Always Use Protection: A Teen's Guide to Safe Computing

Privacy - Inside a Spam Scam

One of the best ways to figure out whether a spam email is also a scam is to look at the message source: the complete raw message, including every header, exactly as it arrived. All major email programs have a "view source" (or "show original") command that displays it.

 

Here's a sample Email I received recently:

 

[Picture of scam message]

 

(Ok, I know most teens will just throw it out, since they probably don't have a Citibank account, but it's a good example for learning about scams, and you never know when you may be called on to help your parents figure out if a message is a scam or not).

 

At first glance, this message might look real: the bank asking your help to verify a problem. But you should be skeptical. If the bank really had a problem with your account they would be much more likely to write or call than to email you a link. Still, you can't be sure it's a scam until you look at the message source. Let's take a look (my comments appear between the headers; some names and addresses have been changed for privacy, and some headers deleted to save space).

 

From - Mon Jan 12 02:48:17 2004 

 

This first line is not a header at all: it's the separator my mail program writes in front of each message when it stores it, so its time is when the message was saved on my machine.

Next comes the list of "Received" headers, one for each server that handled the mail in transit. Every server adds its own line at the top, so the list reads from the newest hop down to the oldest: the top entry is my own mail server, the bottom entry is whoever first accepted the message from the sender.

Received: from mailt1.apress.com ([192.168.245.18]) by exchange.INTERNAL.APRESS.COM with Microsoft SMTPSVC(5.0.2195.5329); Mon, 12 Jan 2004 02:42:47 -0800 

Received: from adelphia.net ([68.69.5.110] RDNS failed) by mailt1.apress.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 12 Jan 2004 02:42:47 -0800 

 

The last "Received" entry (the bottom one, just below these comments) names the machine that first accepted the email from the sender. In this case it's an adelphia.net machine. Adelphia is an ISP (you can check www.adelphia.com to confirm this), so the sender is probably one of their customers. While it's not uncommon for businesses to use ISPs to host their sites (like this one), odds are pretty good a message from a large company like Citibank would start from a citibank.com domain. So this is suspicious.

One more thing to know before reading further down: each server vouches only for the line it wrote itself. The two lines above were written by the apress.com servers, so I trust them; everything below them was already inside the message when it arrived, and the sender could have typed it. What the apress.com server actually saw is that the connection came from IP address 68.69.5.110, announcing itself as "adelphia.net", and that a reverse DNS lookup of that address failed ("RDNS failed"). That IP address, not the hostnames in the lines below, is the one hard fact about where the message came from.

Received: from pa-rochester2b-110.pit.adelphia.net (pa-rochester2b-110.pit.adelphia.net [68.69.5.110]) by adelphia.net (8.12.8p1/8.12.8) with ESMTP id gyszr86117 for <myname@apress.com>; Tue, 13 Jan 2004 00:38:44 -0400 (EST) 

Date: Tue, 13 Jan 2004 00:38:42 -0400 (EST) 

 

Look at the timestamps. The apress.com servers received the message at 02:42 on January 12 (Pacific time, -0800), yet the Received line just above and this Date header claim it was sent at 00:38 on January 13, nearly eighteen hours later (and labelled "EST" with a -0400 offset, when the US east coast in January is at -0500). A server cannot receive a message before it was sent, so either the sender's clock is badly wrong or these lines were made up. Either way, another bad sign.

Now the From header. This is a pretty clumsy scam: obviously a real Citibank message would have a citibank.com address here!

From: Citibank <citibank74541@collegeclub.com>

 

Headers starting with "X-" are non-standard extras. X-Mailer names the program that wrote the message: here The Bat!, a desktop email client, not the bulk-mailing system a bank would use. The Reply-To header that follows tells your mail program where a reply should go, and it points at a personal collegeclub.com address (the scammer's own, a stolen account, or a fake he typed in?). Either way, oops!

X-Mailer: The Bat! (v1.61) Personal
Reply-To: someones_name@collegeclub.com
X-Priority: 3 (Normal) 

Message-ID: <398182087.7304492226146@collegeclub.com>

To: myname@apress.com 

Subject: Important Fraud Alert from Citibank 

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------33110960088209" 

Return-Path: someones_name@collegeclub.com 

X-OriginalArrivalTime: 12 Jan 2004 10:42:47.0625 (UTC) FILETIME=[D195CB90:01C3D8F8]

 

This is a very clumsy scam: the sender left traces back to himself (or to an account he stole or faked) all over the headers. The headers alone are enough to call it.
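To make the header checks above repeatable, here is an added example (my own code for this page, not anything from the message, the book, or a mail program). It feeds the headers quoted above, with the same privacy substitutions, to Python's standard email module, walks the Received chain from the top, marks where the recipient's own servers (assumed here to be the apress.com ones) stop vouching for it, checks that no lower hop claims a later time than the hop above it, and compares the From, Reply-To and Return-Path domains against the organisation the message pretends to be. The function names and the OUR_DOMAINS setting are my own choices, not anything the page defines.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample input: the headers quoted on this page, with the same
# privacy substitutions the page made. Only the headers are needed here.
SAMPLE_HEADERS = """\
Received: from mailt1.apress.com ([192.168.245.18]) by exchange.INTERNAL.APRESS.COM with Microsoft SMTPSVC(5.0.2195.5329); Mon, 12 Jan 2004 02:42:47 -0800
Received: from adelphia.net ([68.69.5.110] RDNS failed) by mailt1.apress.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 12 Jan 2004 02:42:47 -0800
Received: from pa-rochester2b-110.pit.adelphia.net (pa-rochester2b-110.pit.adelphia.net [68.69.5.110]) by adelphia.net (8.12.8p1/8.12.8) with ESMTP id gyszr86117 for <myname@apress.com>; Tue, 13 Jan 2004 00:38:44 -0400 (EST)
Date: Tue, 13 Jan 2004 00:38:42 -0400 (EST)
From: Citibank <citibank74541@collegeclub.com>
X-Mailer: The Bat! (v1.61) Personal
Reply-To: someones_name@collegeclub.com
Message-ID: <398182087.7304492226146@collegeclub.com>
To: myname@apress.com
Subject: Important Fraud Alert from Citibank
Return-Path: someones_name@collegeclub.com

"""

# Assumption for the example: the recipient's own mail servers are the
# apress.com ones, so only Received lines stamped "by" those hosts are trusted.
OUR_DOMAINS = ("apress.com",)

_FROM_BY = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S)
_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Return the Received hops in header order: newest (our server) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())            # unfold continuation lines
        names = _FROM_BY.search(value)
        ip = _IPV4.search(value)
        hops.append({
            "from": names.group(1),
            "by": names.group(2),
            "ip": ip.group(1) if ip else None,    # address the "by" host saw
            "when": parsedate_to_datetime(value.rsplit(";", 1)[1].strip()),
        })
    return hops


def _ours(host, our_domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in our_domains)


def trust_boundary(hops, our_domains=OUR_DOMAINS):
    """Split the chain where our own servers stop vouching for it.

    Returns (connecting_ip, unverified_hops): the peer address our edge server
    actually accepted the message from, and every hop below that line, which
    was already inside the message on arrival and could have been forged.
    """
    for i, hop in enumerate(hops):
        if not _ours(hop["by"], our_domains):
            if i == 0:
                return None, hops            # nothing in the chain is ours
            return hops[i - 1]["ip"], hops[i:]
    return hops[-1]["ip"], []


def clock_skew_hours(hops):
    """For each adjacent pair, hours by which the lower (earlier) hop claims a
    LATER time than the hop above it. Positive values are impossible for an
    honest chain: a relay cannot receive mail before the previous one sent it."""
    return [round((lower["when"] - upper["when"]).total_seconds() / 3600, 1)
            for upper, lower in zip(hops, hops[1:])]


def address_domains(raw):
    """Domain of each header a scammer has to get right to look like the bank."""
    msg = message_from_string(raw)
    out = {}
    for name in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(name, ""))[1]
        out[name] = addr.rsplit("@", 1)[-1].lower() if "@" in addr else None
    return out


def domain_mismatches(raw, claimed_domain):
    """Headers whose domain is not the organisation the message claims to be."""
    return {h: d for h, d in address_domains(raw).items()
            if d and not (d == claimed_domain or d.endswith("." + claimed_domain))}


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    ip, unverified = trust_boundary(hops)
    print("connected from:", ip)
    for hop in unverified:
        print("unverifiable hop:", hop["from"], "->", hop["by"], hop["when"])
    print("clock skew (h) between hops:", clock_skew_hours(hops))
    print("addresses not at citibank.com:", domain_mismatches(SAMPLE_HEADERS, "citibank.com"))
```

On the sample it reports that the connection came from 68.69.5.110, that the one hop below the trusted lines claims a time 17.9 hours after the server above it received the message, and that From, Reply-To and Return-Path all sit at collegeclub.com rather than citibank.com. To use it on your own mail, paste the source your mail program shows into SAMPLE_HEADERS and put your own provider's domain in OUR_DOMAINS.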

But the final piece of evidence is in the body. HTML, as you know, is a text format. An email message, though, can be made up of multiple parts (the technical name is MIME): a plain text version and an HTML version of the same message, say, plus attachments or images. Binary data like an image can't travel in an email as-is, so there is a standard way to represent it as text: base64 encoding, which turns every three bytes of data into four printable characters.

 

Here's what a part header looks like. The Content-Type says this part is HTML, but Content-Transfer-Encoding says it has been encoded as base64. Why encode text that could have been sent as text? So that you, and the simple keyword filters of the day, can't read the HTML without decoding it first. Legitimate mailers do sometimes base64-encode HTML, mostly when it contains characters outside plain ASCII, so this trick by itself is not proof. But an English-language notice from a US bank has no need for it, and on top of everything above it settles the matter. The encoding is no barrier once you know it's there: decode it with your mail program or a few lines of code and you can read the HTML. In this one, the first lines decode to an ordinary <html><head> with a style sheet that defines a 1-pixel font size (text that small is invisible to you but not to a filter), and the last lines decode to a one-pixel-square <img> that fetches http://citi.bridgetrack.com/ecrm/pixel/... with a message ID in the URL, so if your mail program loads remote images, whoever runs that server learns the moment you open the message.

 

------------33110960088209
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: base64

DQo8aHRtbD4NCjxoZWFkPg0KPG1ldGEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUg
Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PWlzby04ODU5LTEiPg0KPHN0eWxlI
HR5cGU9InRleHQvY3NzIj4NCjwhLS0NCi5zdHlsZTEge2ZvbnQtZmFtaWx5OiBBcmlh
bH0NCi5zdHlsZTQge2ZvbnQtc2l6ZTogMXB4fQ0KLS0+DQo8L3N0eWxlPg0KPC9oZ
WFkPg0KPGJvZHkgYmdjb2xvcj0iI2ZmZmZmZiIgdGV4dD0iIzAwMDAwMCIgbGluaz
0iIzAwMDAwMCIgdmxpbms9IiMzMzk5Y2Mi
.
. (omitted to save space)
.
Yz0iaHR0cDovL2NpdGkuYnJpZGdldHJhY2suY29tL2Vjcm0vcGl4ZWwvP0JURGF0YT0
0MDIxQTcyNzk2Njc3NkY1ODVENDU1M0I4QjJBM0E2QUI4RDk3OEI4MUY2RTFFNkY
4MjhEQzgzMiZNc2dJRD1GMTMxNERGM0MyQkE0Q0NDQkE0NzRDRUE2QThGNjI0O
CIgd2lkdGg9MSBoZWlnaHQ9MSBib3JkZXI9MD48L3A+IA0KPC9ib2R5Pg0KPC9odG1sPg0K
------------33110960088209
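Here is an added example (my own code for this page, not code from the message or from any mail program) that does the decoding described above and then checks what the HTML hides. It builds a constructed message with the same kind of multipart/mixed container and base64-encoded text/html part as the one above: the one-pixel image is what the tail of that part decodes to, while the "verify" link and its host citibank-verify.example are placeholders, since the page omits the middle of the body. It goes a little beyond the text by also listing every host that the links and images point to outside the claimed citibank.com, which is the check worth making whether or not the part was base64-encoded; the function names are my own.

```python
import base64
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: an HTML body like the one on this page. The one-pixel
# <img> is what the tail of the page's base64 part decodes to; the "verify"
# link is a placeholder (citibank-verify.example is a reserved, non-existent
# host), because the page omits the middle of the body.
HTML_BODY = (
    "\r\n<html>\r\n<head>\r\n"
    '<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">\r\n'
    "</head>\r\n<body>\r\n"
    '<p>Please <a href="http://citibank-verify.example/login">verify your account</a>.</p>\r\n'
    '<p><img src="http://citi.bridgetrack.com/ecrm/pixel/?BTData='
    "4021A727966776F585D4553B8B2A3A6AB8D978B81F6E1E6F828DC832"
    '&MsgID=F1314DF3C2BA4CCCBA474CEA6A8F6248" width=1 height=1 border=0></p> \r\n'
    "</body>\r\n</html>\r\n"
)

BOUNDARY = "----------33110960088209"   # same boundary string as the page's message


def build_sample(html=HTML_BODY, encoding="base64"):
    """Wrap html in a multipart/mixed message using the given transfer encoding."""
    if encoding == "base64":
        body = base64.encodebytes(html.encode("iso-8859-1")).decode("ascii")
    else:
        body = html                        # sent as readable text
    return (
        "From: Citibank <citibank74541@collegeclub.com>\r\n"
        "Subject: Important Fraud Alert from Citibank\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n\r\n'
        f"--{BOUNDARY}\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n"
        f"Content-Transfer-Encoding: {encoding}\r\n\r\n"
        f"{body}\r\n--{BOUNDARY}--\r\n"
    )


_IMG = re.compile(r"<img\b[^>]*>", re.I)
_SRC = re.compile(r"""\bsrc=["']?([^"'\s>]+)""", re.I)
_HREF = re.compile(r"""<a\b[^>]*\bhref=["']?([^"'\s>]+)""", re.I)
_ONE_PIXEL = re.compile(r"""\bwidth=["']?1\b[^>]*\bheight=["']?1\b""", re.I)


def _same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def inspect_html_parts(raw, claimed_domain):
    """Decode every text/html part and report what the reader would not see.

    claimed_domain is the organisation the message pretends to come from; any
    link or tracking-image host outside it is listed as off-domain.
    """
    msg = message_from_string(raw)
    report = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        cte = (part.get("Content-Transfer-Encoding") or "7bit").lower()
        charset = part.get_content_charset() or "iso-8859-1"
        # decode=True undoes base64 / quoted-printable for us
        html = part.get_payload(decode=True).decode(charset, "replace")
        links = _HREF.findall(html)
        pixels = [src for tag in _IMG.findall(html)
                  if _ONE_PIXEL.search(tag) for src in _SRC.findall(tag)]
        hosts = sorted({urlparse(u).hostname for u in links + pixels
                        if urlparse(u).hostname})
        report.append({
            "transfer_encoding": cte,
            "base64_html": cte == "base64",       # a hint, not proof
            "links": links,
            "tracking_pixels": pixels,
            "off_domain_hosts": [h for h in hosts if not _same_org(h, claimed_domain)],
        })
    return report


if __name__ == "__main__":
    for finding in inspect_html_parts(build_sample(), "citibank.com"):
        for key, value in finding.items():
            print(f"{key}: {value}")
```

Run against a real message by passing the raw source your mail program shows instead of build_sample(). The base64_html flag is only a hint; the off_domain_hosts list is the evidence, and it comes out the same whether the part was base64-encoded or sent as plain text.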

 

 

Copyright © 2005 by Daniel Appleman All Rights Reserved. [contact] [privacy]