blog | edwards research » networking

Spam Forensics II

Jim — Fri, 24 Sep 2010 18:39:08 +0000

Our email contained an attachment in html:




  
  


Greetings from Amazon.com.



We're sorry.  You've written to an address that cannot accept
incoming

e-mail.  But that's OK--this automated response will direct
you to the

right place at Amazon.com
to answer your question or help you contact

customer service if you need further assistance.



You will find the answers to the most common questions here:



 Ordering: http://www.amazon.com/help/ordering

 Where's My Stuff: http://www.amazon.com/help/wheres-my-stuff

 Gift Certificates: http://www.amazon.com/gift-certificates

 Promotions: http://www.amazon.com/o/tg/browse/-/565778/

 Shipping Options: http://www.amazon.com/help/shipping

 Returns: http://www.amazon.com/returns



If your question is not answered by the above links, we invite you to

search our Help Desk at http://www.amazon.com/help



If you need to modify an unshipped order or make changes to your

account or subscriptions, you may do so online at any time via

Your Account:  http://www.amazon.com/your-account



We hope our online resources meet all your needs.  If you've
explored

the above links but find you still need to get in touch with us,

please click the "Contact Customer Service" link on our main Help page.



Thanks for shopping at Amazon.com.



Sincerely,



Amazon.com Customer Service

http://www.amazon.com

Which is pretty boring, containing some amazon links and otherwise benign code, except for line 37, which contains two JavaScript sections (formatting added):

The first section is quickly identified as a simple FrameBuster.

The section section simply inline inserts the value of the string, once it is unescaped. Using the tool found here, I unescaped the JavaScript string without worrying about what it did.

The result is (formatting added):



    
        
            
                
                    This Web Page was protected by HTMLPower,  Click here to Register

This HTML meta tag “refreshes” or redirects your browser to whatever page is specified, in this case http://graduationoutfitters.co.za/1.html. (In case you’re wondering, the .za TLD is South Africa)

The humorous thing is, after looking at the pullsoft.com link, is appears the spammer used their software to encode the meta refresh tag, and the software appended a little advertisement. How thoughtful.

After all that, nothing crazy — a forged email header, an (unnecessarily) encoded html meta refresh tag and one more spam for the bit bucket.

Spam Forensics I

Jim — Fri, 24 Sep 2010 18:30:09 +0000

I’ve been getting a lot of these emails coming through my Gmail filters — and on searching, I found a lot more were caught. After a quick look around I found a blog post discussing the most recent barrage over at geofffox.com and decided to look into it more closely.

Here is what the message in “original form” with headers (I modified the headers — see below):

Delivered-To: {my_name}@gmail.com
Received: by 10.216.17.75 with SMTP id i53cs3487wei;
        Fri, 24 Sep 2010 00:33:03 -0700 (PDT)
Received: by 10.223.114.194 with SMTP id f2mr3098412faq.71.1285313582949;
        Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
Return-Path: <{my_initials}+caf_={my_name}=gmail.com@{oneofmydomains.com}>
Received: from mail-fx0-f53.google.com (mail-fx0-f53.google.com [209.85.161.53])
        by mx.google.com with ESMTP id 15si1933947fax.156.2010.09.24.00.33.02;
        Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
Received-SPF: neutral (google.com: 209.85.161.53 is neither permitted nor denied by best guess record for domain of {my_initials}+caf_={my_name}=gmail.com@{oneofmydomains.com}) client-ip=209.85.161.53;
Authentication-Results: mx.google.com; spf=neutral (google.com: 209.85.161.53 is neither permitted nor denied by best guess record for domain of {my_initials}+caf_={my_name}=gmail.com@{oneofmydomains.com}) smtp.mail={my_initials}+caf_={my_name}=gmail.com@{oneofmydomains.com}
Received: by mail-fx0-f53.google.com with SMTP id 14so1830412fxm.12
        for <{my_name}@gmail.com>; Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
Received: by 10.223.104.71 with SMTP id n7mr3115235fao.27.1285313582681;
        Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
X-Forwarded-To: {my_name}@gmail.com
X-Forwarded-For: {my_initials}@{oneofmydomains.com} {my_name}@gmail.com
Delivered-To: archellian001@{oneofmydomains.com}
Received: by 10.223.108.197 with SMTP id g5cs3379fap;
        Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
Received: by 10.101.69.6 with SMTP id w6mr3307377ank.207.1285313582003;
        Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
Return-Path: 
Received: from ARDBVPNZJS ([117.196.230.243])
        by mx.google.com with ESMTP id c4si4326905anc.186.2010.09.24.00.32.03;
        Fri, 24 Sep 2010 00:33:01 -0700 (PDT)
Received-SPF: neutral (google.com: 117.196.230.243 is neither permitted nor denied by best guess record for domain of brushwoodzd279@rotulosjethro.com) client-ip=117.196.230.243;
Received: from 5802.rotulosjethro.com ([207.171.164.40])
	by rotulosjethro.com with esmtp (Exim 4.69)
	id C5B7C3-A452D9-9E
	for ashleybentley@sammyk.com; Fri, 24 Sep 2010 13:01:19 +0530
Date: Fri, 24 Sep 2010 13:01:19 +0530
From: "Barbra Ladner" 
To: ashleybentley@sammyk.com
Message-ID: <74583179.15516372984772561261.JavaMail.abhi114b879f20@rotulosjethro.com>
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_Part_023295_191642150.1971937775771"

------=_Part_023295_191642150.1971937775771
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Please find attached my CV for your attention.

------=_Part_023295_191642150.1971937775771
Content-Type: text/html; name="78238doc.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="78238doc.html"

(Base64 encoded data here)

------=_Part_023295_191642150.1971937775771--

First of all, I forward all of the mail to any address at one of my domains to my personal gmail address. That means that legitimate email addresses and random strings both end up headed to my gmail account. (I then employ a whitelist filter in Gmail). But to avoid having the email addresses scooped up by spiders, I edited them in the header with tags like {my_name}, {my_initials} and {oneofmydomains.com}.

The email address it was sent to was: archellian001@{oneofmydomains.com} — and the archellian001 is called the “local-part” in email lingo. In this case, the local-part is clearly just a random string (name?) and some numbers. Nothing on that domain would suggest archellian would be a good name to choose.

The return path and sender are both listed as: brushwoodzd279@rotulosjethro.com — likely a forgery.

Starting at the beginning of the email’s life, we see:

Received: from 5802.rotulosjethro.com ([207.171.164.40])
	by rotulosjethro.com with esmtp (Exim 4.69)
	id C5B7C3-A452D9-9E
	for ashleybentley@sammyk.com; Fri, 24 Sep 2010 13:01:19 +0530

Now 207.171.164.40 traces back to mm-notify-out-1102.amazon.com and this was verified with a DNS lookup for mm-notify-out-1102.amazon.com and it indeed returned 207.171.164.40. I also tried a DNS lookup for 5802.rotulosjethro.com which failed and rotulosjethro.com which returned an ISP in Spain. So this adds credibility to the idea that this is whole hop is a forgery but we’ll know better soon.

The next hop reports,

Received: from ARDBVPNZJS ([117.196.230.243])
        by mx.google.com with ESMTP id c4si4326905anc.186.2010.09.24.00.32.03;
        Fri, 24 Sep 2010 00:33:01 -0700 (PDT)

We can be relatively certain this is not a forgery. The reason is that the recipient reports themselves as mx.google.com and recall that the email was sent to {oneofmydomains.com}.

So far, the reported path was:

5802.rotulosjethro.com ([207.171.164.40])   ->   rotulosjethro.com
ARDBVPNZJS ([117.196.230.243])   ->   mx.google.com

So either:

The Amazon IP address (207.171.164.40) actually did send the email to ARDBVPNZJS (117.196.230.243) (perhaps an Amazon Web Hosting client) and the DNS settings and mail records of rotulosjethro.com has changed since.
117.196.230.243 is the originating sender who forged the first receipt header.

Most likely its the second case. A test to see if 117.196.230.243 was up showed that it did not respond to ping or attempts to open a connection on port 22 (SSH) or 25 (SMTP) — this seems unlikely for a legitimate mail server. Further tests show that the IP is registered to BSNL, an Indian ISP.

Also note where gmail checked the SPF record of rotulosjethro.com:

Received-SPF: neutral (google.com: 117.196.230.243 is neither permitted nor denied by best guess record for domain of brushwoodzd279@rotulosjethro.com) client-ip=117.196.230.243;

This exposes one of weaknesses of SPF. Although SPF can help prevent others from impersonating you or your domain, it does little to prevent spam. This is because all a spammer needs to do is find a domain that doesn’t have an SPF whitelist defined, such that SPF checks return neutral, and use that domain name to send out an unlimited number of emails. As long as one domain is yet to implement an SPF whitelist, SPF will not be effective against this sort of forgery spam.

I don’t see much else interesting in the header, it bounces around internal private Gmail networks and is ultimately delivered.

So then I decided to have a look into what the attachment contained….

Continue to Spam Forensics II

ping fails but dig / nslookup works?

Jim — Wed, 20 Jan 2010 20:27:11 +0000

I’ve now run into two scenarios where this happened. The most recent was after I had to kill a vpnc process (used to connect to a cisco VPN).

It looks like this:

[james@workstation ~]$  ping google.com
ping: unknown host google.com

[james@workstation ~]$  dig google.com +short
72.14.204.147
72.14.204.99
72.14.204.103
72.14.204.104

What ended up happening was that the VPN was configured to tunnel all traffic through it, so when it re-wrote the /etc/resolv.conf file, it didn’t append the VPN nameservers to the nameservers provided to us by our DHCP lease, but completely overwrote them. I’m assuming that when you closed the VPN it would replace the resolv.conf file with the one containing the non-VPN nameservers but since I killed it, it was not restored.

Anyway, the fix was easy but finding it out was annoying.

All you have to do is release and renew your DHCP lease.

You could try:

dhclient -r; dhclient

… but I was on an SSH connection and I didn’t quite trust the second command to be run after I lost the connection when the lease was released (this seems like a silly fear but whatever).

Instead I wrote a bash script and put it in a file:

#!/bin/bash
#refreshlease.sh
IFACE="eth0"

dhclient -r ${IFACE}
dhclient ${IFACE}

… and ran that over the SSH connection. The connection seemed to get dropped for a few seconds but then came back up. Checking /etc/resolv.conf showed that my original nameservers were, in fact, back and I was able to resolve DNS queries:

[james@workstation ~]$  ping google.com
PING google.com (64.233.169.105) 56(84) bytes of data.
64 bytes from yo-in-f105.1e100.net (64.233.169.105): icmp_seq=1 ttl=238 time=31.1 ms

Gigabit LAN Upgrade

Jim — Fri, 06 Nov 2009 22:40:08 +0000

Not much time to post, so I’ll post the quick bandwidth test we did between two machines before and after the LAN upgrade:

Some notes:

For a bandwidth tester we used iperf, a linux script that has been ported to windows via a cygwyn build.
- For Linux we just ran “yum install iperf”
- For Windows we googled “iperf windows”, but here is one binary from UCF.
The real path just explains the connection between the two units.
The window size was automatically determined by iperf.
The 10 second test duration is iperf’s default.

And the same data graphically:

As you can see, there is considerable bandwidth improvement, even for the integrated NIC (and the PCI NIC is more than twice as fast as that!)

How To: Speed up X Tunneling over SSH

Jim — Fri, 06 Nov 2009 07:52:26 +0000

I use PuTTY (actually, I use PuTTY tray) and XWin Server to run Linux GUI applications in Windows. Basically, I have a headless Linux server running and I connect to it via SSH. While 90% of the things I do on it are command-line based, I’ve yet to find a real good strategy for developing true linux C/C++ applications from a Windows machine, so I end up running Eclipse on the headless box with the windows tunneled to my Windows system. (I say true because I know I could use something like MinGW or Cygwin and get 99% of the functionality, but I’m picky about that last 1%). Also, I know there is a really interesting project underway in the Eclipse community to get CDT to build and debug remotely (Remote Development Tools), but I ran into all kinds of problems getting it to work and it really wasn’t worth the time I was spending on it. Further, X tunneling over SSH worked great.

I wasn’t satisfied though.

My LAN’s throughput chokepoint was my router, limiting connections to 100Mbps so I went ahead and ordered a Gigabit switch and upgraded my cabling (it was pretty shoddy) and one of my NICs. Before they come in though, I decided to explore some ways to improve tunneling without hardware changes.

The first thing I looked into was changing SSH cipers.

You can look at the available ciphers in PuTTY by going into the configuration window, and under Connection, clicking SSH. You should see something like this:

You can change the the order that these ciphers are considered simply by clicking Up or Down and rearranging them. I like to put the one I want at the top, then immediately following it with the “–warn below here–” tag, so I know definitively whether I’m getting my #1 choice.

But how do I know which ciper to choose?

Thats a good question, and I didn’t know either. I did some extremely quick googling and I didn’t get a very definitive answer in the 2 or 3 pages I landed on, but I did find a nice command to run a benchmark on your local system so you can find out for yourself. The command was:

openssl speed -engine padlock -evp *ciper*

Where *ciper* is replaced by the name of the cipher you wish to test. Executing this command starts an OpenSSL script which runs through the algorithm on locally on your computer, measuring the number of computations it can perform per second.

I extended this command with a simple tweak that allowed me to loop through the script using mulitple different ciphers:

for ENC in aes-256-cbc bf bf-ecb rc4 rc4-40 bf-cfb bf-ofb des3 des ; do openssl speed -engine padlock -evp ${ENC} ; done

After executing this, I walked away for a little (probably takes less than 5 mintutes but I didn’t want to introduce any more variability by messing around during the benchmark) and when I cameback it has maybe 150 lines of output, about 15 for each ciper.

Being the quantitative dude that I am, I immediately threw the data into Excel and plotted the processing throughput (in KBps and given on the last line of each iteration) vs block size (given on the second to last line).

The results were really surprising. Here’s the table I compiled:

Where the highlighted cells indicate maximum throughput for each column or blocksize. Its pretty apparent from this that RC4 really flys, but the table above doesn’t do the improvement justice. Lets look at the data plotted:

Note: The label on the vertical axis incorrectly states the units as KBps when they are, in fact, MBps.

(click for full-size)

Wow, that is really a tremendous difference between the two RC4 ciphers and the rest, more often than not doubling the throughput of their alternatives.

So with such a huge difference in performance, certainly the RC4 cipher is the default cipher in PuTTY, right? Actually, no. At least in my vanilla PuTTY installations, RC4 (AKA Arcfour in PuTTY) is fairly low on the list, only preferred over DES.

I’m not a cryptographer, and I’m not well versed on the differences between the ciphers certainly not well enough to give any informed opinion on which cipher to choose from a security point of view, but from a sheer speed point of view, it would seem that RC4 would preferred.

Now our network is secured from the WAN side by a firewall on our router which we are trusting to prevent unauthorized access to the LAN side, so for us, encrypting SSH sessions that strictly live on the LAN side with a possibly sub-par cipher was acceptable if it provided the latency improvement that it looked like it would. Your circumstances may differ and I urge you to consider all of them before you go changing settings.

Given that you’ve considered them, and you’re comfortable, lets go ahead and change the ciper priorities and see if we get any improvement.

Simply by clicking the cipher we want to move, then the Up / Down buttons, we were able to configure our priorities to this:

The idea here being that if, for some reason, we can’t establish a link with RC4, we’ll be notified. We could then go back into the settings and move the “–warn below here–” line down a line and try again, hoping to connect with the Blowfish ciper, the second quickest cipher or otherwise receive a warning.

Results

Unfortunately, I don’t have any quantitative data to show the latency improvement, although I suppose you could demonstrate a bandwidth / throughput increase by doing a file transfer, however it is abundantly clear that there was, in fact, a huge latency improvement. Things that caused annoying lag (eg clicking on the scrollbar to scroll quickly) showed a noticeable improvement.

As it is, without real data to show the improvement, you are left to experiment with the settings yourself, and, given you feel comfortable, I strongly encourage doing so — as it really seems to make a difference.

I’ll be sure to check back here when we receive the Gigabit hardware and present a before and after look at our LAN transfer speeds.

LAN DNS Resolution with WRT54G DD-WRT’s DNSMasq (Linux and Windows 7)

Jim — Thu, 17 Sep 2009 07:18:50 +0000

I have a ton of computers.

I have a quad-core AMD box (running Fedora 11), an AMD Phenom II X4 955 Black Edition box (running Windows 7), a few random head-less desktops, a laptop (F11) and a netbook (F11).

I run a fileserver on one box, I run an X session through ssh on my Windows box to access linux GUI stuff, I frequently transfer files between computers and I wanted to be able to access them by my defined hostname rather than the dynamic IP address my router assigned them (WRT54G running DD-WRT v24 SP1).

Now you may say, “dude, just give them static IP’s and be done with it.” I considered that, but I would much rather remember “tophat” and “fractal” than 192.168.1.5 and 192.168.12. Plus I’m a nerd and if there’s a way, I’ll figure it out.

… so I figured it out.

Windows will automatically report the Hostname of the computer (I think Windows calls it the Computer Name), so you won’t have to configure that. You will however, have to allow your router to cache the hostnames and resolve them to IPs, and you will need to configure Linux to report the hostname when a DHCP lease is acquired.

Configure Router

Login to your router
Click on the “Services” tab
Under DNSMasq enable both options (“Enable DNSMasq” and “Enable Local DNS”)
Click “Apply Settings”

Configure Linux to Report Hostnames

Disclaimer: This is using Fedora 11 – other distros/versions may vary.
You should really pick a unique hostname per interface, so in the case that they’re both connected there isn’t a conflict.
As root, or with appropriate permissions, edit /etc/sysconfig/network-scripts/ifcfg-{interface} (ie /etc/sysconfig/network-scripts/ifcfg-eth0).
Add this line:

DHCP_HOSTNAME=fractal

Save the file
Restart the network service (sudo service restart network, or use the GUI)
Release your DHCP lease (sudo dhclient -r)
Renew your DHCP lease (sudo dhclient or ifconfig {interface} down; ifconfig {interface} up)

Configure Windows 7 to resolve hostnames (source)

Go into Network Connections (I just typed “Network Connections” om the start icon -> run box)
Right click on your Network Adapter and go into Properties
Select “Internet Protocol Version 4 (TCP/IPv4)”
Under the General Tab click Advanced
Under the DNS Tab select the radio button that says “Append these DNS suffixes (in order)”
Click “Add…”
Enter a single period in the text box and click “Add.”
Click OK in the “Advanced TCP/IP Settings” Dialog
Click OK in the “Local Area Connection Properties” Dialog

And there you go.