Email Spoofed. Explain?


So, I think my email id might have gotten hacked. Can someone offer their comments and suggestions on this email? It seems this email went from my mail id to my friend’s email id. The subject is personal and I have not provided it. Also, this email is neither in my ‘Sent’ folder nor in my ‘Trash’ folder.

Delivered-To: [email protected]
Received: by 10.220.187.65 with SMTP id cv1cs37222vcb;
    Tue, 28 Jun 2011 12:25:05 -0700 (PDT)
Received: by 10.236.176.38 with SMTP id a26mr5411029yhm.410.1309289105028;
    Tue, 28 Jun 2011 12:25:05 -0700 (PDT)
Return-Path: <[email protected]>
Received: from ROCKY (host216-212-117-146.birch.net [216.212.117.146])
    by mx.google.com with ESMTP id l25si2327155yhm.109.2011.06.28.12.25.04;
    Tue, 28 Jun 2011 12:25:05 -0700 (PDT)
Received-SPF: neutral (google.com: 216.212.117.146 is neither permitted nor denied by domain of [email protected]) client-ip=216.212.117.146;
Authentication-Results: mx.google.com; spf=neutral (google.com: 216.212.117.146 is neither permitted nor denied by domain of [email protected]) [email protected]
Message-Id: <[email protected]>
MIME-Version: 1.0
From: "MyFullName"
<[email protected]>
To: [email protected]
X-Priority: 1
 Priority: urgent
Importance: high
Date: 28 Jun 2011 15:25:18 -0400
Subject: Email from [email protected]
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<Subject>

Here MyEmailId and MyFriend are two email addresses that are not real. Everything else is. I have not posted the Subject as it is personal.

So if my email id was spoofed, how could the spoofer know my personal details? What are the possibilities? I run Outlook. I installed MacKeeper yesterday (software for cleaning up a Mac). Any connections?

How to solve:


Method 1

There is no hack necessary to send mail with your mail address – anyone can send mails with any sender address to anyone, if the receiving mail server does not have stronger policies. (This is caused by the open structure of the Internet.)

A hack would be necessary to read your mail.

If you want to make sure that no one can send mails in your name, sign your mails (using PGP or S/MIME), and tell all your correspondents that they should discard any non-signed mail claiming to come from you.


Some analysis of the header lines.

The additional two Received lines do not add much.

Received: by 10.220.187.65 with SMTP id cv1cs37222vcb;
    Tue, 28 Jun 2011 12:25:05 -0700 (PDT)
Received: by 10.236.176.38 with SMTP id a26mr5411029yhm.410.1309289105028;
    Tue, 28 Jun 2011 12:25:05 -0700 (PDT)

These are private addresses, inside a local network, and they don’t say from where they received the message. (These are the last stations that the message went through before arriving at your friend.) If your friend used the Gmail web interface, these are most likely Gmail-internal servers.

Then we have these:

Return-Path: <[email protected]>
Received: from ROCKY (host216-212-117-146.birch.net [216.212.117.146])
    by mx.google.com with ESMTP id l25si2327155yhm.109.2011.06.28.12.25.04;
    Tue, 28 Jun 2011 12:25:05 -0700 (PDT)

The Return-Path shows what was mentioned in the SMTP dialogue as MAIL FROM. It was added by the receiving mail server, most likely the one in the next line: mx.google.com. This server got the mail from an SMTP client which identified itself in the SMTP dialogue as ROCKY and had the IP address 216.212.117.146 (which has a reverse DNS mapping to host216-212-117-146.birch.net).

This seems to be an IP address in the US (assigned by ARIN to Birch Telecom and from them to Premier Mortgage Funding). Either they have a bot-infected computer there, or they really sent the mail. (Or someone earlier in the list was spoofing the whole header.)

Do you know anyone at this location? Do the contents of the mail in any way relate to mortgage funding?

Received-SPF: neutral (google.com: 216.212.117.146 is neither permitted nor denied by domain of [email protected]) client-ip=216.212.117.146;
Authentication-Results: mx.google.com; spf=neutral (google.com: 216.212.117.146 is neither permitted nor denied by domain of [email protected]) [email protected]

These lines are most likely added by the same server. The server did an SPF check on the mail address and sender’s IP address, and got neither a positive nor a negative result.

Google’s SPF DNS records look like this (line breaks by me):

gmail.com.         259  IN   TXT     "v=spf1 redirect=_spf.google.com"

_spf.google.com.   236  IN   TXT     "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19
                                             ip4:66.249.80.0/20 ip4:72.14.192.0/18
                                             ip4:209.85.128.0/17 ip4:66.102.0.0/20
                                             ip4:74.125.0.0/16 ip4:64.18.0.0/20
                                             ip4:207.126.144.0/20 ip4:173.194.0.0/16
                                             ?all"

Some IP ranges (which likely include Gmail’s web servers) are explicitly whitelisted, and the rest is mentioned as neutral by the ?all tag at the end.

If the mail were sent from Gmail’s web interface (or via Gmail’s authenticated SMTP submission port), then there would likely be an “spf=positive” or similar result in the header instead.

Message-Id: <[email protected]>

This Message-Id was also added by the accepting mail server.

From: "MyFullName"  <[email protected]>
To: [email protected]

(I suppose name and mail address were on one line.) Now it gets interesting. The sender knew your full name, as well as a fitting mail address. Do a Google search – is this combination public knowledge (i.e. findable on the web)? If not, then it is likely that either someone’s address book got “hacked” (i.e. someone got some malware which is collecting these addresses), or some website where you entered these sold your data.

X-Priority: 1
 Priority: urgent
Importance: high

These header lines would give the mail a quite good chance of getting stuck in my filter, I think 🙂

Subject: Email from [email protected]

This is also a typical spam subject line.

<Subject>

I have not posted the Subject as it is personal.

Do I understand right, the text of the mail contains personal details, and not a generic spammy message?
Could this be some text copied from a mail you (or someone else) wrote before?

Other than this, it could be someone who knows you and your friend and who wants to play a prank on both of you.
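As an added example (not part of the original question or answer), the two checks the answer walks through, done in Python: pull the HELO name, reverse DNS and IP out of the "Received: from" hop, then evaluate that IP against the gmail.com SPF records quoted above. The DNS table is hard-coded from those records so the example runs offline; a real check would query DNS, and only the mechanisms those records use (ip4, all, redirect=) are implemented.

```python
import ipaddress
import re

# Constructed DNS table holding the two TXT records quoted in the answer; a real
# check would look them up in DNS, here they are hard-coded so the example runs offline.
SPF_RECORDS = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
                       "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 "
                       "ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all",
}
# SPF qualifier prefixes: "+" pass (the default), "-" fail, "~" softfail, "?" neutral
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate the ip4, all and redirect= terms of domain's SPF record for client_ip
    (only the mechanisms the quoted records use are implemented)."""
    if depth > 10:  # RFC 7208 limits lookups; a redirect loop is a permanent error
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    # Nothing matched: follow redirect= if present, otherwise the default result is neutral
    return check_spf(redirect, client_ip, records, depth + 1) if redirect else "neutral"

# The hop where the receiving MX saw the outside client: HELO name, reverse DNS, IP
RECEIVED_FROM = re.compile(r"^Received: from (\S+) \(([^\s\[]+) \[(\d+\.\d+\.\d+\.\d+)\]\)", re.M)

def connecting_client(headers):
    """Return (helo, rdns, ip) from the first 'Received: from' line, or None."""
    m = RECEIVED_FROM.search(headers)
    return m.groups() if m else None

# Constructed copy of the relevant hop from the question's headers
HEADERS = ("Received: from ROCKY (host216-212-117-146.birch.net [216.212.117.146])\n"
           "    by mx.google.com with ESMTP id l25si2327155yhm.109.2011.06.28.12.25.04;\n")
```

Running check_spf("gmail.com", ip) on the IP taken from HEADERS gives "neutral", matching the Received-SPF line in the question, while an address inside one of the listed ip4 ranges gives "pass".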


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.
