This is the email path analyser online tool from DNS Stuff, showing the results of a header analysis. The diagram above shows the results for header number D1 from the drugs category: the source IP address is 12.177.169.227 and the country of origin is the United States; the email has been identified as spam, is listed in two spam databases, and its threat level has been identified as high. The diagram below is another interface of the tool, which represents the exact delivery path taken by the email.
This is the same header, D1 from the drugs category in the table, run through the second online tool used, the Geobytes spam locator tool. The information that can be derived from the header using this tool is similar to that supplied by the DNS Stuff email path analyser, except that this tool also provides the city of origin and additional information about the exact location of the city and the surrounding areas.
The same header, D1, was also used with the Email Track Pro analyser. As shown in the diagram above, the origin of the spam is shown as America, the email path is shown, and the tool also provides system information about what services are running.
This is another interface of the software; it shows the sender's IP address and its location on a global map. It has also produced evidence showing that the sender of the mail used a forged email address: the sender's email address is pmapfumo@gmail.com and the recipient's address is p.mapfumo@gmail.com.
Header analysis results by spam category (blank cells: no value recorded):

Header | Spam Category  | Domain Whois      | Threat Level | Country of origin                                                                      | City of origin | Source IP Address        | Number of Hops | Spam legislation
D1     | Drugs          | Unknown           | High Risk    | United States                                                                          | Bartlesville   | 12.177.169.27            | No             |
D2     | Drugs          | Unknown           | High Risk    | Romania                                                                                | Bucharest      | 89.122.251.15            | No             | E-Privacy Directive
D3     | Drugs          | Unknown           | High Risk    | Brazil                                                                                 | São Paulo      | 187.104.133.34           | No             |
D4     | Drugs          | Unknown           | High Risk    |                                                                                        | Dubai          | 92.97.168.129            | No             |
D5     | Drugs          | Unknown           | High Risk    |                                                                                        | Barcelona      | 92.56.31.228             | No             | E-Privacy Directive
SC1    | Sexual content | Unknown           | High Risk    | United States                                                                          | Miami          | 10.2.0.165               | Yes            | Can-Spam Act
SC2    | Sexual content | Unknown           | High Risk    |                                                                                        | New York       | 192.22.72.131            | Yes            | E-Privacy Directive
SC3    | Sexual content | Unknown           | High Risk    |                                                                                        | Skopje         | 38.58.207.252            | Yes            | None
SC4    | Sexual content | Unknown           | High Risk    |                                                                                        | Sofia          | 85.118.193.144           | No             |
SC5    | Sexual content | Unknown           | High Risk    | *Poland/France/United Kingdom/United                                                   | Warsaw         | 6.146.147.126            | Yes            |
S1     | Services       | Mp3musicinic.com  | Low Risk     | Unknown                                                                                | Canton         | 209.2.33.250             | No             |
S2     | Services       |                   | Medium Risk  | United Kingdom                                                                         | London         | 83.244.173.11            | No             | E-Privacy Directive
S3     | Services       |                   | Low Risk     | United States                                                                          |                | 207.8.203.52             | No             | Can-Spam Act
S4     | Services       |                   | Low Risk     | United States                                                                          |                | 209.2.33.250             | No             | Can-Spam Act
S5     | Services       |                   | Low Risk     | United States                                                                          |                | 207.8.203.52             | No             | Can-Spam Act
G1     | Goods          |                   | High Risk    | *Brazil (maybe or unknown) / *Italy (maybe or unknown) / United Arab Emirates / Saudi Arabia |                |                          | Yes            |
G2     | Goods          | Unknown           | High Risk    | N/A                                                                                    | N/A            |                          | Yes            | N/A
G3     | Goods          | Unknown           | High Risk    |                                                                                        |                |                          | No             | None
G4     | Goods          | Unknown           | High Risk    |                                                                                        |                | 84.235.75.18             | No             | None
G5     | Goods          | Unknown           | High Risk    | China                                                                                  | Beijing        | *127.0.0.1/119.181.170.6 | Yes            |
There were spam emails that hopped through many countries in order to evade detection. It was therefore difficult to determine the origin of some of the spam emails in the sexual content section. One example involves header number SC2: all of the header analysis tools produced different results as to where the spam email originated from. DNS Stuff, which was the main tool used, revealed that the spam email was originally from the United States and then went through Japan and Portugal before arriving in the user's mailbox. Email Track Pro identified the origin of the spam email as Portugal. Geobytes identified the email as originating from the United States and then going through Australia and Portugal before arriving in the user's mailbox. Because Portugal was the only country that appeared in all of the header analysis results, it was determined that the most likely true origin of the spam email was Portugal.

Another unusual finding was discovered in the header analysis of sexual content header number SC3, where the header analysis tools also produced different results as to where the email originated from. DNS Stuff revealed that the spam email was originally from the United States and then went through the Netherlands and Macedonia before arriving in the user's mailbox. Email Track Pro identified the email as originating from Macedonia. Geobytes identified the email as originating from the Netherlands and passing through Macedonia before arriving in the user's mailbox. Because Macedonia appeared in all of the header analysis results, it was determined that the true origin of the spam email was Macedonia. The same methodology was used for sexual content header number SC5, which also produced different results; the true origin of that spam email was determined to be Poland.

The reason it was difficult to ascertain the origin of these spam emails is that they had been misdirected through multiple countries, as evidenced by the number of hops they had. All of the emails that were misdirected through multiple countries had five or more hops, making it uncertain which of the countries the spam originated from. This shows the lengths to which spammers will go to evade detection.

Some of the spam used IP address manipulation by faking the local IP address, as evidenced by the header analysis of goods header numbers G1 and G5. When header G1 was run through the DNS Stuff and Geobytes tools the local host was unknown, and on close inspection the local IP address was 127.0.0.1, which is a reserved network address used for network diagnostic purposes. However, the country of origin was correctly identified as Brazil. The same process was conducted on goods header number G5, which identified the email as originating from China; however, the local IP address of the email was unknown and it also had a 127.0.0.1 address.
Most of the spam that was analysed had dynamic IP addresses. The significance of this, according to Lueg et al. (2006), is that the majority of SMTP servers have a static IP address that does not change frequently; therefore the presence of a dynamic host name may prove that the header has been faked. The email header from goods number G2 could not be read and produced invalid-header errors when run through DNS Stuff and Email Track Pro, but when it was processed through Geobytes the country of origin was identified as Italy. A manual analysis of the email showed that its local IP address was the reserved IP address 127.0.0.1, and a comparison with other headers revealed no distinguishing features in the header information that would have produced an invalid-header error for this email header.

The majority of the spam emails identified appeared more than once in spam lists, which indicates that the paths the spam emails took through mail servers were checked against known spam lists. However, there were some emails from the domain mp3musicinic.com which were found in the user's spam folder but were not listed in any spam blacklists, nor were they identified as spam by any of the email analysers. It can be argued that the most likely reason for this anomaly is that the researcher's email account provider used a content analysis tool, amongst other technologies, to detect spam, which may not have been used by the email analysers.

The availability of spam legislation in each of the countries identified was examined. The United States, China, Brazil and most of the countries in the European Union all have some form of spam legislation. However, this was found to be a very small percentage; therefore it can be argued that on an international scale only a small minority of countries have some form of spam legislation.
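The hop-walking, fake-local-address and dynamic-hostname checks described above, as an added example that is not part of the original report or of any of the tools it names; the raw message is a constructed sample, and the dynamic-hostname tokens are an assumed heuristic rather than anything from the page:

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not a real capture): five hops, the oldest claiming
# 127.0.0.1, then a dynamic-looking DSL host. Addresses are RFC 5737 ranges.
SAMPLE_RAW = "\n".join([
    "Received: from mx.example.net (mx.example.net [192.0.2.10]) by inbox.example.org",
    "Received: from relay.example.jp (relay.example.jp [198.51.100.7]) by mx.example.net",
    "Received: from gw.example.pt (gw.example.pt [198.51.100.9]) by relay.example.jp",
    "Received: from localhost (dsl-203-0-113-5.dyn.example.pt [203.0.113.5]) by gw.example.pt",
    "Received: from [127.0.0.1] (unknown [127.0.0.1]) by dsl-203-0-113-5.dyn.example.pt",
    "Subject: constructed sample",
])

# Loopback and RFC 1918 space can never be a genuine Internet source, so a
# Received: line naming them was written by the sender or by a local relay.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Heuristic (assumption): tokens ISPs commonly use in reverse DNS of dynamic pools.
DYNAMIC_TOKENS = re.compile(r"(?:^|[.-])(dyn|dsl|dhcp|pool|ppp|cable|dial)(?:[.-]|$)", re.I)
RCVD_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RCVD_HOST = re.compile(r"\(([^\s()\[]+)\s*\[")  # reverse name written before the [ip]

def is_non_routable(ip):
    return any(ipaddress.ip_address(ip) in net for net in NON_ROUTABLE)

def parse_hops(raw):
    """Return (reverse_hostname, ip) per Received: header, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # stored newest-first
        ip = RCVD_IP.search(hdr)
        host = RCVD_HOST.search(hdr)
        hops.append((host.group(1) if host else "", ip.group(1) if ip else ""))
    return hops

def assess(raw):
    """Summarise the indicators the analysis uses to judge origin and forgery."""
    hops = parse_hops(raw)
    routable = [ip for _, ip in hops if ip and not is_non_routable(ip)]
    return {
        "hop_count": len(hops),
        "multi_hop": len(hops) >= 5,            # five or more hops, as in SC2/SC3/SC5
        "fake_local_ip": any(ip and is_non_routable(ip) for _, ip in hops),
        "likely_origin": routable[0] if routable else None,  # oldest routable hop
        "dynamic_hosts": [h for h, _ in hops if DYNAMIC_TOKENS.search(h)],
    }
```

For the constructed message the oldest routable hop (203.0.113.5) is reported as the likely origin while the 127.0.0.1 line is flagged as a faked local address, the same reasoning the report applies to G1, G2 and G5.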
In addition, Wikipedia has a list of countries that have some form of legislation, which can be found at the following URL:
http://en.wikipedia.org/wiki/E-mail_spam_legislation_by_country. However, whether this can be relied on is another matter, as anyone can upload data to Wikipedia. Countries such as the United States, China and Brazil have some form of legislation but are still the worst offenders. This supports the research of Walls (2004) and Jones (2006), which argues that countries like the United States have been criticised for not imposing harsh penalties on spammers and for managing the spam problem rather than making it an unlawful activity. Therefore spam legislation has not done much to mitigate the flow of spam. However, this has not been helped by foreign ISPs' unwillingness to cooperate in tracking spammers.
The expansion of the European Union means that countries that did not previously have spam legislation now have a duty under the E-Privacy Directive. Whether this will result in less spam coming from some of these countries is as yet unknown.
DNS Stuff assigned threat levels to the spam emails, and the majority of the spam was marked as high risk, which was determined by its appearance in spam lists, the spam email paths and the header analysis. This left only the spam that was mainly from the services category, which tended to be low risk; however, it was still marked as spam and was found in the researcher's spam folder. One email address was given a medium risk rating and was identified as spam. This allowed the researcher to conclude that any email that posed any form of risk was identified as spam. A reverse DNS tool used by DNS Stuff revealed that most spam domains were not listed in a Whois database, proving that the spam email address domains were forged, even those from popular email providers like Hotmail, Yahoo or Gmail.