Email headers -- the last of the "black arts"?

If you use email, you know about spam. Some of it is legitimate, and includes a link to unsubscribe. You get that because you bought something online and left the little box checked giving them permission to send you "special offers". Big mistake. But the vast majority of spam is not legitimate. The spammers use computer programs to make a list of every domain name in existence, then generate a list of every possible combination of 2-10 letters as usernames, and send email to all those combinations at every domain: al@example.com, bob@example.com, bill@example.com, borgmeister@example.com, carl@example.com, capillary@example.com, etc. What? Isn't that millions? Gazillions? Yes, but so what? It's free.

We know about a spammer in Texas who sends out 20,000,000 emails every day, 24-7. Probably 18,000,000 of them bounce, but if 2,000,000 a day get delivered somewhere, and the response-and-purchase rate is just 1/4 of 1%, that's 50,000 orders each day. Of course, he's breaking the law. Besides prison, the biggest downside of a business model like this is the 18,000,000 bounced emails coming back. What's an honest criminal to do? Simple. Forge the headers so the bounces go to someone else, and let them worry about the crashed mail server, the honest companies offline for 8 hours, the thousands of people inconvenienced, the thousands (or millions) of dollars lost in man-hours and lost contracts, etc.

<soapbox>As you are probably aware, the government is doing virtually nothing about the problem, while the company best positioned to develop a solution, Microsoft, is arguably the biggest spammer of them all. Money talks.</soapbox>

Have you ever gotten an email that seems to come from someone you know, but advertising porn? Have you gotten emails that seem to come from legitimate businesses, like banks, eBay, or PayPal, and are trying to get your credit card number? Have you gotten spam from yourself? If you haven't, you will, and these are all cases of criminals using forged headers to escape detection.

What can you do about it? What are headers, anyway? When does this article get to the point? Patience, grasshopper.

There are three things you can do:

1. Delete them, and move on.
2. Change your email username to as9edtfhenctdbrufkq0kehrou7hd5nj66kdyst56hdbsr@whatever.com
3. Copy the headers, and send them to the FTC (lot of good that will do).
4. If you have a few minutes, and want to aggravate a spammer, track down the source of the email, and submit an Abuse Report. In some cases, that will cause their ISP account to be shut down.

That sounds like fun! Hence, the reason for this post.

Headers are pieces of data that travel with an email, so that each Mail Transfer Agent (MTA) between the starting point and the delivery point knows what to do with it. They are embedded in the email, so usually all you see are the TO and FROM headers, but if your email client lets you see the raw view of the email, you can see all of them. There are many, but not all are used in every case. When you send an email, your email client sets these for you, correctly, but a spammer uses a program to generate the emails, so the headers (most of them) can be forged or disguised. The headers can include (among others):

TO, FROM, REPLY-TO, DATE, SUBJECT, CC, BCC, X-MAILER, MESSAGE-ID, RECEIVED, APPARENTLY-TO, CONTENT-TRANSFER-ENCODING, CONTENT-TYPE, MIME-VERSION, PRIORITY

For all practical purposes, all of these can be forged. The trick to analyzing headers is to look at the IP address associated with the Received headers.

As an example (thanks to stopspam.org):

    Received: from unwilling.intermediary.com (unwilling.intermediary.com [98.134.11.32])
        by mail.bieberdorf.edu (8.8.5) id 004B32 for ; Wed, Jul 30 1997 16:39:50 -0800 (PST)
    Received: from turmeric.com ([104.128.23.115])
        by unwilling.intermediary.com (8.6.5/8.5.8) with SMTP id LAA12741; Wed, Jul 30 1997 19:36:28 -0500 (EST)
    From: Anonymous Spammer
    To: (recipient list suppressed)
    Message-Id:
    X-Mailer: Massive Annoyance
    Subject: WANT TO MAKE ALOT OF MONEY???

In the example, the Received headers show two sources, meaning that the original source handed off the email to another MTA, which relayed it. Both mail servers show a domain name, which can be forged, but each MTA also adds the CORRECT IP address of the host it received the message from. If you check this out, you will find that 104.128.23.115 does not resolve back to turmeric.com, as it appears to.

The procedure, then, is this:

1. Look at the IP address in the last (bottom-most) Received header; that is the host the email originally came from.
2. Resolve that IP to a domain name, using any of several websites that give you access to the Unix "nslookup" facility.
3. Send a copy of the headers to abuse@<thatdomain>.

Since the "abuse" email address always goes to the relevant ISP, this will often cause trouble for the spammer.

Links: stopspam.org, nslookup utility
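To make the procedure above concrete, here is an added example (not from the original post or from stopspam.org) that parses the Received chain of a raw message with Python's standard library and picks out the bottom-most IP, the one to resolve and report; it goes a step further than the post by also checking that each relay's "by" host matches the "from" host above it and by listing hops where the receiving MTA recorded no reverse-DNS name. The sample headers are a constructed adaptation of the example above, with the recipient and Message-Id omitted and a placeholder From address.

```python
import email
import re

# Constructed sample adapted from the post's stopspam.org headers (recipient and
# Message-Id omitted; the From address is a placeholder, not a real mailbox).
RAW = (
    "Received: from unwilling.intermediary.com (unwilling.intermediary.com [98.134.11.32])\n"
    "\tby mail.bieberdorf.edu (8.8.5) id 004B32; Wed, Jul 30 1997 16:39:50 -0800 (PST)\n"
    "Received: from turmeric.com ([104.128.23.115])\n"
    "\tby unwilling.intermediary.com (8.6.5/8.5.8) with SMTP id LAA12741;"
    " Wed, Jul 30 1997 19:36:28 -0500 (EST)\n"
    "From: Anonymous Spammer <spammer@example.invalid>\n"
    "Subject: WANT TO MAKE ALOT OF MONEY???\n\nbody\n"
)

def parse_hop(value):
    """Pick the useful fields out of one Received: header value."""
    flat = " ".join(value.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", flat, re.I)
    m_by = re.search(r"\bby\s+(\S+)", flat, re.I)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
    paren = (m_from.group(2) or "") if m_from else ""
    return {
        "claimed": m_from.group(1) if m_from else None,  # HELO name: forgeable
        "rdns": paren.split("[")[0].strip() or None,      # name the MTA looked up
        "ip": m_ip.group(1) if m_ip else None,            # written by the MTA itself
        "by": m_by.group(1) if m_by else None,
    }

def received_hops(raw):
    """All Received: headers, top-down (most recent relay first)."""
    msg = email.message_from_string(raw)
    return [parse_hop(v) for v in msg.get_all("Received", [])]

def origin_ip(raw):
    """IP in the LAST Received: header: the host that injected the message."""
    hops = received_hops(raw)
    return hops[-1]["ip"] if hops else None

def chain_breaks(raw):
    """Indexes where a hop's 'from' host is not the 'by' host of the hop below it.
    A genuine chain reads: by A from B / by B from C. A break suggests the lower
    headers were pasted in by the sender rather than added by real relays."""
    hops = received_hops(raw)
    return [i for i in range(len(hops) - 1) if hops[i]["claimed"] != hops[i + 1]["by"]]

def unverified_hops(raw):
    """Claimed names with no reverse-DNS name recorded beside them, so they rest on
    the sender's word alone and the IP must be resolved by hand (nslookup/whois)."""
    return [h["claimed"] for h in received_hops(raw) if h["rdns"] is None]
```

Running origin_ip(RAW) gives 104.128.23.115, the address to resolve and whose owner's abuse@ mailbox gets the report; unverified_hops(RAW) lists turmeric.com as the only name not backed by a reverse lookup, and chain_breaks(RAW) is empty because the relay chain is consistent.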
