2005 Hacker Focus: tracking spam (figure) _ Vulnerability Research

I believe that people like me, in the daily life to collect spam is a fixed job? How do you track spammers when you receive junk mail? Many friends will not hesitate to say, of course, find the sender's IP. In fact, there are two main forms of dealing with spam: defense and tracking. Defense focuses on filtering spam or blocking spam, while tracking emphasizes proactively tracing spam sources, warning them, or taking other steps to prevent them. This article will mainly introduce the tracking of the technology of the Mail, through the analysis of the message header, and query to the closest source address, to uncover the spam sender's "truth".
message headers and transmission process

First, we look at what a message header is by using an anti-spam test. Because in most cases, the server will attach information about the sender to the file header of the message. For example, use Tom.com's free mailbox, send a message to spamemail@china.com.cn, then enter the http://mail.china.com.cn/mailbox, after receiving the check (as shown in Figure 1):

Javascript:resizepic (This) border=0>

Figure 1

Click "Mail Header" above the mailbox to see this information:

Return-path: <pwbpub@tom.com>
delivered-to:spamemail@china.com.cn
Received:from 210.72.21.22 (HELO eqmanager2.china.org.cn) (Envelope-from pwbpub@tom.com)
by mx.china.com.cn (quarkmail-1.2.1) with SMTP ID S918541abulbmfs
for spamemail@china.com.cn; Thu, 2 Dec 20:05:48 +0800
x-scanvirus:by Sophos Scan Engine
X-scanresult:clean
X-received:unknown, 202.108.255.195,20041202195628
Received:from Unknown (HELO tom.com) (202.108.255.195)
by localhost with SMTP; 2 Dec 11:56:28-0000
mime-version:1.0
Message-id: <41af02ae.000113.05427@bjapp25>
Date:thu, 2 Dec 19:55:26 +0800 (CST)
from: "=?gb2312? b?chdichvi?= "<pwbpub@tom.com>
to:spamemail@china.com.cn
Subject: =?gb2312? b?wky7+npkvp6y4sru?=
X-priority:3
X-originating-ip: [211.99.190.5]
x-mailer:163net
Content-type: multipart/alternative; boundary= "BOUNDARY-=_YVXUEODEQWFOKHIPGEVKZUOJGYQF"

The other is sent from a different mail server, the middle nature has a transfer process, every turn will be in the top of the file information. The following table lists some of the relevant meanings of the headers, which have a multiplier effect on our analysis of spam.

From: Where the message was sent. It is easy to forge, in analysis, very untrustworthy.

From differs from: field, this line is not usually part of the header, but the mail forwarding program often inserts this line to indicate when the message was received. This line is always the first line of the headers, and can be forged, but not necessarily.

Reply-to: The address to send when replying. It is easy to forge, but often provides clues, such as some spam messages often use this domain to point to a legitimate email address so that spammer can receive a reply to a message.

Return-path: Same as Reply-to:

Sender: Message sender. It's usually a forgery.

Message-id: The message system's unique token when it creates a message. is also the easiest place to be forged. Under normal circumstances, "Message-id:" can determine the system that the sender is logged on to, not just the system that created the message. The structure of the Message-id is directly related to the mail server program, and the IDs produced by different mail servers are not the same, and sometimes different processing of the same mail server can produce dissimilar IDs. Most mail servers contain dates, times, DNS, etc., and some even contain mail user information. such as 0040409085748.91B1.SAN@test.com, is composed of date, time, identity, mail user and DNS.

In-reply-to: May exist when replying, usually pointing to the messgae-id of the original message.

Received: The most reliable head. There are usually a few, form a list of sites, this information indicates the destination process of the mail through the server, the domain is the mail server automatically inserted, spammer can be forged, but after the point of forgery is not forged. This list shows the server path from the bottom up, the top one received: a system or mail server that is the ultimate destination.

The main steps for message delivery are usually performed by the following procedure:

Sender→mua→mta→ (routing) →mta→mda→{filtering}→mua→receiver

Script kid: MUA (mail User agent) represents mail client programs, such as Foxmail, Outlook, Mutt, and so on; the MTA (Mail transport agent or message Transfer agent) represents the messaging agent , which is responsible for storing and forwarding, sending e-mail, after receiving messages from MUA or other MTA, exists locally, analyzes the recipient, or forwards to the other MTA, during which it usually edits and adds headers, such as sendmail, Exchange, etc. The MDA (mail Delivery agent) represents a mail sending agent, which is responsible for sending the message to the user, usually dealing with a specific send operation.

Understanding these links, we can find the clues to the garbage sender's lair.

Junk e-Mail tracking instance

SMTP protocol for us, it should be more familiar, however, this Protocol was created without considering the future of the mail will become garbage, so security is very bad, headers can be arbitrarily created, forged and modified, and the mail server generally does not check the content of the sender, but only concerned about the recipient. This gives spammers the opportunity to forge a message header, for example, through Outlook. In order to deal with ISP monitoring spam, these spammers usually use some mail programs to forward mail to other mail servers, and modify and falsify headers to avoid being tracked. Therefore, our key task now is to identify forged content and obtain real information, based on the actual information to query.

1. Mail header Tracking

    Generally, the content of mail content, Reply-to, and received of the final mail server Help us track the source of spam. For the "Received:" field, we can trace the time zone error, time error, IP address error. Just imagine, a message after a few days or even longer to pass, normal? The following is a message header that modifies the e-mail address and IP address:

Return-path: <spamemail@test.com.cn>
delivered-to:pwbpub@test.com
Received:from mail.test.com.cn ( Unknown [211.167.xxx.xxx])
by test.com (Postfix) with ESMTP ID 590f2160a9 for<pwbpub@test.com>; Thu, 8 Aug 16:48:46 +0800 (CST)
Received:from mail.test.com.cn ([127.0.0.1]) by localhost (mail[127.0.0.1]) (Amav Isd-new, Port 10024) with ESMTP ID 30543-01 for<pwbpub@test.com>; Thu, 8 Aug 16:47:14 +0800 (CST)
Received:from risker.debian.org (Unknown [218.18.xxx.xxx]) bymail.test.com.cn (Po Stfix) with ESMTP ID 32E0817DC17 for<pwbpub@test.com>; Thu, 8 Aug 16:47:06 +0800 (CST)
Date:wed, 5 May-14:36:13 +0800
From:wlj <spamemail@test.com.cn>
to:pwbpub@test.com
Subject:
Message-id: <20040505143613.25dd214b.spamemail@test.com.cn>
mime-version:1.0
Content-type:multipart/mixed;
X-virus-scanned:by amavisd-new at test.com.cn

The message header above is clearly tampered with, including the header content that was added when MUA sent the message and what was added during the MTA process. Now, the key task is to check the "Received:" the delivery process.

First step: Find the following:

Received:from risker.debian.org (Unknown [218.18.xxx.xxx]) by mail.test.com.cn (Postfix) with ESMTP ID 32E0817DC17 for &L t;pwbpub@test.com>; Thu, 8 Aug 16:47:06 +0800 (CST)

With careful analysis, we can see that this is the header content that was inserted when the first MTA received mail from MUA. The MUA's machine name is Risker.debian.org (this is not MUA DNS, but only the machine name), (Unknown[218.18.xxx.xxx]) represents the IP address of the machine, but the DNS of the query is unknown. The message was received by mai.test.com.cn, the mail server was postfix, and ESMTP (extended SMTP) was used, and the ESMTP ID assigned was 32E0817DC17, The delivery target is pwbpub@test.com, receiving time of thu,6 May 2004 16:47:06, and Time zone is +0800 (CST).

Step two: Find the second received: content. Specifically as follows:

Received:from mail.test.com.cn ([127.0.0.1]) by localhost (mail[127.0.0.1)) (Amavisd-new, Port 10024) with ESMTP ID 30543 -01 for <pwbpub@test.com>; Thu, 8 Aug 16:47:14 +0800 (CST)

This is a process performed by the mail server internal program, so the IP address is 127.0.0.1 and is localhost processing, (amavisd-new, Port 10024) indicates that the handler is used by the amavisd-new, Amavisd-new is an interface for anti-virus, filtering, etc. of the mail server.

Step three: Find the third received: content. Specifically as follows:

Received:from mail.test.com.cn (Unknown [211.167.xxx.xxx]) by test.com (Postfix) with ESMTP ID 590f2160a9 for <pwbpub@ test.com>; Thu, 8 Aug 16:48:46 +0800 (CST)

This procedure indicates that the message is passed from the server name Mail.test.com.cn, IP The address is 211.167.xxx.xxx, the receiving mail server is test.com, uses the Postfix service procedure, also commonly uses ESMTP, transmits the target is pwbpub@test.com, the date is thu,8 Aug 2004 16:48:46, the time zone is +0800 (CST).

As you can see from this example, the message delivery process is:

Risker.debian.org (MUA) →mail.test.com.cn (MTA) →localhost (amavisd-new in MTA) →test.com (MTA)

The whole process has been going on for nearly two minutes, however, during the process of tracking spam, the received in this transfer process: there is the possibility of tampering, that is, the sender may use a "camouflage", so to refine a pair of eyes, to determine what information is forged, which is true. For received: The final site is the recipient's own mail server, so the final received is real and reliable, unless your server is already unsafe.

2. Junk AD mail Tracking

Spam messages are especially rampant today. For this type of mail, the content of the contact person, contact phone, contact email, postcode, etc., tracing is very direct. A typical message header of this type is as follows:

Return-path: <fault@spamemail.com>
Delivered-to:pwbpub@test.com
Received:from spamemail.com (Unknown [221.232.11.40])
by test.com (Postfix) with ESMTP ID 399521c124
For <pwbpub@test.com>; Mon, May 11:07:41 +0800 (CST)
From: "Bbcss" <fault@spamemail.com>
Subject: =? GB2312? b?0kgxvrs0tppstcrmtvmxptxqycw=?=
To:pwbpub@test.com
content-type:multipart/mixed;
boundary= "=_NEXTPART_2RFKINDYSADVNQW3NERASDF"; charset= "GB2312"
mime-version:1.0
reply-to:reply@yahoo.com.cn
Date:mon 2004 11:07:45 +0800
X-priority:3
Message-id: <20040524030745.399521C124@test.com>

Now let's do a simple analysis of the message. First find this paragraph:

Received:from spamemail.com (Unknown [221.232.11.40]) by test.com (Postfix) with ESMTP ID 399521c124 for <pwbpub@test.c om>; Mon, May 11:07:41 +0800 (CST)

In this case, the test mail server test.com is trustworthy, so this piece of received information is also reliable, but some of the content may not be true and reliable. The message comes from a machine named Spamemail.com, with an IP address of 221.232 11.40, and a message receipt time of Mon, May 11:07:41 +0800 (CST). Simple check spamemail.com, you can get IP address for spamemail.com [203.207.*.*], it is easy to know that this spamemail.com is just a name. The sender of the message is from: "Bbcss" <fault@spamemail.com>, and the reply address is: reply-to:reply@yahoo.com.cn. In fact, we can speculate that fault@spamemail.com is a forgery, but the reply address may be true; In addition, they must have used some spam messaging tools to forge the sender's address, machine name, and deliver the message directly.

3. Hunt

After the above analysis test, we can get some useful data. Through the analysis of the mail, we can generally find a possible proximity to the source of an e-mail address or an IP address (this IP address may be a victim), with this information to trace, there are still a lot of difficulties, after all, some things are not someone can do, But in some special applications can provide no small help. Now, if we're seeing a letter from a 163.net server (bjmx4.163.net), chasing it from a 263.net server (smtp.x263.net), and then coming down from Ivan (unknown [218.70.*.*]), who is it? There is no doubt that the sender, his IP is 218.70.*.*, with a check the best geographical location of the software "Hunt" look up (as shown in Figure 2):

Javascript:resizepic (This) border=0>

Figure 2

That's from Chongqing. Through a lot of good tools, we can come to uncover the enemy's truth. How do we find out about his IP if the other person is in a chat room or forum? In fact also simple, download a lone swordsman works iphunter, software download address for http://www4.skycn.com/soft/1122.html, after running it, will connect to your computer's IP capture down, and let the other side to connect your computer, Of course, let him unknowingly to connect, and the best way is to put a picture in the chat room or forum, the image URL must be your IP, such as [img]/pic/8/2005-11-15-1615l.jpg [/IMG], as long as the other party to see this (to attract his eyeballs), His computer will automatically open this map, of course, will find your computer up, oh, just in the trap, Iphunter can be his IP capture! The rest is to think about how to teach him!