
Guest
Original poster
Jun 24, 2004
I got the strangest email. I am using Gmail with Apple's Mail client, and today I got an email showing only a date and a message.

Somehow someone managed to hide their address. I never knew that sending emails like this was possible; is it a bug in Gmail? (And if this is common I am going to feel like an idiot.) Just wondering if anyone knows anything about this or has experienced anything like this.

Bobak
 

Attachment: Picture 1.png
I've gotten a lot of blank mail messages (no subject, to, or from) but never something like that. That's interesting, no links or anything.
 
That's easy to do. Email is delivered using "envelope" information, not the contents of the From/To/CC headers etc. It's just that normally email clients add the information in headers as a courtesy.

For instance, if you have access to sendmail, you can send an email like this (I may get the exact sequence wrong; I can never remember if the MAIL FROM: should come before the RCPT TO:):
Code:
HELO
<mail server responds>
MAIL FROM: def@gmail.com
<mail server responds>
RCPT TO: abc@gmail.com
<mail server responds>
DATA
<mail server responds>
Hello Beauty!
.

<mail server responds with mail sent successfully message>

The recipient gets an email with no From, To or Subject headers. The Date header, among other headers e.g. routing information, is usually added by the server.

It's this sequence that e.g. Outlook or Gmail uses, only the DATA section will include information on From and To, e.g.:
Code:
DATA
<mail server responds>
From: def@gmail.com
To: abc@gmail.com

Hello Beauty!
.

<mail server responds>
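The envelope/header distinction plinden describes, as an added example that is not part of the thread: a toy server-side SMTP state machine (hypothetical, with placeholder host names and addresses) that enforces the MAIL FROM before RCPT TO order and shows that From:/To: only appear if the client writes them inside DATA, while the envelope sender surfaces in Return-Path.

```python
from email import message_from_string
from email.utils import formatdate

def toy_smtp_session(commands, body_lines, server="mx.example.test", client_ip="192.0.2.10"):
    """Minimal server-side SMTP state machine. `commands` are the lines the
    client sends before DATA; `body_lines` is what it sends after DATA (any
    headers, a blank line, the text). Returns (replies, delivered_text or None).
    All names and addresses here are made-up placeholders."""
    helo, mail_from, rcpts, replies = "unknown", None, [], []
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            helo = arg.strip() or "unknown"
            replies.append("250 " + server)
        elif verb == "MAIL":            # MAIL FROM: sets the envelope sender
            mail_from = arg.partition(":")[2].strip()
            replies.append("250 2.1.0 Ok")
        elif verb == "RCPT":            # RCPT TO: needs an envelope sender first
            if mail_from is None:
                replies.append("503 Error: need MAIL command")
                continue
            rcpts.append(arg.partition(":")[2].strip())
            replies.append("250 2.1.5 Ok")
        elif verb == "DATA":            # DATA needs at least one recipient
            if not rcpts:
                replies.append("503 Error: need RCPT command")
                continue
            replies.append("354 End data with <CR><LF>.<CR><LF>")
            break
        else:
            replies.append("500 Error: command not recognized")
    else:                               # loop never reached a valid DATA
        return replies, None
    # Delivery: the server prepends its own trace headers. The envelope
    # sender goes into Return-Path and the connecting IP into Received; the
    # envelope addresses are NOT copied into From:/To:, which exist only if
    # the client wrote them itself inside the DATA section.
    trace = (f"Return-Path: <{mail_from}>\n"
             f"Received: from {helo} ([{client_ip}]) by {server} with SMTP"
             f" for <{rcpts[0]}>; {formatdate()}")
    replies.append("250 2.0.0 Ok: queued")
    return replies, trace + "\n" + "\n".join(body_lines) + "\n"

def visible_headers(delivered):
    """What a mail client would show for the delivered message."""
    msg = message_from_string(delivered)
    return {k: msg.get(k) for k in ("From", "To", "Subject", "Return-Path", "Received")}
```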
 
I checked the message with Gmail's web client and there is not much difference.
 

Attachment: Picture 2.jpg
plinden said:
That's easy to do. Email is delivered using "envelope" information, not the contents of the From/To/CC headers etc. It's just that normally email clients add the information in headers as a courtesy.

For instance, if you have access to sendmail, you can send an email like this (I may get the exact sequence wrong; I can never remember if the MAIL FROM: should come before the RCPT TO:):
Code:
HELO
<mail server responds>
MAIL FROM: def@gmail.com
<mail server responds>
RCPT TO: abc@gmail.com
<mail server responds>
DATA
<mail server responds>
Hello Beauty!
.

<mail server responds with mail sent successfully message>

The recipient gets an email with no From, To or Subject headers. The Date header, among other headers e.g. routing information, is usually added by the server.

That's very interesting, but how do people get access to "sendmail", and is it possible to trace the IP of the person that sent the mail?
 
There are also some underground tools that will make emails completely anonymous.

I got a message a little while ago from an email address that was "undeliverable" when I replied to it, and it had some kind of encryption description in the message body like: "7 digit code. Blowfish" or some crap like that. I'll have to dig it up and see what it said, show it here. Very odd.
 
bobx2001 said:
That's very interesting, but how do people get access to "sendmail", and is it possible to trace the IP of the person that sent the mail?
Sendmail often runs on Unix machines. There may even be a version in Mac OS X, but I'm not sure.
Edit: you can try opening a Terminal window and typing "telnet localhost 25" and see what happens. I'm chained to a Windows PC at the moment so can't check myself.

It's too easy to spoof the headers in emails to determine where they come from. That's how spammers hide their identity.
 
Mitthrawnuruodo said:
Does it reveal anything else if you enable View -> Message -> Long Headers?

It does indeed, but I am not totally sure what all the information means.
 

Attachment: Picture 3.png
plinden said:
Sendmail often runs on Unix machines. There may even be a version in Mac OS X, but I'm not sure.
Edit: you can try opening a Terminal window and typing "telnet localhost 25" and see what happens. I'm chained to a Windows PC at the moment so can't check myself.

It's too easy to spoof the headers in emails to determine where they come from. That's how spammers hide their identity.

I found this when I did a VersionTracker search. Seems a bit old. I may play with it later.

Edit:

I tried the telnet command. No luck though.
 

Attachment: Picture 4.png
bobx2001 said:
It does indeed, but I am not totally sure what all the information means.
Well, you got an IP address that leads to a Korean firm:

Code:
whois 58.226.183.99

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

NetRange:   58.0.0.0 - 58.255.255.255
CIDR:       58.0.0.0/8
NetName:    APNIC-58
NetHandle:  NET-58-0-0-0-1
Parent:
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
NameServer: NS-SEC.RIPE.NET
Comment:    This IP address range is not registered in the ARIN database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to http://www.apnic.net/info/faq/abuse
RegDate:    2004-05-04
Updated:    2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3100
OrgTechEmail:  search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2006-01-17 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      58.224.0.0 - 58.239.255.255
netname:      HANANET
descr:        Hanaro Telecom, Inc.
descr:        Shindongah Bldg, 43, Taepyeongno2-ga, Jung-gu, Seoul
country:      KR
admin-c:      SIJ1-AP
tech-c:       SIJ1-AP
descr:        ************************************************
descr:        Allocated to KRNIC Member.
descr:        If you would like to find assignment
descr:        information in detail please refer to
descr:        the KRNIC Whois Database at:
descr:        "http://whois.nida.or.kr/english/index.html"
descr:        ************************************************
status:       ALLOCATED PORTABLE
mnt-by:       MNT-KRNIC-AP
mnt-lower:    MNT-KRNIC-AP
changed:      hm-changed@apnic.net 20050627
source:       APNIC

person:       Seung Il Jeon
address:      Dacom, Seoul
country:      KR
phone:        +82-2-2089-0580
fax-no:       +82-2-2089-0706
e-mail:       jeonsi@bora.net
e-mail:       abuse@bora.net
e-mail:       security@bora.net
nic-hdl:      SIJ1-AP
remarks:      If related with spam, send mail to abuse@bora.net
remarks:      If related with security, send mail to security@bora.net
remarks:      Only for personal contact, send mail to jeonsi@bora.net
mnt-by:       MNT-KRNIC-AP
changed:      jeonsi@bora.net 20041105
source:       APNIC

So you could forward the mail, with the long headers to abuse@bora.net, or just mark it as junk, but keep an eye on things and see if you get any more from that place...
 
bobx2001 said:
It does indeed, but I am not totally sure what all the information means.
The Received headers are routing information added by each of the mail servers/routers the message passed through. The third one is the first one, if you know what I mean, i.e. the server mx.gmail.com thinks it got the message from IP 58.226.183.99.
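Reading a Received chain the way Mitthrawnuruodo describes, as an added Python example that is not from the thread, run on constructed sample headers (server names echo the thread's mx.gmail.com, the IPs are documentation addresses): walk from the top (newest) hop downwards while the recording server is one your provider runs, and stop at the first hop written by a machine you don't trust, since everything below that line was supplied by the sender and can be forged.

```python
import re
from email import message_from_string

# Constructed sample headers (not the thread's screenshot). Top line = last
# server to handle the mail, bottom line = the earliest (possibly forged) hop.
SAMPLE = """\
Received: by 10.0.0.1 with SMTP id x1; Thu, 19 Jan 2006 10:00:03 -0800 (PST)
Received: from mx.gmail.com (mx.gmail.com [192.0.2.5]) by mail.gmail.com with ESMTP id y2; Thu, 19 Jan 2006 10:00:02 -0800 (PST)
Received: from pc (unknown [203.0.113.77]) by mx.gmail.com with SMTP id z3; Thu, 19 Jan 2006 10:00:01 -0800 (PST)
Received: from relay.example (relay.example [198.51.100.9]) by pc; Thu, 19 Jan 2006 09:59:00 -0800 (PST)
Date: Thu, 19 Jan 2006 10:00:01 -0800 (PST)

(empty body)
"""

FROM_RE = re.compile(r"\bfrom\s+([^\s;]+)")      # name the sender claimed (HELO)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")      # address the receiver actually saw
BY_RE = re.compile(r"\bby\s+([^\s;]+)")          # server that wrote this line

def received_chain(raw):
    """Received headers in header order (newest first). Each hop records the
    claimed sender name, the connecting IP, and the server that logged it."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        frm, ip, by = FROM_RE.search(hdr), IP_RE.search(hdr), BY_RE.search(hdr)
        hops.append({"from": frm.group(1) if frm else None,
                     "ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops

def origin_ip(raw, trusted_servers):
    """Walk down from the newest hop while the logging server is one we trust
    (our own provider's). The last IP seen before leaving trusted servers is
    the real connecting address; lines below it came from the sender's side
    and may be fabricated, so we stop there."""
    best = None
    for hop in received_chain(raw):
        if hop["by"] not in trusted_servers:
            break
        if hop["ip"]:
            best = hop["ip"]
    return best
```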
 
thanks for all the help.

I can understand a questionable business using anonymous emails, but I don't understand why a Korean firm would send me a message with such meaningless content. Or maybe someone closer to home may have just used a proxy (is that possible? If so, I could see how people could use something like this to send abusive or joke emails).
 
bobx2001 said:
thanks for all the help.

I can understand a questionable business using anonymous emails, but I don't understand why a Korean firm would send me a message with such meaningless content. Or maybe someone closer to home may have just used a proxy (is that possible? If so, I could see how people could use something like this to send abusive or joke emails).
Well, one possible scenario (out of many) is that there sits an infected PC (aka zombie) somewhere in Korea (or elsewhere) sending out lots and lots of mail for some spammer/mail address harvester. Let's say they send out mails to 1 000 000 Gmail accounts, and then get 990 000 mails in return saying "this is not a valid address" (to that employment@01research.com address), then they know the other 10 000 are... ;)
 
bobx2001 said:
thanks for all the help.

I can understand a questionable business using anonymous emails, but I don't understand why a Korean firm would send me a message with such meaningless content. Or maybe someone closer to home may have just used a proxy (is that possible? If so, I could see how people could use something like this to send abusive or joke emails).
It could be an ISP, being used by a spammer or a zombie PC. ISPs tend to have large blocks of IP addresses, as the whois search in Mitthrawnuruodo's post shows. Even if that's the originating IP address the spammer is probably long gone.

There's really no point in spending much time trying to track this down unless you use the experience to learn more about how the internet and email works.
 
Servers within the Korean educational system are notorious for being open proxies - I don't know why Korea, particularly, but they don't seem to be able to enforce security. An open proxy or an open relay is an insecure machine where a spammer can 'bounce' their mail off the server to you, and you can't trace it back beyond the proxy.
 