How does this happen?

Discussion in 'Mac Apps and Mac App Store' started by 36183, Jan 18, 2006.

  1. 36183 Guest

    Joined:
    Jun 24, 2004
    #1
    I got the strangest email. I am using Gmail with Apple's Mail client, and today I got an email only showing a date and a message.

    Somehow someone managed to hide their address. I never knew that sending emails like this was possible; is it a bug in Gmail? (And if this is common I am going to feel like an idiot.) Just wondering if anyone knows anything about this or has experienced anything like this.

    Bobak
     

    Attached Files:

  2. Jay42 macrumors 65816

    Jay42

    Joined:
    Jul 14, 2005
    #2
    I've gotten a lot of blank mail messages (no subject, to, or from) but never something like that. That's interesting, no links or anything.
     
  3. plinden macrumors 68040

    plinden

    Joined:
    Apr 8, 2004
    #3
    That's easy to do. Email is delivered using "envelope" information, not the contents of the From/To/CC headers etc. It's just that normally email clients add the information in headers as a courtesy.

    For instance, if you have access to sendmail, you can send an email like this (I may get the exact sequence wrong. I can never remember if the MAIL FROM: should come before the RCPT TO: ):
    HELO
    <mail server responds>
    RCPT TO: abc@gmail.com
    <mail server responds>
    MAIL FROM: def@gmail.com
    <mail server responds>
    DATA
    <mail server responds>
    Hello Beauty!
    .

    <mail server responds with mail sent successfully message>

    The recipient gets an email with no From, To or Subject headers. The Date header, among other headers e.g. routing information, is usually added by the server.

    It's this sequence that e.g. Outlook or gmail uses, only the DATA section will include information on From and To, e.g.:
    DATA
    <mail server responds>
    From: def@gmail.com
    To: abc@gmail.com

    Hello Beauty!
    .

    <mail server responds>
     
  4. 36183 thread starter Guest

    Joined:
    Jun 24, 2004
    #4
    I checked the message with Gmail's web client and there is not much difference.
     

    Attached Files:

  5. 36183 thread starter Guest

    Joined:
    Jun 24, 2004
    #5
    That's very interesting, but how do people get access to "sendmail", and is it possible to trace the IP of the person that sent the mail?
     
  6. Mitthrawnuruodo Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #6
    Does it reveal anything else if you enable View -> Message -> Long Headers?
     
  7. XNine macrumors 68040

    XNine

    Joined:
    Apr 7, 2005
    Location:
    Why are you wearing that stupid man suit?
    #7
    There's also some underground tools that will make emails completely anonymous.

    I got a message a little while ago from an email address that was "undeliverable" when I replied to it, and it had some kind of encryption description in the message body like: "7 digit code. Blowfish" or some crap like that. I'll have to dig it up and see what it said, show it here. Very odd.
     
  8. plinden macrumors 68040

    plinden

    Joined:
    Apr 8, 2004
    #8
    Sendmail often runs on Unix machines. There may even be a version in Mac OS X, but I'm not sure.
    Edit: you can try opening a Terminal window and typing "telnet localhost 25" and see what happens. I'm chained to a Windows PC at the moment so can't check myself.

    It's too easy to spoof the headers in emails to determine where they come from. That's how spammers hide their identity.
     
  9. 36183 thread starter Guest

    Joined:
    Jun 24, 2004
    #9
    It does indeed, but I am not totally sure about what all the information means.
     

    Attached Files:

  10. 36183 thread starter Guest

    Joined:
    Jun 24, 2004
    #10
    I found this when I did a VersionTracker search. Seems a bit old. I may play with it later.

    Edit:

    I tried the telnet command. No luck though.
     

    Attached Files:

  11. Mitthrawnuruodo Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #11
    Well you got an IP address that leads to a Korean firm:

    Code:
    whois 58.226.183.99
    
    OrgName:    Asia Pacific Network Information Centre
    OrgID:      APNIC
    Address:    PO Box 2131
    City:       Milton
    StateProv:  QLD
    PostalCode: 4064
    Country:    AU
    
    ReferralServer: whois://whois.apnic.net
    
    NetRange:   58.0.0.0 - 58.255.255.255
    CIDR:       58.0.0.0/8
    NetName:    APNIC-58
    NetHandle:  NET-58-0-0-0-1
    Parent:
    NetType:    Allocated to APNIC
    NameServer: NS1.APNIC.NET
    NameServer: NS3.APNIC.NET
    NameServer: NS4.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    NameServer: NS.LACNIC.NET
    NameServer: NS-SEC.RIPE.NET
    Comment:    This IP address range is not registered in the ARIN database.
    Comment:    For details, refer to the APNIC Whois Database via
    Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
    Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
    Comment:    for the Asia Pacific region. APNIC does not operate networks
    Comment:    using this IP address range and is not able to investigate
    Comment:    spam or abuse reports relating to these addresses. For more
    Comment:    help, refer to http://www.apnic.net/info/faq/abuse
    RegDate:    2004-05-04
    Updated:    2005-05-20
    
    OrgTechHandle: AWC12-ARIN
    OrgTechName:   APNIC Whois Contact
    OrgTechPhone:  +61 7 3858 3100
    OrgTechEmail:  search-apnic-not-arin@apnic.net
    
    # ARIN WHOIS database, last updated 2006-01-17 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    % [whois.apnic.net node-1]
    % Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
    
    inetnum:      58.224.0.0 - 58.239.255.255
    netname:      HANANET
    descr:        Hanaro Telecom, Inc.
    descr:        Shindongah Bldg, 43, Taepyeongno2-ga, Jung-gu, Seoul
    country:      KR
    admin-c:      SIJ1-AP
    tech-c:       SIJ1-AP
    descr:        ************************************************
    descr:        Allocated to KRNIC Member.
    descr:        If you would like to find assignment
    descr:        information in detail please refer to
    descr:        the KRNIC Whois Database at:
    descr:        "http://whois.nida.or.kr/english/index.html"
    descr:        ************************************************
    status:       ALLOCATED PORTABLE
    mnt-by:       MNT-KRNIC-AP
    mnt-lower:    MNT-KRNIC-AP
    changed:      hm-changed@apnic.net 20050627
    source:       APNIC
    
    person:       Seung Il Jeon
    address:      Dacom, Seoul
    country:      KR
    phone:        +82-2-2089-0580
    fax-no:       +82-2-2089-0706
    e-mail:       jeonsi@bora.net
    e-mail:       abuse@bora.net
    e-mail:       security@bora.net
    nic-hdl:      SIJ1-AP
    remarks:      If related with spam, send mail to abuse@bora.net
    remarks:      If related with security, send mail to security@bora.net
    remarks:      Only for personal contact, send mail to jeonsi@bora.net
    mnt-by:       MNT-KRNIC-AP
    changed:      jeonsi@bora.net 20041105
    source:       APNIC
    
    So you could forward the mail, with the long headers to abuse@bora.net, or just mark it as junk, but keep an eye on things and see if you get any more from that place...
     
  12. plinden macrumors 68040

    plinden

    Joined:
    Apr 8, 2004
    #12
    The Received headers are routing information added by each of the mail servers/routers the message passed through. The third one is the first one, if you know what I mean, i.e. the server mx.gmail.com thinks it got the message from IP 58.226.183.99.
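    The two checks made in this post and in post #3, as an added example that is not code from any poster in the thread: a client that skips the courtesy headers leaves From/To/Subject absent, and the Received chain is read bottom-up, so the last Received line holds the IP the first accepting server actually saw (in RFC 5321 the order is MAIL FROM, then RCPT TO, then DATA). The message, hostnames and addresses below are constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample modelled on the thread: no From/To/Subject from the sender,
# Date and Received lines added by the servers on the path. Hosts and IPs are
# documentation/test values, not taken from the original message.
RAW_MESSAGE = """\
Received: by 10.64.1.1 with SMTP id x1mr1234; Wed, 18 Jan 2006 06:15:02 -0800 (PST)
Received: from mx.example.test (mx.example.test [192.0.2.10])
        by mail.example.test with ESMTP id abc123; Wed, 18 Jan 2006 06:15:01 -0800 (PST)
Received: from unknown (HELO spoofer) ([198.51.100.23])
        by mx.example.test with SMTP; Wed, 18 Jan 2006 06:14:59 -0800 (PST)
Date: Wed, 18 Jan 2006 06:14:59 -0800
Message-ID: <constructed-example@example.test>

Hello Beauty!
"""

# Headers a normal mail client adds as a courtesy; their absence is the tell.
COURTESY_HEADERS = ("From", "To", "Subject")

# "from <host> ... [<ipv4>]": the host the sender claimed in HELO, and the
# peer IP the receiving server observed on the connection.
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def missing_courtesy_headers(raw):
    """Names of From/To/Subject headers the message does not carry."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [h for h in COURTESY_HEADERS if msg[h] is None]


def received_hops(raw):
    """Received chain as (claimed_host, observed_ip), newest hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        hops.append((m.group(1), m.group(2)) if m else (None, None))
    return hops


def origin_ip(raw):
    """IP recorded by the first server that accepted the message (last Received line).
    Only this hop is trustworthy to the extent that server is; earlier data is claimed."""
    for _host, ip in reversed(received_hops(raw)):
        if ip:
            return ip
    return None
```

    Only the Received line written by your own provider's first server is worth acting on; anything the sender put in the DATA section, including forged Received lines below it, is under the sender's control.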
     
  13. 36183 thread starter Guest

    Joined:
    Jun 24, 2004
    #13
    Thanks for all the help.

    I can understand a questionable business using anonymous emails, but I don't understand why a Korean firm would send me a message with such meaningless content. Or maybe someone closer to home may have just used a proxy (is that possible? If so I could see how people could use something like this to send abusive or joke emails).
     
  14. Mitthrawnuruodo Moderator emeritus

    Mitthrawnuruodo

    Joined:
    Mar 10, 2004
    Location:
    Bergen, Norway
    #14
    Well, one possible scenario (out of many) is that there sits an infected PC (aka zombie) somewhere in Korea (or elsewhere) sending out lots and lots of mail for some spammer/mail address harvester. Let's say they send out mails to 1 000 000 gmail accounts, and then get 990 000 mails in return saying "this is not a valid address" (to that employment@01research.com address), then they know the other 10 000 is... ;)
     
  15. plinden macrumors 68040

    plinden

    Joined:
    Apr 8, 2004
    #15
    It could be an ISP, being used by a spammer or a zombie PC. ISPs tend to have large blocks of IP addresses, as the whois search in Mitthrawnuruodo's post shows. Even if that's the originating IP address the spammer is probably long gone.

    There's really no point in spending much time trying to track this down unless you use the experience to learn more about how the internet and email works.
     
  16. CanadaRAM macrumors G5

    CanadaRAM

    Joined:
    Oct 11, 2004
    Location:
    On the Left Coast - Victoria BC Canada
    #16
    Servers within the Korean educational system are notorious for being open proxies - I don't know why Korea, particularly, but they don't seem to be able to enforce security. An open proxy or an open relay is an insecure machine where a spammer can 'bounce' their mail off the server to you, and you can't trace it back beyond the proxy.
     
