Heading Spammerifically
Being able to read email headers is a very useful skill.
Yesterday morning, a friend of mine had three emails in her business account inbox telling her to go click the link to activate her “My Opera” account. She was suspicious of them, as was I (she has a very good eye for spam and is a careful web surfer–if she isn’t assured of the safety of a link, she won’t click it). Furthermore, despite my best efforts, I cannot pry her away from IE, because that’s what she’s used to; I know that she has never been to the My Opera website.
Since I know that My Opera–or any other site, for that matter–doesn’t send emails of that sort to persons who have never visited the website, I told her that her suspicions were probably correct and asked her what happened when she moused over the links–sure enough, the links were redirections which did not point to My Opera.
I asked her to forward the emails to me, but they did not arrive–I suspect my ISP’s spam filters caught them. Nevertheless, I posted a general warning to the opera.general newsgroup and one of the netizens there forwarded me a copy, with header intact, of one that he had gotten.
Just by looking at the headers, I knew the email was fraudulent. Looking at the body in plain text, rather than in HTML, confirmed it. (Opera makes viewing plain text easy.)
Last night, I settled down to have some quality time with WHOIS. I found the following:
- The “Return-Path” in the email header was spoofed. The listed email address returned a “user unknown.”
- The email originated from a server in the Ukraine.
- The links in the body of the email redirected, not to Opera’s servers, but to servers in Korea.
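
An added example (not from the original post or its linked PDF) of pulling the same three items out of a raw message with Python's standard `email` module: the Return-Path, the IP recorded by the earliest Received hop, and link hosts that do not belong to the claimed sender. The message, hosts and addresses are constructed placeholders, and `triage` and `registered_tail` are hypothetical helper names.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message: every host, address and IP is a placeholder.
SAMPLE = """\
Return-Path: <noreply@service.example>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example; Tue, 01 Jan 2008 08:00:02 +0000
Received: from unknown (HELO relay.sender.example) ([203.0.113.45])
\tby mx.recipient.example; Tue, 01 Jan 2008 08:00:01 +0000
From: "Account Service" <noreply@service.example>
To: user@recipient.example
Subject: Activate your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://redirect.host.example/r?id=1">http://service.example/activate</a></p>
"""

def registered_tail(host, labels=2):
    # Naive last-two-labels comparison (assumption); a real tool would use the Public Suffix List.
    return ".".join(host.lower().split(".")[-labels:])

def triage(raw, claimed_domain):
    msg = email.message_from_string(raw, policy=policy.default)
    # Each relay prepends its Received line, so the last one in the list is the earliest hop.
    # Only lines written by servers you trust are reliable; earlier ones can be forged.
    received = msg.get_all("Received", [])
    hop = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[-1])) if received else None
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # Read the href targets from the source, not the text the HTML view displays.
    offsite = []
    for href in re.findall(r'href=["\'](https?://[^"\']+)', html, re.I):
        host = urlparse(href).hostname or ""
        if registered_tail(host) != registered_tail(claimed_domain):
            offsite.append(host)
    return {
        "return_path": str(msg["Return-Path"]).strip("<> "),
        "origin_ip": hop.group(1) if hop else None,
        "offsite_links": offsite,
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "service.example"))
```

The Return-Path and origin IP it reports are the values to take to a WHOIS lookup; the header alone does not show whether the Return-Path address exists.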
My L33t Hack0rz Sk1lz are not L33t enough for me to tell from a WHOIS whether the servers in question have been pwned. The probability is that the scam is being run by someone not directly connected with them and that the outfits running the servers haven’t secured them properly against incorporation into botnets.
You can see the email I was working on and the output of the WHOIS queries here (PDF).
Most email clients hide the headers and the source code by default. Some are friendlier to the header and source views than others. Here is an excellent article on reading headers.
Full Disclosure: I have a My Opera account. I don’t use any of the social networking features, but I do use Opera Link.