Thursday, June 3, 2010

Return Path Education

I received an email from a Mr. Charles Williams today, promising me millions of dollars if I would only send him personal information. Newly unemployed, I took the opportunity to educate myself and did a little detective work on the spammer. Or scammer, since he's "phishing" for personal information.

He reveals a location in the email as well as a phone number! What if I called? From the original email:

Dear Partner,

I want to transfer ($17,300.000.00 ) seventen million three hundred thousand United States Dollars from here in Burkina Faso to overseas account.


1) I did a free email trace to find the location of the IP address of charleswilliams2@mail.mn - it turns out he is located in sunny Ulaanbaatar, Mongolia's capital city. News to me. I couldn't find out any more about Charles without paying $1.95. When I have my millions, perhaps I will invest in that.

2) A few more clicks and I learned what any nerd probably already knew: Gmail, like any other mail service, will reveal the electronic journey of an email message if you click the button to the right of the reply button and choose "show original." You'll arrive at some confusing-looking code. This is called the email "header." The headers contain information about the routing of the email and its originating IP. As a page titled "What is an email header" explains: "At most, you can get the originating IP and the computer name that sent the email. The originating IP can be looked up to determine from where the email was sent. IP address location information DOES NOT contain your street address or phone number. It will most likely determine the city and the ISP the sender used."

3) This information was a bit more of a puzzle to a novice. I repeatedly saw another email address in play: the "return-path" was linked to a Hotmail/MSN address, jhyrds29@msn.com. According to a handy tech site, "You’ll notice that there are several Received From’s in the message header. This is because the message header contains the IP addresses of all of the servers involved in routing that email to you."

The "reply-to" address is where any personal response would be directed. The "return-path" address is where any bouncebacks would be directed. For example, if you use a service like Constant Contact to send an e-newsletter to hundreds of contacts but do not wish to receive notices about which addresses are erroneous, the return-path address would field all automatic responses and error messages.

4) The originator of this email was:

Return-Path: jhyrds29@msn.com
Received: from user-85c621c774 ([196.28.247.208]) by BLU0-SMTP6.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675).
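As an added example (not part of the original post), the following Python script does what steps 2 to 4 do by hand: it walks the Received chain of a message oldest-first, pulls out the originating IP, and compares the Return-Path and Reply-To addresses. The sample message is constructed: the relay line with 196.28.247.208 is copied from the header above, while the receiving host mx.example.net, the IP 192.0.2.10 and the dates are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header quoted above: the 196.28.247.208 relay
# line is from the post; the other hostname, IP (192.0.2.10) and dates are made up.
RAW_EMAIL = """Return-Path: <jhyrds29@msn.com>
Received: from BLU0-SMTP6.blu0.hotmail.com ([192.0.2.10]) by mx.example.net with ESMTP; Thu, 3 Jun 2010 08:12:01 +0000
Received: from user-85c621c774 ([196.28.247.208]) by BLU0-SMTP6.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Thu, 3 Jun 2010 08:11:55 +0000
From: Charles Williams <charleswilliams2@mail.mn>
Reply-To: charleswilliams2@mail.mn
To: victim@example.net
Subject: Dear Partner

I want to transfer ($17,300.000.00 ) seventeen million ...
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(msg):
    """Bracketed IP of each hop, oldest-first. Every relay prepends its own
    Received line, so the one nearest the body is the first hop."""
    ips = []
    for line in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(line)
        ips.append(m.group(1) if m else None)
    return ips

def originating_ip(msg):
    """IP of the machine that handed the message to the first relay. Only lines
    added by relays you trust are reliable; a sender can forge lines beneath them."""
    ips = hop_ips(msg)
    return ips[0] if ips else None

def analyse(raw):
    """The addresses the post compares, plus the hop list and originating IP."""
    msg = message_from_string(raw)
    info = {
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],  # bounces go here
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],        # replies go here
        "hops": hop_ips(msg),
        "originating_ip": originating_ip(msg),
    }
    # Scam mail often bounces to one mailbox and collects replies at another.
    info["reply_to_matches_return_path"] = (
        info["reply_to"].split("@")[-1] == info["return_path"].split("@")[-1])
    return info

print(analyse(RAW_EMAIL))
```

Reading the chain top-down from the relay you recognise (here the hotmail.com server) is what makes the first-hop IP trustworthy; anything the sender wrote below that line is just text.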

[Screenshot of E-mail Header]


5) Using the same email trace service, jhyrds29@msn.com could be traced via IP to Redmond, WA, which on the map looked like it would be a great place to go hiking. This was unhelpful. I did not understand whether this was some kind of "exchange" point for the U.S. electronically. The spammer was definitely not American.

6) Using information from the "Received" field, the originating IP address was 196.28.247.208. With the free email trace service, I was astonished to find this sender had not lied about his location. He is indeed located in Burkina Faso, a land-locked nation in Africa. WTF!

7) More mysteries remain... Where does the phone number lead? What is the Hotmail address and why is it linked to Washington state? I had a friend of a friend start communicating with these kinds of spammers -- encouraging them to share their stories with him. The idea makes me nervous, personally, but it is interesting.
