Can email header information be used to track down spoofers?

BROWSE BY TAG Application Security,   Email Protection,   Email Security Guidelines, Encryption and Appliances,   Application and Platform Security,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Do Facebook URL security concerns justify blocking social networks? Is there a way to block iPhone widgets that bypass Web filters? Should enterprises be concerned with Twitter in the workplace? Are there still Google Desktop security problems? Can an IP spoofing tool be used to spam SPF servers? Will an application usage policy best control network bandwidth? How can URL-shortening services be manipulated? Is my security program ready for Web application firewall deployment? How to ensure the security of a shopping cart application When to use the service features of the Metasploit hacking tool Email Security Guidelines, Encryption and Appliances How to confirm the receipt of an email with security protocols Best Email Security Products Can an IP spoofing tool be used to spam SPF servers? WatchGuard acquires email and Web security vendor BorderWare McAfee to acquire email SaaS vendor MX Logic What does 'invoked by uid 78' mean? How to configure firewall ports for webmail system implementation Fierce competition prompted new Cisco email security options Cisco brings email security appliances closer to SaaS Cisco offers more email security choices, but lacks vision Email and Messaging Threats (spam, phishing, instant messaging) Top spammer gets four years in jail for stock fraud scheme New Zeus spam poses as Social Security statements Messaging security risks have upper hand on solutions Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Scareware report highlights successful business model How to prevent phishing attacks with social engineering tests Phishing protection begins with training, antiphishing evangelist Phishing attacks to remain a major problem, say security experts Barracuda acquires Purewire expanding Web security reach Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary asymmetric cryptography  (SearchSecurity.com) challenge-response system  (SearchSecurity.com) cryptographic checksum  (SearchSecurity.com) data encryption/decryption IC  (SearchSecurity.com) elliptical curve cryptography  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) MPPE  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) session key  (SearchSecurity.com) Twofish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Unfortunately, Simple Mail Transfer Protocol (SMTP), the main protocol used when sending email, does not include a way to authenticate where the email message originated. However, the mail server inserts a Received: header at the top of every email message it processes, providing a continuous track of the message's route and making it possible to determine the origin of the message.

In fact, the only part of the email header that can't be faked is the Received: line, which references your mail server. Spammers often add spoofed Received: headers to try to hide the true origin of the unwanted email, but modern mail transfer programs record the sender's correct IP address. So even if the sender uses a fictitious or false name when contacting the receiving server, you can determine the origin of the spoofed message.

Let's take a look at a typical Received header:

Received: from bay121-f19.bay121.hotmail.com ([207.46.10.99] helo=hotmail.com) by argon.webfusion.co.uk with esmtp (Exim 4.54) id 1FvB5u-0007UK-Qd for; Tue, 27 Jun 2006 11:46:58 +0100

This header indicates the message was received by argon.webfusion.co.uk (which runs esmtp Message Transfer Agent) from a server named bay121-f19.bay121.hotmail.com on June 27, 2006 at 11:46:58, which is one hour ahead of the Universal clock Time. It also shows us that the host bay121-f19.bay121.hotmail.com has an IP address of 207.46.10.99. Using the WHOIS tool we know that this IP address is registered to Microsoft.

Since Received: headers are always added to the top of the message, check each of the subsequent Received headers to find the first one that is suspicious. Perform a whois lookup of the IP addresses in the Received: header to see who, if anyone, owns the address. Any headers after such a header can be safely ignored. This first invalid header means that it must be spoofed. You can presume that the general origin of the spam is the server that received the message with this false information. Using the IP address you can look up the name and contact details of the registered owner of the receiving server, probably an ISP. Email them and provide a sample of the spam you received, making sure to include the full message headers. Even if the ISP can use their logs to trace who sent the email, it may well have come from a zombie machine -- a PC taken over by a spammer to send spam unbeknown to the owner. You can also report spam via the CERT Web-based Incident Reporting Form at https://irf.cc.cert.org if you do not get a satisfactory response from the ISP.

In order to provide as much information as possible to help trace unwanted emails, increase the level of logging on your mail server. Also, consider configuring your firewall to route SMTP connections from outside your firewall through a central mail hub. This will provide you with a single point of entry for email and central logging capabilities. Finally, consider using digital signatures, like PGP, to exchange authenticated email messages. This provides a mechanism for ensuring that a message is from who it appears to be, as well as ensuring that the message has not been altered in transit. Similarly, you may want enable SSL/TLS in your mail transfer software to increase the amount of authentication performed when sending mail.