GREATWEBHOST.COM.PH » netzona http://greatwebhost.com.ph/blog Pinoy Web Hosting Blog and Everything Else! Sat, 06 Feb 2010 02:36:04 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Spoofed Emails http://greatwebhost.com.ph/blog/2009/11/13/spoofed-emails/ http://greatwebhost.com.ph/blog/2009/11/13/spoofed-emails/#comments Thu, 12 Nov 2009 23:07:39 +0000 admin http://greatwebhost.com.ph/blog/?p=298 Ever encountered a time that you received an email supposedly coming from a contact but which your contact did not send to you? Or maybe a friend getting emails from you that you did not make?

The technology behind email sending is inherently unsecure. It would be easy to spoof or create any email that you would like to use. If only there is a way to somehow digitally imprint a unique signature into your emails to show authenticity of a given email source, then spoofed or fraudulent emails would not have a place in this world.

Until then, we should be able to recognize what is indeed a genuine email from hoax emails. As a first rule, whatever seems unreal maybe just that- not real. To confirm whether an email indeed came from a valid source, one may look at its full email headers to take a hint. (Now if the email source was correct, perhaps your email account was used without your permission but that is altogether another thing.)

Depending on what you are using- a web based email like Yahoo! or Gmail or if you are using an email client like Thunderbird, Evolution or Outlook- there are different ways to look at the full email headers. I shall not discuss it in here but you may consult relevant documentations.

This is an email header from a legitimate Yahoo! account to another Yahoo! account.

X-Apparently-To: truerecipient@yahoo.com via 68.142.200.36; Wed, 11 Nov 2009 11:34:02 -0800
Return-Path: <truesender@yahoo.com>
X-YMailISG: ml4Zxf0WLDs0nf3MwNIsm7PZshlNwq1Wb_deqAZMvHjf6RYqjAQXhCc_Lz73l.AsX2HzLbWQ4WYINVgWmzK1CC7y0Y2lCOrhVAjYh3qOtpQpzqN17tHADAcQ.WAlYeNmHXA7CGBc9l0czG532d2pjOzPc0QVLQTrIyGiWsbspMiFZIUGdVfTAoVoK06SlkhxubkMKtOnS.FVMMYzM_yJ7P_MPrvkObMLQaYTSVXR.IjTpai4dw9mSe5UDvTi90seGH6vDlCvGOBCWbdIq3qNiZMZ2hXQTgVvENLnmaQQVQbvo5HMCXf5kuHz843zY23sgmvF1ZeKL8sFmt4MuIMVmn2f2zHXaY0mdHnyTo50XOHXbnp9p86VPg8T1iMkcQxEcD1p6kwfpfbLlyaPrrU9nZXfoFa2tVGg6RJ_sLbrhOSLgmWYMtA4
X-Originating-IP: [98.136.44.35]
Authentication-Results: mta1075.mail.sp2.yahoo.com from=yahoo.com; domainkeys=fail (bad sig); from=yahoo.com; dkim=permerror (bad sig)
Received: from 127.0.0.1 (HELO n62.bullet.mail.sp1.yahoo.com) (98.136.44.35) by mta1075.mail.sp2.yahoo.com with SMTP; Wed, 11 Nov 2009 11:34:02 -0800
Received: from [69.147.84.145] by n62.bullet.mail.sp1.yahoo.com with NNFMP; 11 Nov 2009 19:34:02 -0000
Received: from [69.147.84.95] by t8.bullet.mail.sp1.yahoo.com with NNFMP; 11 Nov 2009 19:34:02 -0000
Received: from [127.0.0.1] by omp205.mail.sp1.yahoo.com with NNFMP; 11 Nov 2009 19:34:02 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 170087.71609.bm@omp205.mail.sp1.yahoo.com
Received: (qmail 11655 invoked by uid 60001); 11 Nov 2009 19:34:02 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1257968042; bh=9O+w8kxRRco8XSVHKAtZAtaa95tj7rC1P0Ezh7AMBRg=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=bY9U+g/3i1nucTnk6npre9zjYd3/+X+pIsiYw1zhICvbeRUo66tVMegD2jvQERXv4YDWQCvz905dKU48A0ORBYKwlg2tqSNgSNzB69ARyScCvQvDqr4RNI1z8ndyZHzeTODI94ytDzyUGVVz21cW7kZWaLi5sWupcJJHb919AZ4=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=ZANLaoVFNJX8hJf/GCwrO578JoSeJGRIFr//vrhBBwO58vpUKMg1660syExDkK0w/qtb9HTJnj1qByE3dSyvv8DpWif8pg66HwnBnhpQtPK0nG2Axe1Jkns2hFlQCr+W5I6Z8IFW3EnC8fIF/WySIF5BMICTn+rVrNUlX0M8Tys=;
Message-ID: <101811.11242.qm@web44711.mail.sp1.yahoo.com>
X-YMail-OSG: q1fLjrEVM1mVKkzcPB85tBZ8naOeiSI_r_e.8VCu6atyG5ys_6Ru3aR7ejWJxoTv4okXKqAi0LPksSUqfkPT2BXb4JhVU12ZdQFwAOFLFUYS2r4w_A6jJEjZyVQwh640kAIMSeLq2cNBTUILEJ7d_CcbZq11OC7fpIUkfvr2z9gSG35KxXSmLRzZMnOj0JuInkFEEaHkyazAoXMukIKffiXVtvAdEGmer9VnkcpTHxFwemgjMz5N4GRdVRaWfREMQoQ03S1wF48spNbVvefdwXYsAc9kbiJR0NVMw4NmqJry1umTtG7nTglqazroXg–
Received: from [77.31.44.73] by web44711.mail.sp1.yahoo.com via HTTP; Wed, 11 Nov 2009 11:34:02 PST
X-Mailer: YahooMailClassic/8.1.6 YahooMailWebService/0.7.361.4
Date: Wed, 11 Nov 2009 11:34:02 -0800 (PST)
From: True Sender <truesender@yahoo.com>
Subject: subject
To: True Recipient <truerecipient@yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=”0-637299057-1257968042=:11242″
Content-Length: 1675

This is the email header from one claiming to be from Yahoo! which was received by another email server. Notice the existence of an unwanted domain.

Return-Path: <mail@netzona.cz>
X-Original-To: poorrecipient@corporateemail.com
Delivered-To: poorrecipient@corporateemail.com
Received: from mxfirewall1.corporateemail.com (unknown [210.185.187.5])
by a.corporateemail.com (Postfix) with ESMTP id 1887F9A7AC
for <poorrecipient@corporateemail.com>; Mon,  9 Nov 2009 04:03:13 +0800 (PHT)
Received: from mxfirewall1.corporateemail.com (localhost [127.0.0.1])
by mxfirewall1.corporateemail.com (Proxmox) with ESMTP id 8324734C784
for <poorrecipient@corporateemail.com>; Mon,  9 Nov 2009 04:18:20 +0800 (PHT)
Received: from netzona.cz (alfa.netzona.cz [89.187.131.211])
by mxfirewall1.corporateemail.com (Proxmox) with ESMTP id EE61C34C5E4
for <poorrecipient@corporateemail.com>; Mon,  9 Nov 2009 04:18:17 +0800 (PHT)
Received: from /spool/local
by netzona.cz with [XMail 1.24 LMAIL Server]
for <poorrecipient@corporateemail.com> from <mail@netzona.cz>;
Sun, 8 Nov 2009 21:18:11 +0100
To: poorrecipient@corporateemail.com, poorrecipient@corporateemail.com,
poorrecipient@corporateemail.com
Subject: DEROGATORY SUBJECT!!!!
From: I am not as I am <fakesender@yahoo.com>
MIME-version: 1.0
X-Priority: 1 (Highest)
Importance: High
X-Mailer: yahoomail.com
Reply-To: I am not as I am <fakesender@yahoo.com>
Content-Type: text/plain; charset=”iso-8859-2″
Content-Transfer-Encoding: base64
Date: Sun, 8 Nov 2009 21:18:10 +0100
Message-Id: <20091108201818.EE61C34C5E4@mxfirewall1.corporateemail.com>

I shall also post the email headers of a sender disguising as a Yahoo! account and was sent to another Yahoo! account soon.

I have seen a case of a spoofed Yahoo! email account sent to another Yahoo! email account. The email subject is almost always something that would elicit the recipients curiosity thereby opening the said email and any atttachment it has. Little do the recipient know that the attachment contains a harmful software that may damage his/her computer.

What I do not understand is- why can’t Yahoo! flag emails like this as spam or suspicious? Is it hard to trace emails claiming to be from Yahoo! but which did not come from them?

Whatever the motive of the sender is- be it to make a prank, to fool someone etc., if we know how to tell a good email from something that is fishy, then basically this cheap trick of faking an email would be useless for us. Whoever is doing it only achieves one thing- that is, he makes a fool of himself and wastes his own time. Time which instead would have been spent on more productive things.

]]> http://greatwebhost.com.ph/blog/2009/11/13/spoofed-emails/feed/ 1