Wednesday, September 12, 2012

Tracing Email Forgeries

Long and dull, but useful information:..

By now many folks know that emails claiming to be from Fed Ex, or UPS, or the postal service about deliveries are often scams.  But people often ask how do you tell for sure instead of just guessing?  

The way to tell is to look at the email’s “Full Headers.”  While such a display looks daunting there are particular details you are looking for and you can ignore a lot of the other detail.

What you are looking for is the often strangely formatted Received lines.  What you are interested in is what system sent me the email?  Did it really come from UPS or did it come from Moon-buk-tu?

Here is an example.  It claims to be from UPS about a delivery confirmation contained in an attachment.  First of all UPS doesn’t do that, so you know it’s not right from the start, but let’s continue.

Email gets handed off pony express style from one computer to another and there will be a Received line in the email for every “hop.”

Return-Path:
Received: from mail.ups.com (mail.dawee.co.id [203.160.60.139])
    by mymailsystem.blahblah.com (8.13.8/8.13.4) with ESMTP id q8A9vW9W028734
    for ; Mon, 10 Sep 2012 02:57:35 -0700

 Received: from [219.168.131.98] (helo=jsrlvuefbfxn.gjqtj.ru)
    by mail.dawee.co.id with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MM3D6-6022ia-PI
    for ellen@blahblah.com; Mon, 10 Sep 2012 16:54:50 +0700
 
From: "UPS Quantum View"
To:
Subject: Delivery Notification UPS Mon, 10 Sep 2012 16:54:50 +0700


Return-Path - this can be faked so ignore it.
Received lines go in reverse order so the last one to touch it is the one at the top and usually the one you want to look at.  You want to look for the name of your system that receives email for you.  In this case, I’m calling it mymailsystem.blahblah.com.  The top Received line is what sent it to mymailsystem.  That system claims to be mail.ups.com, but look inside the parenthesis.  In an ESMTP Received line what is inside the parens is placed there by the email software and rarely is forged.  What is inside the parens is who really sent the message: dawee.co.id which is a system in Indonesia.  UPS may be an international company, but I can assure you that a system of theirs whose job it is to send email is never going to look like this.  So we can safely conclude that it is a forgery.

The second received line is who sent it to indonesia which implies the Indonesian system may have been hacked/hijacked by a virus intended to send spams and scams.  This line is generated by Exim and I’m not as familiar with how those lines are formatted though I do know they are easiliy configurable and so I don’t trust them as much.  It is interesting that the parens only contain a “helo” which is what the system claims its name is to the mailer (listed as from Russia but very easily faked) and the ip address in the [] doesn’t match it.  The IP address is from Japan. (I checked with http://whatismyipaddress.com/ip/)  
The implication is that the system is lying to the Indonesian system about where it is from.



Here is another example.
This claims to be from the ADP payroll system company.

That first glance a big clue: X-Mailer The Bat!
The Bat! is a mailer that is heavily used by spammers.
Return-Path is just whatever the spammer claimed to be

Return-Path: \ 
Received: from adpmailer.adp.com ([62.198.244.64])
by mymailsystem.blahblah.com (envelope-sender )
with ESMTP id q8ADQiYc012151; Mon, 10 Sep 2012 06:26:45 -0700  

Received: from [207.99.101.96] (helo=eqlcqhhswioo.nxqyhrp.ru)  
by with esmtpa (Exim 4.69) (envelope-from ) id 1MMCKK-1644oq-DH 
for someone@blahblah.com; Mon, 10 Sep 2012 14:26:43 +0100
Date:     Mon, 10 Sep 2012 14:26:43 +0100
From:
"ADP_Online_Invoice_DoNotReply@adp.com"
X-Mailer:
The Bat! (v2.04.7) Business

Looking at the first Received line, i find mymailsystem@blahblah.com which is my example email system.  The system that sent it claims to be adpmailer.adp.com but, again, look inside the parens.  there is no name inside the parens so we have to do a little more work by using http://whatismyipaddress.com/ip/. and it tells us this system is from Denmark which again is not an ADP system.

The system that sent it to the Denmark system is 207.99.101.96 which is a system in New Jersey and again not from Russia as it claimed to be.



This example is basic forged spam.  It claims to be a stock tip from Italy but is really from a system in Russia (.ru inside the parens) that has likely been broken into:

Received: from ppp91-79-82-35.pppoe.mtu-net.ru (ppp91-79-82-35.pppoe.mtu-net.ru [91.79.82.35])
    by mysystem.blahblah.com (8.13.8/8.13.4) with SMTP id q88GA0nQ027380
    for ; Sat, 8 Sep 2012 09:10:04 -0700

Received:
from unknown (HELO ebd) ([35.42.178.112])
    by ppp91-79-82-35.pppoe.mtu-net.ru with ESMTP; Sat, 8 Sep 2012 20:10:48 +0300

Message-ID:
<001b01cd8ddc ab270="ab270" comp1ebd="comp1ebd" d1d0="d1d0">
From: "Keith Greer"
To:
Subject: Stock To Watch!


While the email address (kc_kate@tradenet.it) is a forgery, the name of the Russian system (ppp91-79-82-35.pppoe.mtu-net.ru) has not been - it appears the same both inside and outside of the parens in the Received line.  On the second Received line you can see the system that sent the spam through the Russian one.  Its identity is more protected, but it is likely 35.42.178.112 which is a system in Ann Arbor Michigan owned by Merit Network (who is a college), and I will send the full headers to the Merit Network abuse address which I’m hoping is abuse@merit.edu.  It's likely the Merit system has been broken into as well.

Tuesday, September 11, 2012

Memorizing Passwords and Other Important Stuff

My work has autogenerated passwords that change monthly.

For the most part, I just keep these in a mailbox folder that I refer to, but it saves me a couple of minutes if I just memorize the passwords that I use the most.

If you took piano lessons, or took biology or first aid, or even rock climbing classes you’ve no doubt been introduced to using words in a phrase to remind you of process (called a mnemonic device.)  The piano staff one of Every Good Boy Does Fine and FACE is here (though I must admit to wondering why you need a mnemonic for something that is alphabetical).: http://piano.about.com/od/gettingstarted/ss/notes_2staves.htm

For example: QPEN Query Paul about his Egyptian Name

But the more ridiculous a device is the more memorable it is
What’s even better if you can come up with a silly image.

if you have
TRZ

then a great way to remember it is:  The Red Zebra

After 24 hours I couldn’t remember Query Paul Egyptian Name.  All I could remember was Query Paul, BUT I had no trouble remembering The Red Zebra.

So if a password is
pgr4dn8h

then you can use
purple giraffes are for digging innate holes

This process works well for license plates too

5wwh582

5 women will have 5 to 8 tulips

6act925

6 accordians can toil 9 to 5

Of course the hazard of all this is if you do too good a job, you are stuck with brain cells that are forever occupied with this bit of information long after it isn’t relevant.  In this case, you can always repurpose it.  i use portions of old phone numbers as pin numbers

Saturday, September 08, 2012

A Writer in Training

So I've decided that for my second/retirement career (right now I'm a happy IT person right now and a non-professional dog trainer) is that I want to be a writer.

Writing has always been a part of my life (lit undergrad etc) and I never really realized I had much talent at it until email and the internet where I started writing a lot and people would complement me on it.  Over time I've finally come to realize that it might be something I could semi-seriously persue.

But I have a lot to learn.  I am a great expository writer and I write for work every day and I have two blogs also, but I would like to write fiction and I have limited experience in that.  The big thing is the entire art of storycraft and plots and creating a consistent, credible fictional world.  We all have a good idea of what makes a good story, but to actually create something that someone actually wants to read is a whole 'nuther universe.

So I've started going back over books I've read just to see how the story develops and it's been really interesting.  I'll have to add more to this over time, but things, in particular, I've noticed are.

The beginning drops you right in the middle of something and you are immediately busy trying to figure out what is going on.  Something like: "I ducked as the pig flew by and sailed into the dining room and then I noticed that ground squirrels were drinking whiskey and laughing."  Then the writer will give you more information while the character and you are trying to figure out what to do about the situation.

Another thing I've just noticed, and I'm not sure I quite understand the point of it is hint dropping that will be missed by 90% of first time readers.  "His stance was squared off and seemed vaguely similar to something that my father once did."  Then chapters later it turns out that this person is a missing son of said father.  What is the purpose of doing that?  I can see if it is intriguing, but most of new readers are going to miss the reference.

Then there is the fictional world you build, and you have to understand that readers are going to be comparing your world to other authors.

I'm reading Deborah Harknesses A Discovery of Witches where she has Vampires, Witches, Demons and Humans.  I am a devoted fan of Jim Butcher's Harry Dresden and I can't help but compare the two, and sometimes I feel like Harkness is directly addressing the issue.  For example, when a vampire explains to the main character (a witch) that he doesn't need a specific invitation to cross a threshold. In Butcher's world he would, and my in-house Buffy the Vampire Slayer expert says that in Buffy's world they also would need an invitation.  You could probably write a whole essay comparing all the vampire worlds on this issue (including Anne Rice's and Bram Stoker's)

This is one thing I really like about Science Fiction.  You get to make the rules.  Detailed, reality based, fictional books like the ones that Daniel Silva writes are so perilous because if you get one detail wrong it jars many readers and they really don't like it.  In Science Fiction and Fantasy as long as you are consistent in the world you create you're ok.

More as I learn more.