Investigating E-Mail Attacks MODULE 10

Contents

10.1 Learning Objectives
10.2 Electronic Mail (E-mail)
10.2.1 E-mail Message Components
Figure 1: E-mail Message Components
10.2.1.1 Header
10.2.1.2 Message Body
10.2.2 Components of an E-mail System
10.2.2.1 User Agent (UA)
10.2.2.2 Message Transfer Agent (MTA)
10.2.2.3 Message Access Agent (MAA)
10.2.2.4 Spool
10.2.2.5 Mailbox
10.3 Architecture of E-mail
10.4 Protocols used in E-mail Systems
10.4.1 SMTP
Figure 3: Positions of SMTP, POP3 and IMAP protocols
10.4.2 POP3
10.4.3 IMAP
10.5 Differences between POP3 and IMAP
10.6 Working of E-mail
10.7 Types of E-mail
10.7.1 Advantages of E-mail
10.7.2 Disadvantages of E-mail
10.8 E-mail Attack
10.8.1 Spam
10.8.2 Phishing Attacks
10.8.3 Spear Phishing
10.8.4 Whaling Email Attack
10.8.5 Virus
10.8.6 Pharming
10.8.7 Ransomware
10.8.8 Spyware
10.8.9 Business Email Compromise (BEC) Attacks
10.8.10 Account Take Over (ATO) Attack
10.9 E-mail Security
10.9.1 Organization Email Security Best Practices
10.9.2 Individual User Email Security Best Practices
10.10 Email Attacks and Crimes
10.10.1 Flaming
10.10.2
10.10.3 Email Bombing
10.10.4 Email Hacking
10.10.5 Spams
10.10.6 Phishing
10.10.7 Email Fraud
10.10.8 Phishing
10.11 Privacy in Emails
10.11.1 Email Privacy
10.11.2 Email Tracking
10.12 Email Forensics
10.12.1 Forensically Important Email Parts
10.12.2 Email Forensics Investigation
10.12.3 Analyzing an Email
10.12.4 Instant Messages
10.13 Email Forensic Tools
10.13.1 eMailTrackerPro
10.13.2 Online EMailTracer
10.14 Summary
10.15 Check Your Progress
10.16 Model Questions
10.17 Further Readings
References, Article Source & Contributors

Investigating E-Mail Attacks

10.1 LEARNING OBJECTIVES

After completing this unit the learner shall be able to:

• Explain e-mail and e-mail services.
• Correlate the structure of an e-mail message with the forensic information that can be extracted from it.
• Categorize e-mail attacks and crimes.
• Use a few e-mail forensic tools.

10.2 ELECTRONIC MAIL (E-MAIL)

E-mail (electronic mail) is the transmission of messages over the Internet. It is one of the most widely used communication technologies on computer networks, and a message may carry text, images, audio, video and other attachments. E-mail systems are based on a store-and-forward model, and a single message can be addressed to one or many recipients. Neither the users nor their computers need to be online at the same time; each side connects, typically to an e-mail server or a webmail interface, when it wants to send, receive or download messages. E-mail servers accept, transfer, deliver and store messages. Free e-mail providers include AOL, Gmail, Microsoft Outlook, ProtonMail, Rediffmail, Yahoo Mail and Zoho.

10.2.1 E-mail Message Components

An e-mail message carries delivery information along with its content. Its format follows standards published by the Internet Engineering Task Force (IETF) [https://www.ietf.org/] (the message format itself is defined in RFC 5322), so that a message can be processed by many different systems. A message consists of two main sections, the header and the body, as shown in Figure 1.

Figure 1: E-mail Message Components

10.2.1.1 Header

The e-mail header consists of multiple lines, each of which starts with a field name followed by a colon and the field's value. A typical header contains From, To, Subject and Date. The From field carries the e-mail address of the sender. An e-mail address is made up of a local part (often called the username) followed by an @ sign and a domain name; for instance, in Bob@gmail.com the local part is 'Bob' and the domain is 'gmail.com'. The To field carries the address of the recipient. The Date field shows the date and time at which the message was sent, as recorded by the sender's software. The Subject field states the topic of the message. Most messages also carry additional header lines such as Cc and Bcc. Cc stands for carbon copy: every address listed in the Cc header receives a copy of the message, and all recipients see both the To and Cc lines. Bcc stands for blind carbon copy: the addresses listed in Bcc also receive a copy, but the Bcc line itself is removed before the message is sent, so the other recipients cannot see who was blind-copied. Note that From, To, Date and Subject are written by the sender's software and can be forged at will; this is why the forensic analysis later in this module also relies on the headers added by the mail servers along the path.
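The header fields above can be pulled out with Python's standard email library. The following is an added example (not code from the original module) that parses a constructed sample message, splits the From address into local part and domain, and shows how a submitting server strips the Bcc line after building the recipient list; the sample addresses and date are made up.

```python
"""Parse the header fields discussed above and show how Bcc is handled."""
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample message (not taken from the original module).
SAMPLE = """\
From: Bob <bob@gmail.com>
To: Alice <alice@example.net>
Cc: carol@example.org
Bcc: dave@example.org
Date: Mon, 01 Jan 2024 10:30:00 +0000
Subject: Quarterly report
Content-Type: text/plain; charset="utf-8"

Please find the report attached.
"""

def all_recipients(msg):
    """Addresses from To, Cc and Bcc; the envelope (RCPT TO) list is built from these."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(fields)]

def parse_header(raw):
    """Return the fields a reader of this section would look at first."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg["From"])
    local_part, _, domain = addr.rpartition("@")
    return {
        "from_name": display_name,
        "from_addr": addr,
        "local_part": local_part,                      # 'bob'
        "domain": domain,                              # 'gmail.com'
        "subject": msg["Subject"],
        "date": parsedate_to_datetime(msg["Date"]),    # timezone-aware datetime
        "recipients": all_recipients(msg),
    }

def strip_bcc(raw):
    """What the submitting server does: build the envelope recipient list first,
    then drop the Bcc line so the other recipients never see it."""
    msg = message_from_string(raw)
    envelope = all_recipients(msg)
    del msg["Bcc"]
    return envelope, msg.as_string()

if __name__ == "__main__":
    print(parse_header(SAMPLE))
    envelope, on_the_wire = strip_bcc(SAMPLE)
    print("envelope recipients:", envelope)
    print(on_the_wire)
```

Because the Bcc addresses survive only in the envelope, an investigator who has just the delivered message cannot see who was blind-copied; the sending server's logs are needed for that.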

10.2.1.2 Message Body

The body of the message contains the information the recipient is meant to read. It may be plain text in any of several character sets, Hypertext Markup Language (HTML), attached files in various formats, multimedia content, and so on.

10.2.2 Components of an E-mail System

The basic components of an e-mail system are the User Agent (UA), the Message Transfer Agent (MTA), the Message Access Agent (MAA), the spool and the mailbox. Each is explained below.

10.2.2.1 User Agent (UA)

The User Agent (UA) is the program through which a user sends and receives e-mail. A typical UA lets the user compose and send messages, read incoming messages, and reply to or forward them. In addition, a UA manages the user's mailboxes. Desktop mail clients and webmail front ends are both examples of UAs.

10.2.2.2 Message Transfer Agent (MTA)

The Message Transfer Agent (MTA) is a server program responsible for transferring e-mail messages from one system to another. The MTA resolves the recipient's e-mail address and delivers the message to the recipient's mailbox. To send an e-mail a system needs an MTA client, and to receive an e-mail a system needs an MTA server. If the sender and recipient are served by the same mail server, the MTA delivers the message directly to the recipient's mailbox; otherwise the MTA of the sender's mail server transmits the message to the MTA of the recipient's mail server, which then delivers it to the recipient's mailbox. Transfer between MTAs is done with the Simple Mail Transfer Protocol (SMTP).

10.2.2.3 Message Access Agent (MAA)

The Message Access Agent (MAA) is a server program that pulls messages from the message store (the mailbox) and delivers them to the recipient's user agent. The two well-known MAA protocols, Post Office Protocol version 3 (POP3) and Internet Message Access Protocol (IMAP), are used to retrieve mail from the message store.

10.2.2.4 Spool

A spool is a temporary storage location organized as a queue. It holds e-mail messages until they are delivered. The MTA client of the sender's mail server retrieves messages from the spool in first-in, first-out (FIFO) order and sends them to the MTA server of the recipient's mail server.

10.2.2.5 Mailbox

A mailbox is the storage location for e-mail messages on a remote server. To use the e-mail system each user must have a mailbox, identified by an e-mail address. Only authenticated users may access a mailbox. Messages can be downloaded from the mailbox to the user's local disk. The mailbox keeps every message until the user deletes it. Received messages are kept in the inbox; messages queued for sending wait in the outbox, and copies of messages already sent are kept in the Sent folder.

10.3 ARCHITECTURE OF E-MAIL

To explain the architecture of e-mail, a typical scenario is shown in Figure 2.

Figure 2: A typical scenario which transmits an e-mail message

Figure 2 also depicts the components of the e-mail system that come into play when Alice sends a message to Bob.

Step 1: Alice uses her UA to prepare the message.

Step 2: Alice's computer is connected to her mail server through a LAN or WAN, so an MTA client on her side and an MTA server on the mail server (running all the time) are needed to send the message. Alice's UA invokes the MTA client, which establishes a connection with the MTA server.

Step 3: Alice's mail server keeps the messages submitted to it in the spool, a temporary storage location organized as a queue.

Step 4: The MTA client of Alice's mail server retrieves messages from the spool in first-in, first-out (FIFO) order and sends them over the Internet to the mail server at Bob's site.

Step 5: The MTA server on Bob's mail server receives the message and stores it in Bob's mailbox.

Step 6: Bob is likewise connected to his mail server through a LAN or WAN. Bob's UA invokes the MAA client, which sends a request to the MAA server (running all the time on Bob's mail server) to retrieve messages from the mailbox.

Step 7: Bob's UA displays the message.

10.4 PROTOCOLS USED IN EMAIL SYSTEMS

In general an e-mail system uses three protocols for message communication: Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3) and Internet Message Access Protocol (IMAP). SMTP is a push protocol: it pushes a message from the MTA client to the MTA server. POP3 and IMAP are pull protocols: the MAA client uses them to pull messages from the MAA server. Figure 3 shows where SMTP, POP3 and IMAP sit in a typical scenario in which an e-mail message travels from sender to receiver. The three protocols are described briefly below.

10.4.1 SMTP

SMTP stands for Simple Mail Transfer Protocol. It is a client-server protocol; server-to-server transfer uses TCP port 25, while clients submitting mail to their own server normally use port 587 (message submission, upgraded with STARTTLS) or port 465 (implicit TLS). SMTP transfers a message from an MTA client to an MTA server: to send a message a system must have an MTA client, and to receive one it must have an MTA server. Sending a message therefore uses SMTP twice: first between the sender's system and the sender's mail server, then between the two mail servers. A transfer has three phases: connection establishment, mail transfer and connection termination. SMTP works with commands and responses: commands (such as EHLO, MAIL FROM, RCPT TO, DATA and QUIT) are sent from the MTA client to the MTA server, and numeric responses (such as 250 for success or 550 for a rejected recipient) are returned from the server to the client. The MAIL FROM and RCPT TO addresses form the message envelope, which is separate from the From and To header fields inside the message; the two need not agree, which is one reason header fields alone cannot be trusted.
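The three phases and the command/response exchange can be seen in a scripted dialogue. The block below is an added example, not code from the original module: a tiny in-memory MTA server state machine and a client that drives one session through it, with both sides' messages recorded in a transcript. The host names, addresses and the set of domains the server accepts mail for are assumptions, and the server implements only the commands named above.

```python
"""Scripted SMTP dialogue between an MTA client and an MTA server, no network."""

LOCAL_DOMAINS = {"example.net"}        # assumed: domains this server accepts mail for
SERVER_NAME = "mail.example.net"       # assumed host name

class SmtpServer:
    """Minimal server-side state machine for the commands used in the text."""

    def __init__(self):
        self.state = "connect"         # connect -> ready -> data -> ready ... -> closed
        self.sender = None
        self.rcpts = []
        self.buffer = []
        self.delivered = []            # (envelope sender, envelope recipients, body)

    def greeting(self):
        return f"220 {SERVER_NAME} ESMTP ready"

    def handle(self, line):
        if self.state == "data":       # inside DATA: lines are message text, not commands
            if line == ".":
                self.delivered.append((self.sender, list(self.rcpts), "\n".join(self.buffer)))
                self.sender, self.rcpts, self.buffer, self.state = None, [], [], "ready"
                return "250 OK: queued"
            self.buffer.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.state = "ready"
            return f"250 {SERVER_NAME} Hello {arg}"
        if self.state == "connect":
            return "503 Send EHLO first"
        if verb == "MAIL":
            self.sender = arg[len("FROM:"):].strip("<>")
            self.rcpts = []
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command first"
            addr = arg[len("TO:"):].strip("<>")
            if addr.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
                return f"550 Relay denied for {addr}"    # open relays are abused for spam
            self.rcpts.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT command first"
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            self.state = "closed"
            return "221 Bye"
        return "500 Unrecognised command"

def client_session(server, sender, recipients, body_lines):
    """Drive the three phases from the client side; return the full transcript."""
    transcript = [("S", server.greeting())]

    def send(cmd):
        transcript.append(("C", cmd))
        resp = server.handle(cmd)
        if resp is not None:
            transcript.append(("S", resp))
        return resp or ""

    send("EHLO client.example.net")                                    # connection establishment
    send(f"MAIL FROM:<{sender}>")                                      # mail transfer phase
    accepted = [r for r in recipients if send(f"RCPT TO:<{r}>").startswith("250")]
    if accepted and send("DATA").startswith("354"):
        for line in body_lines:
            send("." + line if line.startswith(".") else line)         # dot-stuffing
        send(".")
    send("QUIT")                                                       # connection termination
    return transcript

if __name__ == "__main__":
    srv = SmtpServer()
    body = ["Subject: hello", "", "Hi Bob", ".this line starts with a dot"]
    for side, text in client_session(srv, "alice@example.net",
                                     ["bob@example.net", "mallory@evil.test"], body):
        print(f"{side}: {text}")
    print("delivered:", srv.delivered)
```

The relay-denied branch is the check a correctly configured MTA server makes at RCPT TO; a server that accepts recipients in any domain is an open relay and will be found and used by spammers.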

Figure 3: positions of SMTP, POP3 and IMAP protocols

10.4.2 POP3

POP3 stands for Post Office Protocol version 3. It is a simple protocol with minimal functionality whose purpose is to retrieve e-mail messages from a mailbox. POP3 is a client-server protocol: the POP3 client (the MAA client) runs on the recipient's system and the POP3 server (the MAA server) runs on the recipient's mail server. The client connects to the server on TCP port 110 (or port 995 when the connection is wrapped in TLS). A POP3 session has three phases: authorization, transaction and update. In the authorization phase the server verifies the client's credentials. In the transaction phase the client performs operations on the mailbox, such as retrieving messages or marking them for deletion. In the update phase, entered when the client sends QUIT, the server deletes the messages that were marked for deletion and closes the connection; if the connection drops before QUIT, the marks are discarded and nothing is deleted. POP3 lets the user download messages from the mailbox on the mail server to the local disk.

POP3 has several limitations. It does not let the user create folders on the server to organize mail, and it does not let the user inspect part of a message before downloading it.
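As an added example (not code from the original module), the following simulates one maildrop on a POP3 server to make the three phases concrete; the user name, password and message texts are assumptions. The point worth noticing is that DELE only marks a message and only QUIT removes it, so a download that is interrupted before QUIT leaves everything on the server.

```python
"""The three POP3 phases (authorization, transaction, update) simulated offline,
showing that DELE only marks a message and QUIT is what actually removes it."""

class Pop3Maildrop:
    """Server-side state for one user's maildrop (no network, no TLS)."""

    def __init__(self, user, password, messages):
        self.user, self.password = user, password   # assumed credentials
        self.messages = list(messages)              # message texts held on the server
        self.deleted = set()                        # 1-based numbers marked by DELE
        self.state = "authorization"
        self.pending_user = None

    def _live(self):
        return [(i, m) for i, m in enumerate(self.messages, 1) if i not in self.deleted]

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if self.state == "authorization":
            if verb == "USER":
                self.pending_user = arg
                return "+OK"
            if verb == "PASS" and self.pending_user == self.user and arg == self.password:
                self.state = "transaction"
                return f"+OK maildrop has {len(self.messages)} messages"
            return "-ERR authentication failed"
        if self.state != "transaction":
            return "-ERR session closed"
        if verb == "STAT":
            live = self._live()
            return f"+OK {len(live)} {sum(len(m) for _, m in live)}"
        if verb in ("RETR", "DELE"):
            if not arg.isdigit() or not 1 <= int(arg) <= len(self.messages) or int(arg) in self.deleted:
                return "-ERR no such message"
            if verb == "RETR":
                return "+OK\r\n" + self.messages[int(arg) - 1] + "\r\n."
            self.deleted.add(int(arg))              # marked only; still stored on the server
            return f"+OK message {arg} marked for deletion"
        if verb == "RSET":
            self.deleted.clear()
            return "+OK"
        if verb == "QUIT":                          # update phase: commit the marks
            self.messages = [m for _, m in self._live()]
            self.deleted.clear()
            self.state = "update"
            return "+OK bye"
        return "-ERR unknown command"

    def connection_lost(self):
        """Client dropped without QUIT: no update phase, so the marks are discarded."""
        self.deleted.clear()
        self.state, self.pending_user = "authorization", None

if __name__ == "__main__":
    box = Pop3Maildrop("bob", "s3cret", ["first message", "second message"])
    for cmd in ("USER bob", "PASS s3cret", "STAT", "RETR 1", "DELE 1", "STAT", "QUIT"):
        print(f"C: {cmd}\nS: {box.handle(cmd)}")
    print("left on server:", box.messages)
```

Forensically this means a POP3 mailbox can still hold messages the user believes they deleted, whenever the client session ended abnormally.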

10.4.3 IMAP

IMAP stands for Internet Message Access Protocol. Like POP3 it is a widely used protocol for retrieving e-mail, but it is more complex and more powerful. It is also based on the client-server model; the client connects to the server on TCP port 143 (or port 993 over TLS). IMAP provides more features: the user can create folders to organize e-mail hierarchically, inspect a message header before downloading, download only part of a message, create, delete or rename mailboxes on the server, search message contents by keyword, and so on. Because messages stay on the server, the same mailbox can be accessed from several devices.

10.5 DIFFERENCES BETWEEN POP3 AND IMAP

POP3 and IMAP are both client-server protocols used to retrieve messages from the mail server to the recipient's system. The differences between them are as follows:

Post Office Protocol (POP3) | Internet Message Access Protocol (IMAP)
--------------------------- | ---------------------------------------
A simple protocol with minimal functionality. | A more complex protocol with more functionality than POP3.
Mail can be read only after it has been downloaded. | Mail content can be checked before downloading.
The POP3 server listens on port 110 (995 over TLS). | The IMAP server listens on port 143 (993 over TLS).
Messages are normally accessed from a single device, since they are downloaded to it. | Messages stay on the server and can be accessed from multiple devices.
A message must be downloaded to the local system before it can be read. | Part of a message can be read without downloading all of it.
The user cannot organize mail in the mailbox on the mail server. | The user can organize e-mail directly on the mail server.
The user cannot create, delete or rename mailboxes on the mail server. | The user can create, delete or rename mailboxes on the mail server.
The user cannot search message content before downloading it. | The user can search message content by keyword before downloading.
Message headers cannot be viewed before downloading. | Message headers can be viewed before downloading.

10.6 WORKING OF E-MAIL

E-mail follows the client-server approach. In general e-mail communication uses three protocols: SMTP, POP3 and IMAP. Suppose Alice wants to send an e-mail message to Bob. Figure 4 shows the path the message takes from Alice's computer to Bob's computer, that is, the way an e-mail is transmitted from sender to receiver.

First, Alice uses an e-mail application to compose the message. The message consists of a body and a header: the body is the main part of the message, while the header holds the subject, the sending date, and the sender and recipient addresses. Alice's (the sender's) address is alice@example.net and Bob's (the recipient's) is bob@gmail.com. When Alice clicks Send, the SMTP client in her e-mail application submits the message to the SMTP server on her site's mail server (example.net).

The SMTP server takes the recipient address from the envelope (the RCPT TO command), extracts the domain part and uses it to locate the recipient's mail server. If the recipient's domain is the same as the sender's domain, the server simply places the message in the recipient's mailbox. If the domains differ, the server asks the DNS (Domain Name System) which mail server handles the recipient's domain. Here Bob's domain, gmail.com, differs from Alice's domain, example.net, so Alice's mail server queries DNS for the mail server of gmail.com.

DNS answers with the Mail eXchange (MX) records of the recipient's domain. Each MX record names a mail server host together with a preference value, and the host name is then resolved to an IP address through its A or AAAA record; if a domain has no MX record at all, the domain's own address record is used instead. The DNS response therefore gives Alice's mail server the address of Bob's mail server, and the message is transmitted between the two servers: Alice's mail server forwards it with its SMTP client, trying the MX host with the lowest preference value first.

Bob's mail server receives the message with its SMTP server, stores it in Bob's mailbox and makes it available to him.

Bob retrieves the message from his mailbox with an e-mail application that uses either POP3 or IMAP. The POP3 or IMAP client is part of Bob's e-mail application, whereas the POP3 or IMAP server runs on Bob's mail server.
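How the sender's server turns a recipient domain into a next-hop address can be shown offline. The following is an added example, not code from the original module: the zone data stands in for DNS answers and uses reserved documentation names and addresses, and the local domain is an assumption. It applies the MX preference order, the implicit-MX fallback when a domain has no MX record, and the null-MX convention (a single MX record with preference 0 and target ".") by which a domain declares that it accepts no mail.

```python
"""Choose the next-hop mail server for a recipient from MX and A records, offline."""

# Constructed zone data standing in for DNS answers; names and addresses are
# reserved documentation values, not real records.
ZONE = {
    "example.com":     {"MX": [(20, "mx2.example.com"), (10, "mx1.example.com")]},
    "mx1.example.com": {"A": ["192.0.2.10"]},
    "mx2.example.com": {"A": ["192.0.2.20"]},
    "example.org":     {"A": ["198.51.100.5"]},   # no MX record: implicit MX rule applies
    "nomail.example":  {"MX": [(0, ".")]},        # null MX: domain accepts no mail
}
LOCAL_DOMAIN = "example.net"                      # assumed: the domain this MTA serves

def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] when the name or record type is absent."""
    return ZONE.get(name.lower().rstrip("."), {}).get(rtype, [])

def next_hops(recipient):
    """Ordered (host, ip) candidates for delivering to `recipient`.
    Returns [] when the recipient is local and the message goes straight to a mailbox.
    Raises ValueError when the domain has published a null MX."""
    domain = recipient.rpartition("@")[2].lower()
    if domain == LOCAL_DOMAIN:
        return []
    mx = lookup(domain, "MX")
    if mx == [(0, ".")]:
        raise ValueError(f"{domain} does not accept mail (null MX)")
    # Lowest preference value is tried first; with no MX at all, the domain's
    # own address record is used (the implicit MX rule of RFC 5321).
    hosts = [host for _, host in sorted(mx)] if mx else [domain]
    return [(host, ip) for host in hosts for ip in lookup(host, "A")]

if __name__ == "__main__":
    for rcpt in ("bob@example.com", "carol@example.org", "alice@example.net"):
        print(rcpt, "->", next_hops(rcpt) or "local delivery")
```

An attacker who can answer the MX query (for instance through the DNS cache poisoning described under pharming) can redirect a domain's mail in exactly the same way a web site is redirected, which is why the MX records of a domain are worth checking during an investigation.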

10.7 TYPES OF E-MAIL

Brief descriptions of the different types of e-mail follow:

Newsletters: the most common type of e-mail, sent on a regular schedule (daily, weekly or monthly) to all subscribers of a mailing list. A newsletter conveys information from a single source, often business offers, upcoming events, news, or links to a blog or website.

Lead nurturing: lead nurturing is a technique for building a relationship between a brand and a consumer along the sales funnel, from the user's first inquiry to a purchase. A lead-nurturing campaign is an automated, personalized series of e-mails, usually sent over several days or weeks, intended to influence the user's purchasing behaviour. Such e-mails are triggered by an action of the potential buyer, such as clicking a link in a promotional e-mail or downloading a free sample.

Promotional e-mails: an easy way to inform potential customers about new and existing products or services. A promotional e-mail may include coupons or discount offers, access to exclusive content, or an invitation to an event. These e-mails are sent to new or existing customers with a limited-time offer so that they take immediate action, such as buying a product or signing up for a service.

Standalone e-mails: these e-mails are about exactly one topic, so that the reader's attention is not divided and they are more likely to take the intended action. The topic may be advertising content, a brand message, a webinar sign-up, a particular product, a new blog post, consent to receive a bulletin, and so on.

Onboarding e-mails: onboarding e-mails are sent to buyers to familiarize them with a product and train them to use it effectively. They are also known as after-sales e-mails and are used to build customer loyalty: they establish usage habits, convert free users into paying subscribers, and build long-term engagement.

Transactional e-mails: a transactional e-mail is sent automatically when the recipient completes a transaction or an account activity in an application or website. It usually carries information of value to the customer: purchase receipts, shipping notifications, product notifications, password resets, and so on. These are also the messages attackers most often imitate, because users expect them and act on them.

Plain-text e-mails: a plain-text e-mail contains text only; it is unformatted and carries no graphics or images. Plain text is typically used for sales letters, leave applications, blog content, event invitations, and survey or feedback requests.

10.7.1 Advantages of e-mail

There are many benefits of e-mail, and these are:

• Cost-effective: E-mail is a very cost-effective service (almost free) that allows you to communicate with other people.

• Accessible anywhere and anytime: E-mail enables users to access messages from anywhere and anytime through an Internet connection.

• Speed and simplicity: E-mails can be easy to compose and immediately delivered to the recipient.

• Mass sending: In a short time an e-mail can be sent to many people.

• Future retrieval: E-mail exchanges are saved, and a particular message can be retrieved later by searching.

• Message categorization: E-mail clients provide a simple interface for categorizing messages, so users can find specific messages easily. Categorization also helps the user recognize unwanted e-mail such as junk and spam.

• Eco-friendly: E-mail reduces paper consumption and contributes to saving the environment.

10.7.2 Disadvantages of Email

There are numerous disadvantages to email, and these are:

• Malicious use: Anyone who has the username and password for an e-mail account can send e-mail from it. If an unauthorized person fraudulently obtains a particular user's credentials, they can send e-mails in that user's name to many people to spread gossip or misinformation.

• Message overload: Unsolicited advertising and other unwanted messages arrive by e-mail and overwhelm the user's inbox.

• Virus carrier: Viruses can enter a system in many ways, and e-mail is one of the most common. The virus travels as an attached document or a link in the message and infects the system when the recipient opens the attachment or follows the link.

• Cyber threats: E-mail is the gateway for most cyber threats. An e-mail attack occurs when a malicious actor targets a person's e-mail address with the intention of illegally accessing a system, diverting money, or obtaining sensitive information such as confidential documents or personal messages.

10.8 E-MAIL ATTACK

E-mail is one of the most widely used means of communication. Individuals use it to stay in touch with friends and family, and almost all business and banking organizations use it as well, for online purchase confirmations, bank account statements, and so on. Because so many people depend on e-mail, it has become one of the main techniques employed by cyber criminals.

An e-mail attack may be described as an event in which e-mail is used to harm an individual or an organization. The techniques differ, but the goal of the criminal is usually to steal money or data. To preserve e-mail security, everyone needs to be aware of the most common types of e-mail attack and their potential impact.

10.8.1 Spam

Spam, unsolicited bulk e-mail, is the most widely known form of e-mail attack. Cyber criminals send spam to many victims at once, and the same message is often repeated for as long as the criminal's campaign runs. Some spam is merely a nuisance, but more often it lays the groundwork for other attacks such as phishing: spam commonly carries harmful links or deceptive content, and its end goal is to obtain sensitive information such as a social security number or bank account details. Spam differs from promotional e-mail sent by companies: promotional e-mail stops when you unsubscribe, whereas spam does not (clicking an unsubscribe link in spam only confirms to the sender that the address is read). Most spam is sent from large numbers of computers infected by a virus or worm, that is, from a botnet; the compromised machines send out as much bulk e-mail as possible.

Safety tip: Ignoring spam is the best policy, and configuring spam filters on the e-mail service works best.

10.8.2 Phishing Attacks

Phishing is a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by pretending to be a trusted entity. In a phishing attack the cyber criminal sends a legitimate-looking e-mail to many users. The purpose of the message is to persuade the recipient to install malware on their device or to hand over personal or financial information. Phishing e-mails are generally not personalized and tend to open with generic greetings such as "hello" or "dear sir", and the subject line usually dangles a lucrative offer to lure the victim. The victim is asked to click a link and fill in a form on a phishing website, which captures the credentials. Given the sheer number of people who receive the e-mail, even a small percentage of victims gives the attacker some success.

Safety tip: Never open attachments or links from untrusted e-mails or websites, and do not enter personal or financial information on a website because of a lucrative offer. Hovering over a link to compare the displayed text with the real destination catches many phishing links.
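The signs listed above (generic greeting, lure words in the subject, a link whose visible text differs from its real destination) can be checked mechanically. The block below is an added example, not code from the original module; the message, the bank's domain and the lookalike attacker domain are all constructed, and the registrable-domain check is a deliberately simple assumption noted in the code.

```python
"""Triage a phishing e-mail: generic greeting, lure words, and links whose visible
text points somewhere other than their href."""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample (all domains are fictitious; not from the original module).
SAMPLE = """\
From: "Example Bank" <alerts@example-bank.test>
To: alice@example.net
Subject: Urgent: verify your account to claim your reward
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Please visit <a href="http://login.example-bank.test.evil.example/verify">
https://www.example-bank.test/verify</a> within 24 hours.</p>
<p>Questions? See <a href="https://www.example-bank.test/help">our help page</a>.</p>
</body></html>
"""

GREETING = re.compile(r"\b(dear|hello|hi)\s+(customer|user|sir|madam|member)\b", re.I)
LURE = re.compile(r"\b(urgent|verify|reward|prize|suspended|expire)\b", re.I)
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Naive eTLD+1 (last two labels). Assumption: adequate for the demo; a
    # production check should use the Public Suffix List (co.uk etc.).
    return ".".join(host.lower().rstrip(".").split(".")[-2:]) if host else ""

def phishing_indicators(raw):
    msg = message_from_string(raw)
    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    findings = []
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        if URLISH.match(text):                     # the visible text itself looks like a URL
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            real = urlparse(href).hostname
            if registrable(shown) != registrable(real):
                findings.append(f"link shows {shown} but goes to {real}")
    plain = re.sub(r"<[^>]+>", " ", html)
    if GREETING.search(plain):
        findings.append("generic greeting")
    if LURE.search(msg.get("Subject", "")):
        findings.append("lure words in subject")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

The second link in the sample is left alone on purpose: its visible text is ordinary words, so there is nothing for the reader to be misled by, and flagging it would only add noise.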

10.8.3 Spear phishing

Spear phishing is a more targeted form of phishing. It aims at one or a few people in particular and impersonates a person or entity they trust. The criminal spends time researching the target's interests before sending the e-mail, and customizes the message so that it appears legitimate. Because spear-phishing e-mails are more carefully constructed and more convincing, they are harder to catch.

Safety tip: Never download unreliable email enclosures. As well, do not visit or share personal information on an unreliable website or social site.

10.8.4 Whaling Email Attack

A whaling e-mail attack is a special form of e-mail fraud that has tricked users into revealing sensitive business information and transferring millions of dollars to fraudulent accounts. Whaling is a form of phishing in which the attacker sends a message that appears to come from the chief executive officer, the chief financial officer or another top executive. To craft the message the attacker researches the targeted individual, usually collecting personal information from online profiles and social media accounts. A whaling e-mail is much harder to spot than an ordinary phishing e-mail: it is designed to look identical to a message from a legitimate source, usually someone the recipient knows and trusts. The sender's address may use a domain that differs only slightly from the legitimate one; a classic trick replaces the letter "m" with the pair "rn", so that, for example, a lookalike of example.com becomes exarnple.com, a difference a casual observer rarely notices. A whaling e-mail often has an urgent or slightly threatening tone, intended to make the recipient act quickly without conferring with others or double-checking the request. Its purpose is to trick the recipient into revealing sensitive information that the attacker can use to steal data, or into transferring funds to a fraudulent account. The message may ask the recipient to transfer money to a vendor or bank account, to e-mail sensitive data such as tax information or payroll files to a spoofed address, or to visit a spoofed website and enter sensitive information such as passwords or bank account numbers. Visiting such a website may also let the attacker install malware on the victim's computer.

Safety tip: To stop whaling attacks, scan all inbound e-mail for anomalies in the display name, the sender domain (including how recently it was registered) and the Reply-To address, and look in the subject and body for words and phrases such as "wire transfer", "bank transfer" or "W-2" that may indicate a whaling attempt. Technical controls are not enough on their own: any request to move money or send payroll data should be confirmed with the apparent sender through a channel other than e-mail, such as a phone number already on file.
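The safety tip above describes checks an inbound mail filter can run. The following is an added example, not code from the original module, that runs those checks on a constructed whaling message: it normalizes confusable character pairs so that exarnple.com compares equal to example.com, flags an executive's display name paired with the wrong address, flags a Reply-To that differs from From, and looks for payment language. The trusted domain, the executive list and the message are assumptions; checking how recently a domain was registered needs a network lookup and is left out.

```python
"""Flag whaling / BEC indicators in a message: lookalike sender domain, executive
display name with the wrong address, mismatched Reply-To, and payment language."""
from email import message_from_string
from email.utils import parseaddr
import re

TRUSTED_DOMAIN = "example.com"                            # assumed: the organisation's own domain
EXECUTIVES = {"pat chen": "pat.chen@example.com"}         # assumed display-name allow list
# Pairs that look alike in common fonts; deliberately aggressive, so expect some
# false positives (e.g. "cloud" -> "doud") and treat hits as triage, not proof.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]
MONEY_WORDS = re.compile(r"\b(wire transfer|bank transfer|w-2|payroll|gift cards?)\b", re.I)

# Constructed whaling message; the domains and people are fictitious.
SAMPLE = """\
From: Pat Chen <pat.chen@exarnple.com>
Reply-To: pat.chen.ceo@freemail.test
To: finance@example.com
Subject: Urgent wire transfer before 3pm
Content-Type: text/plain; charset="utf-8"

I'm in a meeting and can't talk. Please process a wire transfer of
$48,000 to the attached vendor details today and confirm by email.
"""

def skeleton(domain):
    """Collapse look-alike pairs so exarnple.com compares equal to example.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def whaling_indicators(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    if from_domain != TRUSTED_DOMAIN and skeleton(from_domain) == skeleton(TRUSTED_DOMAIN):
        findings.append(f"lookalike sender domain {from_domain}")
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used with {addr}, expected {expected}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = msg.get("Subject", "") + " " + body
    for phrase in sorted({p.lower() for p in MONEY_WORDS.findall(text)}):
        findings.append(f"payment language: {phrase}")
    return findings

if __name__ == "__main__":
    for finding in whaling_indicators(SAMPLE):
        print("-", finding)
```

The display-name check is the one that catches the most common variant in practice, where the attacker sends from a free webmail account but sets the display name to the executive's name, so that a phone client showing only the name looks entirely normal.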

10.8.5 Virus

Viruses may spread by e-mail. A virus is malicious code that replicates itself and spreads from host to host. Viruses often hide in e-mail attachments: documents, program files, images, greeting cards, audio or video files, and so on. When the user opens the attachment, the malicious code runs, for instance as a macro in an office document or as a script or executable disguised as a harmless file, and the virus installs itself on the machine. Once running, a virus can spread quickly across the system, steal passwords or data, log keystrokes, corrupt files and so on. Some viruses are designed to cause damage, such as erasing data or rendering the computer's hard disk unusable; others are designed for financial gain. A virus can spread from an infected computer to other computers on the same network and eventually damage the entire network.

Safety tip: Viruses often arrive as macros in Word or other office documents. To avoid infection, never open attachments you are not expecting, never enable macros in a document you did not ask for, and do not download files from websites you do not trust.

10.8.6 Pharming

In a pharming attack the attacker redirects users to a fake website that appears to be the genuine one. The fake site is built to steal personal information: once redirected, users are prompted to enter personal details, which are then used for identity theft or financial fraud. Pharming is carried out either by compromising individual computers or by DNS cache poisoning. In the first method, the attacker sends an e-mail carrying code that modifies the hosts file of the victim's computer. The hosts file (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows) is a local list of host names and IP addresses that the system consults before asking DNS. Once the hosts file has been tampered with, the name of the site the user intends to visit resolves to the attacker's server, so the page is redirected even if the user types the correct URL. The fake site mimics the appearance of the real one, so users may not realize they are victims. The second method is DNS cache poisoning. When a user visits a URL, the browser asks a DNS server for the IP address of the domain. Each DNS server keeps its own records, together with records obtained from other servers, in a cache. In a DNS cache poisoning attack the attacker inserts false records into that cache, so that requests for the genuine domain are answered with the IP address of the attacker's spoofed site, without the user's knowledge or consent. A poisoned cache can affect many users at once.

Safety tip: Check that the URL is spelled correctly and that the connection uses HTTPS, but remember what the padlock proves: the certificate only ties the connection to the domain shown in the address bar, so the browser will warn when a pharming site impersonates the genuine domain, but not when the attacker uses a lookalike domain of their own. If you think you are a victim, inspect your hosts file and clear your DNS cache. If you believe a server is compromised, contact your Internet service provider. A VPN protects the path to the resolver but does not help against a modified hosts file.
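The hosts-file form of pharming leaves a concrete artefact on disk. As an added example (not code from the original module), the block below parses hosts-file text and reports entries that override the names of sites it has been told to watch; the watch list and the sample file content are constructed, and only the two file paths named in the text are real.

```python
"""Detect hosts-file pharming: entries that override the names of watched sites."""
import ipaddress

# Hosts-file locations named in the text.
HOSTS_PATHS = ["/etc/hosts", r"C:\Windows\System32\drivers\etc\hosts"]
# Assumed watch list: names that should only ever be resolved through DNS.
WATCHED = {"www.example-bank.test", "login.example-bank.test"}

# Constructed hosts-file content with one attacker-added line (line 5).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# pinned by IT for an internal mirror (legitimate)
192.0.2.77  cdn.example.net
203.0.113.9 www.example-bank.test login.example-bank.test
"""

def parse_hosts(text):
    """Yield (line number, ip, lowercased name) for each mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                                  # malformed line; a real tool would report it
        for name in names:
            yield lineno, ip, name.lower()

def suspicious_overrides(text, watched=WATCHED):
    """Return (line number, name, ip) for every watched name the file redirects."""
    return [(lineno, name, ip) for lineno, ip, name in parse_hosts(text) if name in watched]

def scan_file(path=HOSTS_PATHS[0]):
    """Run the check against the real hosts file on this machine."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_overrides(fh.read())

if __name__ == "__main__":
    for lineno, name, ip in suspicious_overrides(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} forced to {ip}")
```

Any entry for a watched name is reported, including one pointing at loopback: that would not steal credentials, but it is still an unexplained modification of a file that ordinary users have no reason to edit.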

10.8.7 Ransomware

Ransomware is a type of malware that can enter a system through e-mail. Ransomware attacks are usually carried out with a Trojan horse disguised as a legitimate file, which the user is tricked into downloading or opening when it arrives as an e-mail attachment. The ransomware encrypts the victim's files, chosen in advance by type, with a key held by the attacker, making them inaccessible. Finally it leaves a note, usually as a text file, demanding payment (typically in Bitcoin) in return for the decryption key.

Safety tip: Do not download irrelevant attachments from an e-mail or website. In addition, periodically take the back up of important files and documents.

10.8.8 Spyware

Spyware is a program that enables a criminal to obtain information about a user’s computer activity and send it over the internet without the user's knowledge. This information is generally obtained through cookies and the history of the web browser. In addition, to collect the information, spyware often includes activity trackers, keystroke gathering, and data capture. Spyware may also install other software, display ads, or reroute web browser activity. In an effort to overcome security measures, spyware normally changes security settings. Spyware is often delivered along with legitimate e-mail, software or Trojan horses.

Safety tip: Never download irrelevant files from an e-mail. Scan software prior to installation, and scan files downloaded from websites. Furthermore, delete cookies and browser history from time to time.

10.8.9 Business Email Compromise (BEC) Attacks

In a BEC attack, an attacker tries to convince a person or organization that it is a reliable contact before stealing money or information. In such attacks, the attacker targets companies that tend to process payments remotely and off-site. An attacker patiently monitors the user's e-mail communication and checks the way the e-mail is handled. Then, in due course, the attacker presents himself or herself as a trustworthy individual or organization and often engages in a conversation through multiple emails before requesting payments, credentials or confidential data. This type of attack uses neither links nor attachments to deploy malicious code.

Safety tip: Encryption of e-mail reduces the risks associated with data loss and corporate policy violations while allowing crucial business communications. For protection of sensitive data, encrypt the file before sending it by email. At the recipient's end, the end user will decrypt the file and read its contents.

10.8.10 Account Take Over (ATO) Attack

In an ATO attack, an attacker gains unauthorized access to an account belonging to someone else. In such an attack, the aim of the cybercriminal is to collect personally identifiable information that will be used in other forms of fraud and identity theft. In this type of attack, the cyber criminals spend time researching across open databases and social media, looking for related information such as name, location, phone number, or names of family members – anything that will help in guessing a password. Once the attacker has identified valid credentials for a user account, the attacker can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts. Sometimes, the attacker sells the working login credentials to others. Often, data taken from an account leads to more ATO and other forms of cyber-attacks.

Safety tip: Use distinct passwords for separate accounts. Change your passwords from time to time.

10.9 E-MAIL SECURITY

Email allows individuals to communicate with each other. It also provides an opportunity for members of organizations to communicate with each other as well as with members of other organizations. E-mail was designed to be as open and approachable as possible. Because email is an open format, it is available to anyone who can intercept it, which causes security problems. Attackers try to take advantage of the lack of email security to make money through actions such as reading the contents of an email, spam campaigns, malware and phishing attacks, sophisticated targeted attacks, or business email compromise (BEC). The security of emails is therefore an important concern.

E-mail security is a term describing the different procedures and techniques for protecting sensitive information in email communication, protecting user accounts against unauthorized access, spam filtering, preventing data loss or compromise, e-mail encryption, and so on. E-mail security is needed both by the holder of an individual e-mail account and by a professional organisation. There are many steps that individuals and organizations should take to improve the safety of emails.

10.9.1 Organization Email Security Best Practices

There are some important practices that an organization should follow to ensure secure usage of e-mail.

• Make sure webmail applications are able to secure logins and use techniques to protect both email content and attachments.
• Implement a data protection solution to identify sensitive data and prevent it from being lost through e-mail.
• Defend against malicious attachments using multiple signature-based, static and sandboxing inspections.
• Block viruses and spam through a strong and secure e-mail gateway. Implement scanners and other tools to analyze messages and block emails containing malware or other malicious files before they reach your end users.
• Use anti-malware and anti-spam protection, which can prevent some attacks from reaching users' mailboxes.
• Block advanced mail attacks such as impersonation or phishing with real-time scanning of all inbound emails.
• Stop internal attacks through data loss prevention (DLP) and content control capabilities by scanning incoming and outgoing emails in real time.
• Use email scanning and archiving technology to neutralize ransomware attacks. The mail administrator should back up the mail server on a regular basis to archive data and information, including those found in e-mail.
• Protect against malicious links through URL analysis. Email security software analyzes and filters each link and attachment within each email, preventing users from accessing URLs or opening attachments that may be malicious.
• Prevent spoofing with Domain Name System (DNS) authentication services, which use the SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) protocols to identify legitimate and potentially fraudulent email.
• When the company enables employees to access company emails on personal devices, implement security best practices for Bring Your Own Device (BYOD).
• Educate employees about email security through security awareness training. The training programme educates employees about how to avoid being victimized by various types of email attacks, the appropriate steps to secure e-mail, and how to prevent sensitive data loss or malware infections via email.

10.9.2 Individual User Email Security Best Practices

There are some important practices that individual users (organization employees) should follow to ensure secure usage of e-mail.

• Use best practices to create strong passwords, and change the password regularly.
• Never share your passwords with anybody, including your colleagues and friends.
• Use spam filters, and scan files prior to downloading or uploading them.
• Never open attachments or click on hyperlinks in emails received from unknown senders.
• Send as little sensitive information by e-mail as possible, and only send encrypted sensitive information by e-mail to recipients who need it.
• Do not access corporate emails from public WiFi connections.
• If an employee of the organization is working remotely or on a personal device, use Virtual Private Network (VPN) software to access the company's e-mail.

10.10 EMAIL ATTACKS AND CRIMES

Email crimes or attacks can be direct, where users use email to harass or intimidate a receiver. There exist many crimes that are perpetrated directly using emails. Email attacks can also be indirect, where emailing is used as one of the tools to capture sensitive information, perform malpractices or intrude into the client system. Let us look into a few email attacks or crimes.

a. Flaming
b. Email spoofing
c. Email bombing
d. Email hacking
e. Spams
f. Email frauds
g. Email phishing

10.10.1 Flaming

Flaming occurs when a person sends a message with angry or antagonistic content. The term is derived from the use of the word "incendiary" to describe particularly heated email discussions. Flaming is assumed to be more common today because of the ease and impersonality of email communications: confrontations in person or via telephone require direct interaction, where social norms encourage civility, whereas typing a message to another person is an indirect interaction, so civility may be forgotten.

10.10.2 Email spoofing

Email spoofing occurs when the email message header is designed to make the message appear to come from a known or trusted source. Email spam and phishing methods typically use spoofing to mislead the recipient about the true message origin.

10.10.3 Email bombing

Email bombing is the intentional sending of large volumes of messages to a target address. The overloading of the target email address can render it unusable and can even cause the mail server to crash.

10.10.4 Email hacking

Email hacking is illicit access to an email account or email correspondence.

10.10.5 Spams

Attackers often send massive email broadcasts with a hidden or misleading incoming IP address and email address. Some users may open the spam, read it, and possibly be tempted by whatever wares or schemes are offered.

10.10.6 Phishing

This type of attack uses email messages that purport to be from legitimate businesses that the user may be associated with. Although the messages look authentic, with all the corporate logos and a format similar to the official emails, they ask for verification of personal information such as the account number, password, and date of birth. 20% of unsuspecting victims respond to them, which may result in stolen accounts, financial loss and identity theft.

10.10.7 Email fraud

Email fraud is the intentional deception made for personal gain or to damage another individual through email. Almost as soon as email became widely used, it began to be used as a means to defraud people. Email fraud can take the form of a "con game" or scam. Confidence tricks tend to exploit the inherent greed and dishonesty of their victims. The prospect of a 'bargain' or 'something for nothing' can be very tempting. Email fraud, as with other 'bunco schemes', usually targets naive individuals who put their confidence in get-rich-quick schemes such as 'too good to be true' investments or offers to sell popular items at 'impossibly low' prices. Many people have lost their life savings due to fraud.

10.10.8 Phishing emails

Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of the social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.

10.11 PRIVACY IN EMAILS

10.11.1 Email privacy

Email privacy is the broad topic dealing with issues of unauthorized access to and inspection of electronic mail. This unauthorized access can happen while an email is in transit, as well as when it is stored on email servers or on a user's computer. In countries with a constitutional guarantee of the secrecy of correspondence, whether email can be equated with letters and receive legal protection from all forms of eavesdropping is questionable because of the very nature of email. This is especially important as more and more communication occurs via email compared to postal mail.

Email has to go through potentially untrusted intermediate computers (email servers, ISPs) before reaching its destination, and there is no way to tell if it was accessed by an unauthorized entity. This is different from a letter sealed in an envelope, where by close inspection of the envelope, it might be possible to tell if someone opened it. In that sense, an email is much like a postcard whose contents are visible to everyone who handles it.

There are certain technological workarounds that make unauthorized access to email hard, if not impossible. However, since email messages frequently cross national boundaries, and different countries have different rules and regulations governing who can access an email, email privacy is a complicated issue.

A significant fraction of email communication is still unencrypted. In general, encryption provides protection against malicious entities. However, a court order might force the responsible parties to hand over decryption keys.

Email privacy, without some security precautions, can be compromised because:

• Email messages are generally not encrypted.
• Email messages have to go through intermediate computers before reaching their destination, meaning it is relatively easy for others to intercept and read messages.
• Many Internet Service Providers (ISPs) store copies of email messages on their mail servers before they are delivered. The backups of these can remain for up to several months on their servers, despite deletion from the mailbox.
• The "Received:" fields and other information in the email can often identify the sender, preventing anonymous communication.

10.11.2 Email tracking

Email tracking is a method for monitoring the delivery of an email to the intended recipient. Most tracking technologies use some form of digitally time-stamped record to reveal the exact time and date that an email was received or opened, as well as the IP address of the recipient.

Email tracking is useful when the sender wants to know if the intended recipient actually received the email, or if they clicked the links. However, due to the nature of the technology, email tracking cannot be considered an absolutely accurate indicator that a message was opened or read by the recipient.

10.12 EMAIL FORENSICS

10.12.1 Forensically important email parts

The parts of an email that are of interest to investigators are:

a) Email header
b) Body of the email
c) The information hidden in the email packets
d) Attachments

The message header must include at least the following fields:

• From: The email address, and optionally the name, of the author(s). In many email clients this is not changeable except through changing account settings.
• Date: The local time and date when the message was written. Like the From: field, many email clients fill this in automatically when sending. The recipient's client may then display the time in the format and time zone local to him/her.

The message header should include at least the following fields:

• Message-ID: Also an automatically generated field; used to prevent multiple deliveries and for reference in In-Reply-To: (see below).
• In-Reply-To: Message-ID of the message that this is a reply to. Used to link related messages together. This field only applies to reply messages.

RFC 3864 describes registration procedures for message header fields at the IANA; it provides for permanent and provisional message header field names, including also fields defined for MIME, netnews, and HTTP, and referencing relevant RFCs. Common header fields for email include:

• To: The email address(es), and optionally name(s), of the message's recipient(s). Indicates primary recipients (multiple allowed); for secondary recipients see Cc: and Bcc: below.
• Subject: A brief summary of the topic of the message. Certain abbreviations are commonly used in the subject, including "RE:" and "FW:".
• Bcc: Blind carbon copy; addresses added to the SMTP delivery list but not (usually) listed in the message data, remaining invisible to other recipients.
• Cc: Carbon copy; many email clients will mark email in one's inbox differently depending on whether they are in the To: or Cc: list.
• Content-Type: Information about how the message is to be displayed, usually a MIME type.
• Precedence: commonly with values "bulk", "junk", or "list"; used to indicate that automated "vacation" or "out of office" responses should not be returned for this mail, e.g. to prevent vacation notices from being sent to all other subscribers of a mailing list. Sendmail uses this header to affect prioritization of queued email, with "Precedence: special-delivery" messages delivered sooner. With modern high-bandwidth networks delivery priority is less of an issue than it once was. Microsoft Exchange respects a fine-grained automatic response suppression mechanism, the X-Auto-Response-Suppress header.
• References: Message-ID of the message that this is a reply to, and the message-id of the message the previous reply was a reply to, etc.
• Reply-To: Address that should be used to reply to the message.
• Sender: Address of the actual sender acting on behalf of the author listed in the From: field (secretary, list manager, etc.).
• Archived-At: A direct link to the archived form of an individual email message.

SMTP defines the trace information of a message, which is also saved in the header using the following two fields:

• Received: when an SMTP server accepts a message it inserts this trace record at the top of the header (last to first).
• Return-Path: when the delivery SMTP server makes the final delivery of a message, it inserts this field at the top of the header.

Other header fields that are added on top of the header by the receiving server may be called trace fields, in a broader sense.

• Authentication-Results: when a server carries out authentication checks, it can save the results in this field for consumption by downstream agents.
• Received-SPF: stores results of Sender Policy Framework (SPF) checks in more detail than Authentication-Results.
• Auto-Submitted: is used to mark automatically generated messages.
• VBR-Info: claims VBR whitelisting. Vouch by Reference (VBR) is a protocol for adding third-party certification to email.

Figure 1: Tracing spoofed sender.

The trace information of an email can provide lots of clues to the investigators.

The email packets can be captured using packet sniffer software. The email packets can be read very easily unless the user uses email encryption. Encrypted emails are read using the password cracking methodologies discussed in earlier chapters. The trace of an email, its headers and sometimes even the body of the email can be used to detect a spoof attack, as shown in Figure 1.

10.12.2 Email forensics investigation

Email forensics involves capturing, securing, analysing and reporting email evidence. E-mail forensics aims to study the source and contents of e-mail messages for evidence; this includes identification of the actual sender, recipient, date and time when it was sent, etc. Email forensic analysis aims at discovering the history of a message and confirming the identity of all involved entities. Apart from message analysis, e-mail forensics also involves investigation of client or server computers suspected of being used or misused to carry out e-mail forgery. It might involve inspection of Internet favorites, cookies, history, typed URLs, temporary Internet files, auto-completion entries, bookmarks, contacts, preferences, cache, etc. Several open source software tools are available which help to perform e-mail header analysis to collect evidence of e-mail fraud.

10.12.3 Analyzing an email

A sample header set of an e-mail message sent by [email protected] pretending to be [email protected] and sent to [email protected] is shown in figure 3.

Figure 2: Elaborate email header of a spoofed email. (adapted from: [6])

The header X-Apparently-To shown in Figure 2 is relevant when mail has been sent as a BCC or to recipients of some mailing list. In most cases this field contains the address in the To field. But if mail has been sent to a BCC recipient or a mailing list, X-Apparently-To is different from the To field. Some may show To while others may not show it. Thus X-Apparently-To always shows the e-mail address of the recipient regardless of whether the mail has been sent using To, BCC or CC addresses or by the use of some mailing list.

The Return-Path header is the e-mail address of the mailbox specified by the sender in the MAIL FROM command. This address can also be spoofed; if no authentication mechanism is in place at the sending server, it is not possible to determine the genuineness of the Return-Path header through header analysis alone. The Received-SPF header here specifies that the mail has come from a domain which either does not have an SPF record or is not yet a designated permitted sender. If there is some spam filtering software on the receiving server or MUA, the spam score is contained in the X-Spam-Ratio field. If this value for the e-mail under study exceeds a certain pre-defined threshold, the email will be classified as spam.

X-Originating-IP specifies the IP address of the last MTA of the sending SMTP server, which has delivered the e-mail to the server of [email protected]. In the sample e-mail it is [a2.b2.c2.d2], as shown in item 5. This address is also contained in the Received header field. The X-Sieve header specifies the name and version of the message filtering system. This pertains to the scripting language used to specify conditions for message filtering and handling. In the sample e-mail the name of the message filtering software is CMU Sieve and its version is 2.3. The X-Spam-Charsets header specifies the character set used for filtering the messages. The value of this field in the sample e-mail at item 7 indicates that 8-bit Unicode Transformation Format (UTF) has been used by bob’s server. UTF is a variable length character set having the special property of being backward compatible with ASCII.

X-Resolved-To is the e-mail address of the mailbox to which the mail has been delivered by the MDA of bob’s server. In most cases, it is the same as the X-Delivered-To field. X-Delivered-To is the address of the mailbox to which the mail has been delivered by the MDA of bob’s server. In the sample e-mail both the X-Resolved-To and X-Delivered-To addresses are [email protected], as in items 8 and 9. The X-Mail-From header specifies the e-mail address of the mailbox specified by the sender in the MAIL FROM command, which in the sample e-mail is [email protected]. The Authentication-Results header in item 11 indicates that mta1294.mail.mud.bob.com received mail from the alice.com domain, which has neither a DomainKeys signature nor a DKIM signature.

Item 12 is the second Received header field, containing the trace information indicating 127.0.0.1 as the IP address of the machine that sent the message. This machine is actually named mailbox-us-s-7b.xyz.com and has IP address a2.b2.c2.d2. It has used the EHLO SMTP command to send the mail. The mail was received by mta1294.mail.mud.bob.com using SMTP. The message was received on Tue, 30 Nov 2010 at 07:36:34. The clock is 8 hrs behind Greenwich Mean Time.

Item 13 is the first Received header field, representing the trace information indicating MTBLAPTOP as the name of the machine that sent the message. This machine is not known to the receiver but has IP address a1.b1.c1.d1. [email protected] is the owner of the mailbox who has sent the message. The MTA must follow some authentication mechanism to identify its mailbox users; otherwise it is not possible to include the authenticated sender’s mailbox address in the Received field. The message has been received by mailbox-us-s-7b.xyz.com using the ESMTPA protocol, running a program called Postfix. The message is for [email protected] and has an ID of 8F0AE139002E. The message was received on Tue, 30 Nov 2010 at 15:36:23. The clock is set according to Greenwich Mean Time.

The From, Subject and To lines respectively are the e-mail address of the author, the subject of the message, and the e-mail address of the intended recipient. Subject and To are specified by the sender, and the From address is taken by the system from the currently logged-in user. However, the From header can very easily be spoofed, as has been done in this sample e-mail. Items 14, 15 and 16 in the sample e-mail show the values of these three fields. The From address has been spoofed to carry the address [email protected] with the user-friendly name Alice.

Content-Type, MIME-Version, Content-Transfer-Encoding and Content-Length in items 17, 18, 19 and 20 are the MIME headers describing the type of MIME content, the transfer encoding, its version and length, so that MUAs can perform proper decoding to render the message successfully on the client.

Reply-To is the address the sender of this e-mail wants the recipient to use for sending a reply in response to this e-mail. Normally, this is the address used to send replies. Carefully crafted sender spoofing combined with a fake Reply-To e-mail address can lead to serious information leaks. The Reply-To address "Smith" [email protected] in item 21 is an arbitrary address that may belong to some user who may not be related to the sender in any way.

The Organization header field indicates that the organization of the claimed sender is Alice's Organization. The Organization header field is an information field representing the organization of a sender. It can be misused by a spammer to give a false impression about a sender, as has been done in this e-mail.

The Date header indicates that the e-mail was composed and submitted for delivery on Tue, 28 Nov 2010 21:06:22 +0530, which is not in conformity with the dates in the Received fields (item 23). The Return-Receipt-To field indicates the e-mail address that the MSA, MTA and MDA must use for sending delivery notifications such as success or failure notifications. The address mentioned for this field in item 24 is again an arbitrary address that may belong to some user who may not be related to the sender in any way. The Disposition-Notification-To field indicates an e-mail address that the MUA must use when submitting a message indicating that the message has been displayed. The address specified in item 25 is also an arbitrary address that may belong to some user who may not be related to the sender in any way. Item 26 contains the Message-Id of the message, which is [email protected]. Generally, a domain name is appended with a unique number by the sending server to form the Message-Id.

In the above sample e-mail message, several fields have been spoofed, which can be detected easily because the first Received field shows the address of the authenticated sender, which is different from the sender of the message. However, the address of the authenticated sender may not always be included with the authentication results (in case no authentication mechanism is adhered to, or anonymizers strip this line). Further, the date is also inconsistent, as can be noted from the comparison of the timestamps in the Received headers and the Date field. Some header fields with respect to authentication and the above-analysed e-mail message are discussed further below:

SPF mechanisms can be used to describe the set of hosts which are designated outbound mailers for the domain. Besides success or failure, the test may also result in softfail, neutral, none, permerror or temperror. For example, a successful Received-SPF entry could be as follows:

Received-SPF: pass (mta1104.mail.mud.xyz.com: domain of [email protected] designates a2.b2.c2.d2 as permitted sender)

Here, the mta1104.mail.mud.xyz.com MTA notifies its recipient through Received-SPF that the domain of [email protected], i.e. xyz.com, which has IP address a2.b2.c2.d2, is a permitted sender designated by the Sender Policy Framework. In case the domain alice.com had used DomainKeys and been DKIM compliant, and had passed these tests, the result could have been as follows:

Authentication-Results: mta1294.mail.mud.bob.com from=alice.com; domainkeys=pass (ok); from=a.com; dkim=pass (ok)

In this case, it could have included DKIM-Signature and/or DomainKey-Signature fields as follows:

DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=alice.com; h=from:to:subject:date:message-id:content-type q=dns/txt; s=s512; bh=XX…………=; b=XXX………==;

This is the DKIM signature, signed with the SHA1 algorithm. DKIM uses the email headers and body to generate a signature. If the headers are rewritten or text is appended to the message body after it has been signed, the DKIM verification fails. DKIM is backward compatible with the DomainKeys system. When an email message is signed with DKIM, it will include a number of “tags” whose values contain authenticating data for the message being sent. In the example email header in figure 3, the tags used are:

• v= This tag defines the version of this specification that applies to the signature record.
• a= The algorithm used to generate the signature (plain-text; REQUIRED). It supports "rsa-sha1" and "rsa-sha256"; signers usually sign using "rsa-sha256".
• c= The canonicalization algorithm, i.e. the method by which the headers and content are prepared for presentation to the signing algorithm.
• d= The domain name of the signing domain.
• h= A colon-separated list of header field names that identify the header fields presented to the signing algorithm.
• q= The query method used to retrieve the public key, which by default is dns.
• s= The selector used in the public key.
• bh= The signature data or public key, encoded as a Base64 string.

The example of a DomainKeys signature is given below. The DomainKeys signature has been signed with the SHA1 algorithm.

DomainKeys-Signature: a=rsa-sha1; q=dns; c=simple; s=s512; d=alice.com; b=XXX……………………………==;

When an e-mail message is signed with DomainKeys, it will include a number of “tags” whose values contain authenticating data for the message being sent. In the example above, the tags used are:

• a= The encryption algorithm used to generate the signature, which by default is "rsa-sha1".
• q= The query method used to retrieve the public key, which by default is dns.
• c= The canonicalization algorithm, i.e. the method by which the headers and content are prepared for presentation to the signing algorithm.
• s= The selector used in the public key.
• d= The domain name of the signing domain.
• b= The signature data or public key, encoded as a Base64 string.

The Date header represents the date the e-mail was composed and submitted for delivery. However, this field can also be spoofed, as has been done in this sample e-mail message. It can be easily noticed by comparing its value in item 23 with the dates in the Received header fields. Message-Id is the message identification attached to the e-mail message. Every e-mail has a unique message ID that helps the administrators to locate the e-mail in the server log. Usually every sending server uses its own custom algorithm to generate this unique number and appends the domain name to it to make it unique on the internet. This ID can also help to identify the domain of the sender, but it can also be forged to confuse the investigators.
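As an added example (not part of the module or of any tool it names), the following Python code parses the tag lists of DKIM-Signature and DomainKeys-Signature headers and the results carried in Received-SPF and Authentication-Results headers, and lists the points an examiner should note; the header values used are constructed after the examples above, with placeholder selector, domain and signature bytes.

```python
"""Added example: tag-list parsing for DKIM/DomainKeys signatures and result
extraction from Received-SPF / Authentication-Results headers. Not taken from
the module; the sample values used in comments and tests are constructed."""
import re
from typing import Dict, List, Optional

# Tags that RFC 6376 requires in every DKIM-Signature header.
DKIM_REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")
# The SPF results named in the text (and in RFC 7208).
SPF_RESULTS = ("pass", "fail", "softfail", "neutral", "none",
               "permerror", "temperror")


def parse_tag_list(value: str) -> Dict[str, str]:
    """Turn 'v=1; a=rsa-sha256; ...' into {'v': '1', 'a': 'rsa-sha256', ...}.
    Folding whitespace inside long b= / bh= values is discarded."""
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def review_dkim_signature(value: str) -> Dict[str, object]:
    """Summarise a DKIM-Signature value and note what an examiner should check."""
    tags = parse_tag_list(value)
    findings: List[str] = []
    missing = [t for t in DKIM_REQUIRED if t not in tags]
    if missing:
        findings.append("missing required tags: " + ", ".join(missing))
    algo = tags.get("a", "")
    if algo == "rsa-sha1":
        findings.append("rsa-sha1 is obsolete (RFC 8301); verifiers must not accept it")
    elif algo not in ("rsa-sha256", "ed25519-sha256"):
        findings.append(f"unrecognised algorithm {algo!r}")
    # h= lists the signed header fields; RFC 6376 requires From among them.
    signed = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    if "from" not in signed:
        findings.append("From is not among the signed headers")
    domain, selector = tags.get("d"), tags.get("s")
    return {
        "domain": domain,
        "selector": selector,
        "algorithm": algo,
        "signed_headers": signed,
        # DNS name the verifier queries for the public key: selector._domainkey.domain
        "key_record": f"{selector}._domainkey.{domain}" if domain and selector else None,
        "findings": findings,
    }


def parse_received_spf(value: str) -> Dict[str, Optional[str]]:
    """Received-SPF: <result> (<comment>) ... -> result, comment, designated IP."""
    m = re.match(r"\s*([A-Za-z]+)\s*(?:\((.*?)\))?", value, re.S)
    result = m.group(1).lower() if m else ""
    comment = m.group(2).strip() if m and m.group(2) else None
    designated = None
    if comment:
        ipm = re.search(r"designates\s+(\S+)\s+as permitted sender", comment)
        designated = ipm.group(1) if ipm else None
    return {"result": result if result in SPF_RESULTS else "unknown",
            "comment": comment, "designated_ip": designated}


def parse_authentication_results(value: str) -> Dict[str, str]:
    """'authserv-id; method=result (comment); ...' -> {'authserv-id': ..., method: result}."""
    no_comments = re.sub(r"\([^)]*\)", "", value)
    head = no_comments.split(";")[0].split()
    out = {"authserv-id": head[0] if head else ""}
    for method, result in re.findall(r"([\w-]+)=([^\s;]+)", no_comments):
        if method.lower() in ("spf", "dkim", "domainkeys", "dmarc"):
            out[method.lower()] = result.lower()
    return out
```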
The first Received header field representing the trace information contains the IPaddress of the machine used to send the e-mail message. On tracking this IPaddress several cases as explained below are possible: i. The IP address in the Received header field maps to directconnection having a static IP address. In this case, this address isthe address of the sender’s computer. However, if the IP address isdynamic then the logs of the proxy or SMTP server need to beobtained for continuing the e-mail tracking. ii. The IP address contained in the Received header corresponds tosome proxy server. In this case, proxy server’s log must be obtainedto track the sender. Open proxy server may raise some issues for theinvestigators because they do not maintain a strict log of activities.In case SSL is used to log on to HTTP based e-mail server, proxycannot be an issue because IP address of the client shall berecorded. Corporate proxy servers may not be strictly timesynchronized as they may be using Network Time Protocol (NTP)and thus may impede the investigation. ISP proxy servers usuallymaintain a strict and time synchronized log (usingSTIME protocol)and have a clear devised policy to cooperate with the investigators. iii. The tracked IP address maps to some tunnelling server. In this case,tracking source of e-mail will be difficult because tunnelling maybe done in different ways and some are not logged. iv. The IP address in the Received header field maps to SMTP server.In this case, the SMTP server log must be obtained. IP address maymap to SMTP server belonging to ISP, or some corporate or anopen relay. In all cases, logs stored must be obtained. If the logs arestrictly time synchronized, then the sender can be tracked easily.ISP and corporate SMTP servers can provide further details aboutthe particular user such as his contact details and credit card number. v. The IP address contained in the Received field resolves to Annomizers or re-mailers. 
In this case investigators must obtain the logs and the original e-mail message from the anonymizing SMTP or HTTP servers. Further, if the anonymity is a paid service, the user's account details must also be obtained. It is also possible for the sender to add one or more false Received headers in the data portion of the message with the intention of misleading the investigation; because every MTA prepends its own Received field, such planted lines end up below the genuine ones. Investigators must therefore pay careful attention to all fields of the Received headers with respect to each other, especially the delivery methods (the "by ... with ..." clauses) and the date and time stamps. If the delivery methods vary or the date and time differ considerably from hop to hop, false headers can be identified easily. Otherwise the investigators will have to follow up all the IP addresses and request logs from all the servers. It may be very difficult to track a sender from the IP address if the sender has tampered with the IP address at packet level. Once the source of the e-mail message under investigation has been determined, or someone is strongly suspected of being the source, his or her computer, e-mail client software, web browser, etc. are investigated for traces of evidence.
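The checks described above can be carried out mechanically. The script below is an added example, not part of this module or of any tool it names: it parses each Received field of a constructed message (documentation addresses 198.51.100.x, 203.0.113.x and 192.0.2.x, hostnames under .example), trusts the chain from the recipient's own server downwards, stops at the first hop whose "by" host or timestamp does not fit the hop above it, and compares the sender-written Date header with the final Received stamp. The bottom Received line of the sample is a planted one of the kind the text describes.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Added example: walk the Received chain of a message, trust it from the
# recipient's own server downwards, stop at the first hop that does not fit,
# and cross-check the sender-supplied Date header against the trace.

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Extract the handing-off host's bracketed IP, the 'by' host and the
    timestamp (text after the last ';') from one Received field."""
    flat = " ".join(value.split())  # unfold continuation lines
    clause, _, stamp = flat.rpartition(";")
    ip = IP_RE.search(clause)
    by = re.search(r"\bby\s+([^\s;]+)", clause)
    try:
        when = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        when = None
    return {"from_ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "time": when, "raw": flat}


def trace(raw_message: str, tolerance: timedelta = timedelta(minutes=5)) -> dict:
    msg = message_from_string(raw_message)
    # Every MTA prepends its own Received field, so the top one was written by
    # the recipient's server (most trustworthy) and the bottom one is closest
    # to the sender, which is also where planted lines end up.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    trusted, warnings = [], []
    for i, hop in enumerate(hops, start=1):
        if trusted:
            above = trusted[-1]
            problems = []
            # the server this hop says it was received 'by' must be the 'from'
            # host named by the hop directly above it (loose substring match)
            if hop["by"] and hop["by"].lower() not in above["raw"].lower():
                problems.append(f"'by {hop['by']}' is not the 'from' host of the hop above")
            # a hop cannot have been stamped after the server that received it
            if hop["time"] and above["time"] and hop["time"] > above["time"] + tolerance:
                problems.append("stamped later than the hop above")
            if problems:
                warnings.append(f"Received #{i}: " + "; ".join(problems)
                                + "; treating it and everything below as forged")
                break
        trusted.append(hop)
    # Date is written by the sender's client; compare it with the stamp of the
    # recipient's own server, the one field the sender could not influence.
    if hops and hops[0]["time"] and msg.get("Date"):
        try:
            skew = hops[0]["time"] - parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            skew = None
        if skew is not None and abs(skew) > timedelta(hours=24):
            warnings.append(f"Date header is {skew} off the final Received stamp; "
                            "Date is sender-controlled and may be spoofed")
    origin = trusted[-1] if trusted else None
    return {"origin_ip": origin["from_ip"] if origin else None,
            "trusted_hops": len(trusted), "warnings": warnings}


# Constructed sample: three genuine hops plus a planted bottom Received line
# and a back-dated Date header.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
        by mail.example.net with ESMTP id abc123
        for <bob@example.net>; Mon, 05 Feb 2024 10:32:10 +0000
Received: from smtp.alice-mail.example (smtp.alice-mail.example [203.0.113.7])
        by mx2.example.net with ESMTPS id def456; Mon, 05 Feb 2024 10:32:05 +0000
Received: from [192.0.2.33] (helo=alice-laptop)
        by smtp.alice-mail.example with ESMTPA id ghi789; Mon, 05 Feb 2024 10:31:58 +0000
Received: from mail.big-bank.example (mail.big-bank.example [10.0.0.5])
        by relay.example.org with SMTP; Mon, 05 Feb 2024 12:00:00 +0000
Date: Fri, 02 Feb 2024 09:00:00 +0000
From: "Big Bank" <alerts@big-bank.example>
To: bob@example.net
Subject: account notice
Message-ID: <20240205103158.ghi789@smtp.alice-mail.example>

Your account needs attention.
"""

if __name__ == "__main__":
    for key, val in trace(SAMPLE).items():
        print(key, val)
```

With the planted line present, the trace stops at the genuine origin hop (192.0.2.33) and reports both the inconsistent fourth Received field and the three-day Date discrepancy; the 10.0.0.5 address the planted line names is never treated as the origin. The "by"/"from" comparison is deliberately a loose substring match; in practice the "with" (delivery method) clauses and the server's own logs should be compared as well.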

10.12.4 Instant Messages

Instant Messages (IM), mostly referred to as chats, have become very popular among users. E-mails are mostly tied to inboxes, whereas IMs are based on text cells or forms. Texting on mobile devices has become very popular nowadays with apps like WhatsApp.

IMs too are very important to forensic examiners, because companies now use this form of communication for real-time customer service and internal business communication. From the user's perspective, IMs are used to chat about everything from recipes to personal attributes and opinions. Chats are relayed by way of a server, and the same goes for IMs: IM software is structurally the same as an e-mail system, the only difference being that IMs take place in real time, so it is necessary to log the data (the communication) as it is being typed. Recovering chat sessions is a matter of chance, because the caching behaviour of the computer is what allows a chat session to be re-created. Some IM software logs conversations, but generally people do not activate the logs. IMs are migrating to mobile devices (Google Hangouts, WhatsApp, etc.), and IMs on mobiles are somewhat different from those on desktop computers. Mobile devices have fewer resources and less power than conventional desktop computers and therefore use memory differently. They do not cache data in the same way as desktops; hence retrieving chats from mobile devices is much more difficult. If the IMs are being recorded, all the chats can be obtained; otherwise, given the power and other limitations, logging the activity on the client device may help, but finding a complete conversation in memory is almost impossible unless chat logging is enabled.

10.13 EMAIL FORENSIC TOOLS

Various software tools have been developed to assist e-mail forensic investigation. These include eMailTrackerPro (http://www.emailtrackerpro.com/), EmailTracer (http://www.cyberforensics.in), Adcomplain (http://www.rdrop.com/users/billmc/adcomplain.html), Aid4Mail Forensic (http://www.aid4mail.com/), AbusePipe (http://www.datamystic.com/abusepipe.html), AccessData's FTK (www.accessdata.com/), EnCase Forensic (http://www.guidancesoftware.com), FINALeMAIL (http://finaldata2.com), Sawmill-GroupWise (http://www.sawmill.net), Forensics Investigation Toolkit (FIT) (http://www.edecision4u.com/FIT.html), Paraben (Network) E-mail Examiner (http://www.paraben.com/email-examiner.html), etc. These tools analyse the headers of e-mail messages to determine the IP address of the originating machine. They often have abuse-reporting features and e-mail classification options, and support multiple encryption products such as Credant, SafeBoot, Utimaco, EFS, PGP, GuardianEdge, Sophos Enterprise and S/MIME. The e-mail types currently supported by such tools include Lotus Notes NSF, Outlook PST/OST, Exchange EDB, Outlook Express DBX, Eudora, EML (Microsoft Internet Mail, Earthlink, Thunderbird, Quickmail, etc.), Netscape, AOL and plain RFC 822 text. Some of these tools claim to have been vetted by courts as standard digital investigation platforms. We will discuss eMailTrackerPro and EmailTracer in a little more detail.

10.13.1 eMailTrackerPro

E-mail tracking is a method for monitoring the delivery of an e-mail to its intended recipient. Most tracking technologies use some form of digitally time-stamped record to reveal the exact time and date at which an e-mail was received or opened, as well as the IP address of the recipient.

E-mail tracking is useful when the sender wants to know whether the intended recipient actually received the e-mail, or whether they clicked the links. However, because of the way the technology works (typically a remotely loaded image or a rewritten link), e-mail tracking cannot be considered an absolutely accurate indicator that a message was opened or read by the recipient. eMailTrackerPro Standard lets you trace an e-mail back to its source, while also scanning each e-mail message to filter out spam and harmful payloads.

Using the information contained in the e-mail header, eMailTrackerPro Standard can locate the city or town that an e-mail originated from, and provides the Whois information you can use to report abuse. The procedure is as follows:

1. Trace an e-mail using the header: To make the best use of eMailTrackerPro it is important to trace the e-mail header, not the e-mail address. An e-mail address such as [email protected] will just run a trace on hotmail.com, and every single time you will get the same result. An e-mail header is a virtual footprint telling the user where an e-mail has travelled; each step along the way is recorded. Spammers often try to remove or add lines to confuse where it was sent from. eMailTrackerPro can pick up on patterns and inconsistencies and mark the e-mail as suspected spam; this is not an exact science, so anomalies can occur. An example header can be seen on the right, split up into separate lines for readability.
2. Report abuse: Abuse reporting is a useful feature for users who want to take a more proactive approach to dealing with spam. eMailTrackerPro auto-generates an abuse report and opens a new e-mail (this may not work for all e-mail clients) with the 'To' address filled in with the abuse address detected for the sending provider (as shown on the right). Once the abuse report has been sent to the e-mail provider, it is up to them to take the next steps to shut the account down. Each account that gets shut down is one more step towards stopping spam in the long run.
3. Spam filter and bulk tracing: Besides marking suspected spam as described above, eMailTrackerPro can trace more than one IP address or domain name at a time. Trace as many IP addresses and domain names as required and output the results either to a new tab or to an Excel/HTML file.

10.13.2 Online EmailTracer

The Resource Centre for Cyber Forensics (RCCF) is a pioneering institute pursuing research in the area of cyber forensics. The centre was dedicated to the nation by the then Honourable Union Minister in August 2008. EmailTracer, developed at RCCF, is a tool to track an e-mail sender's identity. It analyses the e-mail header and gives the complete details of the sender: the originating IP address, which is the key to identifying the culprit, the route followed by the mail, the mail server, details of the service provider, etc. EmailTracer traces only up to the Internet Service Provider level; further tracing has to be done with the help of the ISP and law enforcement agencies. The Message-ID is useful for analysing the mail logs at the ISP.

10.14 SUMMARY

1. An e-mail message consists of two main sections: the header and the body.
2. A typical e-mail header contains the From, To, Subject and Date fields.
3. E-mail addresses are always made up of a username followed by an @ sign and a domain name, for instance username@domainname.
4. The body of the message contains the information that the recipients have to read.
5. The basic components of an e-mail system are: User Agent (UA), Message Transfer Agent (MTA), Message Access Agent (MAA), spool file and mailbox.
6. The Message Transfer Agent (MTA) is a server program that is responsible for transferring e-mail messages from one system to another.
7. The delivery of an e-mail message from one MTA to another MTA is done through the Simple Mail Transfer Protocol (SMTP).
8. The Message Access Agent (MAA) is a server program which pulls messages from the message store (the mailbox) and delivers them to the recipient's user agent.
9. The two well-known MAA protocols are Post Office Protocol version 3 (POP3) and Internet Message Access Protocol (IMAP).
10. A mailbox is the storage location of e-mail messages; it exists on a remote server.
11. The e-mail system uses three protocols for message communication: SMTP, POP3 and IMAP.
12. SMTP employs three phases: connection establishment, mail transfer and connection termination.
13. SMTP uses commands and responses to transmit the message between an MTA client and an MTA server.
14. A POP3 session has three phases: authorization, transaction and update.
15. DNS translates domain names to IP addresses and vice versa; its Mail eXchange (MX) record tells a sending MTA which host accepts mail for a domain.
16. An e-mail attack may be described as an event in which e-mail is used to damage or harm an individual or an organization.
17. E-mail security is a term describing the procedures and techniques for protecting sensitive information in e-mail communication: protecting user accounts against unauthorized access, spam filtering, prevention of data loss or compromise, e-mail encryption, and so on.
18. The law now gives importance to e-mails and reviews them with a lot of attention.
19. E-mail services can be web-based e-mail, POP3 e-mail services, IMAP e-mail services or MAPI e-mail servers. The most widely used protocol for sending e-mail is SMTP.
20. E-mail attacks and crimes include flaming, e-mail spoofing, e-mail bombing, e-mail hacking, spam, e-mail fraud and phishing.
21. E-mail privacy is the broad topic dealing with issues of unauthorized access to and inspection of electronic mail.
22. The parts of an e-mail that are of interest to investigators are the header, the body, the information carried in the e-mail packets, and the attachments.
23. E-mail forensics involves capturing, securing, analysing and reporting e-mail evidence; it aims to study the source and contents of e-mail messages for evidence.
24. Various software tools have been developed to assist e-mail forensic investigation, including eMailTrackerPro and EmailTracer.

10.15 CHECK YOUR PROGRESS

1. SMTP is a simple

a) TCP protocol b) UDP protocol c) IP protocol d) None of the above

2. A simple protocol used for fetching e-mail from a mailbox is

a) CIMP b) POP3 c) SMTP d) None of the above

3. E-mail address is made up of

a) Single part b) Two parts c) Three parts d) Four parts

4. SMTP stands for

a) Short Mail Transmission Protocol b) Small Mail Transmission Protocol c) Server Mail Transfer Protocol d) Simple Mail Transfer Protocol

5. E-mail addresses separate the user name from the domain name using the ______ symbol.

a) & b) $ c) @ d) %

Answers:

1. (a) 2. (b) 3. (b) 4. (d) 5. (c)

10.16 MODEL QUESTIONS

1. Describe briefly UA, MTA and MAA.
2. Why do we need SMTP and IMAP for electronic mail?
3. Write the differences between POP3 and IMAP.
4. Describe the working of electronic mail.
5. Write the advantages and disadvantages of e-mail.
6. What is DNS and what is its purpose?
7. Explain the e-mail architecture and its components using a neat diagram.
8. Write about the different types of e-mail attacks.
9. Write some important best practices that an organization should follow to ensure secure usage of e-mail.
10. Write some important best practices that individual users (organization employees) should follow to ensure secure usage of e-mail.
11. Describe the structure of SMTP messaging with a neat diagram.
12. Which headers in an SMTP message are useful in tracing a sender's identity?
13. List and describe at least four e-mail attacks.
14. How is privacy a big issue in e-mailing?
15. What are the various types of e-mail services?

10.17 FURTHER READINGS

1. Debra Littlejohn Shinder, Michael Cross, Scene of the Cybercrime, Syngress.
2. Linda Volonino, Reynaldo Anzaldua, Computer Forensics For Dummies, Wiley Publishing, Inc.
3. Carlos A. Gutiérrez, Web Services Security Development and Architecture: Theoretical and Practical Issues, IGI Global, 2010.

References, Article Source & Contributors
[1] Email - Wikipedia, the free encyclopedia, https://en.m.wikipedia.org/wiki/Mail_headers
[2] Email privacy - Wikipedia, the free encyclopedia, https://en.wikipedia.org/wiki/Email_privacy
[3] Email tracking - Wikipedia, the free encyclopedia, https://en.wikipedia.org/wiki/Email_tracking
[4] E-mail: Message Format | World4Engineers, world4engineers.com/e-mail-message-format/
[5] EMailTracer, http://www.cyberforensics.in/OnlineEmailTracer/index.aspx
[6] M. Tariq Banday, Techniques and Tools for Forensic Investigation of E-Mail, International Journal of Network Security & Its Applications (IJNSA), Vol. 3, No. 6, November 2011
[7] Phishing - Wikipedia, the free encyclopedia, https://en.wikipedia.org/wiki/Phishing

EXPERT PANEL

Dr. Jeetendra Pande, Associate Professor- Computer Science, School of Computer Science & IT, Uttarakhand Open University, Haldwani

Dr. Ajay Prasad, Sr. Associate Professor, University of Petroleum and Energy Studies, Dehradun

Dr. Akashdeep Bharadwaj, Professor, University of Petroleum and Energy Studies, Dehradun

Mr. Sridhar Chandramohan Iyer, Assistant Professor- Universal College of Engineering, Kaman, Vasai, University of Mumbai

Mr. Rishikesh Ojha, Digital Forensics and eDiscovery Expert

Ms. Priyanka Tewari, IT Consultant

Mr. Ketan Joglekar, Assistant Professor, GJ College, Maharashtra

Dr. Ashutosh Kumar Bhatt, Associate Professor, Uttarakhand Open University, Haldwani

Dr. Sangram Panigrahi, Assistant Professor, Siksha 'O' Anusandhan, Bhubaneswar

This MOOC has been prepared with the support of

© Commonwealth Educational Media Centre for Asia , 2021. Available in Creative Commons Attribution-ShareAlike 4.0 International license to copy, remix and redistribute with attribution to the original source (copyright holder), and the derivative is also shared with similar license.