June, 2003
Tip of the Month: Email Forgeries Are Confusing and Increasing, Thanks to Viruses
Recently, the Computer Infrastructure Technologies Group (CITG) was contacted by a Lab employee with a question about a message, consisting of nothing but a string of letters and numbers, that had apparently been sent from his Lab email address to a woman he did not know. The woman wrote back asking how he had got her email address, adding that she had received a similar message from another unknown sender. The employee forwarded the message as an attachment to CITG and asked whether the group could offer any insight. Here is the response:

“Thanks for including the message as an attachment. As with spam, this guarantees that all the relevant information is included. This message that *appeared* to come from you was a forgery. There are two distinguishing features of it that lead to this conclusion (aside from you not recalling sending it):

1. Although the "From:" address is indeed employee@lbl.gov (easily forged), the "Return-Path:" (which can also be forged) is not:

Return-Path: ardaghcastle@prodigy.net

2. The "Received:" headers, which show the path the mail took from one place to another (which I believe can *also* be changed, though this is tough), show that the mail didn't pass through any lbl.gov mail servers. ("Received:" headers are read from bottom to top and the wording is a bit weird; mail is discussed as being received "from A by B".) The first one shows the message being received:

> Received: from pimout3-ext.prodigy.net ([207.115.63.102]) by

Unless you use a prodigy.net mail server, this is almost certainly a forgery.”

Such forgeries are usually the work of a worm (a virus that propagates itself automatically), and their number is increasing. The unwitting “sender” in whose name the email was forged sometimes receives a “You sent us a virus” message in return. That doesn’t mean, though, that the email really contained a virus or that the alleged sender’s system is infected: the message originated elsewhere and merely borrowed the address for its "From:" line.
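The two checks in the CITG response (does the Return-Path: domain match the From: domain, and does any Received: hop pass through a mail server of the claimed sender's domain) can be automated. The script below is an added example written for this page; it is not CITG's own tooling, and the two sample messages, their hostnames, IP addresses, queue ids and dates are constructed for the example (only the lbl.gov sender domain comes from the newsletter).

```python
import re
import email
from email import policy
from email.utils import parseaddr

# A Received: line reads "from A by B": A handed the message over, B accepted it.
# Real Received: lines vary a lot; this pattern covers the common shape and
# silently skips any line it cannot parse.
RECEIVED_RE = re.compile(r"from\s+([^\s(;]+).*?\bby\s+([^\s(;]+)",
                         re.IGNORECASE | re.DOTALL)

# Constructed sample: claims to come from an lbl.gov address, but the
# recipient's server got it from a prodigy.example host and the bounce
# address points elsewhere. Hosts, IPs, ids and dates are invented.
FORGED = """\
Return-Path: <forger@prodigy.example>
Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])
    by mailbox.recipient.example with ESMTP id Z9Y8X7; Mon, 2 Jun 2003 09:12:01 -0700
Received: from pimout3-ext.prodigy.example ([198.51.100.7])
    by mx.recipient.example with ESMTP id A1B2C3; Mon, 2 Jun 2003 09:11:58 -0700
From: employee@lbl.gov
To: someone@recipient.example
Subject: (none)
Date: Mon, 2 Jun 2003 09:11:50 -0700

gH7xQ2 rT9
"""

# Constructed sample of what a genuine message from the same sender looks
# like: the bottom (earliest) hop is an lbl.gov machine handing the mail to
# an lbl.gov server, and the Return-Path: matches the From: address.
LEGITIMATE = """\
Return-Path: <employee@lbl.gov>
Received: from smtp.lbl.gov (smtp.lbl.gov [192.0.2.20])
    by mx.recipient.example with ESMTP id D4E5F6; Mon, 2 Jun 2003 10:00:05 -0700
Received: from desk.lbl.gov ([192.0.2.21])
    by smtp.lbl.gov with ESMTP id G7H8I9; Mon, 2 Jun 2003 10:00:01 -0700
From: employee@lbl.gov
To: someone@recipient.example
Subject: meeting notes
Date: Mon, 2 Jun 2003 10:00:00 -0700

See attached.
"""


def address_domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """Return (from_host, by_host) pairs in travel order, earliest first.

    Each server prepends its own Received: line, so the last one in the
    message is the first hop; reading bottom to top gives the route.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops


def in_domain(host, domain):
    """True if host is domain itself or a host underneath it."""
    return host == domain or host.endswith("." + domain)


def analyze(raw):
    """Apply the two header checks and report what was found."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = address_domain(msg["From"])
    rp_domain = address_domain(msg["Return-Path"])
    hops = received_hops(msg)
    findings = []
    if rp_domain != from_domain:
        findings.append(f"Return-Path: domain {rp_domain!r} differs from "
                        f"From: domain {from_domain!r}")
    if not any(in_domain(h, from_domain) for hop in hops for h in hop):
        findings.append(f"no Received: hop passes through a {from_domain} mail server")
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "hops": hops, "findings": findings, "likely_forgery": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("legitimate", LEGITIMATE)):
        result = analyze(raw)
        print(f"{label}: hops={result['hops']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Two caveats a practitioner should keep in mind. First, the sender controls everything below the Received: lines added by servers you trust, so a forger can insert fake hops too; only the lines prepended by your own (or the recipient's) servers are reliable, which is why the response reads the chain from the bottom up to the first trustworthy hop. Second, the domain check will also flag genuine mail that a user sends through an outside provider (home ISP, webmail), which is exactly the "unless you use a prodigy.net mail server" qualification in the response; treat a hit as a prompt to look, not as proof.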