Re: Bogus Email- Need help to do detective work

On Sun, Mar 28, 2004 at 09:32:28AM -0600, Cowles, Steve wrote:
> jim tate wrote:
> > I have been receiving bogus emails asking me to sign on to my bank account, so
> > someone can get my userid and password.
> 
> So have I. Plus include bogus e-mails claiming to be AMEX, Home Depot,
> PayPal, etc...
> 
> > My bank says these are bogus emails and not to respond to them.
> 
> Listen to them. They are correct.


Correct, do nothing with them.  The best recommendation is the old 'd' key.


> > I have been receiving them in Mozilla mail.
> 
> Shouldn't matter what MUA you are using.

Correct.

Do learn a pure text MUA (Mail, pine, mutt, elm, etc.)
See more about evil HTML below.

> > How can I tell where these emails will return to, should I reply or
> > respond to the info requested?
...
> > There has got to be a way to back track.
...
> 
> Also, check the html code of the e-mail. Most reference images from your
> bank's website, but contain a redirect to some web server that actually
> captures your information. Again, try to report this website to the owning
> ISP.

These are NASTY and difficult to dissect without side effects.

On behalf of your grandmother: if she entered any information,
call your local police and ISP.  Do nothing yourself.

If you are curious DO NOT OPEN the mail.

You might save it and its headers in a safe place and inspect it with
caution using pure text tools.  Since it is mostly mail, you can look
at it with the pager "less" (less /tmp/problem-mail).  The cautious
might start with "od -c".

The message will begin with headers that might let you track it back
to the machine that sent it.  Commonly these are hijacked PCs and
will be a dead end (unpatched, virus infected, ill managed or just gone).
The sender line will often be forged but valid.

In the headers you can track down the first responsible mail hop.
That ISP may have a process to block the machine or notify the owner.

Then there is the message body itself.

If you look with cautious text tools you can find a long list of
tricks, traps and stuff. As a minimum recent spam contains html that
is an education.

Each section could be trouble.
Caution with the script sections...

Invisible or white fonts often hide a mix of words that get
the message past many spam tools.   Multi byte tricks 
hide other stuff.

Then there may be a single URL that might look like this

 http://waXXet.yXXoo.com%00@xxxxxxxxxxxxx/manual/images/
 (some real numbers are x, Some real letters are X):

In effect this gets to  http://2xx.1xx.6x.9x/manual/images
and not to the url you expect, see, and click on your screen.

Then that page will present a form populated in many cases with images
from the real company host.  It is not enough that they impersonate
the company.  They also hijack the images and the bandwidth for those images.
If you track the IP address, the form/script stuff may come from one
country and the data may be sent to another foreign country.  You might get a
clue with dig -x 2xx.1xx.6x.9x, then follow with whois.  In short order
you are now in the land of international law, and your local police,
ISP and even the FBI in the US have no authority.

Next is the real nasty bit.... hidden in the html of the original
message is often a 'ticker' URL that fetches a single pixel white
image from a site that passes a code number and validates that the
message was looked at (BTW: this part is legal).  Now your email
address has been validated as active and you as a clicker.  You
will now get ten times more spam from the next ten places the mailing
list is sold to.

The nasty bit in this is that if you send your mail to the police for
inspection and they look at it with a browser, you are validated, and no
matter how cautious and careful you were, the mailing list owner gets
a tally and your spam load builds.


These legal one bit images look something like:

    http://us.click.yahoo.com/aOAbGG/3rxGGG/qmsNGG/PkXolC/ARK

SUMMARY:  Do not look at spam HTML with anything other than a pure text tool.
Read it with HTML documentation at hand... clever stuff.



-- 
   T o m M i t c h e l l 
   /dev/null the ultimate in secure storage.
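The text-only inspection the post describes, as an added example that is not part of the original message: it parses a saved mail with Python's standard library, walks the Received: headers down to the earliest hop, pulls every URL out of the HTML without rendering it, shows where a userinfo-disguised link (the `http://decoy%00@real-host/` trick) really goes, and lists 1x1 image fetches that would confirm the address is live. The message, hostnames, addresses and tracking id are all constructed for the example and taken from the documentation ranges; nothing is fetched from the network.

```python
"""Inspect a saved phishing message with text-only tools: no HTML rendering
and no image fetches, so the sender's tracking pixel never fires."""
import email
import re
from urllib.parse import urlsplit

# Constructed sample (not a real capture). The Received lines, the forged
# From:, the decoy link and the pixel are assumptions that mirror the tricks
# described in the post; all names and addresses are documentation ranges.
SAMPLE_MAIL = """\
Received: from mx1.mail.example.net (mx1.mail.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP id abc123; Sun, 28 Mar 2004 10:11:12 -0600
Received: from bank.example.com (dsl-host-77.isp.example.org [198.51.100.77])
\tby mx1.mail.example.net with SMTP id def456; Sun, 28 Mar 2004 10:10:59 -0600
From: "Example Bank Security" <security@bank.example.com>
To: victim@example.net
Subject: Please verify your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://www.bank.example.com%00@203.0.113.45/manual/images/">sign in</a> now.</p>
<img src="http://www.bank.example.com/images/logo.gif">
<img src="http://track.example.org/px?id=PkXolC" width="1" height="1">
</body></html>
"""

_FROM_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_URL_RE = re.compile(r"""(?:href|src)\s*=\s*["']?([^"'\s>]+)""", re.I)
_IMG_RE = re.compile(r"<img\b[^>]*>", re.I)
_ONE_RE = re.compile(r"""\b(width|height)\s*=\s*["']?1["'\s>/]""", re.I)


def parse_mail(raw):
    """Parse raw RFC 822 text; the parser neither renders nor fetches."""
    return email.message_from_string(raw)


def received_hops(msg):
    """Received: headers top to bottom, i.e. the most recent hop first.
    Only hops added by servers you trust are reliable; anything below the
    first trusted hop could have been written by the sender."""
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = _FROM_RE.search(value)
        ip = _IP_RE.search(value)
        hops.append({
            "helo": m.group(1) if m else None,  # name the client claimed
            "rdns": m.group(2).split()[0] if m and m.group(2) else None,
            "ip": ip.group(1) if ip else None,  # address the receiving MTA saw
        })
    return hops


def first_hop(raw):
    """The earliest hop: the machine that injected the mail (often a hijacked PC)."""
    hops = received_hops(parse_mail(raw))
    return hops[-1] if hops else None


def html_body(msg):
    payload = msg.get_payload(decode=True) or b""
    return payload.decode("utf-8", errors="replace")


def extract_urls(html):
    """Every href/src target in the HTML, in document order."""
    return _URL_RE.findall(html)


def real_target(url):
    """Where a link really goes. Everything before '@' in the authority is
    userinfo, not the host, so 'http://bank%00@203.0.113.45/' lands on
    203.0.113.45 while the victim reads 'bank'."""
    parts = urlsplit(url)
    return {
        "shown": url,
        "userinfo": parts.username,    # the decoy the victim reads
        "real_host": parts.hostname,   # the host a browser would connect to
        "deceptive": parts.username is not None,
    }


def tracking_pixels(html):
    """src of every 1x1 image: fetching it would confirm the address is live."""
    found = []
    for tag in _IMG_RE.findall(html):
        dims = {m.group(1).lower() for m in _ONE_RE.finditer(tag)}
        if dims == {"width", "height"}:
            src = _URL_RE.search(tag)
            if src:
                found.append(src.group(1))
    return found


def inspect_mail(raw):
    """Summary a practitioner can read without ever opening the mail in a browser."""
    msg = parse_mail(raw)
    html = html_body(msg)
    return {
        "claimed_from": msg.get("From"),
        "origin": first_hop(raw),
        "links": [real_target(u) for u in extract_urls(html)],
        "pixels": tracking_pixels(html),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(inspect_mail(SAMPLE_MAIL), indent=2))
```

On the sample, the origin hop is the DSL host at 198.51.100.77 that HELO'd as bank.example.com, which is the address to hand to the ISP named by dig -x; the "sign in" link resolves to 203.0.113.45, not the bank; and the one 1x1 image is the only URL that must never be fetched, even by whoever you forward the mail to.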


