The language of Internet danger
by Jen Sharp, JenSharp.com
THE KANSAS LIFELINE March 2007

The Internet spawns new meaning for words that used to be part of a different vernacular. But as our culture changes, so does the technology that gives rise to new definitions – and not always for the better.

Where did using the term "spam" to mean unsolicited e-mail originate?
The prevailing theory is that it is from the song in Monty Python's famous spam-loving vikings sketch that goes, roughly, "Spam spam spam spam, spam spam spam spam, spam spam spam spam..." The vikings, who were sitting in a restaurant whose menu only included dishes made with spam, would sing this refrain over and over, rising in volume until it was impossible for the other characters in the sketch to converse (which was, of course, a large part of the joke.)
– from www.cybernothing.org

Spam and Filters

Today spam is not primarily the harmless yet repugnant brick of chopped meat product. It is now the scourge of the e-mail inbox. By December 2006 spam accounted for 90% of all e-mails. And there's more bad news on the horizon – it is predicted to get worse. Specialists at the California-based global IT security firm, Secure Computing, predict that the volume will increase to 97% by December 2007!

Like the oil filter on a car, spam filters work similarly, but they are not a stand-alone solution. There is simply too much spam! Filtering means the end user, the Internet Service Provider (ISP), and the computer system all have to work together and work harder. Yet, spam still gets through as spammers incessantly find new ways around filters. For example, spammers are now using image files for messages that include random text to confuse filters. The unnecessary costs in time, money, and resources are passed on to users in the form of higher access fees. Using filters is only a temporary solution, and only worthwhile when they are coupled with some of the other weapons for combating spam.

Spoofing

A "spoof" used to refer to a satire or parody. The Internet version of a spoof is not as innocuous. One of the dangerous things about spammers is an ability to "steal an identity." They can do this even if no personal information is given out. Let's say a user has an e-mail address on a Web site, on a contact page for a water system, recreational activity or club. Spammer robots are created that automatically detect an e-mail address format from Web pages much like search engines "crawl" sites to index them. Then, the fraudster spoofs your e-mail address and uses it as the "Return-Path" for their spam e-mails. Any return path can be used by simply changing a user's e-mail account settings. It doesn't even have to be a valid e-mail address. It can appear that any innocent Internet user is sending out spam, even if it did not originate from their computer!

A somewhat effective solution for this is a Javascript snippet that is placed directly into the html document exactly where the e-mail address will be displayed (see at left.) Another solution is to use an e-mail address separate from one's personal address for public use. Yahoo and Hotmail are two providers of free e-mail services.

Headers

Not the All-American double header baseball game, e-mail headers are a sort of "envelope" that traces the path of an e-mail from its sender to its recipient. The sidebar at right shows an example of an e-mail header. The number following the Originating IP is usually the sender's IP address (the yellow highlighted line).

An IP address is a specially assigned number, like a serial number, assigned to the user's exact computer. Although the user can assign their own IP address to their hard drive, many Internet service providers dynamically assign a number to the user as they log onto their service. The IP addresses following Received: from tell the story from top to bottom, the path that e-mail took to reach the user's computer. Online databases can be used to look up information about suspect IP addresses.

Internet numbers are assigned by region. Anyone can look up a specific IP address using any one of these Regional Internet Registries (RIR) and find information about where that IP originated (see chart on the next page.) It may not be known immediately what region the IP address is in, but these IP databases will redirect to the appropriate region. Most of the time, one will find the IP address as part of a range of numbers assigned to a company. However, by looking at the range of IP addresses, an investigator can narrow down what company a particular spammer uses as their ISP. E-mail addresses can be found along with physical addresses, and phone numbers to contact these companies.

Since in most cases, individuals will have a different IP number each time they log on, a sleuth will need to report the IP number and time of the abuse to the network administrators, who should be able to use log files to contact the individual involved. ISPs will not give out detailed information about the exact user. If that company receives multiple and frequent abuse complaints about a particular IP address, they can take action on that spammer, such as a refusal to continue providing service.

Obviously, looking up an IP address for every spam e-mail would be time consuming and nearly impossible. However, if there is a particular repetitive problem, complaining to the ISP of a spammer can get results. There are also services and shareware available that do this automatically, such as SpamCop, Spam!Alert, and Spam Control. Other resources can be found at http://spam.abuse.net/userhelp/#report.

E-mail header – complete from sender to recipient

    From KRWA Wed Jan 10 06:24:34 2007
    X-Apparently-To: [email protected] via 192.168.12.711; Wed, 10 Jan 2007 06:27:16 -0800
    X-Originating-IP: [192.168.12.711]
    Return-Path:
    Authentication-Results: mta129.sbc.mail.mud.yahoo.com
        from=krwa.net; domainkeys=neutral (no sig)
    Received: from 192.168.18.408 (EHLO flpi136.sbcis.sbc.com) (192.168.189.408)
        by mta129.sbc.mail.mud.yahoo.com with SMTP; Wed, 10 Jan 2007 06:27:16 -0800
    X-Originating-IP: [192.168.12.711]
    Received: from vision.worldhosted.com (vision.worldhosted.com [192.168.12.711])
        by flpi136.sbcis.sbc.com (8.13.8 inb/8.13.8) with ESMTP id l0AER40W007437
        for ; Wed, 10 Jan 2007 06:27:05 -0800
    Received: from SMTP32-FWD by jensharp.com
        (SMTP32) id A037032D0; Wed, 10 Jan 2007 09:22:59 -0500
    Received: from server.haugcomm.com [12.40.38.9] by vision.worldhosted.com with ESMTP
        (SMTPD32-8.05) id A65E2DE4007C; Wed, 10 Jan 2007 09:21:18 -0500
    Received: from 12.40.38.196.haugcomm.com ([12.40.38.196] helo=[192.168.0.5])
        by server.haugcomm.com with esmtpa (Exim 4.60)
        (envelope-from )
        id 1H4eNR-0006cx-Tg
        for [email protected]; Wed, 10 Jan 2007 08:25:12 -0600
    Message-ID: <[email protected]>
    Date: Wed, 10 Jan 2007 08:24:34 -0600
    From: KRWA
    User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
    X-Accept-Language: en-us, en
    MIME-Version: 1.0
    To: Jen Sharp
    Subject: Re: Web Update
    References: <[email protected]>
    In-Reply-To: <[email protected]>
    Content-Type: multipart/alternative;
        boundary="------070708090509090601050300"
    Content-Length: 422056

How do I view a header in my e-mail program?

With Outlook Express – Select a message, under main menu: File, Properties, Details tab
With MS Office – Select a message, under main menu: View, Options: Internet Headers at bottom of window
With Yahoo – click on Full Headers at the top right of the message
With Hotmail – on top menu bar at right: Options, Mail Display Settings, under Message Headers select Full or Advanced
With Thunderbird – under the main menu: View, Headers, All
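Each relay adds its Received line above the earlier ones, so the hop nearest the sender is the last Received line in the header. The following is an added example, not part of the original article: it parses the Received lines of the sidebar's sample header (abridged) and returns the first publicly routable address with its UTC timestamp, the two details the article says to report to the network administrators. The names hops and report_candidate are illustrative.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received lines abridged from the article's sample header (not constructed).
SAMPLE = """\
Received: from vision.worldhosted.com (vision.worldhosted.com [192.168.12.711])
 by flpi136.sbcis.sbc.com (8.13.8 inb/8.13.8) with ESMTP id l0AER40W007437;
 Wed, 10 Jan 2007 06:27:05 -0800
Received: from server.haugcomm.com [12.40.38.9] by vision.worldhosted.com
 with ESMTP (SMTPD32-8.05) id A65E2DE4007C; Wed, 10 Jan 2007 09:21:18 -0500
Received: from 12.40.38.196.haugcomm.com ([12.40.38.196] helo=[192.168.0.5])
 by server.haugcomm.com with esmtpa (Exim 4.60) id 1H4eNR-0006cx-Tg;
 Wed, 10 Jan 2007 08:25:12 -0600
Subject: Re: Web Update

(body omitted)
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops(raw):
    """Relay hops in travel order: the sender's side first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())  # undo header folding
        ips = []
        for candidate in BRACKETED_IP.findall(text):
            try:
                ips.append(ipaddress.ip_address(candidate))
            except ValueError:  # not a real address, e.g. a masked ".711"
                pass
        try:
            when = parsedate_to_datetime(text.rpartition(";")[2].strip())
            when = when.astimezone(timezone.utc)
        except (TypeError, ValueError):  # missing or unparsable date
            when = None
        out.append({"ips": ips, "when": when})
    return out[::-1]  # every relay adds its line on top, so reverse

def report_candidate(raw):
    """First globally routable address on the path and its UTC timestamp."""
    for hop in hops(raw):
        for ip in hop["ips"]:
            if ip.is_global:
                return ip, hop["when"]
    return None
```

Received lines written by servers outside your own provider can be forged by the sender, so treat the result as a lead for an abuse report rather than proof of origin.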


World Regional Internet Registries

APNIC – Asia Pacific Network Information Centre
    www.apnic.net/apnic-bin/whois.pl
    Asia/Pacific Region

RIPE NCC – Réseaux IP Européens Network Coordination Centre
    www.ripe.net/perl/whois
    Europe, the Middle East, Central Asia, and African countries located north of the equator

ARIN – American Registry for Internet Numbers
    www.arin.net/whois
    Canada, the United States, and several islands in the Caribbean Sea and North Atlantic Ocean

AfriNIC – African Regional Network Information Centre
    www.apnic.net/apnic-bin/whois.pl
    Africa Region

LACNIC – Latin American and Caribbean Internet Addresses Registry
    http://lacnic.net/cgi-bin/lacnic/whois
    Latin America and some Caribbean Islands

ICANN – Internet Corporation for Assigned Names and Numbers
    www.icann.org & www.internic.net
    Global non-profit organization that oversees distribution of IP addresses to RIRs

In general, these databases contain details of the networks that are using address space, not the individual users. There are two major types of whois databases. One type contains records on domain names and the other contains records on IP addresses (the numerical sequences that serve as identifiers for Internet servers). These are IP address databases.

Blog Posters

"Poster" used to mean a large colorful picture or advertisement – now it's someone who posts on a blog. More and more Internet users are posting to guest books, forums, newsgroups, and the increasingly popular chronological "diary" called a blog. This means more opportunities for spammers to flood resources and lock up a site, or simply to post annoying or advertising content.

If a Web site is maintained with a contact form, forum, guestbook, newsgroup, or blog, be sure to include as part of the information gathered from posters their IP address, or remote name as it is sometimes called. This will allow the ability to look up their origination information, or even block their IP address from your site.

Phishing

No, it's not something to do at the lake on a lazy Sunday afternoon—Internet criminals set up fraudulent Web sites or solicitations by e-mail that invite users to give them personal data. They set the bait and hook and wait as they phish for unsuspecting users to believe their scam. Phishers need user cooperation for this to work: their schemes to get your sensitive private information include lottery winners, free Web space, soliciting donations for a cause, make money fast claims, and chain letters. This is the "Information Age" where data is gold. Protecting personal information is as imperative as keeping valuables in a safe.

Users are becoming educated and more cautious about fraudulent e-mails claiming to be a well-known company asking for sensitive information. So, fraudsters take it up a notch: a new extension to phishing is vishing, where criminals use the Internet to call users on the phone, leaving them an automated message that warns them some "account" is in jeopardy. They are told a call is needed to update account information, which of course includes a credit card number.

Herders and Zombies

Many think that "Night of the Living Dead" defined zombies? And many have thought the worst thing a virus could do was to cause a cough and fever? In the past, a hacker's goal was to write a virus that would be the most destructive. Today, viruses are being written specifically to create a robot network or botnet. The botnet's goal is to elude detection by anti-virus software, to "lay low" and quietly take over the user's computer.

The botnet collection of compromised machines runs programs (worms, Trojan horses, and viruses) under a common command that controls the network. The bot herder, or originator, controls the group, much like herding cows, only it is done remotely without the user's knowledge or permission. Any user could be an involuntary spammer, a Zombie, and not know it! It is estimated that more than 450,000 unique zombies appear every day!

Who to complain to:

America Online: [email protected]
Compuserve: [email protected]
Prodigy: [email protected]
AT&T WorldNet: [email protected]
Earthlink: [email protected] [email protected]
Netcom: [email protected]
For others: postmaster@ (according to internet standard RFC822 (STD 11), all sites are supposed to have such a mailbox)

Sample complaint letter:

Hello. The spammer below is either using your resources to send out bulk unsolicited commercial e-mail (spam) or is deceptively trying to make it look like he/she is. In either case, a legitimate company like yours probably would not approve. The information below should be all you need.

--begin full headers--

(from abuse.net)

What to do and what not to do.

Do's

• Subscribe to a blocking list or ask your ISP to do so.
• Install spam-reporting software or use an automatic spam reporting service.
• Report spam abuse to sites like abuse.net that are dedicated to fighting spam.
• Complain to ISPs that originate and forward the spam.
• Things change all the time. Keep up-to-date, educated and watch for suspicious activity.
• Consider using a separate e-mail address for some public activities such as chat rooms or contact list on your Web site, in order to protect your main address from spammers.
• If possible, consider setting up a filter to block all e-mail unless its address is on the approved list.
• Write legislators and let them know this is an important issue to you. Suggest they promote an "opt-in" approach vs. the current "opt-out" view.

Don'ts

• Give your e-mail address or other personal information when filling in forms online unless you are confident in the reputation of the company and confident it's not an imitation Web site.
• Give any private sensitive data such as credit card numbers or social security numbers unless you are confident you are dealing with a reputable company and not an imitator.
• Never reply to spam, even if it is to send a "remove" request. Most spammers ignore such responses, or worse, add you to their list of validated e-mail addresses that they sell.
• "Spam the spammer" – this doesn't help, wastes time, and can validate the user's e-mail address to the spammer.
• Just rely on your filter, or use a manual filter. This means even more time is wasted. Filters don't work that well, and spammers continue to find ways around them. You also must act in other ways.

Additional online resources

Check these Web sites for additional help:

• http://spam.abuse.net/
• http://spam.abuse.net/userhelp/howtocomplain.shtml : How to complain!
• www.cauce.org : Coalition Against Unsolicited Commercial E-mail
• www..net : List of Resources
• www.windweaver.com/nospam2.htm : How to Report Spam
• www.abuse.net : Network Abuse Clearinghouse
• www.mynetwatchman.com : Monitoring and reporting worm/hacking activity
• www.cybernothing.org/faqs/net-abuse-faq.html : Spam FAQs
• www.elsop.com/wrc/nospam.htm : List of Links
• www.ecofuture.org/jme-mail.html : List of Links
