Yale University
Email headers can be spoofed/forged

As spam (junk or unsolicited email) continues to increase, we are also seeing the 'To:' and 'From:' email header fields being spoofed. Sometimes the 'From:' address may appear to be from someone you know, from an organization whose name you recognize, or from an @yale.edu email account. In reality these spoofed/forged messages do NOT originate from the address that appears in the 'From:' field. See the examples below.

Spoofed email from Yale support teams or vendors who do business with Yale

There has been a recent increase in spoofed/forged email messages that appear to come from Yale University ITS support groups and from vendors who do business with the University. These email messages often carry attachments that, when opened, infect your computer with malware (viruses, worms and/or Trojans).
See the examples below: Example II (support groups) and Example III (vendors).

ITS is investigating ways for the Yale community to be able to check the validity of internal messages. Until that time we ask that you do not open attachments that you were not expecting, even if the sender appears to be someone you know or from what appears to be an official Yale University source (e.g., service@med.yale.edu or info@med.yale.edu).

Analogy of a letter you get through the US Mail

A paper ENVELOPE address can NOT be spoofed. This address is what the postal service uses to deliver the letter to the correct recipient. The address written inside an email message CAN be spoofed. The addresses that appear in the To: and From: message headers are the equivalent of the addresses written inside a letter.

In order to be certain of where the letter came from, you must look at the envelope, or, for an email message, at its FULL HEADERS.

If you have any concerns about a specific email, please forward the email (including full-headers) to abuse@yale.edu.
Spoofed/Forged email messages examples

Example I: email header information

It is necessary to be able to view the full header of an email message if you need to forward a spam message or other email that needs to be investigated. Viewing full headers is also useful if you want a more detailed look at where your message originated, but it is not a fool-proof method, since email headers can themselves be spoofed or faked. See also: How to view the full headers of an email message.

Example of BRIEF header

-------- Original Message --------
Subject: SANS at the beach, July 13 - 18
Date: Mon, 10 Jun 2002 08:34:39 -0600 (MDT)
From: The SANS Institute
To: Faith McGrath (SD554267)

Example of FULL header

-------- Original Message --------
Return-path:
Received: from CONVERSION-DAEMON.biomed.med.yale.edu by biomed.med.yale.edu (PMDF V6.0-24 #37386) id <01KIRGRBUIZ400651U@biomed.med.yale.edu> for mcgrathf@biomed.med.yale.edu (ORCPT mcgrathf@biomed.med.yale.edu); Mon, 10 Jun 2002 10:36:03 -0400 (EDT)
Received: from biomed.med.yale.edu by biomed.med.yale.edu (PMDF V6.0-24 #37386) id <01KIRGR74XNM005WF2@biomed.med.yale.edu> for mcgrathf@biomed.med.yale.edu (ORCPT mcgrathf@biomed.med.yale.edu); Mon, 10 Jun 2002 10:35:56 -0400 (EDT)
Received: from CONVERSION-DAEMON.biomed.med.yale.edu by biomed.med.yale.edu (PMDF V6.0-24 #37386) id <01KIRGR1PME800651U@biomed.med.yale.edu> for mcgrathf@biomed.med.yale.edu (ORCPT mcgrathf@biomed.med.yale.edu); Mon, 10 Jun 2002 10:35:48 -0400 (EDT)
Received: from mr4.its.yale.edu (mr4.its.yale.edu [130.132.50.10]) by biomed.med.yale.edu (PMDF V6.0-24 #37386) with ESMTP id <01KIRGQYYRDM007IRA@biomed.med.yale.edu> for mcgrathf@biomed.med.yale.edu (ORCPT mcgrathf@biomed.med.yale.edu); Mon, 10 Jun 2002 10:35:45 -0400 (EDT)
Received: from server2.SANS.ORG (server2.sans.org [167.216.198.40]) by mr4.its.yale.edu (8.11.6/8.11.6) with ESMTP id g5AEa3l29404 for; Mon, 10 Jun 2002 10:36:03 -0400 (EDT)
Received: by server2.SANS.ORG (rbkq) id QQF22223 for faith.mcgrath@yale.edu; Mon, 10 Jun 2002 08:34:39 -0600 (MDT)
Content-return: prohibited
Date: Mon, 10 Jun 2002 08:34:39 -0600 (MDT)
From: The SANS Institute
Subject: SANS at the beach, July 13 - 18
Sender: sans@sans.org
To: Faith McGrath (SD554267)
Errors-to: bounce@sans.org
Message-id: <200206106028.QQF22223@server2.SANS.ORG>
X-VMS-To: IN%"faith.mcgrath@yale.edu" "Faith McGrath"
Precedence: bulk
Original-recipient: rfc822;mcgrathf@biomed.med.yale.edu


Example II: spoofed messages from IT support providers


-------- Original Message --------
Return-path:
Received: from CONVERSION-DAEMON.biomed.med.yale.edu by
biomed.med.yale.edu (PMDF V6.1-1 #30532) id
<01LPIAWMTKLC004ZFR@biomed.med.yale.edu> (ORCPT
information.security@med.yale.edu); Wed, 15 Jun 2005 23:37:38 -0400 (EDT)
Received: from DIRECTORY-DAEMON.biomed.med.yale.edu by
biomed.med.yale.edu (PMDF V6.1-1 #30532) id
<01LPIAWM6U4W0048K9@biomed.med.yale.edu> (ORCPT
information.security@med.yale.edu); Wed, 15 Jun 2005 23:37:36 -0400 (EDT)
Received: from med.yale.edu (pcp01845781pcs.nhaven01.ct.comcast.net
[68.63.83.124]) by biomed.med.yale.edu (PMDF V6.1-1 #30532) with ESMTP
id <01LPIAWIJKXA0158VY@biomed.med.yale.edu> for
information.security@med.yale.edu; Wed, 15 Jun 2005 23:37:35 -0400 (EDT)
Date: Wed, 15 Jun 2005 23:38:52 -0400
From: webmaster@med.yale.edu
Subject: Warning Message: Your services near to be closed.
To: information.security@med.yale.edu
Errors-to: david.stagg@yale.edu
Message-id: <01LPIAWJD7360158VY@biomed.med.yale.edu>
MIME-version: 1.0
Content-type: multipart/mixed;
boundary="Boundary_(ID_BOY72YIj5mRiMwCpwsZuXQ)"
X-Priority: 3
X-MSMail-priority: Normal
Comments: YSM Systems Engineering and Security List

*Dear user information.security, *

It has come to our attention that your Med User Profile ( x ) records are out of date. For further details see the attached document.

Thank you for using Med!

The Med Support Team

+++ Attachment: No Virus (Clean)
+++ Med Antivirus - www.med.yale.edu

[account-report.zip attachment]


-------- Original Message --------
Return-path:
Received: from CONVERSION-DAEMON.biomed.med.yale.edu by
biomed.med.yale.edu (PMDF V6.1-1 #30532) id
<01LPI8123K6O0149K8@biomed.med.yale.edu> (ORCPT
information.security@med.yale.edu); Wed, 15 Jun 2005 22:14:55 -0400 (EDT)
Received: from DIRECTORY-DAEMON.biomed.med.yale.edu by
biomed.med.yale.edu (PMDF V6.1-1 #30532) id
<01LPI811N000004S24@biomed.med.yale.edu> (ORCPT
information.security@med.yale.edu); Wed, 15 Jun 2005 22:14:53 -0400 (EDT)
Received: from med.yale.edu (pcp01845781pcs.nhaven01.ct.comcast.net
[68.63.83.124]) by biomed.med.yale.edu (PMDF V6.1-1 #30532) with ESMTP
id <01LPI80Y0KXG0048X4@biomed.med.yale.edu> for
information.security@med.yale.edu; Wed, 15 Jun 2005 22:14:52 -0400 (EDT)
Date: Wed, 15 Jun 2005 22:16:09 -0400
From: info@med.yale.edu
Subject: YOUR NEW ACCOUNT PASSWORD IS APPROVED
To: information.security@med.yale.edu
Errors-to: david.stagg@yale.edu
Message-id: <01LPI80YCIEU0048X4@biomed.med.yale.edu>
MIME-version: 1.0
Content-type: multipart/mixed;
boundary="Boundary_(ID_I7zVkYRW6dylCEDFOgsUYg)"
X-Priority: 3
X-MSMail-priority: Normal
Comments: YSM Systems Engineering and Security List 

*Dear user information.security, *

You have successfully updated the password of your Med account. If you did not authorize this change or if you need assistance with your account, please contact Med customer service at: info@med.yale.edu

Thank you for using Med!

The Med Support Team
[email-password.zip]


-------- Original Message --------
Return-path:
Received: from CONVERSION-DAEMON.biomed.med.yale.edu by
biomed.med.yale.edu (PMDF V6.1-1 #30532) id
<01LPIBQPANPC0057DR@biomed.med.yale.edu> (ORCPT
information.security@med.yale.edu); Thu, 16 Jun 2005 00:01:53 -0400 (EDT)
Received: from DIRECTORY-DAEMON.biomed.med.yale.edu by
biomed.med.yale.edu (PMDF V6.1-1 #30532) id
<01LPIBQOHWCW001800@biomed.med.yale.edu> (ORCPT
information.security@med.yale.edu); Thu, 16 Jun 2005 00:01:50 -0400 (EDT)
Received: from med.yale.edu (pcp01845781pcs.nhaven01.ct.comcast.net
[68.63.83.124]) by biomed.med.yale.edu (PMDF V6.1-1 #30532) with ESMTP
id <01LPIBQH3BYE00437K@biomed.med.yale.edu> for
information.security@med.yale.edu; Thu, 16 Jun 2005 00:01:49 -0400 (EDT)
Date: Thu, 16 Jun 2005 00:03:01 -0400
From: service@med.yale.edu
Subject: Your password has been updated
To: information.security@med.yale.edu
Errors-to: david.stagg@yale.edu
Message-id: <01LPIBQHOF2G00437K@biomed.med.yale.edu>
MIME-version: 1.0
Content-type: multipart/mixed;
boundary="Boundary_(ID_E27OKZY8aiMUNANDWRUfrA)"
X-Priority: 3
X-MSMail-priority: Normal
Comments: YSM Systems Engineering and Security List

*Dear user information.security, *

You have successfully updated the password of your Med account. If you did not authorize this change or if you need assistance with your account, please contact Med customer service at: service@med.yale.edu

Thank you for using Med!

The Med Support Team

+++ Attachment: No Virus (Clean)
+++ Med Antivirus - www.med.yale.edu

[updated-password.zip attachment]


-------- Original Message --------
Return-path:
Received: from CONVERSION-DAEMON.biomed.med.yale.edu by
biomed.med.yale.edu (PMDF V6.1-1 #30532) id
<01LPI612GVOG004AOB@biomed.med.yale.edu> (ORCPT
information.security@med.yale.edu); Wed, 15 Jun 2005 21:17:39 -0400 (EDT)
Received: from DIRECTORY-DAEMON.biomed.med.yale.edu by
biomed.med.yale.edu (PMDF V6.1-1 #30532) id
<01LPI6120H5C004S24@biomed.med.yale.edu> (ORCPT
information.security@med.yale.edu); Wed, 15 Jun 2005 21:17:37 -0400 (EDT)
Received: from med.yale.edu (pcp01845781pcs.nhaven01.ct.comcast.net
[68.63.83.124]) by biomed.med.yale.edu (PMDF V6.1-1 #30532) with ESMTP
id <01LPI60T2S0S00319S@biomed.med.yale.edu> for
information.security@med.yale.edu; Wed, 15 Jun 2005 21:17:37 -0400 (EDT)
Date: Wed, 15 Jun 2005 21:18:46 -0400
From: service@med.yale.edu
Subject: You have successfully updated your password
To: information.security@med.yale.edu
Errors-to: david.stagg@yale.edu
Message-id: <01LPI60TM25Q00319S@biomed.med.yale.edu>
MIME-version: 1.0
Content-type: multipart/mixed;
boundary="Boundary_(ID_l8xOUbZCMO2I6v7Aw3WcQA)"
X-Priority: 3
X-MSMail-priority: Normal
Comments: YSM Systems Engineering and Security List

*Dear user information.security, *

You have successfully updated the password of your Med account.

If you did not authorize this change or if you need assistance with your account, please contact Med customer service at: service@med.yale.edu

Thank you for using Med!
The Med Support Team
+++ Attachment: No Virus (Clean)
+++ Med Antivirus - www.med.yale.edu

[updated-password.zip]
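The following Python script is an added example, not part of the ITS page. It reads the Received chain from a header block, reports where the message entered the mail path, and flags the hop in the Example II messages where the sender's HELO name claims med.yale.edu while the host the Yale server actually talked to is a comcast.net address. The two header samples are constructed from Examples I and II above (continuation lines re-indented as folded headers); treating yale.edu as the internal domain is an assumption.

```python
import email
import re

# Constructed sample: the Received chain of the first spoofed message in Example II above,
# with the continuation lines re-indented so the parser treats them as folded headers.
SPOOFED = """\
Received: from CONVERSION-DAEMON.biomed.med.yale.edu by biomed.med.yale.edu
 (PMDF V6.1-1 #30532) id <01LPIAWMTKLC004ZFR@biomed.med.yale.edu>;
 Wed, 15 Jun 2005 23:37:38 -0400 (EDT)
Received: from med.yale.edu (pcp01845781pcs.nhaven01.ct.comcast.net
 [68.63.83.124]) by biomed.med.yale.edu (PMDF V6.1-1 #30532) with ESMTP
 id <01LPIAWIJKXA0158VY@biomed.med.yale.edu>; Wed, 15 Jun 2005 23:37:35 -0400 (EDT)
"""
# Constructed sample: the external hop of the legitimate SANS message in Example I.
LEGIT = """\
Received: from server2.SANS.ORG (server2.sans.org [167.216.198.40])
 by mr4.its.yale.edu (8.11.6/8.11.6) with ESMTP id g5AEa3l29404;
 Mon, 10 Jun 2002 10:36:03 -0400 (EDT)
"""

# "from <HELO> (<reverse DNS> [<IP>]) by <server>": the HELO name is whatever the
# sender claimed; the bracketed part is what the receiving server itself observed.
HOP_RE = re.compile(r"from (?P<helo>\S+)(?: \((?P<rdns>[^\s\[\]]*) ?\[(?P<ip>[^\]]+)\]\))? by (?P<by>\S+)")

def parse_hops(raw):
    """Received hops in header order (most recent first), one dict per header."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))  # unfold and squeeze whitespace
        if m:
            hops.append({**m.groupdict(), "rdns": m.group("rdns") or None})
    return hops

def in_domain(name, domain):
    return name.lower() == domain or name.lower().endswith("." + domain)

def spoof_indicators(hops, internal="yale.edu"):  # internal domain is an assumption
    """Flag hops whose HELO claims an internal name while the observed peer is outside it."""
    out = []
    for h in hops:
        if h["ip"] is None:  # hand-off between our own daemons, no network peer recorded
            continue
        if in_domain(h["helo"], internal) and not (h["rdns"] and in_domain(h["rdns"], internal)):
            out.append(f"HELO {h['helo']} claims {internal} but peer is {h['rdns'] or '?'} [{h['ip']}]")
    return out

def origin(hops):
    """The bottom-most Received header is where the message entered the mail path."""
    h = hops[-1]
    return (h["rdns"] or h["helo"], h["ip"])
```

Only the hops recorded by your own servers can be trusted; Received lines below the first trusted hop may themselves have been forged by the sender.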


Example III: spoofed messages from a vendor


Date: Tue, 10 Oct 2006 14:18:48 +0400
From: info@butterflyphoto.com
Subject: Order Confirmation number: 37679041
To: @yale.edu
X-YaleITSMailFilter: Version 1.2c (attachment(s) not renamed)
X-Yale-Tagged-Spam: For more info see:  http://www.yale.edu/email/spam/content.html
X-Yale-Spam-Score: ********* (9.366)
X-Scanned-By: MIMEDefang 2.52 on 130.132.50.8
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on ninja.med.yale.edu
(ITS-Med - Yale University)
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=5.0 tests=HELO_DYNAMIC_IPADDR2,
HELO_DYNAMIC_SPLIT_IP,NO_REAL_NAME,RCVD_NUMERIC_HELO
autolearn=disabled version=3.0.3

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.
This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041
Payment by Credit card
Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99
Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.

If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.
You will receive another email with tracking information soon.
We hope you enjoy your order!  Thank you for shopping with us!

**********************************************************************
This warning has been inserted into this email by the mail system
because this email has an attachment named 37679041.zip
Specific details:

Be careful when opening Zip files if you're not sure where they
came from. They can be, and have been, used to transfer viruses
and other destructive programs.

Attachment of this type have been known to carry viruses or
other programs which could be harmful to your computer.
We would urge you to be certain that you know who this email
comes from and to save it to disk and check it with an
anti-virus program before using the attachment. If there is any
doubt, DO NOT RUN THE ATTACHMENT.

If you need help, you can contact your local support provider by following
this link:  http://www.yale.edu/its/help/supportgroups.html or contact the ITS Help Desk at 785-3200 or 432-9000.

Please note that the CONTENTS of the attachment have NOT been examined in any way, the action taken was entirely based on the name of the attachment.

**********************************************************************


Last modified: Tuesday, 02-Oct-2007 11:52:54 EDT. (vm)