
spotting fraudulent paypal (and other) emails



d3x
21-09-2005, 11:25 AM
spotting fraudulent paypal (and other) emails

We have received another round of fraudulent emails purporting to be from paypal. If, like us, you have been receiving them, I thought I'd share an easy way to differentiate the dodgy from the legit.

Where did it come from?

To find the source of any email you need access to the header file information. This is generally hidden from the user as it can be rather confusing. I'm not going to tell you how to read a header file, but I will show you how to spot a phoney sender.

If you do want to know more about header files, follow this link: http://www.stopspam.org/email/headers.html


Ok, first up is an example of a legitimate email:

Received: from postman.riba.net ([x.x.x.x]) by borg.inst.riba.net with SMTP
id QQG6YKX7; Wed, 21 Sep 2005 10:42:36 +0100
Received: from umsan1.unitedmedia.com by postman.riba.net(Content Technologies SMTPRS 4.3.12) with SMTP id <T7384b4856bc0a8c8fd5f0@postman.riba.net> for <colin@inc.riba.org>;
Wed, 21 Sep 2005 10:47:42 +0100
From: comics@comicmembers.com
To: colin <colin@inc.riba.org>
Subject: Your Daily Dilbert
Date: Wed, 21 Sep 2005 03:31:00 -0400

This is part of a header for the daily dilbert comic strip. The first section is your system that has received the message. Nothing to worry about there, but the third line is the interesting part.

Received: from umsan1.unitedmedia.com

This is the system the email was sent from. At this point it is possible to spot a relayed message that has a spoofed (forged) email address. Fortunately we already know unitedmedia own the dilbert comics so this is a valid email.

If you look at this next example, it becomes quite obvious that the email address has been spoofed.

Received: from postman.riba.net ([x.x.x.x]) by borg.inst.riba.net with SMTP
id N93CCAN9; Mon, 18 Jul 2005 11:39:46 +0100
Received: from wan10.ihredomainadresse.de by postman.riba.net
(Content Technologies SMTPRS 4.3.12) with ESMTP id
<T722e0e75cfc0a8c8fd734@postman.riba.net> for
<tam@inc.riba.org>; Sat, 16 Jul 2005 21:56:11 +0100
Received: by wan10.ihredomainadresse.de (Postfix, from userid 641) id
1BEF4341F6; Sat, 16 Jul 2005 22:05:25 +0200 (CEST)
To: tam@inc.riba.org
Subject: Dear Member
From: PayPaL <support@paypal.com>
Reply-To: support@paypal.com

Received: from wan10.ihredomainadresse.de

This line is the worrying part, as the system that sent the email is not owned by paypal. Even though the email address is valid, the email has been sent from another location that has been used as a relay. If you ever find such a discrepancy in an email, always question whether it was sent from the displayed sender or someone purporting to be that person.

You can delve a little deeper into who sent it by using a site called http://www.dnsstuff.com/

One of the tests that can be performed from here is a DNS lookup. This enables you to see who the owner of a particular site really is, along with their address, email and telephone contact numbers.

Hope this is of some help....
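The check described in the post above, done in code as an added example (this is not part of the original post and not a tool the author used): parse the Received headers with Python's standard email library, take the host named in the earliest "Received: from ..." line as the system the message was actually sent from, and compare its domain with the domain of the From address. The two header blocks quoted above are reused as constructed sample input (the "x.x.x.x" placeholder is kept as in the post; bodies are omitted). The KNOWN_SENDERS allowlist is an assumption that encodes the post's point that unitedmedia is known to own the Dilbert comics; without it the legitimate message would be flagged too, because its From domain (comicmembers.com) also differs from the sending host.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the legitimate Dilbert header block quoted in the post.
LEGIT_RAW = """\
Received: from postman.riba.net ([x.x.x.x]) by borg.inst.riba.net with SMTP
 id QQG6YKX7; Wed, 21 Sep 2005 10:42:36 +0100
Received: from umsan1.unitedmedia.com by postman.riba.net(Content Technologies SMTPRS 4.3.12) with SMTP id <T7384b4856bc0a8c8fd5f0@postman.riba.net> for <colin@inc.riba.org>;
 Wed, 21 Sep 2005 10:47:42 +0100
From: comics@comicmembers.com
To: colin <colin@inc.riba.org>
Subject: Your Daily Dilbert
Date: Wed, 21 Sep 2005 03:31:00 -0400

(body omitted)
"""

# Constructed sample: the spoofed "PayPaL" header block quoted in the post.
PHISH_RAW = """\
Received: from postman.riba.net ([x.x.x.x]) by borg.inst.riba.net with SMTP
 id N93CCAN9; Mon, 18 Jul 2005 11:39:46 +0100
Received: from wan10.ihredomainadresse.de by postman.riba.net
 (Content Technologies SMTPRS 4.3.12) with ESMTP id
 <T722e0e75cfc0a8c8fd734@postman.riba.net> for
 <tam@inc.riba.org>; Sat, 16 Jul 2005 21:56:11 +0100
Received: by wan10.ihredomainadresse.de (Postfix, from userid 641) id
 1BEF4341F6; Sat, 16 Jul 2005 22:05:25 +0200 (CEST)
To: tam@inc.riba.org
Subject: Dear Member
From: PayPaL <support@paypal.com>
Reply-To: support@paypal.com

(body omitted)
"""

# Assumed allowlist of From-domain -> sending domains we already know belong
# together (the post's "we already know unitedmedia own the dilbert comics").
KNOWN_SENDERS = {"comicmembers.com": {"unitedmedia.com"}}


def originating_host(msg):
    """Host named in the earliest 'Received: from <host>' header.

    Received headers are prepended as the mail travels, so the bottom-most one
    is the earliest. Headers that start with 'by' (no 'from' clause) are skipped;
    the anchored match also avoids picking up text like '(Postfix, from userid 641)'.
    """
    for value in reversed(msg.get_all("Received") or []):
        value = " ".join(value.split())  # unfold continuation lines
        m = re.match(r"from\s+([A-Za-z0-9.-]+)", value, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None


def registered_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess(raw, known=KNOWN_SENDERS):
    """Compare the From domain with the domain of the originating host."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    host = originating_host(msg)
    result = {"from_domain": from_domain, "origin_host": host, "verdict": "unknown"}
    if not host or not from_domain:
        return result
    origin_domain = registered_domain(host)
    result["origin_domain"] = origin_domain
    if origin_domain == from_domain or origin_domain in known.get(from_domain, set()):
        result["verdict"] = "consistent"
    else:
        result["verdict"] = "suspicious"
    return result


if __name__ == "__main__":
    for label, raw in (("dilbert", LEGIT_RAW), ("paypal", PHISH_RAW)):
        print(label, assess(raw))
```

A mismatch between the two domains is a reason to question the sender, not proof of fraud on its own: legitimate bulk mail is often sent from a provider's hosts, which is why the allowlist is needed for the Dilbert case, and why the manual judgement the post describes still applies.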

Dream Weaver
21-09-2005, 01:48 PM
Best thing really is that if you are not sure about a link, don't click on it!

Same goes for attachments.