The headers that can be forged are:
- Subject, Date, Message-ID
- Recipients: From, To, CC
- Content body
- Any arbitrary headers such as the X-Mailer and X-Message-Info
- The initial Received headers
The headers that cannot be forged are:
- The final Received headers
- The originating mail server, including:
- IP address
- Subsequent timestamps
A header view of a phishing email that was sent targeting Citibank customers might look something like this:
Received: from 157.red-80-35-106.pooles.rima-tde.net (157.Red-80-35-106.pooles.rima-tde.net [126.96.36.199]) by mail.nwsup.com (8.13.0/8.13.0) with SMTP id i6KCInwW020143; Tue, 20 Jul 2004 08:18:51 -0400 Received: from jomsi9.hotmail.com ([188.8.131.52]) by p77-ewe.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Tue, 20 Jul 2004 11:01:16 -0200 Received: from aeronauticsaranf21 (bub[184.108.40.206]) by hotmail.com (mcak97) with SMTP id <40364465887f8mut> Tue, 20 Jul 2004 11:01:16 -0200 From: "Citibank" <firstname.lastname@example.org> To: "'Novell2'" <email@example.com> Subject: Attn: Citibank Update! Date: Tue, 20 Jul 2004 14:03:16 +0100 Message-ID: <1575948b156d80$0sv4mtq8$296tas263sil@edmondsonvl9695>
We want to read Received headers from top to bottom in this case. As we learned earlier, at the very top is the final Received header, which cannot be forged. In this case, the previous hop before the message landed at its final destination was through 157.red-80-35-106.pooles.rima-tde.net. This address can be verified by a forward lookup of the IP, which resolves to this. The next Received line says it is from jomsi9.hotmail.com, which we should doubt--first, because it is tough to forge email from a web email service in general, and second, the IP address and hostnames for the Hotmail domains do not exist on the Internet.
The bottom Received header is clearly a fake header, since there is no real domain associated and IP address is untraceable. So, relying on what we know, the only known accurate header is 220.127.116.11--and oh, what a surprise, a whois (www.whois.org) lookup on the IP shows the location to be in Estonia, which happens to be a popular country for phishing and other electronic fraud. Also, this IP address has been on record at the SPAMHAUS (www.spamhaus.org) Real Time Block List, meaning that it was probably an open relay at some point in time and used to send abusive email.
Looking at context clues, we note the timestamps on the two forged Received headers. It is extremely unlikely that the timestamps would be at the exact same time, as indicated here.
The Message-ID is definitely not a Hotmail one, since Hotmail message IDs take a form similar to BAY19-F30997BCBE3A45FF3DB16698E3D0@phx.gbl. Hotmail also sends an X-Originating-IP as well as a few other abuse-tracking headers, which are definitely not included in the phishing email.
General clues within the header usually identify whether it is forged or not. The obvious one is the Received headers being inconsistent with mismatched From and by fields. The HELO name does not match the IP address, there are nonstandard headers in general placed within the email, and wrong or "different" formats of the Date, Received, Message-ID, and other header labels.
Here are some more specific clues regarding this email header:
- The time zone on the Hotmail header doesn't match the geographical location, nor does the Date header.
- The asterisk in the From domain cannot originate from Hotmail and generally is not legitimate;
- SMTPSVC is Exchange's SMTP connector, which is used consistently throughout Hotmail.
- Hotmail records a Received header matching Received: from [browser/proxy IP] with HTTP; [date].
- Hotmail systems are usually set to GMT.
Let's compare the suspicious mail to a legitimate Hotmail message:
Received: from hotmail.com (bay19-f30.bay19.hotmail.com [18.104.22.168]) by mail.sendingemail.com (Postfix) with ESMTP id 4F6A7AAA8E for <firstname.lastname@example.org>; Tue, 5 Apr 2005 21:46:27 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 5 Apr 2005 21:45:50 -0700 Message-ID: <BAY19-F30997BCBE3A45FF3DB16698E3D0@phx.gbl> Received: from xx.7.239.24 by by19fd.bay19.hotmail.msn.com with HTTP; Wed, 06 Apr 2005 02:45:50 GMT X-Originating-IP: [xx.7.239.24] X-Originating-Email: [email@example.com] X-Sender: firstname.lastname@example.org From: "Hotmail Account" <email@example.com> To: firstname.lastname@example.org Date: Wed, 06 Apr 2005 02:45:50 +0000
A quick comparison to the phishing email makes it quite obvious that the previous email headers were not authentic and definitely not from Hotmail. The final Received header shows accurately that it was received from Hotmail, and if we did a forward DNS lookup on the IP, it would match Hotmail. The second Received header is the internal mail pickup service and demonstrates that there was an extra hop from the user sending email from the Web outgoing to the Internet. The initial Received header is authentic, displaying our IP address and the mail relay it was picked up by. It also states that we performed this action via HTTP on a certain date and time based in the GMT time zone.
We also note the X-headers; in this case they are being used for abuse tracking so that one can quickly identify the IP address of the originator. X-headers are user-defined fields, usually marked by other vendors outside the MTA; they are usually nonstandard and vendor-specific. The X-Originating-Email matches the From: field, and the dates are sufficiently accurate and do not look suspicious. All in all, you can see a vast difference between a suspicious set of headers and a properly formed email. This does not mean that forged headers are always this obvious, but there are some clues that may give it away if you know how to read them.
10 tips in 10 minutes: Phishing exposed
Tip 1: Email basics for Exchange admins
Tip 2: Understanding email delivery
Tip 3: Anonymous phishing email
Tip 4: How phishers forge email headers
Tip 5: Phishers use of open relays and proxy servers
Tip 6: How phishers send anonymous email
Tip 7: Phishers techniques for email harvesting
Tip 8: Phishers, hackers and insiders
Tip 9: Sending spam; phishing tools of the trade
Tip 10: Phishing email and spam filters