Your own email address in the "from" field of spam

From Spamwiki

Jump to: navigation, search

Contents

[edit] Introduction

One of the most common questions people would post on forums was something along the lines of, "Why is my computer sending spam, and what's going to happen to me now??!" Actually, there is a good chance their computers were sending spam. But that isn't usually what the posters were talking about. Usually they were referring to receiving spam with their own email address in the "from" field. The typical spam might look something like this:

To: charliez@example.com
From: Sharon Smallwood <charliez@example.com>
Subject: Vi@gra/C1@lis!

Now the first time poor Charlie Z. gets an email like this, he assumes it means his computer must have mailed it. He's expecting an angry call from his internet provider telling him he's being thrown off their network for spamming.

In reality, those emails don't fool anyone who is in a position to throw someone off a network. (Though it's frankly pretty pathetic how many times they fool people who ought to know better.)

[edit] Understanding email headers

Let's look at that spam more closely. You want to look at the message source, which is the actual text in the email before your email client prettied it up by removing all the computer-geek, changing the image files to viewable pictures, etc. (These are fake email headers just used for an example.):

Received: from mxp2.isis.unc.edu ([192.168.175.40]) by vms169456.mail.example.com
 (Sun Java System Messaging Server 6.2-6.01 (built Apr  3 2006))
 with ESMTP id <0KCO007L7LPUUSV1@vms169456.mail.example.com> for
 charliez@example.com; Tue, 30 Dec 2008 05:57:08 -0600 (CST)
Date: Tue, 30 Dec 2008 05:02:28 -0700
From: Sharon Smallwood <charliez@example.com>
Subject: Vi@gra/C1@lis!
X-Originating-IP: [192.168.175.40]
To: <cathysmith@example.com>,        <ccbanks@example.com>,
 <charliez@example.com>,        <carfan344@example.com>,
 <ccmom@example.com>,        <clickerdad@example.com>,        <caa01@example.com>
Message-id: <0KCO009009UJ5USW1@mail.example.com>
MIME-version: 1.0
Content-type: multipart/alternative;
 boundary="----=_Part_123403_6527409.1230601078311"

------=_Part_123403_6527409.1230601078311
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

[the spam message follows here]

What can we learn from this gobbledygook?

The first thing to look for is "IP numbers." Those are numbers divided into four sections with decimal points, each section being a number between 1 and 255. Those are the real addresses of the computers on the internet. Things like "example.com" are just for humans' benefit and have to be translated for computers to understand.

In this case, the number is "192.168.175.40." Charlie needs to know if that is his address or not.

Since whenever you visit a website, they get your IP address (after all, your computer is asking to see their files, and their computer needs to know where to send them), there are lots of places on the internet that will tell you what address you are logged into when you visit them. Charlie can go to AjaxDNS, for example, and at the top of the page, in a big box, is an IP number. That will be his address (as long he hasn't done anything to route his visit to the site through another computer, which Charlie likely has no idea how to do anyway). Not surprisingly, the number Charlie sees there isn't in the spam headers anywhere. His email address was "spoofed."

However, if the spam was sent yesterday, and Charlie has logged into the internet in a separate session since then, he could have a different IP address than at the time the spam was sent. So he may also want to check to see where the spam came from. In this case, there is only one IP address in the headers. Sometimes there are more.

When there are a series of IP addresses, Charlie would start with the first one from the top. If that belongs to his network, it could be just a record of email being passed from one computer to another within his internet company -- nothing interesting to Charlie. So he would go to the next IP address until he either finds one that belongs to another internet company (therefore the email couldn't have come from Charlie or anyone else using that company) or until he gets to the last IP number.

[edit] Looking up IP address whois information

How can Charlie find out what those numbers mean? Fortunately everything is organized. Start off asking the American Registry for Internet Numbers (ARIN). ARIN is the registry for any IP addresses in the US and Canada. But they also keep track of which registries all the other numbers belong to, so if it isn't one of their numbers, they can point you in the right direction.

Here are links to some of the major registries. When you go to one of these sites, you're looking for a form on the page called "whois," and you're going to paste the IP number in it, with no extra spaces:

As Charlie goes down each line of the email headers looking up the numbers, as soon as he gets one that doesn't belong to his internet provider, that's where the spam came from. Spammers often add a few other fake numbers to the headers to confuse people. But the line with the IP address of the "origin of the spam" gets added on after it is sent, on a line above any of the fake information the spammers create. The whois lookup will also give an address for the company that owns that range of IP numbers, should Charlie want to complain about the spam.

Or he could go to spamcop.net and paste the entire spam with headers into the input box. Spamcop will sort through the headers and create a report, removing Charlie's email address from the headers. It's a faster way of doing the lookup, though Charlie can't assume the spammers won't know who he is from some code in the body text of the email. To report to spamcop, he will need to register and will need to submit all his own email addresses, so spamcop knows which ones to ignore and so he doesn't inadvertently report himself.

[edit] How to see the message source for an email

This depends on which program you use to read your email. Every email program has its own method. Check the instructions at spamcop to find the method for your email program.

You'll note that it is impossible to see the message source with some email clients. Microsoft Outlook only allows you to see the headers -- it's impossible to see the source code of the message itself without a registry hack. That's really unacceptable. That means there is no way to spot some of the tricks spammers use to mislead you about what kind of link you're clicking on, for instance. We strongly recommend you use an email program that permits you to see the message source, and which makes it easy for you to do so, as you may wish to flip back and forth between the raw view and the standard email view to figure out what you're looking at.

[edit] Filtering for spams that use your own email address as the "from"

If your spam filtering program allows you to use header information in filters, you're golden. There are several methods to use.

First, think of the header you looked at above. Although the "from" includes Charlie's email address, it had someone else's name. Spammers usually don't bother making them match. If Charlie's name and email address were much different, that could be a way of filtering. So, it's not much good filtering for his first name, since it's in the email address, but if his last name is "Zeller," then he could set his email client to always send out email with the "from"

Charlie Zeller <charliez@example.com> 

and create a filter

IF the "from" address is charliez@example.com
AND 
IF the "from" address doesn't contain the character string "zeller"
THEN it is spam

That only works for this one address that doesn't have his last name, and only if Charlie always has his name in the "from." Also, he will frequently run into situations where some autoreply will have his email in the "from" -- they aren't supposed to, but they could be senders he considers legitimate. So he would have to whitelist all those senders.

Another way is to use the fact that no matter what it says in the "from," it isn't going to include the IP of any computer used by the person with that email address. So if Charlie works somewhere that has its own permanent IP address, he can use that information to filter spam:

IF the email says it is from my email address
AND
IF the complete headers do NOT contain my IP address
THEN it is spam.

But since most people might be sending email from multiple addresses, they want a way to filter when they can't always predict which IP address they will be logged into. And if their email addresses contain their entire name -- like "charlie.zeller@example.com" -- filtering for the name isn't going to work, either.

Another solution is setting up the email program they use to send their mail to add information that a spammer won't guess. Spammers are sending mail to millions of addresses at one time and aren't paying attention to any one address. That's why they couldn't manage to guess Charlie's real name when they put Sharon's name in the "from" with his address. So if you can include information that is even a little bit different from what one can guess looking at the email address, you can make a very effective filter.

A useful way to do this is to use an "Organization" line. The information in this field usually won't even display in an email client, but it will be there in the headers for a spam filter to see. In your email client, edit your email account to add something in the organization line. It could be your real job's name (with something included that isn't obvious from the email address). For instance, if Charlie works at the Example Corporation, his organization line could say:

Organization: Example Corporation 

rather than something obvious like

Organization: Example.com

If this is Charlie's personal email address and he has no organization, he can use anything he can remember well enough to add to any future email accounts he sets up -- maybe the phone number of his favorite pizza parlor, maybe the name of his town, whatever. He just has to be sure that whatever he picks, it is always letter-for-letter the same, so his filter can look for that. Again, he will need to whitelist senders who think it's a good idea to put his address in the "from" of autoreplies.

So now our filter looks like this:

IF my email address is in the "from"
AND my "organization" is not letter-for-letter present anywhere in the complete headers
THEN it is spam

You can even create a filter that combines both, to look for all the people mailing from your job, if you don't expect them to mail you while they are away from the office:

IF my email address domain name (the part after the "@") is in the "from"
AND the complete headers contain NEITHER my IP address or my organization
THEN it is spam

One spam filtering program that gives you the option to use these types of questions is MailwasherPro. Mailwasher uses Regular Expressions to encode the logic. So for Charlie, his filter might look like this after he uses the user interface to make his choices. We're assuming Charlie has two email addresses, charliez@example.com and czeller@example.com and that 7075551212 is the phone number his wife had before they got married:

[enabled],"zfake from me","zfake from me",255,AND,TakesPrecedence,
From,containsRE,charliez@example\.com|czeller@example\.com,EntireHeader,
doesn'tContainRE,Example Corporation|7075551212

where

  • [enabled] means Charlie set the filter to "on"
  • Charlie chose a filter name with a "z" in front so it would be easier to delete spam by sorting the names of the filters alphabetically; all the spam will be together to be selected and deleted in two clicks
  • 255 is just added by MWP to indicate which color Charlie chose for the filter
  • AND means both conditions must be satisfied to trigger the filter
  • TakesPrecedence means the fact that the email address in the "from" field is on the friends list doesn't prevent it from being marked as spam if it triggers this filter
  • the first condition that must be met is "From,containsRE,charliez@example\.com|czeller@example\.com"
  • the other condition that must be met is "EntireHeader,doesn'tContainRE,Example Corporation|7075551212"
  • RE means the condition is a Regular Expression and so "." could stand for any character but "\." must be a decimal point, and that "|" means "OR"

Charlie doesn't actually see this filter in its raw form like this, but it shows all the choices he made when he used the tool to set up his filter.

[edit] But wait, what did you say at first? That my computer might really be sending spam?

Unfortunately, most spam is sent from hijacked computers. So there is a very good chance your computer could be one of them, especially if this is the first you are hearing about this problem. But that doesn't mean your email address will be in the "from" field of those spams. The spam sent from your computer will have some other fake address, not yours. Spammers aren't trying to make it easy for you to find out you've been hijacked.

Your best defense is to educate yourself about "Avoiding hijacking" in the wiki article here and by participating in discussions at the InboxRevenge.com forums.

Personal tools