
Author Topic: Determining fake emails and fighting SPAM  (Read 1081 times)

Valentin

Determining fake emails and fighting SPAM
« on: February 02, 2010, 02:45:29 PM »

Many of you probably wonder what I mean by the term "fake emails". That's the short description for emails that are really SPAM, but have forged contact fields so that a user can mistake them for a real one. With today's technologies it is quite easy to forge emails, which is often used for phishing (the fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by posing as a trustworthy entity in an electronic communication). In this thread I will try to describe the most commonly used methods of forging email contact information and how you can distinguish fake emails from real ones.

The most common method spammers use is faking the "From" field. By doing this they are simply hoping to obtain the user's password if the user replies by mistake. This is very easily done by simply editing the email headers. The email headers may look a bit like gibberish at first glance, but believe me, they can give you most of the information about where the email came from and whether it is genuine. Some programs need to be adjusted a bit before you can view the full headers of an email; for example, in Mozilla Thunderbird you need to go to View -> Headers -> All. Let's take a look at an example header of a fake SPAM email:

Code:
From - Mon Feb 01 09:29:44 2010
X-Account-Key: account2
X-UIDL: UID47386-1145502272
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <raymond@tebtebba.org>
Delivered-To: raymond@tebtebba.org
Received: (qmail 637 invoked by uid 89); 30 Jan 2010 13:45:39 -0000
Received: by simscan 1.3.1 ppid: 602, pid: 627, t: 0.6124s
scanners:none
Received: from unknown (HELO 5ac2b5c3.bb.sky.com) (90.199.68.3)
by 0 with SMTP; 30 Jan 2010 13:45:38 -0000
To: <raymond@tebtebba.org>
Subject: Your order
From: <raymond@tebtebba.org>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-EsetId: 99E45F289637656986E25F7D996C29

Some fields do not concern us when determining whether the email is fake or not. We should concentrate on the From, To and Received fields. In the above example we can see that the email appears to come from a person with the address "raymond@tebtebba.org" and appears to be delivered to the same person (we can tell this from the From and To fields). However, this email is fake and raymond@tebtebba.org did not actually send it. In fact, the email did not come from that person's account at all, nor from the server his account is located on, for that matter. We can easily determine the real sender by looking at the last "Received" line:

Code:
Received: from unknown (HELO 5ac2b5c3.bb.sky.com) (90.199.68.3)
by 0 with SMTP; 30 Jan 2010 13:45:38 -0000

This line tells us that the sender really is someone from "5ac2b5c3.bb.sky.com" (that's the reverse DNS of the sender) and that his IP address really is 90.199.68.3.
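As an added example, not part of the original post, the following Python script does what the post describes by hand: it walks the Received chain from the earliest hop, pulls out the HELO name and IP, and compares the HELO name with the domain in the From field. It assumes the qmail-style "from ... (HELO ...) (ip)" hop format shown above; the sample headers are constructed from the post's example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header example from the post above, with the
# folded "by 0 with SMTP" continuation line restored (leading space).
SAMPLE_HEADERS = """\
Return-Path: <raymond@tebtebba.org>
Received: (qmail 637 invoked by uid 89); 30 Jan 2010 13:45:39 -0000
Received: by simscan 1.3.1 ppid: 602, pid: 627, t: 0.6124s
 scanners:none
Received: from unknown (HELO 5ac2b5c3.bb.sky.com) (90.199.68.3)
 by 0 with SMTP; 30 Jan 2010 13:45:38 -0000
To: <raymond@tebtebba.org>
Subject: Your order
From: <raymond@tebtebba.org>

"""

# qmail-style hop: "from <reverse DNS or unknown> (HELO <claimed name>) (<ip>)"
HOP_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)",
    re.IGNORECASE,
)

def received_hops(raw):
    """Return the 'from ...' Received hops, oldest (closest to origin) first.
    Every relay prepends its own Received header, so the last one listed is the
    earliest hop. Trust only the hops written by servers you control."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append(m.groupdict())
    return hops

def origin_check(raw):
    """Flag mail whose From domain does not match the HELO name of the
    earliest hop, as in the post's example (tebtebba.org vs bb.sky.com)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(raw)
    if not hops:
        return {"from_domain": from_domain, "origin": None, "suspicious": None}
    helo = hops[0]["helo"].lower()
    matches = helo == from_domain or helo.endswith("." + from_domain)
    return {"from_domain": from_domain, "origin": hops[0], "suspicious": not matches}
```

Running `origin_check(SAMPLE_HEADERS)` reports the 90.199.68.3 hop as the origin and marks the message suspicious; a sender can forge Received lines below the ones your own servers add, so the earliest hop is a lead, not proof.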

So if you are suspicious of whether the sender of an email is legit, you can now tell for sure. There are many ways of preventing SPAM (these fake emails are often considered as such), some of them invisible to the average user. There are many software solutions which run in the background and identify SPAM messages with complex algorithms. One such piece of software is SpamAssassin, which is commonly run on cPanel servers. You can also blacklist/whitelist emails inside your cPanel by editing your SpamAssassin configuration. However, the software is not always able to catch all the junk/spam emails, and that's when external POP3/IMAP clients come in handy. For instance, Mozilla Thunderbird, which we used as an example earlier, has very useful SPAM filters which automatically send unwanted messages to the spam folder. The method by which messages are sorted is simple but effective: the user just adds criteria (the To, From, Subject and other fields) from which the program determines whether a message is SPAM or not.

I hope this short thread was useful to some of you; any comments on this will be much appreciated :)