On the case with Sam Spade

By M. E. Kabay, Network World |  Business

In this newsletter, I thought some readers would enjoy seeing the steps in finding out the details of yet another e-mail scam: fraudulent click-throughs.

On Dec. 23, 2000, I received an HTML invitation from a stranger to try a "new game." Unimpressed by the warmth of the invitation and suspicious of any attachment, I looked at the source code and found some peculiar aspects:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">








TARGET="_top" onmouseover="window.status='CLICK IT';return true">

<font size="+1">click here</font></A><IMG

SRC="http://www.whispa.com/tracking/exposure.dll?263589" WIDTH=1 HEIGHT=1

BORDER=0><br><br>To join new game for free<br>No charge</p>



The source suggested that the intent of this information was primarily to track responses, not to convey information.

I then turned to the Sam Spade 1.14 network utility (see http://www.samspade.org/ssw/ for details of this useful freeware) and quickly found that the headers were forged.

Between the asterisks below is what the program returned to me (note that the commentary -- e.g., "My comments are just hints" -- is the program's, not mine.):


12/27/00 16:22:21 Input

The Received: headers are the important ones to read

My comments are just hints, and should be considered only

an opinion. I may have guessed wrong, or things may have

changed since I was written

Sender: Lisa@netvision.net.il

Received: from mgw-mp.sric.sri.com (mgw-mp.sric.sri.com

[]) by spdmgaae.compuserve.com

(8.9.3/8.9.3/SUN-1.9) with ESMTP id PAA02807 for

<mkabay@compuserve.com>; Sat, 23 Dec 2000 15:13:11 -0500


This received header was added by your mailserver

spdmgaae.compuserve.com received this from mgw-mp.sric.sri.com

(IP addresses match)

Received: from mailgw1.netvision.net.il ([])

by mgw-mp.sric.sri.com (Netscape Messaging Server 3.6)

with ESMTP id AAA14C6 for

<mkabay@atomictangerine.com>; Sat, 23 Dec 2000

12:12:38 -0800

mgw-mp.sric.sri.com received this from mailgw1.netvision.net.il

(IP addresses match)

Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:






Ask a Question