Analysing spam emails. How do people do it?
hybernia
Posts: 390 Forumite
in Techie Stuff
Knowing how to spot the "forensic clues" that distinguish a genuine email from a fake one has always puzzled me. I never open any email that either wasn't expected, or has come from somewhere I don't recognise, but that's about as far as it goes.
Our computers run Vista with Avast antivirus "live shield" email scanning. We have Windows Mail (used to be Outlook Express.) So when a suspicious email comes in we right-click and open Properties in a drop-down menu. Then go through various screens relating to the message. At which stage hubby often goes "ah", sounding like Sherlock Holmes.
I must be a very dumb Doctor Watson, he has explained to me what he's looking for but I still don't get it. So I thought I would pop in here with an email received late last night from Halifax plc and entitled HBOS plc - Account Upgrade Notice for 2011.
The email went directly into the Windows Mail Junk Email box. But even if it hadn't I would have known it was a fake because we don't have a Halifax account. The reference to "Account Upgrade" is a dead giveaway too, can't these scammers think of something new to get you to give them your details? And when I used 'Properties' to look at the 'Message Source' content, it is laughably illiterate:
"Due to concerns, and for the safety and integrity of the Halifax account we have issued this warning message. However, failure to update your records will resume account suspension."
Nigerian gibberish. But a mass of details at the top of the page (the 'Internet Headers') are sadly also gibberish to me. This is what they look like, I have only altered the details of our name and email address and put those changes in italics:
__________________________________________________________
X-Apparently-To: hybernia-at-email-provider via an IP address; Fri, 21 Jan 2011 17:57:35 +0000
Received-SPF: none (mta1029.bt.mail.ukl.yahoo.com: domain of onlineservice@halifax.co.uk does not designate permitted sender hosts)
X-YMailISG: l86yKc4cZApQYg7Pgg_cPiAUPydzjHT28.R1mn7zZURa_HBf
JQUqCIwpHzVsEjEfkGyf.FF_XFxg19SiKSpAFVVxdyZ2wxrYC_.dpC391A.q
.gtMdC9RRQd4KdXQ8.gP2jGbWTTH57R5m6LPijS0Mp9OSTXbrkfHHqxIuvAd
ikfBy2oZuIXLdFqpBdEKdM1AckWB5z379k1aYpm70IgcojIF.YMRILkseubq
KrT4PSKN2_N84UDpDLdQVvj8AmdxOcXsvubWIJUyQyhyUzpoTpK9LT02eojD
Ouj5EKnTu2kextr8XxSDZDMXYTr_6esvumtLAxRUTs_UNqJNVwAbeP2IiYqg
nkcBkb8IuuzxIGYJzKXFKVkAowcoJkV1P5D74ep78xesUQqKvVOtWk4VUY.l
FppohIkmief586kE662zTqwM.RI4FPdAbfGjiYC_Z27HtoGShZfPmH806I8o
Kc2EmgvFTdA9SvZsOi_xFjEgDWhC514YU0O7byx_LRU5AIRQVDBHVhaeh7fw
JCOiyuOHMT7BHV1yd.5.kwbb0o9M_bfhoa.hDc4C7kd._ZZDfrTAPWv6..XI
jV4X4_vujNwldLqmtfw-
X-Originating-IP: [24.154.1.218]
Authentication-Results: mta1029.bt.mail.ukl.yahoo.com from=halifax.co.uk; domainkeys=neutral (no sig); from=halifax.co.uk; dkim=neutral (no sig)
Received: from 24.154.1.218 (EHLO mx-4.zoominternet.net) (24.154.1.218) by mta1029.bt.mail.ukl.yahoo.com with SMTP; Fri, 21 Jan 2011 17:57:35 +0000
Received: from pop-3.zoominternet.net ([24.154.1.46])
by mx-4.zoominternet.net with bizsmtp
id yHxY1f00q0zZQi001HxYAc; Fri, 21 Jan 2011 12:57:32 -0500
X-CM-Cat: ??
X-CNFS-Analysis: v=1.1 cv=U3/s03PiY6zcunZpzzFPD84f/HwQa2IQ3zROBPusZ5k= c=1
sm=1 a=Dyoqhi_TatcA:10 a=8K5wPaVxxW4A:10 a=Cfj4BQAnxiAA:10
a=aqc479ULYc5VdXQzU2f97A==:17 a=485j-6XuAAAA:8 a=2sTOY36_AAAA:8
a=A3NI4ZcrbhTovVwrkPIA:9 a=T6Kb6R0cepv2mrIc2BgA:7
a=vLz5RhyAb_oMHpv5X6L-Za7NWj4A:4 a=Ft8UYL4EG9YA:10
a=0ntVQ2IJgaDB9+cKfyOMFw==:117
X-CM-Score: 0.00
X-Scanned-by: Cloudmark Authority Engine
Received: (qmail 28417 invoked from network); 21 Jan 2011 17:57:07 -0000
Received: from 152.249.103.97.cfl.res.rr.com (HELO User) (jjvorp@[97.103.249.152])
(envelope-sender <Onlineservice@halifax.co.uk>)
by pop-3.zoominternet.net (qmail-ldap-1.03) with SMTP
for <hutchy174@hotmail.com>; 21 Jan 2011 17:57:07 -0000
From: "Halifax Plc"<Onlineservice@halifax.co.uk>
Subject: HBOS plc - Account Upgrade Notice For 2011.
Date: Fri, 21 Jan 2011 18:57:02 +0100
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus: avast! (VPS 110121-0, 21/01/2011), Inbound message
X-Antivirus-Status: Clean
___________________________________________________________
I *know* this message never came from Halifax or HBOS, but where did it originate then? For example, it says the message was received from pop-3.zoominternet.net ([24.154.1.46]) by mx-4.zoominternet.net with bizsmtp.
So has one bit of zoominternet sent something to another bit of zoominternet? (Whatever zoominternet happens to be.)
But then there's even more about the "received" process:
Received: from 152.249.103.97.cfl.res.rr.com (HELO User) (jjvorp@[97.103.249.152])
(envelope-sender <Onlineservice@halifax.co.uk>)
by pop-3.zoominternet.net (qmail-ldap-1.03) with SMTP
for <hutchy174@hotmail.com>; 21 Jan 2011 17:57:07 -0000
So is that the key piece of evidence? Someone or something called jjvorp at that IP address?
And as I'm definitely not called "hutchy" -- I don't use hotmail at all as I've always understood it to be less secure than gmail -- then what does that hotmail address have to do with anything?
Sorry for being so ignorant, and for the length of this post, but this has nagged me for absolute ages!
If any of the really bright people who post on this Board have any time to spare as and when, that would be just so very helpful. As it is at the moment, I feel like I'm playing Cluedo but not only can I not tell a gun from a candlestick, I don't know which is the drawing room and which is the library.
:o:o
Comments
-
Knowing how to spot the "forensic clues" that distinguish a genuine email from a fake one has always puzzled me.
I think your headers are out of order (could be the way you've posted it or the way the client has presented it).
Kicking off, you can't trust the headers (save for the top 'received from' line usually). This has probably been keyed on content, as the DNS mechanisms that could have caught this don't exist.
What *is* important here is Halifax and their appalling lack of SPF records that would have helped to stop this phishing forgery. For a bank it is shameful. To add insult to this they are hosting their name records on main BT servers, so BT should know better:
dig @8.8.8.8 -t TXT halifax.co.uk
; <<>> DiG 9.5.0-P2 <<>> @8.8.8.8 -t TXT halifax.co.uk
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9533
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;halifax.co.uk. IN TXT
;; AUTHORITY SECTION:
halifax.co.uk. 718 IN SOA ns0.bt.net. hostmaster.bt.net. 2002103301 28800 7200 604800 86400
;; Query time: 37 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 22 13:34:03 2011
;; MSG SIZE rcvd: 88
dig @8.8.8.8 -t SPF halifax.co.uk
; <<>> DiG 9.5.0-P2 <<>> @8.8.8.8 -t SPF halifax.co.uk
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49621
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;halifax.co.uk. IN SPF
;; AUTHORITY SECTION:
halifax.co.uk. 22 IN SOA ns0.bt.net. hostmaster.bt.net. 2002103301 28800 7200 604800 86400
;; Query time: 44 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 22 13:34:09 2011
;; MSG SIZE rcvd: 88
As for the 'who', well like you point out the originating IP appears to be a mail server for zoominternet.net in the USA. This appears on a couple of minor blacklists (but appears on a number of whitelists too). Another header claims to have connected into this from a client machine belonging to a Warner cable broadband customer in California. This may be forged, but it looks entirely possible. Is this likely to be some guy sat on his PC, a hijacked BOT running on said PC or a compromised mail account with zoominternet and the client is just acting as a proxy? It's anyone's guess.
The key to how this ended in your junk folder will not be thanks to the mechanisms that exist to catch this stuff before it gets anywhere near your PC. Thanks to Halifax and BT's inability to set up proper DNS records that would help stop this, your content scanner has been given the job and managed to, thankfully, catch it. Even where an enterprise solution (Cloudmark) missed it. Some may call that irresponsible, some may call it negligent. Pat whatever it is that filtered that on your local system on the back, because the enterprise stuff upstream let you down!
That said, with anti-spam you have to err on the side of caution. Customers will always chastise for false positives, and complain bitterly of any false negatives. You can't win. If an anti-spam system could contain a human reading each mail it would be easy and 100% reliable, but it's just a computer program taking 'most likely' guesses at it based on what it knows.
I'd personally not waste that much time thinking about it. I spent a couple of years examining these things for a living and it's all pretty dull, but the fact that Cloudmark missed it has made my day :-)
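Added example, not part of any forum post: a Python sketch that walks the Received chain from the headers posted above and separates the hop written by the recipient's own provider from the hops that are only claimed by upstream servers. The names `received_hops` and `analyse`, and the choice of `yahoo.com` as the recipient's provider suffix (taken from the receiving host `mta1029.bt.mail.ukl.yahoo.com`), are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers from the original post (BBCode stripped, opaque X- headers left out).
RAW = """\
Received-SPF: none (mta1029.bt.mail.ukl.yahoo.com: domain of onlineservice@halifax.co.uk does not designate permitted sender hosts)
Authentication-Results: mta1029.bt.mail.ukl.yahoo.com from=halifax.co.uk; domainkeys=neutral (no sig); from=halifax.co.uk; dkim=neutral (no sig)
Received: from 24.154.1.218 (EHLO mx-4.zoominternet.net) (24.154.1.218) by mta1029.bt.mail.ukl.yahoo.com with SMTP; Fri, 21 Jan 2011 17:57:35 +0000
Received: from pop-3.zoominternet.net ([24.154.1.46])
 by mx-4.zoominternet.net with bizsmtp
 id yHxY1f00q0zZQi001HxYAc; Fri, 21 Jan 2011 12:57:32 -0500
Received: (qmail 28417 invoked from network); 21 Jan 2011 17:57:07 -0000
Received: from 152.249.103.97.cfl.res.rr.com (HELO User) (jjvorp@[97.103.249.152])
 (envelope-sender <Onlineservice@halifax.co.uk>)
 by pop-3.zoominternet.net (qmail-ldap-1.03) with SMTP
 for <hutchy174@hotmail.com>; 21 Jan 2011 17:57:07 -0000
From: "Halifax Plc"<Onlineservice@halifax.co.uk>
Subject: HBOS plc - Account Upgrade Notice For 2011.

"""

# Dotted quad that is not part of a longer name such as 152.249.103.97.cfl...
IPV4 = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def received_hops(msg):
    """Parse every Received header, newest (top) to oldest (bottom)."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())  # unfold continuation lines
        frm = re.match(r"from (\S+)", line)
        helo = re.search(r"\((?:EHLO|HELO) (\S+)\)", line)
        by = re.search(r"\bby (\S+)", line)
        rcpt = re.search(r"\bfor <([^>]+)>", line)
        hops.append({
            "from": frm.group(1) if frm else None,
            "helo": helo.group(1) if helo else None,
            "by": by.group(1) if by else None,
            "for": rcpt.group(1) if rcpt else None,
            "ips": IPV4.findall(line),
        })
    return hops


def analyse(msg, my_provider):
    """Split the chain into what my provider recorded and what is only claimed."""
    hops = [h for h in received_hops(msg) if h["by"]]  # skip local qmail note
    trusted = [h for h in hops if h["by"].endswith(my_provider)]
    claimed = [h for h in hops if not h["by"].endswith(my_provider)]
    if not trusted:
        raise ValueError("no Received line written by " + my_provider)
    dkim = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results", ""))
    return {
        # Peer address as recorded by my own provider's server.
        "handoff_ip": trusted[-1]["ips"][-1],
        # Everything below was written by other servers and may be forged.
        "claimed_first_client": claimed[-1]["ips"][-1] if claimed else None,
        "claimed_envelope_rcpt": claimed[-1]["for"] if claimed else None,
        # Does each hop's "by" host match the sender named by the hop above?
        "chain_consistent": all(lo["by"] in (up["helo"], up["from"])
                                for up, lo in zip(hops, hops[1:])),
        "spf": (msg.get("Received-SPF") or "unknown").split()[0],
        "dkim": dkim.group(1) if dkim else "unknown",
        "from_domain": parseaddr(msg["From"])[1].rpartition("@")[2].lower(),
    }


if __name__ == "__main__":
    for key, value in analyse(message_from_string(RAW), "yahoo.com").items():
        print(f"{key:22} {value}")
```

A consistent chain only means the lower headers agree with each other, not that they are genuine; the `handoff_ip` line is the one recorded by the recipient's provider.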
To be honest, you don't need to be a forensic computer scientist or delve through email headers to detect the vast majority of spam/phishing emails. One look at the subject line alone for that email ("HBOS plc - Account Upgrade Notice For 2011") would have been enough for me to delete it without opening it - it's obvious that it's a phishing scam.
In any case, never click on a link in an email claiming to be from your bank, even if you think it is genuine. Always access your bank's website by typing in the URL yourself or clicking on a saved bookmark.
poppy10
Omigod, Mr Oink! What a wonderful response! (And if only I was bright enough to follow all of it. . . )
Just to recap on your post then:
.... What *is* important here is Halifax and their appalling lack of SPF records that would have helped to stop this phishing forgery. For a bank it is shameful. To add insult to this they are hosting their name records on main BT servers, so BT should know better:
Is that something I could email Halifax / HBOS about? Tell them that I've only got this 'phishing' email (presumably, along with many others throughout the country today) because it is just too lax with its security?
As for the 'who', well like you point out the originating IP appears to be a mail server for zoominternet.net in the USA. This appears on a couple of minor blacklists (but appears on a number of whitelists too). Another header claims to have connected into this from a client machine belonging to a Warner cable broadband customer in California. This may be forged, but it looks entirely possible. Is this likely to be some guy sat on his PC, a hijacked BOT running on said PC or a compromised mail account with zoominternet and the client is just acting as a proxy? It's anyone's guess.
I know I must be really sad and should get out more, but your theorising is fascinating. To be able to extract so much information from my 'Internet headers' is just amazing!
The key to how this ended in your junk folder will not be thanks to the mechanisms that exist to catch this stuff before it gets anywhere near your PC. Thanks to Halifax and BT's inability to set up proper DNS records that would help stop this, your content scanner has been given the job and managed to, thankfully, catch it. Even where an enterprise solution (Cloudmark) missed it. Some may call that irresponsible, some may call it negligent. Pat whatever it is that filtered that on your local system on the back, because the enterprise stuff upstream let you down!
Well we just have Avast antivirus (free edition) installed, and have done for a long time. We aren't that computer savvy but we did try various free AVs (like Avira and AVG) but went back to Avast because it has never let us down. And its "Real Time Scanning" has always seemed (to us) to be pretty clever, the other AVs we had in the past didn't seem to be as proactive. (And then of course there were all those terrible adverts / nag screens from Avira.)
I'd personally not waste that much time thinking about it. I spent a couple of years examining these things for a living and it's all pretty dull, but the fact that Cloudmark missed it has made my day :-)
I've never heard of 'Cloudmark' but I'm glad that what it's done / hasn't done has been of interest!
Many thanks, Mr Oink. :T
PS: I'm still bewildered though at that email address in the 'Internet Headers', the one about a Mr Hutchy at hotmail. It isn't me and it doesn't appear to be the scammer's so what it's doing there, I don't know. . .
To be honest, you don't need to be a forensic computer scientist or delve through email headers to detect the vast majority of spam/phishing emails. One look at the subject line alone for that email ("HBOS plc - Account Upgrade Notice For 2011") would have been enough for me to delete it without opening it - it's obvious that it's a phishing scam.
In any case, never click on a link in an email claiming to be from your bank, even if you think it is genuine. Always access your bank's website by typing in the URL yourself or clicking on a saved bookmark.
Hi Poppy, thanks for your reply. It's my fault, I wasn't trying to say in my first post that I was worried or anything, more that I was intrigued, really. I check and empty my junk email folder regularly, and as you say, I never open anything (especially an attachment!) that seems dodgy. And I *never* follow an email link (I used to buy and sell a lot on eBay, and it was amazing, the number of phony eBay and PayPal emails I received, all wanting me to click on a link and "update" my account. They really must think people are stupid.)
I knew immediately that this Halifax / HBOS email was a phony just like other scam emails I have had and deleted in the past. But this time I thought I'd really like to know more about it, just out of personal interest (oh, no, that doesn't mean I'm going to be a phishing scammer myself.)
From time to time we hear of how scammers have "improved" or "refined" their tactics and how "new threats" are following on from old ones. So I thought well, I might be better prepared for whatever next the scammers might do, if I had a better understanding of how they operate now.
-
Ps if that is you on the line which says
for <hu
......I would delete it
4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
-
No, that's not her:
debitcardmayhem wrote: »
Ps if that is you on the line which says
for <hu
......I would delete it
for <hutchy174@hotmail.com>; 21 Jan 2011 17:57:07 -0000
I'm definitely not called "hutchy" -- I don't use hotmail at all
poppy10
-
Thanks Poppy, missed that old eyes you know.
4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
-
I use Mailwasher Pro and if an Email looks suspicious I just bounce it back to the sender. :p
B&SC No. 298
Life`s Tragedy is that we get OLD too soon
and WISE too late!
-
I use Mailwasher Pro and if an Email looks suspicious I just bounce it back to the sender.
errrr, and when that sender is faked (which is 99.999999% of the time) you are backscattering - making you *worse* than the original spammer. Really - *don't* do that, it is so anti-social it is beyond belief.
-
We had Mailwasher but uninstalled it. Although it was optional to "beat the spammers at their own game" (or words to that effect) it struck us as daft that any software developer who knew anything about the Internet would be advising recipients of spam to establish a two-way relationship with the spammer by confirming receipt of such mail.
I've never heard of 'back scattering' before (Mr Oink is a real fountain of knowledge on here:)) but even if more than 99% of the effort in bouncing back spam is wasted and simply clutters up traffic, there's still a dangerous chance that it's returned to source.
I don't know if Mailwasher has sorted itself out now. But it did seem to us that what it was proposing was similar to telling people who receive unwanted mail from some place they've never heard of to use the "Unsubscribe" link. Well, we all know what happens to people who blithely "unsubscribe", they confirm that their email address is live so it's sold on to scammer list brokers and next thing, the "unsubscribed" gets flooded with more spam in a day than they've had in a month.
PS: thanks for the concern, debitcardmayhem. It was a nice thought and good of you to mention it, especially as I could easily have made a silly mistake with all that technical stuff!
-
You hit a real important point on the head there Hybernia. That is the concept of 'pulse'. Forgetting that nearly all 'froms' will be forged for a moment, and assuming the address was real - responding confirms you have a 'pulse' and that your email address is alive. It's a bad plan quite aside from the backscattering issue.
Some scanners (and these are usually enterprise or SOHO stand alone units) follow links in emails. This too is a bad plan because of the old 'pulse' concept. Some of the smarter ones just look up the authoritative name servers for any domains used in links - and check them against a blacklist. That seems to be a fair balance and won't trigger any 'opened' type beacons.
This discussion has been closed.
