Can e-mail spoofers be identified?

LDFerguson
Hi.

For the past week my ferga.com e-mail domains have been the subject of a fairly concentrated "spoofing" attack. In other words, some unknown entity has been sending out e-mails that appear to have come from info@ferga.com containing an attachment with a virus.

It's not harmful as the e-mails are being sent methodically to different variations of the "@ferga.com" domain, e.g. john@ferga.com, mary@ferga.com etc. Most of the recipient addresses used are non-existent, and as we don't have a catch-all set up, they simply get returned to sender. But as the sender is apparently info@ferga.com, we keep getting the "returned to sender" messages back here.

When they do chance on a valid @ferga.com e-mail address, it's a virus but our anti-virus protection picks it up.

I've contacted our hosting service but they advised to leave it for a week or so and it will go away.

I know it's a sadly common occurrence and being presumably done by some automated program, but it's very irritating. It's also rather worrying that someone can easily imitate any e-mail address they like, which has potentially serious implications. It's similar in principle to someone stealing a box of our business stationery and sending out letters that appear to be from us.

My question is - is there any way to identify the true source of an e-mail, when they have spoofed the e-mail address?
 
I used Spamcop from my home PC a few years back & it seemed to be quite effective. It's great at digging through the spoofed email headers and finding the real source.
 
All you need to do is look at the headers and get the originating IP address. Try going to File and Options and read back through them... it will show x received from y at such a date and time; there may be a couple of iterations of this, so take the oldest one and then go to http://www.iana.org/ipaddress/ip-addresses.htm and click on the links for the different regions, e.g. RIPE is for Europe, and they will show you which ISP gave out the IP address. Then simply forward the email (including all headers) to their abuse/customer service dept.
 
Liam

Some ISPs offer a service to scan your incoming and outgoing emails for viruses. It may be worth looking into them as an option

C
 
RainyDay - Thanks for the link. I'll have a look at this product.

PaddyC - I've just gone into one of the (many) e-mails this morning which got through and here's the result. I'm afraid it doesn't make an awful lot of sense to me. For what it's worth, Hosting365.ie are my e-mail providers, although that may be obvious to you.

Return-Path: <administrator@ferga.com>
Delivered-To: liam@ferga.com
Received: (qmail 5603 invoked by uid 399); 18 Oct 2005 07:05:02 -0000
Received: from unknown (HELO postie1.hosting365.ie) (82.195.128.252)
by mail.hosting365.ie with SMTP; 18 Oct 2005 07:05:02 -0000
Received-SPF: none (mail.hosting365.ie: domain at ferga.com does not designate permitted sender hosts)
identity=mailfrom; client-ip=82.195.128.252;
envelope-from=<administrator@ferga.com>;
Received: from ferga.com (unknown [82.141.227.225])
by postie1.hosting365.ie (Postfix) with ESMTP id 743CD1DC58C7D
for <liam@ferga.com>; Tue, 18 Oct 2005 08:04:55 +0100 (IST)
From: administrator@ferga.com
To: liam@ferga.com
Subject: Your Account is Suspended
Date: Tue, 18 Oct 2005 08:05:00 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0007_62C31C2B.4C243B35"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20051018070455.743CD1DC58C7D@postie1.hosting365.ie>

Does this mean anything to you?

Capaill - I have Norton AntiVirus, with a subscription to automatically update definitions which scans incoming and outgoing e-mails for viruses, so the virus threat is minimised. But the bounce-back messages returning the e-mails from "info@ferga.com" to non-existent@ferga.com don't contain viruses and would therefore not be caught anyway.

Thanks all for replies.
 
Liam,

The IP address 82.141.227.225 looks like it's the offending IP address, which belongs to an eircom net customer - eircom net have 82.141.192.0/1

route: 82.141.192.0/18
descr: eircom, Ireland
descr: customer assignments
origin: AS5466
remarks: For abuse/spam complaints for addresses from this block
remarks: please contact the techc and/or adminc for the individual
remarks: inetnum objects. If this does not resolve the problem to
remarks: your satisfaction please contact abuse@eircom.net.
remarks: networks@eircom.net should ONLY be used for routing issues.
mnt-by: TE-MNT
source: RIPE # Filtered

Try and contact the offending customer directly as per eircom net abuse policy, and if you don't get an answer then email a few examples with full headers to abuse@eircom.net.
As you have said, these are bounces from failed virus mails, so they don't actually contain the virus and will get through.
 
Liam - the above may be incorrect. When you get the delivery failure, is the original message included as an attachment? If so, are these headers from the original virus mail or are these headers just from the bounce.... If it's just from the bounce, then the eircom net customer is not responsible and their mail server has simply refused the virus mail.
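The header walk Paddy describes (take the oldest Received: hop, read off its address, check it against the ISP's range) as an added example, not code from anyone in the thread. It assumes only the headers and the RIPE range quoted above, embedded here as constructed sample input.

```python
import ipaddress
import re

# Received headers as quoted in the thread (the October 2005 ferga.com sample),
# embedded as a constructed string so the example runs offline.
SAMPLE_HEADERS = """\
Received: (qmail 5603 invoked by uid 399); 18 Oct 2005 07:05:02 -0000
Received: from unknown (HELO postie1.hosting365.ie) (82.195.128.252)
 by mail.hosting365.ie with SMTP; 18 Oct 2005 07:05:02 -0000
Received-SPF: none (mail.hosting365.ie: domain at ferga.com does not designate permitted sender hosts)
 identity=mailfrom; client-ip=82.195.128.252;
Received: from ferga.com (unknown [82.141.227.225])
 by postie1.hosting365.ie (Postfix) with ESMTP id 743CD1DC58C7D
 for <liam@ferga.com>; Tue, 18 Oct 2005 08:04:55 +0100 (IST)
"""

EIRCOM_CUSTOMERS = ipaddress.ip_network("82.141.192.0/18")  # from the RIPE record above
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw):
    """Join continuation lines (leading whitespace) onto the header they belong to."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def received_chain(raw):
    """IPs from Received: headers, oldest hop first: every relay prepends its own
    line, so the last Received: in the message is the earliest hop. Hops with no
    address (the local qmail delivery) are skipped."""
    hops = [h for h in unfold_headers(raw) if h.startswith("Received:")]
    return [m.group(1) for h in reversed(hops) for m in [IPV4.search(h)] if m]


def originating_ip(raw):
    """Peer address recorded by the first relay. The 'from ferga.com' name is
    whatever the sender claimed in HELO; the bracketed IP was observed by the
    provider's own server and is the value worth reporting."""
    chain = received_chain(raw)
    return chain[0] if chain else None


def spf_result(raw):
    """Result token of Received-SPF:, 'none' here because ferga.com publishes no SPF record."""
    for h in unfold_headers(raw):
        if h.startswith("Received-SPF:"):
            return h.split(":", 1)[1].split()[0]
    return None


def is_in_range(ip, network=EIRCOM_CUSTOMERS):
    return ipaddress.ip_address(ip) in network
```

Only the hop added by your own provider is trustworthy; a sender can insert fake Received: lines below it, which is why the walk stops at the first address the provider itself recorded.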
 
Thanks Paddy,

This example I used was from an e-mail that did get through to a correct @ferga.com address, and contained a virus, so I'll use this as my example. I'll forward the e-mail to abuse@eircom.net but will remove the virus attachment first.

Excuse the possibly silly question, but if I simply use the Forward button in Outlook, will this preserve the important header information on the e-mail being forwarded?
 
LDFerguson said:
Excuse the possibly silly question, but if I simply use the Forward button in Outlook, will this preserve the important header information on the e-mail being forwarded?
No - open a new message and drag the original one to be reported into that to preserve headers for analysis.
 
ClubMan said:
No - open a new message and drag the original one to be reported into that to preserve headers for analysis.

If you right-click on the mail, see if there is "Forward as Attachment"; if that's there, then use that method.
 
Liam

The outsourced email scanning services should mark those emails as SPAM or a potential threat and block them. It may be worthwhile to talk to your ISP or email provider to see if they can help.

C
 
Blacknight

I said "SPAM or potential threat", which would include viruses. As per the original post, the emails appear to be bounced non-delivery reports coming back to the spoofed ferga.com email addresses. Enough of these non-delivery reports can clog up a small company's email facilities.

C
 
If you are having issues with this kind of thing then you may need to outsource your email filtering.
 