Attack emails can be malware delivery, cross-site scripting (XSS) attacks,
plain spam, or phishing.

Just how do you identify an attack email? Simple. Make sure you view the email
message in its original format - the format that is parsed by the SMTP
servers. In the original view, we can see where the email message came
from, which SMTP server sent it, and which Google servers verified and
delivered it. With this kind of scrutiny, we can be certain whether the
email message is valid or an attack email.

In Gmail, click the pull-down arrow beside the "Reply" link, then choose
"Show original". You will see something like this:

Delivered-To: [email protected]
Received: by 10.100.173.4 with SMTP id v4cs172442ane;
        Sat, 26 Sep 2009 14:36:25 -0700 (PDT)
Received: by 10.210.96.1 with SMTP id t1mr1875666ebb.17.1254000984341;
        Sat, 26 Sep 2009 14:36:24 -0700 (PDT)
Return-Path: <[email protected]>
Received: from out1.fundp.ac.be (out1.fundp.ac.be [138.48.4.135])
        by mx.google.com with ESMTP id
1si2472743ewy.110.2009.09.26.14.36.23;
        Sat, 26 Sep 2009 14:36:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of
[email protected] 138.48.4.135 as permitted sender)
client-ip=138.48.4.135;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
[email protected] designates 138.48.4.135 as permitted sender)
[email protected]
Received: from webkot.fundp.ac.be (webkot.fundp.ac.be [138.48.182.50])
    by out1.fundp.ac.be (8.13.1/8.13.1) with ESMTP id n8QLaH5h004646
    for <[email protected]>; Sat, 26 Sep 2009 23:36:17 +0200
Received: from localhost (webkot.fundp.ac.be [127.0.0.1])
    by webkot.fundp.ac.be (Postfix) with ESMTP id 788FC6701CC
    for <[email protected]>; Sat, 26 Sep 2009 23:36:17 +0200 (CEST)
X-Virus-Scanned: amavisd-new at webkot.be
X-Amavis-Alert: BAD HEADER SECTION, Improper use of control character (char
0D
    hex): From: Microsoft Update <[email protected]>\r
Received: from webkot.fundp.ac.be ([138.48.182.50])
    by localhost (webkot.be [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id w5UwNEEEgEGp for <[email protected]>;
    Sat, 26 Sep 2009 23:36:17 +0200 (CEST)
Received: by webkot.fundp.ac.be (Postfix, from userid 81)
    id 517796701CE; Sat, 26 Sep 2009 23:35:20 +0200 (CEST)
To: [email protected]
Subject: Please, update your computer !
From: Microsoft Update <[email protected]>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <[email protected]>
Date: Sat, 26 Sep 2009 23:35:20 +0200 (CEST)
X-FUNDP-MailScanner-Information: Please contact the ISP for more information
X-FUNDP-MailScanner: Found to be clean
X-FUNDP-MailScanner-From: [email protected]
X-Spam-Status: No


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

  <meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
  <title></title>


</head>
<body>

<font color="#587edc" size="3"><b>We invite
you to update your computer. </b></font><br>

<br>

To install the latest version of the browser, go to the site by
clicking on the link below: <br>

<a href="http://tinyurl.com/y8gr9u5";><br>

http://update.microsoft.com/windowsupdate/computerno=25451511/ </a><font
size="2"><br>

<br>

</font>Once the update download, follow these steps: <font size="2"><br>

<ol>

  <li>Look WindowsUpdate&nbsp; file, usually it is on the
desktop after the download. </li>

  <li>Double Click WindowsUpdate </li>

  <li>Wait 2 minutes for the update is done and it's good</li>

</ol>

</font>
</body>
</html>

This email claims that it came from Microsoft Windows Update. But looking at
the mail headers, nothing could be further from the truth.

Delivered-To: [email protected]
Received: by 10.100.173.4 with SMTP id v4cs172442ane;
        Sat, 26 Sep 2009 14:36:25 -0700 (PDT)
Received: by 10.210.96.1 with SMTP id t1mr1875666ebb.17.1254000984341;
        Sat, 26 Sep 2009 14:36:24 -0700 (PDT)
*Return-Path: <[email protected]>*
*Received: from out1.fundp.ac.be (out1.fundp.ac.be [138.48.4.135])
        by mx.google.com with ESMTP id
1si2472743ewy.110.2009.09.26.14.36.23;
        Sat, 26 Sep 2009 14:36:24 -0700 (PDT)*
Received-SPF: pass (google.com: domain of
[email protected] 138.48.4.135 as permitted sender)
client-ip=138.48.4.135;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
[email protected] designates 138.48.4.135 as permitted sender)
[email protected]
*Received: from webkot.fundp.ac.be (webkot.fundp.ac.be [138.48.182.50])
    by out1.fundp.ac.be (8.13.1/8.13.1) with ESMTP id n8QLaH5h004646
    for <[email protected]>; Sat, 26 Sep 2009 23:36:17 +0200
Received: from localhost (webkot.fundp.ac.be [127.0.0.1])
    by webkot.fundp.ac.be (Postfix) with ESMTP id 788FC6701CC
    for <[email protected]>; Sat, 26 Sep 2009 23:36:17 +0200 (CEST)*
X-Virus-Scanned: amavisd-new at webkot.be
X-Amavis-Alert: BAD HEADER SECTION, Improper use of control character (char
0D
    hex): From: Microsoft Update <[email protected]>\r
*Received: from webkot.fundp.ac.be ([138.48.182.50])
    by localhost (webkot.be [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id w5UwNEEEgEGp for <[email protected]>;
    Sat, 26 Sep 2009 23:36:17 +0200 (CEST)
Received: by webkot.fundp.ac.be (Postfix, from userid 81)
    id 517796701CE; Sat, 26 Sep 2009 23:35:20 +0200 (CEST)*

So if I'm going to reply to this email, I'll most certainly either end up
sending email to the spammer/phisher/bot owner, or my reply will be
dropped/bounced, provided that the SMTP server was a hacked node.

Another thing to note is in the body of the email message.

To install the latest version of the browser, go to the site by
clicking on the link below: <br>

*<a href="http://tinyurl.com/y8gr9u5";><br>*

http://update.microsoft.com/windowsupdate/computerno=25451511/ </a><font
size="2"><br>

<br>

Yes, the link doesn't point to a valid Microsoft website :). Most likely
it will be either a dropper or an XSS initiator.
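As an added example (not part of the original post), here is a small Python script that applies the two checks above to a cut-down copy of the sample: it walks the Received: chain from the bottom up to find the host that first injected the message, compares that host and the Return-Path domain against the From: domain, and flags any anchor whose visible URL is on a different host than its href. The mailbox addresses in the sample are constructed placeholders; the hostnames and IPs are the ones shown in the headers above.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed, cut-down copy of the post's sample: hosts and IPs are the ones
# shown in the post, mailbox addresses are placeholders.
RAW = """\
Return-Path: <sender@fundp.ac.be>
Received: from out1.fundp.ac.be (out1.fundp.ac.be [138.48.4.135]) by mx.google.com with ESMTP
Received: from webkot.fundp.ac.be (webkot.fundp.ac.be [138.48.182.50]) by out1.fundp.ac.be
Received: by webkot.fundp.ac.be (Postfix, from userid 81)
    id 517796701CE; Sat, 26 Sep 2009 23:35:20 +0200 (CEST)
From: Microsoft Update <update@microsoft.example>
Content-Type: text/html

<a href="http://tinyurl.com/y8gr9u5"><br>
http://update.microsoft.com/windowsupdate/computerno=25451511/ </a>
"""
HOST = re.compile(r"https?://([^/\s]+)")

def origin_host(msg):
    # Each relay prepends its own Received: line, so the last one in the
    # message is the server closest to the real sender; take the host it names.
    oldest = " ".join(msg.get_all("Received", [])[-1].split())
    m = re.search(r"\b(?:from|by)\s+([\w.-]+)", oldest)
    return m.group(1).lower() if m else None

def domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def deceptive_links(html):
    """(href, visible text) pairs where the text is a URL on another host than
    the href. A regex is enough for the flat sample here; use a real HTML
    parser on arbitrary mail."""
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        text = re.sub(r"<[^>]+>", "", text).strip()   # drop the <br> inside the anchor
        h, t = HOST.match(href), HOST.match(text)
        if h and t and h.group(1).lower() != t.group(1).lower():
            out.append((href, text))
    return out

def analyze(raw):
    msg = message_from_string(raw, policy=default)
    origin, claimed = origin_host(msg), domain(msg["From"])
    return {"origin_host": origin, "from_domain": claimed,
            "return_path_domain": domain(msg["Return-Path"]),
            "origin_matches_from": origin.endswith(claimed),
            "deceptive_links": deceptive_links(msg.get_payload())}
```

A result with `origin_matches_from` false and a non-empty `deceptive_links` list is exactly the pattern the headers and body above show.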

What can you do at this point in time? Do not click the link; delete the
email immediately. If you are adventurous enough, you can trace where the
server is. And if you are "crafty" enough, communicate with the "owner".

That's it for this public service message. Good luck and stay safe!




-- 
Penguin, penguin, and more penguin.

Believe that within the brain is a brain, and within it another brain, and
so on and so forth.

_________________________________________________
Kagay-Anon Linux Users' Group (KLUG) Mailing List
[email protected] (http://lists.linux.org.ph/mailman/listinfo/klug)
Searchable Archives: http://archives.free.net.ph