
How to validate an email message to see if it is spam, a virus, or a phishing attack.

Just recently I've been getting a few emails that appear to be from folks who are my Facebook friends; however, these emails are short and contain only a brief message and a link to a web site. Being the untrusting, cautious type that I am, I do not trust these emails, and neither should you. The following describes how to test an email message to see whether it's from your friend or from someone attempting to do you harm.

Important: Never EVER click on a link in an email that you're not absolutely certain is safe.

The following is an email message I received that appeared to come from my Aunt. I have been marking these messages as "junk" in Thunderbird, so Thunderbird has learned that I consider messages like these junk, but when I first started getting them, they looked like normal messages.

phishing email

The first thing I notice is that the email my "Aunt" is sending from looks like it is from someone named "Tracy". Why would my aunt be sending me email from Tracy's account? Yes, big red flag there.

Verify The Source

In the next few paragraphs I'm going to show you how to check ANY message you get to see where it really came from. Where a message entered the mail system is one of the most reliable indications of whether it is what it claims to be.

First, you start out by looking at the email "Headers". The Headers are the bits of information that email servers tack on to a message as it passes through them; in particular, every server that handles the message adds a "Received:" line recording which host handed it the message, when, and how. SOME headers are created by the email client that sends the message (or by whoever is trying to fool you), and those can say anything, so not all headers can be trusted. The lines added by your own provider's servers, however, are ones you can rely on, and most of the time that server traversal record lets you make a fairly accurate decision about where a message actually came from.

To view the message headers in Thunderbird, I clicked on "Other Actions", then selected "View Source" from the drop-down menu. Other email readers have different ways of showing you the headers, but in general it is pretty easy to find if you poke around a little.

thunderbird view source

So, now that we can see the source of the message, let's take a look at the server traversal record, which I've highlighted below:

email server traversal record

The server traversal record headers, like any other header, can be forged. The catch for a forger is that each server only vouches for the hop it saw itself: a sender can tack any number of fake "Received:" lines underneath the real ones, but cannot alter the lines that your own provider's servers add on top of them. So read the chain from the top (the server closest to you) downwards, believe each hop as long as the receiving server is one you recognise, and stop at the first hop where a trusted server accepted the message from an outside host; everything below that point is *usually* worthless. In my example above, that hop shows the message originating from 82.211.142.40, which delivered it by logging in to smtpauth03.mfg.siteprotect.com.

So, since the email message came from the 82.211.142.40 IP address, let's take a look at that and see where that IP is located. We can see where an IP is assigned by doing what's called a "Who Is" lookup on the IP address. I like using ARIN's web site for this purpose, which you can find over at http://whois.arin.net/ui. ARIN is the registry for North America; for an address registered elsewhere, its results point you to the responsible regional registry (RIPE NCC for Europe, APNIC for Asia-Pacific, and so on).

The "Who Is" search box is up in the top right. Let's enter the IP Address there and see where it came from:

ARIN whois

The "Who Is" lookup will give us a lot of information about the IP address, what networks it belongs to, and so forth, but the interesting information for most folks is at the very bottom of the results. Keep in mind that what you get is the organisation the address block is registered to and its registered location, which tells you who is responsible for the address rather than exactly where the sending machine sits:

arin whois results

So, if my Aunt really did send this message, apparently she did so from Amsterdam, using someone else's email account. Yeah.... right....
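Putting the two steps together, here is an added example (my own code, not part of the original post) that walks the "Received:" chain of a message the way described above: it believes each hop added by a relay in a trusted list, stops at the first hop where a trusted relay accepted the message from an outside host, and then builds the registry lookup URL for that IP. The sample message is constructed to mirror the post's example; mx.example.net and mail.example.net are hypothetical names standing in for my own provider's servers, and the bottom-most "Received:" line is a forgery that the sender planted and that the walk correctly ignores. The lookup itself is left to you (it needs the network); ARIN's RDAP service at rdap.arin.net answers for its own address space and redirects to the responsible registry for everyone else's.

```python
"""Find the IP that handed a message to the first relay you trust, then
build the registry lookup URL for it.  Added example, not the post's code."""
import email
import ipaddress
import re
from typing import Optional

# Constructed sample modelled on the message in the post.  mx.example.net and
# mail.example.net are hypothetical stand-ins for "my" provider's servers;
# 203.0.113.5 and 198.51.100.7 are documentation addresses, not real hosts.
# The LAST Received: line is a forgery planted by the sender.
RAW_MESSAGE = b"""\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.net with ESMTP id 4Ab12cD; Tue, 01 Mar 2011 10:00:03 +0000
Received: from smtpauth03.mfg.siteprotect.com (smtpauth03.mfg.siteprotect.com [203.0.113.5])
\tby mail.example.net with ESMTP; Tue, 01 Mar 2011 10:00:02 +0000
Received: from [82.211.142.40] (helo=laptop)
\tby smtpauth03.mfg.siteprotect.com with esmtpsa; Tue, 01 Mar 2011 10:00:01 +0000
Received: from friendly-mailer.example.org (friendly-mailer.example.org [198.51.100.7])
\tby unrelated.example.org with ESMTP; Tue, 01 Mar 2011 09:59:00 +0000
From: "My Aunt" <aunt@example.com>
To: me@example.net
Subject: hey check this out

http://example.com/
"""

# Relays whose Received: lines I am willing to believe (hypothetical list).
TRUSTED_RELAYS = {"mx.example.net", "mail.example.net",
                  "smtpauth03.mfg.siteprotect.com"}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Split one Received: header into from-host, from-IP, by-host and the
    "with" transport.  Handles the common "from X (Y [ip]) by Z with P" layout."""
    text = " ".join(value.split())            # unfold continuation lines
    from_part, _, by_part = text.partition(" by ")
    by_host = by_part.split()[0] if by_part else ""
    tokens = from_part.split()
    from_host = tokens[1].strip("[]") if len(tokens) > 1 and tokens[0].lower() == "from" else ""
    from_ip = None
    m = IPV4_IN_BRACKETS.search(from_part)
    if m:
        try:
            from_ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:                     # bracketed junk, not an address
            from_ip = None
    w = re.search(r"\bwith\s+(\S+)", by_part)
    protocol = w.group(1).rstrip(";") if w else ""
    return {"from_host": from_host, "from_ip": from_ip,
            "by_host": by_host, "protocol": protocol}


def find_origin(raw: bytes, trusted: set) -> Optional[dict]:
    """Walk Received: headers from the newest (top) hop downwards.  Each hop
    added by a trusted relay is believed; the first hop where a trusted relay
    accepted the message from an untrusted host gives the originating IP.
    The walk stops as soon as an untrusted relay appears, because everything
    below that line could have been written by the sender."""
    msg = email.message_from_bytes(raw)
    for hop in msg.get_all("Received", []):
        info = parse_received(hop)
        if info["by_host"].lower() not in trusted:
            return None                        # chain of trust broke early
        if info["from_host"].lower() not in trusted:
            return info
    return None


def rdap_url(ip: str) -> str:
    """Where to ask who holds the address block (ARIN's RDAP service, which
    redirects to the responsible registry for non-ARIN space)."""
    return f"https://rdap.arin.net/registry/ip/{ip}"


if __name__ == "__main__":
    hit = find_origin(RAW_MESSAGE, TRUSTED_RELAYS)
    if hit is None:
        print("no trusted path to an origin; treat the message as unverifiable")
    else:
        print(f"originating IP: {hit['from_ip']} "
              f"(handed to {hit['by_host']} via {hit['protocol']})")
        print(f"look up the owner at {rdap_url(hit['from_ip'])}")
```

Run against the sample, the walk reports 82.211.142.40 handed to smtpauth03.mfg.siteprotect.com via esmtpsa (an authenticated submission, which is what "logging in to" the relay looks like in a header) and never reaches the forged friendly-mailer.example.org line. If you trust only your own mail exchanger, the same code stops one hop earlier and reports your provider's relay instead, which is the correct answer to "what is the last host I can vouch for?".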

Most likely, this is a case of a compromised email account (poor Tracy) being used to send out phishing attacks. The web address in the email that was sent to me probably led to an "attack" of some sort - something Flash- or Java-based - and the attacker probably got my name and the name of my Aunt from our public Facebook accounts.

Hopefully you found some of the information here helpful, and you can use it yourself to check messages you get from your "friends" that contain nothing but links.

Hope this helps!
