Tuesday, October 15, 2013

Identify Location of Email

See below for an example of a scam that was sent to me, pretending to be from my friend, claiming she had been robbed and asking me for financial aid. I've changed the names—I'm "Bill," and the scammer has sent an email to bill@domain.com, pretending to be alice@yahoo.com. Note that Bill forwards his email to bill@gmail.com.
First, in Gmail, click "Show original":
How Can I Find Out Where an Email Really Came From?
The full email and its headers will open:
Delivered-To: bill@gmail.com
Received: by 10.64.21.33 with SMTP id s1csp177937iee;
        Mon, 8 Jul 2013 04:11:00 -0700 (PDT)
X-Received: by 10.14.47.73 with SMTP id s49mr24756966eeb.71.1373281860071;
        Mon, 08 Jul 2013 04:11:00 -0700 (PDT)
Return-Path: <SRS0=Znlt=QW=yahoo.com=alice@domain.com>
Received: from maxipes.logix.cz (maxipes.logix.cz. [2a01:348:0:6:5d59:50c3:0:b0b1])
        by mx.google.com with ESMTPS id j47si6975462eeg.108.2013.07.08.04.10.59
        for <bill@gmail.com>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Mon, 08 Jul 2013 04:11:00 -0700 (PDT)
Received-SPF: neutral (google.com: 2a01:348:0:6:5d59:50c3:0:b0b1 is neither permitted nor denied by best guess record for domain of SRS0=Znlt=QW=yahoo.com=alice@domain.com) client-ip=2a01:348:0:6:5d59:50c3:0:b0b1;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 2a01:348:0:6:5d59:50c3:0:b0b1 is neither permitted nor denied by best guess record for domain of SRS0=Znlt=QW=yahoo.com=alice@domain.com) smtp.mail=SRS0=Znlt=QW=yahoo.com=alice@domain.com
Received: by maxipes.logix.cz (Postfix, from userid 604)
    id C923E5D3A45; Mon,  8 Jul 2013 23:10:50 +1200 (NZST)
X-Original-To: bill@domain.com
X-Greylist: delayed 00:06:34 by SQLgrey-1.8.0-rc1
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64])
    by maxipes.logix.cz (Postfix) with ESMTP id B43175D3A44
    for <bill@domain.com>; Mon,  8 Jul 2013 23:10:48 +1200 (NZST)
Received: from [168.62.170.129] (helo=laurence39)
    by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67)
    (envelope-from <alice@yahoo.com>)
    id 1Uw98w-0006KI-6y
    for bill@domain.com; Mon, 08 Jul 2013 06:58:06 -0400
From: "Alice" <alice@yahoo.com>
Subject: Terrible Travel Issue.....Kindly reply ASAP
To: bill@domain.com
Content-Type: multipart/alternative; boundary="jtkoS2PA6LIOS7nZ3bDeIHwhuXF=_9jxn70"
MIME-Version: 1.0
Reply-To: alice@yahoo.com
Date: Mon, 8 Jul 2013 10:58:06 +0000
Message-ID: <E1Uw98w-0006KI-6y@elasmtp-curtail.atl.sa.earthlink.net>
X-ELNK-Trace: 52111ec6c5e88d9189cb21dbd10cbf767e972de0d01da940e632614284761929eac30959a519613a350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 168.62.170.129
[... I have cut the email body ...]
The headers are read chronologically from bottom to top—the oldest lines are at the bottom. Every server the message passes through prepends its own Received: line above the ones already there, so the newest hop is always on top. For example:
Received: from maxipes.logix.cz (maxipes.logix.cz. [2a01:348:0:6:5d59:50c3:0:b0b1])
        by mx.google.com with ESMTPS id j47si6975462eeg.108.2013.07.08.04.10.59
        for <bill@gmail.com>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Mon, 08 Jul 2013 04:11:00 -0700 (PDT)
This says that mx.google.com received the mail from maxipes.logix.cz at Mon, 08 Jul 2013 04:11:00 -0700 (PDT).
Now, to find the real sender of your email, you must find the earliest hop you can trust: the lowest Received: line that was written by a server you control (the last trusted one when reading the headers from the top). Let's start by finding Bill's mail server. For this, query the MX record for the domain. You can use online tools like MxToolbox, or on Linux you can query it on the command line (note the real domain name was changed to domain.com):
~$ host -t MX domain.com
domain.com               MX      10 broucek.logix.cz
domain.com               MX      5 maxipes.logix.cz
And you'll see the mail servers for domain.com are maxipes.logix.cz and broucek.logix.cz. Hence, the last trusted "hop" when reading from the top (the first chronologically)—or the last trusted "received record," or whatever you call it—is this one:
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64])
    by maxipes.logix.cz (Postfix) with ESMTP id B43175D3A44
    for <bill@domain.com>; Mon,  8 Jul 2013 23:10:48 +1200 (NZST)
You can trust this because it was recorded by Bill's own mail server for domain.com. That server got the message from 209.86.89.64. This could be, and very often is, the real sender of the email—in this case the scammer! You can check this IP against a blacklist. It's listed in three blacklists! There's yet another record below it:
Received: from [168.62.170.129] (helo=laurence39)
    by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67)
    (envelope-from <alice@yahoo.com>)
    id 1Uw98w-0006KI-6y
    for bill@domain.com; Mon, 08 Jul 2013 06:58:06 -0400
But be careful about trusting that this is the real source of the email. Everything below the last trusted hop was written by servers you don't control, so the blacklist listing could even have been arranged by the scammer to wipe out his traces and/or lay a false trail. There's still the possibility that the server 209.86.89.64 is innocent and just a relay for the real attacker at 168.62.170.129. In this case, 168.62.170.129 is clean, so we can be nearly certain the attack was done from 209.86.89.64.
Another point to keep in mind is that Alice uses Yahoo! (alice@yahoo.com), while elasmtp-curtail.atl.sa.earthlink.net isn't on the Yahoo! network (you may want to re-check the Whois information for its IP). Therefore we may safely conclude that this email is not from Alice, and we should not send her money to the Philippines.
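The procedure above (read the Received: chain from the top, stop at the first hop your own servers did not write, then compare the From: domain with the server that really handed the mail over) can be automated. The script below is an added example, not code from this blog: it parses the header block quoted above, treats the MX hosts found with `host -t MX domain.com` plus Google's inbound MX as the trusted chain (TRUSTED_SUFFIXES is an assumption you must set for your own domains), and reports the earliest IP a trusted server actually saw, separately from the older hops that untrusted servers merely claim.

```python
import re

# Constructed sample: the Received: and From: lines quoted in the post above (other headers and body omitted).
RAW_HEADERS = """\
Delivered-To: bill@gmail.com
Received: by 10.64.21.33 with SMTP id s1csp177937iee;
        Mon, 8 Jul 2013 04:11:00 -0700 (PDT)
Received: from maxipes.logix.cz (maxipes.logix.cz. [2a01:348:0:6:5d59:50c3:0:b0b1])
        by mx.google.com with ESMTPS id j47si6975462eeg.108.2013.07.08.04.10.59
        for <bill@gmail.com>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Mon, 08 Jul 2013 04:11:00 -0700 (PDT)
Received: by maxipes.logix.cz (Postfix, from userid 604)
    id C923E5D3A45; Mon,  8 Jul 2013 23:10:50 +1200 (NZST)
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64])
    by maxipes.logix.cz (Postfix) with ESMTP id B43175D3A44
    for <bill@domain.com>; Mon,  8 Jul 2013 23:10:48 +1200 (NZST)
Received: from [168.62.170.129] (helo=laurence39)
    by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67)
    (envelope-from <alice@yahoo.com>)
    id 1Uw98w-0006KI-6y
    for bill@domain.com; Mon, 08 Jul 2013 06:58:06 -0400
From: "Alice" <alice@yahoo.com>
"""

# Assumption: servers we control (Bill's MX hosts from `host -t MX domain.com`)
# plus Google's inbound MX, because Bill forwards to Gmail. Adjust for your domains.
TRUSTED_SUFFIXES = ("logix.cz", "google.com")

IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def unfold(raw):
    """Join folded continuation lines (lines starting with whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def header_values(raw, name):
    """All values of header `name`, in the order they appear (top = newest hop)."""
    values = []
    for line in unfold(raw).splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def parse_received(value):
    """Split one Received: value into who wrote it (by), who handed it over (from), and when."""
    by = re.search(r"\bby\s+(\S+)", value)
    before_by = value[: by.start()] if by else value  # ignore 'envelope-from' etc. after 'by'
    frm = re.search(r"(?<![\w-])from\s+(\S+)", before_by)
    ip = IP_RE.search(before_by)
    return {
        "by": by.group(1) if by else None,
        "from_host": frm.group(1).strip("[]") if frm else None,
        "from_ip": ip.group(1) if ip else None,
        "date": value.rsplit(";", 1)[1].strip() if ";" in value else None,
    }


def is_trusted(hop):
    """A hop is trusted if a server we control wrote it, or if it is a purely
    internal handoff with no 'from' clause (e.g. Postfix local delivery)."""
    if hop["from_host"] is None and hop["from_ip"] is None:
        return True
    by = hop["by"] or ""
    return any(by == s or by.endswith("." + s) for s in TRUSTED_SUFFIXES)


def trace_origin(raw):
    """Walk the Received: lines newest-to-oldest and stop at the first one written
    by a server we do not control. The last trusted hop's 'from' address is the
    earliest IP we can vouch for; everything older is only claimed, possibly forged."""
    hops = [parse_received(v) for v in header_values(raw, "Received")]
    boundary = None
    for i, hop in enumerate(hops):
        if not is_trusted(hop):
            break
        boundary = i
    if boundary is None:
        raise ValueError("no trusted Received: header found")
    return {
        "origin_ip": hops[boundary]["from_ip"],
        "origin_host": hops[boundary]["from_host"],
        "recorded_by": hops[boundary]["by"],
        "unverified_ips": [h["from_ip"] for h in hops[boundary + 1:] if h["from_ip"]],
    }


def sender_domain_mismatch(raw, trace):
    """The post's last check: does the From: domain match the host that really
    handed the mail to us? alice@yahoo.com arriving via an earthlink.net host is
    a strong sign the From: line is forged. Returns None if either side is unknown."""
    from_values = header_values(raw, "From")
    m = re.search(r"@([\w.-]+)", from_values[0]) if from_values else None
    if not m or not trace["origin_host"]:
        return None
    domain, host = m.group(1).lower(), trace["origin_host"].lower()
    return not (host == domain or host.endswith("." + domain))


if __name__ == "__main__":
    result = trace_origin(RAW_HEADERS)
    print("First IP a trusted server saw:", result["origin_ip"], "recorded by", result["recorded_by"])
    print("Older, unverified claims:", result["unverified_ips"])
    print("From: domain does not match sending host:", sender_domain_mismatch(RAW_HEADERS, result))
```

Run against the headers above, it names 209.86.89.64 as the earliest address recorded by a server we control, lists 168.62.170.129 only as an unverified claim made by the earthlink server, and flags the yahoo.com From: address against the earthlink.net delivering host. The walk deliberately stops at the first untrusted hop instead of searching for the lowest trusted-looking line, because anything below that break is attacker-controlled text and could contain a fake "by maxipes.logix.cz" line.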

The Shortcut (A Comment by Ex Umbris)

Or, you can paste the headers into SpamCop and let it do all the deciphering for you. They'll even send a SPAM notice to the responsible sysadmin(s) if you wish.
