Sunday, November 4, 2007

Gmail making Spam tracking and Reporting just one step easier.

After checking my Email this weekend I noticed that Google has made a lot of changes.
One is the ability to easily view header by clicking the drop down arrow to the right of the "reply" button.

Many times when you receive spam and want to report it, the abuse department of the sender requests that you include full headers. This is what the the "show original" button lets you see:

(NOTE: This is a spam Email I received on Nov 3, the only thing that has been left out is my Email, everything else
is left as is. Highlighed are the sending IPs and Emails)

Delivered-To: Anelite...@gmail.com
Received: by 10.142.114.1 with SMTP id m1cs413197wfc;
Sat, 3 Nov 2007 09:46:11 -0700 (PDT)
Received: by 10.78.186.9 with SMTP id j9mr2269184huf.1194108369681;
Sat, 03 Nov 2007 09:46:09 -0700 (PDT)
Return-Path: <cohen@pinkponk.com>
Received: from CSTLGA-COE-CIP525-01.coastalnow.net.216.166.216.in-addr.arpa ([216.166.216.138])
by mx.google.com with ESMTP id 2si7442642nfv.2007.11.03.09.46.08;
Sat, 03 Nov 2007 09:46:09 -0700 (PDT)
Received-SPF: neutral (google.com: 216.166.216.138 is neither permitted nor denied by domain of cohen@pinkponk.com) client-ip=216.166.216.138;
Authentication-Results: mx.google.com; spf=neutral (google.com: 216.166.216.138 is neither permitted nor denied by domain of cohen@pinkponk.com) smtp.mail=cohen@pinkponk.com
Received: from [216.166.216.138] by taurus-1.siol.net; Sat, 03 Nov 2007 16:49:32 +0000
Message-ID: <000401c81e39$0786d5d8$f9708d81@aengcxn>
From: "bjorne monty" <cohen@pinkponk.com>
To:
Subject: Fw:
Date: Sat, 03 Nov 2007 15:02:09 +0000
MIME-Version: 1.0
Content-Type: text/plain;

format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757

Yahoo:





Hotmail:

To make MSN Hotmail display all header lines:

  • Select Options from the top MSN Hotmail navigation bar.
  • Make sure the Mail category is selected.
  • Choose Mail Display Settings.
  • Set Message Headers to Full.
  • Click OK.
(source: about.com)

As can be seen by the highlighted parts, the IP Address is show in many places. Every user of the internet, whether they are a business, school, or home user is issued a individual IP Address that becomes specific to their router or PC. This IP normally will change after a given length of time called the license period or when ever the router/computer is disconnected or restarted.
When this email is reported to the parent company (in this case "pinkpoke.com") they can:

- simply delete the account and ban that IP Address from their site.

- report the IP Address to the ISP (which can be publicly found by going to nwtools.com) .... this could result in a shutdown of the offender's internet.

- Finally pinkpoke.com could request a court order for the ISP to tell them who abused the account and file a lawsuit against the abuser. The ISP would then have to turn over logs showing what time and address was using that IP Address at the time the spam was sent. One small Email service says they attempt to collect a $10/per spam Email when they prosecute offenders. (now if I could get that for all my Spam... hehehe)

Unfortunately ISPs don't always keep the logs for an extended time (an anonymous source told me only about 8 to 10 days, due to volume and space limits) and therefore if the parent company doesn't act fast, this option will not be available to them. Also spammers have many ways to keep from getting caught.

Spammers stay anonymous by hijacking computers and using them to send their "hate mail" or by using one of the many spoofers available on the internet. A spoofer is a program that allows you to send and Email that looks like someone else. (e.g. I could send an Email from admin.goog@gmail.com just by entering it into a text box.)

Many times the spoofed Emails don't have the same certificates as official Emails and therefore they can be picked up by the spam blocker. A certificate appears in every Email and issued by the domain (Gmail, yahoo, etc) and help programs validate Emails. (note above Email header shows a certificate of neutral)

Analysis:
I hate to break it to you, but "cohen@pinkponk.com" doesn't really exist and that oh-so-special product they advertised doesn't work much better. A check on http://www.nwtools.com came back with the following (check the "Email Validation" radio button for validating Emails):
[Contacting pinkponk.com [213.229.249.143]...]
[Timed out]
A Google searched turn up no other reports of this address either. (sometimes other people have will posted on a particular spammer, what they find out)

I also ran a check on the IP address, I believed it would be a valid home user (maybe hijacked) due to the fact that the full header the "X-Mailer: Microsoft Outlook Express 6.00.3790.2663" signature. Outlook is one of the oldest windows Email programs, and therefore is a breeze to hijack.
OrgName: Mebtel Communications
OrgID: MEBT
Address: 103 South Fifth Street
City: Mebane
StateProv: NC
PostalCode: 27302
Country: US
more.... click here
What do you know? Its valid... and if I sent an Email to abuse@madisonriver.net they might even look into shutting down this spammer, provided they care...

END Notes:
Yahoo has had a quick links to full headers for some time now, but Hotmail requires users to go through some steps to turn the full headers on, and has no quick On/off feature.

The previous way to get Gmail full headers was to click "basic html" at the very bottom of the page and then click option for "full headers" which would appear by the address box. This step by Google to make full headers easier to get at may reduce the time it takes to report spam. Which is good because Spam is one kind of "food" ad that I don't want in my inbox... I get enough "food" ads as it is in the regular mail.

Future post highlights:
I received requests for this post and I am still working on the next planned post: Keydisk security. I should be posting it in about a week or so. If you have ideas or something you want to know how to do that relates to protecting PC user safety let me know... Post on the blog or Email me at the address shown in contact info.