In our inaugural Ask the Engineer column we have asked Bryan Gilliom, our Vice President of Technical Services, to answer a question our Help Desk hears all the time. In this column we will strive to answer your questions about technology and how things work in simple and understandable terms.
I am often called by customers who have received "bounce" or "recipient unreachable" messages for mail they never sent, or who have had a call from one of their customers or vendors complaining about a virus-infected e-mail that claimed to have come from them. People are understandably confused and spend a great deal of time scanning and checking their machines only to find nothing amiss.
The important thing to understand is that the Internet e-mail system was designed in a much earlier and more trusting time. What you see in the From line when you open an e-mail, along with the To, Date and Subject lines, is drawn from a normally hidden part of the message called the header. There is nothing special or magical about this information: it is ordinary text written by whatever program sent the message, nothing along the way checks it, and it can be set to read almost anything the sender wants. A benevolent example is the display name: your "From" line can show your real name rather than your bare e-mail address, so the recipient can see at a glance who the mail is from instead of having to work out who BGilliom@InLine.com is.
Unfortunately, virus writers and spammers regularly manipulate this information to hide the origins of their e-mails. In the case of spammers the reasons are obvious, since their activities are unwelcome at best and illegal at worst. For viruses the reasons are even more diabolical. Early e-mail viruses used the infected machine's own copy of Outlook or another mail client to send out their infected e-mails. That had a downside for the virus writer: infections were quickly tracked back to the source and stopped. It was as simple as contacting the person who had sent you the e-mail and telling them to check their machine. Modern e-mail worms carry their own built-in mail engine and pick not only the recipients at random from addresses found on the infected machine, but also a forged sender from those same addresses. This makes it much harder to track the worm back to its source and prolongs the time it has to spread.
So when the victim receives the virus-infected e-mail, it may say it came from you, but it was actually sent by a completely different machine. The only way you were involved is that both of your e-mail addresses were stored somewhere on the infected machine. If the infected e-mail goes to an expired or bad address, the recipient's mail server, following normal procedure, sends back an "unknown recipient" or other bounce message, and since your address is the forged sender the bounce comes to you rather than to the infected machine.
Luckily, much like on the TV show CSI that has become so popular, there are clues to work with if we know where to look. Hidden in the mail header is a record of every step the mail took on its trip across the Internet: each mail server that handles the message adds a line at the top of the header stating which machine it received the message from, when, and which server it was. It is a little like the tracking page on the UPS or FedEx web site for your holiday presents, with dates, times and server names for each stop along the way. Unlike the From line, these entries were written by the servers along the way rather than by the sender, which is what makes them useful. With a little know-how and detective work, a knowledgeable person can extract a wealth of information from this header, often including the location the mail really originated from. This isn't the kind of thing most users can easily decipher, but InLine's trained Help Desk staff can assist our customers in identifying and, we hope, tracking these stray messages back to their origin.
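As an added illustration (not part of the original column, and not a tool InLine's Help Desk uses), the following Python script reads the Received trail out of a constructed message in which the From line claims BGilliom@InLine.com but the first server to see the mail recorded a dial-up host at an unrelated ISP. All host names, addresses and timestamps are made up; the IP addresses come from the reserved documentation ranges.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not a real capture). The From line claims the
# mail came from BGilliom@InLine.com, but the Received trail shows it entered
# the Internet from a dial-up host that has nothing to do with InLine.com.
# Host names and addresses are made up (documentation ranges 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24).
RAW_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mailbox.example.net (Postfix) with ESMTP id 3F2A1C0
\tfor <jane@example.net>; Tue, 7 Dec 2004 09:15:33 -0500
Received: from relay.example.org (relay.example.org [198.51.100.25])
\tby mx1.example.net with ESMTP; Tue, 7 Dec 2004 09:15:31 -0500
Received: from InLine.com (dialup-203-0-113-77.isp.example.org [203.0.113.77])
\tby relay.example.org with SMTP; Tue, 7 Dec 2004 09:15:02 -0500
From: Bryan Gilliom <BGilliom@InLine.com>
To: jane@example.net
Subject: Important document
Message-ID: <abc123@InLine.com>

See attached.
"""

# One Received line, after unfolding, looks like:
#   from <name the sender announced> (<reverse DNS> [<IP seen>]) by <server> ...; <date>
# The name before the parentheses is whatever the sending machine claimed;
# the bracketed IP is what the receiving server actually saw on the wire.
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)"
)


def parse_hops(raw):
    """Return the Received trail oldest hop first, one dict per hop."""
    msg = email.message_from_string(raw)
    hops = []
    # Servers prepend their Received line, so header order is newest first.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue                             # unusual format: skip this hop
        hops.append({
            "claimed": m.group("claimed"),
            "observed_host": m.group("rdns") or "",
            "ip": m.group("ip"),
            "by": m.group("by"),
            "when": value.rsplit(";", 1)[1].strip() if ";" in value else "",
        })
    return hops


def likely_origin(raw):
    """Pick the earliest hop and check it against the domain in the From line.

    Returns (hop, from_domain, consistent). consistent is False when the host
    the first server actually saw is not inside the From domain, which is the
    tell-tale sign of a forged sender.
    """
    msg = email.message_from_string(raw)
    hops = parse_hops(raw)
    if not hops:
        return None, "", False
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    first = hops[0]
    observed = first["observed_host"].lower()
    consistent = bool(from_domain) and (
        observed == from_domain or observed.endswith("." + from_domain)
    )
    return first, from_domain, consistent


def describe(raw):
    """Print the trail the way you would read it off a tracking page."""
    for i, hop in enumerate(parse_hops(raw), 1):
        print(f"{i}. {hop['when']}: {hop['by']} accepted mail from "
              f"{hop['observed_host'] or '?'} [{hop['ip']}] "
              f"(which called itself {hop['claimed']})")
    hop, domain, ok = likely_origin(raw)
    if hop is None:
        print("No readable Received lines in this message")
        return
    verdict = "matches" if ok else "does NOT match"
    print(f"Entry point {hop['ip']} ({hop['observed_host']}) {verdict} "
          f"the From domain {domain}")


if __name__ == "__main__":
    describe(RAW_MESSAGE)
```

Read the trail from the top down: the topmost lines were written by your own mail server and the servers it trusts, so they can be relied on. A worm can just as easily type fake Received lines underneath its forged From line, so once you reach the first line written by a server you do not know, treat everything below it with the same suspicion as the From line itself. In the constructed sample, the bracketed address 203.0.113.77 is what relay.example.org actually saw, whatever the sending machine announced itself as.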
If you want to play CSI on your own, or you're just curious to see what is in these mystical headers, in Microsoft Outlook you can right-click any message, select Options and look at the section labeled Internet Headers on the resulting screen. If you have a question you would like answered, send a message to AskTheEngineer@InLine.com. We will be picking the best questions for future columns.