Identifying spam e-mails

How to identify and trace spam e-mails:

The procedure below was carried out on real samples in Outlook 2010. Please note that we tried to make this as comprehensive as possible (within our means and without trying to attract the wrath of the cyber crooks). Click on the images to see a bigger version of them.

When you receive a suspicious e-mail with a hyperlink for verification, information or a so-called ‘stored message’, follow these simple steps to verify the sender and the validity of the e-mail.

This is a sample e-mail which I have been receiving quite frequently:

[Image: idemail01]

Open the e-mail but don’t click on any links or attachments. Note that I have removed my personal information, but yours will appear in the relevant white blocks.

First we notice that even though it pretends to be from Facebook, the “From” field clearly shows the sender’s true e-mail address (mail@bruuns-handel.dk). The “.dk” at the end indicates that this message originated from Germany. Clearly, then, this message is not from Facebook.

Now click on “File” at the top and select “Properties” on the next screen:

[Image: idemail02]

This is what you will get:

[Image: idemail03]

The full text won’t make much sense, but in this case it looks like this:

Return-path: <mail@bruuns-handel.dk>
Envelope-to: yours@e-mail address.com -> your full e-mail address
Delivery-date: Tue, 18 Mar 2014 00:29:48 +0200
Received: from [221.143.22.213] (helo=localhost) -> sender IP address
        by pop3.telkomsa.net with smtp (Exim 4.62) -> your ISP mailbox address (i.e. Telkom)
                (envelope-from <mail@bruuns-handel.dk>)
                id 1WPg2V-00076n-8a
                for : yours@e-mail address.com; Tue, 18 Mar 2014 00:29:48 +0200
From: AutoFacebookNotifier <mail@bruuns-handel.dk>
Date: Tue, 18 Mar 2014 07:39:32 +0000

What do we learn from this and what can we do about it?

First we have the person’s e-mail address. Big deal, but we won’t be sending him any e-mails, even though most of the time we feel like giving him a piece of our mind. The problem is that you might blow off some steam, but what you will lose is the right to less spam: sending an e-mail confirms that you have seen this mail and that your e-mail address is in fact in use and active. This will only elicit more spam, so don’t.

What we can do with this e-mail address is to check on his / her service provider, which in this case is the latter part of the e-mail address (bruuns-handel.dk). So let’s head over to www.bruuns-handel.dk in our web browser. Here we’ll check whether it is a general web services provider or a company. In either case we’ll be looking for a “Contact” page from which we can send them an e-mail informing them of this criminal behaviour; just copy and paste the spam e-mail into their contact form, or into an e-mail to them.

At the same time, do indicate that this instance has been reported to the authorities. You most probably will not get a reply, but this miscreant will be prevented from sending any more mails using this mail service.

The cherry on the top for some people (yes, me) is the IP address. Head over to a “whois” service and enter the IP address, which in this case is 221.143.22.213. Through this facility you will get to the company responsible for this IP address, through which this criminal is getting his internet connectivity (his ISP). Now we can send them an e-mail as well.

At www.iplocation.net we can get a map with what is known as “geolocation” through Google Maps. Once you have narrowed down his physical location you wish you were there with a sniper rifle or a stick of dynamite! But this is just the fun part of the whole exercise and not much use in trying to stop the hacker / spammer’s criminal behaviour.
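The header reading described above can also be done programmatically. The following Python script is an added example, not part of the original post and not an Outlook feature: it takes the raw header block from the first sample e-mail (the recipient address is a constructed placeholder, since the original was redacted), pulls out the Return-path, the IP your own mail server saw the connection come from, the mismatch between the “Facebook” display name and the real address domain, and the gap between the sender-supplied Date and the local Delivery-date. The list of Facebook domains is an assumption for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Header block from the first sample e-mail on this page. The recipient
# address is a constructed placeholder (the original was redacted) and the
# body is omitted.
SAMPLE_HEADERS = """\
Return-path: <mail@bruuns-handel.dk>
Envelope-to: recipient@example.com
Delivery-date: Tue, 18 Mar 2014 00:29:48 +0200
Received: from [221.143.22.213] (helo=localhost)
        by pop3.telkomsa.net with smtp (Exim 4.62)
        (envelope-from <mail@bruuns-handel.dk>)
        id 1WPg2V-00076n-8a
        for recipient@example.com; Tue, 18 Mar 2014 00:29:48 +0200
From: AutoFacebookNotifier <mail@bruuns-handel.dk>
Date: Tue, 18 Mar 2014 07:39:32 +0000

(body omitted)
"""

# Assumption for the demo: domains Facebook really sends from.
BRAND_DOMAINS = {"Facebook": ["facebook.com", "facebookmail.com"]}

IP_IN_BRACKETS = r"from\s+[^\[\n]*\[(\d{1,3}(?:\.\d{1,3}){3})\]"


def sender_ip(msg, trusted_by):
    """IP that the recipient's own mail server (the 'by' host, e.g. your ISP's
    pop3.telkomsa.net) saw the connection come from. Received lines added
    above that one belong to your provider; any below it were supplied by the
    sender and can be forged, so only the trusted hop is used."""
    for hop in msg.get_all("Received", []):
        if re.search(r"\bby\s+" + re.escape(trusted_by) + r"\b", hop):
            m = re.search(IP_IN_BRACKETS, hop)
            return m.group(1) if m else None
    return None


def brand_mismatch(msg, brand_domains):
    """Return (display name, address domain) when the From display name
    mentions a brand but the address is not on one of that brand's domains."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in brand_domains.items():
        if brand.lower() in name.lower():
            genuine = any(domain == d or domain.endswith("." + d) for d in domains)
            if not genuine:
                return name, domain
    return None


def date_skew_seconds(msg):
    """Seconds between the sender-supplied Date and the Delivery-date stamped
    by the local server. A large positive value means the mail claims to have
    been written after it was delivered, which only a forged or badly set
    sending machine produces."""
    sent = parsedate_to_datetime(msg["Date"])
    delivered = parsedate_to_datetime(msg["Delivery-date"])
    return int((sent - delivered).total_seconds())


def analyse(raw_headers, trusted_by):
    """Summarise the points this page checks by hand."""
    msg = message_from_string(raw_headers)
    return {
        "return_path": parseaddr(msg.get("Return-path", ""))[1],
        "sender_ip": sender_ip(msg, trusted_by),
        "brand_mismatch": brand_mismatch(msg, BRAND_DOMAINS),
        "date_skew_seconds": date_skew_seconds(msg),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HEADERS, "pop3.telkomsa.net").items():
        print(f"{key}: {value}")
```

The `trusted_by` argument matters: a spammer can add fake `Received:` lines of his own before sending, so the only hop you can rely on is the one your own provider wrote, and that is where the IP to look up in whois comes from.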

Here is another e-mail I received, with more complete information:

[Image: idemail10]

Please note that the red warning indicator at the top of the e-mail is an automatic warning from my internet security suite. Now let’s look further into this one.

The sender’s address clearly shows that this mail is not from Twitter:

Return-path: <warrenvermilionray@feministing.com>
Envelope-to: your@e-mail.com
Delivery-date: Sat, 29 Mar 2014 17:31:45 +0200
Received: from [83.222.229.28] (helo=localhost)
        by xxx.xxxxxx.net with smtp (Exim 4.62)
        (envelope-from <warrenvermilionray@feministing.com>)
Date: Sat, 29 Mar 2014 15:43:43 +0000

The “View message” link points to: http://78.9.71.198/earning.php

Checking the link destination and the registered owner of this IP, we get the following from “whois”:

inetnum:        78.9.71.0 - 78.9.71.255
netname:        DIALOGNET
descr:          Static Broadband Services
descr:          Telefonia Dialog S.A. - Dialog Telecom
country:        PL
admin-c:        NT1264-RIPE
tech-c:         NT1264-RIPE
status:         ASSIGNED PA
mnt-by:         NETIA-MNT
source:         RIPE # Filtered
role:           Netia Telekom S.A. Contact Role
address:        Poleczki 13
address:        02-822 Warszawa
address:        Poland
phone:          +48(22)352 0000
fax-no:         +48(22)352 2213
remarks:        trouble:      24/7 phone number: +48(22)352 2233
admin-c:        MO3780-RIPE
tech-c:         KP2343-RIPE
tech-c:         AK3224-RIPE
tech-c:         RPOZ-RIPE
nic-hdl:        NT1264-RIPE
remarks:        ---------------------------------------
remarks:        In case of abuse from our address range
remarks:        please contact     abuse@inetia.pl
remarks:        ---------------------------------------
abuse-mailbox:  abuse@inetia.pl
mnt-by:         NETIA-MNT
source:         RIPE # Filtered
route:          78.8.0.0/14
descr:          DIALOGNET
origin:         AS12741
mnt-by:         NETIA-MNT
source:         RIPE # Filtered

From this we can see that the hacker’s website is located in Poland and hosted by Dialog Telecom.

Let’s see where the e-mail was sent from:

inetnum:        83.222.228.0 - 83.222.229.255
netname:        EU-PER1
descr:          Peer 1 Network Enterprises Limited
country:        GB
org:            ORG-PNEL1-RIPE
admin-c:        NOC116-RIPE
tech-c:         NOC116-RIPE
status:         ASSIGNED PA
mnt-by:         PNE-NETADMIN-MNT
mnt-lower:      PNE-NETADMIN-MNT
mnt-domains:    PNE-NETADMIN-MNT
mnt-routes:     PNE-NETADMIN-MNT
source:         RIPE # Filtered
remarks:        INFRA-AW
organisation:   ORG-PNEL1-RIPE
org-name:       Peer 1 Network Enterprises Limited
org-type:       LIR
address:        Peer 1 Network Inc. 1000-555 West Hastings Street V6B 4N5 Vancouver Canada
phone:          +16046837747
fax-no:         +16046834634
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        PNE-NETADMIN-MNT
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        PE1
source:         RIPE # Filtered
person:         Peer 1 Support
address:        Suite 1000 - 555 West Hastings St.
address:        Vancouver
address:        British Columbia
address:        Canada
phone:          +6044842588
nic-hdl:        NOC116-RIPE
mnt-by:         PNE-NETADMIN-MNT
source:         RIPE # Filtered

From the above we can see that the spammer is using a Canadian mail server to send his / her spam, but the link he hopes you will follow is hosted in Poland.
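The two whois lookups above were read by eye. As an added example (not part of the original post, and not the whois service’s own tooling), the Python below parses RIPE-style whois output into objects and pulls out what a defender actually needs: whether the IP really falls in the listed range, the netname and country, the originating AS, and the abuse mailbox to send a report to. The two samples are cut down from the records shown on this page; when a record carries no `abuse-mailbox`, the script reports the `abuse-c` handle that the next lookup would resolve.

```python
import ipaddress

# Cut-down copy of the RIPE record for the link host shown on this page
# (the route object and the contact role with its abuse mailbox are kept).
WHOIS_LINK_HOST = """\
inetnum:        78.9.71.0 - 78.9.71.255
netname:        DIALOGNET
descr:          Static Broadband Services
descr:          Telefonia Dialog S.A. - Dialog Telecom
country:        PL
status:         ASSIGNED PA
source:         RIPE # Filtered

role:           Netia Telekom S.A. Contact Role
remarks:        In case of abuse from our address range
remarks:        please contact     abuse@inetia.pl
abuse-mailbox:  abuse@inetia.pl
nic-hdl:        NT1264-RIPE
source:         RIPE # Filtered

route:          78.8.0.0/14
descr:          DIALOGNET
origin:         AS12741
source:         RIPE # Filtered
"""

# Cut-down copy of the record for the sending IP: no abuse-mailbox, only an
# abuse-c handle on the organisation object.
WHOIS_MAIL_SOURCE = """\
inetnum:        83.222.228.0 - 83.222.229.255
netname:        EU-PER1
descr:          Peer 1 Network Enterprises Limited
country:        GB
org:            ORG-PNEL1-RIPE
status:         ASSIGNED PA
source:         RIPE # Filtered

organisation:   ORG-PNEL1-RIPE
org-name:       Peer 1 Network Enterprises Limited
org-type:       LIR
abuse-c:        PE1
source:         RIPE # Filtered
"""


def parse_whois(text):
    """Split RIPE-style output into objects: a list of dicts mapping each
    attribute to the list of its values (descr, address and remarks repeat).
    Blank lines separate objects; lines starting with '%' are comments."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("%"):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def first(obj, key):
    return obj.get(key, [None])[0]


def inetnum_range(obj):
    """Turn 'a - b' from an inetnum object into two address objects."""
    lo, _, hi = first(obj, "inetnum").partition("-")
    return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())


def summarise(text, ip):
    """Who holds the range the IP sits in, where, and whom to report it to."""
    target = ipaddress.ip_address(ip)
    summary = {"ip": ip, "in_range": False, "netname": None, "country": None,
               "origin_as": None, "abuse_mailbox": None, "abuse_c": None}
    for obj in parse_whois(text):
        if "inetnum" in obj:
            lo, hi = inetnum_range(obj)
            summary["in_range"] = lo <= target <= hi
            summary["netname"] = first(obj, "netname")
            summary["country"] = first(obj, "country")
        if "route" in obj:
            summary["origin_as"] = first(obj, "origin")
        if "abuse-mailbox" in obj:
            summary["abuse_mailbox"] = first(obj, "abuse-mailbox")
        if "abuse-c" in obj:
            # A handle, not an address: it needs one more whois query.
            summary["abuse_c"] = first(obj, "abuse-c")
    return summary


if __name__ == "__main__":
    print(summarise(WHOIS_LINK_HOST, "78.9.71.198"))
    print(summarise(WHOIS_MAIL_SOURCE, "83.222.229.28"))
```

The `in_range` check is there because whois answers with the most specific object it holds, and confirming that the IP really sits inside the listed `inetnum` is a cheap guard against reading a neighbouring record by mistake.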

Taking the next step, to see where this link will take you, is very risky and should not be attempted unless you have absolute faith in your anti-virus software. Connecting to the IP address listed above, I got to a file listing of the spammer’s website:

[Image: idemail12]

Every file listed above carries a payload (a virus), and if it weren’t for my security software I would have been infected in no time.

[Image: idemail11]

Others are not so simple, as this example shows:

[Image: idemail13]

From this, the e-mail seems to be from somebody at Standard Bank (note the e-mail address at the top).

However, when we hover the mouse over the link (“sign on here”) we see a pop-up showing where the link will actually take us. In this case it is “cascio.be/images/smilies/_admin1.php”.

When we checked this site, it was down for ‘maintenance’, so the owners have obviously realised that their site has been compromised and are hopefully busy fixing it.
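The hover-over check on the “sign on here” link, and the earlier “View message” link that pointed at a bare IP address, are the same test: does the link go where the mail implies? The Python below is an added example, not part of the original post, that runs that test over the HTML of a message. The two HTML fragments are constructed to model the links described on this page (they are not the original mails’ markup), the list of domains a claimed sender legitimately uses is an assumption supplied by the caller, and the domain comparison is a simple suffix test standing in for a proper public-suffix-list check.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML fragments modelled on the links this page describes;
# neither is the markup of the original mails.
SAMPLE_TWITTER_MAIL = (
    '<p>You have a new message. '
    '<a href="http://78.9.71.198/earning.php">View message</a></p>'
)
SAMPLE_BANK_MAIL = (
    '<p>Dear customer, please '
    '<a href="http://cascio.be/images/smilies/_admin1.php">sign on here</a> '
    'to confirm your details. '
    '<a href="https://www.standardbank.co.za/">www.standardbank.co.za</a></p>'
)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements, i.e. what the
    reader sees versus where the mouse-over pop-up says the link goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(a, b):
    """True when one host equals or is a subdomain of the other. Assumption:
    a suffix test stands in for a public-suffix-list comparison."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def assess_link(text, href, claimed_domains):
    """Reasons a link deserves suspicion; an empty list means nothing found."""
    reasons = []
    url = urlsplit(href)
    host = url.hostname or ""
    if is_ip_host(host):
        reasons.append("target is a bare IP address")
    # Visible text that looks like a hostname but the href goes elsewhere.
    shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if shown and not same_site(shown.group(0), host):
        reasons.append("text shows %s but href goes to %s" % (shown.group(0), host))
    # The mail claims a sender, but the link leaves that sender's domains.
    if host and not any(same_site(host, d) for d in claimed_domains):
        reasons.append("href host %s is not on the claimed sender's domains" % host)
    if url.scheme == "http":
        reasons.append("plain http, no TLS")
    return reasons


def assess_mail(html, claimed_domains):
    """[(visible text, href, reasons)] for every link in the message."""
    return [(t, h, assess_link(t, h, claimed_domains)) for t, h in extract_links(html)]


if __name__ == "__main__":
    for text, href, reasons in assess_mail(SAMPLE_BANK_MAIL, ["standardbank.co.za"]):
        print(text, "->", href, reasons or "ok")
```

Run over the bank sample, only the “sign on here” link is flagged (host off the claimed domain and plain http); the footer link to the bank’s own site passes, which is the point: a mail can mix genuine and hostile links, so each one is judged separately.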