
Spam analysis: example #1
forged header; base64 encoded body

Update 6 February 2006: I’ve updated this example to correct some of my errors in interpreting SMTP and to (I hope) make it more clear.

The following is a basic spam e-mail that incorporates a forged mail header, an encoded message body, and a few basic external links (images and mailto’s). I have edited out some information for brevity and to protect the identities of myself and my fellow victims.

This is the complete mail packet, including the header and part of the MIME-encoded body:

Return-Path: address hidden
Received: from yahoo.com ([12.98.111.228]) by mta005.verizon.net
    (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP
    id <20020816232114.QWHU2588.mta005.verizon.net@yahoo.com>;
    Fri, 16 Aug 2002 18:21:14 -0500
Received: from m10.grp.snv.yahui.com ([156.237.19.22])
    by m10.grp.snv.yahui.com with QMQP; Sat, 17 Aug 0102 02:10:18 +1000
Received: from rly-yk05.pesdets.com ([54.118.180.24])
    by m10.grp.snv.yahui.com with SMTP; 17 Aug 0102 12:02:21 +0300
Reply-To: address hidden
Message-ID: <008a84e08a3d$2647b2e0$0dd05cd3@lhwmne>
From: address hidden
To: address hidden
Cc: address hidden , address hidden ,

(... lines skipped ...)

Subject: Climatique Climax Gel For Women Free Bottle Offer
Date: Sat, 17 Aug 0102 22:43:06 -0800
MiME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00E2_42A55B5A.D3753D06"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
Importance: Normal


------=_NextPart_000_00E2_42A55B5A.D3753D06
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: base64


NDc3M25qVkQwLTI0NXh1cHM2Nzc3d0dGUTMtNTY2ZlpyQjkzOTFPSE5zMS01
MjBCWFloMTMwMkpwWnE1LTYxN1ZhQUZsNjQNCg0KPGh0bWw+DQoNCjxoZWFk
Pg0KPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIg0KY29udGVudD0i

(... lines skipped ...)

IDwvdHI+DQogICAgICAgIDwvdGFibGU+DQogICAgICAgIDwvdGQ+DQogICAg
PC90cj4NCjwvdGFibGU+DQo8L2JvZHk+DQo8L2h0bWw+DQoNCg0KDQo5MTY4
RlRIdTMtMjEyWG1hZTkwODBacWNGMC0wMTF1QXZTNjgxOHNzclU3LTA2NG1X
cmIwOTM0cnphejEtMDlsNTk=
------=_NextPart_000_00E2_42A55B5A.D3753D06--

Checking the header

We’ll start by looking at the message header (which goes from the top down to the “Cc” entry). We are interested in tracing the route of the message from my ISP back as far as we can go to find the point where the message first hit the internet. We stop our tracing when we hit the end of the chain, or else when we hit what looks like a forged entry.

Looking at the From: and Return-Path: addresses

First of all, just to get this out of the way, we’ll look at the address of the (supposed) message originator, which is given in two places:

Return-Path: address hidden

(... lines skipped ...)

From: address hidden

You would think that these would have to be the same, but they don’t have to be. In fact, neither of them has to be valid or correct according to the protocols used to compose (RFC 2822) and send (RFC 2821) e-mail. That is, putting bogus information into these fields generally won’t stop the message from being successfully delivered to its destination. These fields are relatively easy to forge, and therefore should never be trusted. If you plan to do much spam-tracing, you should write down the following statement on a sticky note and paste it to your computer screen:

The From: and Return-Path: addresses found in spam (or, indeed, in any e-mail) ARE NOT TRUSTWORTHY and do not tell you anything about the actual origin of the message.

Looking at the message route

Now, let’s move on to the lines that begin with “Received:”; these “routing lines” tell us the path that the message took from the origin to the destination.

Received: from yahoo.com ([12.98.111.228])
   by mta005.verizon.net
   (InterMail vM.5.01.05.09 201-253-122-126-109-20020611)
   with SMTP
   id <20020816232114.QWHU2588.mta005.verizon.net@yahoo.com>;
   Fri, 16 Aug 2002 18:21:14 -0500

This is the topmost routing line, which means that this handoff was the most recent one; we expect it to show that the message reached a mail transfer agent (MTA) in my ISP’s domain, and the “by” host (mta005.verizon.net) is indeed one of my ISP’s mail hosts. So far, so good.

Interesting things start happening once we look at the from-host’s information. The from-host in this line is identified as “yahoo.com,” with an IP address of 12.98.111.228. The name seems odd, because it is a simple domain name rather than the fully-qualified name of some mail host (e.g., “some.mailhost.yahoo.com”). We can check things out by doing a simple reverse name lookup on the IP address using nslookup:

[localhost:~] rconner% nslookup 12.98.111.228
Server: home1.bellatlantic.net
Address: 199.45.32.43

Name: 228.muah.wash.wacdc01r1.dsl.att.net
Address: 12.98.111.228

So the principal name of the host at 12.98.111.228 is not “yahoo.com” as claimed, but is actually “228.muah.wash.wacdc01r1.dsl.att.net.” What’s going on? Simple: the from-host is lying.

The name of the from-host is actually given by the from-host itself; the from-host identifies itself to the by-host during the SMTP transfer using the HELO command. The from-host is supposed to give its authentic name, but in practice it can give pretty much any name it wants and the by-host won’t care. On the other hand, the IP address is taken by the by-host from the underlying socket connection (the “TCP data,” as SMTP calls it), so the from-host cannot forge or spoof it. Therefore, in a routing line written by a host we trust, we can always trust the IP address but never the HELO name.

Clearly, here, we have a case of the host “228.muah.wash.wacdc01r1.dsl.att.net” (which, from the name, is obviously a DSL subscriber line run by AT&T) misidentifying itself as yahoo.com in the effort to get the spam through and deflect the blame. In other words, this is a case of a bogus HELO name, an elementary form of header forgery used almost universally in spam.

Since we have found a forged entry in this line, we can pretty much conclude that this is the source of our spam, and there usually is no need to look any farther down the route (since the subsequent lines have likely been made up out of thin air by the spammer, and do not represent actual message relay). Nevertheless, for the sake of completeness, we will have a look at the second (and last) routing line:

Received: from m10.grp.snv.yahui.com ([156.237.19.22])
   by m10.grp.snv.yahui.com with QMQP;
   Sat, 17 Aug 0102 02:10:18 +1000

This is a blatant forgery. In order to preserve a complete audit trail for the message, the “by” host should in this case be “yahoo.com,” but it is not. We say that the routing “chain” is “broken.” In fact, the record appears to show that the host “m10.grp.snv.yahui.com” is relaying mail to itself, which makes no sense. Nor does the date of the message, which appears to come to us from the year 102 AD. Either somebody’s computer clock is exactly 1,900 years slow, or else they don’t understand how to use a struct tm (a common programming error: its tm_year field counts years since 1900, so printing it raw in 2002 gives 102).

Incidentally, pings to both m10.grp.snv.yahui.com and 156.237.19.22 got no answer either way, so this host likely does not exist (and probably never did).

Why would the spammer insert obviously bogus routing information into his messages? Because he is trying to give a false history to the message in the hopes that spam investigators will be fooled into following him down a blind alley.
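The checks just walked through by hand (trusted by-host on the top line, HELO name against reverse DNS, chain continuity, self-relay, impossible year), as an added Python example that is not part of the original page. It embeds the three Received lines from the message above as a constructed sample and uses a one-entry table as an offline stand-in for the nslookup step.

```python
import re
from email import message_from_string

# Constructed sample: the three Received lines of the message analysed above,
# with the hidden address fields left out.
RAW_HEADER = """\
Received: from yahoo.com ([12.98.111.228]) by mta005.verizon.net
    (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP
    id <20020816232114.QWHU2588.mta005.verizon.net@yahoo.com>;
    Fri, 16 Aug 2002 18:21:14 -0500
Received: from m10.grp.snv.yahui.com ([156.237.19.22])
    by m10.grp.snv.yahui.com with QMQP; Sat, 17 Aug 0102 02:10:18 +1000
Received: from rly-yk05.pesdets.com ([54.118.180.24])
    by m10.grp.snv.yahui.com with SMTP; 17 Aug 0102 12:02:21 +0300

"""

# Offline stand-in for reverse DNS; its one entry is the nslookup result above.
PTR = {"12.98.111.228": "228.muah.wash.wacdc01r1.dsl.att.net"}

# "from HELO ([ip]) by HOST ... ; date" -- the shape of the lines above
HOP_RE = re.compile(r"from (?P<helo>\S+) \(\[(?P<ip>[\d.]+)\]\) by (?P<by>\S+) .*; (?P<date>.+)$")

def parse_hops(header_text):
    """Return the Received lines, most recent first, as dicts."""
    hops = []
    for value in message_from_string(header_text).get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))  # fold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def trace(hops, my_mta, ptr=PTR):
    """Check every hop top-down; the first hop that looks forged is the source."""
    findings, source = [], None
    for i, hop in enumerate(hops):
        problems = []
        if i == 0 and hop["by"] != my_mta:
            problems.append("by-host %s is not our MTA" % hop["by"])
        if i > 0 and hop["by"] != hops[i - 1]["helo"]:
            problems.append("chain broken: by-host %s is not the earlier from-host %s"
                            % (hop["by"], hops[i - 1]["helo"]))
        if hop["helo"] == hop["by"]:
            problems.append("host %s relays to itself" % hop["by"])
        year = int(re.search(r"\b(\d{4})\b", hop["date"]).group(1))
        if year < 1970:
            problems.append("bogus year %04d (tm_year printed without +1900?)" % year)
        # The IP is reliable only where a trusted by-host recorded it; compare
        # it with the name the from-host claimed in HELO.
        rdns = ptr.get(hop["ip"])
        if rdns and rdns != hop["helo"] and not rdns.endswith("." + hop["helo"]):
            problems.append("HELO %s but PTR of %s is %s" % (hop["helo"], hop["ip"], rdns))
        if problems and source is None:
            source = (hop["ip"], rdns)  # where the mail first hit the internet
        findings += ["hop %d: %s" % (i, p) for p in problems]
    return {"source": source, "findings": findings}

if __name__ == "__main__":
    for line in trace(parse_hops(RAW_HEADER), "mta005.verizon.net")["findings"]:
        print(line)
```

Unlike the manual trace, it keeps going past the first forged hop so that the self-relay and year problems on the lower lines are reported too.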

Finding the abuse contact for the mail source

Now that we’ve identified where the mail comes from (i.e., 12.98.111.228), our next job is to find out where to file a spam report. We could root around the att.net website to look for an abuse reporting address, but a quicker and more reliable means is to make a whois request to whois.abuse.net, a host that maintains documented abuse addresses for various internet operations. You cannot get this service from your default whois server, so remember to use the “-h” option and specify “whois.abuse.net” as the whois server.

[localhost:~] rconner% whois -h whois.abuse.net att.net
abuse@att.net (for att.net)

Since this looks to be an address that the folks at att.net actually entered in the abuse.net database, we can use it for reporting. If this check had come up with a “default - no information” address (meaning that no one had registered an address for att.net), then we would probably instead want to use IP-whois to ferret out the reporting contact for this IP address.

Inspecting the body

Now that we’ve finished with the header, let’s turn our attention to the body of the message. The spammer has MIME-encoded it, so we have to decode it. You can use any of a number of freeware or shareware MIME utilities to do this job (WinZip can do this in a pinch). Whatever you use, you should get a result like the following. I have highlighted bits of particular interest in blue. (Sorry for the busy-looking HTML markup, but you might as well learn to read it if you’re going to deal with spam; fortunately, it becomes easy after a while to “read around” most HTML tag clutter.)

4773njVD0-245xups6777wGFQ3-566fZrB9391OHNs1-520BXYh1302JpZq5-617VaAFl64

<html>

<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Microsoft FrontPage Express 2.0">
<title>Climatique is a specially designed gel that was created for women who wish to experience,</title>
</head>

<body bgcolor="#FFFFFF">

<table border="0" cellpadding="0" cellspacing="0" width="468">
<tr>
<td><table border="0" cellpadding="0" cellspacing="0"
width="468">
<tr>
<td>&nbsp;</td>
</tr>
</table>
<p align="center" class="MsoBodyText"
style="MARGIN-RIGHT: 3pt"><img
src="
http://www.seenontvmall.com/tv_ban.gif" width="66"
height="50"></p>
<p align="center" class="MsoBodyText"
style="MARGIN-RIGHT: 3pt"><a
href="mailto:
glemedia@btamail.net.cn?subject=Tell Me How I Can Get A Free Bottle ASAP!"
target="mailto:glemedia@btamail.net.cn?subject=Tell Me How I Can Get A Free Bottle ASAP!"><img
src="
http://www.geocities.com/glepub4/climatique_300X120.gif"
border="0" width="300" height="120"></a></p>
<p class="MsoBodyText" style="MARGIN-RIGHT: 3pt"><font
color="#0000A0" size="2" face="Tahoma"><strong>Climatique
is a specially designed gel that was created for women
who wish to experience, restore or enhance the pleasure
&amp; joy of great sex.</strong></font></p>
<p class="MsoBodyText" style="MARGIN-RIGHT: 3pt"><font
color="#0000A0" size="2"
face="Arial, Helvetica, sans-serif">Climatique is
manufactured by Taylor-Wright Pharmacals, Inc., a leading
homeopathic manufacturer of sexual health care products
for over a decade. </font></p>
<p class="MsoBodyText2" style="MARGIN-RIGHT: 3pt"><font
color="#0000A0" size="2" face="Arial">Climatique has been
tested and recommended by the Institute for Advanced
Study of Human Sexuality for use as a sexual enhancer and
pleasure product. It also is distinguished with a
recommendation from the American College of Sexologists</font></p>
<p align="left" class="MsoBodyText2"
style="MARGIN-RIGHT: 3pt"><a
href="mailto:
glemedia@btamail.net.cn?subject=Tell Me How I Can Get A Free Bottle ASAP!"><font
color="#8080FF" size="3" face="Arial"><strong><u>Click
Here To Find Out How You Can Get A Free Bottle!</u></strong></font></a></p>
<p class="MsoBodyText2" style="MARGIN-RIGHT: 3pt"><font
color="#0000A0" size="4" face="Tahoma"><strong>Testimonials</strong></font></p>
<p class="MsoNormal" style="MARGIN-RIGHT: 3pt"><font
color="#0000A0" size="2" face="Arial"><b>Doris, aged 27,
married, Carlsbad, CA</SPAN><SPAN style="FONT-SIZE: 10pt; COLOR: #333399; FONT-FAMILY: Arial"><br>
</b>&quot;My husband is a Marine who is always ready,
willing and able. We used Climatique and for the first
time I stayed with him&#133;. In fact, I was a little
ahead of him.&quot; <b><br>
<br>
Mabel, aged 48, divorced, Los Angeles, CA<br>
</b>&quot;I thought I wouldn't ever be interested again.
Climatique made me find a new incentive.&quot;<br>
<b><br>
Janette, aged 33, engaged, Kahuku, HI<br>
</b>&quot;I went from sometimes no orgasms to multiple
orgasms.&quot; <b><br>
<br>
Matt, aged 39, engaged, Philadelphia, PA<br>
</b>&quot;It's increased our sexual satisfaction
immensely. We're having more and better sex all the time
now.&quot; <b><br>
<br>
Monique, aged 23, single, Long Island, NY <br>
</b>&quot;Climatique is like a tube of orgasmic
sensation. It lifted me through the clouds to a state of
ecstasy in a matter of moments when ordinarily it would
take much longer.<b><br>
<br>
</b></font><a
href="mailto:
glemedia@btamail.net.cn?subject=Tell Me How I Can Get A Free Bottle ASAP!"><font
color="#8080FF" size="3" face="Arial"><strong><u>Click
Here To Find Out How You Can Get A Free Bottle!</u></strong></font></a></p>
<p><font color="#0000A0" size="2" face="Arial">Regards,</font></p>
<p><font color="#0000A0" size="2" face="Arial">Customer
Service</font></p>
<p><font color="#0000A0" size="2" face="Arial"><strong>Ps.
Announcing From The Makers Of Climatique: An Amazing, New
Aphrodisiac For Men And Women.</strong></font></p>
<p align="left"><font color="#0000A0" size="2"
face="Arial">Vigorex&trade; is a new and unique
aphrodisiac which has been documented and scientifically
proven at the Institute for Advanced Study of Human
Sexuality to increase in both men and women sexual
desire, potency strength and longevity of orgasm and
enhance a person's sexual experience naturally.</font></p>
<p align="left"><font color="#0000A0" size="2"
face="Arial">For more information on Vigorex, click
below:</font></p>
<p align="left"><a
href="mailto:
glemedia@btamail.net.cn?subject=More Info On Your Amazing Aphrodisiac!"><font
color="#8080FF" size="3" face="Arial"><strong>Vigorex
Information Please</strong></font></a></p>
<p><font size="2" face="Arial">This message is never sent
unsolicited. Direct Shopping has been given the right to
market to you through our Web site partners and their
privacy policies. If you feel that your email was
obtained by error, or would like to opt-out of receiving
future offers please click </font><a
href="mailto:
glemedia@btamail.net.cn?subject=Remove Me From Climatique Immediately!"><font
color="#0000FF" size="2" face="Arial"><strong>here</strong></font></a><font
size="2" face="Arial"> and hit send.</font></p>
<table border="0" cellpadding="0" cellspacing="0"
width="468">
<tr>
<td>&nbsp;</td>
</tr>
</table>
</td>
</tr>
</table>
</body>
</html>



9168FTHu3-212Xmae9080ZqcF0-011uAvS6818ssrU7-064mWrb0934rzaz1-09l59

As you can see, the body has decoded into an HTML markup file (i.e., a web page). The general plan of attack in looking through an HTML message body is as follows:

  1. Look for JavaScripts or other bits of client-side executable code (HTML by itself is not executable code, and server-side code such as CGI or PHP does not usually appear in mail messages). If there’s too much of it, or if it seems to be working on the message content itself or on external links, you should be suspicious of external links within the message. Confirm that they won’t reveal your e-mail address or lead you to a malware site before you load them.
  2. Look for beacon URLs or hyperlink URLs containing your e-mail address or other suspicious looking encoded data. Be very careful not to follow these links, lest you reveal to the spammer that your e-mail address works.
  3. Look for hyperlink URLs pointing to CGI scripts, ASPs, or other types of automation, as well as for <FORM> tags (and particularly for the target programs that process the form data).
  4. Look for e-mail addresses (often in “mailto” URLs).
  5. For each such external URL or address, try to identify the ISP responsible for hosting the link, and get its abuse reporting address.

If you’re dealing with a plain-text message (without the HTML tags), you can generally just look for any e-mail addresses or website URLs contained in the body; you don’t have to worry about beacons or scripts.
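The five-step body checklist above, carried out in code, as an added Python example that is not part of the original page. The sample part is constructed: a cut-down copy of the decoded body, re-encoded as base64 the way the original part was, plus one made-up beacon image (host tracker.example, address victim@example.net) so that step 2 has something to find.

```python
import base64
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: a cut-down copy of the decoded body above, re-encoded as
# base64 the way the original part was, plus one made-up beacon image.
HTML = """<html><body>
<img src="http://www.seenontvmall.com/tv_ban.gif" width="66" height="50">
<a href="mailto:glemedia@btamail.net.cn?subject=Tell Me How I Can Get A Free Bottle ASAP!">
<img src="http://www.geocities.com/glepub4/climatique_300X120.gif" border="0"></a>
<img src="http://tracker.example/b.gif?id=victim@example.net" width="1" height="1">
</body></html>"""
RAW_PART = ('Content-Type: text/html; charset="iso-8859-1"\n'
            "Content-Transfer-Encoding: base64\n\n"
            + base64.encodebytes(HTML.encode("latin-1")).decode("ascii"))

class LinkScanner(HTMLParser):
    """Collect what the checklist above says to look for in an HTML body."""
    def __init__(self):
        super().__init__()
        self.urls, self.mailtos, self.forms, self.scripts = [], [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.scripts += 1
        elif tag == "form":
            self.forms.append(a.get("action") or "")
        for key in ("href", "src"):
            v = (a.get(key) or "").strip()
            if v.lower().startswith("mailto:"):
                self.mailtos.append(v[7:].split("?", 1)[0])  # drop ?subject=...
            elif v.lower().startswith(("http://", "https://")):
                self.urls.append(v)

def inspect_body(raw_part, my_address):
    """Decode the base64 part and sort its links into the checklist's buckets."""
    html = message_from_string(raw_part).get_payload(decode=True).decode("latin-1")
    s = LinkScanner()
    s.feed(html)
    # step 2: beacons are URLs that carry our own address, encoded or not
    beacons = [u for u in s.urls if my_address.lower() in unquote(u).lower()]
    # step 3: a query string, or a CGI/ASP/PHP target in the path
    automation = [u for u in s.urls if urlsplit(u).query
                  or re.search(r"\.(cgi|asp|php)$", urlsplit(u).path, re.I)]
    # step 5: every host that would need an abuse-address lookup
    hosts = {urlsplit(u).hostname for u in s.urls} | {m.split("@")[-1] for m in s.mailtos}
    return {"scripts": s.scripts, "forms": s.forms, "beacons": beacons,
            "automation": automation, "mailtos": sorted(set(s.mailtos)),
            "urls": s.urls, "hosts_to_lookup": sorted(hosts)}

if __name__ == "__main__":
    for k, v in inspect_body(RAW_PART, "victim@example.net").items():
        print(k, v)
```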

This message is pretty straightforward (don’t worry, we’ll look at more interesting ones later). We find no JavaScript or other executable code in the message. The message contains the following hyperlinks and URLs:

mailto:glemedia@btamail.net.cn

This is an e-mail address; if you click the “mailto” link that contains it, your browser will pop up a pre-addressed outgoing e-mail form for you to fill in. Since this address is used to collect inquiries, orders, and removal requests, the provider of the address may be included in any spam complaints.

Who to complain to? We’ll try another whois lookup to whois.abuse.net:

[localhost:~] rconner% whois -h whois.abuse.net btamail.net.cn
spam@btamail.net.cn (for btamail.net.cn)
postmaster@btamail.net.cn (for btamail.net.cn)

The response from whois.abuse.net doesn’t include the warning about “default, no info,” so we know at least that the two addresses given were put there by someone in charge at btamail.net.cn. However, I happen to know that btamail.net.cn is a notoriously spam-friendly ISP from mainland China; you could complain if you wanted, but it’s unlikely to get any result.

http://www.seenontvmall.com/tv_ban.gif
http://www.geocities.com/glepub4/climatique_300X120.gif

These links just fetch images from servers (i.e., tv_ban.gif and climatique_300X120.gif); there’s no information being collected and no code being run. More than likely the spammer simply “borrowed” the tv_ban picture, while the climatique image probably comes from a free website that the spammer set up on Geocities to support his spams.

It’s a judgment call as to whether to report these two URLs. If the providers were doing anything more than simply hosting pictures, I’d gladly bitch. In this case, however, I’m inclined to lay off. For the record, however, here are the abuse addresses for these hosts:

[localhost:~] rconner% whois -h whois.abuse.net www.seenontvmall.com
postmaster@seenontvmall.com (default, no info)
postmaster@www.seenontvmall.com (default, no info)

[localhost:~] rconner% whois -h whois.abuse.net www.geocities.com
abuse@geocities.com (for geocities.com)
geo-abuse@yahoo-inc.com (for geocities.com)

The lookup for “seenontvmall” shows only default information; together with the cheesy domain name, this suggests that a complaint to these addresses would be ineffective at best. If you really wanted to dig deeper, you could determine who was the “upstream” provider for the host www.seenontvmall.com.

Now, on to the complaining

Here’s what a complaint about this e-mail might look like. Note that I’ve included the addresses for the image links and the mailto address, even though in practice I probably wouldn’t bother.

To: abuse@att.net, spam@btamail.net.cn, postmaster@btamail.net.cn,
geo-abuse@yahoo-inc.com, postmaster@seenontvmall.com

From: (my address)

Subject: Spam complaint (Climatique Climax Gel For Women Free Bottle Offer)

I received the attached mail, which appears to be spam from an address in the att.net domain, and cites an e-mail address at btamail.net.cn and website URLs at seenontvmall.com and geocities.com. Please take appropriate action in accordance with your acceptable use policies.

Signed,
(me)

Message follows:

(paste in the full message here)


(c) 2003-2008, Richard C. Conner ( )


Updated:    Fri, 20 Jun 2008
