spoofed mail forensics

Sunday, 27 January 2008 4:32 pm by noel
posted in tech

image 1: spoofed e-mail

the other day i received an e-mail that looked a lot like spam but didn't get filtered. i took a closer look and found that the sender address was my own e-mail address, and it was addressed to the same. i'm absolutely sure i didn't send anything with the subject "january 74% off", let alone to myself. and with yahoo! handling my mail i'm sure i didn't: they only allow a limited number of outgoing e-mails per day.

image 2: blocked images

this is interesting. curiosity got the best of me and i opened it up. it contained nothing but an image. i have my mail reader set not to show images when i open an e-mail, and i'm not about to start with this one: a remote image is fetched from the sender's server, so loading it tells the spammer that the address is live and someone is reading.

the juicier part is the e-mail headers, the part of the message the reader doesn't normally see. they serve as a troubleshooting aid for finding kinks in the mailing system: each server that handles the message records which host handed it over, which server received it, and when. every e-mail program has a way to show the full headers of a message. i use yahoo!'s web interface, where the full header link is on the right side of the open message.

image 3: full e-mail header

click on the full header and you’ll get to some of the e-mail internals.

image 4: full message headers

the first line in the screenshot above is the from: address, who the message claims to be from. the second line, return-path, is the envelope sender, the address bounces are sent to; the sending machine supplies it during the smtp transaction and, like from:, it can be filled with anything (the address that goes in the to: field when you click reply comes from a reply-to: header if there is one, otherwise from from:). the fifth to seventh lines (received) are the interesting part. they show where the e-mail was supposedly sent from, a dsl subscriber in russia, and which server at yahoo! received it. each server that handles a message adds its own received line on top of the existing ones, so the chain reads bottom-up. the received line written by yahoo!'s own server records the ip address that actually connected to it and is the one to trust; any received lines below it were added by the sender's side and can be forged just like from:.

i got another spam with the same subject, and its headers look similar except for the fifth line (received). it names intel as the sending host, but when i looked up the ip address recorded next to that name, it belongs to a subscriber in poland. hmmm… the name in a received line is whatever the sending machine announced when it connected (the helo name), while the ip address is what yahoo!'s server actually saw, so when the two disagree it is the ip address that counts.

image 5: full message headers 2
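the header reading above, as an added example that is not part of the original post: a python script that walks the received chain of a raw message, picks out the hop where an outside machine handed the mail to your provider's own servers (the only hop whose ip address your provider recorded itself), and flags the signs noted above. the provider host names in OWN_HOSTS and the sample message are constructed for the example, with addresses from the rfc 5737 documentation ranges; with a real message you would paste in the full header text and put your own provider's mail servers in OWN_HOSTS.

```python
"""Read the Received chain of a raw message the way the post does by hand.

Added example, not code from the original post. The provider host names
and the sample message below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hosts we trust to write honest Received lines (assumption: these stand in
# for the provider's webmail front end and inbound MX).
OWN_HOSTS = {"webmail.example.com", "mx1.example.com"}

# Constructed sample in the shape described in the post: From and To are the
# same address, and the bottom Received line is the spammer's fiction.
# IPs are from the RFC 5737 documentation ranges.
SAMPLE_RAW = """\
Return-Path: <noel@example.com>
Received: from mx1.example.com (mx1.example.com [198.51.100.7])
  by webmail.example.com with ESMTP id 1; Sun, 27 Jan 2008 16:02:11 +0800
Received: from mail.intel.invalid (unknown [203.0.113.88])
  by mx1.example.com with SMTP id 2; Sun, 27 Jan 2008 16:02:09 +0800
Received: from noel-pc (noel-pc [192.0.2.5])
  by mail.intel.invalid with SMTP id 3; Sun, 27 Jan 2008 16:02:07 +0800
From: noel@example.com
To: noel@example.com
Subject: january 74% off
Content-Type: text/html

<img src="http://203.0.113.88/track.gif">
"""

# Common shape of a Received line: "from <helo name> (<rdns> [<ip>]) by <server> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def parse_received(raw):
    """Return the Received hops, newest (top of the header) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        rdns = m.group("rdns")
        hops.append({
            "helo": m.group("helo"),            # name the sender announced
            "rdns": rdns if rdns and rdns != "unknown" else None,
            "ip": m.group("ip"),                # address the receiver saw
            "by": m.group("by"),                # server that wrote this line
        })
    return hops


def origin_of(hops, own_hosts=OWN_HOSTS):
    """Find the hop where the message entered our own servers.

    Each relay prepends its own Received line, so the chain reads bottom-up.
    Walk down from the newest line while the mail is moving between our own
    hosts; the first line where an outside machine hands it to one of ours
    carries the IP our server actually saw. Everything below that line was
    written by the sender's side and can be forged just like From:.
    """
    own = {h.lower() for h in own_hosts}
    for hop in hops:
        sender_names = {hop["helo"].lower(), (hop["rdns"] or "").lower()}
        if hop["by"].lower() in own and not (sender_names & own):
            return hop
    return None


def suspicious_signs(raw, own_hosts=OWN_HOSTS):
    """List the things the post noticed, as machine-checkable findings."""
    msg = message_from_string(raw)
    signs = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if sender and sender == recipient:
        signs.append(f"From and To are the same address ({sender})")

    hops = parse_received(raw)
    origin = origin_of(hops, own_hosts)
    if origin is None:
        signs.append("no Received line written by our own servers")
        return signs
    if origin["rdns"] is None or origin["rdns"].lower() != origin["helo"].lower():
        signs.append(
            f"origin {origin['ip']} announced itself as {origin['helo']} "
            f"but its reverse DNS is {origin['rdns'] or 'missing'}"
        )
    below = len(hops) - hops.index(origin) - 1
    if below:
        signs.append(f"{below} Received line(s) below the trusted hop are unverifiable")
    return signs


if __name__ == "__main__":
    for sign in suspicious_signs(SAMPLE_RAW):
        print("-", sign)
```

run as-is it reports three findings for the sample. the ip address it picks out is the one to look up (whois, or a geoip database), not the host name in front of it, because that name is whatever the sending machine chose to announce.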

two similar mails from two different countries. the from: line was simply filled in with my address by whoever sent them; nothing in smtp checks that it is true. this leads me to the conclusion that the spam wasn't sent by me (or by yahoo!) but by a botnet of compromised home machines posing as me.

you may have received something similar; if so, you can check it using the steps i took.

disclosure: i do not like spam and i do not and will not knowingly send any. i take great pains to make sure of that. my firewall here only allows sending via one particular yahoo! smtp server. and we don’t even use pop mail. all of us use yahoo!’s webmail interface.
