How to track down the true source of an email

I keep explaining this on every non-technical messageboard I visit whenever a member gets a virus. Rather than keep typing it out every time, I decided to do it up really nice one final time.

How to track down the true source of an email

This guide should let just about anyone figure out how to analyze the virus and spam emails they get to find the true source, and what to look at to help figure out whose PC it is that’s sending out this garbage. I hope this helps someone out there learn a little more, and I hope it helps stop some of the needless blame that innocent victims get when their email address is spoofed as the sender (note that it just as easily could’ve been your address that the email was “from” and the other person’s address that it was sent to).

I’m also going to rant a bit about stupid mail server AV programs. I know that every Netsky virus mail has a spoofed sender address. I know that every Bagle email has a spoofed sender address. Everybody knows that these (and other) email worms use spoofed addresses. So why do these “state of the art” AV programs tell the mail server to bounce the message back to the “from” address? If an attachment infected with CIH is detected, alert the sender. CIH is a file virus – it spreads between files on one PC. If the attachment has CIH, then other files on that PC have CIH also. Bouncing the message back to the sender lets them know they have a virus.

However, bouncing a Netsky/Bagle message back to the “sender” address only tells the person that somewhere a PC with their email address on it has a virus. It’s possible that an infected PC could send out an email with the owner’s address as the “from” address, but it’s just as possible for any other PC to send it out as being from that address. Alerting the “sender” of the email most likely will just confuse an innocent bystander whose PC isn’t infected. Vendors, add a simple check in your super-duper AV program that says “if detectedvirus.type == spoofing, then don’t bounce email”. That’s all it takes, just one little check. I don’t think I’m that much smarter than you guys, but I guess I could be…
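As an added illustration of the kind of tracing the guide above is about (example code written for this post, not the author’s guide or any vendor’s tool): the place to look is the Received: headers, which every relay prepends as the message passes through it, so the top one is the newest hop and the bottom one the oldest. Only the lines written by relays you trust are reliable; anything below them could have been typed in by the sending PC. The sample message, the addresses and the set of trusted relays are constructed for the example.

```python
import email
import email.utils
import re

# Constructed sample (not a real capture): the From: is spoofed as a third
# party, and the sending PC has even added a fake bottom Received: line.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org (Postfix) with ESMTP id 1A2B3C
    for <victim@example.org>; Mon, 1 Mar 2004 10:02:31 -0500
Received: from alice-pc (dhcp-55.isp.example [203.0.113.55])
    by mx.example.net (Postfix) with SMTP id 4D5E6F
    for <victim@example.org>; Mon, 1 Mar 2004 10:02:29 -0500
Received: from mail.example.com (mail.example.com [198.51.100.7])
    by alice-pc with SMTP; Mon, 1 Mar 2004 10:02:20 -0500
From: "Bob" <bob@example.com>
To: victim@example.org
Subject: your document

see attached
"""

# Relays whose Received: lines we trust: our own MX and our provider's relay
# (assumed names for the example).
TRUSTED_RELAYS = {"mail.example.org", "mx.example.net"}

# "from HELO-name (reverse-dns [ip]) ... by relay-name"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def parse_received(value: str):
    """Pull the connecting host, its IP and the receiving relay out of one hop."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"] or None,
            "ip": m["ip"], "by": m["by"]}


def trace_origin(raw_message: str, trusted_relays=TRUSTED_RELAYS) -> dict:
    """Walk the Received: chain newest-first and stop at the first hop that
    was not recorded by a relay we trust; the last trusted hop names the
    connecting PC as far as we can know it."""
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    origin = None
    for hop in hops:  # top of the header block is the most recent hop
        if hop["by"] not in trusted_relays:
            break     # everything from here down could be forged by the sender
        origin = hop
    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["helo"] if origin else None,
        "origin_rdns": origin["rdns"] if origin else None,
        "from_address": from_addr,
        "hops_examined": len(hops),
        # True only if the connecting host's reverse DNS sits in the From: domain
        "from_domain_matches_origin": bool(
            origin and origin["rdns"] and origin["rdns"].endswith(from_domain)),
    }


if __name__ == "__main__":
    for key, val in trace_origin(SAMPLE_MESSAGE).items():
        print(f"{key}: {val}")
```

Run against the sample, the trace ends at 203.0.113.55 (the ISP customer “alice-pc”), not at example.com: the From: address tells you nothing about who sent it, and the bottom Received: line claiming a hop from mail.example.com was never written by a relay we trust, so it is ignored. Which relays count as trusted is something you have to decide from your own mail setup.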

Get infected, lose your connection

Comcast cutting off spam ‘zombies’

Sweet. Comcast is starting to disable cable connections of PCs infected with mass-mailing worms. While I’m sure it won’t completely stop spam, many spammers are now using zombified PCs to do their dirty work, and Comcast is known for its huge numbers of clueless users. This will help those of us getting bombarded with all this spam, and hopefully these users will learn that failing to secure their PCs does lead to unwanted consequences. Maybe these consequences will even make them realize that they really are affecting others with their actions (or lack thereof).

Bloody Pinguin

Wow, this is a really bloody version of the Pinguin game I posted before. It’s the same concept, but it involves spikes, landmines, explosions, and flying heads. Give it a shot sometime if you like the first ones.

Get your email through spam filters

I just added a link to Habeas there on the left. They use a unique approach to guarantee that your email makes it through spam filters. If you agree not to spam, you can license their poem. You put this in your mail headers. Many spam filters are configured to recognize the Habeas poem, so they let the email pass through. That’s great, you say, but can’t anyone just put the poem in their email headers to get it past filters? That’s where Habeas’ power lies. Their poem is a copyrighted work. If you use it against their licensing terms, they sue you under existing and proven copyright laws for devaluing their work. No worries about how judges will interpret the technical side of things, or if they’ll even have any clue about it. Spamming is stopped via existing, proven, understood laws. As you can see, it’s a unique way to handle the issue, and it works.

Businesses and email providers can sign up to have all of their outgoing mail tagged with the headers by having their users agree to the Habeas terms. Individuals can get a personal license for free. Once you do that, you can configure your mail client or mail server to embed the headers in each email you send. You can also download a proxy for Windows. Your mail client sends all mail to the proxy and the proxy sends it to the actual mail server after embedding the headers.

A new setting has been added to Mozilla (including Thunderbird) to embed custom headers in each email. The easiest way to add the proper settings is to install chromEdit. Once you’ve got that installed, just pick Edit User Files on your Tools menu, click on the user.js tab, and add the following:

// Add Habeas headers to outgoing mail
user_pref("mail.identity.id1.headers","habeas1,habeas2,habeas3,habeas4,habeas5,habeas6,habeas7,habeas8,habeas9");
user_pref("mail.identity.id1.header.habeas1", "X-Habeas-SWE-1: winter into spring");
user_pref("mail.identity.id1.header.habeas2", "X-Habeas-SWE-2: brightly anticipated");
user_pref("mail.identity.id1.header.habeas3", "X-Habeas-SWE-3: like Habeas SWE(tm)");
user_pref("mail.identity.id1.header.habeas4", "X-Habeas-SWE-4: Copyright 2002 Habeas (tm)");
user_pref("mail.identity.id1.header.habeas5", "X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this");
user_pref("mail.identity.id1.header.habeas6", "X-Habeas-SWE-6: email in exchange for a license for this Habeas");
user_pref("mail.identity.id1.header.habeas7", "X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant");
user_pref("mail.identity.id1.header.habeas8", "X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this");
user_pref("mail.identity.id1.header.habeas9", "X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report/>.");

Click Save and that’s it. Mozilla will now add those lines to every outgoing mail automatically. The setting is per-account, so if you have multiple email accounts you’ll need to add a copy of that for each account, but changing id1 to the proper id# corresponding to the mail account. With this tidbit of code and taking the time to fill out the app linked above, you’ll be guaranteeing that your legitimate mail makes it through just about every mail filter out there.

I don’t know anything about Habeas’ business licensing, but the personal one is free, so I figure it can only help. Many common filters already recognize the Habeas poem, and Habeas seems to be doing a good job of enforcing its use (which keeps it worthwhile).
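To show both sides of the mechanism just described, here is an added Python example (written for this post; it is not code from Habeas or from the author): it stamps an outgoing message with the nine header lines listed above, which is what the proxy does, checks an incoming message the way a filter would, telling a complete mark apart from a missing, partial or altered one, and spells out the user.js lines for any mail identity number. The sample messages are constructed.

```python
import email

# The nine licensed header lines from the post, keyed by header name.
HABEAS_SWE = {
    "X-Habeas-SWE-1": "winter into spring",
    "X-Habeas-SWE-2": "brightly anticipated",
    "X-Habeas-SWE-3": "like Habeas SWE(tm)",
    "X-Habeas-SWE-4": "Copyright 2002 Habeas (tm)",
    "X-Habeas-SWE-5": "Sender Warranted Email (SWE) (tm). The sender of this",
    "X-Habeas-SWE-6": "email in exchange for a license for this Habeas",
    "X-Habeas-SWE-7": "warrant mark warrants that this is a Habeas Compliant",
    "X-Habeas-SWE-8": "Message (HCM) and not spam. Please report use of this",
    "X-Habeas-SWE-9": "mark in spam to <http://www.habeas.com/report/>.",
}

# Constructed outgoing message, as a mail client would hand it to the proxy.
PLAIN_MESSAGE = "From: me@example.org\nTo: you@example.net\nSubject: hi\n\nhello\n"


def stamp_message(raw_message: str) -> str:
    """Sender side: add the nine headers, replacing any stale copy."""
    msg = email.message_from_string(raw_message)
    for name, value in HABEAS_SWE.items():
        del msg[name]
        msg[name] = value
    return msg.as_string()


def habeas_mark_status(raw_message: str) -> str:
    """Receiving side: 'present', 'absent', 'partial' or 'altered'.
    A filter would only give credit for 'present'."""
    msg = email.message_from_string(raw_message)
    seen = {name: msg.get_all(name, []) for name in HABEAS_SWE}
    if not any(seen.values()):
        return "absent"
    if not all(seen.values()):
        return "partial"
    for name, expected in HABEAS_SWE.items():
        values = seen[name]
        # exactly one copy, and the text must match word for word after unfolding
        if len(values) != 1 or " ".join(values[0].split()) != expected:
            return "altered"
    return "present"


def thunderbird_user_prefs(identity: str = "id1") -> list:
    """The user.js lines from the post for a given mail identity (id1, id2, ...)."""
    keys = ",".join("habeas%d" % i for i in range(1, 10))
    lines = ['user_pref("mail.identity.%s.headers","%s");' % (identity, keys)]
    for i, (name, value) in enumerate(HABEAS_SWE.items(), start=1):
        lines.append('user_pref("mail.identity.%s.header.habeas%d", "%s: %s");'
                     % (identity, i, name, value))
    return lines


if __name__ == "__main__":
    stamped = stamp_message(PLAIN_MESSAGE)
    print(stamped)
    print("status:", habeas_mark_status(stamped))
    print("\n".join(thunderbird_user_prefs("id2")))
```

The status check is deliberately strict: a single changed word is reported as altered rather than present, which is the behaviour you want from a filter given that the value of the mark rests on the text being reproduced exactly.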

More VeriSign stupidity

VeriSign sues ICANN over Sitefinder

This is the stupidest thing I’ve seen in a while. When VeriSign put up Sitefinder before, the uproar over all the stuff it broke was huge. VeriSign is interfering with the basic operation of the internet addressing system. ICANN is in charge of maintaining order in that system. ICANN is doing exactly what they’re supposed to.

http://www.verisign.com/corporate/about/contact/index.html is VeriSign’s contact page. Get a hold of them and let them know how you feel. Use the toll-free phone numbers, as it’s harder for them to ignore phone calls than emails. Tell them that you’re unhappy that they’re breaking a great deal of the internet’s functionality so that they can do a bit more advertising on the World Wide Web (which is only a small part of the internet). ICANN is far from perfect, but at least they’re not mucking up huge portions of the internet for a few more bucks.

http://slashdot.org/article.pl?sid=04/02/26/235256 is the /. article with lots of great comments too. This one pretty much sums it up:

The Internet Corporation for Assigned Names and Numbers has no authority to prevent VeriSign from rolling out a search engine for users who mistype Internet addressees, VeriSign said, as well as another feature that allows users to sign up for a waiting list for desirable domain names.

Hey Verisign: We don’t care if you want to make a search engine for misspelled domains, nor do we care if you want to set up a domain name waiting list. In fact the only thing that bothers anyone is that you’re breaking DNS to force us to use them.

If this was really about setting up a search engine and nothing else they could just register vs-sitefinder.com and vs-domain-wait-list.com and be in business. Instead they insist on pissing on their responsibility to maintain a functional DNS system in order to achieve some sort of edge over the competition.

Is there some sort of contest for the most hated corporation going on between Microsoft, SCO, and Verisign?

You get what you pay for…

I recently tried one of those sites where they give you something free, but you have to click through a bunch of ads (full of junk you’re supposed to sign up for). Luckily I have the ability to use aliases with my mail account, so all the junk that I’m getting that I didn’t sign up for is easily identified. I’ve tried unsubscribing from every email I’ve gotten, to no avail. I don’t care if that just confirms the address or signs me up for more junk, because it’s a throwaway alias. It’ll just make it easier to identify the spam. They should really watch who they pick on…

So anyway, they obviously have absolutely no regard for my wishes. I’m not trying to advocate doing anything illegal, but here’s the info if you want to let them know how you feel or something.

Yours to count on,
David Wroblicky
DnAenterprises@paychecksforlife.com
Casselberry, Fl
407-695-0235 (WhitePages.com Reverse Lookup)
407-463-7130
http://dnaenterprises.paychecksforlife.com/index.cfm

http://www.bbbonline.org/profile.asp?ID=103092511583635811 is the link to paychecksforlife.com’s BBB info page. It lists gary@pfladmin.com as the address of Gary Walker, Vice President, in case you need to contact him for anything.

I hope that was useful to someone.