
Thread: Email Fraud

  1. #1
    Join Date
    Jan 2008
    Location
    Ontario, Canada
    Posts
    624

    Email Fraud

    Hi Guys,

    One of my Business Partners (Company) is having a problem and they asked for my help. They are getting spam emails but the thing is that they are getting these emails sent by their info email address.

    For Example:

    From: To:

    He thinks that they cloned his mail server (which he hosts).

    Is there any way that I can track where the emails are going to (server wise/IP Address)?

    If you can help me with this I will give you 200 credits.

    Thank You
    If you like my posts please REP me!!!

  2. #2
    Derek
    Join Date
    May 2005
    Location
    cossacks
    Posts
    6,354

    Re: Email Fraud

    It's a PHP script that lets you do that. I can do bill@microsoft.com if I wanted to but then it wouldn't be right.. They can mask the email but the mail server won't be the same so they can tell if it's fraud unless they aren't that smart.

  3. #3
    Join Date
    Jan 2008
    Location
    Ontario, Canada
    Posts
    624

    Re: Email Fraud

    Is there any way that I can do this,

    I have access to the mail server.

    Is that fraudulent?

    Can someone be sued for doing that? (he wants to sue)

  4. #4
    Derek
    Join Date
    May 2005
    Location
    cossacks
    Posts
    6,354

    Re: Email Fraud

    You have to code a PHP script.. I won't reveal it because it's against the TOS. You can try to track the fraud emails down and report them to the host that they are sending them from.

  5. #5
    Starshine
    Join Date
    Jul 2006
    Location
    U.S.A.
    Posts
    7,211

    Re: Email Fraud

    Originally posted by Loneua Technologies:
        Is there any way that I can do this,

        I have access to the mail server.

        Is that fraudulent?

        Can someone be sued for doing that? (he wants to sue)

    Anyone can sue anyone else for anything.
    If you can find out the IP address where the fake e-mails are being created from ... contact the ISP / Provider first with the proof to show what is happening and ask for their help.
    If they fail to help, contact a lawyer with the IP / e-mail information, the responses from the IP / e-mail provider.

    So, yes. It's possible to sue. You just need to have all the information in hand before proceeding to make sure everything is covered.

  6. #6
    Join Date
    Jan 2008
    Location
    Ontario, Canada
    Posts
    624

    Re: Email Fraud

    Is there a program or command I can use?

  7. #7
    Starshine
    Join Date
    Jul 2006
    Location
    U.S.A.
    Posts
    7,211

    Re: Email Fraud

    Originally posted by Loneua Technologies:
        Is there a program or command I can use?

    Not that I am aware of. You would have to open each e-mail and read the Full Header, check the IP addresses and compare to your friend's e-mail IP address.

  8. #8
    Join Date
    Jan 2008
    Location
    Ontario, Canada
    Posts
    624

    Re: Email Fraud

    Okay Starshine,

    I will ask him to do that,

    Thanks

  9. #9
    tgkprog
    Join Date
    Oct 2007
    Location
    Bangalore India
    Posts
    225

    Re: Email Fraud

    Sending a mail to look like it is from someone else can be done even from Outlook Express or any other email sender. It can be done more convincingly if you have access to the server, but like mentioned above, if you view all the headers you will see the real sending mail server and then can report at least that.
    http://sel2in.com/ Java - Mobile, Website applications PHP, My SQL, VB6 & VBA http://www.thehungersite.com

  10. #10
    tittat
    Join Date
    Sep 2007
    Location
    Kerala,India
    Posts
    2,479

    Re: Email Fraud

    First, there's the challenge of even getting to the real email headers. In Hotmail they're apparently always visible. In Outlook, they're hidden by default, so with the message open, click on View, and then Options, and you'll see a box labeled Internet Headers. In Thunderbird, you can expand or collapse the headers by clicking on a simple control next to the subject line.

    In any case, headers typically look something like this:

    Return-Path: <lnotenboom@hotmail.com>
    Delivered-To: 1-leo-clean_nospam@pugetsoundsoftware.com
    Received: (qmail 13384 invoked by uid 110); 13 May 2005 21:33:53 -0000
    Delivered-To: 1-leo_nospam@pugetsoundsoftware.com
    Received: (qmail 13380 invoked from network); 13 May 2005 21:33:53 -0000
    Received: from bay107-f18.bay107.hotmail.com (HELO hotmail.com) (64.4.51.2
    by pugetsoundsoftware.com with SMTP; 13 May 2005 21:33:53 -0000
    Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Fri, 13 May 2005 14:33:53 -0700
    Message-ID: <BAY107-F18247D6C6473F92CC602D8D2120@phx.gbl>
    Received: from 64.4.51.220 by by107fd.bay107.hotmail.msn.com with HTTP;
    Fri, 13 May 2005 21:33:52 GMT
    X-Originating-IP: [64.4.51.220]
    X-Originating-Email: [lnotenboom@hotmail.com]
    X-Sender: lnotenboom@hotmail.com
    From: "Leo Notenboom" <lnotenboom@hotmail.com>
    To: leo_nospam@pugetsoundsoftware.com
    Bcc:
    Subject: Example Email
    Date: Fri, 13 May 2005 14:33:52 -0700
    Mime-Version: 1.0
    Content-Type: text/plain; format=flowed
    X-OriginalArrivalTime: 13 May 2005 21:33:53.0097 (UTC) FILETIME=[75980390:01C55803]

    Now yours may look a lot different. It may be longer or shorter, or have additional information, or less. But the basic idea is that there's a lot of information in the headers that has to do with the administration of getting the email from the sender to the receiver.

    A detailed reference is more than I can present here, and quite honestly, probably more than you need. But let's examine the headers above a little more closely, since it's a good example of a "normal" email message. They are from a message I sent to my regular email account from my Hotmail account.

    A good rule of thumb is to begin at the bottom and work your way up in the headers. That'll make more sense in just a minute. Working from the bottom:

    X-OriginalArrivalTime: is the time the message was submitted to Hotmail ... in other words, the time I pressed "Send". Headers that begin with "X-" are "non standard", and may not be used by all mailers. They're often just informational. Note also the date and time: 13 May 2005 21:33:53.0097 (UTC). The "(UTC)" means that the time is recorded as "Universal Time Coordinated", sometimes thought of as Greenwich Mean Time or GMT. Since I'm in the Pacific time zone, and daylight savings time is in effect, that means I sent it at roughly 2:33 PM PDT.
    Content-Type: is how the mailers tell each other what the format of the mail is: plain text, as this example is, or HTML, or something else.
    Mime-Version: "Mime" stands for Multipurpose Internet Mail Extensions, and is the formatting protocol most often used to encode attachments and alternate representations in a single email.
    Date: This is the more common place you'll find the date and time that the message was sent. This is added by the sending mailer, and is commonly used by your email client as the "Sent Date". Note that the time zone is specified as local time (2:33 PM) and an offset (-7 hours) from UTC. PDT is 7 hours behind UTC as I write this. Subtract the offset (and remember that subtracting a negative offset means to add it), and you'll get the equivalent 21:33 UTC.
    Subject: As you'd expect, the subject of the email as you typed it.
    Bcc: To be honest, I'm not sure why Hotmail includes this here, as they strip out any BCC'd recipients. BCC is supposed to be stripped from email completely before it is sent.
    To: Again, as you'd expect, the list of recipient email addresses that this message is addressed to. What most people don't realize is that the To: line doesn't actually define who the email actually goes to, but rather simply lists who the mailer claims it's to go to. A virus, for example, can easily create a mail message that has bogus addresses in the To: line, and then send the mail to someone else entirely. That's known as "spoofing".
    From: Just like To:, the "From:" address shows you from whom the mail was supposedly sent. And also like "To:", it's very easy for the spammers and virus writers to spoof the From: address to be pretty much anything they want.
    X-Sender: is another representation of the address the email originated from, but like all "X-" headers, is optional and not universally used or recognized. "X-Sender", and the similar "Sender:" are supposed to indicate the sender of the email, which might be an intermediary. For example, if you send mail to a mailing list, the mail might be "From:" you, but the mailing list software might be the "Sender:" to everyone else who receives it.
    X-Originating-Email: another representation of the sender of the email. Some mailers add this as a precaution against those who spoof the "From:" line.
    X-Originating-IP: The IP address of the computer on which the email originated. Once again, an optional and informational "X-" header. In this case, the IP address is one of Hotmail's servers.
    Received: Herein lies the gold. I'll get into more detail on that below.
    Delivered-To: is added by the receiving mail server when it finally delivers the email to a specific email alias or mailbox. In my case, I have my mailer configured to deliver my mail to two separate mailboxes: one with, and one without, spam filtering.
    Return-Path: is the address that the email, if it fails to be delivered, should be bounced back to.

    The series of "Received" headers are the trail that tells us from where the message was sent, and along what path or series of servers it traveled across the internet. And this is why we started at the bottom, as each mail server adds a received header to the top.

    In the first one we can see that a Hotmail server "by107fd.bay107.hotmail.msn.com" got the message from the server at "64.4.51.220". In this case it lists an IP address only, since there is apparently no name associated with the server at that address. Since this is Hotmail, and I'm certain that Hotmail has many, many servers, it's not surprising that they might not give all of them a name on the internet.

    Further up the header we can see that it left "bay107-f18.bay107.hotmail.com" and was then received by "pugetsoundsoftware.com", my mail server. Note that this line also includes a couple of interesting bits of information:

    (HELO hotmail.com) - this is part of the SMTP mail protocol where the server identifies itself while connecting. Basically, it's saying "Hello, I'm Hotmail.com" when it initiates the transfer of mail to the next server to receive it. The receiving server logs this information as part of the "Received" header it adds.
    (64.4.51.2 - this is the IP address of the server making the connection.

    As part of spam prevention and server authentication, a mail server may elect to ensure that all three of these pieces of information match: the IP address reported matches the server name reported, which in turn should match the end of the HELO string. In practice, the internet is a little too fast and loose for that to be a reliable gauge of authenticity ... too many legitimate servers are not configured to report the right information for that check to always be valid.

    Another interesting use of the Received headers is to determine where a delay may have occurred in transferring the mail. Since each is time-stamped, it's quickly apparent where a message may have been held up.
    Former X10 Forum Senior Moderator(Retired)
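
Added example, not part of any post in this thread: the bottom-up reading of the "Received" headers and the compare-the-IP check suggested above, done in Python over a constructed message. The host names, the addresses (documentation ranges only) and the `our_ips` value are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample using documentation-only names and addresses.
RAW = """\
Return-Path: <info@example.com>
Received: from mail.example.net (HELO example.com) (203.0.113.45)
  by mx.example.com with SMTP; Fri, 13 May 2005 21:40:10 +0000
Received: from [198.51.100.7] by mail.example.net with HTTP;
  Fri, 13 May 2005 14:33:52 -0700
From: "Info" <info@example.com>
To: info@example.com
Subject: Constructed sample

body
"""

def hops(raw):
    """Parse Received headers into hops, oldest first (bottom of the block up)."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = " ".join(value.split()).rpartition(";")  # unfold, split off date
        def grab(pattern):
            m = re.search(pattern, info)
            return m.group(1) if m else None
        out.append({
            "from": grab(r"\bfrom\s+(\S+)"),
            "helo": grab(r"\(HELO\s+([^)\s]+)\)"),
            "ip": grab(r"(\d{1,3}(?:\.\d{1,3}){3})"),
            "by": grab(r"\bby\s+(\S+)"),
            "time": parsedate_to_datetime(stamp.strip()),
        })
    return out

def handoff(raw, our_mx, our_ips):
    """Return (connecting IP, is it one of ours) for the hop our server logged."""
    # Newest first: the top-most header naming our server is the one it wrote
    # itself; anything below it was supplied by the sender and can be forged.
    for hop in reversed(hops(raw)):
        if hop["by"] == our_mx:
            return hop["ip"], hop["ip"] in our_ips
    return None, False

def delays(raw):
    """Seconds spent between consecutive hops, keyed by the receiving server."""
    h = hops(raw)
    return [(b["by"], (b["time"] - a["time"]).total_seconds()) for a, b in zip(h, h[1:])]

if __name__ == "__main__":
    print(handoff(RAW, "mx.example.com", {"192.0.2.10"}))  # our_ips is an assumed value
    print(delays(RAW))
```

A connecting IP that is not one of the company's own sending addresses is the value to include when reporting the message to the network that owns it.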

