I figured I'd write this up to help people rid the world of phishing and spoofing attempts, especially since people are getting smarter and making their messages more and more real. I learned this from a friend at work who was one of the people on the end of the abuse contact e-mail, which is set up to help prevent phishing, so I figured I'd pass on the knowledge. I originally started this earlier, but I clicked on a bookmark and lost nearly this entire post, so this is the second typing of it, so I hope people enjoy.
First, we need to recognize the spoofed message. To do this, people need to know that companies and banks do not send you e-mails with links asking you to update your information. Banks have your information; they don't need it updated. If it needs to be updated, you are the one who will know that, not the bank, so why would they e-mail you about it? Companies (mainly eBay and PayPal) have your information too, and they also give you a way to update it if needed, but how would they know if any of it changed? Places give you the ability to update this information on your own when it changes for a reason, so they aren't going to e-mail people about it. If you ever get an e-mail about something requiring your input for the company, just go to your browser and type in the appropriate URL; don't trust links in the e-mail. Basically, any e-mail from a company or bank asking you to update your information is a phishing attempt and a spoofed e-mail.
Now that you know that most messages purporting to be from a bank or company are likely spoofed, you can start to do something about it. First, you'll need to view the full header of the e-mail. In Outlook, with a message open, go to "View > Options..." and a window will pop up with the full header of the e-mail. For Outlook Express, just right-click on a message, go to "Properties" and then go to the Details tab. For Mozilla Thunderbird, go to "View > Headers > All" and you'll get the full header of the e-mail when you view it. In Eudora, double-click on a message to open it in a new window and click the "BLAH BLAH BLAH" button to show the full header. Yahoo! Mail will allow you to do this by changing your view settings. Gmail users can bypass most of this by opening a suspect message and clicking the "Report Phishing" button under "More options" while the message is open. Unfortunately, I can't cover all webmail interfaces, as they are all different and I don't have access to all of them. If you have a suspect message in another mail client, though, post here and we can try and help you get the information needed.
So you can view the full header, but what does all of this information mean? It is mainly routing information on where the e-mail was on its trip to you. What we're really interested in is the "Received:" headers. What you need to find is the originating IP address, and this can be found in either the "Received:" header closest to the bottom or the one up from that. Make sure that the IP is in the proper format of xxx.xxx.xxx.xxx, where each xxx can be anything from 0-255. In the case that there are multiple IPs on the same line, take the one furthest to the left. Once you find the originating IP, copy it, as we'll need it for the next step of the process.
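To make the header-reading step concrete, here is a small Python script I've added (it is not from the original post) that walks the "Received:" headers from the bottom up, checks the xxx.xxx.xxx.xxx format, skips internal RFC 1918 hops, and returns the leftmost public address; the message and every address in it are constructed samples.

```python
import email
import ipaddress
import re
from email import policy
from typing import Optional

# Constructed sample (not from the post): three Received: hops. The bottom
# hop carries a private 192.168.x.x address from an internal web interface,
# so the originating public IP sits one header up, as the post describes.
SAMPLE_RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.10])
\tby mail.example.net with ESMTP id 1A2B3C; Mon, 3 Jul 2006 10:22:01 -0400
Received: from relay.example.org ([203.0.113.45])
\tby mx.example.net with SMTP; Mon, 3 Jul 2006 10:21:58 -0400
Received: from [192.168.1.20] (helo=webmail)
\tby relay.example.org with esmtp; Mon, 3 Jul 2006 10:21:50 -0400
Subject: Please update your account information

Click the link below to update your information.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# RFC 1918 and loopback ranges: a hop inside these is internal, not the origin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def valid_ipv4(text: str) -> bool:
    """True if text is xxx.xxx.xxx.xxx with every octet in 0-255."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def originating_ip(raw: str) -> Optional[str]:
    """Walk Received: headers from the bottom (earliest hop) upward and
    return the leftmost valid, non-internal IPv4 address found."""
    msg = email.message_from_string(raw, policy=policy.default)
    for hop in reversed(msg.get_all("Received", [])):
        for candidate in IPV4_RE.findall(hop):      # leftmost first
            if not valid_ipv4(candidate):
                continue
            if any(ipaddress.IPv4Address(candidate) in n for n in INTERNAL_NETS):
                continue                            # internal hop: go one up
            return candidate
    return None

if __name__ == "__main__":
    print(originating_ip(SAMPLE_RAW))   # 203.0.113.45
```

Any "Received:" line below the one added by your own provider's mail server was written by whoever sent the message and can be faked, so treat the address as a lead for the abuse report rather than proof.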
Now on to one of the last steps in reporting a phishing attempt: looking up the IP. All IPs are registered to someone, mainly ISPs. To look them up, there are 5 different Whois query sites for different regions of the world. There is the ARIN Whois for North America and parts of Latin America and the Caribbean, LACNIC Whois for the rest of Latin America and South America, AfriNIC Whois for Africa, the RIPE Whois for Europe, the Middle East, and Eastern Asia, and then the APNIC Whois for the rest of Asia and the Pacific area. Since you have the IP copied, go to the registry that covers your locality, or is closest to it, and look up the IP that you copied from the spoofed e-mail. If there are extra options on the search page, ignore them and use the default search options. If your results point you to another lookup registry, go there and look up the IP from the e-mail. The final query results should list location information for the company that owns the IP or IP block the e-mail came from. There will be e-mail contact addresses there for tech contacts and such. The one that is needed is an abuse contact, usually abuse@ some domain. This is where a lot of searches will end, as there are many networks that don't see the need for abuse contacts. You could try the tech contact e-mail, but that likely won't help. Now that you have an abuse address, at least hopefully, you can complete the process.
The final step is forwarding the spoofed message to the abuse address that was found, if one was found. When e-mailing, try to forward the full headers that you viewed earlier, as it will make life a little easier for the person on the other end of the abuse address. Just forward the message to the address and you can sit back and enjoy knowing that you are now part of the solution to a world full of people trying to take others' lives away. There can be some complications with the abuse e-mail contact, but you'll need to deal with those on an individual basis, as some networks use a different address from the one published in the whois database for genuine reports, to keep them separate from possible junk e-mail. If no abuse address is found, as I stated before, you could try the tech contact, but that will likely not get far in many cases. You could also see if your ISP has an abuse contact, as they may be able to get more from the message than you or I could. Then there are places like eBay and PayPal that have pages dedicated to keeping people secure, and you could send the e-mail to them if applicable, even if you also send it to an abuse address.
There are likely going to be glitches in this system, as with everything else. I'm not saying that this will end all messages asking you to update your information either, but it can help. As with anything else around here, if you have questions or comments on this, feel free to post them and I or others will do our best to help you out.