How to track down the true source of an email

Nowadays, a large portion of spam is actually sent from compromised home PCs. Spammers don’t use lax ISPs to send mail, they use grandma’s hijacked computer and cable modem. These computers are often compromised by email worms, which then send out more emails in an attempt to infect other PCs, thus creating more zombies. The emails claim to be from some random address found on the PC. The “From” address is not a reliable indicator of who has the infected PC. The “From” address is analogous to the return address on the envelope of a piece of postal mail – there’s nothing guaranteeing that’s really where it came from. Once you understand this, it’s fairly easy to interpret the information in an email and see where it really came from.

1. View the email’s headers

The first step is to actually see all the behind-the-scenes information that’s included in the email message. This process will vary based on which email program you’re using. You will be opening the virus/spam email, so make sure that your operating system and email client are both fully patched to prevent any bugs (like auto-running an attached program) from causing harm to your system.

In Mozilla and Thunderbird (and probably other Mozilla-based programs), select the email message and press Ctrl+U to view the source. This will open a new window with all of the data in the email message visible. You can also enable the View All Headers option in the menus, which will show all of this hidden information along with subject and address information.

In Outlook Express, Ctrl+F3 will bring up a view showing all of the email’s data also.

In the full version of Outlook (included with MS Office), right-click on the message and choose Options. This will display a new window. A small window at the bottom will show the email’s complete data. You can also use the PocketKnife Peek addon. This creates a new preview window which has tabs for viewing the email in several ways. The Internet header tab will show the information we’re looking for.

If you use webmail like Hotmail or Yahoo, there should be an option somewhere in the preferences to display the message’s source or headers. You will need to enable this or set it to display all headers.

Other email clients should be similar. You need to enable the option to display all headers, or view the source code of the message.

Once you’ve enabled the source/header view in your particular client, you’ll be looking at something like this:

Return-path: 
Envelope-to: invisibill@invisibill.net
Delivery-date: Mon, 22 Mar 2004 19:30:32 -0800
Received: from [68.149.253.31] (helo=invisibill.net)
	by mx.mailix.net with esmtp (Exim 4.24-ND)
	id 1B5ccM-0006XQ-H5
	for invisibill@invisibill.net; Mon, 22 Mar 2004 19:30:19 -0800
From: tom@tomzwheels.com
To: invisibill@invisibill.net
Date: Mon, 22 Mar 2004 19:59:27 -0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <E1B5ccM-0006XQ-H5@mx.mailix.net>
X-SA-Exim-Mail-From: tom@tomzwheels.com
Subject: Re: Status
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0016----=_NextPart_000_0016"

This is a multi-part message in MIME format.

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit


For further details see the attachment.


++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com


------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream;
	name="data.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="data.zip"

2. Find the IP address of the sending mail server

The sending mail server has to connect to your mail server to deliver the message, and your mail server records the address that connection came from. Because of this, we can always find out where the mail came from, even though some viruses and spammers add fake information to the email to make it look like it came from somewhere else.

Here is what we’re looking for:

Received: from [68.149.253.31] (helo=invisibill.net)
	by mx.mailix.net with esmtp (Exim 4.24-ND)
	id 1B5ccM-0006XQ-H5
	for invisibill@invisibill.net; Mon, 22 Mar 2004 19:30:19 -0800

There may be several sections that begin with Received: from if the sender added fake info. In this email, this is the lone entry. If there are several, it should be the one closest to the top (though some mail filters act as a separate server, and the last one is actually your company/ISP processing the mail). After it says who it is received from, it will list who it was received by. In this case, it was received by mx.mailix.net, which is my mail server. Yours may be something like mail.myisp.net or smtp.myisp.net.

This line tells us that my mail server received the email from the mail server at 68.149.253.31. The helo command is what the sending mail server said its name was. This email message is from the Netsky virus, so it uses the destination address for the helo command – it got invisibill.net from my email address, even though it claims to be from tom@tomzwheels.com. Most other viruses will use the spoofed sender address for the helo, i.e. this email’s helo would be tomzwheels.com.

This nuance of Netsky makes for some easy email filtering. Even though my domain is invisibill.net, my mail server is not named invisibill.net. As you can see above, it’s something totally different due to the email provider I use. Any email coming in with helo=invisibill.net in the headers must be a fake, as there is no mail server named invisibill.net.

Here is an example of having multiple valid headers. You can see that the message went from Dell’s server to the company’s main mail server, then from there went to the mail server of one individual branch. You’ll have to figure out on your own whether the headers you’re seeing are legitimate or not. But if you do have a setup like this, everything will have these headers (since every mail has to come in through the same server(s)).

Received: from smtp.company.com ([198.208.160.116])
	by server01.branch.company.com with Microsoft SMTPSVC(5.0.2195.6713);
	Fri, 12 Mar 2004 11:57:15 -0500
Received: from ausc60ps301.us.dell.com ([143.166.148.206])
	by smtp.company.com (SAVSMTP 3.1.2.35)
	with SMTP id M2004031211444513348
	for ; Fri, 12 Mar 2004 11:44:46 -0500
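The rule just described, walking the Received: lines from the top and trusting only the hops your own servers logged, as an added example (not the article’s own tool). It parses the two header excerpts quoted above (embedded here as constructed samples), pulls out the from/by/helo/IP pieces, and flags the Netsky tell where the helo name is the recipient’s own domain; the set of “my servers” you pass in is an assumption about your own setup.

```python
import re
from email import message_from_string

# Constructed samples: the two Received excerpts quoted in step 2, with a body so they parse as messages.
NETSKY = (
    "Received: from [68.149.253.31] (helo=invisibill.net)\n"
    "\tby mx.mailix.net with esmtp (Exim 4.24-ND)\n"
    "\tid 1B5ccM-0006XQ-H5\n"
    "\tfor invisibill@invisibill.net; Mon, 22 Mar 2004 19:30:19 -0800\n"
    "From: tom@tomzwheels.com\nTo: invisibill@invisibill.net\nSubject: Re: Status\n\n(body)\n"
)
DELL = (
    "Received: from smtp.company.com ([198.208.160.116])\n"
    "\tby server01.branch.company.com with Microsoft SMTPSVC(5.0.2195.6713);\n"
    "\tFri, 12 Mar 2004 11:57:15 -0500\n"
    "Received: from ausc60ps301.us.dell.com ([143.166.148.206])\n"
    "\tby smtp.company.com (SAVSMTP 3.1.2.35)\n"
    "\twith SMTP id M2004031211444513348\n"
    "\tfor ; Fri, 12 Mar 2004 11:44:46 -0500\n\n(body)\n"
)

def parse_received(raw_message):
    """Return one dict per Received header, top of the message first (newest hop first)."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        text = " ".join(value.split())  # unfold the tab-indented continuation lines
        def grab(pattern):
            m = re.search(pattern, text)
            return m.group(1) if m else None
        hops.append({"from": grab(r"^from\s+\[?([^\s\]]+)"),
                     "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),  # address the receiving server saw
                     "helo": grab(r"\(helo=([^)\s]+)\)"),           # name the sender claimed
                     "by": grab(r"\bby\s+(\S+)")})
    return hops

def origin(hops, my_servers):
    """First hop that one of your own servers accepted from an outside host."""
    # Hops between your own servers (provider filter, branch relay) are skipped; anything below is sender-supplied.
    for hop in hops:
        if hop["by"] in my_servers and hop["from"] not in my_servers:
            return hop
    return None

def helo_spoofs_my_domain(hop, my_domain, my_mail_hosts):
    """The Netsky tell from the text: helo equals the recipient's domain, and no real mail host has that name."""
    helo = (hop["helo"] or "").lower()
    return helo == my_domain.lower() and helo not in {h.lower() for h in my_mail_hosts}
```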

3. Figure out who this IP address belongs to

Now that we have the IP address where the email came from, we can probably get a better idea of whose PC this is. To do this, we’re going to use the internet’s Domain Name System (DNS). DNS converts names like microsoft.com and invisibill.net into IP addresses, and it can also be used in reverse to turn an IP address back into a hostname. Every computer on the internet has an IP address, and this is the “real” address of the server. Domain names are just an easy way for people to remember how to get to a server.

You can find information on the spammer IP address at SamSpade.org. That form will show information on the owner of the address block containing that IP, including the different contacts (possibly including an abuse address) for the address. This form provides the same information as the process below, all in one step. However, the following method gives you a better understanding of what you’re figuring out. Once you understand what’s happening, you might as well use SamSpade.org since it’s quicker.

Here’s the detailed way, if you want to gain a better understanding of what you’re figuring out. You can use the ping command included with just about every OS to do this. In Windows, the -a switch tells ping to resolve IP addresses into hostnames: ping -a 68.149.253.31 will tell our computer to connect to the IP address and resolve the hostname. (On Linux and macOS, ping’s -a switch means something else, so use nslookup 68.149.253.31 or host 68.149.253.31 to do the same reverse lookup.)

The output will be something like this:

Pinging h68-149-253-31.ed.shawcable.net [68.149.253.31] with 32 bytes of data:

Reply from 68.149.253.31: bytes=32 time=125ms TTL=110
Reply from 68.149.253.31: bytes=32 time=136ms TTL=110
Reply from 68.149.253.31: bytes=32 time=140ms TTL=110
Reply from 68.149.253.31: bytes=32 time=150ms TTL=110

Ping statistics for 68.149.253.31:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 125ms, Maximum = 150ms, Average = 137ms

Ping is a tool that times network connections, to aid in troubleshooting. We can ignore all of that info except the very first line. Pinging h68-149-253-31.ed.shawcable.net [68.149.253.31] with 32 bytes of data: tells us that the IP address resolves to the hostname h68-149-253-31.ed.shawcable.net.

However, some firewalls and routers may block the ping packets, so you won’t be able to obtain any useful information this way. There is still hope via online ping tools which do the same thing, but not on your PC. VisualRoute will also return h68-149-253-31.ed.shawcable.net as the hostname of the last system (at the bottom of the list).

The first section is obviously based on the IP address. Many broadband ISPs use hostnames based on the address like this. The last part, shawcable.net, tells us the ISP. http://shawcable.net isn’t a valid website, but http://shawcable.com redirects to http://www.shawcable.ca. This is the front page for Shaw, an ISP. The .ca tells us that they’re in Canada, which helps us narrow down the middle part of the hostname. In this case, ed stands for Edmonton. Many other ISPs use this scheme as well, naming subnetworks after the state/province, or after cities. If you were to find a 1-2-3-4.denver.co.comcast.net hostname, you could figure out that the user’s IP address is 1.2.3.4, they live near Denver, Colorado, and they have Comcast for an ISP. Some ISPs may use airport codes as well.
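Reading the hostname the way step 3 describes, as an added example (not from the article): it checks that the first part really encodes the IP address, splits off the ISP domain and the region labels in between, and, for the filtering idea in step 4, guesses whether the name looks like a real mail server. The example hostnames are the ones from the text; the mail-server name prefixes are an assumption.

```python
import re
import socket

# An embedded IPv4 address, dashes or dots between octets, e.g. h68-149-253-31 or c-24-1-2-3.
EMBEDDED_IP = re.compile(r"(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)")
MAIL_PREFIXES = ("mail", "smtp", "mx", "relay")  # assumption: typical names for real mail servers

def reverse_lookup(ip):
    """What ping -a does on Windows: a reverse (PTR) lookup. Needs network access; None if no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def classify(hostname, ip):
    """Split an ISP-style hostname into the pieces step 3 reads off by eye.

    Returns whether the name encodes the given IP (either octet order), the ISP's domain,
    the labels between address and ISP (state/province, city, airport code), and a rough
    guess at whether it looks like a real mail server rather than a customer line."""
    name = hostname.lower().rstrip(".")
    labels = name.split(".")
    m = EMBEDDED_IP.search(name)
    octets = list(m.groups()) if m else []
    embeds_ip = bool(octets) and ip in (".".join(octets), ".".join(reversed(octets)))
    if embeds_ip:
        region = name[m.end():].strip(".").split(".")[:-2]  # labels after the address part
    else:
        region = labels[:-2]
    return {
        "embeds_ip": embeds_ip,
        "isp_domain": ".".join(labels[-2:]),  # assumes a two-label domain like shawcable.net
        "region_labels": [x for x in region if x],
        # Heuristic from step 4: real mail servers are usually named mail./smtp./mx., not after the address.
        # Some smaller ISPs do give business connections address-style names, so treat this as a hint only.
        "likely_mail_server": not embeds_ip and labels[0].startswith(MAIL_PREFIXES),
    }
```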

Even though VisualRoute shows a map of where the connection is coming from, it may not be accurate. In the DNS records for a domain name, there is an option to specify location coordinates. If no location is found for a specific server, the lookup works its way back up toward the top-level domain. If Shaw were headquartered in Iowa, everything under shaw.net might show up as being located in Iowa. This is an optional setting, and completely user-defined, so it should not be assumed to be accurate.

4. More on finding and stopping virus-infected PCs

If you only know one person in Edmonton and have never given your email address out, then you probably know whose PC this is already. If you’ve been on messageboards, mailing lists, or mass-forwards, then a whole bunch of people may have your email address. Recent email worms look at many different files to find addresses. It’s possible that the infected person has never emailed you, but your address is on a saved webpage on their hard drive. Address books are still the best source of valid email addresses, but they’re not the only target anymore.

The “From” email address and the “To” email address (yours) were both on the infected PC. This may give you a hint as to how the person got your email address. In this case, tom@tomzwheels.com was on the infected PC along with my address. http://www.tomzwheels.com is a website that sells aftermarket wheels for cars. The infected PC has both my address and a wheel-related address on it. It’s probably safe to say that I know this person through one of the car forums I visit (as opposed to a computer forum or a growing-vegetables-that-look-like-celebrities forum).

This may narrow it down enough that you can figure out who the culprit is. If not, you can at least make a post on the car forum(s) you visit letting them know that someone has a virus. A script like http://www.invisibill.net/ipcheck.php will show the IP address of the person connecting to the page. You can post a link like this and tell them you got a virus email from 68.149.253.31. If someone’s IP address is that exact address, or the first two or three parts match, they should scan their computer. If they have anti-virus software installed, it needs to be updated. If they don’t have AV software, they should do an online scan and/or get an AV program. Note that it’s best if you don’t even post the “From” email address. That person’s address just happened to be on the infected PC (just like yours) – they had no more to do with it than you did. Just say that you got a virus email with a car-related “From” address, so it’s likely someone from that forum that’s infected.

Also, you now know that the IP address 68.149.253.31 is probably not a mail server. If it were, it would most likely have a hostname like mail.someisp.net. There probably isn’t any valid email coming from this server, so you can filter out any emails containing Received: from [68.149.253.31]. You should be careful though, as some lesser ISPs do provide companies with server connections that still get assigned hostnames like this. It’s possible, but not very likely.

Spam Punisher is a small tool to automate this process. The program parses an email (open a saved file or cut and paste) for IP addresses, and can then do lookups on the owners of those IP addresses. You can find the old freeware 1.4 beta version here or you can get the current shareware version here.