The eMinistry Letter : November 2007
Unsolicited junk mail is a huge problem that I deal with every day. No doubt you have to deal with spam every time you check your email too. Most email apps come with spam filters to keep spam out of our mailboxes, but these filters are far from perfect, and legitimate email is frequently caught in them. Because my business runs on email, that makes it necessary for me to scan through all the spam to find the email I need to see.
Recently, I received an email from a person that I’m going to call Randall that accused me of allowing one of my mail servers to relay spam. I knew that my mail servers were closely monitored and did not believe that they could be used to relay spam, so I asked Randall to send me one of these spam emails so I could examine the header.
A thorough examination of the header made it clear exactly what was going on and I was able to stop the flow of spam.
This article is not meant to be exhaustive, but if you’ve ever wished you could understand how to read email headers, this article will help you. For those of you who want to know how to slow down the flow of spam to your mailbox, this article will help you. You cannot stop all the spam, but you can stop a lot of it, and I’m going to detail my experience of analyzing this email that Randall sent to me.
Randall claimed that my email server was not secure and was being used by a spammer to send out massive amounts of spam email. Spam mailings using an innocent victim’s email address as the From and Reply To are quite common. Any undeliverable spam will bounce back to the victim, even though he had nothing to do with sending the spam. It has happened to me many times, and I doubt that my situation is unique.
Any time you are flooded with email from Mailer-Daemon or Mail Administrator with a subject line of “Delivery Status Notification (Failure)” or something similar, you have been victimized by a spammer. Unfortunately for you, those being spammed do not know you are just as much a victim as they are. So you will likely receive angry responses from the recipients of the spam.
If your email address is hijacked by a spammer, you should examine the emails until you find one that includes the original email message with complete header information. I am going to show you how to analyze the header information to determine where it actually originated and how to report it.
But before I do that, I want you to know that you can fight spam without knowing all the details I’m going to give you in this article. If you sign up for a free account with SpamCop.net, all you need to know is how to access the full email with complete header information of the suspected spam email. You can then submit the email to SpamCop.net to report the spam abuse.
How email works
Now, let’s start with a brief explanation about how email works. It may help to use a postal mail analogy to get a clear understanding of email. When you send a postal letter from your home, it is taken to the local post office. From your local post office, your letter is taken to the recipient’s local post office. (The exception to this would be if both sender and recipient share the same local post office.) Along the way to the recipient’s local post office, it may stop at one or more other post offices, depending on the distance the letter must travel and the route it takes. From the recipient’s local post office, your letter will be taken to the recipient’s home. Note that each post office along the way has a unique postal address.
Similarly, when you send an email, four computers (post offices) are usually involved in the transmission. From your local computer, the first computer to receive your email is the email server of your internet service provider (ISP). From your email server, the email is routed to the recipient’s email server. When the recipient retrieves his email, it is received by his computer from his email server. Note that each computer along the way to the recipient has a unique address called an IP address, or internet protocol address. (And just as a postal mail recipient may share the same post office with a sender, so an email sender and recipient may share the same ISP and email server. In this case, only three computers may be involved in the routing.)
Email headers
Every email message contains a header that identifies the route that it took from your computer to the recipient’s computer. Unfortunately for us, the language that is used in the header is somewhat confusing, and each email server seems to write it in a different order. And to make matters worse, a spammer that knows what he is doing can add forged lines into the header to throw you off of his trail.
I wish there was a formula that worked every time for reading email headers, but the truth is that it is more of an art than a science. There are rules to follow that will help, and that is what I’m going to give you. I’m going to show you how to read the header by using the actual example sent to me by Randall.
You are probably familiar with some parts of the header already. The From, To, Date, and Subject lines are all parts of the header. Most email apps (Outlook, Thunderbird, Eudora, etc.) hide the rest of the header by default, but it is easy to display. SpamCop.net has a page that will show you how for most of the popular email apps.
Headers are written from the bottom up. This means that the first lines written in the header are at the bottom of the header, and the top lines are written by the recipient’s email server.
My email from Randall
I am going to give you the lines of my email header a few lines at a time in the order they were originally written. (I have disguised the names of servers and email addresses to protect identities. Everything else is the actual information in the original header.)
X-Account-Key: account3
X-Mozilla-Keys:
The top two lines are X-headers. These are descriptive headers that certain email apps insert. I rarely find them to be useful. These two lines were written by the recipient’s email app, which appears to be Mozilla Thunderbird.
Return-Path: jranacondam@dc.rr.com
This line is written by the recipient’s email server. The Return-Path header is the email address that a reply would be delivered to. By default it is the same email address as the sender, but is often set to a fake address by spammers.
Spammers will not use their actual email address in the Return-Path header. The address will either be fictitious or a real address that does not belong to them.
Delivered-To: mail@cltaz.org
This line is written by the recipient’s email server. It is the address that the email is delivered to.
Received: (qmail 72998 invoked from network); 24 Oct 2007 21:12:08 -0000
Received: from mail9.vawebworks.com ([216.198.182.931])
(envelope-sender )
by mail.mainstream.com (qmail-ldap-1.03) with SMTP
for <mail@cltaz.org>; 24 Oct 2007 21:12:08 -0000
These lines are written by the recipient’s email server. The first line indicates the date and time the email was received.
The second line indicates that the recipient’s email server received the email from an email server that identifies itself as mail9.vawebworks.com. The IP address of the email server that the recipient received it from is 216.198.182.931. The name of the recipient’s email server is mail.mainstream.com. Because this information is written by the recipient’s email server, it is authentic and cannot be forged by the spammer.
The following lines were written by the sending email server. Again, the spammer cannot forge these lines. They are automatically written by the email server.
X-SMSpamC: skipped (authenticated sender)
Return-Path:
Received: from MAIL2 [10.10.12.2] by mail9.vawebworks.com with SMTP; Wed, 24 Oct 2007 16:10:00 -0500
The first line is an X-header written by the SmarterMail software on the sending email server. It indicates that SmarterMail did not call SpamAssassin (a spam filter package on the sending server) to process the email at this step. We find out further down in the header that SpamAssassin had already processed the email.
The second line (above) indicates the return path email address. The third line indicates that the mail server mail9.vawebworks.com received this email from a machine that identifies itself simply as MAIL2 (a Received line always reads “from <sender> by <receiver>”). The simple name MAIL2 tells us that it is the internal name used to identify a specific computer at VAWebWorks. The internal IP address 10.10.12.2 confirms this. Private network IPs often start with the number 10. No public IP address ever starts with the number 10.
This means that at least two computers at the sending email server handled this email before sending it on to the recipient’s email server. We find out from the following lines that the first computer at the sending end processed the email with SpamAssassin. (You can learn more about SpamAssassin at Wikipedia.)
X-SMSpamC: processed
Return-Path: < jranacondam@dc.rr.com>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.2 (2007-07-23) on spam4.vawebworks.com
from 10.10.12.2 at Wed, 24 Oct 2007 16:09:54 -0500
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.9 required=7.0 tests=BODY_ENHANCEMENT,
DATE_IN_FUTURE_24_48,DK_POLICY_SIGNSOME,FRT_BIGGERMEM1,HELO_DYNAMIC_IPADDR,
HTML_MESSAGE,INVALID_DATE_TZ_ABSURD,SARE_ADLTSUB2,SARE_ADULT2,SARE_SUB_PENIS,
SARE_WEOFFER,SPF_SOFTFAIL autolearn=disabled version=3.2.2
X-Spam-Report:
* 0.0 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
* 1)
* 0.2 INVALID_DATE_TZ_ABSURD Invalid Date: header (timezone does not
* exist)
* 1.2 SARE_ADLTSUB2 Contains possible adult words
* 1.7 SARE_SUB_PENIS subject has likely spammer phrase or word
* 0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
* 0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
* 2.8 DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after Received: date
* 0.3 SARE_WEOFFER BODY: Offers Something
* 0.0 FRT_BIGGERMEM1 BODY: ReplaceTags: Bigger / Larger, Penis / Member
* 1.6 BODY_ENHANCEMENT BODY: Information on growing body parts
* 1.4 SARE_ADULT2 BODY: Contains adult material
* 0.0 HTML_MESSAGE BODY: HTML included in message
This is a lot of stuff. But essentially, it shows the email, arriving from VAWebWorks' own internal machine at 10.10.12.2, being checked for spam by the SpamAssassin utility (on spam4.vawebworks.com). VAWebWorks recognizes this email as spam and flags it as such (X-Spam-Flag: YES, with a score of 9.9 against a threshold of 7.0). The VAWebWorks email server is set to identify spam, but it does not block it. Instead it inserts the text “**SPAM**” into the subject line and allows it to be retrieved by the recipient. This allows you, the account holder, to determine how you will deal with email identified as spam. You can set your own email filter in your email app to send all email identified as spam by the VAWebWorks server straight to a spam folder if you choose to.
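To make the scoring headers concrete, here is an added Python example (mine, not the article's or VAWebWorks' code). It unfolds the SpamAssassin headers quoted above, parses X-Spam-Status and X-Spam-Report, checks that the per-rule points add up to the reported score and name the same tests, and applies the kind of client-side rule the paragraph describes: anything whose subject begins with **SPAM** is filed into a junk folder. The sample header block is reconstructed from the lines on this page (the subject text is a placeholder), and the function names are my own.

```python
import re

# Constructed sample, assembled from the SpamAssassin header lines quoted in the
# article above; the Subject text is a placeholder, not the original.
SAMPLE = """\
X-SMSpamC: processed
Return-Path: <jranacondam@dc.rr.com>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.2 (2007-07-23) on spam4.vawebworks.com
\tfrom 10.10.12.2 at Wed, 24 Oct 2007 16:09:54 -0500
X-Spam-Level: *********
X-Spam-Status: Yes, score=9.9 required=7.0 tests=BODY_ENHANCEMENT,
\tDATE_IN_FUTURE_24_48,DK_POLICY_SIGNSOME,FRT_BIGGERMEM1,HELO_DYNAMIC_IPADDR,
\tHTML_MESSAGE,INVALID_DATE_TZ_ABSURD,SARE_ADLTSUB2,SARE_ADULT2,SARE_SUB_PENIS,
\tSARE_WEOFFER,SPF_SOFTFAIL autolearn=disabled version=3.2.2
X-Spam-Report:
\t* 0.0 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
\t* 1)
\t* 0.2 INVALID_DATE_TZ_ABSURD Invalid Date: header (timezone does not
\t* exist)
\t* 1.2 SARE_ADLTSUB2 Contains possible adult words
\t* 1.7 SARE_SUB_PENIS subject has likely spammer phrase or word
\t* 0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
\t* 0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
\t* 2.8 DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after Received: date
\t* 0.3 SARE_WEOFFER BODY: Offers Something
\t* 0.0 FRT_BIGGERMEM1 BODY: ReplaceTags: Bigger / Larger, Penis / Member
\t* 1.6 BODY_ENHANCEMENT BODY: Information on growing body parts
\t* 1.4 SARE_ADULT2 BODY: Contains adult material
\t* 0.0 HTML_MESSAGE BODY: HTML included in message
Subject: **SPAM** placeholder subject for this sample
"""


def unfold_headers(raw):
    """Return [(name, value)], joining RFC 5322 folded continuation lines
    (a line starting with space or tab continues the header above it)."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def get_header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), None)


def parse_spam_status(value):
    """Parse 'Yes, score=9.9 required=7.0 tests=A,B,... autolearn=... version=...'."""
    verdict, _, rest = value.partition(",")
    rest = re.sub(r",\s+", ",", rest)           # rejoin the test list that folding split
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return {
        "flagged": verdict.strip().lower() == "yes",
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": fields["tests"].split(","),
        "autolearn": fields.get("autolearn"),
        "version": fields.get("version"),
    }


def parse_spam_report(value):
    """Return {RULE: points} from the '* <points> <RULE> <description>' entries."""
    return {rule: float(pts)
            for pts, rule in re.findall(r"\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)", value)}


def report_matches_status(status, report):
    """Sanity check: the per-rule points should sum to the score and name the same tests."""
    return (round(sum(report.values()), 1) == round(status["score"], 1)
            and set(report) == set(status["tests"]))


def client_folder(headers, tag="**SPAM**"):
    """The mailbox rule the article suggests: the server keeps tagged mail but
    prefixes the Subject, so a client-side rule files it into a junk folder."""
    subject = get_header(headers, "Subject") or ""
    return "Junk" if subject.startswith(tag) else "Inbox"


def analyze(raw=SAMPLE):
    headers = unfold_headers(raw)
    status = parse_spam_status(get_header(headers, "X-Spam-Status"))
    report = parse_spam_report(get_header(headers, "X-Spam-Report") or "")
    return {
        "status": status,
        "report": report,
        "over_threshold": status["score"] >= status["required"],
        "consistent": report_matches_status(status, report),
        "top_rules": sorted(report.items(), key=lambda kv: -kv[1])[:3],
        "folder": client_folder(headers),
    }


if __name__ == "__main__":
    r = analyze()
    print(f"score {r['status']['score']} / required {r['status']['required']}")
    for rule, pts in r["top_rules"]:
        print(f"  {pts:4.1f} {rule}")
    print("filed to:", r["folder"])
```

On this header the twelve report entries sum to exactly 9.9, so the report is consistent with the status line; the three rules that contributed most are the date 24 to 48 hours in the future, the subject wording, and the body content. If someone has tampered with the headers after SpamAssassin ran, the per-rule points and the score tend to stop agreeing, which is why the cross-check is worth keeping.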
Next, we come to the line, again written by the VAWebWorks server, that indicates where the email originated. This is another line that cannot be forged by the spammer.
Received: from ppp-78.9.163.50.revip2.asianet.co.th [78.9.163.50] by mail2.VAWebWorks.com with SMTP; Wed, 24 Oct 2007 16:08:28 -0500
This indicates to us that the email originated in Thailand (asianet.co.th) at IP address 78.9.163.50 and was received by mail2.vawebworks.com. Note that mail2.vawebworks.com is the public name of the mail server identified higher up in the header simply as MAIL2.
Now we come to the last hidden lines of the header. This is the only place the spammer can insert forged header lines. After these lines, we see the public lines of the header (From, To, Subject, Date, etc). These final hidden lines do not match with what we know from the rest of the header. It is likely that these lines have been inserted into the header by the spammer. They are a forgery designed to confuse anyone who might want to determine where the email originated.
Return-Path:
Received: from 65.24.7.20 (HELO clmboh-01.mgw.rr.com) by boldhope.com with esmtp (JQUVWKGBIY IELNO) id 4DbWGj-HGgeiQ-T2 for majordomo@boldhope.com; Thu, 25 Oct 2007 04:08:29 -1700
Later lines (higher in the header) consistently give the return path as jranacondam@dc.rr.com. This Return-Path line appears to have been inserted by the spammer to match the email address he entered as the From (below). Likewise the Received line doesn’t match the later lines: to fit with the rest of the header it would need to say that the email was received by asianet.co.th. Instead it says it was received by boldhope.com, a domain that matches nothing else in the header and is clearly designed to mislead the recipient. Since boldhope.com is a domain hosted by VAWebWorks, we know it is not a mail server, yet this line claims the email was received by boldhope.com. (Only email servers can receive email.)
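The bottom-up reading the article walks through can be automated. The following Python is an added example (mine, not from the article) that takes the Received lines quoted on this page, newest first, and walks down from the recipient's server, trusting each hop only while its “by” host is the one the hop above says it received from; the first hop that fails to link marks where forged lines may begin, and the lowest trusted hop's address is the origin. Hostnames are compared by their first DNS label so that an internal name like MAIL2 links to mail2.vawebworks.com (an assumption that fits this header; another site might need explicit aliases). It also flags private (10.x) relays, address literals that cannot be valid, timestamps that run backwards, and UTC offsets that do not exist, the same inconsistencies SpamAssassin scored above. The sample is reconstructed from this page, the disguised literal 216.198.182.931 is kept as the article prints it, and the function names are my own.

```python
import calendar
import ipaddress
import re
from email.utils import parsedate_tz

# Constructed sample: the Received lines quoted in the article, newest at the top,
# reassembled as one raw header block. The disguised literal 216.198.182.931 is
# kept exactly as the article prints it.
SAMPLE = """\
Received: (qmail 72998 invoked from network); 24 Oct 2007 21:12:08 -0000
Received: from mail9.vawebworks.com ([216.198.182.931])
\tby mail.mainstream.com (qmail-ldap-1.03) with SMTP
\tfor <mail@cltaz.org>; 24 Oct 2007 21:12:08 -0000
Received: from MAIL2 [10.10.12.2] by mail9.vawebworks.com with SMTP; Wed, 24 Oct 2007 16:10:00 -0500
Received: from ppp-78.9.163.50.revip2.asianet.co.th [78.9.163.50] by mail2.VAWebWorks.com with SMTP; Wed, 24 Oct 2007 16:08:28 -0500
Received: from 65.24.7.20 (HELO clmboh-01.mgw.rr.com) by boldhope.com with esmtp (JQUVWKGBIY IELNO) id 4DbWGj-HGgeiQ-T2 for majordomo@boldhope.com; Thu, 25 Oct 2007 04:08:29 -1700
"""

MAX_TZ_SECONDS = 14 * 3600  # real UTC offsets lie between -12:00 and +14:00


def received_values(raw):
    """Return each Received: value, newest first, with folded lines joined."""
    values = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and values:   # continuation of the previous header
            values[-1] += " " + line.strip()
        elif line.lower().startswith("received:"):
            values.append(line.partition(":")[2].strip())
    return values


def to_epoch(datestr):
    """Convert an RFC 2822 date to (UTC seconds, offset seconds); '-0000' counts as UTC."""
    parts = parsedate_tz(datestr)
    if parts is None:
        return None, None
    tz = parts[9] if parts[9] is not None else 0
    return calendar.timegm(parts[:9]) - tz, tz


def ip_kind(ip):
    try:
        return "private" if ipaddress.ip_address(ip).is_private else "public"
    except ValueError:
        return "invalid"   # e.g. an octet above 255 cannot be a real address


def parse_hop(value):
    """Split 'from <name> [<ip>] by <host> ...; <date>' into its parts."""
    from_m = re.match(r"from\s+(\S+)", value)          # a local stamp has no leading 'from'
    by_m = re.search(r"\bby\s+(\S+)", value)
    ip_m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    name = from_m.group(1) if from_m else None
    ip = ip_m.group(1) if ip_m else (name if name and re.fullmatch(r"[\d.]+", name) else None)
    date = value.rsplit(";", 1)[1].strip() if ";" in value else None
    epoch, tz = to_epoch(date) if date else (None, None)
    return {"from": name, "ip": ip, "kind": ip_kind(ip) if ip else None,
            "by": by_m.group(1) if by_m else None, "date": date, "epoch": epoch, "tz": tz}


def same_host(a, b):
    """Compare by first DNS label, case-insensitively, so an internal name such as
    MAIL2 links to mail2.vawebworks.com (assumption: good enough for this header)."""
    if a is None or b is None:
        return False
    return a.lower().strip(".").split(".")[0] == b.lower().strip(".").split(".")[0]


def trace(raw=SAMPLE):
    """Walk the chain from the recipient's server downward. A hop stays trusted only
    while its 'by' host is the one the hop above received from; the first hop that
    fails to link is where forged lines may begin, and the lowest trusted hop's
    address is the origin."""
    hops = [parse_hop(v) for v in received_values(raw)]
    anomalies, trusted = [], 1
    for i in range(1, len(hops)):
        above, below = hops[i - 1], hops[i]
        if above["from"] is not None and not same_host(above["from"], below["by"]):
            anomalies.append(f"hop {i}: claims receipt by {below['by']}, but the hop above "
                             f"received it from {above['from']}; chain breaks here")
            break
        trusted = i + 1
    for i, hop in enumerate(hops):
        if hop["kind"] == "invalid":
            anomalies.append(f"hop {i}: {hop['ip']} is not a valid IPv4 address")
        if hop["tz"] is not None and abs(hop["tz"]) > MAX_TZ_SECONDS:
            anomalies.append(f"hop {i}: UTC offset {hop['tz'] // 3600:+d}h does not exist")
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        if nxt and hop["epoch"] and nxt["epoch"] and nxt["epoch"] > hop["epoch"]:
            anomalies.append(f"hop {i + 1}: timestamp is later than the hop that received from it")
    origin = next((h["ip"] for h in reversed(hops[:trusted]) if h["ip"]), None)
    return {"hops": hops, "trusted_hops": trusted, "origin": origin,
            "untrusted": hops[trusted:], "anomalies": anomalies}


if __name__ == "__main__":
    result = trace()
    for i, h in enumerate(result["hops"]):
        print(f"hop {i}: from {h['from']} [{h['ip']} {h['kind']}] by {h['by']} at {h['date']}")
    print("origin:", result["origin"])
    for a in result["anomalies"]:
        print("!", a)
```

Run against this header, the walk trusts the four hops from mail.mainstream.com down to mail2.vawebworks.com and reports 78.9.163.50 as the origin, exactly the conclusion reached above. The bottom line is left untrusted because boldhope.com is not what the hop above received from, and it is additionally flagged for a timestamp a day later than the hop that supposedly received from it and for the -1700 offset, which no timezone uses. Keep in mind that the tool only says where the chain stops being self-consistent; the decision to report a hop is still yours.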
The rest of the header indicates to us who the email was originally mailed to and the sending name and email address that the spammer wants us to see. For example we can see that the email was mailed to majordomo@boldhope.com.
Message-ID: <0c2d01c81682$06aeaed0$3288083a@Beodyn>
From: "Beodyn Q. Mason"
To: "Claude E. Morales" <majordomo@boldhope.com>
Subject: **SPAM** You'll be surprised with your bigger penis
Date: Thu, 25 Oct 2007 04:08:29 -1700
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1165
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Spam-Prev-Subject: You'll be surprised with your bigger penis
When I saw that the email was mailed to majordomo@boldhope.com, I immediately wondered why it didn't bounce back to the sender. I never created such a mailbox for Boldhope.com. So I visited my mail server (at VAWebWorks) to look at the email accounts that I created for Boldhope.com and discovered the problem!
The VAWebWorks server DOES NOT RELAY this email to mail@cltaz.org as Randall had asserted. The VAWebWorks server sees itself as the final destination for the email. Boldhope.com is a domain hosted by VAWebWorks for both the website and email.
The email account majordomo@boldhope.com does not exist. But when I set up the email accounts for Boldhope.com, I was asked by the website owner to create a catchall account that takes any and all email to any address at @boldhope.com and forwards it to mail@cltaz.org. (I do not do this anymore and had forgotten that I had done it for boldhope.com.)
So the VAWebWorks server is not at fault and is not being hijacked by the spammer as Randall was asserting. My mail server is, in fact, working just as it should. It is doing what I set it up to do years ago.
So, knowing this, it was actually an easy problem to solve. I simply removed the catchall account. Then all mail going to these made-up addresses (such as majordomo@boldhope.com) would simply bounce back to the reply address.
In fact, if you are receiving a lot of spam, the first thing you should do is make sure that you have no catchall email account on your domain. I would even go so far as to say, “Remove all catchall accounts even if you aren’t currently receiving a lot of spam.” They’re just not a good idea.
Secondly, I recommend that you report all blatant spam through SpamCop.net. I get a lot of spam every day and I certainly do not report it all. But when I see that my email address has been hijacked so that it looks like the spam is coming from me, I do report this. And I recommend that you do the same. SpamCop.net has made the process very simple. You sign up for a free account, and then you cut and paste the entire email into a form on their server and hit ‘Submit’. This allows them to analyze it and send it to the ISP it originated at so they can deal with the spammer.
This has been a long article. I hope it has been worth the read to you. If you have any questions, please feel free to write to me at ricky@vawebworks.com. I get a lot of email and can’t always give a full reply to everyone, but I promise I will respond in some way to every email I receive. If I get a question that comes up frequently, I will add it to the VAWebWorks.com FAQ page.