Dissecting a Spam Message

I found an article that I had written back in 2006. Some of the details are outdated, such as my domain, but much of it is still accurate and relevant.

Well, here’s a topic that has been beaten to death. When it comes to dealing with spam, it seems all of our collective efforts have been focused on dealing with the problem after the fact, after the message has already been sent.

We have lots of spam control options. Some reside on the servers of the ISPs, others reside on locally hosted email servers, and still many others reside on the end user’s desktop in the form of filters. Yet there seems to be absolutely nothing available to stop the spam messages from being sent in the first place.

Email is all about sending the actual message. Email programs don’t care if the recipient exists or not, nor do they care if the sender is who they say they are. It seems that we should spend our collective, global energy on disallowing the sending of messages if the recipient or the sender is false or does not exist, or if the sender’s claimed identity doesn’t add up.

For example, if I say I’m from eBay (From: “eBay Center”<security-center@ebay.com>, a forged header) and I don’t have an eBay IP address, I shouldn’t be allowed to send the message. Either the email program or some router should figure it out and forbid the message from being sent in the first place.

Let’s take a spam message I received and analyze it carefully. It’s a phishing attempt to try to get me to log in to my eBay account using their link, and therefore give away my password, have my credit card info stolen, and be the victim of fraud.

Let’s take a look at some actual headers, then dissect them, and understand how this message is sent.  The first thing to understand is that absolutely everything in the example below can be forged.  My domain and email address are no secret, and they can be readily accessed from any browser.  This explains why I am the target of so much spam.  I’m quite sure my address has been harvested by programs looking for email addresses on websites.

Received: from VWILSON [] by mountainnetworks.com with ESMTP
(SMTPD-9.04) id ACCD0240; Fri, 08 Dec 2006 13:44:45 -0800

Ok, here is the first part of the header. The domain mountainnetworks.com is my domain, and that’s for real. If we go to http://www.dnstuff.com and look up the IP address of, we see that belongs to Comcast. It’s possible that this is a DHCP address being used by a computer on a Comcast internet connection. It is also just as possible that a spam-sending software program randomly inserts this IP from a list of known, popular ISPs.

There is some language in this first part of the header that says “ESMTP.” ESMTP stands for Extended Simple Mail Transfer Protocol. ESMTP provides the capability for a client e-mail program to ask a server e-mail program which capabilities it supports and then communicate accordingly. Currently, most commercial e-mail servers and clients support ESMTP.

Next we see this: (SMTPD-9.04). Processes ending in “d” are most likely Unix or Linux processes called “daemons.” If we accept what we see at face value, and assume that up to this point the headers have not been forged (which they probably were), we see that an email was received from a Comcast address by my server using the extended protocol and a Linux or Unix daemon, probably version 9.04. The email is given an id and stamped with a date and a time.

Received: from User ([]) by VWILSON with Microsoft SMTPSVC(5.0.2195.2966); Fri, 8 Dec 2006 13:49:36 -0800

Here we see an IP address, which according to DNSSTUFF is from Romania. The header says the message came “from User” and was received “by VWILSON” using a Microsoft SMTP agent, and it gives the date and the time. If I understand this correctly, the first thing we should focus our technology on is prohibiting the sending of messages from sources which can’t be authenticated. “From User” should be rejected, as should “VWILSON”. The program should ask, “who is VWILSON?” Do I have “VWILSON” in my database of authenticated email accounts? Am I VWILSON? Is that my login or profile name? Am I in a known eBay subnet? Do I have an eBay IP address?

Reply-To: <noreply@ebay.com>
From: “eBay Center”<security-center@ebay.com>
Subject: Several login attempts from a foreign IP address
Date: Fri, 8 Dec 2006 23:44:46 +0200
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Return-Path: security-center@ebay.com
Message-ID: <vwilsonphwfutjltosj00000386@vwilson>
X-OriginalArrivalTime: 08 Dec 2006 21:49:36.0656 (UTC) FILETIME=[C11C3100:01C71B12]
X-RCPT-TO: <–sniped-for-obvious-reasons–@mountainnetworks.com>
Status: U
X-UIDL: 454681969
X-IMail-ThreadID: dccd00ad0000a4be

All the rest of this information is generated after the message is created, and can be easily modified before the spammer clicks “send.” But the only information the spammer is interested in forging is the sender, the return path and the “from”. Let’s help each other understand the more obscure language in this section of the email. I’ll start from the bottom.

The X-IMail-ThreadID is a unique ID for the message that corresponds to log entries and processing files on the IMail server during processing. 

IMail is an email server software product made by IPSwitch.

X-UIDL stands for Unique ID Listing, a POP3 mail server function that assigns a unique number to each incoming mail message. This allows mail to be left on the server after it has been downloaded by the user. Both the mail client and the POP server must support this feature. If you configure your email client to “Leave a copy of the message on the server,” this is the part of the email that makes that possible.

Status U: The “Status” field is used by some mail delivery systems to indicate the status of delivery for this message when stored. In my case, the “U” means the message is not downloaded and not deleted.
I won’t spend any time on X-RCPT-TO and X-OriginalArrivalTime because they’re self-explanatory and irrelevant.

Message-ID: The message ID is the unique message identifier that refers to a particular version of a particular message.  The server name after the @ symbol is often invalid/forged in spam messages as it was in this one.  The structure of this message looks like it was sent by a spam sending software program.
The rest of the headers have nothing to do with sending or receiving the message.  They simply identify the technology and formats used to both draft and send the message.  It’s good information to know, so I’ll go over them.

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 … In this portion of the email headers, the technology identification is broken up into two parts. First is “MIME,” which stands for “Multipurpose Internet Mail Extensions.”

The OLE portion stands for “Object Linking and Embedding.” MIME extends the format of Internet mail to allow non-US-ASCII textual messages, non-textual messages, multipart message bodies, and non-US-ASCII information in message headers. Among a few other things, it’s the ability to send graphics in the body of an email. It’s also how you can send embedded HTML pages. Put MIME and OLE together and you simply have a Microsoft software component named MimeOLE, at some version.
X-Mailer is the program used to send the mail. In this example, the spammer used Microsoft’s Outlook Express, which is very common.

X-Priority: 1
X-MSMail-Priority: High

These two are not at all interesting, except that your mail program reads these flags to decide how the message will show up in your inbox.

Skipping over the rest, because the message content types, character sets, etc. aren’t important, we move into the From and Reply-To headers. These are forged. Many automated messaging programs use a “noreply” address to prevent people from replying to automated messages which will never be read. The “From” says this message is from eBay Security. Well, we all know that’s crap.

My wish is that if a sender is not who they say they are, which can be verified by identifying their current IP, or validating their email account from their incoming/outgoing mail servers, the spammers would be prevented from sending the email.   My wish is that the spammer would get an error message that says something like, “unable to validate sender information against current login profile and/or email account parameters.  Your message cannot be sent.”  I’m sure that over time someone would find a work-around. But it would make actually sending spam a lot harder than it is today.
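The checks argued for above, both the Received-chain questions (“who is VWILSON?”) and the wished-for sender validation, as an added Python example that is not part of the original post. The headers are a constructed copy of the ones quoted in this post, with documentation-range placeholder IPs where the originals were elided; the function names and the “not a fully qualified host” heuristic are my own assumptions, not a mail standard.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed copy of the headers quoted in this post. The two IP addresses
# were elided in the original, so documentation-range placeholders stand in.
RAW_MESSAGE = """\
Received: from VWILSON [203.0.113.5] by mountainnetworks.com with ESMTP
 (SMTPD-9.04) id ACCD0240; Fri, 08 Dec 2006 13:44:45 -0800
Received: from User ([198.51.100.7]) by VWILSON with Microsoft SMTPSVC(5.0.2195.2966); Fri, 8 Dec 2006 13:49:36 -0800
Reply-To: <noreply@ebay.com>
From: "eBay Center"<security-center@ebay.com>
Subject: Several login attempts from a foreign IP address
Return-Path: security-center@ebay.com
Message-ID: <vwilsonphwfutjltosj00000386@vwilson>

Dear Customer,
"""

# "from <host> [ip] ... by <host>": the pieces of a Received header we care about.
HOP_RE = re.compile(r"from\s+(?P<host>\S+)\s*(?:\(?\[(?P<ip>[\d.]+)\]\)?)?.*?\bby\s+(?P<by>\S+)", re.S)

def received_hops(raw):
    """Return hops in transit order (oldest first). Each relay prepends its own
    Received header, so the header order in the message is newest first."""
    msg = message_from_string(raw)
    hops = [HOP_RE.search(v) for v in reversed(msg.get_all("Received", []))]
    return [m.groupdict() for m in hops if m]

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def sender_checks(raw):
    """Findings a receiving server could raise before accepting the message.
    An empty list means the sender's claims are at least self-consistent."""
    msg, findings = message_from_string(raw), []
    hops = received_hops(raw)
    for hop in hops:   # "User" and "VWILSON" are bare names, not resolvable hosts
        if "." not in hop["host"]:
            findings.append(f"unverifiable relay name {hop['host']!r} in Received chain")
    claimed = domain_of(msg["From"])
    for field in ("Reply-To", "Return-Path"):   # the spammer forged these consistently
        if msg[field] and domain_of(msg[field]) != claimed:
            findings.append(f"{field} domain differs from From domain {claimed}")
    msgid_host = msg["Message-ID"].rstrip(">").rpartition("@")[2].lower()
    if msgid_host != claimed and not msgid_host.endswith("." + claimed):
        findings.append(f"Message-ID host {msgid_host!r} is not under {claimed}")
    if hops and not hops[0]["host"].lower().endswith(claimed):
        findings.append(f"originating host {hops[0]['host']!r} is not under claimed sender domain {claimed}")
    return findings
```

Run against the post’s message this reports the two bare relay names, the forged Message-ID host and the origin mismatch, while Reply-To and Return-Path pass because the spammer forged all three sender fields to agree.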

Tracking the location of an actual spammer is next to impossible. Let’s look at the relevant portions of the body of this message:

“Dear Customer”,
Ok, here’s the first thing. eBay never sends a message “Dear Customer.” It’s always “Dear” followed by your actual eBay ID; they identify you by your full name.

This is the link they want me to click. I guess if I were ignorant, I would just blindly click the link. But even an ignorant user could easily surmise that eBay would never put a security link under an xbox directory. Most people know by now that anything after a “/” in a URL is a directory on the web server where a web account exists.

I did a lookup of the root domain xbox.com.bo. To my shock, it actually resolves to an IP address. I thought Microsoft owned the world and was on top of this sort of thing 🙂 Anyway, the IP of xbox.com.bo belongs to EntelNet, which is a South American tech company in Bolivia. All the /%20/…blah blah tells me is that their site has probably been hacked.

In the end, we see an email that was sent from Hungary, that points to a hacked site in Bolivia, and that says it was sent from someone with a Comcast account. Because email programs don’t do any sort of checking on messages before they’re sent, and because the headers of a message can be made to say anything you really want them to say, your guess is as good as mine in determining who sent the message.
