We will take look internet mail headers and learn how to read them. (The best way to read is from bottom to up). This will be useful to identify a spoofed E-mail came to your organization or to be able to get the sender IP address so that it can be blocked either on exchange or depending upon your configuration, smart host mail gateways and etc.
First we need to spoof an E-mail; here is an easy way to do, go to my blog (assuming you are on it).On the bottom Trouble shooting Links click on mail relay testing tool now we would achieve the same result by going to command line
Telnet arcsmtp14.redcross.org 25
220 Donate blood today ESMTP Give blood and save lives today (250 mean Hi)
Helo <SpamKing@Spamkingdom.com> ( you could just put, <>, it means null reverse-path
250 2.1.0 MAIL ok
Rcpt to:<oz@Usa.redcross.org> Recipient to giving the receiver information
250 2.0.0 Ok
Subject: Spoofing Practices
I am Spam King and I am about to Spoof your E-mail ad Blah blah blah
250 2.6.0 message received
Quit ( exit telnet session)
Now we will learn and identify the spoofed e-mails and where it originated from. In the example, I have sent mail to firstname.lastname@example.org and I claimed to be email@example.com Now if the mail servers were performing RDNS (reverse DNS) they will be doing this.I am sitting on a server and claiming to be a valid user from @SMTP.org Domain. First thing the server who I am talking too will say, HI oz@SMTp25.org let me ask ROOT DNS servers where you located then, the Mail server will do a recursive query to its configured Public DNS servers and will say
Hey, this IP address X.Y.Z.E is claiming to be autherative SMTP domain for @SMTP25.org, is IP address is matching the IP address of the registered Domain.
DNS servers than will do another Recursive query to ROOT servers, and asking where is SMTP25.org, ROOT server will say, We don't know, but we know where .ORG domains are, here is the IP address go and ask them, Than I do another recursive query to .ORG domains and ask SMTP25.org, and the DNS server who has the record for this DNS SMTP name space will say, Yes I am the Autherative Domain, I have the registration for this Domain, and this is my IP address A.B.C.D Now answers will go back to your DNS server and your DNS servers are now, know that I am not the person who I clam to be, and Close the connection. IF mail server won't do, perform RDNS records, you can claim to be the president of united state, and mail server will tell you
250 meaning Sure MR. President
Below is the mail headers, I have taken from the e-mail I send it to myself, if you pay attention
The sender address is my E-mail address and recipient address is the same.
In a perfect world when a mail server accept SMTP connection it would do reserve DNS
Microsoft Mail Internet Headers Version 2.0
Received: from nhqdtcsmtp3.archq.ri.redcross.net ([10.160.9.234]) by EX1VS.archq.ri.redcross.net with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 2 May 2007 15:40:05 -0400
Received: from arcsmtp14.redcross.org ([22.214.171.124]) by nhqdtcsmtp3.archq.ri.redcross.net with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 2 May 2007 15:40:05 -0400
Received: from arcsmtp14.redcross.org (127.0.0.1) by arcsmtp14.redcross.org (MlfMTA v3.2r1b3) id h73jqu0171sp for <firstname.lastname@example.org>; Wed, 2 May 2007 15:34:07 -0400 (envelope-from
Received: from box2 ([126.96.36.199])
by arcsmtp14.redcross.org (SonicWALL 188.8.131.5239)
with SMTP; Wed, 02 May 2007 15:34:07 -0400
Subject: Spoofing King Spam King
X-OriginalArrivalTime: 02 May 2007 19:40:05.0105 (UTC) FILETIME=[AECD5E10:01C78CF1]
Date: 2 May 2007 15:40:05 -0400
Now look at the line in the middle says
" Received: from box2 ([184.108.40.206])"
email@example.com , now lets see if this IP address is really represent the mail domain @SMTP25.org ?
Go back to my Blog, on the right lover corner, Click the link which says "Arin Who is "In the search place the IP address "220.127.116.11" which Claims to be the autherative SMTP domain for firstname.lastname@example.org., fair enough the name servers comes up as
So obvious they are not @Usa.Redcross.org. Now you know you are dealing with Spoofed E-mail