Wednesday, April 30, 2008

Ways to tell a phishing email...

Sorry for the delay in the second part of this anti-phishing blog. I have been really busy these weeks. Well, here it goes...

Now that you have the basic knowledge of protecting yourself against phishing, how do you tell a real mail from a phishing email? There are three important factors we can focus on in this blog.

1) Objective of the mail
2) SMTP header (I hope you did some reading up, as mentioned in my earlier blog)
3) The hyperlink in the email and URL cloaking

Objective of Mail


If the objective of the email is to obtain your password and other confidential personal information by bringing you to a link and having you enter your ID and password, such an email has a high chance of being a spoof mail. Though not 100%, almost all mails that I have encountered asking for such information in electronic form were spoof mails. Call the relevant organisation to verify the authenticity of the mail. **Please do not click on the hyperlink and call the number shown on the website; the number can be FAKE.

SMTP Header


This is a little more technical, but I will make it simple and hope you can understand it.

To see the email header, you'll need to view the properties of the email. To do this in MS Outlook 2007, for instance, right-click the email (before opening it), then select 'Message Option' from the drop-down menu. You will see an "Internet Header" box which shows the header.

**Example shown below:

Here is a comparison between the headers of a spoofed and a genuine eBay email.

The spoof header:

Return-Path:
Delivered-To: webmaster@millersmiles.co.uk
Received: (qmail 21262 invoked from network); 6 Jun 2003 21:21:49 -0000
Received: from unknown (HELO mail.almtal.net) (217.16.118.12)
by server16.donhost.co.uk with SMTP; 6 Jun 2003 21:21:49 -0000
Received: from localhost (mail.almtal.net [127.0.0.1])
by mail.almtal.net (8.11.6/8.8.7) with SMTP id h56LRD008495
for ; Fri, 6 Jun 2003 23:27:16 +0200
Message-Id: <200306062127.h56LRD008495@mail.almtal.net>
From:
To:
Subject: ebaY Contest
Date: Fri, 6 Jun 2003 23:27:13 +0200
X-Mailer: sendEmail-1.40
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

The genuine header: (see a copy of this email)

Return-Path:
Delivered-To: millersmiles-auctions@millersmiles.co.uk
Received: (qmail 36907 invoked from network); 9 Jun 2003 10:22:29 -0000
Received: from unknown (HELO mx5.smf.ebay.com) (66.135.209.200)
by server16.donhost.co.uk with SMTP; 9 Jun 2003 10:22:29 -0000
Received: from miami.smf.ebay.com (miami.smf.ebay.com [66.135.215.166])
by mx5.smf.ebay.com (8.12.3/8.12.3) with ESMTP id h59AMQG9000488
for ; Mon, 9 Jun 2003 03:22:26 -0700
Received: from rhv-kas-03.corp.ebay.com (rhv-kas-03.corp.ebay.com [64.68.79.239])
by miami.smf.ebay.com (8.11.6+Sun/8.11.6) with SMTP id h59AMfZ10198
for ; Mon, 9 Jun 2003 03:22:41 -0700 (PDT)
Message-Id: <200306091022.h59AMfZ10198@miami.smf.ebay.com>
Date: Mon, 09 Jun 2003 03:22:28 -0700
To: millersmiles
Subject: Re: (KMM72404455V54089L0KM)
From: eBay United Kingdom Customer Support
Reply-To: eBay United Kingdom Customer Support
MIME-Version: 1.0
Content-Type: text/plain; charset = "us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Kana 6.0

See the differences:

The 'Received: from unknown (HELO xxx.xxxx.xxx)' part tells us the details of the machine that the email was sent from. In this case, the spoof shows a machine with the ID 'mail.almtal.net' and IP address 217.16.118.12, whereas eBay's genuine email has come from a machine with the ID mx5.smf.ebay.com and IP address 66.135.209.200. When doing a whois lookup (or a DNS reverse lookup on the address) it is clear that the genuine email originated from eBay's mail server at IP 66.135.209.200 (eBay, San Jose, CA), whereas the spoof has come from a different machine at an IP address that is owned by someone in Wien, Austria.

The handling mail server has further added an identifier for the sending server. In the case of the spoof, 'Received: from localhost (mail.almtal.net [127.0.0.1])' is either an internal mail server or a mail server running on the same machine. eBay's genuine email, on the other hand, correctly shows that the sending server was identified as miami.smf.ebay.com [66.135.215.166] (which again proves to be owned by eBay when conducting a whois lookup).

The email server and mail software version are shown by the handling server as the email is relayed from ISP to ISP. The spoof shows 'by mail.almtal.net (8.11.6/8.8.7)', which again is NOT eBay's mail server, whereas the genuine email correctly shows 'by mx5.smf.ebay.com (8.12.3/8.12.3)'. ** (Example lifted from http://www.millersmiles.co.uk)
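To show how the comparison above can be done mechanically, here is an added example (not code from this blog or from millersmiles). It unfolds the 'Received:' lines quoted above, pulls out the HELO name and IP address of the hop that the receiving server itself saw, and checks whether that HELO name belongs to the domain the mail claims to come from. The two header extracts are constructed copies of the ones shown in the post; the regular expressions assume the sendmail/qmail header formats seen there.

```python
import re
from typing import Optional

# Constructed copies of the "Received:" chains quoted in the post (spoof vs genuine).
SPOOF_HEADERS = """Received: (qmail 21262 invoked from network); 6 Jun 2003 21:21:49 -0000
Received: from unknown (HELO mail.almtal.net) (217.16.118.12)
by server16.donhost.co.uk with SMTP; 6 Jun 2003 21:21:49 -0000
Received: from localhost (mail.almtal.net [127.0.0.1])
by mail.almtal.net (8.11.6/8.8.7) with SMTP id h56LRD008495"""

GENUINE_HEADERS = """Received: (qmail 36907 invoked from network); 9 Jun 2003 10:22:29 -0000
Received: from unknown (HELO mx5.smf.ebay.com) (66.135.209.200)
by server16.donhost.co.uk with SMTP; 9 Jun 2003 10:22:29 -0000
Received: from miami.smf.ebay.com (miami.smf.ebay.com [66.135.215.166])
by mx5.smf.ebay.com (8.12.3/8.12.3) with ESMTP id h59AMQG9000488"""

HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
# "from unknown (HELO mail.almtal.net) (217.16.118.12)"  -- qmail style
HELO_FORM = re.compile(r"from \S+ \(HELO (?P<helo>[^)\s]+)\) \((?P<ip>\d+(?:\.\d+){3})\)")
# "from miami.smf.ebay.com (miami.smf.ebay.com [66.135.215.166])"  -- sendmail style
BRACKET_FORM = re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>\d+(?:\.\d+){3})\]\)")
BY_FORM = re.compile(r"\bby (?P<by>\S+)")


def unfold(raw: str) -> list:
    """Join continuation lines ("by server16...") onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if HEADER_START.match(line) or not lines:
            lines.append(line.strip())
        else:
            lines[-1] += " " + line.strip()
    return lines


def received_hops(raw: str) -> list:
    """One dict per Received: line that names a peer (HELO name, IP, receiving host)."""
    hops = []
    for line in unfold(raw):
        if not line.startswith("Received:"):
            continue
        m = HELO_FORM.search(line) or BRACKET_FORM.search(line)
        if not m:
            continue  # "(qmail ... invoked from network)" carries no peer details
        by = BY_FORM.search(line)
        hops.append({"helo": m.group("helo"), "ip": m.group("ip"),
                     "by": by.group("by") if by else None})
    return hops


def first_external_hop(raw: str) -> Optional[dict]:
    """Received: lines are prepended as the mail travels, so the topmost line that
    names a non-loopback peer is the hop our own server saw: the only one we can
    trust, since everything below it was written by the sender's side."""
    for hop in received_hops(raw):
        if not hop["ip"].startswith("127."):
            return hop
    return None


def helo_in_domain(helo: str, domain: str) -> bool:
    """Does the HELO name sit inside the domain the mail claims to come from?"""
    helo, domain = helo.lower().rstrip("."), domain.lower()
    return helo == domain or helo.endswith("." + domain)


if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF_HEADERS), ("genuine", GENUINE_HEADERS)):
        hop = first_external_hop(raw)
        print(label, hop, "claims ebay.com:", helo_in_domain(hop["helo"], "ebay.com"))
```

The HELO name is what the sending machine announced about itself, so a match only means the sender is consistent, not proven; the IP address next to it is what the receiving server measured, and is the value worth looking up.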

The hyperlink in the email and URL cloaking

Now, how many of you can tell which of the hyperlinks below is real just by looking?

1) http://www.arofanatics.com/forums/showthread.php?t=316662
2) http://www.arofanatics.com-securitycheckw8grhgakdj-jd7788-accountmaintenace-4957725-s5982ut-aw-ebayconfirm-secure/
3) http://www.clubhyundai.org



Out of the three links above, only one will lead you to where it appears to. Hyperlinks can be easily spoofed, and users are often tricked into visiting a website that looks similar to, or 99% the same as, the usual website. These phishing sites are hosted on different servers, and the organisation being spoofed would take some time to bring down the spoof site or to notify its customers. Therefore it is important to know about such tricks and how to avoid them. When you move your mouse cursor over the link, it will show you the actual website you will be brought to.
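The mouse-over check can be written down as code. The example below is added here and is not from this blog: it takes the three links above, works out the host the browser would really connect to, and flags a link whose visible text names one site while its target is another. The "registered domain" helper simply takes the last two labels of the hostname, which is an assumption that is good enough for .com/.org names; a production check would consult the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# The three links from the post, as constructed test input.
LINKS = [
    "http://www.arofanatics.com/forums/showthread.php?t=316662",
    "http://www.arofanatics.com-securitycheckw8grhgakdj-jd7788-accountmaintenace-4957725-s5982ut-aw-ebayconfirm-secure/",
    "http://www.clubhyundai.org",
]

# Something that looks like a hostname inside free text (assumed shape: dotted labels + TLD).
HOST_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def hostname(url: str) -> str:
    """The host the browser will actually connect to (user@ prefix and port stripped)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Last two labels of the name. Assumption: fine for .com/.org, not for co.uk."""
    return ".".join(host.split(".")[-2:])


def in_domain(url: str, expected: str) -> bool:
    """True only if the URL's host IS the expected domain or a subdomain of it.
    A dash, as in 'arofanatics.com-securitycheck...', does not count as a boundary."""
    host = hostname(url)
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def link_looks_cloaked(display_text: str, href: str) -> bool:
    """True when the text shown to the reader names a site other than the real target.
    Plain words as link text ("click here") name no site and are not judged."""
    m = HOST_IN_TEXT.search(display_text)
    if not m:
        return False
    return registered_domain(m.group(0).lower()) != registered_domain(hostname(href))


if __name__ == "__main__":
    for url in LINKS:
        print(hostname(url), "->", registered_domain(hostname(url)),
              "| really arofanatics.com:", in_domain(url, "arofanatics.com"))
    print(link_looks_cloaked("www.arofanatics.com", LINKS[1]))
```

Link 2 is the interesting one: everything after "arofanatics.com" is still part of the hostname, because a dash does not end a DNS label, so the site you would land on has nothing to do with arofanatics.com.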

There are many ways an email can be spoofed, and honestly there isn't much we can do about it. But knowing the threat is there and not protecting yourself against it is pure foolishness, isn't it?

Sunday, April 20, 2008

Basic defence you should have on Phishing!

Phishing … the dangerous scam. So how do we protect ourselves from it?

Before I go on to explaining how we detect a phishing email, there are a few things that we have to keep in mind when dealing with emails.
1) Read carefully all details/contents of official emails sent to you by organizations or personnel requesting information from you.
2) Never click on a link in an email to bring you to a site. Cut and paste the link into the Internet Explorer/Firefox address bar instead.
3) No organization will request you to send confidential information such as your banking ID and password through email.
4) Update your software and browser to a version with anti-phishing support. Most browsers now support anti-phishing capability.
5) Update your anti-virus with anti-spoof/phish capability.
Now that you have equipped yourself with the basic defence, prepare yourself for the tactics of spotting phishing mail in my next blog.

** This will be more technical. It is good to understand a bit about SMTP headers before reading my follow-up blog on spotting phishing mail.**

Saturday, April 19, 2008

Phishing or Fishing??

It is kind of irritating to receive mail from a person or organization that claims to be another person or organization. BUT, for those who receive it and actually believe the sender, the damage is going to be more than just being irritated.

"Phishing", which sounds like "fishing", is the act of pretending or impersonating to be someone or some organization with the intention of tricking someone into leaking or giving out confidential information. A common example is a phishing email from a bank, sent out by spammers/hackers with the intention of "fishing" for confidential information. Victims of phishing could lose their entire bank balance if they are not careful, and the person or organization being phished would suffer more than just monetary loss.

Though there are many anti-spam companies in the market that claim to be able to detect phishing mails, it is important to know that many of the engines used by these companies rely on definitions/databases to detect phishing/spoof mails. Therefore there will always be a window period in which we are at risk when new phishing mails or sites are launched to fish out new victims.

There are a few ways to keep ourselves better protected and also to detect phishing mails and act. I will be filling in the ways to protect ourselves and how to detect these phishing acts in the follow-up blogs. Stay close… stay tight… stay protected! :)

Monday, April 14, 2008

Magnet, Nets, MegaNet or Botnet??? Part 2 of 2

So now that you have an idea of what a botnet is, are you part of one?

Botnet computers are computers infected with a Trojan or malicious code designed to allow remote control of the infected computer. Many still have the traditional thinking that botnets are controlled using Internet Relay Chat (IRC), which is a dying trend. But the actual fact is that botnets are very much alive, as hackers are using a mixture of protocols and stealth techniques to infect and control infected machines. According to research, as many as 1.5 million botnet computers have been found, and the number is growing.

Botnet computers are not immune from detection. There will be signs and trails of infection, and prevention can be practised. A simple task is to look out for unusual running services and processes and to go through the log files. If you suspect that your computer has been infected, do the following:

1) Update your operating system and Internet applications to remove as many vulnerabilities as possible.
2) Install a different anti-virus on your operating system and do a full scan with updated definitions. Your existing anti-virus is most likely compromised, and updating it and doing a full scan won't help most of the time.
3) Install and run an updated malware/spyware application. There is lots of freeware on the Internet; "Spybot – Search & Destroy" is one of my favourites.
4) Go through the services and spot unusual ones.
Once you have done the above and you are pretty sure that you are free from being a botnet member, install a personal firewall. A firewall normally closes all unnecessary ports, and this makes your computer a difficult target for the hacker.

All these actions won't guarantee that you won't be part of a botnet someday. But no prevention is 100%, and by making your computer a difficult target, the chance of you being part of a botnet is narrowed down by a great margin!

As the saying goes: "The only way not to make a mistake is not to do anything. But in today's world, that would probably be the biggest mistake." - Sun Tze

Sunday, April 6, 2008

Magnet, Nets, MegaNet or Botnet??? Part 1 of 2

Do you know that your computer could be compromised and made part of a group of computers used to send out spam mail or carry out attacks on other computers without your knowledge?

Which of the terms below represents a group of compromised systems used for malicious activities?

1) MegaNet
2) Botnet
3) Nets
4) Magnet

Read on if you are clueless about this. I will be explaining botnets and how to prevent your computer from being part of one.

Basically, a botnet is a group of compromised systems, normally infected by worms or Trojans and controlled by hackers to carry out malicious operations such as spamming, Distributed Denial of Service attacks, etc. The common questions on botnets are: I have anti-virus, do I still get infected? I am behind a firewall, so I should be safe, right? And how do I know if I am part of a botnet?

Anti-virus software would normally do a pretty good job of keeping out viruses, worms, Trojans, etc. But between the time a new malicious code is found flooding the Internet and the time the virus definition file is released by the vendor, there is a window period in which your system could be compromised. Unlike viruses, worms are autonomous. They have their own transport mechanism, are independent, and can replicate themselves to other systems in the network. Often, when a PC has been compromised, an install or update of virus definition files would also not detect the worm, as it would return a false result to the scan from the anti-virus software. This explains why you often hear people asking why their latest anti-virus software is not detecting the virus.

Trojans often come in disguise; remember the "Trojan Horse" event? A Trojan often comes in the form of a useful piece of software that the user is lured into downloading from the Internet. I am sure many of you have experienced a pop-up from your anti-virus detecting a Trojan after downloading a program from the Internet. But what happens if it is not detected? The answer is that your system is probably a member of an xyz botnet.

Ask yourself, can your firewall detect what you send from your email? Traditionally, your firewall can't do so. A firewall acts as a gate between your system/network and the Internet. It only works on ports. And this gateway doesn't work for email ports; if it did, no mail could be sent out of the network. This also explains why companies need a separate anti-spam appliance or Unified Threat Management (UTM) device for their SMTP port. So can your firewall protect you from being a botnet spammer? I guess the answer is obvious.

End Part 1 of 2

Friday, April 4, 2008

SPAM BUSTER! Part 4 of 4

Cryptography – "zpv dbou tff nf!"

The most commonly used form of cryptography in anti-spam would probably be DomainKeys Identified Mail (DKIM). Similar to SPF, DKIM is interested in identifying the sender. But on top of that, DKIM also helps protect the integrity of the mail content. DKIM does this by using a set of keys and by providing positive identification of the signer's identity along with an encrypted "hash" of the message content, allowing messages to be checked to verify that they are from the purported senders (authentication) and have arrived unaltered (message integrity).
There are three main components in DKIM:
1) The digital signature
2) The definition of the fields over which the digital signature was calculated
3) The sending domain
The public key is published in the public Domain Name System (DNS). When the receiver receives the mail, it checks the DKIM signature against the sender's public key obtained through DNS. If the incoming message cannot be verified, then the receiving server knows it contains a spoofed address or has been tampered with or changed. A failed message can then be rejected, or it can be accepted but tagged accordingly as "certainly spam", "probably spam", etc.
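To make the three components concrete, here is an added example that is not part of this blog and not an implementation of the DKIM standard. It carries the three pieces named above (the signature itself, the list of signed header fields, and the signing domain plus selector that tell the receiver where in DNS to look) and shows that changing either a signed header or the body makes verification fail. Two assumptions keep it self-contained: a dictionary stands in for the DNS TXT lookup, and an HMAC secret stands in for the RSA key pair that real DKIM uses, so the algorithm tag `a=hmac-sha256` is a placeholder and not a real DKIM value.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for DNS: "<selector>._domainkey.<domain>" -> key material.
# Real DKIM publishes an RSA public key here and signs with the matching private key;
# an HMAC secret is used instead so the example runs with the standard library only.
DNS_TXT = {"mail._domainkey.example.org": b"constructed-secret-key"}


def canonical(headers: dict, body: str, signed_fields: list) -> bytes:
    """The bytes that get signed: the listed header fields (name lower-cased,
    value trimmed) in the order given, followed by a hash of the trimmed body."""
    parts = [f"{h.lower()}:{headers[h].strip()}" for h in signed_fields if h in headers]
    parts.append(hashlib.sha256(body.strip().encode()).hexdigest())
    return "\n".join(parts).encode()


def sign(headers: dict, body: str, domain: str, selector: str,
         signed_fields: list, key: bytes) -> dict:
    """Return a copy of the headers with a DKIM-Signature style header added."""
    tag = hmac.new(key, canonical(headers, body, signed_fields), hashlib.sha256).digest()
    signed = dict(headers)
    signed["DKIM-Signature"] = (
        f"v=1; a=hmac-sha256; d={domain}; s={selector}; "      # a= is a placeholder value
        f"h={':'.join(signed_fields)}; b={base64.b64encode(tag).decode()}"
    )
    return signed


def parse_tags(value: str) -> dict:
    """'k=v; k2=v2' -> {'k': 'v', 'k2': 'v2'} (split on the first '=' only, so
    base64 padding in b= survives)."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)


def verify(headers: dict, body: str) -> str:
    """'pass', 'fail', 'none' (unsigned) or 'permerror' (no key found for d=/s=)."""
    sig = headers.get("DKIM-Signature")
    if not sig:
        return "none"
    tags = parse_tags(sig)
    key = DNS_TXT.get(f"{tags['s']}._domainkey.{tags['d']}")
    if key is None:
        return "permerror"
    fields = tags["h"].split(":")                      # component 2: what was signed
    expected = hmac.new(key, canonical(headers, body, fields), hashlib.sha256).digest()
    ok = hmac.compare_digest(expected, base64.b64decode(tags["b"]))
    return "pass" if ok else "fail"


# Constructed message used by the demo below.
HEADERS = {"From": "support@example.org", "To": "calvin@example.net", "Subject": "Your order"}
BODY = "Thanks for your order."
SIGNED = sign(HEADERS, BODY, "example.org", "mail", ["From", "To", "Subject"],
              DNS_TXT["mail._domainkey.example.org"])

if __name__ == "__main__":
    print(verify(SIGNED, BODY))                                   # pass
    print(verify(SIGNED, BODY + " Click http://placeholder.invalid"))  # fail: body changed
```

Note that only the fields listed in `h=` are protected: a header the signer left out of that list can be altered without affecting the result, which is why the field definition is listed as one of the three components.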

Email is an important form of communication in our lives, and because of the heavy usage of email, spam is here to stay. Spam evolves quickly, making it very difficult to stop forever. Therefore we need different combinations of anti-spam technologies to put up an effective fight against spam. I hope this set of blogs gives you a better insight into anti-spam technologies.

End of Part 4

Thursday, April 3, 2008

SPAM BUSTER! Part 3 of 4

Authentication – “Are you real?”

Normally a sender won't be sending thousands of emails per day, so an authentication or challenge method won't hinder their flow of production. But for spammers sending bulk mail in the thousands, this method would definitely slow down their rate of successful sending, and most spammers don't even provide a valid return address!

The most common form of authentication method is, as the method itself is called, "Self Authentication". This method is effective and would have zero or few false positives.
An example would be: Calvin sends Philip an email. Philip's anti-spam appliance holds on to the email and sends an authentication mail back to Calvin asking him to verify his sending. Once Calvin has verified by a return mail, his email address is automatically added to the "Permitted sender" list and no further authentication mail will be sent to him in future. The questions are: what happens if he doesn't reply to the mail? Or if Calvin's anti-spam appliance, after receiving the challenge mail from Philip's anti-spam appliance, sends the same challenge back to Philip? Normally, anti-spam appliances with self-authentication features would park unauthenticated mail in various places. These could include "Certainly Spam", "Probably Spam" or "Maybe Spam". Depending on the features and functions used by the anti-spam appliance, various different scenarios could happen here. Therefore, for users choosing self authentication as their spam-fighting tool, it is important to know and understand the nature and behaviour of the anti-spam appliance towards unauthenticated mails.

Greylisting is another form of challenge that is popular in many anti-spam appliances. Unlike self authentication, which requires user intervention, what it does is reject the mail with a "450 temporary rejection". Most servers will try again after receiving the error, but spammers sending thousands of mails a day would not do so. Therefore it greatly cuts down the number of spam mails in the process.

Such methods help prevent spam but can never stop spam completely. Self authentication or greylisting can also be an additional load on the appliance. Therefore, when considering usage of these methods, we have to take into consideration the number of users and the mail load.
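The greylisting challenge described above is small enough to simulate end to end. The example below is added here and is not code from this blog or from any appliance: it keys each delivery attempt on the (client IP, sender, recipient) triplet, answers the first attempt with a 450, accepts a retry that arrives after a minimum delay, and then remembers the triplet so later mails pass straight through (the same idea as the "Permitted sender" list in self authentication). The retry delay, the triplet lifetime, the reply strings and the traffic are all constructed assumptions.

```python
from dataclasses import dataclass, field

TEMP_REJECT = "450 4.7.1 Greylisted, please try again later"   # assumed reply text
ACCEPT = "250 OK"
MIN_RETRY_DELAY = 300      # seconds a well-behaved MTA is expected to wait (assumed policy)
TRIPLET_TTL = 4 * 3600     # forget a first attempt that is never retried (assumed policy)


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)   # triplet -> time of first attempt
    permitted: set = field(default_factory=set)   # triplets that have passed once

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        """Reply to give at RCPT TO time for this attempt, at clock value `now`."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.permitted:
            return ACCEPT
        first = self.pending.get(triplet)
        if first is None or now - first > TRIPLET_TTL:
            self.pending[triplet] = now       # first sighting (or a stale one): defer
            return TEMP_REJECT
        if now - first < MIN_RETRY_DELAY:
            return TEMP_REJECT               # retried too soon: not queue behaviour
        del self.pending[triplet]
        self.permitted.add(triplet)          # passed the challenge: auto-whitelist
        return ACCEPT


def simulate(attempts: list) -> list:
    """attempts: (time, client_ip, mail_from, rcpt_to) tuples in time order.
    Returns the SMTP reply given to each attempt."""
    gl = Greylist()
    return [gl.check(ip, sender, rcpt, now) for now, ip, sender, rcpt in attempts]


# Constructed traffic. A real MTA queues the mail and retries after ten minutes;
# a spam cannon fires each address once and never comes back.
LEGIT = [(0,    "192.0.2.10", "calvin@example.net", "philip@example.org"),
         (600,  "192.0.2.10", "calvin@example.net", "philip@example.org"),
         (7200, "192.0.2.10", "calvin@example.net", "philip@example.org")]
SPAM = [(0, "198.51.100.7", "x1@forged.example", "philip@example.org"),
        (1, "198.51.100.7", "x2@forged.example", "philip@example.org")]
HASTY = [(0, "192.0.2.10", "calvin@example.net", "philip@example.org"),
         (30, "192.0.2.10", "calvin@example.net", "philip@example.org")]

if __name__ == "__main__":
    print(simulate(LEGIT))   # deferred, then accepted, then straight through
    print(simulate(SPAM))    # every attempt deferred; nothing ever delivered
    print(simulate(HASTY))   # retry inside the minimum delay is deferred again
```

The cost the post mentions is visible here too: the `pending` dictionary grows with every distinct triplet seen, which is why a lifetime is needed and why mail load matters when sizing the appliance.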

End of Part 3

Wednesday, April 2, 2008

SPAM BUSTER! Part 2 of 4

Reverse Lookup – “Hello, who are you?”

Spamming is illegal in almost every country, therefore almost all spammers use a forged "From" address. Such forged addresses normally appear to be from trusted domains such as XX@yahoo.com, XX@gmail.com, etc. Another reason that spammers forge email addresses is that most ISPs have clauses that prohibit spamming; forging the email address prevents the ISP from locking down their network. So if we could prevent spammers from forging the "From" address, we would greatly reduce the number of spam mails. So how do we do that?

Reverse lookup is basically a process that associates a host with a given IP address, i.e. the IP address resolves to a given host name. Spammers' forged addresses normally would not have a pointer record (PTR) to fulfil this requirement. Sender Policy Framework (SPF) is one of the methods used alongside reverse lookup to prevent email address forgery. SPF is a process where designated hosts are published, and checked during the SMTP transaction, as the hosts allowed to send mail out of the domain. With SPF enforced, spammers would not be able to forge an email address undetected, and action would be taken against forged mail accordingly.

In my earlier blog explaining how email is sent, I mentioned the mail server searching for the assigned email server to receive the mail based on the MX record associated with the recipient's domain name. Similarly, the reverse lookup communicates with the DNS associated with the reverse-MX record (RMX) to determine if the email from that particular domain is sent by a permitted host. Reverse lookup seems like a good solution, but it is not without its own limitations.

One important thing that we must take into consideration when activating reverse lookup is that the sender's IP address may not be in the reverse DNS lookup record, or the sending server may have multiple names for the same IP, not all of which may be available from the reverse DNS lookup record. An example of this would be users on host-less or vanity domains.
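Here is an added example, not from this blog, that evaluates both checks described in this part offline: an SPF record lookup for the domain in the "From" address (with the `ip4`, `a`, `include` and `all` mechanisms and the `+ - ~ ?` qualifiers) and a PTR reverse lookup for the connecting IP. The DNS data is a constructed dictionary standing in for real DNS answers, and the domain names and addresses are made up; the verdict strings follow the usual SPF result names.

```python
import ipaddress

# Constructed zone data standing in for DNS. Keys are (name, record type).
DNS = {
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 a include:_spf.mailhost.example -all"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.5 ~all"],
    ("example.org", "A"): ["198.51.100.20"],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org"],
    ("20.100.51.198.in-addr.arpa", "PTR"): ["www.example.org", "mail2.example.org"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain: str):
    """The domain's SPF TXT record, or None when it publishes none."""
    for txt in DNS.get((domain, "TXT"), []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for a mail received from `ip`.
    Mechanisms are tried left to right; the first match decides the result."""
    if depth > 10:
        return "permerror"            # runaway include: chain (limit is an assumption)
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "a" and ip in DNS.get((arg or domain, "A"), []):
            return QUALIFIERS[qualifier]
        if name == "include" and check_spf(ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
        if name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                  # record exhausted without a match


def reverse_lookup(ip: str) -> list:
    """All PTR names for the address (may be several, or none at all)."""
    return list(DNS.get((ipaddress.ip_address(ip).reverse_pointer, "PTR"), []))


def has_matching_ptr(ip: str, claimed_host: str) -> bool:
    """Does any PTR name for the IP equal the host name the sender claimed?
    A vanity domain with no PTR, or a PTR for a different name, returns False."""
    return claimed_host.lower().rstrip(".") in (n.lower() for n in reverse_lookup(ip))


if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.5", "198.51.100.20", "198.51.100.7"):
        print(ip, check_spf(ip, "example.org"), reverse_lookup(ip))
```

The 198.51.100.20 case shows the limitation the post describes: SPF passes via the `a` mechanism, but the address carries two PTR names, so a reverse check that insists on one particular name would still reject it.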

End of Part 2

SPAM BUSTER! Part 1 of 4

Let's get back to the corporate world of spam fighting. Fortunately for many users sitting behind the computer screen, the job of fighting spam is left to the IT department.
The problem here is that there are many companies in the market providing anti-spam solutions comprising many different packages. So which do we choose? Many IT departments bought anti-spam appliances based on sales talk. That is the greatest mistake, as the wrong appliance in place will cause much inconvenience: lost emails, denial of service and lots of false positives. This blog is to help IT departments decide on the technologies best suited for their environment.
I will not be listing product brands and company names. Rather, I will list the technologies available in the market, explain each of them and tell you which combination of the technologies is best in my point of view.

Four types of key technologies used in fighting spam.

Filter – The old school method

Filters are commonly used by most anti-spam appliances as one of their tools for blocking spam. Types of filters include "word list" or "spam dictionary", "black list" and "white list" of IP addresses, "hash table" and "Bayesian spam filtering". In my personal point of view, filter systems are dangerous as they often result in a high false positive rate, especially in the early stage of implementation. They also require a high level of user intervention due to the fast-evolving changes in spam content, and therefore the spam filter rules need frequent fine-tuning.

Why did I say a high level of false positives? Imagine that we use the word "SEX". In most cases, "sex" will be classified as a spam word. But if an email contains "Hi Joe, did you catch the show 'Sex in the city' last night?", this email will be blocked even though it is a harmless email between two friends. This is just one example, but you will be surprised to see the common words listed in a default "spam dictionary", and you can imagine the number of mails that would be blocked without intensive fine-tuning of the "word list".

While we are smart in adding the keywords appearing in spam mail, spammers are just as good at modifying the words. I am pretty sure you have seen "Viagra" appear as "V1agr@", "Vi@gra" or "V!agra", etc. These words escape the "spam dictionary" and therefore result in false negatives.

A filter system is effective with frequent fine-tuning of the filtering rules in use. The "word list", "black list" of IPs, etc. must be updated frequently. Bear in mind that filters do not stop spam; they merely stop what you have highlighted in your system. Even so, checking misclassified email frequently is important to avoid missing important mails.
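Both failure modes of the word-list filter from this part, the "Sex in the city" false positive and the "V1agr@" false negative, can be reproduced in a few lines. The example below is added here and is not code from this blog or from any product: it runs a tiny constructed word list over three constructed messages, first as a plain substring match (the old-school filter) and then after undoing common letter substitutions and matching whole words only. The substitution table is an assumption, and a real spam dictionary is far longer.

```python
import re

# Constructed word list; real "spam dictionaries" run to thousands of entries.
WORD_LIST = {"sex", "viagra", "free money"}

# Assumed table of the character swaps seen in spam ("V1agr@", "Vi@gra", "V!agra").
LEET = str.maketrans({"1": "i", "!": "i", "|": "i", "@": "a", "4": "a",
                      "0": "o", "$": "s", "5": "s", "3": "e", "7": "t"})

# Constructed messages: a harmless chat, an obfuscated advert, and an innocent
# word that merely contains a listed word.
FRIEND = 'Hi Joe, did you catch the show "Sex in the city" last night?'
ADVERT = "Cheap V1agr@ and Vi@gra, order now"
ESSEX = "Meeting in Essex tomorrow"


def normalise(text: str) -> str:
    """Lower-case, undo the letter swaps, then drop anything that is not a letter
    or whitespace so 'Vi@gra,' becomes 'viagra'."""
    text = text.lower().translate(LEET)
    return re.sub(r"[^a-z\s]", "", text)


def naive_hits(text: str, words=WORD_LIST) -> list:
    """The old-school check: does the raw text contain the listed word anywhere?"""
    low = text.lower()
    return sorted(w for w in words if w in low)


def normalised_hits(text: str, words=WORD_LIST) -> list:
    """Same list, but after normalisation and matching whole words only."""
    norm = normalise(text)
    return sorted(w for w in words if re.search(r"\b" + re.escape(w) + r"\b", norm))


def classify(text: str, checker=normalised_hits) -> str:
    """What a pure word-list filter would decide; no scoring, one hit is enough."""
    return "spam" if checker(text) else "ham"


if __name__ == "__main__":
    for msg in (FRIEND, ADVERT, ESSEX):
        print(f"{msg!r}\n  naive: {naive_hits(msg)}  normalised: {normalised_hits(msg)}")
```

Normalisation closes the "V1agr@" gap and the whole-word rule stops "Essex" from matching, but the friendly message is still blocked: the word really is there, and no amount of fine-tuning a plain word list can tell the two uses apart. That is the argument for combining filters with the other technologies in this series rather than relying on them alone.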

End of Part 1