[DEMUG] email usurped
Dick Atlee
atlee at umd.edu
Fri Nov 16 11:30:22 EST 2007
Mary Folsom said:
> I received an email which claimed to be from my business email alias,
> info at circadiadesigns.com (which forwards to my real email account at
> hughesnet). The email was a spam ad for drugs. I've pasted the headers
> below, in hopes someone can give me a lead. I've sent the email, with
> expanded headers, to both abuse at hughes.net and iPowerweb support.
> Thanks for any help from those of you fluent in header-ise.
Well, I used to do a lot of header analysis as a university help desk
person. Normally, it isn't particularly unusual for a message that you
didn't send to nevertheless appear to be "from" you. Anyone infected
with a virus of a particular sort (the kind that gathers email addresses
from all over the infected machine and plugs them randomly into the TO
and FROM lines of mass mail that it sends out) who has your address(es)
somewhere on their machine can unwittingly be the source of such mail.
I get a lot of "Delivery failures" of mail that supposedly came from my
machine and went to bad addresses. My machine isn't infected, but
someone who has my address on their machine IS infected.
However, I admit that the header structure on the bogus mail you
forwarded is a bit odd in my experience. For what it's worth, in case
you or anyone else is interested, here is a beginning analysis.
For comparison, I've laid out below the headers, with all the "noise"
removed and lined up for ease in following the path. (The "noise" may
be useful for technical tracking, but isn't for at least seeing where
the messages went.)
The first one is the part of the header from your mail to DEMUG that
covers the transmission from your machine to the first of the list's
servers. The second is from the problem email, covering the entire
transmission path.
The Received lines are the complete record of the chain of servers
through which the message is passed, reading UP, with the first one at
the bottom being the server that first received it from your machine.
Each "Received" line mentions the receiving server (received "BY"), the
previous server that passed it on ("FROM"), and sometimes the ultimate
destination ("FOR").
THE "REAL" MAIL (you to the list) -- the "192.168..." address is you on
your local area network. TUCOWS.COM appears to be the SMTP (outgoing)
server for your mail, and LIGHTNING.SVAHA.COM is the first of Matt's
servers to receive the message (the message then gets passed around a
bit in svaha.com)
Received: from smtpout1071.sc0.he.tucows.com ([64.97.144.71])
by lightning.svaha.com with esmtp
(envelope-from <folsom at hughes.net>)
for demug at lists.demug.org;
Received: from [192.168.1.45] (69.35.187.42)
by n016.sc0.he.tucows.com (7.2.078)
(authenticated as folsom at hughes.net)
for demug at lists.demug.org
THE FAKE MAIL -- I'm not sure about the various GMAIL lines, which don't
follow the usual format. But here's what seems to be happening, if you
follow the chain of "Received's" up from the bottom.
1. It starts from a subscriber to HOMECHOICE, a British
TV/broadband/phone company. Since Homechoice offers Webmail, it's hard
to tell whether the starting machine belongs to the subscriber (who
would be operating with his/her own IP address instead of being on a
local network, since the address does not start with 192.168) or is a
server providing Webmail service to the customers.
2. It then goes to YOURHOSTINGACCOUNT.COM (which may not offer web
service, since I can't get a response via a browser), first through its
incoming server, which passes the message on to a mail-scanning server,
and from there out through an outgoing server.
3. From where it goes through POWERWEB.COM (apparently an ISP in Wisconsin)
4. Then through TUCOWS.COM, which appears (from the header, above, of
your message to DEMUG) to provide your mail service
5. And on to CP.NET, who "offers consumer messaging solutions for mobile
operators and broadband service providers" (perhaps this step represents
the forward you mentioned).
Since at no point in this process are you or a server related to you
mentioned until the very end, it's clear that this is not a compromise
of your email, and whether it is a virus or a conscious "usurpation" I
think would be hard to tell unless HOMECHOICE keeps careful records of
all email handled by their service(s).
Received: from n003.sc0.he.tucows.com (64.97.160.107)
by n164.sc0.cp.net (7.2.066)
for folsom at hughes.net
Received: from host259.ipowerweb.com (66.235.211.71)
by n003.sc0.he.tucows.com (7.2.078)
for folsom at hughes.net
Received: (qmail 91986 invoked by uid 10026)0
Received: from 127.0.0.1
by host259.ipowerweb.com (envelope-from
<srs0=iurbgm=qj=circeinstitute.com=info at yourhostingaccount.com>)
Received: (qmail 91731 invoked from network)
Received: from unknown (HELO mailout08.yourhostingaccount.com)
(65.254.253.233)
by host259.ipowerweb.com with SMTP;
Received: from mailscan13.yourhostingaccount.com ([10.1.15.13]
by mailout08.yourhostingaccount.com with esmtp (Exim)
for info at circadiadesigns.com
Received: from impinc04.yourhostingaccount.com ([10.1.13.104]
by mailscan13.yourhostingaccount.com with esmtp (Exim)
for info at circadiadesigns.com
Received: from ip-81-1-110-54.cust.homechoice.net ([81.1.110.54])
by impinc04.yourhostingaccount.com with NO UCE
Received: (qmail 26164 by uid 843); Fri, 16 Nov 2007 02:51:23 GMT
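The bottom-up reading of the Received chain described in the post, as an added worked example (not code from the post or from DEMUG): it parses the spam's Received lines, laid out here as a constructed sample with "@" restored in the addresses, into delivery order and reports how many relay hops pass before the mailbox owner's own provider (tucows.com) first accepts the message. The domain-suffix check is an assumption of this example, not something the post ran.

```python
import re

# Constructed sample: the Received: lines of the spam as laid out in the post,
# newest hop first (header order), with the "noise" already stripped.
RECEIVED = [
    "from n003.sc0.he.tucows.com (64.97.160.107) by n164.sc0.cp.net (7.2.066) for folsom@hughes.net",
    "from host259.ipowerweb.com (66.235.211.71) by n003.sc0.he.tucows.com (7.2.078) for folsom@hughes.net",
    "(qmail 91986 invoked by uid 10026)",
    "from 127.0.0.1 by host259.ipowerweb.com (envelope-from <srs0=iurbgm=qj=circeinstitute.com=info@yourhostingaccount.com>)",
    "(qmail 91731 invoked from network)",
    "from unknown (HELO mailout08.yourhostingaccount.com) (65.254.253.233) by host259.ipowerweb.com with SMTP",
    "from mailscan13.yourhostingaccount.com ([10.1.15.13]) by mailout08.yourhostingaccount.com with esmtp (Exim) for info@circadiadesigns.com",
    "from impinc04.yourhostingaccount.com ([10.1.13.104]) by mailscan13.yourhostingaccount.com with esmtp (Exim) for info@circadiadesigns.com",
    "from ip-81-1-110-54.cust.homechoice.net ([81.1.110.54]) by impinc04.yourhostingaccount.com with NO UCE",
    "(qmail 26164 by uid 843)",
]

HOP_RE = re.compile(
    r"^from\s+(?P<from>\S+)"                    # host the receiver saw (HELO name or rDNS)
    r".*?\bby\s+(?P<by>\S+)"                    # server that accepted the message
    r"(?:.*?\bfor\s+<?(?P<for>[^\s>;]+)>?)?",   # recipient, when the server recorded one
    re.DOTALL)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_hop(line):
    """One Received: line -> dict, or None for a local handoff (qmail
    'invoked by uid') that names no sending host and so is not a relay hop."""
    s = line.strip()
    m = HOP_RE.match(s)
    if not m:
        return None
    ip = IP_RE.search(s[:m.start("by")])  # first IP literal before "by"
    return {"from": m.group("from"), "ip": ip.group(0) if ip else None,
            "by": m.group("by"), "for": m.group("for")}

def parse_chain(received):
    """Received: headers are prepended, so reading them bottom-up gives the
    delivery order; element 0 is the first server to accept the message."""
    return [h for h in (parse_hop(l) for l in reversed(received)) if h]

def hops_before(received, domain_suffix):
    """Index of the first hop accepted by a server under domain_suffix, or None.
    For mail the mailbox owner really sent, their provider's outbound server
    sits at or near index 0 (compare the "real" mail above); a large index
    means the message only reached that provider late, from elsewhere, so the
    From: address was borrowed rather than the account used."""
    for i, hop in enumerate(parse_chain(received)):
        if hop["by"].endswith(domain_suffix):
            return i
    return None
```

Run on the sample, the first hop is the HOMECHOICE customer address and tucows.com does not accept the message until hop 5, matching the post's conclusion that nothing related to the mailbox owner appears until the very end.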