Linda's Soapbox
~~
Editorial by Linda Johnson
eMail Headers and What They Reveal
This is a follow-up on my last editorial,
Hey! You Sent Me a Virus. Recently, I have been accused again of
sending a virus when I didn't: once in a public email support group, and
once privately, when I received an email from a "service" which is supposed to
alert people that they are sending viruses. I replied to this
"service" and asked them if they actually read the header on the mail to be
sure it came from me. They replied that no, they hadn't done that, but
when they did go back and do that, they saw that the email did NOT originate
from me at all.....geesh, now I have to do their work for them. *sigh*
So, I thought it would be good to share with you all how to check the
headers of your email to see where the email actually came from.
In my MSO email support group, the bugbear virus was distributed to many
of the members and appeared to come from me. Thankfully, member Greg
Chapman knows how to read these headers, so he explained to the group where
this really came from and I am going to share his explanation here
(reprinted with his permission):
Yep, you're right; it didn't come through here which makes me wonder a
little more about the mechanics of bugbear. I wonder how many subscribers
actually did get a copy?
Anyway, proof is in the pudding. The infected message originated in Canada
24.203.83.178 (Videotron in Montreal). All freelists messages originate from
a system called 'turing' (after the mathematician) that resides in
Iquest's network based in Indianapolis, IN.
Here are the relevant headers from the infected message:
"Received: from gagne ([24.203.83.178]) by VL-MS-MR001.sc1.videotron.ca (iPlanet
Messaging Server 5.2 HotFix 0.9 (built Jul 29 2002))"
And, for comparison, here's a valid header stack for freelists:
"Received: from turing.(none) (localhost [127.0.0.1]) by
turing.freelists.org (FreeLists Mail Multiplex) with ESMTP id 43E39949D1;
Fri, 29 Nov 2002 00:21:54 -0500 (EST)"
"Received: with ECARTIS (v1.0.0; list mso); Fri, 29 Nov 2002 00:21:48 -0500
(EST)"
"Delivered-To: mso@freelists.org"
"Received: from smtp.comcast.net (smtp.comcast.net [24.153.64.2]) by
turing.freelists.org (FreeLists Mail Multiplex) with ESMTP id 3D76F945BD for
<mso@freelists.org>; Fri, 29 Nov 2002 00:21:47 -500 (EST)"
"Received: from master (pcp01354806pcs.benslm01.pa.comcast.net
[68.80.111.40]) by mtaout01.icomcast.net (iPlanet Messaging Server 5.2
HotFix 1.05 (built Nov 6 2002))"
In a valid freelists posting, the originator is always in the headers
and the demark for when it entered the freelists system to be processed
is indicated by the "Delivered-To:" stamp.
If you're not used to reading mail headers, the method for identifying
the route a message traveled is to find the bottom-most "Received:"
entry, recognize it as the first SMTP hop and then read each successive
"Received:" line, in order, above it. That should describe the complete
route. In the case of the infected message, it appears the source system
is still masked by the SMTP relay server for that subscriber network.
Greg Chapman
http://www.mousetrax.com
"Counting in binary is as easy as 01, 10, 11!
With thinking this clear, is coding really a good idea?"
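As an added illustration of the bottom-up reading Greg describes (this script is not part of the original editorial or Greg's message), the Python below walks a Received: stack from the bottom-most line upward, separates the name a sender announced from the name and address the receiving relay actually observed, and marks which hops were stamped before the "Delivered-To:" boundary. The sample input is Greg's quoted header stack, retyped and abridged.

```python
import re

# Sample input: the valid freelists header stack quoted above, retyped and
# abridged, with RFC 822 continuation lines (leading tab) so it can be parsed.
FREELISTS_HEADERS = """\
Received: from turing.(none) (localhost [127.0.0.1]) by
\tturing.freelists.org (FreeLists Mail Multiplex) with ESMTP id 43E39949D1
Received: with ECARTIS (v1.0.0; list mso); Fri, 29 Nov 2002 00:21:48 -0500 (EST)
Delivered-To: mso@freelists.org
Received: from smtp.comcast.net (smtp.comcast.net [24.153.64.2]) by
\tturing.freelists.org (FreeLists Mail Multiplex) with ESMTP id 3D76F945BD
Received: from master (pcp01354806pcs.benslm01.pa.comcast.net [68.80.111.40])
\tby mtaout01.icomcast.net (iPlanet Messaging Server 5.2 HotFix 1.05)
"""
# The single header Greg quoted from the infected message.
INFECTED_HEADERS = ("Received: from gagne ([24.203.83.178]) by VL-MS-MR001.sc1.videotron.ca"
                    " (iPlanet Messaging Server 5.2 HotFix 0.9 (built Jul 29 2002))\n")

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold_headers(raw):
    """Return (name, value) pairs, joining folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif line.strip():
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def trace_route(raw):
    """Hops oldest-first: the bottom-most Received: line is the first SMTP hop."""
    hops, past_list_boundary = [], False
    for name, value in unfold_headers(raw):          # read top to bottom
        if name.lower() == "delivered-to":           # freelists' demarcation stamp
            past_list_boundary = True
        elif name.lower() == "received":
            m, ip = HOP_RE.search(value), IP_RE.search(value)
            hops.append({
                "claimed": m.group(1) if m else None,   # name the sender announced; unverified
                "verified": (m.group(2) or "").split("[")[0].strip() or None if m else None,
                "ip": ip.group(1) if ip else None,      # address the receiving relay observed
                "by": m.group(3) if m else None,        # server that stamped this line
                "before_list": past_list_boundary,      # stamped before entering freelists
            })
    hops.reverse()                                    # chronological order
    return hops
```

For the infected header the "claimed" name is all the sender offered and no reverse-DNS name was recorded, so the relay's observed address is the only reliable clue, which is exactly why the originating address, not the From: line, is what to look at before blaming anyone.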
Now, how do you view an email header? Well, it's done
differently in all email programs. But my email program is Outlook,
and the way you do it in there is to right-click on any mail in your inbox
and choose Options from the shortcut menu. In the Options box, at the
bottom, you will see this:

In Outlook Express, it's similar. Just right-click a mail in your
inbox and choose Properties from the shortcut menu. Click on the
Details tab at the top of the Properties box and you will see this:

Also, one of ABC's subscribers, who is an AOL beta tester, sent me this
info about AOL 8.0 (reprinted with his permission):
I was reading your information explaining how those particular viruses
work, and I was thinking you have (most likely) quite a few AOL subscribers
who may not know of this tip. The newest version of AOL (8.0) has a new
twist to the "details" link when an e-mail is open. It not only shows the
path over the internet (as with prior versions) that the mail traveled, but
in the LAST line it will actually say something like "Apparently from JoeDoe@WhoKnows.com",
if it is of the virus sent variety. I can usually tell when one is suspect,
but after having a friend try to track down why his virus protection says
he's clean, but he kept getting mails saying he's sending a virus (sound
familiar?), I noticed this new option. So far it has been correct on all
that I have checked, and the "apparently from" address is usually the REAL
sending machine.
I don't really know if this option is retro to earlier versions, but I
will let you know if I find out anything. I do AOL's beta testing, and this
feature was not included until the final "gold" or "GM" version.
Another note: After speaking with another beta tester, he said that
these viruses can also spoof the return address in the "details" section. I
have no confirmation on this as of yet, but I will keep you updated on
anything I find.
I thought I would include a snapshot of the "details" portion of an infected
e-mail to show what I am talking about.
Hope this helps some AOL users
Sincerely
GK Nevil
DOA Computers
Boise, Idaho
rasinhl@aol.com

All email programs allow you to view the full headers. I'm sure you
can find the option in the program you are using. Just be sure to do
this BEFORE you accuse some innocent person of sending you a virus.
Be kind to strangers....practice Safe Cyber!
Happy Computing!
Linda
Linda Johnson is a college instructor of all of the Microsoft Office Programs, as well
as Adobe PhotoShop and Windows. She also teaches online distance
learning classes in Excel, Outlook, PowerPoint, Publisher, and Word at
Eclectic Academy. She has worked helpdesk and teaches
and lectures at many local businesses and tech schools in her area. Support this
newsletter by checking out Linda's eBooks: MS Word MAGIC!, Book I: Fonts, Fun & Formats
and Book II: Table Wizardry; How To Get Started As a Software Trainer; and
her newest series of MSOffice eBook Tutorials and CD.