Archive for August, 2008

Detecting Spam/Phishing

Monday, August 18th, 2008

You’ve seen emails with titles like

  • UPS Tracking Number 0917799165
  • please verify your account information
  • Mail Returned.
  • Weekly Top News

Do you automatically open these official-sounding emails without looking at anything else?

I hope not!

You are setting yourself up for trouble. A few years ago I saw a web professional start filling one of these forms out because she was fooled by how “real” it looked. Luckily, she started paying attention to what she was doing before she hit send and gave someone her bank account numbers.

So what are some of the common warning signs and how can you uncover the truth?

  1. Very few, if any, companies will ask you for account numbers, any sort of ID numbers, passwords, usernames, etc. via email. They keep things on file and assume they are correct. A request like this is almost always a sure sign of spam. If you forget a needed piece of information such as a username or password, they will either:
    a) send an email to the email address on file with new instructions to get into their system
    b) ask you some questions that you have previously answered and that only you should know the answers to (and let you in after you answer those questions; they may require you to change your password in the process).
  2. Do you recognize the sender? If it looks like it might be legitimate but is questionable, look at the “header” information on the email and pay particular attention to the names there. (My last blog has more information on how to retrieve the header information.)
  3. Account or ID numbers with the wrong number of digits, or other information that shows the sender was sloppy.
  4. Does the subject make it look like it is one of many emails on this topic that they send out regularly, such as “Top News Stories Today” or “News Digest” (from your news outlet of choice), “Today’s Tip to Lose Weight” (from your favorite diet service), or “This Week’s Specials” (from your favorite retailer)? In this case, check the headers.

How to Know Who Really Sent an Email

Monday, August 11th, 2008

Ever get an email from “Evelyn?” Who is Evelyn? Is she a long lost friend, a neighbor, a relative you just learned you had, or someone hoping you know an Evelyn and will open their pharmaceutical advertisement?

It may appear that you don’t know until you actually open the email, but that is not true. When you first open an email, it is very much like looking at the outside envelope of mail you get from the postal service. Both systems have a delivery address and a return address. In both cases, anyone can put whatever return address they want. For instance, I could send out a thank-you note on behalf of my parents. While writing the return address, I could forget who is “sending” the mail and put my personal address instead of my parents’. The recipient would not know who actually sent the mail until they opened it.

The “from” address that displays in your email browser works the same way. The sender can put whatever he wants.

However, I cannot fake the post office that actually takes the regular mail and sends it for me. They add an ink stamp or two on the front of the envelope. Responsible email servers also leave signatures identifying the “post office” or sender. This information is stored in the “Header” information of the email.

  • Outlook: you can get to this information by right clicking on the email in question. In the pop-up menu select “Message Options.”
  • Webmail (Horde): When you roll over the sender’s name in the email list, the system shows a cursor pop-up with a real email address (which can be faked, but senders often do not bother).

Below is a sample header from Outlook for an email sent from “John Hannah.” Notice in particular the number of ways that the sender can be identified. If you see something odd in any of them, be very concerned:

  • Notice the sections in Red–that is what the server puts in to tell you where it really came from
  • Notice the section in Blue–that is what you typically see from your email browser.
  • Purple is a comment from me
  • The grey text has been changed just to keep it out of the public domain. (Some of us are just paranoid; no use in attracting any more spam than I need to.)

X-Spam-Flag: YES
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.6 required=4.0 tests=BAYES_99,HELO_LH_HOME,
RDNS_NONE,TRACKER_ID,TVD_SPACE_RATIO autolearn=no version=3.2.3
* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
* 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
* 2.0 TRACKER_ID BODY: Incorporates a tracking ID number
Received: from speedtouch.lan ([IPS Address]) by myserver with MailEnable ESMTP; Mon, 11 Aug 2008 11:09:32 -0400
Message-ID: <01c8fb78$d21fb600$c9eded40@maintainedtw91>
From: “John Hannah” <> The section between < and > can be faked. This is the address that shows up in the rollover in webmail.
To: my name<>
Subject: [SPAM] SpecialPrices100mgBestQuality
Date: Mon, 11 Aug 2008 06:09:32 -0900
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
X-Spam: Not detected
Return-Path: <>
<>–Sometimes faked also
Sender: <>
X-Spam-Prev-Subject: SpecialPrices100mgBestQuality
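
The header check described above can also be done with a short script. This is an added example, not part of the original post: it sets the fields the sender writes (From, Return-Path, Sender) beside what the receiving server recorded (the top Received line and the spam filter's tests). The sample header is constructed, and its addresses, server name and IP address are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header above; the addresses, server name
# and IP are placeholders from reserved example ranges, not values from the post.
SAMPLE = """\
Received: from speedtouch.lan ([203.0.113.7]) by mail.example.org with ESMTP; Mon, 11 Aug 2008 11:09:32 -0400
X-Spam-Status: Yes, score=10.6 required=4.0 tests=BAYES_99,RDNS_NONE
From: "John Hannah" <john.hannah@example.com>
Return-Path: <bounce@example.net>
Sender: <bulk@example.net>
To: <me@example.org>
Subject: SpecialPrices100mgBestQuality

body
"""

def domain(value):
    """Lower-cased domain of an address header, or '' when empty or missing."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def review_headers(raw):
    """Set the sender-written fields beside what the receiving server recorded."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    # Fields the sender writes: a domain that disagrees with From is a warning sign.
    mismatches = [f"{f}: {domain(msg[f])}" for f in ("Return-Path", "Sender", "Reply-To")
                  if domain(msg[f]) and domain(msg[f]) != from_dom]
    # The topmost Received line is stamped by your own mail server and names
    # the machine that actually connected to it.
    received = msg.get_all("Received") or []
    hop = re.match(r"from\s+(\S+)\s+\(\[?([^\])]+)\]?\)", received[0]) if received else None
    # Rule names the server's spam filter matched, e.g. RDNS_NONE.
    tests = re.search(r"tests=(\S+)", msg.get("X-Spam-Status", ""))
    return {
        "from_domain": from_dom,
        "mismatches": mismatches,
        "connecting_host": hop.groups() if hop else None,
        "spam_tests": tests.group(1).split(",") if tests else [],
    }

if __name__ == "__main__":
    for key, value in review_headers(SAMPLE).items():
        print(f"{key}: {value}")
```

A domain mismatch is a reason to look closer, not proof of spam: legitimate mailing services often send on behalf of another domain.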
