
Header analysis methodology

This is the email path analyser online tool from DNS Stuff, showing the results of a header analysis. The information in the diagram above shows the results for header number D1 from the drugs category: the source IP address is 12.177.169.227 and the country of origin is the United States; the email has been identified as spam, is listed in two spam databases, and the threat level of the spam has been identified as high. The diagram below is another interface of the tool that represents the exact delivery path taken by the email.

This is the same header, D1 from the drugs category in the table, on the second online tool that was used, the Geobytes spam locator tool. The information that can be derived from the header using this tool is similar to that supplied by the DNS Stuff email path analyser, except that this tool also provides the city of origin and additional information concerning the exact location of the city and the surrounding areas.

The same header, D1, is also used with the Email track pro analyser. As shown in the diagram above, the origin of the spam is shown as America, the email path is shown, and the tool also provides system information about which services are running.

This is another interface of the software; it shows the sender's IP address and the location on a global map. It has also produced evidence showing that the sender of the mail has used a forged email address. The sender email address is pmapfumo@gmail.com and the recipient's address is p.mapfumo@gmail.com.

| Spam Category | Header | Domain Whois | Threat Level | Country or path of origin | City of origin | Number of Hops | Source IP Address | Most likely Misdirected | Number of spam databases listed | Spam legislation |
|---|---|---|---|---|---|---|---|---|---|---|
| Drugs | D1 | Unknown | High Risk | United States | Bartlesville | | 12.177.169.27 | No | 5 | Can-Spam Act |
| Drugs | D2 | Unknown | High Risk | Romania | Bucharest | | 89.122.251.15 | No | | E-Privacy Directive |
| Drugs | D3 | Unknown | High Risk | Brazil | São Paulo | | 187.104.133.34 | No | | Movimento Brasileiro de Combate ao Spam |
| Drugs | D4 | Unknown | High Risk | United Arab Emirates | Dubai | | 92.97.168.129 | No | | None |
| Drugs | D5 | Unknown | High Risk | Spain | Barcelona | | 92.56.31.228 | No | | E-Privacy Directive |
| Sexual Content | SC1 | Unknown | High Risk | United States | Miami | | 10.2.0.165 | Yes | | Can-Spam Act |
| Sexual Content | SC2 | Unknown | High Risk | *Portugal/Japan/United States | New York | | 192.22.72.131 | Yes | | E-Privacy Directive |
| Sexual Content | SC3 | Unknown | High Risk | *Macedonia/Yugoslavia/United States | Skopje | | 38.58.207.252 | Yes | | None |
| Sexual Content | SC4 | Unknown | High Risk | Bulgaria | Sofia | | 85.118.193.144 | No | | The Law of electronic commerce (2006) |
| Sexual Content | SC5 | Unknown | High Risk | *Poland/France/United Kingdom/United States | Warsaw | | 6.146.147.126 | Yes | | E-Privacy Directive |
| Services | S1 | Mp3musicinic.com | Low Risk | United States | Canton | | 209.2.33.250 | No | | Can-Spam Act |
| Services | S2 | Unknown | Medium Risk | United Kingdom | London | | 83.244.173.11 | No | | E-Privacy Directive |
| Services | S3 | Mp3musicinic.com | Low Risk | United States | Philadelphia | | 207.8.203.52 | No | | Can-Spam Act |
| Services | S4 | Mp3musicinic.com | Low Risk | United States | Canton | | 209.2.33.250 | No | | Can-Spam Act |
| Services | S5 | Mp3musicinic.com | Low Risk | United States | Philadelphia | | 207.8.203.52 | No | | Can-Spam Act |
| Goods | G1 | Unknown | High Risk | *Brazil (Maybe or unknown) | N/A | | *127.0.0.1/200.174.136.196 | Yes | | Movimento Brasileiro de Combate ao Spam |
| Goods | G2 | Unknown | High Risk | *Italy (Maybe or unknown) | N/A | N/A | 109.111.251.24 ?(ip reserved) | Yes | N/A | E-Privacy Directive |
| Goods | G3 | Unknown | High Risk | United Arab Emirates | Abu Dhabi | | 92.96.80.125 | No | | None |
| Goods | G4 | Unknown | High Risk | Saudi Arabia | Jeddah | | 84.235.75.18 | No | | None |
| Goods | G5 | Unknown | High Risk | China | Beijing | | *127.0.0.1/119.181.170.6 | Yes | | Regulations on Internet E-Mail Services |

Header analysis results


This section of the report looks at the table above, which shows the results obtained from the header analysis of 20 emails that were found in a typical user's inbox. Results from certain sections of the table will be analysed to give an explanation of the findings. The spam category data set revealed that the majority of spam collected over the two-week period consisted of drugs (sex-enhancing drugs or prescription drugs), sexual content (pornographic or dating sites), services (mainly online television) and tangible goods (mainly watches). The spam categories fall into the same classes as identified by Hulten et al (2004), who argue that classes can be identified as domestic, semi-domestic and international, meaning that most of the products were small in quantity, not expensive to transport and capable of being sold internationally without legal restrictions. However, the reason most of the spam fell into those categories can be attributed to the following: surfing behaviour, the location of the email account and how active it was, which implies that the type of spam received in one country is likely to differ from that received in another. Many countries were identified in the table above as originators of spam. However, the United States is the worst offender, as supported by its number of appearances in the table, which also supports the evidence from previous research conducted by Sophos (2004) and Spamhaus (2010). The appearance of other countries, mainly of European origin, suggests that it is not the only offender. The inclusion of other countries such as China, Brazil and Romania, which were also identified by Sophos (2004) and Spamhaus (2010), leads one to believe that spam is indeed a global problem.
The research has shown that spammers use a variety of methods to evade detection, such as the use of proxies, open relays, untraceable IP addresses and the creation of botnets, which complicates the problem. This brings the researcher to question to what extent the results obtained from the research can be relied upon.

Some spam emails hopped through many countries, for instance in order to evade detection. It was therefore difficult to determine the origin of some of the spam emails in the sexual content section. One example involves header number SC2: all the header analysis tools produced different results as to where the spam email originated from. DNS Stuff, the main tool used, revealed that the spam email was originally from the United States and then went through Japan and Portugal before arriving at the user's mailbox. Email track pro identified the origin of the spam email as Portugal. Geobytes identified the email as originating from the United States and then passing through Australia and Portugal before arriving at the user's mailbox. Because Portugal was the only country that appeared in all of the header analysis results, it was determined that the most likely true origin of the spam email was Portugal. Another unusual finding was discovered in sexual content header number SC3, where the header analysis tools also produced different results as to where the email originated from. DNS Stuff revealed that the spam email was originally from the United States and then went through the Netherlands and Macedonia before arriving at the user's mailbox. Email track pro identified the email as originating from Macedonia. Geobytes identified the email as originating from the Netherlands and passing through Macedonia before arriving in the user's mailbox. Because Macedonia appeared in all the header analysis results, it was determined that the true origin of the spam email was Macedonia. The same methodology was used for sexual content header number SC5, which also produced different results; the true origin of that spam email was determined to be Poland. The reason it was difficult to ascertain the origin of these spam emails is that they had been misdirected through multiple countries, as evidenced by the number of hops they had. All of the emails that were misdirected through multiple countries had five or more hops, making it uncertain which of the countries the spam originated from. This shows the lengths to which spammers will go to evade detection.

Some of the spam used IP address manipulation by faking the local IP address, as evidenced by the header analysis of goods header numbers G1 and G5. When header G1 was run through the DNS Stuff and Geobytes tools the local host was unknown, and on close inspection the local IP address was 127.0.0.1, a reserved network address that is used for network diagnostic purposes. However, the country of origin was correctly identified as Brazil. The same process was conducted on goods header number G5, which identified the email as originating from China; however, the local IP address of the email was unknown and was also 127.0.0.1.
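As an added example (not part of the report or of any of the tools it describes), the following Python script applies the reasoning above to a constructed header: it walks the Received: chain oldest-first, flags hops whose address is loopback (127.0.0.1, as in G1 and G5) or otherwise non-routable (such as the 10.x address recorded for SC1), counts the hops, and treats five or more as likely misdirected, the threshold observed above. It generalises slightly by checking every non-routable block rather than only 127.0.0.1. The sample message, the hostnames and the five-hop threshold are assumptions constructed for the illustration.

```python
import email
import ipaddress
import re

# Constructed sample: a loopback hop and an RFC 1918 hop sit below three
# relays, mimicking the G1/G5 and SC1 patterns in the table (newest hop first).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10]) by inbox.example.org; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay2.example.com ([198.51.100.7]) by mx.example.net; Mon, 1 Jan 2024 10:00:04 +0000
Received: from relay1.example.com (relay1.example.com [192.0.2.44]) by relay2.example.com; Mon, 1 Jan 2024 10:00:03 +0000
Received: from gw.example.org (gw.example.org [10.2.0.165]) by relay1.example.com; Mon, 1 Jan 2024 10:00:02 +0000
Received: from localhost (localhost [127.0.0.1]) by gw.example.org; Mon, 1 Jan 2024 10:00:01 +0000
"""

# Address blocks that can never be a genuine Internet-facing relay.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4")]
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
FROM_BY_RE = re.compile(r"from\s+(\S+)\s*(.*?)\s+by\s", re.S)

def non_routable(ip):
    return any(ip in net for net in NON_ROUTABLE)

def hop_chain(raw):
    """Return hops oldest-first as (host, ip_or_None, non_routable_flag)."""
    msg = email.message_from_string(raw)
    hops = []
    # The topmost Received: line is the newest, so reverse to get delivery order.
    for line in reversed(msg.get_all("Received", [])):
        m = FROM_BY_RE.match(line)
        if not m:
            continue
        host, comment = m.group(1), m.group(2)
        found = IPV4_RE.search(comment) or IPV4_RE.search(host)
        ip = ipaddress.ip_address(found.group(1)) if found else None
        hops.append((host, str(ip) if ip else None, bool(ip and non_routable(ip))))
    return hops

def assess(raw, hop_threshold=5):
    """Hop count, misdirection flag, faked local hops and the earliest routable address."""
    hops = hop_chain(raw)
    return {
        "hops": len(hops),
        "likely_misdirected": len(hops) >= hop_threshold,
        "non_routable_hops": [(h, ip) for h, ip, bad in hops if bad],
        "first_routable_ip": next((ip for _, ip, bad in hops if ip and not bad), None),
    }
```

The earliest routable address is the best candidate for the true origin; the hops flagged before it are the "local" addresses a spammer can write into the header freely.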

Most of the spam that was analysed had dynamic IP addresses. The significance of this, according to Lueg et al (2006), is that the majority of SMTP servers have a static IP address that does not change frequently; therefore the presence of a dynamic host name may prove that the header has been faked. The email header from goods number G2 could not be read and produced invalid-header errors when run through DNS Stuff and Email track pro, but when it was processed through Geobytes the country of origin was identified as Italy. A manual analysis of the email showed that the local IP address of the email was the reserved IP address 127.0.0.1, and comparison with other headers revealed no distinguishing features in the header information that would have produced an invalid-header error for this email.

The majority of the spam emails identified appeared more than once in spam lists, which indicates that the paths the spam emails took through mail servers were checked against known spam lists. However, there were some emails from the domain mp3musicinic.com that were found in the user's spam folder. None of the emails from mp3musicinic.com were listed in any spam blacklists, nor were they identified as spam by any of the email analysers. It can be argued that the most likely reason for this abnormality is that the researcher's email account provider used a content analysis tool, amongst other technologies, to detect spam, which might not have been used by the email analysers.

The availability of spam legislation in each of the countries identified was examined: the United States, China, Brazil and most of the countries in the European Union all have some form of spam legislation. However, this was found to be a very small percentage, so it can be argued that on an international scale only a small minority of countries have some form of spam legislation. In addition, Wikipedia has a list of countries that have some form of legislation, which can be found at the following URL:

http://en.wikipedia.org/wiki/E-mail_spam_legislation_by_country. However, whether this can be relied on is another matter, as anyone can upload data to Wikipedia. Countries such as the United States, China and Brazil have some form of legislation but are still the worst offenders. This supports the research of Walls (2004) and Jones (2006), which argues that countries like the United States have been criticised for not imposing harsh penalties on spammers and for managing the spam problem rather than making it an unlawful activity. Therefore spam legislation has not done much to mitigate the flow of spam. This has not been helped by foreign ISPs' unwillingness to cooperate in tracking spammers.

The expansion of the European Union means that countries that did not have spam legislation now have a duty under the E-Privacy Directive. Whether this will result in less spam coming from some of these countries is yet unknown.

DNS Stuff assigned threat levels to the spam emails, and the majority of spam was marked as high risk, which was determined by its appearance in spam lists, the spam email paths and the header analysis. This left only the spam that was mainly from the services category, which tended to be of low risk; however, it was still marked as spam and was found in the researcher's spam folder. One email address was marked as medium risk and was identified as spam. This allowed the researcher to conclude that any email that posed any form of risk was identified as spam. A reverse DNS tool used by DNS Stuff revealed that most spam domains were not listed in a Whois database, proving that the spam email address domains were forged, even those from popular email providers like Hotmail, Yahoo or Gmail.
