Bogus Email- Need help to do detective work

Jeff Vian jvian10 at charter.net
Sun Mar 28 23:24:36 UTC 2004


Thank you Tom

Your message below should be an education to many, and just amplifies
the earlier discussion on why HTML should not ever be used (or allowed)
on a mailing list.

The big problem in that respect is I have received a lot of these spams
that *appeared* to be coming from the mailing list but were of the
_forged sender_ variety.

Your biggest and best suggestion is *NEVER open suspicious mail except 
with a pure text tool*.

Tom 'Needs A Hat' Mitchell wrote:

>On Sun, Mar 28, 2004 at 09:32:28AM -0600, Cowles, Steve wrote:
>
>>jim tate wrote:
>>
>>>I have been receiving bogus emails to sign onto my bank account, so
>>>someone can get my userid and password.
>>
>>So have I. Plus include bogus e-mails claiming to be AMEX, Home Depot,
>>PayPal, etc...
>>
>>>My Bank says these are bogus emails and not to respond to them.
>>
>>Listen to them. They are correct.
>
>Correct, do nothing with them.  The best recommendation is the old 'd' key.
>
>>>I have been receiving them in Mozilla mail.
>>
>>Shouldn't matter what MUA you are using.
>
>Correct.
>
>Do learn a pure text MUA (Mail, pine, mutt, elm, etc.)
>See more about evil HTML below.
>
>
>>>How can I tell where these emails will return to, should I reply or
>>>respond to info requested.
>...
>
>>>There has got to be a way to back track.
>...
>
>>Also, check the html code of the e-mail. Most reference images from your
>>bank's website, but contain a redirect to some web server that actually
>>captures your information. Again, try to report this website to the owning
>>ISP.
>
>
>These are NASTY and difficult to dissect without side effects.
>
>On behalf of your grandmother, if she entered any information,
>call your local police and ISP.  Do nothing yourself.
>
>If you are curious DO NOT OPEN the mail.
>
>You might save it and its headers in a safe place and inspect it with
>caution using pure text tools.  Since it is mail mostly you can look
>at it with the pager "less" (less /tmp/problem-mail).  The cautious
>might start with "od -c".
>
>The message will begin with headers that might let you track it back
>to the machine that sent it.  Commonly these are hijacked PCs and
>will be a dead end (unpatched, virus infected, ill managed or just gone).
>The sender line will often be forged but valid.
>
>In the headers you can track down the first responsible mail hop.
>That ISP may have a process to block the machine or notify the owner.
>
>Then there is the message body itself.
>
>If you look with cautious text tools you can find a long list of
>tricks, traps and stuff. As a minimum recent spam contains html that
>is an education.
>
>Each section could be trouble.
>Caution with the script sections...
>
>Invisible or white fonts often hide a mix of words that get
>the message past many spam tools.   Multi-byte tricks
>hide other stuff.
>
>Then there may be a single URL that might look like this
>
> http://waXXet.yXXoo.com%00@2xx.1xx.6x.9x/manual/images/
> (some real numbers are x, some real letters are X):
>
>In effect this gets to http://2xx.1xx.6x.9x/manual/images
>and not to the url you expect, see, and click on your screen.
>
>Then that page will present a form populated in many cases with images
>from the real company host.  It is not enough that they impersonate
>the company.  They also hijack images and their bandwidth for images.
>If you track the IP address, the form/script stuff may come from one
>country and the data be sent to another foreign country.  You might get a
>clue with dig -x 2xx.1xx.6x.9x then follow with whois.  In short order
>you are now in the land of international law and your local police,
>ISP and even the FBI in the US have no authority.
>
>Next is the real nasty bit.... hidden in the html of the original
>message is often a 'ticker' URL that fetches a single pixel white
>image from a site that passes a code number and validates that the
>message was looked at (BTW: this part is legal).  Now your email
>address has been validated as active and that you are a clicker.  You
>will now get ten times more spam from the next ten places the mailing
>list is sold to.
>
>The nasty bit in this is that if you send your mail to the police for
>inspection and they look at it with a browser you are validated and no
>matter how cautious and careful you were the mailing list owner gets
>a tally and your spam load builds.
>
>These legal one-bit images look something like:
>
>    http://us.click.yahoo.com/aOAbGG/3rxGGG/qmsNGG/PkXolC/ARK
>
>SUMMARY:  Do not look at spam HTML with anything other than a pure text tool.
>Read it with HTML documentation at hand... clever stuff.
>
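The procedure Tom describes in the quoted message (save the mail, read the Received: chain to find the first hop, pull the links out of the HTML with a text tool, notice that everything before an '@' in a URL is not the host, and never let a tracking pixel get fetched) can be done with a short script instead of a pager. The following is an added example, not code from anyone on the thread: it parses a saved message with Python's standard email and html.parser modules and fetches nothing. The embedded sample message is constructed (documentation hostnames and RFC 5737 addresses, a fake bank domain), and the function names analyze, analyze_url, received_chain and tracking_pixels are my own.

```python
#!/usr/bin/env python3
"""Inspect a saved phishing e-mail with text tools only: nothing is rendered or fetched.

Added example, not code from the thread. Run with a path to a saved raw message,
or with no argument to analyse the constructed sample below.
"""
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (fake bank domain, RFC 5737 addresses). Its shape mirrors the
# thread: forged From:, decoy%00@real-ip link, hot-linked logo, 1x1 pixel, white text.
SAMPLE_EML = b"""Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.5])
\tby mx.recipient.example (Postfix) with ESMTP id 4F2A1
\tfor <victim@recipient.example>; Sun, 28 Mar 2004 09:00:01 -0600
Received: from pc-12345.dsl.example.net (unknown [198.51.100.77])
\tby mail.example-isp.net with SMTP; Sun, 28 Mar 2004 08:59:50 -0600
From: "Example Bank Security" <security@examplebank.example>
To: victim@recipient.example
Subject: Verify your account
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear customer, please <a href="http://www.examplebank.example%00@192.0.2.10/manual/images/">log in</a> now.</p>
<img src="http://www.examplebank.example/images/logo.gif" width="120" height="40">
<img src="http://track.example.net/open?id=9f3c1" width="1" height="1">
<font color="white">mortgage lottery refinance</font>
</body></html>
"""


def received_chain(msg):
    """Received: headers earliest hop first (each MTA prepends its own, so reverse)."""
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    return hops[::-1]


def originating_host(hop):
    """The host a hop claims to have received from; only the earliest hop is the sender."""
    m = re.match(r"from (\S+)", hop)
    return m.group(1) if m else None


class _Collector(HTMLParser):
    """Collect <a href>, <img> attributes and white-on-white text without fetching anything."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.hidden_text = [], [], []
        self._hidden = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "font" and a.get("color", "").lower() in ("white", "#fff", "#ffffff"):
            self._hidden = True

    def handle_endtag(self, tag):
        if tag == "font":
            self._hidden = False

    def handle_data(self, data):
        if self._hidden and data.strip():
            self.hidden_text.append(data.strip())


def analyze_url(url):
    """Where a link really goes: text before '@' in the authority is userinfo, not the host."""
    parts = urlsplit(url)
    decoy = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else None
    host = parts.hostname  # the part after the last '@', as a browser resolves it
    flags = []
    if decoy is not None:
        flags.append("userinfo-before-@")
        if "%00" in decoy:  # null byte used to truncate what the address bar shows
            flags.append("null-byte-in-userinfo")
    if host and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("bare-ip-host")
    return {"url": url, "decoy": decoy, "host": host, "flags": flags}


def tracking_pixels(images):
    """Images that are 1x1/0x0 or carry a per-recipient token in the query string."""
    hits = []
    for img in images:
        tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
        tokened = bool(urlsplit(img["src"]).query)
        if tiny or tokened:
            hits.append(img["src"])
    return hits


def analyze(raw):
    """Full report for one raw message (bytes): hops, links, image hosts, pixels, hidden text."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    c = _Collector()
    c.feed(html)
    chain = received_chain(msg)
    return {
        "from_domain": msg["From"].addresses[0].domain if msg["From"] else None,
        "first_hop": originating_host(chain[0]) if chain else None,
        "received": chain,
        "links": [analyze_url(u) for u in c.links],
        "image_hosts": sorted({urlsplit(i["src"]).hostname for i in c.images}),
        "tracking_pixels": tracking_pixels(c.images),
        "hidden_text": c.hidden_text,
    }


if __name__ == "__main__":
    import json, sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    print(json.dumps(analyze(raw), indent=2))
```

The first_hop value is the one to feed to dig -x and whois, as Tom suggests; the rest of the Received: chain is only as trustworthy as the MTAs that wrote it, and the From: domain is simply whatever the sender typed. The image_hosts list shows where the hot-linked logos come from versus where the form actually posts, and any URL in tracking_pixels is one you must not open in a browser, even to show it to someone else.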
