Modern Computer Viruses are almost NEVER from whom they claim to be from
This is one that I’ve probably talked about before, but it’s worth rehashing because of a call I had this afternoon. A customer had been receiving phone calls and email messages from folks asking that he stop sending them a virus. Essentially all of the viruses were claiming to be from his email address and he was very concerned that his system had been compromised.
I was skeptical, but agreed to take a look at one. When I got there I found a few “Delivery failed” bounces from the flood that apparently had gone out and started looking. For starters, he uses bellsouth.net. The bounce messages include the header of the emails that were going out. They indeed claimed to be from his address, but a close look at the ONLY header tag revealed the truth. The message had not come from a bellsouth.net customer, but from within the newsouth.net netblock.
So, several minutes later I found and verified that abuse@nuvox.net was the correct address to report it to, and I attached the message headers and sent it off. Frankly there is nothing else we can do at this point. Which is aggravating, but that’s the way it is.
The analogy I always use to explain this to folks is this. Say I was sending a real letter in an envelope. I write the envelope out to whoever I want to receive it, and I want to hide my address, so I choose another address (1600 Pennsylvania Avenue, maybe…). So I use that as the return address and drop it in the mail. It still gets to the recipient.
Let’s look at a simple email header…..
Return-Path:
Received: from mxsf28.cluster1.charter.net ([10.20.201.228]) by
mtai03.charter.net (InterMail vM.6.01.04.01 201-2131-118-101-20041129) with
ESMTP id
<20050720234417.KXAO4452.mtai03.charter.net@mxsf28.cluster1.charter.net>
for
Received: from mxip11a.cluster1.charter.net (mxip11a.cluster1.charter.net
[209.225.28.141]) by mxsf28.cluster1.charter.net (8.12.11/8.12.11) with
ESMTP id j6KNi1uV019821 for
19:44:16 -0400
Received: from web53702.mail.yahoo.com (206.190.37.23) by
mxip11a.cluster1.charter.net with SMTP; 20 Jul 2005 19:44:09 -0400
Received: (qmail 81942 invoked by uid 60001); 20 Jul 2005 23:44:08 -0000
Message-ID: <20050720234408.81937.qmail@web53702.mail.yahoo.com>
Received: from [MYIPADDRESS] by web53702.mail.yahoo.com via HTTP; Wed, 20
Jul 2005 16:44:08 PDT
Date: Wed, 20 Jul 2005 16:44:08 -0700 (PDT)
From: Some Sender
Subject: Test
To: some address@charter.net
Did I say simple?…. Well yes, there’s a lot, but we can quickly start identifying what’s important and what’s not. The Subject:, From: and To: lines are simple and look straightforward; they can be anything the sender, or the sender’s software, wants them to be. The Return-Path is similar – usually it’s the sender address, but it doesn’t have to be; in fact this can be any address the sending software wants to stamp on it. In this example I’ve stripped out some tags that are unimportant: virus scanning checks, message encoding details. Those are safely ignored.
You might see we have a Message-ID and Date field. The Date field is usually stamped as the message is sent, and the Message-ID is stamped by the first mailserver along the chain. For the above example I sent from my yahoo mail account to my charter mail account. (Addresses have been changed.)
The next part is the real meat of things…. Received tags. These tags can only be added, not altered. For every mailserver “transaction”, or handing off of the message from one machine to another (sometimes from one program on a machine to another program on the same machine), a Received tag is added. Think about it like the post office cancelling the stamp on the letter: it tells the date and place that the letter passed through. The same is true of Received tags, only EACH machine along the way gets to stamp it.
So which one is first…?
If you look at the above you will see Return-Path, then Received. This first Received tag is the LAST one added, so let’s see if we can analyze it a bit.
Received: from mxsf28.cluster1.charter.net ([10.20.201.228]) by
mtai03.charter.net
OK – we’ve handed off from a mail exchanger to my charter.net mailserver…. this is the end of the process, let’s backtrack a bit….
Received: from mxip11a.cluster1.charter.net (mxip11a.cluster1.charter.net
[209.225.28.141]) by mxsf28.cluster1.charter.net
Ok this was where mxsf28 got my message from yet another mail exchanger. (In between these two was some sort of virus scan that I clipped to keep things a bit neater, so one is a dedicated virus/junk scanner).
Received: from web53702.mail.yahoo.com (206.190.37.23) by
mxip11a.cluster1.charter.net with SMTP
OK, so charter received the message from what looks like a web mail at Yahoo… we’re getting there…
Received: (qmail 81942 invoked by uid 60001);
OK – this is qmail (a mail server program) receiving the message from an unknown source.
Received: from [MYIPADDRESS] by web53702.mail.yahoo.com via HTTP;
Aha – here’s the source… it looks like webmail received the message using HTTP (Hypertext Transfer Protocol, essentially the web protocol), and it was received from my IP address, which I don’t think would be wise to publish…. An IP address is a series of numbers; for instance, 192.168.0.200 is a private IP address (a local area network might use this address for ONE machine), while 69.36.180.58 is an example of a public address (the machine that’s serving up these web pages lives at that address).
Now, I’ve trimmed out dates in the above list, but I rarely look at them unless there seems to be an added entry in the Received: log; then I start looking at the dates to see if one’s out of line, or spend more time trying to figure out if each of the message “handoffs” makes sense.
So, let’s pick a random junkmail or virus and see what we find…. Reach into the virus filter and pull out a phishing scheme email….
Return-Path: <>
Delivered-To: virus-quarantine
X-Envelope-To:
X-Envelope-From:
X-Quarantine-Id:
Received: from averyjparker.com (averyjparker.com [69.36.180.58])
by myinhousemailserver (Postfix) with ESMTP id 2D94044804
for
Received: from 216.127.92.116 (ns0.lugardesexo.com [216.127.92.116] (may be forged))
by averyjparker.com (8.11.6/8.11.6) with SMTP id j6KF3Y414283;
Wed, 20 Jul 2005 09:03:35 -0600
Received: from 138.178.120.98 by ; Wed, 20 Jul 2005 12:55:35 -0300
Message-ID:
From: "Wells Fargo Security Service"
Reply-To: "Wells Fargo Security Service"
To: sever aladdre ssesatmydomain.com
Subject: Fraud Prevention Measures
Date: Wed, 20 Jul 2005 18:59:35 +0300
OK – Date, From, To, Subject, Reply-To: we all know these can be anything, as can X-Envelope-From and X-Envelope-To; those are added on my mailserver when it retrieves mail from outside.
So, the first received tag….
Received: from averyjparker.com (averyjparker.com [69.36.180.58])
by myinhousemailserver (Postfix)
OK – I’ve altered the name of my in-house server, but this is the in-house server picking the message up from the web site; notice the IP address that I mentioned earlier.
Received: from 216.127.92.116 (ns0.lugardesexo.com [216.127.92.116] (may be forged))
by averyjparker.com
Hmmm.. it looks legitimate, but my mailer seems to think something about this isn’t kosher….
So, I’ve turned to the shell to try a ping…
PING ns0.lugardesexo.com (66.98.184.23)
Hmmm… ping resolves the name to a different IP address. This is fishy. When we see an entry like this, trust the number in the brackets [216.127.92.116]. Usually when a mailserver (in this case averyjparker.com) receives a message from anywhere, it records who they are and who they say they are. In this case, they were 216.127.92.116, but they said they were ns0.lugardesexo.com.
Ok…. next
Received: from 138.178.120.98 by ;
Now this is a VERY strange entry. No link up to the number listed above. I think this is fake, added to throw us off the trail. So the last valid entry had averyjparker.com receiving the message from 216.127.92.116.
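As an added example (not from the original post), here is a small Python script that applies the rules above mechanically: walk the Received tags from the top, check that each hop’s “by” host is the “from” host of the hop above it, trust the bracketed address over the claimed name, and stop at the first entry that does not link up, like the “by ;” line just discussed. The sample headers are constructed after the ones quoted in this post.

```python
import re
# Constructed sample (modelled on the phishing headers quoted in the post): a
# clean hop, a hop whose claimed name and recorded address disagree, and a
# dangling "by ;" line that links to nothing.
SAMPLE_HEADERS = """\
Received: from averyjparker.com (averyjparker.com [69.36.180.58])
    by myinhousemailserver (Postfix) with ESMTP id 2D94044804
Received: from 216.127.92.116 (ns0.lugardesexo.com [216.127.92.116] (may be forged))
    by averyjparker.com (8.11.6/8.11.6) with SMTP id j6KF3Y414283
Received: from 138.178.120.98 by ; Wed, 20 Jul 2005 12:55:35 -0300
From: "Wells Fargo Security Service"
"""

# "from HELO (rdns [ip] ...) ... by HOST"; the parenthesised part is optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\[\s]+)?\s*\[(?P<ip>[\d.]+)\][^)]*\))?"
    r".*?\bby\s+(?P<by>[\w.-]+)")

def unfold(raw):
    """Join folded header lines (continuation lines start with whitespace)."""
    out = []
    for line in raw.splitlines():
        if line[:1] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def trace_received(raw):
    """Walk Received lines top-down (newest hop first, as the post does). Each
    hop's 'by' host must be the 'from' host of the hop above; the first hop that
    breaks the link ends the trail. Returns (IP recorded by last linked receiver, notes)."""
    hops = [h.split(":", 1)[1] for h in unfold(raw) if h.lower().startswith("received:")]
    notes, origin, expected_by = [], None, None
    for n, value in enumerate(hops):
        m = HOP_RE.search(value)
        if m is None:
            notes.append(f"hop {n}: no usable from/by pair, treat as forged: {value.strip()!r}")
            break
        if expected_by and m["by"] not in expected_by:
            notes.append(f"hop {n}: 'by {m['by']}' does not link to the hop above, stop here")
            break
        ip = m["ip"] or m["helo"]  # the bracketed address is what the receiver saw
        if m["rdns"] and m["rdns"] != m["helo"]:
            notes.append(f"hop {n}: names disagree ({m['helo']} vs {m['rdns']}); trust [{ip}]")
        if "may be forged" in value:
            notes.append(f"hop {n}: receiver flagged the peer name as possibly forged")
        origin = ip
        expected_by = {m["helo"], m["rdns"], m["ip"]} - {None}
    return origin, notes
```

Running `trace_received(SAMPLE_HEADERS)` names 216.127.92.116 as the last linked sender and reports the final “by ;” line as unusable, which is the conclusion reached by hand above.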
Time to dig a bit.
Enter Sam Spade. Well, after all, it feels like sleuthing here…. www.samspade.org has a collection of tools that can be of help here… I use IP whois, which is a few entries down the page, and enter the above address.
Here’s most of what I get…
Server Used: [ whois.arin.net ]
216.127.92.116 = [ ns0.lugardesexo.com ]
OrgName: Everyones Internet Inc.
OrgID: EVRY
Address: 390 Benmar
Address: Suite 200
City: Houston
StateProv: TX
PostalCode: 77060
Country: US
NetRange: 216.127.64.0 - 216.127.95.255
CIDR: 216.127.64.0/19
NetName: EVRY-BLK-10
NetHandle: NET-216-127-64-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET
Comment:
RegDate:
Updated: 2002-05-08
TechHandle: RW172-ARIN
TechName: Williams Randy
TechPhone: 1-713-579-2850
TechEmail: admin@ev1.net
OrgAbuseHandle: ABUSE477-ARIN
OrgAbuseName: ABUSE
OrgAbusePhone: 1-713-579-2850
OrgAbuseEmail: abuse@ev1.net
What? ns0.lugardesexo.com appears in whois lookups at one address and pings at another. Possible, but it sure looks fishy. The site is hosted by ev1.net, and at the bottom here you see the OrgAbuseEmail ( ab us e@ev1.net ).
The abuse address for most domains is where you would send complaints of spamming, viruses, or other obnoxious activities coming from a site that resides in their network. Since we don’t have an entry of the machine at 216.127.92.116 receiving the mail message, just sending it, I suspect this was the originator and at this point would send an abuse report.
I won’t though and here’s why….
This is the only message I’ve received from this originator out of hundreds that I receive. I usually only send in abuse reports when the incoming tide is noticeable. Now, you might say, but if you can get that one machine cleaned up that will help a bit. Maybe, but… abuse desks are flooded with complaints already. By only reporting the most obnoxious/prolific spammers and virusmailers I think there’s a better chance of getting things cleaned up. I could literally spend all my time trying to trace the viruses and junkmails I get. Then, likely the abuse admin at each locale would probably recognize my email address and remember I’m the crank that complains about every drop of email that’s forged. In other words, let’s call in abuse admins for the big fires and let the little ones smolder.
Anyway, this has been a long and in-depth review of the whole issue. I think I can hear a few people throwing the computers out the window and calling to buy carrier pigeons.