Phishing is a technique that's pretty common, and the fact is you can never really be sure how authentic the mail you have received is.. This is because SMTP sucks. SMTP is a protocol (Layer 5) for sending email which is built over TCP/IP. All messages, whether request or response, are accompanied by 'Headers'. Headers are meta-describing data which give technical information about the sent/received message. A standard SMTP message has a header called 'From'. If you want to send a message from some other email-id, for ex. me@somewhere.com, the message you send should have the header:
From: me@somewhere.com
and the receiving client will believe that me@somewhere.com has sent the message. I made a script in php that does this.. and it is just a 2 line script. Literally 2 lines.
How to be protected from phishing tricks
I'll give the example with my gmail account. I have a yahoo email id: tritium_skinz@yahoo.com. I will send two mails to my gmail account. One from Yahoo! Mail and one from the site mentioned above. After sending the mails, this was what my inbox looked like:
[Screenshot: img89.imageshack.us/img89/8273/inboxpre1pw4.jpg]
Both the messages even have the Yahoo! promo signature down there.. thereby looking as if they were sent from a Yahoo! server. Professional spammers/phishers will go to any heights to make fake elements look real. There are around 500-600 illegal sites which are designed *exactly* like PayPal, for ex.
Now coming back to the topic. I open any one of the messages. Next, I bring down the menu near the 'Reply' button and click on 'Show Original'.
[Screenshot: img89.imageshack.us/img89/5755/inboxpre2dv2.jpg]
It opens a new window, in which a text file is displayed. This is the *exact* message that the gmail servers received. It includes all the headers in the message. In those headers, check for 'Received: ' headers. These are the headers in the mail I sent:
Fake email:
Code:
Delivered-To: rohan2kool@gmail.com
Received: by 10.114.197.6 with SMTP id u6cs426556waf;
Tue, 16 Oct 2007 23:41:01 -0700 (PDT)
Received: by 10.90.102.20 with SMTP id z20mr12176585agb.1192603261161;
Tue, 16 Oct 2007 23:41:01 -0700 (PDT)
Return-Path: <nobody@pyar.jaanhost.com>
Received: from pyar.jaanhost.com (8a.51.1343.static.theplanet.com [67.19.81.138])
by mx.google.com with ESMTP id 30si3520549hso.2007.10.16.23.41.00;
Tue, 16 Oct 2007 23:41:01 -0700 (PDT)
Received-SPF: neutral (google.com: 67.19.81.138 is neither permitted nor denied by best guess record for domain of nobody@pyar.jaanhost.com) client-ip=67.19.81.138;
Authentication-Results: mx.google.com; spf=neutral (google.com: domain of tritium_skinz@yahoo.com does not designate 67.19.81.138 as permitted sender) smtp.mail=nobody@pyar.jaanhost.com
Received: from nobody by pyar.jaanhost.com with local (Exim 4.63)
(envelope-from <nobody@pyar.jaanhost.com>)
id 1Ii2aR-00009z-Tb
for rohan2kool@gmail.com; Wed, 17 Oct 2007 02:40:59 -0400
Here, in the last 'Received: ' and the first 'Received: ' header, it is clear that the message originated from jaanhost.com and was received by Google from jaanhost.com. There was no role of any Yahoo! server whatsoever. Now here is the header from the Yahoo! Mail:
Code:
Delivered-To: rohan2kool@gmail.com
Received: by 10.114.197.6 with SMTP id u6cs426461waf;
Tue, 16 Oct 2007 23:39:11 -0700 (PDT)
Received: by 10.64.142.10 with SMTP id p10mr15784173qbd.1192603151032;
Tue, 16 Oct 2007 23:39:11 -0700 (PDT)
Return-Path: <tritium_skinz@yahoo.co.in>
Received: from web94503.mail.in2.yahoo.com (web94503.mail.in2.yahoo.com [203.104.16.243])
by mx.google.com with SMTP id e15si3706033qbe.2007.10.16.23.39.08;
Tue, 16 Oct 2007 23:39:11 -0700 (PDT)
Received-SPF: neutral (google.com: 203.104.16.243 is neither permitted nor denied by domain of tritium_skinz@yahoo.co.in) client-ip=203.104.16.243;
DomainKey-Status: good (test mode)
Authentication-Results: mx.google.com; spf=neutral (google.com: 203.104.16.243 is neither permitted nor denied by domain of tritium_skinz@yahoo.co.in) smtp.mail=tritium_skinz@yahoo.co.in; domainkeys=pass (test mode) header.From=tritium_skinz@yahoo.co.in
Received: (qmail 66556 invoked by uid 60001); 17 Oct 2007 06:39:07 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.co.in;
h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
b=Jkm1zyayJpdojfWlolRV8s8B7ZMoBtPKCuW4NNU55uxwH83y6j6ruDGdFIdFdAknUsznjVcFLl0WBRpvZcbvutBcbvsBKPPTR/rnmKRTNVkUtVCtrB7AQ5+eZCeQ2O8G9TdNrum9wc/o6t0/G9EfMYIwKMF4ZVURC0iSOvmHnNw=;
X-YMail-OSG: 7uzK78cVM1nGUj9wqncQXYWlLU17gEAZ6_q5O_J.2m_tyCdtpH4bkQjw7JJUzC__DYCRdzvdGFJQbJBTVCcG5wfgkff8sjVacgMz1Gql5VAx8QYSaeQU7.gmtQ--
Received: from [59.95.207.31] by web94503.mail.in2.yahoo.com via HTTP; Wed, 17 Oct 2007 07:39:07 BST
Check the 5th and the 2nd last line. It tells that the message was received from Yahoo! servers and also originated there itself. Also, the origination need not necessarily be a Yahoo! server. If I'd have sent it from, for ex., Thunderbird on my PC.. the last Received: header would show my IP address and then the 2nd last Received: header would most probably show the involvement of a Yahoo! server. What is important is the first Received: header. It tells where Google received the message from. There might be cases where it doesn't seem authentic.. you must check the route the message followed. In the case of reputed services like Yahoo!, MSN, GMail etc., it should never be the case.
Some services like the one I used to send the fake mail provide their services for pranks only.. and not abuse. So, they include AntiAbuse headers. In my fake mail I received some additional headers which clearly said that this message is a phished one and in case of abuse should be reported. But do note that professional spammers will use their own solutions for this specific purpose.
I hope this helps.
[edit]
Dammit.. I was late from kalpik's post by, I believe, the time it took me to write that reply.
kalpik said:
You can always spot fakes from the headers.. This one says "mailed-by: pyar.jaanhost.com". Though I know of a way by which I can use any mail host's OWN email servers to send the mails.. Those are harder to spot as fakes.
Pretty unfortunately.. that is possible too. For example, I am running php. I need to set my outgoing server as the gmail server. Now, the thing here is that I need access to the gmail server, which I can get using my rohan[NOSPAM]2[NOSPAM]kool@gmail.com email address and the associated password. Once that is done, I just use the mail() function to send a mail with fake From: headers.. [NOTE: the mail id must be something like arandomguy@google.com] and it gets sent via the gmail servers.
A problem here is that I can send a mail from rohan@tritiumx.com too from gmail.com, which is what I used to do [when I had a domain] using Thunderbird, coz my hosting service had a limit on the outgoing mail. Now, clearly this is a legit mail, but since it would have only the GMail server in the headers, this mail might be considered to be a phished one.
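The Received:-header check walked through in the post above, as an added example (not the poster's script or any forum member's code): it parses the two header sets quoted in the post (trimmed), finds the host that handed the message to the receiving MX, compares it with the From: domain using a crude organisation-label heuristic that is this example's own assumption, and reports the spf/domainkeys results the MX recorded.

```python
import email
import re
# Headers trimmed from the two messages quoted in the post above (constructed test input).
FAKE = """\
Received: by 10.114.197.6 with SMTP id u6cs426556waf; Tue, 16 Oct 2007 23:41:01 -0700 (PDT)
Received: from pyar.jaanhost.com (8a.51.1343.static.theplanet.com [67.19.81.138])
        by mx.google.com with ESMTP id 30si3520549hso.2007.10.16.23.41.00
Authentication-Results: mx.google.com; spf=neutral (google.com: domain of tritium_skinz@yahoo.com
        does not designate 67.19.81.138 as permitted sender) smtp.mail=nobody@pyar.jaanhost.com
Received: from nobody by pyar.jaanhost.com with local (Exim 4.63) id 1Ii2aR-00009z-Tb
From: tritium_skinz@yahoo.com
"""
LEGIT = """\
Received: from web94503.mail.in2.yahoo.com (web94503.mail.in2.yahoo.com [203.104.16.243])
        by mx.google.com with SMTP id e15si3706033qbe.2007.10.16.23.39.08
Authentication-Results: mx.google.com; spf=neutral smtp.mail=tritium_skinz@yahoo.co.in;
        domainkeys=pass (test mode) header.From=tritium_skinz@yahoo.co.in
Received: from [59.95.207.31] by web94503.mail.in2.yahoo.com via HTTP; Wed, 17 Oct 2007 07:39:07 BST
From: tritium_skinz@yahoo.co.in
"""
# "from <host> (<comment>) by <host>"; the "from" part is absent on a receiver's internal hops.
HOP_RE = re.compile(r"(?:from\s+(\S+)\s+(?:\([^)]*\)\s+)?)?by\s+(\S+)", re.I)

def org_label(domain):
    """Crude organisation label (assumed heuristic): strip short trailing labels, yahoo.co.in -> yahoo."""
    labels = domain.lower().split(".")
    while len(labels) > 1 and len(labels[-1]) <= 3:
        labels.pop()
    return labels[-1]

def received_hops(raw):
    """Received headers top-down: hops[0] is the one the recipient's MX added last."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))  # unfold the header before matching
        if m:
            hops.append({"from": m.group(1), "by": m.group(2)})
    return hops

def check_origin(raw):
    """Compare the host that handed the mail to the MX with the From: domain, plus spf/domainkeys."""
    msg = email.message_from_string(raw)
    from_domain = msg["From"].rsplit("@", 1)[-1].strip(" <>")
    handoff = next((h["from"] for h in received_hops(raw) if h["from"]), "")
    auth = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))
    results = dict(re.findall(r"\b(spf|domainkeys|dkim)=(\w+)", auth))
    consistent = org_label(from_domain) in handoff.lower().split(".")
    return {"from_domain": from_domain, "handoff_host": handoff, "spf": results.get("spf"),
            "domainkeys": results.get("domainkeys"), "suspicious": not consistent}
```

As the post's last paragraph notes, a legit mail relayed through the GMail servers with a From: address on another domain trips the same check, so treat a "suspicious" result as a prompt to read the full route rather than as a verdict.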