably 20-30 a day. I simply skim through the message subjects and delete 90% of them without a second glance. In my other accounts (personal business) the vast majority of email is stuff I expect.

Last edited by donheff; 07-03-10 at 05:54 AM.
donheff is offline  
Old 07-03-10, 06:34 AM
  #7  
cyclinfool
gone ride'n
 
cyclinfool's Avatar
 
Join Date: Aug 2007
Location: Upstate NY
Posts: 4,050

Bikes: Simoncini, Gary Fisher, Specialized Tarmac

Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)
Likes: 0
Liked 1 Time in 1 Post
DF,

Yes - just like with snail mail you can put any return address into an email with the right email program and a cooperative email server. However what most people don't know is that emails can carry a lot more information about the path they took to get to your inbox.

With Microsoft office outlook and other email programs you can view the email header and in that will be information about the originating email server that sent the message out. That won't tell you who sent it but it will tell you from what provider it was sent. In that header is also a message ID - a unique serial number for that message. If the message was sent from a reputable provider they may be able and willing to track down just where (and who) the message came from. At that point you could initiate legal action.

cyclinfool is offline  
Old 07-03-10, 05:22 PM
  #8  
JohnDThompson 
Old fart
 
JohnDThompson's Avatar
 
Join Date: Nov 2004
Location: Appleton WI
Posts: 24,935

Bikes: Several, mostly not name brands.

Mentioned: 153 Post(s)
Tagged: 0 Thread(s)
Quoted: 3571 Post(s)
Liked 3,367 Times in 1,916 Posts
If you want to trace the true origin of an email you need to look at the message headers, specifically the "Received:" lines. Although the sender's address can be trivially forged, the "Received:" header lines are added by each machine on the internet that handles that piece of mail and thus are not under the control of the sender. IOW, they are quite difficult to forge.

These header lines are normally suppressed by your mail client software, because most of the time you are more interested in the message content than how it was delivered to you. I use Mozilla's "Thunderbird" email program; to see the message headers you use CONTROL-U or from the main menu bar "View...Message Source." I suspect other email software e.g. Microsoft's Outlook or Outlook Express has a similar method.

Once you have the message source, you look at the "Received:" lines at the top of the text. Here's one from a recent PayPal "phishing" attempt:

Return-Path: <service@paypal.com>
Received: from mailserver.eagleshoes.com.cn ([61.145.9.75])
        by atuin.os2.dhs.org (8.14.4/8.13.8) with ESMTP id o5P011HR010485
        for <john@os2.dhs.org>; Thu, 24 Jun 2010 19:01:07 -0500 (CDT)
        (envelope-from service@paypal.com)
Received: from User ([211.241.199.209] RDNS failed) by mailserver.eagleshoes.com.cn with Microsoft SMTPSVC(6.0.3790.3959);
        Fri, 25 Jun 2010 07:37:32 +0800
Reply-To: <no-reply>
From: "PayPal"<service@paypal.com>
Subject: PayPal - Please Update Your PayPal Account !
Date: Fri, 25 Jun 2010 08:27:58 +0900

The "Return-Path:" and "From:" lines are trivially forged by the sender; here they are set to imply that the message came from paypal.com. The "Received:" lines don't lie, and show the true origin. Each computer that handles the message adds its own "Received:" line above the previous one, so the last "Received:" line shows the ultimate origin of the message. Sometimes there can be quite a list of these.

In this case, the last one shows that the message was sent from someone named "User" at IP address 211.241.199.209. A whois lookup of 211.241.199.209 shows:

KRNIC is not an ISP but a National Internet Registry similar to APNIC.
The following is organization information that is using the IPv4 address.

IPv4 Address : 211.241.199.128-211.241.199.255
Network Name : KRLINE-LLINE-IM
Connect ISP Name : HINETWORKS
Connect Date : 20030619
Registration Date : 20030709
Publishes : Y

[ Organization Information ]
Organization ID : ORG280300
Org Name : IMNETPIA
Address : Seocho4-dong, Seocho-gu, Seoul
Detail Address : 1303-16Alliancheu Gangnamsaok 8Fl.
Zip Code : 135-080

[ Technical Contact Information ]
Name : Kisun Kim
Org Name : IMNETPIA
Address : Seocho4-dong, Seocho-gu, Seoul
Detail Address : 1303-16Alliancheu Gangnamsaok 8Fl.
Zip Code : 135-080
Phone : +82-2-599-5633
E-Mail : kskim@imnetpia.com

Obviously, this is *NOT* paypal.com; the IP address in question is registered to a Korean business, quite likely a small internet service provider who resells access through the block of dynamically assigned IP addresses listed. If you feel motivated, you could contact the technical person through the email address provided. If you do complain, be sure to send the entire message, including all the header lines so the system administrator has a chance to use their system logs to track down who was responsible for the message.

The message was accepted by mailserver.eagleshoes.com.cn, which in turn relayed it to my mail server "atuin.os2.dhs.org" which tossed it to my spam filter which dumped it in my Junk folder. In any case, eagleshoes.com.cn should *NOT* be running an open email relay because spammers use them to distribute their messages freely. Running a "whois" query on mailserver.eagleshoes.com.cn's IP address (61.145.9.75) gives me (among other things) an "abuse" email address I can use to complain about their open relay and encourage them to tighten up their security to prevent this type of exploitation.

HTH...
JohnDThompson is online now  
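The header walk that cyclinfool (#7) and JohnDThompson (#8) describe can be automated. The script below is an added example and is not code from either poster or from this forum; it takes the header lines quoted in post #8 (re-folded with leading whitespace so a parser accepts them, otherwise copied as shown), extracts each "Received:" hop, and reports two things: the bottom-most "from" IP, which is what the post calls the ultimate origin, and the furthest hop that can actually be vouched for. The second one matters because each server only vouches for the "Received:" line it added itself; lines further down were written by machines outside your control, so walking down the chain you can trust a hop only while the "by" server on that line is one of your own. The set of trusted server names is an assumption for the example; replace it with your own mail server's name.

```python
import re
from email import message_from_string

# Header lines quoted in post #8 above, re-folded with leading whitespace on
# continuation lines as a mail client would store them (no body).
SAMPLE_HEADERS = """\
Return-Path: <service@paypal.com>
Received: from mailserver.eagleshoes.com.cn ([61.145.9.75])
 by atuin.os2.dhs.org (8.14.4/8.13.8) with ESMTP id o5P011HR010485
 for <john@os2.dhs.org>; Thu, 24 Jun 2010 19:01:07 -0500 (CDT)
 (envelope-from service@paypal.com)
Received: from User ([211.241.199.209] RDNS failed) by mailserver.eagleshoes.com.cn with Microsoft SMTPSVC(6.0.3790.3959);
 Fri, 25 Jun 2010 07:37:32 +0800
Reply-To: <no-reply>
From: "PayPal"<service@paypal.com>
Subject: PayPal - Please Update Your PayPal Account !
Date: Fri, 25 Jun 2010 08:27:58 +0900

"""

IPV4 = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')
FROM = re.compile(r'^from\s+(\S+)', re.IGNORECASE)
BY = re.compile(r'\bby\s+(\S+)', re.IGNORECASE)


def unfold(value):
    """Join a folded header (newline + leading whitespace) back into one line."""
    return re.sub(r'\s*\r?\n\s+', ' ', value).strip()


def parse_received(raw_message):
    """Return one dict per Received: header, in header order.

    The first entry is the line added by the server closest to the
    recipient; the last entry is the one the sender's side claims.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all('Received', []):
        line = unfold(value)
        m_from = FROM.match(line)
        m_by = BY.search(line)
        # The bracketed IP between "from" and "by" is the peer address the
        # receiving server actually saw on the TCP connection.
        head = line[:m_by.start()] if m_by else line
        m_ip = IPV4.search(head)
        # Everything after the last ';' is the timestamp; drop comments like (CDT).
        tail = line.rsplit(';', 1)[1] if ';' in line else ''
        date = re.sub(r'\s*\([^)]*\)', '', tail).strip() or None
        hops.append({
            'from': m_from.group(1) if m_from else None,
            'from_ip': m_ip.group(1) if m_ip else None,
            'by': m_by.group(1).rstrip(';') if m_by else None,
            'date': date,
        })
    return hops


def claimed_origin(hops):
    """IP on the bottom-most Received: line (the 'ultimate origin' in post #8)."""
    return hops[-1]['from_ip'] if hops else None


def last_verifiable_ip(hops, trusted_servers):
    """Walk down from the recipient while each line was added by a server we
    run ourselves; the from-IP on the last such line is the furthest hop we
    can vouch for. Lines below it were written by someone else's machine."""
    ip = None
    for hop in hops:
        if hop['by'] not in trusted_servers:
            break
        ip = hop['from_ip']
    return ip


if __name__ == '__main__':
    # Assumed: atuin.os2.dhs.org is the recipient's own server.
    chain = parse_received(SAMPLE_HEADERS)
    for i, hop in enumerate(chain):
        print(f"hop {i}: from={hop['from']} [{hop['from_ip']}] by={hop['by']} at {hop['date']}")
    print('claimed origin:', claimed_origin(chain))
    print('last verifiable:', last_verifiable_ip(chain, {'atuin.os2.dhs.org'}))
```

Paste the full message source (Thunderbird's "View... Message Source") in place of SAMPLE_HEADERS and the output lists every hop with the address the relay saw. For the sample, the claimed origin is 211.241.199.209, but the only hop the recipient's own server can vouch for is 61.145.9.75 (the eagleshoes relay); the Korean address rests on a line that relay wrote, which is why the post's advice to send the complete headers to that relay's abuse contact is the right next step.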
Old 07-03-10, 05:28 PM
  #9  
unterhausen
Randomhead
 
Join Date: Aug 2008
Location: Happy Valley, Pennsylvania
Posts: 24,363
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 4 Post(s)
Liked 3,664 Times in 2,497 Posts
Just to show how easy it is, check in your spam filter to see how many of the spams came from your own email address. I don't know if that helps get past some filters, or if it's just convenient for them.
unterhausen is offline  
Old 07-03-10, 06:32 PM
  #10  
BlazingPedals
Senior Member
 
BlazingPedals's Avatar
 
Join Date: Dec 2004
Location: Middle of da Mitten
Posts: 12,474

Bikes: Trek 7500, RANS V-Rex, Optima Baron, Velokraft NoCom, M-5 Carbon Highracer, Catrike Speed

Mentioned: 14 Post(s)
Tagged: 0 Thread(s)
Quoted: 1511 Post(s)
Liked 733 Times in 454 Posts
It used to be common for viruses to turn the victim machine into a spambot, and insert addresses found on the victim machine into the 'from' field. If that's what is happening, it could be anyone who has your wife's email address saved. They probably don't even know it's happening.
BlazingPedals is offline  
Old 07-03-10, 08:29 PM
  #11  
DnvrFox
Banned.
Thread Starter
 
DnvrFox's Avatar
 
Join Date: Aug 2001
Posts: 20,917
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 0 Post(s)
Likes: 0
Liked 12 Times in 10 Posts
Thanks for all the feedback and suggestions. WOW!! Worse than obscene phone calls. I guess the nuts of the world will always find a way.
DnvrFox is offline  
Old 07-03-10, 08:32 PM
  #12  
BengeBoy 
Senior Member
 
BengeBoy's Avatar
 
Join Date: Jul 2007
Location: Seattle, Washington, USA
Posts: 6,955

Bikes: 2009 Chris Boedeker custom; 2007 Bill Davidson custom; 2021 Bill Davidson custom gravel bike; 2022 Specialized Turbo Vado e-bike

Mentioned: 2 Post(s)
Tagged: 0 Thread(s)
Quoted: 4 Post(s)
Liked 9 Times in 8 Posts
I just had the same problem a couple of weeks ago. I had to go in and change email passwords on our home Internet account - that seemed to stop it.
BengeBoy is offline  
Old 07-03-10, 09:12 PM
  #13  
Louis
Senior Member
 
Join Date: Dec 2001
Posts: 4,868
Mentioned: 3 Post(s)
Tagged: 0 Thread(s)
Quoted: 8 Post(s)
Likes: 0
Liked 10 Times in 4 Posts
It happened to me two years ago; ended up changing my email address. Big PITA.
Louis is offline  
Old 07-03-10, 10:52 PM
  #14  
Laserman
Senior Member
 
Laserman's Avatar
 
Join Date: Sep 2009
Location: Metro Detroit
Posts: 383

Bikes: 15 Specialized Crosstrail, 83 Schwinn Traveller, Fuji Sport

Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Quoted: 1 Post(s)
Likes: 0
Liked 1 Time in 1 Post
This is actually fairly common. All emails pass through a variety of relay servers before ending up where they belong. Email hackers use "sniffer" programs to watch traffic on common relays and harvest addresses. There is a thriving black market on the "shadow net" in email lists. Most buyers use them to send bulk spam, but some have programs that try to crack the passwords on various accounts and then use them either for general mischief or to transmit illegal materials.
First, use a good password or actually a passphrase which includes upper and lower case letters and numbers. These are much more difficult to crack.
A password that is one or two words found in a dictionary can usually be cracked in less than a minute by programs designed for the purpose.
Second get a web based email account that has robust anti-hacker protection, I recommend gmail from google. They also have excellent spam filters.
Laserman is offline  

Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.