On Sun, Mar 28, 2004 at 09:32:28AM -0600, Cowles, Steve wrote: > jim tate wrote: > > I have been recieveing Bogus email's to sign onto to my bank account, so > > someone can get my userid and password. > > So have I. Plus include bogus e-mails claiming to be AMEX, Home Depot, > PayPal, etc... > > > My Bank say's these are bogus email's and not to respond to them. > > Listen to them. They are correct. Correct, do nothing with them. The best recommendation is the old 'd' key. > > I have been recieveing them in Mozilla mail. > > Shouldn't matter what MUA you are using. Correct. Do learn a pure text MUA (Mail, pine, mutt, elm, etc.) See more about evil HTML below. > > How can I tell where these email will return to , should I reply or > > respond to info requested. ... > > There has got to be a way to back track. ... > > Also, check the html code of the e-mail. Most reference images from your > bank's website, but contain a redirect to some web server that actually > captures your information. Again, try to report this website to the owning > ISP. These are NASTY and difficult to disect without side effects. On behalf of your grandmother, if she entered any information, call you local police and ISP. Do nothing yourself. If you are curious DO NOT OPEN the mail. You might save it and it's headers in a safe place and inspect it with caution using pure text tools. Since it is mail mostly you can look at it with the pager "less" (less /tmp/problem-mail). The cautious might start with "xod -c". The message will begin with headers that might let you track it back to the machine that sent it. Commonly these are hijacked PC's and will be a dead end (unpatched, virus infected, ill managed or just gone). The sender line will often be forged but valid. In the headers you can track down the first responsible mail hop. That ISP may have a process to block the machine or notify the owner. Then there is the message body itself. If you look with cautious text tools you can find a long list of tricks, traps and stuff. As a minimum recent spam contains html that is an education. Each section could be trouble. Caution with the script sections... Invisible or white fonts often hide a mix of words that get the message past many spam tools. Multi byte tricks hide other stuff. Then there may be a single URL that might look like this http://waXXet.yXXoo.com%00@xxxxxxxxxxxxx/manual/images/ (some real numbers are x, Some real letters are X): In effect this gets to http://2xx.1xx.6x.9x/manual/images and not to the url you expect, see, and click on your screen. Then that page will present a form populated in many cases with images from the real company host. It is not enough that they impersonate the company. They also hijack images and their bandwidth for images. If you track the IPaddress in the form/script stuff may come from one country and the data sent to another foreign country. You might get a clue with dig -x 2xx.1xx.6x.9x then follow with whois. In short order you are now in the land of international law and your local police, ISP and even the FBI in the US have no authority. Next is the real nasty bit.... hidden in the html of the original message is often a 'ticker' URL that fetches a single pixel white image from a site that passes a code number and validates that the messages was looked at (BTW: this part is legal). Now your email address has been validated as active and that you are a clicker. You will now get ten time more spam from the next ten places the mailing list is sold to. The nasty bit in this is that if you send your mail to the police for inspection and they look at it with a browser you are validated and no matter how cautious and carefull you were the mailing list owner gets a tally and your spam load builds. These legal one bit images look something like: http://us.click.yahoo.com/aOAbGG/3rxGGG/qmsNGG/PkXolC/ARK SUMMARY: Do not look at spam HTML with anything other than a pure text tool. read it with HTML documentation at hand... clever stuff. -- T o m M i t c h e l l /dev/null the ultimate in secure storage.
