dissolutions
Spammers often forge the headers of their email in an attempt to avoid losing their accounts and to evade email filters. These notes may help you track the source of spam. The most important thing is to have a mail reader that can show you the full headers of an email in question. The important lines are as follows:

From:
Who the message is from. This is the easiest to forge, and thus the least reliable.
From
As distinct from the "From:" line. This line is not actually part of the email header, but mail transfer software often inserts it when the mail is received. Many Unix mailers use this line to separate messages in a mail folder. This line will always be the first line in the headers.
This line can also be forged, but not always.

Reply-To:

The address to which replies should be sent. Often absent from the message, and very easily forgeable. However, it often provides a clue. For example, forged spam often has a legitimate Reply-To: field so that the spammer can receive mail orders.
Return-Path:

The email address for return mail. Same as Reply-To:
Sender:

The account that sent the message. Mail software is supposed to insert this line if the user modifies the From: line. Most mail software is broken in this respect, so this line is rarely present. Some mailers provide an X-Sender: line.

Message-ID:

A unique string assigned by the mail system when the message is first created. This is also forgeable in most cases, but requires a little more specialized knowledge than forging the From: line. Also, the Message-ID: often identifies the system from which the sender is logged in, rather than the actual system where the message originated.

The format of a Message-ID: field is @

Each kind of mail software has its own style of unique string. Sloppy forgeries often get it wrong, thus a forgery can be confirmed by comparing the message id with some legitimate messages from that same site.

Received:

These are the most reliable lines in the header. They form a list of all sites through which the message traveled in order to reach you. They are completely unforgeable after the point where the message was injected. Up to that point, they may be forgeries.

Received: lines are read from bottom to top. That is, the first Received: line is your own system or mail server. The last (non-forged) Received: line is where the mail originated.

Each mail system has its own style of Received: line. A Received: line typically identifies the machine that received the mail and the machine that the mail was received from. For example:

Received: from foo.com by bar.com id AA15057; Fri, 25 Jul 97 09:39:02

The "foo.com" part is the name that the sending machine used to identify itself. This may be forged in the case of spam. The id is for logging purposes and may help system administrators track the spam if you can get them to cooperate with you.

Many mailers will add extra information. For example:

Received: from foo.com ([129.2.3.4]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02

In this case, bar.com has inserted the IP address of the sending system. If the machine name does not match the IP address, then you have likely identified the point where the mail was forged. In other words, the machine whose address is 129.2.3.4 lied when it identified itself as foo.com. Any Received: lines that follow are likely to be forgeries.

If the IP address does not make sense (for instance, no component may be greater than 255), then this entire Received: line is a fake. Contact a system admin for more advice in determining if an IP address is bogus. If the entire Received: line is fake, then the injection point is somewhere above in the headers.

Sometimes you will see

Received: from foo.com (x.y.alterdial.uu.net [129.2.3.4]) by bar.com id AA15057;

... In this case, the mailer has inserted both the IP address and the real name of the sending system. This will help you identify forgeries and eliminate the need to look up the IP address by hand.

Comment:

Some mailers may add additional information to the headers, such as Authenticated sender is doe@foo.com. Forged Comment: lines can be easily added to outgoing mail, so this line is likely to be fake, but not always.
Other mailers may insert their own authentication information in the headers.

Here is an example of a forgery:

From webpromo@denmark.it.earthlink.net Tue Jul 8 13:05:02 1997
Return-Path:
From: webpromo@denmark.it.earthlink.net
Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net
    [204.119.177.22]) by best.com (SMI-8.6/mail.byaddr) with ESMTP id
    NAA21506 for ;
    Tue, 8 Jul 1997 13:05:16 -0700
Received: from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET
    [153.34.218.226]) by denmark.it.earthlink.net (8.8.5/8.8.5)
    with SMTP id NAA12436; Tue, 8 Jul 1997 13:00:46 -0700 (PDT)
Received: from adultpromo@earthlink.net by adultpromo@earthlink.net
    (8.8.5/8.6.5) with SMTP id GAA05239 for ;
    Tue, 08 Jul 1997 15:48:51 -0600 (EST)
To: adultpromo@earthlink.net
Message-ID: <199702170025.GAA08056@no-where.net>
Date: Tue, 08 Jul 97 15:48:51 EST
Subject: Hot News !
Reply-To: adultpromo@earthlink.net
X-PMFLAGS: 12345678 9
X-UIDL: 1234567890x00xyz1x128xyz426x9x9x
Comments: Authenticated sender is
Content-Length: 672
X-Lines: 26
Status: RO

Obviously, the To: line is a forgery; the actual recipients list was hidden, probably with a blind carbon-copy (Bcc: header).

The "From", "Return-Path:" and "From:" all identify the same email address, but that may be a forgery. You can try mailing to the given address and see if your complaint bounces.

The "To:", "Reply-To:" and "Authenticated sender" lines all identify a different account. Again, these may all be forgeries.

The Message-ID: line is an obvious fake.

The first Received: line shows the mail arriving at my service provider from Earthlink. I trust my service provider, so this line is almost certainly valid.

The second Received: line shows this inconsistency:

... from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET [153.34.218.226])

In other words, the machine that delivered the mail to denmark.it.earthlink.net identified itself as mail.earthlink.net but was actually named 1Cust98.Max16.Detroit.MI.MS.UU.NET. This is very likely a lie. However, Earthlink rents POPs from Uunet, so this might be an Earthlink customer dialing in from Uunet.

The third Received: line is completely bogus. If the mail came from a dial-in customer at Uunet, there wouldn't be any more Received: lines. If the mail was being relayed from Uunet, this Received: line would indicate Uunet, not Earthlink. Further, this Received: line contains email addresses, not machine names.

Clearly, this email was forged to make it look like it came from Earthlink but was actually injected from Uunet. Whether this was by an Earthlink customer or some other Uunet customer is impossible to tell without cooperation from Earthlink sysadmins.

Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40])
    by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705
    for ; Wed, 30 Jul 1997 01:15:27 -0600 (MDT)
From: beautifulgirls585@aol.com
Received: from cola.bekkoame.or.jp
    (ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21]) by
    cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439;
    Wed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by
    aol.com (8.8.5/8.6.5) with SMTP id GAA00075 for <"">;
    Tue, 29 Jul 1997 22:19:42 -0600 (EST)
Date: Tue, 29 Jul 97 22:19:42 EST
Subject: You can have what you want...
Message-ID: <574857638458.HWF39862@aol.com>
Reply-To: beautifulgirls585@aol.com
X-PMFLAGS: 56354433 0
Comments: Authenticated sender is
X-UIDL: vjg79u26gfkjjrty38jf983j309jfyrw

Here, the second Received: line indicates that "cola.bekkoame.or.jp" received the mail from a machine which identified itself as "cola.bekkoame.or.jp", but was in fact "ip21.san-luis-obispo.ca.pub-ip.psi.net". This mail was probably forged from a Psi.net dial-in account.

As a final proof, the IP address mentioned in the third Received: line cannot be matched via whois or traceroute. It certainly doesn't match AOL, indicating that this line is bogus.



http://www.infosecwriters.com/texts.php?op...p=display&id=10
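The checks in the post above (HELO name versus the name the receiving machine looked up, IP octets over 255, email addresses where host names belong) can be applied mechanically. The following is an added example, not part of the post or the infosecwriters article: it unfolds the headers, parses each Received: line in sendmail style, flags the three signs, and reports the hop at which the trail stops being trustworthy. The sample is the post's first forgery re-folded with indented continuation lines (an assumption about how a mail client stores them); the "last two labels" notion of a domain is a deliberate simplification.

```python
import re

# Constructed re-folding of the first forgery quoted in the post (assumption:
# continuation lines are indented, as a mail client would store them).
SAMPLE_EARTHLINK = """\
From: webpromo@denmark.it.earthlink.net
Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net
    [204.119.177.22]) by best.com (SMI-8.6/mail.byaddr) with ESMTP id
    NAA21506; Tue, 8 Jul 1997 13:05:16 -0700
Received: from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET
    [153.34.218.226]) by denmark.it.earthlink.net (8.8.5/8.8.5)
    with SMTP id NAA12436; Tue, 8 Jul 1997 13:00:46 -0700 (PDT)
Received: from adultpromo@earthlink.net by adultpromo@earthlink.net
    (8.8.5/8.6.5) with SMTP id GAA05239;
    Tue, 08 Jul 1997 15:48:51 -0600 (EST)
To: adultpromo@earthlink.net
Message-ID: <199702170025.GAA08056@no-where.net>
"""

HOP_RE = re.compile(r"Received:\s*from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}")


def unfold(raw):
    """Join folded header continuation lines (leading whitespace) onto their field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.rstrip())
    return fields


def domain(host):
    """Crude organisational domain: the last two labels (enough for this demo)."""
    return ".".join(host.lower().split(".")[-2:])


def parse_hop(field):
    """Split one Received: field into the HELO name, the name/IP the receiver
    added in parentheses, and the receiving host.  Returns None if unparsable."""
    m = HOP_RE.match(field)
    if not m:
        return None
    src = m.group("src")
    helo = re.match(r"[^\s(]+", src).group(0)
    added = src[len(helo):]          # text the receiving MTA appended itself
    ips, names = IP_RE.findall(added), NAME_RE.findall(added)
    return {"helo": helo, "rdns": names[0] if names else None,
            "ip": ips[0] if ips else None, "by": m.group("by"), "findings": []}


def check_hop(hop):
    """Apply the three tests from the post; each finding is (severity, reason)."""
    f = hop["findings"]
    if "@" in hop["helo"] or "@" in hop["by"]:
        f.append(("forged", "email address used where a host name belongs"))
    if hop["ip"] and any(int(o) > 255 for o in hop["ip"].split(".")):
        f.append(("forged", "impossible IP address %s" % hop["ip"]))
    if hop["rdns"] and hop["rdns"].lower() != hop["helo"].lower():
        if domain(hop["rdns"]) != domain(hop["helo"]):
            f.append(("forged", "claimed %s but reverse DNS says %s"
                      % (hop["helo"], hop["rdns"])))
        else:
            f.append(("note", "host alias within %s" % domain(hop["helo"])))
    return hop


def analyse(raw):
    """Return the Received: hops top to bottom (nearest to you first), checked."""
    hops = [parse_hop(x) for x in unfold(raw) if x.lower().startswith("received:")]
    return [check_hop(h) for h in hops if h]


def injection_point(hops):
    """Index of the first hop (counting from your own server) that is forged;
    every Received: line below it is untrustworthy.  None if nothing is flagged."""
    for i, hop in enumerate(hops):
        if any(sev == "forged" for sev, _ in hop["findings"]):
            return i
    return None


if __name__ == "__main__":
    hops = analyse(SAMPLE_EARTHLINK)
    for i, h in enumerate(hops):
        print(i, h["helo"], "->", h["by"], h["findings"])
    print("forgery starts at hop", injection_point(hops))
```

On the Earthlink sample the first hop gets only a "note" (denmark versus denmark-c, same domain), the second hop is flagged because the reverse name is in uu.net while the HELO claims earthlink.net, and the third is flagged for carrying email addresses instead of host names, which matches the post's reading of the headers.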
dissolutions
And now a guide to forging emails

Telnet - SMTP Commands (sending mail using telnet)
In order to access your mailbox you will need 3 things:
An active internet connection (an embarrassing stage to miss sometimes!)
The address of a mail server capable of relaying for you - usually provided by your dialup provider (e.g. mail.domain.ext)
A valid email address (e.g. mail@domain.ext)
The first thing to do is to open a connection from your computer to your mail server.
telnet mail.domain.ext 25
You should receive a reply like:
Trying ???.???.???.???...
Connected to mail.domain.ext.
Escape character is '^]'.
220 mail.domain.ext ESMTP Sendmail ?version-number?; ?date+time+gmtoffset?

You will then need to declare where you are sending the email from:
HELO local.domain.name - don't worry too much about your local domain name (although you really should use your exact fully qualified domain name as seen by the outside world); the mail server has no choice but to take your word for it, as of RFC822-RFC1123.
This should give you:
250 mail.domain.ext Hello local.domain.name [loc.al.i.p], pleased to meet you

Now give your email address:
MAIL FROM: mail@domain.ext
Should yield:
250 2.1.0 mail@domain.ext... Sender ok
If it doesn't please see possible problems.

Now give the recipients address:
RCPT TO: mail@otherdomain.ext
Should yield:
250 2.1.0 mail@otherdomain.ext... Recipient ok
If it doesn't please see possible problems.

To start composing the message issue the command DATA

If you want a subject for your email type Subject:-type subject here- then press enter twice (these are needed to conform to RFC 882)

You may now proceed to type the body of your message (e.g. hello mail@otherdomain.ext from mail@domain.ext)

To tell the mail server that you have completed the message enter a single "." on a line on its own.
The mail server should reply with: 250 2.0.0 ???????? Message accepted for delivery

You can close the connection by issuing the QUIT command.
The mail server should reply with something like: 221 2.0.0 mail.domain.ext closing connection
Connection closed by foreign host.



Here is a list of problems I've encountered and their fixes
501 nouser@nosuchplace.here... Sender domain must exist
The domain that you are sending from must exist

503 Need MAIL before RCPT
A recipient has been specified before a sender.

550 mail@domain.ext... Relaying Denied
The mail server has refused to relay mail for you; this may be for any number of reasons, but typical reasons include:
Not using this provider for an internet connection and/or
Not using an email address provided by the owner of the server.

I'll be putting more as and when I get them and figure out how to fix each problem.




http://www.yuki-onna.co.uk/email/smtp.html
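The replies listed above come from policy the server applies to the envelope, not from anything it can verify about the HELO name. The following is an added example, not code from the post or from the yuki-onna page: a small model of an inbound SMTP session that produces the 250/501/503/550 replies quoted above for a server that accepts mail only for its own domains and relays only for clients on its own network, and that shows what its Received: line would record. The host names, domain sets and RFC 5737 documentation addresses are assumptions chosen for the demo; the set of "existing" domains stands in for a DNS lookup.

```python
# Added example, not code from the post or from the yuki-onna page: a minimal
# model of the SMTP envelope checks behind the replies quoted above.  Host
# names, domain lists and addresses are assumptions chosen for the demo;
# 192.0.2.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges.

LOCAL_DOMAINS = {"domain.ext"}                        # we accept mail for these
EXISTING_DOMAINS = {"domain.ext", "otherdomain.ext"}  # stands in for a DNS lookup
LOCAL_NETS = ("192.0.2.",)                            # "our own dial-up pool"


def _address(arg):
    """Turn 'FROM: <user@host>' / 'TO: user@host' into a bare address."""
    return arg.partition(":")[2].strip().strip("<>").strip()


class SmtpPolicy:
    """One inbound SMTP session as the server sees it.  The HELO name is
    recorded but never verified; the peer's real address and reverse name
    come from the TCP connection and are what the Received: line exposes."""

    def __init__(self, hostname, peer_ip, peer_rdns=None):
        self.hostname, self.peer_ip, self.peer_rdns = hostname, peer_ip, peer_rdns
        self.helo, self.mail_from, self.rcpts = None, None, []

    def command(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            self.helo = arg or "unknown"          # taken at face value, as the post says
            return "250 %s Hello %s [%s], pleased to meet you" % (
                self.hostname, self.helo, self.peer_ip)
        if verb == "MAIL":
            addr = _address(arg)
            if addr.rpartition("@")[2] not in EXISTING_DOMAINS:
                return "501 %s... Sender domain must exist" % addr
            self.mail_from, self.rcpts = addr, []
            return "250 2.1.0 %s... Sender ok" % addr
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL before RCPT"
            addr = _address(arg)
            local_dest = addr.rpartition("@")[2] in LOCAL_DOMAINS
            if not local_dest and not self.peer_ip.startswith(LOCAL_NETS):
                return "550 %s... Relaying Denied" % addr   # not ours, not our client
            self.rcpts.append(addr)
            return "250 2.1.0 %s... Recipient ok" % addr
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT before DATA"          # constructed wording
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return "221 2.0.0 %s closing connection" % self.hostname
        return "500 5.5.1 Command unrecognized"

    def received_header(self, queue_id):
        """The trace line this server would prepend: claimed name first,
        then what the connection itself revealed in parentheses."""
        seen = ("%s [%s]" % (self.peer_rdns, self.peer_ip) if self.peer_rdns
                else "[%s]" % self.peer_ip)
        return "Received: from %s (%s) by %s with SMTP id %s" % (
            self.helo, seen, self.hostname, queue_id)


def run_session(peer_ip, peer_rdns, lines):
    """Feed a list of client commands through one session; return the replies."""
    session = SmtpPolicy("mail.domain.ext", peer_ip, peer_rdns)
    return [session.command(line) for line in lines]


if __name__ == "__main__":
    # The dialogue from the post, typed by a peer that is not on our network.
    for reply in run_session("203.0.113.7", "cust7.example.net", [
            "HELO local.domain.name", "MAIL FROM: mail@domain.ext",
            "RCPT TO: mail@otherdomain.ext", "RCPT TO: mail@domain.ext", "QUIT"]):
        print(reply)
```

The relay decision is the point of the 550 reply above: a recipient outside the server's own domains is accepted only when the connecting address is on the server's own network, which is why a session from elsewhere is refused even though HELO, MAIL FROM and the sender's address were all accepted as typed.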
GSecur
Now this is what I like to see, both defense (how to detect) as well as how to do it. Great stuff.
dissolutions
mmhmm just found another GREAT page about email headers.

http://www.stopspam.org/email/headers/headers.html

There are certain programs that are available for preventing mail spam.
http://www.governmentsecurity.org/forum/in...t=ST&f=13&t=115 For some Outlook programs.
Invision Power Board © 2001-2005 Invision Power Services, Inc.