Email-Spoofing 070


e-mail: a rich introduction (2)
Fabrizio d'Amore
[email protected]
e-mail spoofing
•  the activity of altering the e-mail's sender address so that the message looks as if it originated from another sender
o  the spoofer will possibly alter other fields too
•  easy in the plain Internet e-mail system, since original SMTP doesn't provide any authentication
o  later, a few mechanisms for authentication have been introduced, such as SMTP-AUTH
•  most spam/phishing e-mail messages are spoofed

E-Mail intro (2) March 2013 2


a typical example


simple spoofing session
telnet mail.dis.uniroma1.it 25
Trying 151.100.59.100...
Connected to mail.dis.uniroma1.it.
Escape character is '^]'.
220 Mail Server ESMTP
helo babbonatale
250 mail.dis.uniroma1.it
mail from:<[email protected]>
250 Ok
rcpt to:<[email protected]>
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
Message-ID: [email protected]
Date: Sat, 03 Mar 2012 18:18:32 +0100
From: Babbo Natale <[email protected]>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Fabrizio d'Amore <[email protected]>
Subject: Natale 2012 si avvicina.
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit

Approfitta ora delle offerte anticipate per il prossimo Natale e ordina immediatamente i tuoi regali.

Babbo Natale, l'unico
.
250 Ok: queued as AF3B722FDD
quit
221 Bye
Connection closed by foreign host.

how to check for spoofing
•  no success-guaranteeing techniques
o  it is often easy to detect spoofed messages
o  sometimes it is hard or almost impossible
•  a good chance is to analyze the complete message (full header + body)
o  standard e-mail clients normally hide most of the header, since it is considered uninteresting
o  the analyst has to get the integral and original message: no standard GUI; IMAP can be a good means
o  check the fields From, Return-Path, Reply-To, Received
   •  compare values (not all fields are necessarily present in the header)
   •  look up IP numbers (if any) and check domain names
o  many tools are available for that


spam example
•  message delivered to an official e-mail address, published on a web site
•  Thunderbird labeled it as spam
•  sender looks to be "Mr Jamice Williams"
•  delivered to multiple hidden recipients (BCC)
•  in Thunderbird (Mac OS) the source (full text) of the message can be quickly obtained by pressing CMD-U
spam analysis

a few interesting headers


first hop

questions:
a) to whom is 41.203.64.130 registered?
b) to whom is 121.52.214.219 registered?
c) to whom is euroa-gazette.com.au registered?
d) are these data compatible?

first hop basic data:
Received: from User ([41.203.64.130]) (envelope-sender <mrjamicewilliamshotmail.com>) by 121.52.214.219 with ESMTP for <[email protected]>; Sat, 10 Mar 2012 07:45:31 +0800


 

moreover
•  euroa-gazette.com.au is registered to "Euroa Gazette Newspaper", an Aussie company
•  the website of "The Euroa Gazette" shows news of October 13, 2009 (the message was sent on March 10, 2012)

courtesy of


result of first-hop analysis

the message was sent from a host registered to some Nigerian organization and received by a Chinese organization, which was also told that the final recipient belongs to an Aussie organization


second hop

questions:
a) to whom is mial.uictech.com.cn registered?
b) why is IP 121.52.214.219 labeled as unknown?
c) what compatibility is there between such data?

second hop basic data:
Received: from mial.uictech.com.cn (unknown [121.52.214.219]) by webmail.dis.uniroma1.it (Postfix) with SMTP id 1BD9026AF0A for <[email protected]>; Sat, 10 Mar 2012 00:47:01 +0100 (CET)
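The checks described under "how to check for spoofing" and worked through on the two hop slides, as an added Python example (not the slides' own material): it reads the Received chain oldest-first, flags hops whose HELO name was not confirmed by reverse DNS (the "unknown" seen above), verifies that each hop's "by" host reappears on the "from" side of the next hop, and compares the From, Return-Path and Reply-To addresses. The raw message is constructed here: its Received lines mirror the two hops above, while every address is a placeholder and the function names are my own.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample (not a real capture): the two Received lines mirror the hops
# examined in the slides; all addresses are placeholders.
RAW = b"""Return-Path: <mrjamicewilliams@example.invalid>
Received: from mial.uictech.com.cn (unknown [121.52.214.219])
 by webmail.dis.uniroma1.it (Postfix) with SMTP id 1BD9026AF0A
 for <recipient@example.invalid>; Sat, 10 Mar 2012 00:47:01 +0100 (CET)
Received: from User ([41.203.64.130]) (envelope-sender <mrjamicewilliams@example.invalid>)
 by 121.52.214.219 with ESMTP for <recipient@example.invalid>; Sat, 10 Mar 2012 07:45:31 +0800
From: "Mr Jamice Williams" <mrjamicewilliams@example.invalid>
Reply-To: <reply-drop@other.invalid>
Subject: constructed sample

body
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                   # name given in HELO
    r"(?:\s+\((?P<rdns>[^\[\)]*?)\s*\[(?P<ip>[\d.]+)\]\))?"   # "(rdns [ip])", optional
    r".*?\bby\s+(?P<by>\S+)")                                 # receiving server

def parse(raw=RAW):
    return message_from_bytes(raw, policy=policy.default)

def received_hops(msg):
    """Received chain oldest-first; flags hops whose HELO name was not confirmed by reverse DNS."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(str(value).split()))   # unfold, squeeze whitespace
        hop = m.groupdict() if m else {"helo": None, "rdns": None, "ip": None, "by": None}
        hop["rdns_unconfirmed"] = bool(hop["ip"]) and hop["rdns"] in (None, "", "unknown")
        hops.append(hop)
    return hops

def chain_consistent(hops):
    """Each hop's 'by' host must reappear on the 'from' side of the next hop (name, rDNS or IP)."""
    return all(cur["by"] in {nxt["helo"], nxt["rdns"], nxt["ip"]}
               for cur, nxt in zip(hops, hops[1:]))

def sender_fields(msg):
    """From / Return-Path / Reply-To addresses (absent fields skipped) and their distinct domains."""
    addrs = {n: parseaddr(str(msg[n]))[1].lower()
             for n in ("From", "Return-Path", "Reply-To") if msg[n] is not None}
    return addrs, {a.rsplit("@", 1)[1] for a in addrs.values() if "@" in a}
```

A consistent chain only means the headers agree with each other: as the slides note, the oldest hop is attested solely by the server that wrote it, so the real work is the whois/nslookup step on each name and IP.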


second-hop analysis
>whois uictech.com.cn
Domain Name: uictech.com.cn
ROID: 20061205s10011s12255687-cn
Domain Status: ok
Registrant ID: hc812883321-cn
Registrant Organization: 北京联友创嘉科技发展有限公司
Registrant Name: 陈文杰
Registrant Email: 
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server:dns11.hichina.com
Name Server:dns12.hichina.com
Registration Date: 2006-12-05 16:32:09
Expiration Date: 2012-12-05 16:32:09
Dnssec Deployment: N

after three attempts (first ones were void):
>nslookup uictech.com.cn
Non-authoritative answer:
Name: uictech.com.cn
Address: 121.52.214.219


result of analysis
•  a message from Nigeria to China (with claimed final destination in Australia), then from China to Italy, looks scarcely convincing
o  in particular there seems to be no reason why the Chinese server delivered it to the server in Sapienza (no explicit Sapienza recipients are written in the message)
•  the identity of the Chinese server appears to be reasonably assured, since it is confirmed by the Sapienza server
o  if the Sapienza server has been compromised, the confirmation is unreliable
•  the initial Nigerian origin is only attested by the Chinese server


unwanted e-mail messages
•  SPAM = unwanted ads (?)
o  both normal and low-quality merchandise (drugs, pharmacy, dating, online sex, pirated software/multimedia etc.)
•  frauds/malware
o  "write here your username/password"
o  "write here your credit card number"
o  "help me to retrieve $ 20 000 000 …"
o  "you haven't claimed your € 500 prize"
o  loans and funds at lowest rates
o  "I'm so lonely and looking for love…"
o  "you won the lottery"
o  "the message you have sent is undeliverable"
o  "invoice to be paid: click here"
•  e-mail chain letters
o  exponential growth
•  all of the above, combined with low-quality automatic language translation


basic e-mail nonalogue
•  disable HTML messages or, at least, disable download of remote images
o  prevents the sender from validating our e-mail address
•  don't click links (especially tiny or IP-based URLs)
o  they could redirect us to bad web sites containing malware/spyware
•  don't open unknown/unexpected attachments
o  they may contain malware/spyware
o  executables (.exe, .app, .bat etc.), documents (.doc, .pdf etc.) and others (.src, …)
•  activate a local anti-spam filter
•  don't participate in chain letters
o  google their contents!
•  protect and respect the privacy of other recipients
o  be careful in e-mail forwarding (don't uselessly disclose e-mail addresses)
•  even if you are not a Windows user, activate anti-virus to protect your (Windows) recipients
•  don't provide your personal/sensitive data
o  identity theft!
•  don't click "delete me"
o  it may validate your e-mail address
o  OK with known senders


expansion of tiny URLs
how to?
•  click & see
o  risky!
•  use analyzing tools
o  where can we find them?
•  ad hoc services on the Web
o  e.g.: http://www.clybs.com/urlexpander
o  good results?
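An added Python example (not from the slides) of the "analyzing tool" alternative to click & see: it reveals where a shortened link points by sending a HEAD request with redirects disabled and reading the Location header one hop at a time, and it stops at IP-based targets, which the nonalogue lists among the links not to click. The class and function names and the User-Agent string are my own choices.

```python
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: the analyst wants to read the target, not visit it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def is_ip_based(url):
    """True when the URL's host is a bare IPv4/IPv6 address (a signal named in the slides)."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def expand_once(url, timeout=10):
    """HEAD the URL without following redirects; return (status, Location or None)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "url-inspector"})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:        # with redirects disabled a 3xx lands here
        return e.code, e.headers.get("Location")

def expand_chain(url, max_hops=5):
    """Resolve the redirect chain one hop at a time, returning every URL seen (first = input)."""
    seen = [url]
    for _ in range(max_hops):
        status, location = expand_once(seen[-1])
        if not (300 <= status < 400 and location):
            break
        seen.append(urljoin(seen[-1], location))   # Location may be relative
        if is_ip_based(seen[-1]):
            break                                  # do not even HEAD an IP-based host
    return seen
```

expand_chain needs network access to the shortener; is_ip_based works offline and can be applied to any link found in a message before anyone clicks it.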