Mail tagged as "Authentic Sender", what is it?
Thread Starter
Join Date: Feb 2000
Location: asia
Posts: 542
I have a mail account which gets very little spam, maybe one a month.
However, a spam mail item has just arrived, which is different. Outlook displays the message
Authentic Sender, Hash:JlFgNdEc
At the top of the message, and at the end, in the body of the mail message is
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQBBRyYyJjGc5ftAw8wRAt63AKCihQc0plRlfwJHQ3qA4LwoIQVqQQCd
EvcR sV4sbbE6Nw1EtDwlDVZ+SBgSC
-----END PGP SIGNATURE-----
I've not seen this before - are the 2 things related?
Does it contain anything useful to track down the sender of the spam?
Last edited by stickyb; 30th Sep 2004 at 10:43.
Join Date: Sep 1998
Location: Sydney, Australia
Posts: 513
If genuine, all that stuff is associated with a program called PGP - Pretty Good Privacy.
PGP, first developed in the '90s by Phillip Zimmerman, an American, is an excellent encryption and digital signature program. The program is so good that the FBI wanted the code so that crims wouldn't have an advantage over them. Zimmerman "declined" and all sorts of harassment followed, including imprisonment or the threat of it. Eventually 2 versions were released, one for the USA for which the FBI holds a "master key" and one international for which they don't. (That may have changed since 9-11.) So much for the potted history.
What you're seeing, if it's genuine, is the digital signature of the sender, and yes, the two things are related.
If the email is spam it's possible the spammer has cut and pasted the digital signature stuff from another email, or has actually used PGP to make his rubbish look more genuine.
You can check if a PGP digital signature is valid only if you have PGP installed yourself (I think). There are versions for various operating systems, hence the reference to FreeBSD.
You can find out more about PGP here. It's quite interesting.
AA
Last edited by Ausatco; 29th Sep 2004 at 23:00.
Guest
Posts: n/a
If it was a bona fide signed message, it would begin with:
"-----BEGIN PGP SIGNED MESSAGE-----".
The bit at the bottom would be essentially similar, though with newlines at appropriate points. The garbage-looking bit, in a real signed PGP message, would be unique to the message text and to the sender's encryption key.
The "Authentic Sender" bit, whatever it is, is not PGP.
This looks to me like spam designed to appear digitally signed (to an unsophisticated spam filter).
Incidentally, GnuPG is an open-source free substitute for PGP.
Edited for accuracy
Last edited by Tuba Mirum; 2nd Oct 2004 at 07:57.
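The two replies above describe what a real signed message looks like and say the signature can only be checked with PGP installed. You can get a fair way without PGP, though, because the armoured block is a plain format. The following Python is an added example, not code from this thread or from GnuPG: it takes the block quoted in the first post (re-wrapped at its markers; the blank line after the Version: header is what GnuPG emits and is assumed here, since the page shows the block flattened), checks whether the message carries the "BEGIN PGP SIGNED MESSAGE" header a clearsigned mail starts with, verifies the Radix-64 checksum when the "=XXXX" line is present, and decodes the fixed fields of the signature packet. Function names (parse_armor, parse_signature_packet, assess) are my own.

```python
import base64
import re
from datetime import datetime, timezone

# Constructed sample: the armoured block quoted in the first post, re-wrapped at
# its markers. On the page the last base64 line is cut short and the "=XXXX"
# checksum line that GnuPG always emits is missing.
SAMPLE = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQBBRyYyJjGc5ftAw8wRAt63AKCihQc0plRlfwJHQ3qA4LwoIQVqQQCd
EvcR sV4sbbE6Nw1EtDwlDVZ+SBgSC
-----END PGP SIGNATURE-----
"""

CLEARSIGN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
PK_ALGOS = {1: "RSA", 16: "ElGamal", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 8: "SHA-256", 10: "SHA-512"}


def crc24(data: bytes) -> int:
    """Radix-64 checksum from RFC 4880 section 6.1 (poly 0x1864CFB, init 0xB704CE)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def parse_armor(text: str) -> dict:
    """Split an armoured signature into its headers, raw packet bytes and checksum status."""
    inner = text[text.index(SIG_BEGIN) + len(SIG_BEGIN):text.index(SIG_END)]
    headers, body_lines, crc_line, in_headers = {}, [], None, True
    for line in inner.strip("\r\n").splitlines():
        if in_headers and ":" in line:          # "Version:", "Comment:", ...
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
            continue
        in_headers = False                      # blank line (or first body line) ends the headers
        if line.startswith("="):                # "=XXXX": CRC-24 of the decoded body
            crc_line = line[1:5]
        elif line.strip():
            body_lines.append(line)
    b64 = re.sub(r"\s+", "", "".join(body_lines))
    usable = b64[: len(b64) - len(b64) % 4]     # drop a cut-off trailing group
    body = base64.b64decode(usable)
    crc_ok = None                               # unknown when no checksum line survives
    if crc_line:
        crc_ok = crc24(body) == int.from_bytes(base64.b64decode(crc_line), "big")
    return {"headers": headers, "body": body, "crc_ok": crc_ok,
            "truncated": len(b64) % 4 != 0}


def parse_signature_packet(body: bytes) -> dict:
    """Decode the packet header and the fixed fields of an OpenPGP signature packet."""
    tag_byte = body[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_byte & 0x40:                          # new-format header (RFC 4880 4.2.2)
        tag, first = tag_byte & 0x3F, body[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + body[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(body[2:6], "big"), 6
        else:
            raise ValueError("partial body length not handled")
    else:                                        # old-format header (RFC 4880 4.2.1)
        tag, size = (tag_byte >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(tag_byte & 0x03)
        if size is None:
            raise ValueError("indeterminate packet length")
        length, off = int.from_bytes(body[1:1 + size], "big"), 1 + size
    if tag != 2:
        raise ValueError(f"first packet has tag {tag}, not a signature")
    p = body[off:off + length]
    info = {"packet_length": length, "version": p[0]}
    if p[0] == 3:
        # v3 layout: hashed-len(1) type(1) time(4) key-id(8) pk-algo(1) hash-algo(1) left16(2) MPIs
        info.update(
            sig_type=p[2],
            created=datetime.fromtimestamp(int.from_bytes(p[3:7], "big"), timezone.utc),
            key_id=p[7:15].hex().upper(),
            pk_algo=PK_ALGOS.get(p[15], p[15]),
            hash_algo=HASH_ALGOS.get(p[16], p[16]),
        )
    elif p[0] == 4:
        # v4 layout: type(1) pk-algo(1) hash-algo(1); time and issuer live in subpackets
        info.update(sig_type=p[1], pk_algo=PK_ALGOS.get(p[2], p[2]),
                    hash_algo=HASH_ALGOS.get(p[3], p[3]))
    return info


def assess(message_body: str) -> dict:
    """What an armoured signature pasted into a mail body does and does not tell you."""
    armor = parse_armor(message_body)
    sig = parse_signature_packet(armor["body"])
    return {
        "clearsigned": CLEARSIGN in message_body,   # without this there is no signed text at all
        "version_header": armor["headers"].get("Version"),
        "crc_ok": armor["crc_ok"],
        "truncated": armor["truncated"],
        **sig,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key:>15}: {value}")
```

Run against the quoted block, this reports no clearsign header (so there is no signed text for the signature to cover), a truncated body with no checksum line, and a well-formed version 3 DSA/SHA-1 signature packet of 63 bytes whose creation time is 14 September 2004, about two weeks before the mail arrived. That is consistent with a real signature lifted from somewhere else and pasted on: the key ID it names could be looked up on a keyserver, but since anyone can copy an armoured block, it identifies the original signer at most, not whoever sent the spam. Verifying whether the signature actually matches a message still needs the signer's public key and gpg --verify.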
Thread Starter
Join Date: Feb 2000
Location: asia
Posts: 542
The PGP bit is just text on the tail end of the message and could have been cut and pasted, but the Authentic Sender bit seems to be in a header or something: it is not displayed as part of the text but as part of the headers (to/from/etc).
Thread Starter
Join Date: Feb 2000
Location: asia
Posts: 542
Just got another one, here is the header. Anyone help me decipher it?
Sender: [email protected]
Received: from w114.z064221070.chi-il.dsl.cnc.net (w114.z064221070.chi-il.dsl.cnc.net [64.221.70.114])
by siaag2ah.compuserve.com (8.12.11/8.12.7/SUN-2.17) with SMTP id i8UIlCIm017572;
Thu, 30 Sep 2004 14:48:07 -0400 (EDT)
Message-Id: <[email protected]>
Received: from TRBOG-CK06 (20.88.248.128) by 64.221.70.114; Thu, 30 Sep 2004 14:49:15 -0500
From: "Dr. " <[email protected]>
To: [email protected]
Subject: New Canadian Generic Drugstore
Date: Thu, 30 Sep 2004 14:49:15 -0500
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_00XS_01C5673YF_09E.488M63F0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-message-flag: Authentic Sender, Hash: OySnZpBf
X-Virus-Scanned: clamd / ClamAV version 0.70, clamav-milter version 0.70j
What is the significance of x-message flag: Authentic sender
Guest
Posts: n/a
I'm open to correction here, but I think it is an attempt to look as though the sender takes part in a scheme such as Sender Policy Framework (SPF), which is intended to provide for proper authentication of the sender of an email. Not being a participant in SPF, I have no emails to compare this one to, unfortunately.
SPF has other elements than this "Authentic Sender" anyway, without which it doesn't work as a system: it involves amended DNS entries, as I understand it.
So taking your first example, what we have is a spammer inserting "clues" designed to fool an unsophisticated mail agent or recipient into thinking the message has some kind of spurious validity. All too common, unfortunately.
If you invest in some client anti-spam software that uses "Bayesian" methods, you can train it to recognise and bin things like this. One example (for Outlook users) is Outclass/POPFile.
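The headers posted above already answer most of the question, and the SPF remark can be made concrete too. What follows is an added example, not code from this thread: a Python script that takes a constructed copy of those headers (folded Received: lines re-indented; the addresses the page masks as "[email protected]" are left exactly that way, since nothing depends on them), walks the Received: chain from the top, and lists what a filter or an investigator would flag. It relies on two facts. First, only the topmost Received: line, written by the compuserve.com server, can be trusted; the line under it was handed over by the connecting host and can say anything, including the 20.88.248.128 address and the timestamp. Second, Outlook displays the text of an X-Message-Flag header in the bar above the message, which is why "Authentic Sender, Hash: ..." appeared alongside To/From rather than in the body; it is free-form text chosen by the sender. The spf_check function evaluates a hypothetical SPF TXT record (my own, not anything published for these hosts) against the connecting address, offline, to show the DNS side of SPF that the reply above mentions; real SPF also has include/a/mx mechanisms that need DNS lookups and are not handled here. Function names are mine.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the headers posted in the thread, with the folded
# Received: and Content-Type: lines re-indented. The page masks the mail
# addresses as "[email protected]"; they are kept as-is.
RAW = """Sender: [email protected]
Received: from w114.z064221070.chi-il.dsl.cnc.net (w114.z064221070.chi-il.dsl.cnc.net [64.221.70.114])
    by siaag2ah.compuserve.com (8.12.11/8.12.7/SUN-2.17) with SMTP id i8UIlCIm017572;
    Thu, 30 Sep 2004 14:48:07 -0400 (EDT)
Message-Id: <[email protected]>
Received: from TRBOG-CK06 (20.88.248.128) by 64.221.70.114; Thu, 30 Sep 2004 14:49:15 -0500
From: "Dr. " <[email protected]>
To: [email protected]
Subject: New Canadian Generic Drugstore
Date: Thu, 30 Sep 2004 14:49:15 -0500
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_000_00XS_01C5673YF_09E.488M63F0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-message-flag: Authentic Sender, Hash: OySnZpBf
X-Virus-Scanned: clamd / ClamAV version 0.70, clamav-milter version 0.70j

"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s*\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)", re.S)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_received(value: str) -> dict:
    """Pull the claimed sending host, its IP, the receiving host and the stamp out of one Received: line."""
    value = " ".join(value.split())                    # unfold continuation lines
    m = RECEIVED_RE.search(value)
    from_part = value.split(" by ", 1)[0]              # IPs before "by" describe the sender
    ips = IPV4_RE.findall(from_part)
    stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    return {
        "helo": m.group("helo") if m else None,
        "by": m.group("by") if m else None,
        "ip": ips[0] if ips else None,
        "date": parsedate_to_datetime(stamp) if stamp else None,
    }


def time_anomalies(hops: list) -> list:
    """Hops are listed newest first, so each lower line must be earlier than the line above it."""
    out = []
    for upper, lower in zip(hops, hops[1:]):
        if upper["date"] and lower["date"] and lower["date"] > upper["date"]:
            out.append((lower["helo"], (lower["date"] - upper["date"]).total_seconds()))
    return out


def analyse(raw: str) -> dict:
    """Walk the Received: chain and collect the points a filter or investigator would flag."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    findings = []
    for helo, skew in time_anomalies(hops):
        findings.append(f"hop from {helo} claims a time {skew:.0f}s later than the server that received it")
    for hop in hops[1:]:                      # everything below the top line came from the sender's side
        if hop["helo"] and "." not in hop["helo"]:
            findings.append(f"HELO name {hop['helo']!r} is a bare machine name, not a mail server")
    if msg.get("X-message-flag"):             # Outlook shows this text above the message; anyone can set it
        findings.append(f"X-message-flag is sender-chosen text, not authentication: {msg['X-message-flag']!r}")
    if not msg.get("Received-SPF"):           # the header an SPF-checking receiver adds
        findings.append("no Received-SPF header: the receiving server did not check SPF")
    return {"client_ip": hops[0]["ip"] if hops else None, "hops": hops, "findings": findings}


def spf_check(client_ip: str, record: str) -> str:
    """Evaluate the ip4 and all mechanisms of an SPF record offline (include/a/mx need DNS; not handled)."""
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return results[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return results[qualifier]
    return "neutral"


if __name__ == "__main__":
    report = analyse(RAW)
    print("connecting client (trusted):", report["client_ip"])
    for finding in report["findings"]:
        print(" -", finding)
    # Hypothetical record for the purported sender's domain; "-all" means anything else fails.
    print("SPF for client:", spf_check(report["client_ip"], "v=spf1 ip4:192.0.2.0/24 -all"))
```

On these headers the trusted connecting address is 64.221.70.114, the DSL host in the top line; the inner line claims a delivery time 3668 seconds later than the server that received it, which cannot happen in a genuine chain, and its HELO name TRBOG-CK06 is an unqualified Windows machine name rather than a mail server, which fits a home PC sending directly (whether knowingly or through malware). The 20.88.248.128 address appears only in that untrusted line, so it is worth less than the top one when reporting. With a record of the form shown, the DSL address gets "fail", which is exactly what the X-message-flag text is trying to imitate without any DNS behind it.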
The Oracle
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
stickyb,
It looks like it came from either here:
OrgName: XO Communications
OrgID: XOXO
Address: Corporate Headquarters
Address: 11111 Sunset Hills Road
City: Reston
StateProv: VA
PostalCode: 20190-5339
Country: US
ReferralServer: rwhois://rwhois.eng.xo.com:4321/
NetRange: 64.220.0.0 - 64.221.255.255
CIDR: 64.220.0.0/15
NetName: XOXO-BLK-5
NetHandle: NET-64-220-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NAMESERVER1.CONCENTRIC.NET
NameServer: NAMESERVER2.CONCENTRIC.NET
NameServer: NAMESERVER3.CONCENTRIC.NET
NameServer: NAMESERVER.CONCENTRIC.NET
Comment:
RegDate:
Updated: 2003-08-08
OrgAbuseHandle: XCNV-ARIN
OrgAbuseName: XO Communications, Network Violations
OrgAbusePhone: +1-866-285-6208
OrgAbuseEmail: [email protected]
OrgTechHandle: XCIA-ARIN
OrgTechName: XO Communications, IP Administrator
OrgTechPhone: +1-703-547-2000
OrgTechEmail: [email protected]
Or here:
OrgName: Computer Sciences Corporation
OrgID: CSC-68
Address: 3170 Fairview Park Drive
City: Falls Church
StateProv: VA
PostalCode: 22042
Country: US
NetRange: 20.0.0.0 - 20.255.255.255
CIDR: 20.0.0.0/8
NetName: CSC
NetHandle: NET-20-0-0-0-1
Parent:
NetType: Direct Assignment
NameServer: NS1.CSC.COM
NameServer: NS2.CSC.COM
Comment:
RegDate: 1989-09-04
Updated: 2002-05-31
TechHandle: PG618-ARIN
TechName: Gross, Pete
TechPhone: +1-703-641-3322
TechEmail: [email protected]
OrgAbuseHandle: PG618-ARIN
OrgAbuseName: Gross, Pete
OrgAbusePhone: +1-703-641-3322
OrgAbuseEmail: [email protected]
OrgTechHandle: PG618-ARIN
OrgTechName: Gross, Pete
OrgTechPhone: +1-703-641-3322
OrgTechEmail: [email protected]
It looks like the sender was using M$ Outlook to send it. (Good chance they were hit by malware and are sending it out without knowing.)
Too bad you do not have the X-ClientAddr IP.
Take Care,
Richard