jim tate wrote:
I have been receiving bogus emails to sign on to my bank account, so someone can get my userid and password.
So have I. Plus include bogus e-mails claiming to be AMEX, Home Depot, PayPal, etc...
My bank says these are bogus emails and not to respond to them.
Listen to them. They are correct.
I have been receiving them in Mozilla mail.
Shouldn't matter what MUA you are using.
How can I tell where these emails will return to? Should I reply or respond to the info requested?
I wouldn't reply. It's probably forged anyway.
There has got to be a way to back track.
Check the e-mail headers and find the open relay that sent these e-mails. Then report this open relay to the ISP that owns the netblock. Good luck! A lot of these so-called open relay IP addresses are the "throw away" variety. Used only once.
Also, check the html code of the e-mail. Most reference images from your bank's website, but contain a redirect to some web server that actually captures your information. Again, try to report this website to the owning ISP.
I hope I can get the Linux community to help me track down the low-life crooks.
It's easy to track down and report where these e-mails came from. The hard part is getting the owning ISP to do anything about it. ISPs probably receive hundreds (if not thousands) of these complaints a day.
BTW: I phoned up my grandmother and educated her on this new breed of spam (identity theft).
Steve Cowles
On Sun, Mar 28, 2004 at 09:32:28AM -0600, Cowles, Steve wrote:
jim tate wrote:
I have been receiving bogus emails to sign on to my bank account, so someone can get my userid and password.
So have I. Plus include bogus e-mails claiming to be AMEX, Home Depot, PayPal, etc...
My bank says these are bogus emails and not to respond to them.
Listen to them. They are correct.
Correct, do nothing with them. The best recommendation is the old 'd' key.
I have been receiving them in Mozilla mail.
Shouldn't matter what MUA you are using.
Correct.
Do learn a pure text MUA (Mail, pine, mutt, elm, etc.) See more about evil HTML below.
How can I tell where these emails will return to? Should I reply or respond to the info requested?
...
There has got to be a way to back track.
...
Also, check the html code of the e-mail. Most reference images from your bank's website, but contain a redirect to some web server that actually captures your information. Again, try to report this website to the owning ISP.
These are NASTY and difficult to dissect without side effects.
On behalf of your grandmother, if she entered any information, call your local police and ISP. Do nothing yourself.
If you are curious DO NOT OPEN the mail.
You might save it and its headers in a safe place and inspect it with caution using pure text tools. Since it is mail, mostly you can look at it with the pager "less" (less /tmp/problem-mail). The cautious might start with "xod -c".
The message will begin with headers that might let you track it back to the machine that sent it. Commonly these are hijacked PCs and will be a dead end (unpatched, virus infected, ill managed or just gone). The sender line will often be forged but valid.
In the headers you can track down the first responsible mail hop. That ISP may have a process to block the machine or notify the owner.
Then there is the message body itself.
If you look with cautious text tools you can find a long list of tricks, traps and stuff. As a minimum recent spam contains html that is an education.
Each section could be trouble. Caution with the script sections...
Invisible or white fonts often hide a mix of words that get the message past many spam tools. Multi byte tricks hide other stuff.
Then there may be a single URL that might look like this
http://waXXet.yXXoo.com%00@2xx.1xx.6x.9x/manual/images/ (some real numbers are x, some real letters are X):
In effect this gets to http://2xx.1xx.6x.9x/manual/images and not to the url you expect, see, and click on your screen.
Then that page will present a form populated in many cases with images from the real company host. It is not enough that they impersonate the company. They also hijack images and their bandwidth for images. If you track the IP address in the form/script stuff, it may come from one country and the data sent to another foreign country. You might get a clue with dig -x 2xx.1xx.6x.9x then follow with whois. In short order you are now in the land of international law and your local police, ISP and even the FBI in the US have no authority.
Next is the real nasty bit.... hidden in the html of the original message is often a 'ticker' URL that fetches a single pixel white image from a site that passes a code number and validates that the message was looked at (BTW: this part is legal). Now your email address has been validated as active and that you are a clicker. You will now get ten times more spam from the next ten places the mailing list is sold to.
The nasty bit in this is that if you send your mail to the police for inspection and they look at it with a browser you are validated and no matter how cautious and careful you were the mailing list owner gets a tally and your spam load builds.
These legal one bit images look something like:
http://us.click.yahoo.com/aOAbGG/3rxGGG/qmsNGG/PkXolC/ARK
SUMMARY: Do not look at spam HTML with anything other than a pure text tool. Read it with HTML documentation at hand... clever stuff.
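One way to do the header and body inspection described above from the command line, as an added example that is not code from this thread: a small Python script run over a constructed sample message (every host and address in it is a documentation placeholder, not a real indicator) that lists the Received hops earliest first, shows the real host behind each link (the text before '@' in a URL is userinfo, so 'bank.example%00@203.0.113.5' lands on 203.0.113.5), and flags 1x1 images of the 'ticker' kind.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Constructed sample phishing mail (not from the original thread); hostnames
# and IP addresses are RFC 5737 / example placeholders, not real indicators.
RAW_MAIL = """\
Received: from mx.example-isp.net (mx.example-isp.net [192.0.2.10])
\tby mail.example.org with ESMTP; Sun, 28 Mar 2004 09:00:00 -0600
Received: from unknown (HELO bank.example) (198.51.100.77)
\tby mx.example-isp.net with SMTP; Sun, 28 Mar 2004 08:59:41 -0600
From: "Example Bank" <security@bank.example>
Subject: Please confirm your account
Content-Type: text/html

<html><body>
<a href="http://www.bank.example%00@203.0.113.5/manual/images/">Sign in</a>
<img src="http://www.bank.example/logo.gif">
<img src="http://tracker.example/t?id=a1b2c3" width="1" height="1">
</body></html>
"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
URL_RE = re.compile(r"""(?:href|src)=["']([^"']+)["']""", re.I)
IMG_RE = re.compile(r"<img[^>]*>", re.I)

def received_chain(raw: str) -> list[str]:
    """First IP in each Received: header, earliest hop first. Each relay
    prepends its own header, so the LAST header is the first hop to report."""
    msg = message_from_string(raw, policy=default)
    hops = [(IP_RE.search(str(h)) or [None])[0] or "?"
            for h in msg.get_all("Received", [])]
    return list(reversed(hops))

def real_host(url: str) -> dict:
    """Where a URL really goes: anything before '@' is userinfo, not the host."""
    p = urlsplit(url)
    return {"url": url, "host": p.hostname or "", "decoy": p.username or ""}

def tracking_pixels(html: str) -> list[str]:
    """src of every 1x1 <img>: the 'ticker' that confirms the mail was opened."""
    hits = []
    for tag in IMG_RE.findall(html):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', tag))
        if attrs.get("width") == "1" and attrs.get("height") == "1":
            hits.append(attrs.get("src", ""))
    return hits

def audit(raw: str) -> dict:
    """Text-only triage of a saved message: hops, link targets, trackers."""
    body = message_from_string(raw, policy=default).get_content()
    return {"hops": received_chain(raw),
            "links": [real_host(u) for u in URL_RE.findall(body)],
            "trackers": tracking_pixels(body)}
```

The script never fetches anything, so running it over a saved message does not trigger the tracking image the way opening it in a browser would.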
Thank you Tom
Your message below should be an education to many, and just amplifies the earlier discussion on why HTML should not ever be used (or allowed) on a mailing list.
The big problem in that respect is I have received a lot of these spams, that *appeared* to be coming from the mailing list but were of the _forged sender_ variety.
Your biggest and best suggestion is *NEVER open suspicious mail except with a pure text tool*.
Tom 'Needs A Hat' Mitchell wrote:
On Sun, Mar 28, 2004 at 05:24:36PM -0600, Jeff Vian wrote:
Thank you Tom
You are welcome.... This is a complex and moving topic. Legal types here are busy trying to write laws to control it. But will always be a year or two behind. Take advantage of a good ISP.... replace the ones that do not provide good filter and isolation services.
Do not let the legislature get involved in technology. Get them to focus on the fraud. Bad laws will only make things hard for the good guys.
Your message below should be an education to many, and just amplifies the earlier discussion on why HTML should not ever be used (or allowed) on a mailing list.
Of interest my "spamassassin" settings flagged and isolated my own message because I was 'too explicit' in my message. Your reply triggered a good score even after feeding my message back into the mix because you did not trim the original message.
I am not down on HTML, it is marvelous and has its place. I just look at the text portions. With the right settings in .mailcap "lynx" will do the right thing for mutt. Pine has a wonderful and almost safe text manager for html (uses lynx as a filter). These let me see mail from friends and family... For the good ones from friends and family I locally bounce the message to a spare account and use a browser based mail tool.
Most html messages on high volume lists do get tossed by me.
Netscape, mozilla, opera, etc all have preference settings that are invaluable in this. Scan the home pages for each...
Most ISPs have good filters. Set up content filters for Mom and Grandma at first as if they were 5-year-olds.