Bogus Email - Need help to do detective work
jim tate
2004-03-28 15:01:35 UTC
I have been receiving bogus emails to sign on to my bank account, so
someone can get my userid and password.
My bank says these are bogus emails and not to respond to them.
I have been receiving them in Mozilla mail.
How can I tell where these emails will return to? Should I reply or
respond to the info requested?
There has got to be a way to backtrack.
I hope I can get the Linux community to help me track down the lowlife
crooks.
Just think how many people are falling for this scam; it could be your
dear little grandmother, BEASTS.

Jim Tate
Robert Spangler
2004-03-28 15:17:31 UTC
Post by jim tate
There has got to be a way to back track.
Look at the headers. All the information is listed there. Read them carefully
as they know how to hide the information even though it's right in front of
you.
--
Regards
Robert

Smile..... It increases your face value.
Alexander Dalloz
2004-03-28 15:18:12 UTC
Post by jim tate
I have been receiving bogus emails to sign on to my bank account, so
someone can get my userid and password.
My bank says these are bogus emails and not to respond to them.
I have been receiving them in Mozilla mail.
How can I tell where these emails will return to? Should I reply or
respond to the info requested?
There has got to be a way to backtrack.
I hope I can get the Linux community to help me track down the lowlife
crooks.
Just think how many people are falling for this scam; it could be your
dear little grandmother, BEASTS.
Jim Tate
Have a look at the mail in plain format (I am not sure if and how
Mozilla mail can do that). Normally those fake mails are in HTML and you
need to look at them in raw format to see the HTML tags and where they
direct to. I sometimes get faked eBay mails, and inspecting the HTML code
you can see that the URI links do not direct to eBay but to Russian or
Romanian hosts.

You should also have a look at the full email header. There you can
follow the path the email took through the different mail servers.

Alexander
--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2174.nptl
Sirendipity 17:14:07 up 9 days, 56 users, load average: 0.22, 0.19,
[ γνῶθι σ'αυτόν - gnothi seauton ]
my life is a planetarium - and you are the stars
Pedro Fernandes Macedo
2004-03-28 15:34:34 UTC
Post by Alexander Dalloz
Have a look at the mail in plain format (I am not sure if and how
Mozilla mail can do that). Normally those fake mails are in HTML and you
need to look at them in raw format to see the HTML tags and where they
direct to. I sometimes get faked eBay mails, and inspecting the HTML code
you can see that the URI links do not direct to eBay but to Russian or
Romanian hosts.
You should also have a look at the full email header. There you can
follow the path the email took through the different mail servers.
Alexander
To see the raw e-mail message on Mozilla, go to the "View" menu,
"Message body as" and choose "plain text". This will give you all the
headers, unformatted HTML code, etc.
If there are links in the message, see if they point to IP addresses.
Send the message source to your bank, so they can give this
information to the police so they can track down these criminals.

--
Pedro Macedo
Christopher Ness
2004-03-28 15:54:44 UTC
Post by Pedro Fernandes Macedo
To see the raw e-mail message on Mozilla, go to the "View" menu,
"Message body as" and choose "plain text". This will give you all the
headers, unformatted HTML code, etc.
If there are links in the message, see if they point to IP addresses.
Send the message source to your bank, so they can give this
information to the police so they can track down these criminals.
--
Pedro Macedo
Now that you are in the source, you can see which "open relay" the
spammer originated from. Unfortunately there really isn't too much any
one person can do about it. You could try to contact
{postmaster,abuse,root}@originating.server.tld

That is, send an email to postmaster at spammer.com, abuse at spammer.com, ...
and tell them to lock down their mail machine.
Hopefully one of them will get through and the owner will oblige.

Best of luck, but I wouldn't hold my breath. Yes that is rather
pessimistic, but also realistic.

Chris
--
Software Engineering IV,
McMaster University
PGP Public Key: http://nesser.org/pgp-key/

10:49:54 up 1:59, 2 users, load average: 0.09, 0.12, 0.18

Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
Clint
2004-03-28 16:05:03 UTC
Post by Pedro Fernandes Macedo
To see the raw e-mail message on Mozilla, go to the "View" menu,
"Message body as" and choose "plain text". This will give you all the
headers, unformatted HTML code, etc.
If there are links in the message, see if they point to IP addresses.
Send the message source to your bank, so they can give this
information to the police so they can track down these criminals.
--
Pedro Macedo
My Moz 1.6 behaves differently than described above.

To view the message as plain text, use the instructions given above, but
this will not display headers, html source code, etc. (View -> Message
body as -> plain text)

To see the *source* (HTML code, URLs, etc.), I carry out these instructions:

View -> Message Source

on the open email message. This will then allow an inspection of the
mailto's and links.
--
Clint <clint at penguinsolutions.org>
Pedro Fernandes Macedo
2004-03-28 20:05:37 UTC
Post by Clint
My Moz 1.6 behaves differently than described above.
To view the message as plain text, use the instructions given above,
but this will not display headers, html source code, etc. (View ->
Message body as -> plain text)
To see the *source* (html code, url's etc.), I carry out these
View -> Message Source
on the open email message. This will then allow an inspection of the
mailto's and links.
Oops... my bad. I didn't remember the "message source" option in the
view menu...

--
Pedro Macedo
Chris Kloiber
2004-03-29 07:22:25 UTC
Post by Pedro Fernandes Macedo
Post by Alexander Dalloz
Have a look at the mail in plain format (I am not sure if and how
Mozilla mail can do that). Normally those fake mails are in HTML and you
need to look at them in raw format to see the HTML tags and where they
direct to. I sometimes get faked eBay mails, and inspecting the HTML code
you can see that the URI links do not direct to eBay but to Russian or
Romanian hosts.
You should also have a look at the full email header. There you can
follow the path the email took through the different mail servers.
Alexander
To see the raw e-mail message on Mozilla, go to the "View" menu,
"Message body as" and choose "plain text". This will give you all the
headers, unformatted HTML code, etc.
If there are links in the message, see if they point to IP addresses.
Send the message source to your bank, so they can give this
information to the police so they can track down these criminals.
--
Pedro Macedo
Once you have the plain text with headers, print it and give it to your
bank officer. What those guys are doing is a federal crime, and the
FBI/CIA should be hunting them down like the dogs they are.
--
Chris Kloiber, RHCX
Red Hat, Inc.
jim tate
2004-03-28 15:28:05 UTC
Post by jim tate
I have been receiving bogus emails to sign on to my bank account,
so someone can get my userid and password.
My bank says these are bogus emails and not to respond to them.
I have been receiving them in Mozilla mail.
How can I tell where these emails will return to? Should I reply or
respond to the info requested?
There has got to be a way to backtrack.
I hope I can get the Linux community to help me track down the
lowlife crooks.
Just think how many people are falling for this scam; it could be
your dear little grandmother, BEASTS.
Jim Tate
How do I edit the email in Mozilla, or pull it out of Mozilla to edit?
Jim Tate
Cowles, Steve
2004-03-28 15:32:28 UTC
Post by jim tate
I have been receiving bogus emails to sign on to my bank account, so
someone can get my userid and password.
So have I. Plus bogus e-mails claiming to be from AMEX, Home Depot,
PayPal, etc...
Post by jim tate
My bank says these are bogus emails and not to respond to them.
Listen to them. They are correct.
Post by jim tate
I have been receiving them in Mozilla mail.
Shouldn't matter what MUA you are using.
Post by jim tate
How can I tell where these emails will return to? Should I reply or
respond to the info requested?
I wouldn't reply. It's probably forged anyway.
Post by jim tate
There has got to be a way to backtrack.
Check the e-mail headers and find the open relay that sent these e-mails.
Then report this open relay to the ISP that owns the netblock. Good luck! A
lot of these so-called open relay IP addresses are the "throw away" variety,
used only once.

Also, check the HTML code of the e-mail. Most reference images from your
bank's website, but contain a redirect to some web server that actually
captures your information. Again, try to report this website to the owning
ISP.
Post by jim tate
I hope I can get the Linux community to help me track down
the lowlife crooks.
It's easy to track down and report where these e-mails came from. The hard
part is getting the owning ISP to do anything about it. ISPs probably
receive hundreds (if not thousands) of these complaints a day.

BTW: I phoned up my grandmother and educated her on this new breed of spam
(identity theft).

Steve Cowles
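The header walk that Steve, Alexander and Chris describe (find the relay the message entered at, then report it to whoever owns it) can be done from a saved message with a short script. The Python below is an added example and not code from anyone in this thread: it parses a raw message, unfolds every Received: header, pulls out the claimed HELO name, the connecting IP in square brackets and the receiving host, and reports the bottom-most hop as the origin. The sample message, host names and addresses are constructed for the example (documentation address ranges), not taken from the thread. One caveat a practitioner would add: only the Received: lines written by servers you trust (your own and your ISP's) are reliable; everything below them was supplied by the sender and can be forged, so read from the top down and treat the first hop outside your provider as the last one you can believe.

```python
import email
import re

# Constructed sample (not from the thread): a forged "bank" message that
# entered the mail system at a third-party relay. All names and IPs are
# documentation examples.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTP id 1A2B3C
\tfor <victim@example.org>; Sun, 28 Mar 2004 14:59:02 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with SMTP; Sun, 28 Mar 2004 14:58:50 +0000
Received: from bank.example (unknown [203.0.113.45])
\tby relay.example.com with SMTP; Sun, 28 Mar 2004 14:58:31 +0000
From: "Example Bank Security" <security@bank.example>
To: victim@example.org
Subject: Please verify your account
Content-Type: text/plain

Please sign on at the link below.
"""

# "from <helo> (<rdns> [<ip>]) by <receiver>" is the shape most MTAs write.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(raw):
    """Return one dict per Received: header, top (newest) to bottom (oldest)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold the continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        paren = m.group("paren") or ""
        ips = IPV4_RE.findall(paren)
        rdns = paren.split("[")[0].strip() or None  # reverse-DNS name, if any
        helo = m.group("helo")
        hops.append({
            "helo": helo,
            "rdns": rdns,
            "ip": ips[0] if ips else None,
            "by": m.group("by"),
            # A HELO that does not match what the receiving server resolved is
            # the usual sign of a forged sender or a hijacked PC with no rDNS.
            "helo_matches_rdns": rdns is not None and rdns.lower() == helo.lower(),
        })
    return hops


def originating_hop(hops):
    """The bottom-most Received: line is the first server that saw the mail."""
    return hops[-1] if hops else None


def abuse_contacts(hop):
    """Role addresses at the relay that accepted the mail, for a report."""
    return [f"{user}@{hop['by']}" for user in ("postmaster", "abuse")]


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    for i, hop in enumerate(hops):
        flag = "" if hop["helo_matches_rdns"] else "  <-- HELO does not match rDNS"
        print(f"{i}: from {hop['helo']} [{hop['ip']}] by {hop['by']}{flag}")
    origin = originating_hop(hops)
    print("origin:", origin["ip"], "via", origin["by"])
    print("report to:", ", ".join(abuse_contacts(origin)))
```

The script only reads the saved file; it performs no DNS lookups and sends nothing, so it is safe to run on a suspicious message. The `dig -x` and `whois` steps mentioned later in the thread would be the next move on the origin IP it prints.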
Tom 'Needs A Hat' Mitchell
2004-03-28 23:03:27 UTC
Post by Cowles, Steve
Post by jim tate
I have been receiving bogus emails to sign on to my bank account, so
someone can get my userid and password.
So have I. Plus bogus e-mails claiming to be from AMEX, Home Depot,
PayPal, etc...
Post by jim tate
My bank says these are bogus emails and not to respond to them.
Listen to them. They are correct.
Correct, do nothing with them. The best recommendation is the old 'd' key.
Post by Cowles, Steve
Post by jim tate
I have been receiving them in Mozilla mail.
Shouldn't matter what MUA you are using.
Correct.

Do learn a pure text MUA (Mail, pine, mutt, elm, etc.)
See more about evil HTML below.
Post by Cowles, Steve
Post by jim tate
How can I tell where these emails will return to? Should I reply or
respond to the info requested?
...
Post by Cowles, Steve
Post by jim tate
There has got to be a way to backtrack.
...
Post by Cowles, Steve
Also, check the HTML code of the e-mail. Most reference images from your
bank's website, but contain a redirect to some web server that actually
captures your information. Again, try to report this website to the owning
ISP.
These are NASTY and difficult to dissect without side effects.

On behalf of your grandmother, if she entered any information,
call your local police and ISP. Do nothing yourself.

If you are curious DO NOT OPEN the mail.

You might save it and its headers in a safe place and inspect it with
caution using pure text tools. Since it is mail mostly you can look
at it with the pager "less" (less /tmp/problem-mail). The cautious
might start with "od -c".

The message will begin with headers that might let you track it back
to the machine that sent it. Commonly these are hijacked PC's and
will be a dead end (unpatched, virus infected, ill managed or just gone).
The sender line will often be forged but valid.

In the headers you can track down the first responsible mail hop.
That ISP may have a process to block the machine or notify the owner.

Then there is the message body itself.

If you look with cautious text tools you can find a long list of
tricks, traps and stuff. As a minimum recent spam contains html that
is an education.

Each section could be trouble.
Caution with the script sections...

Invisible or white fonts often hide a mix of words that get
the message past many spam tools. Multi-byte tricks
hide other stuff.

Then there may be a single URL that might look like this

http://waXXet.yXXoo.com%00@2xx.1xx.6x.9x/manual/images/
(some real numbers are x, some real letters are X):

In effect this gets to http://2xx.1xx.6x.9x/manual/images
and not to the URL you expect, see, and click on your screen.

Then that page will present a form populated in many cases with images
from the real company host. It is not enough that they impersonate
the company. They also hijack images and their bandwidth for images.
If you track the IP address in the form/script stuff, it may come from one
country and the data sent to another foreign country. You might get a
clue with dig -x 2xx.1xx.6x.9x then follow with whois. In short order
you are now in the land of international law and your local police,
ISP and even the FBI in the US have no authority.

Next is the real nasty bit.... hidden in the HTML of the original
message is often a 'ticker' URL that fetches a single pixel white
image from a site that passes a code number and validates that the
message was looked at (BTW: this part is legal). Now your email
address has been validated as active and that you are a clicker. You
will now get ten times more spam from the next ten places the mailing
list is sold to.

The nasty bit in this is that if you send your mail to the police for
inspection and they look at it with a browser you are validated and no
matter how cautious and careful you were the mailing list owner gets
a tally and your spam load builds.


These legal one bit images look something like:

http://us.click.yahoo.com/aOAbGG/3rxGGG/qmsNGG/PkXolC/ARK

SUMMARY: Do not look at spam HTML with anything other than a pure text tool.
Read it with HTML documentation at hand... clever stuff.
--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
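The three tricks Tom lists above (the user@host URL whose real target is the part after the @, the bare IP address as host, and the single-pixel 'ticker' image) can all be checked from a saved message without ever rendering it, which is exactly what his summary asks for. The Python below is an added example, not code from Tom or anyone else in the thread: it pulls the links and images out of an HTML body with the standard-library parser, resolves each link's real host the way urllib does (everything before an @ in the authority is userinfo, not the host), and flags the three patterns plus a fourth that generalises Tom's point, link text that names one site while the href goes to another. The sample HTML, host names and IP addresses are constructed (documentation ranges) and are not from the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body (not from the thread). The first link uses the
# "user@host" trick: everything before the @ is userinfo, so the browser
# actually connects to the bare IP after it.
SAMPLE_HTML = """\
<html><body>
<p>Dear customer, please
<a href="http://www.bank.example%00@203.0.113.45/manual/images/">sign on to www.bank.example</a>
within 24 hours.</p>
<img src="http://www.bank.example/img/logo.gif" width="120" height="40">
<p>Or <a href="http://203.0.113.45/login">update your details here</a>.</p>
<img src="http://click.tracker.example/open?id=abc123" width="1" height="1">
</body></html>
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST_IN_TEXT_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect <a href> links with their visible text, and every <img>."""

    def __init__(self):
        super().__init__()
        self.links = []    # (href, visible text)
        self.images = []   # attribute dicts
        self._open = None  # [href, text so far] while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = [a["href"], ""]
        elif tag == "img" and a.get("src"):
            self.images.append(a)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, text = self._open
            self.links.append((href, " ".join(text.split())))
            self._open = None


def analyze_link(href, text=""):
    """Report where a link really goes and which suspicious patterns it uses."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        # RFC 3986 userinfo: "www.bank.example%00@203.0.113.45" connects to the IP.
        reasons.append(f"userinfo trick: displays '{parts.username}' but connects to {host}")
    if IPV4_RE.match(host):
        reasons.append(f"bare IP address as host: {host}")
    m = HOST_IN_TEXT_RE.search(text)
    if m and m.group(1).lower() != host:
        reasons.append(f"link text names {m.group(1)} but href goes to {host}")
    return {"href": href, "host": host, "reasons": reasons}


def is_tracking_pixel(img_attrs):
    """A 1x1 (or 0x0) remote image exists only to record that the mail was opened."""
    width = img_attrs.get("width", "").strip()
    height = img_attrs.get("height", "").strip()
    return width in ("0", "1") and height in ("0", "1")


def analyze_html(html):
    """Run both checks over a message body and return the findings."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return {
        "links": [analyze_link(href, text) for href, text in collector.links],
        "tracking_pixels": [img["src"] for img in collector.images if is_tracking_pixel(img)],
    }


if __name__ == "__main__":
    report = analyze_html(SAMPLE_HTML)
    for link in report["links"]:
        print(link["href"], "->", link["host"])
        for reason in link["reasons"]:
            print("   !", reason)
    for src in report["tracking_pixels"]:
        print("tracking pixel:", src)
```

Nothing here fetches a URL, so running it does not fire the tracking pixel Tom warns about; to use it on a real message, save the source as Pedro and Clint describe and pass the HTML part to `analyze_html`.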
Jeff Vian
2004-03-28 23:24:36 UTC
Thank you Tom

Your message below should be an education to many, and just amplifies
the earlier discussion on why HTML should not ever be used (or allowed)
on a mailing list.

The big problem in that respect is I have received a lot of these spams
that *appeared* to be coming from the mailing list but were of the
_forged sender_ variety.

Your biggest and best suggestion is *NEVER open suspicious mail except
with a pure text tool*.
Post by Tom 'Needs A Hat' Mitchell
Post by Cowles, Steve
Post by jim tate
I have been receiving bogus emails to sign on to my bank account, so
someone can get my userid and password.
So have I. Plus include bogus e-mails claiming to be AMEX, Home Depot,
PayPal, etc...
Post by jim tate
My bank says these are bogus emails and not to respond to them.
Listen to them. They are correct.
Correct, do nothing with them. The best recommendation is the old 'd' key.
Post by Cowles, Steve
Post by jim tate
I have been receiving them in Mozilla mail.
Shouldn't matter what MUA you are using.
Correct.
Do learn a pure text MUA (Mail, pine, mutt, elm, etc.)
See more about evil HTML below.
Post by Cowles, Steve
Post by jim tate
How can I tell where these emails will return to? Should I reply or
respond to the info requested?
...
Post by Cowles, Steve
Post by jim tate
There has got to be a way to backtrack.
...
Post by Cowles, Steve
Also, check the html code of the e-mail. Most reference images from your
bank's website, but contain a redirect to some web server that actually
captures your information. Again, try to report this website to the owning
ISP.
These are NASTY and difficult to dissect without side effects.
On behalf of your grandmother, if she entered any information,
call your local police and ISP. Do nothing yourself.
If you are curious DO NOT OPEN the mail.
You might save it and its headers in a safe place and inspect it with
caution using pure text tools. Since it is mail mostly you can look
at it with the pager "less" (less /tmp/problem-mail). The cautious
might start with "od -c".
The message will begin with headers that might let you track it back
to the machine that sent it. Commonly these are hijacked PC's and
will be a dead end (unpatched, virus infected, ill managed or just gone).
The sender line will often be forged but valid.
In the headers you can track down the first responsible mail hop.
That ISP may have a process to block the machine or notify the owner.
Then there is the message body itself.
If you look with cautious text tools you can find a long list of
tricks, traps and stuff. As a minimum recent spam contains html that
is an education.
Each section could be trouble.
Caution with the script sections...
Invisible or white fonts often hide a mix of words that get
the message past many spam tools. Multi byte tricks
hide other stuff.
Then there may be a single URL that might look like this
http://waXXet.yXXoo.com%00@2xx.1xx.6x.9x/manual/images/
In effect this gets to http://2xx.1xx.6x.9x/manual/images
and not to the url you expect, see, and click on your screen.
Then that page will present a form populated in many cases with images
from the real company host. It is not enough that they impersonate
the company. They also hijack images and their bandwidth for images.
If you track the IP address in the form/script stuff, it may come from one
country and the data sent to another foreign country. You might get a
clue with dig -x 2xx.1xx.6x.9x then follow with whois. In short order
you are now in the land of international law and your local police,
ISP and even the FBI in the US have no authority.
Next is the real nasty bit.... hidden in the html of the original
message is often a 'ticker' URL that fetches a single pixel white
image from a site that passes a code number and validates that the
message was looked at (BTW: this part is legal). Now your email
address has been validated as active and that you are a clicker. You
will now get ten times more spam from the next ten places the mailing
list is sold to.
The nasty bit in this is that if you send your mail to the police for
inspection and they look at it with a browser you are validated and no
matter how cautious and careful you were the mailing list owner gets
a tally and your spam load builds.
http://us.click.yahoo.com/aOAbGG/3rxGGG/qmsNGG/PkXolC/ARK
SUMMARY: Do not look at spam HTML with anything other than a pure text tool.
read it with HTML documentation at hand... clever stuff.
Tom 'Needs A Hat' Mitchell
2004-03-29 00:35:35 UTC
Post by Jeff Vian
Thank you Tom
You are welcome....
This is a complex and moving topic. Legal types here are busy
trying to write laws to control it, but will always be a year or
two behind. Take advantage of a good ISP.... replace the ones
that do not provide good filter and isolation services.

Do not let the legislature get involved in technology. Get them
to focus on the fraud. Bad laws will only make things hard for
the good guys.
Post by Jeff Vian
Your message below should be an education to many, and just amplifies
the earlier discussion on why HTML should not ever be used (or allowed)
on a mailing list.
Of interest, my "spamassassin" settings flagged and isolated my own
message because I was 'too explicit' in my message. Your reply
triggered a good score even after feeding my message back into the mix
because you did not trim the original message.

I am not down on HTML, it is marvelous and has its place. I just
look at the text portions. With the right settings in .mailcap "lynx"
will do the right thing for mutt. Pine has a wonderful and almost
safe text manager for html (uses lynx as a filter). These let me see
mail from friends and family... For the good ones from friends and
family I locally bounce the message to a spare account and use a
browser based mail tool.

Most html messages on high volume lists do get tossed by me.

Netscape, mozilla, opera, etc all have preference settings
that are invaluable in this. Scan the home pages for each...

Most ISPs have good filters. Set up content filters for Mom and
Grandma at first as if they were 5 years old.
--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
Tom 'Needs A Hat' Mitchell
2004-03-29 00:35:35 UTC
Permalink
Post by Jeff Vian
Thank you Tom
You are welcome....
This is a complex and moving topic. Legal types here are busy
trying to write laws to control it. But will always be a year or
two behind. Take advantage of a good ISP.... replace the ones
that do not provide good filter and isolation services.

Do not let the legislature get involved in technology. Get them
to focus on the fraud. Bad laws will only make things hard for
the good guys.
Post by Jeff Vian
Your message below should be an education to many, and just amplifies
the earlier discussion on why HTML should not ever be used (or allowed)
on a mailing list.
Of interest my "spamassassin" settings flagged and isolated my own
message because I was 'too explicit' in my message. Your reply
triggered a good score even after feeding my message back into the mix
because you did not trim the original message.

I am not down on HTML, it is marvelous and has it's place. I just
look at the text portions. With the right settings in .mailcap "lynx"
will do the right thing for mutt. Pine has a wonderful and almost
safe text manager for html (uses lynx as a filter). These let me see
mail from friends and family... For the good ones from friends and
family I locally bounce the message to a spare account and use a
browser based mail tool.

Most html messages on high volume lists do get tossed by me.

Netscape, mozilla, opera, etc all have preference settings
that are invaluable in this. Scan the home pages for each...

Most ISP's have good filters. Set up content filters for Mom and
Grandma at first as if they were 5 year old.
--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
Jeff Vian
2004-03-28 23:24:36 UTC
Permalink
Thank you Tom

Your message below should be an education to many, and just amplifies
the earlier discussion on why HTML should not ever be used (or allowed)
on a mailing list.

The big problem in that respect is I have received a lot of these spams,
that *appeared* to be coming from the mailing list but were of the
_forged sender_ variety.

Your biggest and best suggestion is *NEVER open suspicious mail except
with a pure text tool*.
Post by Tom 'Needs A Hat' Mitchell
Post by Cowles, Steve
Post by jim tate
I have been recieveing Bogus email's to sign onto to my bank account, so
someone can get my userid and password.
So have I. Plus include bogus e-mails claiming to be AMEX, Home Depot,
PayPal, etc...
Post by jim tate
My Bank say's these are bogus email's and not to respond to them.
Listen to them. They are correct.
Correct, do nothing with them. The best recommendation is the old 'd' key.
Post by Cowles, Steve
Post by jim tate
I have been recieveing them in Mozilla mail.
Shouldn't matter what MUA you are using.
Correct.
Do learn a pure text MUA (Mail, pine, mutt, elm, etc.)
See more about evil HTML below.
Post by Cowles, Steve
Post by jim tate
How can I tell where these email will return to , should I reply or
respond to info requested.
...
Post by Cowles, Steve
Post by jim tate
There has got to be a way to back track.
...
Post by Cowles, Steve
Also, check the html code of the e-mail. Most reference images from your
bank's website, but contain a redirect to some web server that actually
captures your information. Again, try to report this website to the owning
ISP.
These are NASTY and difficult to disect without side effects.
On behalf of your grandmother, if she entered any information,
call you local police and ISP. Do nothing yourself.
If you are curious DO NOT OPEN the mail.
You might save it and it's headers in a safe place and inspect it with
caution using pure text tools. Since it is mail mostly you can look
at it with the pager "less" (less /tmp/problem-mail). The cautious
might start with "xod -c".
The message will begin with headers that might let you track it back
to the machine that sent it. Commonly these are hijacked PC's and
Tom 'Needs A Hat' Mitchell
2004-03-28 23:03:27 UTC
Permalink
Post by Cowles, Steve
Post by jim tate
I have been receiving bogus emails to sign on to my bank account, so
someone can get my userid and password.
So have I. Plus include bogus e-mails claiming to be AMEX, Home Depot,
PayPal, etc...
Post by jim tate
My bank says these are bogus emails and not to respond to them.
Listen to them. They are correct.
Correct, do nothing with them. The best recommendation is the old 'd' key.
Post by Cowles, Steve
Post by jim tate
I have been receiving them in Mozilla mail.
Shouldn't matter what MUA you are using.
Correct.

Do learn a pure text MUA (Mail, pine, mutt, elm, etc.)
See more about evil HTML below.
Post by Cowles, Steve
Post by jim tate
How can I tell where these emails will return to, should I reply or
respond to info requested?
...
Post by Cowles, Steve
Post by jim tate
There has got to be a way to back track.
...
Post by Cowles, Steve
Also, check the html code of the e-mail. Most reference images from your
bank's website, but contain a redirect to some web server that actually
captures your information. Again, try to report this website to the owning
ISP.
These are NASTY and difficult to dissect without side effects.

On behalf of your grandmother, if she entered any information,
call your local police and ISP. Do nothing yourself.

If you are curious DO NOT OPEN the mail.

You might save it and its headers in a safe place and inspect it with
caution using pure text tools. Since it is mail, mostly you can look
at it with the pager "less" (less /tmp/problem-mail). The cautious
might start with "od -c".

The message will begin with headers that might let you track it back
to the machine that sent it. Commonly these are hijacked PCs and
will be a dead end (unpatched, virus infected, ill managed or just gone).
The sender line will often be forged but valid.

In the headers you can track down the first responsible mail hop.
That ISP may have a process to block the machine or notify the owner.

Then there is the message body itself.

If you look with cautious text tools you can find a long list of
tricks, traps and stuff. As a minimum recent spam contains html that
is an education.

Each section could be trouble.
Caution with the script sections...

Invisible or white fonts often hide a mix of words that get
the message past many spam tools. Multi byte tricks
hide other stuff.

Then there may be a single URL that might look like this

http://waXXet.yXXoo.com%00 at 2xx.1xx.6x.9x/manual/images/
(some real numbers are x, Some real letters are X):

In effect this gets to http://2xx.1xx.6x.9x/manual/images
and not to the url you expect, see, and click on your screen.

Then that page will present a form populated in many cases with images
from the real company host. It is not enough that they impersonate
the company. They also hijack images and their bandwidth for images.
If you track the IP address in the form/script, stuff may come from one
country and the data sent to another foreign country. You might get a
clue with dig -x 2xx.1xx.6x.9x then follow with whois. In short order
you are now in the land of international law and your local police,
ISP and even the FBI in the US have no authority.

Next is the real nasty bit.... hidden in the html of the original
message is often a 'ticker' URL that fetches a single pixel white
image from a site that passes a code number and validates that the
message was looked at (BTW: this part is legal). Now your email
address has been validated as active and that you are a clicker. You
will now get ten times more spam from the next ten places the mailing
list is sold to.

The nasty bit in this is that if you send your mail to the police for
inspection and they look at it with a browser you are validated and no
matter how cautious and careful you were the mailing list owner gets
a tally and your spam load builds.


These legal one bit images look something like:

http://us.click.yahoo.com/aOAbGG/3rxGGG/qmsNGG/PkXolC/ARK

SUMMARY: Do not look at spam HTML with anything other than a pure text tool.
Read it with HTML documentation at hand... clever stuff.
--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
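As an added example, not code from this thread, here is the text-only inspection Tom describes, done with Python's html.parser and urllib on a constructed sample body: it reports links whose real host hides behind an "@" (the `%00` trick above), link text naming one host while the href goes to another, and one-pixel images carrying an id in the query string, without ever fetching anything. The sample hosts and the `AB12CD` id are documentation values I made up.

```python
"""Added example: inspect a phishing body with text-only parsing; nothing
is rendered or fetched, so a one-pixel 'ticker' image is never triggered.
The sample body is constructed and its hosts are documentation values."""
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: a userinfo-disguised link, a plain text/href mismatch,
# a logo hijacked from the real bank host, and a 1x1 tracking image.
SAMPLE_HTML = """
<img src="https://www.example-bank.com/images/logo.gif" width="200" height="60">
<p>Please visit <a href="http://www.example-bank.com%00@203.0.113.7/manual/images/">
http://www.example-bank.com/login</a> to confirm your details.</p>
<a href="http://203.0.113.7/verify.php">https://www.example-bank.com/verify</a>
<img src="http://tick.tracker.example/t.gif?id=AB12CD" width="1" height="1">
"""


class LinkCollector(HTMLParser):
    """Record every <a href> with its visible text and every <img src> with its size."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def analyse(html):
    """Return (kind, shown, real_host, note) tuples for a message body."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        u = urlsplit(href)  # anything before '@' is userinfo; the real host comes after it
        if u.username is not None:
            findings.append(("userinfo-disguised link", text, u.hostname, unquote(u.username)))
        elif text.startswith("http") and urlsplit(text).hostname != u.hostname:
            findings.append(("text/href mismatch", text, u.hostname, None))
    for src, w, h in p.images:
        if w in ("0", "1") and h in ("0", "1"):  # one-pixel 'ticker' carrying a tracking id
            findings.append(("tracking pixel", src, urlsplit(src).hostname, urlsplit(src).query))
    return findings


if __name__ == "__main__":
    for kind, shown, host, note in analyse(SAMPLE_HTML):
        print(f"{kind:24} shown={shown!r} real host={host} {note or ''}")
```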
John Thompson
2004-03-28 16:37:20 UTC
Permalink
On Sun, 28 Mar 2004 10:01:35 -0500
Post by jim tate
I have been receiving bogus emails to sign on to my bank account,
so someone can get my userid and password.
My bank says these are bogus emails and not to respond to them.
I have been receiving them in Mozilla mail.
How can I tell where these emails will return to, should I reply or
respond to info requested.
Look at the headers (go to "View...Headers...All" in Mozilla). The last "Received:" header will tell you the originating system. Here's a typical spam on my system:

Received: from ms-smtp-03.rdc-kc.rr.com (ms-smtp-03.rdc-kc.rr.com [24.94.166.129])
by amayatra.os2.dhs.org (8.12.11/8.12.8) with ESMTP id i2PFLA1s030205
for <john at os2.dhs.org>; Thu, 25 Mar 2004 09:21:10 -0600 (CST)
(envelope-from vxxcek at jcpenney.com)
Received: from ms-mss-01 ([10.15.8.21])
by ms-smtp-03.rdc-kc.rr.com (8.12.10/8.12.7) with ESMTP id i2OB7dtq019845
for <john at os2.dhs.org>; Wed, 24 Mar 2004 05:07:39 -0600 (CST)
Received: from ms-mta-01 (ms-mta-01-smtp [10.15.8.71])
by ms-mss-01.rdc-kc.rr.com
(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
with ESMTP id <0HV2007VRUWRZB at ms-mss-01.rdc-kc.rr.com> for john at os2.dhs.org
(ORCPT johnthompson at new.rr.com); Wed, 24 Mar 2004 05:07:39 -0600 (CST)
Received: from kcmx03.mgw.rr.com (kcmx03.mgw.rr.com [24.94.165.192])
by ms-mta-01.rdc-kc.rr.com
(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
with ESMTP id <0HV2002HAUWRCP at ms-mta-01.rdc-kc.rr.com> for
johnthompson at new.rr.com (ORCPT johnthompson at new.rr.com); Wed,
24 Mar 2004 05:07:39 -0600 (CST)
Received: from 218-162-16-57.HINET-IP.hinet.net
([218.162.16.57])
by kcmx03.mgw.rr.com (8.12.10/8.12.8) with SMTP id i2OB7XUp029336 for
<johnthompson at new.rr.com>; Wed, 24 Mar 2004 06:07:35 -0500 (EST)
Date: Wed, 24 Mar 2004 16:06:56 +0500
From: Jeffry Price <vxxcek at jcpenney.com>
Subject: Fwd: Get Any Pills. Our Doctors Write Prescriptions. Overnight FedEx. Secure. Discreet
To: johnthompson at new.rr.com

The last Received: header shows that the email came from "218-162-16-57.HINET-IP.hinet.net" (IP address 218.162.16.57). Feed this IP address into "whois" to find out who is responsible for this spam:

[john at starfleet john]$ whois 218.162.16.57
[Querying whois.apnic.net]
[Redirected to whois.twnic.net]
[Querying whois.twnic.net]
[whois.twnic.net]
Chunghwa Telecom Data communication Business Group
No.21, Hsin-Yi Rd., sec. 1
Taipei
TW

Netname: HINET-NET
Netblock: 218.162.0.0/15

Administrator contact:
Chung Yung Kang (CYK-TW) cykang at ms1.hinet.net
+886-2-2322-3442

Technical contact:
Chung Yung Kang (CYK-TW) cykang at ms1.hinet.net
+886-2-2322-3442

You can complain to the contacts listed, but I don't recommend trusting them. In many cases this will simply confirm your address as "live" and put you on more spam lists. Alternatively, you can forward the entire spam (all headers included) to your ISP, your bank, and the federal government's spam report address: uce at ftc.gov

Unless there's obvious fraud involved, I just use the information to feed my spam filter so the next one gets dumped before it hits my Inbox.
--
-John (JohnThompson at new.rr.com)
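An added example, not code from this thread, that walks the Received: chain the way John does, using Python's email module on a constructed message whose hosts, addresses and queue ids are documentation values. It goes one step beyond the post: Received lines below the last server you trust were written by the sender's machine and can be forged, so the script stops at the first hop that a trusted server accepted from outside, and that is the IP to hand to whois.

```python
"""Added example: walk a message's Received: chain, newest hop first,
and stop at the first hop a trusted server accepted from outside.
Hosts, addresses and ids below are constructed documentation values."""
import email
import re

# Constructed sample. The bottom Received: line claims the mail came from the
# bank; it was written by the sending PC itself, not by any server we trust.
RAW_MESSAGE = """\
Received: from mx1.isp.example (mx1.isp.example [198.51.100.10])
\tby mail.home.example (8.12.11/8.12.8) with ESMTP id AAAA000001
\tfor <jim@home.example>; Thu, 25 Mar 2004 09:21:10 -0600 (CST)
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
\tby mx1.isp.example (8.12.10/8.12.7) with ESMTP id AAAA000002
\tfor <jim@home.example>; Wed, 24 Mar 2004 05:07:39 -0600 (CST)
Received: from dsl-192-0-2-57.customer.example ([192.0.2.57])
\tby relay.isp.example (8.12.10/8.12.8) with SMTP id AAAA000003
\tfor <jim@home.example>; Wed, 24 Mar 2004 06:07:35 -0500 (EST)
Received: from mail.example-bank.com (mail.example-bank.com [203.0.113.5])
\tby dsl-192-0-2-57.customer.example with SMTP; Wed, 24 Mar 2004 05:00:00 -0500
From: "Example Bank" <security@example-bank.com>
Subject: Please verify your account
To: jim@home.example

(body omitted)
"""

HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Hops in transit order: hops[0] is the bottom (oldest) Received: line."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m.group("info") or "")
        hops.append({"from": m.group("helo"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def in_domain(host, suffixes):
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def verified_origin(hops, trusted_suffixes):
    """Walk down from your own server. Each line was written by its 'by' host, so
    the bracketed IP is reliable only while that host is one you trust. The first
    line where a trusted host took the mail from an outside host names the origin
    you can actually vouch for; the lines below it are the sender's own claims."""
    for hop in reversed(hops):  # newest first
        if not in_domain(hop["by"], trusted_suffixes):
            return None  # chain breaks before leaving your trusted relays
        if not in_domain(hop["from"], trusted_suffixes):
            return hop
    return None


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    print("bottom line claims:", hops[0]["from"], hops[0]["ip"])
    o = verified_origin(hops, ["home.example", "isp.example"])
    print("verified origin:", o["from"], o["ip"], "accepted by", o["by"])  # o['ip'] goes to whois
```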
Mike Klinke
2004-03-28 16:49:30 UTC
Permalink
Post by jim tate
I have been receiving bogus emails to sign on to my bank
account, so someone can get my userid and password.
My bank says these are bogus emails and not to respond to them.
I have been receiving them in Mozilla mail.
How can I tell where these emails will return to, should I reply or
respond to info requested.
There has got to be a way to back track.
I hope I can get the linux community help me to track down the low
life crooks.
Just think how many people are falling for this scam, it could be
your dear little grandmother, BEASTS.
Jim Tate
It's almost certain that the originating source of the e-mail has been
broken into and hijacked from its rightful owner and he/she probably
doesn't even know his/her system has sent out any email. It would be
a pretty stupid crook, indeed, that would use a traceable mail server
to send this stuff out.

Use "whois" to find out who owns the originating mail server and alert
the owner, also alert the web page host, and both upstream service
providers.

Regards, Mike Klinke
Ron Herardian
2004-03-29 00:08:12 UTC
Permalink
As others have pointed out you can retrace the path of the message through the Received lines in the message header. This type of scam requires the use of a URL. The message body is HTML and the text associated with the URL appears to be the URL of your bank. However, if you copy the link location or examine the raw HTML code (just open your mail file in a text editor) you'll see that the actual URL is an IP address. The owner of this IP network (you can look it up) is associated in some way with the scam. Usually, these will be offshore IP networks.

Ron
Post by jim tate
I have been receiving bogus emails to sign on to my bank account, so
someone can get my userid and password.
My bank says these are bogus emails and not to respond to them.
I have been receiving them in Mozilla mail.
How can I tell where these emails will return to, should I reply or
respond to info requested.
There has got to be a way to back track.
I hope I can get the linux community help me to track down the low life
crooks.
Just think how many people are falling for this scam, it could be your
dear little grandmother, BEASTS.
Jim Tate
--
Global System Services Corporation (GSS)
650 Castro Street, Suite 120, Number 268, Mountain View, CA 94041, USA
+1 (650) 965-8669 phone, +1 (650) 965-8679 fax, +1 (650) 283-5241 mobile
rherardi at gssnet.com, http://www.gssnet.com

"The best way to predict your future is to create it." - Stephen Covey
jim tate
2004-03-28 15:28:05 UTC
Permalink
Post by jim tate
I have been receiving bogus emails to sign on to my bank account,
so someone can get my userid and password.
My bank says these are bogus emails and not to respond to them.
I have been receiving them in Mozilla mail.
How can I tell where these emails will return to, should I reply or
respond to info requested.
There has got to be a way to back track.
I hope I can get the linux community help me to track down the low
life crooks.
Just think how many people are falling for this scam, it could be
your dear little grandmother, BEASTS.
Jim Tate
How do I edit the email in Mozilla, or pull it out of Mozilla to edit?
Jim Tate
Cowles, Steve
2004-03-28 15:32:28 UTC
Permalink
Post by jim tate
I have been receiving bogus emails to sign on to my bank account, so
someone can get my userid and password.
So have I. Plus include bogus e-mails claiming to be AMEX, Home Depot,
PayPal, etc...
Post by jim tate
My bank says these are bogus emails and not to respond to them.
Listen to them. They are correct.
Post by jim tate
I have been receiving them in Mozilla mail.
Shouldn't matter what MUA you are using.
Post by jim tate
How can I tell where these emails will return to, should I reply or
respond to info requested?
I wouldn't reply. It's probably forged anyway.
Post by jim tate
There has got to be a way to back track.
Check the e-mail headers and find the open relay that sent these e-mails.
Then report this open relay to the ISP that owns the netblock. Good luck! A
lot of these so-called open relay IP addresses are the "throw away" variety,
used only once.

Also, check the html code of the e-mail. Most reference images from your
bank's website, but contain a redirect to some web server that actually
captures your information. Again, try to report this website to the owning
ISP.
Post by jim tate
I hope I can get the linux community help me to track down
the low life crooks.
It's easy to track down and report where these e-mails came from. The hard
part is getting the owning ISP to do anything about it. ISPs probably
receive hundreds (if not thousands) of these complaints a day.

BTW: I phoned up my grandmother and educated her on this new breed of spam
(identity theft).

Steve Cowles