Penn State Home

                                        

   

 

Policies & Guidelines

SOS Services

Incident Reporting

Security Guides

Setting Passwords

SOS Staff

FAQ

ITS Site Search:



ITS sponsored a security awareness campaign

Can't Find It? Ask SOS


Examples of E-mail Headers

To analyze headers read from bottom to top, starting from the From: line. Understand that each location or "hop" which handled the message adds one Received: line above the last. The originating IP address should appear in [brackets] not (parentheses) only. The top, or most recent Received: line will be the e-mail server that you accessed to check your e-mail. Most of the time the originating IP address will be in the first set of brackets, as you read up the headers. Time zone information may help you to pick out the bogus Received: lines in e-mail headers. The true originating IP addresses are in green in the headers below. Forged portions of headers are red. Penn State user IDs in these examples have been changed to xyz123@psu.edu for confidentiality.

Printable Version of this Page

  1. Common e-mail worm, which carried an attachment that was infected with the  W32.Mimail.A@mm.  IP Addresses are not forged. (printable .pdf version)

  2. Two real hops, with no forgery, of a spam e-mail, before arriving at Penn State. (printable .pdf version)

  3. An example of a spammer using web-based e-mail, as the mailer for the spam.  The spammer still needs an ISP to use this Internet service, so the hop from [80.88.128.12] is not forged.  (printable .pdf version)
  4. Mass spam message. The first Received: “paragraph” is forged (printable .pdf version)
  5. The first Received From line is faked.  The second has a forged portion, but the originating IP address is the true first hop. (printable .pdf version)

  6. Three hops, within a spam e-mail, where the spammer attempted to generate confusion by inserting 3 bogus hops into the headers. (printable .pdf version)

 

a.  A common e-mail worm, which carried an attachment that was infected with the  W32.Mimail.A@mm.  IP Addresses are not forged.  The address admin@psu.edu does not exist. 

Received: from f05n09.cac.psu.edu (r02a08.cac.psu.edu [146.186.15.18])
by seawolf.aset.psu.edu (8.9.32.1/8.9.3) with ESMTP id RAA1400926
for abc123@e-mail.psu.edu>; Tue, 2 Dec 2003 17:28:58 -0500
Received:(from daemon@localhost);by f05n09.cac.psu.edu (8.9.3p2.1/8.9.3)
id RAA36718 for abc123@e-mail.psu.edu; Tue, 2 Dec 2003 17:28:58 -0500
From:admin@psu.edu
Received: from localhost (69-162-40-193.stcgpa.adelphia.net[69.162.40.193]);by f05n09.cac.psu.edu (8.9.3p2.1/8.9.3) with SMTP id
RAA134936;
for Tue, 2 Dec 2003 17:28:11 -0500
 Date: Tue, 2 Dec 2003 17:28:11 -0500
Message-Id: <200312022228.RAA134936@f05n09.cac.psu.edu>
X-PH:V4.1@f05n09
To: xxx <xyz123@psu.edu;
Reply-To:admin@psu.edu
X-Mailer:The Bat! (v1.61)
X-Priority: 2 (High)Subject: your account anolyypc
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------CEDF5D290026C8C"-----------CEDF5D290026C8C
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit Hello there, I would like to inform you about important information regarding your e-mail address. This e-mail address will be expiring.
Please read attachment for details.
Best regards,
Administrator
ureukouk

The Received: “paragraphs” give information about the three hops of this e-mail’s travel, a simple three step trip, and all of it actually happened.  There are no forged Received: lines in this example.  e-mail headers are always read from last to first, as the server at each hop adds its own information to the beginning of the headers. 

This e-mail traveled from a customer of Adelphia Cable, to Penn State, to the person it was addressed to. 

********

TECHNICAL CONCEPT

A word about the timestamps found throughout the headers, which indicate the date, current time, and time zone of each hop.  Here is a sample:

Mon, 1 Dec 2003 03:10:09 -0500

The very last part of the timestamp, -0500, is the time difference in hours, from Greenwich Mean Time (GMT), which is indicative of the time zone at the location of the hop.  In the Eastern Time Zone, we are -0500 during Eastern Standard Time, and -0400 during Eastern Daylight Time.  In the Pacific Time Zone, they are at -0800 during Pacific Standard Time, and -0700 during Pacific Daylight Time. (three hours behind Eastern Time) In e-mail from the United Kingdom, you will see -0000 or GMT/UTC, from Japan you will see +0900. 

Under most Internet traffic conditions, it only takes a couple of seconds to move from one hop to the next, even if an e-mail travels a great physical distance.  The time an e-mail takes to travel one hop within a 100 MBS network, can be measured in milliseconds.

Time zone information may help you to pick out the bogus Received: lines in e-mail headers, when determining the portions of the headers that have been forged. For example if the Received from: entries are several hours apart, have the wrong time zone, or non-sequential date/time.

return to the top

b. Two real hops, with no forgery, of a spam e-mail, before arriving at Penn State.  You may recognize the message body as the beginning of one of the Nigerian Advance Fee Fraud variation.

In this case, the mail hopped from its origin within an Italian ISP, through the same ISP’s smtp, or out-going, e-mail server.  This is actually the legitimate way to send e-mail.  Allowing for the six hour time zone difference, 4 seconds between hops is reasonable (when being sent with 10,000 others). 

Received: from f04n09.cac.psu.edu (f04s09.cac.psu.edu [128.118.141.37])   by seawolf.aset.psu.edu (8.9.3p2.1/8.9.3) with ESMTP id KAA2224280
for <abc123@e-mail.psu.edu>; Mon, 1 Dec 2003 10:29:49 -0500
Received: (from daemon@localhost)
by f04n09.cac.psu.edu (8.9.3p2.1/8.9.3) id KAA39602
for abc123@e-mail.psu.edu; Mon, 1 Dec 2003 10:29:48 -0500
Received: from smtp3.libero.it (smtp3.libero.it [193.70.192.127])
by f04n09.cac.psu.edu (8.9.3p2.1/8.9.3) with ESMTP id KAA48974
for <xyz123@psu.edu>; Mon, 1 Dec 2003 10:29:46 -0500
Received: from libero.it [193.70.192.64] by smtp3.libero.it (7.0.020-DD01)
id 3F6F068F008B77EC; Mon, 1 Dec 2003 16:29:42 +0100
 Date: Mon, 1 Dec 2003 16:29:42 +0100
Message-Id: <HP831I$F83BCC286922B6E1F0C969DA2A7D7216@libero.it>
Subject: hello
MIME-Version: 1.0
X-Sensitivity: 3
Content-Type: text/plain; charset=iso-8859-1
X-PH: V4.1@f04n09
From: "philip_elim\@libero\.it" <philip_elim@libero.it>
To: "philip_elim" <philip_elim@libero.it>
X-XaM3-API-Version: 4.1 (B19)
X-type: 0
X-SenderIP: 66.133.34.12
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by seawolf.aset.psu.edu id KAA2224280

Dear Respectful
 Good day,  

I have to first of all apologise for taking you unawares by the contents of this message. I had to send the message straightaway because of the short time involved in what I demand of you. Please treat this message with utmost seriousness and swiftness. 

Apart from the fact that you will be adequately rewarded, I will forever show my gratitude. 

I am philip Savimbi, son of the late Angolan Leader Gen.Jonas Savimbi who was killed last year. I got your contact details from the internet because I really have no time and I needed an anonymous person abroad whom I hope I can trust. I pray I am not making wrong judgement by coming to you.

return to the top

c. An example of a spammer using web-based e-mail, as the mailer for the spam.  The spammer still needs an ISP to use this Internet service, so the hop from [80.88.128.12]is not forged.

Received: from f05n13.cac.psu.edu (r02a04.cac.psu.edu[146.186.15.14])
by seawolf.aset.psu.edu (8.9.3p2.1/8.9.3)
with ESMTP id SAA2736196 for <xyz123@psu.edu>; Mon, 1 Dec 2003 18:20:02 -0500
Received: from daemon@localhost) 
by f05n13.cac.psu.edu (8.9.3p2.1/8.9.3);id SAA126224
for xyz123@psu.edu; Mon, 1 Dec 2003 18:20:01 -0500
Received:from web25009.mail.ukl.yahoo.com (web25009.mail.ukl.yahoo.com [217.12.10.45]) 
by f05n13.cac.psu.edu (8.9.3p2.1/8.9.3) with SMTP id SAA307170  
for <xyz123@psu.edu>; Mon, 1 Dec 2003 18:20:00 -0500
Message-ID: <20031201231959.79070.qmail@web25009.mail.ukl.yahoo.com>
Received: from [80.88.128.12] by web25009.mail.ukl.yahoo.com via HTTP;
 on, 01 Dec 2003 23:19:59 GMT
Date: Mon, 1 Dec 200323:19:59 +0000 (GMT)
X-PH: V4.1@f05n13
From:=?iso-8859-1?q?adele=20thomas?= <adelethomas03@yahoo.co.uk>
Subject:RE: MESSAGE
To: xyz123@psu.edu
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit 
FROM THE DESK OF MR ADELE THOMAS
ADELE THOMAS AND ASSOCIATES
e-mail:adelethomas01@yahoo.co.uk 
ATT:Sir/Madam,
RE:YOUR INHERITANCE FUND CLAIM OF  LATE MRS CASANDRA RYAN. 
First, I must solicit your confidence in this transaction, this is by virtue of its nature as being utterly CONFIDENTIAL. I am  Adele Thomas,legal adviser to the Executive Director (Banking and Treasury Operations)with the Union Bank of Nigeria.

 

return to the top

d. Mass spam message. The first Received: “paragraph” is forged (remember to read this last-to-first).  That is, it was inserted by the spammer’s e-mail sending program into the headers, ahead of the first real hop. What to look for?  The spammer set his mailing program to insert this faked line to correctly read the time to be one hour different and one time zone away from the real first hop, but forgot to change the date.     

Received: from f05n09.cac.psu.edu (r02a08.cac.psu.edu [146.186.15.18])
by seawolf.aset.psu.edu (8.9.3p2.1/8.9.3) with ESMTP id QAA1437756
for <abc123@e-mail.psu.edu>; Wed, 3 Dec 2003 16:40:49 -0500
Received: (from daemon@localhost
by f05n09.cac.psu.edu (8.9.3p2.1/8.9.3) id QAA256286
for abc123@e-mail.psu.edu; Wed, 3 Dec 2003 16:40:36 -0500
Received:from wiley-197-68346.roadrunner.nf.net (wiley-197-68346.roadrunner.nf.net [205.251.233.5])
by f05n09.cac.psu.edu (8.9.3p2.1/8.9.3) with SMTP id QAA318728;
Wed, 3 Dec 2003
 Received: from [69.33.16.227] by wiley-197-68346.roadrunner.nf.net with ESMTPid 00928511; Fri, 21 Nov 2003 15:39:09 -0600
Message-ID: <6gf93$i314w-$dw3-$4@2y97tg211>
X-PHV4.1@f05n09
From: "Joyce Xiong" <xpi06dy@yahoo.com>
Reply-To: "Joyce Xiong" <xpi06dy@yahoo.com>
 To: xyz123@psu.edu
Cc: <xyz123@psu.edu>, <xyz123@psu.edu>
Subject: Tramadol.l Xanax.x Vicodin.n Valium.m m
Date: Fri, 21 Nov 03 15:39:09 GMT
X-Mailer: QUALCOMM Windows Eudora Version 5.1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="ED_8._.F_75._8"
X-Priority: 3
X-MSMail-Priority: Normal
 

Many Specials running this week 
THE RE.AL THING
not like the other sites that
imitate these products. 
No hidd.en char.ges - Fast Delivery
Vic.odin Val.ium Xan.ax
Via.gra Diaz.epam Alpra.zolam
So.ma Fior.icet Amb.ien
Stil.nox Ult.ram Zo.loft
Clon.azepam At.ivan Tr.amadol
Xeni.cal Cele.brex Vi.oxx
Pro.zac Bus.par Much M.ore....

return to the top

 

e. The first Received from line is faked. The second has a forged portion, but the originating IP address in brackets is the true first hop.  

Received: from f05n11.cac.psu.edu (r02a07.cac.psu.edu [146.186.15.17])by seawolf.aset.psu.edu
(8.9.3p2.1/8.9.3) with ESMTP id MAA1851396 for <abc123@e-mail.psu.edu>;
Sun, 30 Nov 2003 12:28:53 -0500
Received: (from daemon@localhost)by f05n11.cac.psu.edu
(8.9.3p2.1/8.9.3) id MAA142628 for abc123@e-mail.psu.edu;
Sun, 30 Nov 2003 12:28:53 -0500
Received: from 146.186.15.17 ([213.185.120.6])by f05n11.cac.psu.edu
(8.9.3p2.1/8.9.3) with SMTP id MAA185572;
Sun, 30 Nov 2003 12:28:40 -0500
 Received: from [23.112.138.113] by 146.186.15.17 id gpY0elB36adr for
<xyz123@psu.edu>; Sun, 30 Nov 2003 16:25:21 -0100
Message-ID: <wg-$w0c$43if3101-9q-4--456w6@fkpo21>
X-PH: V4.1@f05n11
From: "Reuben Youngblood" <fn812j@hotmail.com>
Reply-To: "Reuben Youngblood" <fn812j@hotmail.com>
To: xyz123@psu.edu
Subject: handspfke vivorcee a
 Date: Sun, 30 Nov 2003 16:25:21 GMT
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="BD24.CAA.98E_EF2"
X-Priority: 3
X-MSMail-Priority: Normal
Content-Type: text/html;

BRAND NEW COLON CLEANSER PRODUCT
 The average person contains 5 to 25 pounds of waste build up in their colon. This leads to being overweight, colon cancer, deadly toxins and parasite build up.

You're about to discover the true secrets about your colon and digestive system and how it significantly impacts your health and enhances your weight loss program. Plain, simple and to the point information that is vitally important to your overall good health.

return to the top

 

 f. Three hops, within a spam e-mail, where the spammer attempted to generate confusion by inserting 3 bogus hops into the headers.

The first three hops are forgeries because the time stamps don't match, and the message was not passed to next machine properly.  When a message from a hop is received by the next hop, the by must correlate with the domain name of the subsequent hop.

sparc.isl.net and its corresponding IP address should be reflected in the next Received: from line, but it is not. A similar situation exists in the second and third Received: from lines.  

67.22.42.81 is a forged optional machine name; it does not correspond to the true IP address [68.170.238.28] .

Received: from f05n11.cac.psu.edu (r02a07.cac.psu.edu [146.186.15.17])
 by seawolf.aset.psu.edu  (8.9.3p2.1/8.9.3) with ESMTP id LAA1138928
for < abc123@e-mail.psu.edu>; Tue, 2 Dec 2003 11:15:17 -0500
Received: (from daemon@localhost)
by f05n11.cac.psu.edu (8.9.3p2.1/8.9.3) id LAA126680
for abc123@e-mail.psu.edu; Tue, 2 Dec 2003 11:15:15 -0500
Received: from 67.22.42.81 (fl-westboca-u3-c3c-28.atlsfl.adelphia.net [68.170.238.28])
by f05n11.cac.psu.edu (8.9.3p2.1/8.9.3) with SMTP id LAA275008
for <xyz123@psu.edu>; Tue, 2 Dec 2003 11:15:07 -0500
Message-Id: <200312021615.LAA275008@f05n11.cac.psu.edu>
Received: from [204.80.13.95] by asy100.as122.sol.superonline.com with smtp; Dec, 02 2003 7:57:51 AM -0800
Received: from 167.90.49.93 ([167.90.49.93]) by mailout2-eri1.midsouth.rr.com with esmtp; Dec, 02 2003 6:46:42 AM +1100
Received: from 177.139.227.166 ([177.139.227.166]) by sparc.isl.net with QMQP; Dec, 02 2003 6:02:44 AM +1200
 X-PH: V4.1@f05n11
From: bsuC:"\messages\names_a.txt" <geogoston@cs.elte.hu>
To: xyz123@psu.edu
Cc:
Subject: Hot OTC Gold: (UDVE) Target Price .43
Sender: bsuC:"\messages\names_a.txt" <geogoston@cs.elte.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Tue, 2 Dec 2003 08:13:11 -0800
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
 

Mining Stock News achieved record results for our Investment Alerts in
November as Gold reached its highest levels for the year.
 
MINING STOCKS ARE EXPLODING!
Precious metals are making new highs and holding their gains.
Gold mining stocks are the hot flyers of the OTC.
Historical cycles show that a strong rally in gold ignites the major producers
which is followed by soaring undervalued OTC gold plays.

Results for our November Investment Alerts:
Apolo Gold (APLL) +411% (.09 to .46)
World Ventures (WVNTF) +321% (.19 to .80)

Mining Stock News Investment Alert for December:
United Development International (UDVE)

return to the top

 

Printable Version of this Page
   
ITS Logo
 

 

 The Pennsylvania State University © 2005. All rights reserved.
Alternative Media - Nondiscrimination Statement
This site maintained by Security Operations and Services,
a unit of Information Technology Services.

For assistance, contact Security Operations and Services.
Provide site feedback to the Security Webmaster.

Last revised: 05/16/2005

 

  
6C8C