« When Your eBay Account is Stolen | Main | A Phony eBay Survey Phish »

November 15, 2005

Every once in awhile, a spammer's spewing machine goes haywire and fires out a message that reveals all of the placeholders in his template—placeholders that are supposed to be filled with real-looking (but truly phony) information. A lot of this bogus information is intended only for spam processing software or those of us humans who look at spam message headers for clues about their origin. Frankly, I wonder why spammers who use zombie PCs to relay their spam bother with concocting a phony header trail. I doubt that their "tricks" fool anyone.

I'll share with you one that got trapped in my server's "suspects" bin. From the looks of it, the message was going to be an eBay phishing message. Here it is verbatim except for a few disguised items to protect the innocent (me) and the clueless (the IP address of the swbell.net customer whose zombied PC was used to send it to me):


From #FROM_EMAIL@eBay.com Sat Nov 5 02:10:06 2005
Received: from xx-xx-xxx-xx.ded.swbell.net (gzqbaanmli@xx-xx-xxx-xx.ded.swbell.net [xx-xx-xxx-xx]) by dannyg.com (8.12.11) id jA599vMc040581 for <x@dannyg.com>; Sat, 5 Nov 2005 02:10:05 -0700 (MST
Received: from #RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR.bilow.com (IDENT:0@#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR.bilow.com [#TO_DOMAIN]
     by #RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR#RAND_LC_CHR.beach.net (8.10.0.Beta12/8.10.0.Beta#RAND_DIGIT#RAND_DIGIT) with ESMTP id g26Iqxs0#RAND_DIGIT#RAND_DIGIT#RAND_DIGIT#RAND_DIGIT
     for <#FROM_EMAIL>; #RAND_DATE_TIME
Message-ID: <167#RAND_DIGIT#RAND_DIGIT5285.10#FROM_EMAIL>
Date: #RAND_DATE_TIME
From: "#FROM_NAME" <#FROM_EMAIL@eBay.com>


#TO_CC_HEADER
Subject: #SUBJECT
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit


#MESSAGE_BODY


Each item beginning with "#" is a placeholder, followed by a label or key used to tell the merging program running on the zombie PC what kind of text to insert. For instance, "#FROM_EMAIL" is probably to be replaced with either a fixed predetermined "from" user ID or one from a list. Other placeholders include "#RAND_LC_CHR" (random lowercase character) and "#RAND_DIGIT" (random digit). Notice how header data commonly consists of sequences of random characters or digits, sometimes interspersed with fixed characters. For example, the second Received: header generates random-character server names for the bilow.com and beach.net domains. The Message-ID: header (sometimes used in correctly configured email servers to assign a trackable identifier to an outgoing message) has a combination of fixed and random numbers, followed by a repeat of the phony email user ID plugged in earlier.

Spammers who break various laws (e.g., using a zombied PC in the U.S.) cover their tracks pretty well—as far as the real source of the outgoing message goes. And given how phony a message's header information can be (all but the data that your own server adds to the header), I usually don't bother with anything past the top Received: header line (I don't have any further internal transfers in my system, so the top one is the one that my server adds—and at that, only the domain name and IP address inside the parentheses and square brackets are reliable).

You can learn all about email headers and other tricks in Spam Wars. If you're new to this stuff, they may look imposing and confusing. But with a little practice and handholding from the book, you'll become a pro in no time. Such knowledge can also help you determine if that email message appearing to come from your bank really did come from your bank.