[conspire] Case study in modern forgery of SMTP headers

Rick Moen rick at linuxmafia.com
Tue Nov 3 18:38:02 PST 2015


Two forwarded messages.  The first is scam-mail, and the second 
is my analysis of it.  Simultaneous to the cited scam-mail to the BASFA
mailing list, several other mailing lists to which forged sender Michael
Siladi subscribes _also_ received pretty much identical forgeries 
claiming to be from him.


----- Forwarded message from artshow15 <msiladi at ix.netcom.com> -----

Return-path: <basfa-bounces at lists.basfa.org>
Envelope-to: rick at linuxmafia.com
Delivery-date: Tue, 03 Nov 2015 17:02:56 -0800
Received: from che.dreamhost.com ([66.33.216.23])
	by linuxmafia.com with esmtp (Exim 4.72)
	(envelope-from <basfa-bounces at lists.basfa.org>)
	id 1ZtmTU-00008Z-8E
	for rick at linuxmafia.com; Tue, 03 Nov 2015 17:02:55 -0800
Received: from che.dreamhost.com (localhost [127.0.0.1])
	by che.dreamhost.com (Postfix) with ESMTP id B89CA1040F;
	Tue,  3 Nov 2015 17:02:51 -0800 (PST)
X-Original-To: basfa at lists.basfa.org
Received: from homiemail-mx30.g.dreamhost.com (44gallery.info.brontes.org
	[69.163.253.137])
	by che.dreamhost.com (Postfix) with ESMTP id 484DD103D7
	for <basfa at lists.basfa.org>; Tue,  3 Nov 2015 17:02:50 -0800 (PST)
Received: from madmax.dreamhost.com (caiajhbdcbdj.dreamhost.com
	[208.97.132.139])
	by homiemail-mx30.g.dreamhost.com (Postfix) with ESMTP id
	17CE310218CF1
	for <basfa at basfa.org>; Tue,  3 Nov 2015 17:02:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
	by madmax.dreamhost.com (Postfix) with ESMTP id D419C25C632F
	for <basfa at basfa.org>; Tue,  3 Nov 2015 17:02:49 -0800 (PST)
X-DH-Virus-Scanned: Debian amavisd-new at madmax.dreamhost.com
Received: from godfather.dreamhost.com ([208.97.132.17])
	by localhost (madmax.dreamhost.com [208.97.132.139]) (amavisd-new,
	port 10024) with ESMTP id 7fQmetxqw9VP for <basfa at basfa.org>;
	Tue,  3 Nov 2015 17:02:49 -0800 (PST)
Received: from on6.server6.gr (on6.server6.gr [5.172.198.95])
	by godfather.dreamhost.com (Postfix) with ESMTP id 6EC981EC035
	for <basfa at basfa.org>; Tue,  3 Nov 2015 17:02:49 -0800 (PST)
Received: from [179.218.66.168] (port=59987 helo=WIN-NPPN1JPV75J)
	by on6.server6.gr with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.86) (envelope-from <msiladi at ix.netcom.com>)
	id 1ZtmTN-000qt5-BW; Wed, 04 Nov 2015 03:02:46 +0200
From: artshow15 <msiladi at ix.netcom.com>
To: BASFA <basfa at basfa.org>, Brenna <bsilbory at gmail.com>,
	"Christopher J. Garcia" <garcia at computerhistory.org>,
	melchar <melchar at gmail.com>
Date: Tue, 3 Nov 2015 17:02:33 -0800
Message-ID: <0000d91e4bf8$215a7a9a$5af8d9ed$@ix.netcom.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdEmwXvQ3d3UsnbLu0mAKAhK2hojEA==
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse,
	please include it with any abuse report
X-AntiAbuse: Primary Hostname - on6.server6.gr
X-AntiAbuse: Original Domain - basfa.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ix.netcom.com
X-Get-Message-Sender-Via: on6.server6.gr: authenticated_id: info at roidosins.gr
X-Authenticated-Sender: on6.server6.gr: info at roidosins.gr
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-BeenThere: basfa at lists.basfa.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <basfa-basfa.org>
List-Unsubscribe: <http://lists.basfa.org/options.cgi/basfa-basfa.org>,
	<mailto:basfa-request at lists.basfa.org?subject=unsubscribe>
List-Archive: <http://lists.basfa.org/private.cgi/basfa-basfa.org/>
List-Post: <mailto:basfa at lists.basfa.org>
List-Help: <mailto:basfa-request at lists.basfa.org?subject=help>
List-Subscribe: <http://lists.basfa.org/listinfo.cgi/basfa-basfa.org>,
	<mailto:basfa-request at lists.basfa.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0902363824=="
Errors-To: basfa-bounces at lists.basfa.org
Sender: Basfa <basfa-bounces at lists.basfa.org>
X-SA-Exim-Connect-IP: 66.33.216.23
X-SA-Exim-Mail-From: basfa-bounces at lists.basfa.org
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on linuxmafia.com
X-Spam-Level: *
X-Spam-Status: No, score=1.0 required=4.0 tests=AXB_XRCVD_ROBOT02,BAYES_00,
	HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
	RCVD_IN_DNSWL_LOW autolearn=no version=3.3.1
Subject: [Basfa] Fw: new message
X-SA-Exim-Version: 4.2.1 (built Tue, 21 Aug 2007 23:39:36 +0000)
X-SA-Exim-Scanned: Yes (on linuxmafia.com)

Hello!

 

New message, please read   [RM: snipping from here the scam-mail payload, 
which was a Web URL]

 

artshow15


_______________________________________________
Basfa mailing list
Basfa at lists.basfa.org
http://lists.basfa.org/listinfo.cgi/basfa-basfa.org


----- End forwarded message -----
----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Tue, 3 Nov 2015 18:30:42 -0800
From: Rick Moen <rick at linuxmafia.com>
To: Geo Mealer <geo at snarksoft.com>
Cc: Michael Siladi <msiladi at ix.netcom.com>
Subject: [Basfa] Fw: new message
Organization: If you lived here, you'd be $HOME already.

[offlist to Geo Mealer and Michael Siladi, commenting on traffic to
basfa at lists.basfa.org]

Geo wrote:

> Looks like there was an email compromise.

Please don't be offended, but I believe this is a guess on your part.
If you don't mind, I'll do header analysis to investigate:


> Please ignore the last two messages (and don't click on the
> links--Google flags them as malware!)
> 
> I'll contact the account holder off-list.


I see that lists.basfa.org is hosted on a Dreamhost IP address.  
Therefore, to see what's going on, note the IPs in the Received 
headers prior to the first Dreamhost one.  Skipping to the first
Dreamhost header:

Received: from godfather.dreamhost.com ([208.97.132.17])
	by localhost (madmax.dreamhost.com [208.97.132.139]) (amavisd-new,
	port 10024) with ESMTP id 7fQmetxqw9VP for <basfa at basfa.org>;
	Tue,  3 Nov 2015 17:02:49 -0800 (PST)
Received: from on6.server6.gr (on6.server6.gr [5.172.198.95])
	by godfather.dreamhost.com (Postfix) with ESMTP id 6EC981EC035
	for <basfa at basfa.org>; Tue,  3 Nov 2015 17:02:49 -0800 (PST)
Received: from [179.218.66.168] (port=59987 helo=WIN-NPPN1JPV75J)
	by on6.server6.gr with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.86) (envelope-from <msiladi at ix.netcom.com>)
	id 1ZtmTN-000qt5-BW; Wed, 04 Nov 2015 03:02:46 +0200

(Further down means earlier hops the mail took.)

Dreamhost received it from IP 5.172.198.95.  Using 'dig' (rather than
trusting the domain names shown in the Received header), one can
verify that it really is an IP at an ISP in Greece:

$ dig -x 5.172.198.95 +short
on6.server6.gr.
$

Any Received headers past the last one we know for certain is genuine
_could_ be forged and inserted among other genuine ones by
scammers/spammers.  The IP that hands off to Dreamhost (5.172.198.95) 
is that last 100% certain unforged header.  _However_, it's rare that 
scammers/spammers bother to forge Received headers.  So:

79.218.66.168 is the previous and _first_ Received hop.  

$ dig -x 79.218.66.168 +short
p4FDA42A8.dip0.t-ipconnect.de.
$ 

It's in Germany (.de).  The 'dip0' probably indicates 'dialup IP', 
and the 'helo=WIN-NPPN1JPV75J' SMTP greeting data suggests the machine
dropping off the scam-mail from client port 59987/TCP to server port
25/TCP (the SMTP port) at the ISP dial-up connection in Germany 
claims to be a Windows desktop box.  

Which I can readily believe, as there are millions of malware-infected
MS-Windows machines on the Internet, pumping out spam and scam-mail for
criminals who operate them as parts of botnets.  In this case, it's a
probable Windows box connecting to a dial-up ISP in Germany.

Michael Siladi is an SFF convention runner in Mountain View, California.
I have extreme doubt that his e-mail address is compromised, and none of
the evidence so suggests.  Nor is it credible that any machine with
access to his e-mail is dropping off mail by dial-up to an ISP in
Germany.

Instead, what is happening here is _forgery_.  Both the 'From:' internal
sender header and the 'From ' SMTP envelope header have been _forged_ 
to say 'msiladi at ix.netcom.com' -- but this mail did not come from
msiladi at ix.netcom.com, and didn't go anywhere near Netcom.

Moreover, Dreamhost appended these diagnostic headers when the mail
transited through its systems:


X-AntiAbuse: This header was added to track abuse,
	please include it with any abuse report
X-AntiAbuse: Primary Hostname - on6.server6.gr
X-AntiAbuse: Original Domain - basfa.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ix.netcom.com
X-Get-Message-Sender-Via: on6.server6.gr: authenticated_id: info at roidosins.gr
X-Authenticated-Sender: on6.server6.gr: info at roidosins.gr


See that?  It reached Dreamhost from on6.server6.gr.  Not from Michael
Siladi's mailbox, not from Netcom at all.

Now, a significant question is why Dreamhost accepted mail from
on6.server6.gr as being a valid SMTP sender for ix.netcom.com's e-mail.
Examination shows why:  Netcom is not yet bothering to provide
authentication data in the form of SPF or DKIM records.

SPF and DKIM are two ways of indicating, in a 'TXT' (freeform) DNS
record published by a domain, what SMTP sending locations should be
considered authentic.  Here is an example SPF record in my own domain's 
DNS:

$ dig -t txt linuxmafia.com +short
"v=spf1 a mx -all"
$

Translated into English, this says 'You should regard as an authentic 
sending source for linuxmafia.com mail any host that either
linuxmafia.com's "A" record or its "MX" record points to, and no
others.'

Making that same check for netcom.com reveals that Netcom still
publishes no such information.  Hence, nobody operating an SMTP server
(as Dreamhost does) can weed out imposters impersonating netcom.com 
senders like Michael Siladi.

Michael had nothing to do with this -- and cannot prevent recurrences.
A computer criminal did, and Netcom behaving like it's still 1995
(failing to publish SMTP authentication data) definitely didn't help.


The interesting part of this is that the scammer/spammer shows signs of
having harvested significant data about Michael's correspondents.
This probably was harvested by (once again) a malware-infected
MS-Windows box belonging to someone Michael corresponds with.

I hope this helps.

-- 
Cheers,                        My pid is Inigo Montoya.  You kill -9    
Rick Moen                      my parent process.  Prepare to vi.
rick at linuxmafia.com
McQ!  (4x80)

----- End forwarded message -----
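Added example (not part of Rick's message or the original thread): the Received-chain walk described in the analysis above, done programmatically. The header block is copied from the forged message above (with the archive's " at " restored to "@"); the list of "trusted" networks is an assumption made for this example, standing in for the recipient's own MTA and its list host's provider. Hops are listed newest first; the first hop whose connecting IP is outside the trusted path is the handoff, and every hop below it was written by the outside server and is only a claim.

```python
"""Walk the Received: chain of the forged BASFA message back to the handoff.

Added example, not from the original thread.  Hops are listed most recent
first; hops whose connecting IP sits inside the recipient's own delivery
path are trusted, the first hop from an outside IP is the handoff, and
everything below it is merely claimed by the outside server.
"""
import ipaddress
import re
from email.parser import HeaderParser

# Constructed from the forged message above: its Received: and
# X-Authenticated-Sender: headers only, with the archive's " at " written as "@".
RAW_HEADERS = """\
Received: from che.dreamhost.com ([66.33.216.23])
\tby linuxmafia.com with esmtp (Exim 4.72)
\t(envelope-from <basfa-bounces@lists.basfa.org>)
\tid 1ZtmTU-00008Z-8E
\tfor rick@linuxmafia.com; Tue, 03 Nov 2015 17:02:55 -0800
Received: from che.dreamhost.com (localhost [127.0.0.1])
\tby che.dreamhost.com (Postfix) with ESMTP id B89CA1040F;
\tTue,  3 Nov 2015 17:02:51 -0800 (PST)
Received: from homiemail-mx30.g.dreamhost.com (44gallery.info.brontes.org
\t[69.163.253.137])
\tby che.dreamhost.com (Postfix) with ESMTP id 484DD103D7
\tfor <basfa@lists.basfa.org>; Tue,  3 Nov 2015 17:02:50 -0800 (PST)
Received: from madmax.dreamhost.com (caiajhbdcbdj.dreamhost.com
\t[208.97.132.139])
\tby homiemail-mx30.g.dreamhost.com (Postfix) with ESMTP id
\t17CE310218CF1
\tfor <basfa@basfa.org>; Tue,  3 Nov 2015 17:02:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
\tby madmax.dreamhost.com (Postfix) with ESMTP id D419C25C632F
\tfor <basfa@basfa.org>; Tue,  3 Nov 2015 17:02:49 -0800 (PST)
Received: from godfather.dreamhost.com ([208.97.132.17])
\tby localhost (madmax.dreamhost.com [208.97.132.139]) (amavisd-new,
\tport 10024) with ESMTP id 7fQmetxqw9VP for <basfa@basfa.org>;
\tTue,  3 Nov 2015 17:02:49 -0800 (PST)
Received: from on6.server6.gr (on6.server6.gr [5.172.198.95])
\tby godfather.dreamhost.com (Postfix) with ESMTP id 6EC981EC035
\tfor <basfa@basfa.org>; Tue,  3 Nov 2015 17:02:49 -0800 (PST)
Received: from [179.218.66.168] (port=59987 helo=WIN-NPPN1JPV75J)
\tby on6.server6.gr with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
\t(Exim 4.86) (envelope-from <msiladi@ix.netcom.com>)
\tid 1ZtmTN-000qt5-BW; Wed, 04 Nov 2015 03:02:46 +0200
X-Authenticated-Sender: on6.server6.gr: info@roidosins.gr
"""

# Assumption for this example: the recipient's delivery path is linuxmafia.com
# plus its list host's provider (Dreamhost); a real deployment would list the
# operator's own MTA and relay addresses here.
TRUSTED_NETS = ["127.0.0.0/8", "66.33.216.0/24", "69.163.253.0/24", "208.97.132.0/24"]

HOP_RE = re.compile(r"from\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"helo=(\S+?)\)")


def parse_hops(raw_headers):
    """Return (hops, message): one dict per Received: header, newest first."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:                               # e.g. "Received: by ..." with no "from"
            continue
        frm = m.group("frm")
        ip = IPV4_RE.search(frm)
        helo = HELO_RE.search(frm)
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "helo": helo.group(1) if helo else None,
            "raw": text,
        })
    return hops, msg


def analyze(raw_headers, trusted_nets):
    """Locate the handoff hop and separate trusted hops from merely claimed ones."""
    hops, msg = parse_hops(raw_headers)
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    handoff = next(
        (i for i, h in enumerate(hops)
         if h["from_ip"] and not any(ipaddress.ip_address(h["from_ip"]) in n for n in nets)),
        None,
    )
    sender = msg.get("X-Authenticated-Sender", "")
    return {
        "hop_count": len(hops),
        "handoff_ip": hops[handoff]["from_ip"] if handoff is not None else None,
        "handoff_by": hops[handoff]["by"] if handoff is not None else None,
        # Hops below the handoff were written by the outside server: claims, not facts.
        "claimed_hops": hops[handoff + 1:] if handoff is not None else [],
        "origin_ip": hops[-1]["from_ip"] if hops else None,
        "origin_helo": hops[-1]["helo"] if hops else None,
        "authenticated_sender": sender.rsplit(":", 1)[-1].strip() or None,
    }


if __name__ == "__main__":
    r = analyze(RAW_HEADERS, TRUSTED_NETS)
    print(f"{r['hop_count']} hops; handoff to {r['handoff_by']} from {r['handoff_ip']}")
    print(f"claimed origin {r['origin_ip']} (helo={r['origin_helo']}); "
          f"relay authenticated as {r['authenticated_sender']}")
```

The script separates what the recipient's own servers recorded (everything down to the connection from 5.172.198.95) from what on6.server6.gr recorded about its own client; the latter is the hop a forger could fabricate, which is why the reverse-DNS checks in the analysis above are done on IPs taken from the header rather than on the host names the header offers.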

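Added example (not part of Rick's message or the original thread): a minimal SPF evaluator showing how a receiving MTA would have treated this connection under the "v=spf1 a mx -all" record quoted above versus a domain that publishes nothing. The DNS data is a constructed stub so the code runs offline: the linuxmafia.com SPF string is the one shown in the thread, but its A and MX addresses are RFC 5737 documentation addresses rather than the real ones, ix.netcom.com is given no TXT record to match the thread's finding, and example.net is an invented domain with a soft-fail policy for contrast. Only the a, mx, ip4 and all mechanisms are implemented.

```python
"""Minimal SPF (RFC 7208) check: why a receiver could not reject this forgery.

Added example, not from the original thread.  Evaluates the a, mx, ip4 and
all mechanisms against a stub DNS table so it runs offline.
"""
import ipaddress

# Constructed zone data.  The linuxmafia.com SPF string is from the thread;
# its A/MX addresses are RFC 5737 documentation addresses standing in for the
# real ones.  ix.netcom.com has no TXT record, matching the thread's finding.
# example.net is invented to show a soft-fail (~all) policy.
STUB_DNS = {
    ("linuxmafia.com", "TXT"): ["v=spf1 a mx -all"],
    ("linuxmafia.com", "A"): ["192.0.2.10"],
    ("linuxmafia.com", "MX"): ["mx.linuxmafia.com"],
    ("mx.linuxmafia.com", "A"): ["192.0.2.25"],
    ("ix.netcom.com", "TXT"): [],
    ("example.net", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stub resolver; swap in a real DNS client for live checks."""
    return STUB_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None if it publishes none."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        raise ValueError("permerror: more than one SPF record")   # RFC 7208 s.4.5
    return records[0] if records else None


def mechanism_matches(mech, ip, domain):
    """True if the connecting ip matches one mechanism (qualifier already stripped)."""
    body, _, prefix = mech.partition("/")        # "a/24", "ip4:x/24"
    name, _, arg = body.partition(":")           # "a:host", "ip4:addr"
    length = int(prefix) if prefix else 32
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(f"{arg}/{length}", strict=False)
    if name in ("a", "mx"):
        target = arg or domain
        hosts = [target] if name == "a" else lookup(target, "MX")
        return any(
            ip in ipaddress.ip_network(f"{addr}/{length}", strict=False)
            for host in hosts for addr in lookup(host, "A")
        )
    raise ValueError(f"unsupported mechanism {mech!r}")   # include, exists, ptr, ...


def check_spf(ip, domain):
    """SPF result for a connection from ip whose MAIL FROM is in domain."""
    ip = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none"            # nothing published: the receiver has no basis to reject
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:          # modifiers (redirect=, exp=) are not handled here
            continue
        if mechanism_matches(term, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"             # no mechanism matched and no "all" term


def receiver_action(result):
    """Typical MTA policy; 'none' and 'neutral' leave the receiver no grounds to refuse."""
    return {"fail": "reject", "softfail": "accept-and-flag"}.get(result, "accept")


if __name__ == "__main__":
    # The connection Dreamhost saw: 5.172.198.95 claiming MAIL FROM @ix.netcom.com.
    for ip, domain in [("5.172.198.95", "ix.netcom.com"),
                       ("5.172.198.95", "linuxmafia.com"),
                       ("192.0.2.10", "linuxmafia.com"),
                       ("5.172.198.95", "example.net")]:
        result = check_spf(ip, domain)
        print(f"{ip:>15} for {domain:<16} -> {result:<9} ({receiver_action(result)})")
```

Two caveats when reading the output against the case above. SPF is evaluated on the envelope sender (the `envelope-from` shown in the on6.server6.gr Received line) and the HELO name, not on the `From:` header a user sees; tying the visible `From:` domain to an SPF or DKIM pass is what DMARC (RFC 7489) adds on top. And a `-all` record only helps when the receiving MTA is configured to act on a `fail`; publishing it is the sending domain's half of the job.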