Request for help with mail spoofing

geoffrey mendelson geoffreymendelson at gmail.com
Wed Feb 17 14:51:26 IST 2010


On Feb 17, 2010, at 1:49 PM, Geoff Shang wrote:
>
>
> A person in the blindness community has been posting to various  
> mailing lists in the last few days.  They have been sending mail in  
> the name of well-respected list members with relevant-looking  
> subject lines, but placing offensive material in the body of the  
> message.

First of all, how do you know that this is, as you put it, a person in  
the blindness community? It could just be one of those people who  
disrupt groups because they can, and who found a bunch of people to annoy.  
Eventually they get tired of these things and move on to a different  
community.

You also should check the email addresses. One common trick used by  
commercial posters is to post using a real name with a different email  
address. For example, if your email address were geoffshang at gmail,  
they would open an account geoffshang at yahoo. Or they use a different  
country: instead of hotmail.com, they open one at hotmail.co.uk.

These guys tend to hit hard and fast, post one email advertising their  
business and move on, but script kiddies do it too.

I had that happen to me once where I publicly exposed someone for it  
and was abused because this person was a close friend and a respected  
member of their community. When I pointed out that the person would  
have been asleep when they posted the message and they had opened a  
new email account at another provider just to post the message, I  
never heard anything at all, neither an apology from the people  
abusing me nor the person who was spoofed thanking me for pointing it  
out.


> I'm not asking here about blocking this sort of mail, as this is  
> something I can have addressed elsewhere.  What is concerning me is  
> how it's being done.
>
> The person seems to be able to find a host that they can send  
> through. This host is easy enough to find from the message headers.  
> The problems are finding out how they are doing what they are doing  
> with the host concerned, and the fact that connections to these  
> hosts seem to be coming from multiple machines which appear on the  
> surface to be anonymous proxies.
>
> The host I dealt with on Monday had an account compromised (or at  
> least said they did) on one of their machines which is not their  
> mail server. Now clearly they could prevent this by preventing  
> traffic from port 25 going out to the world, but perhaps there are  
> reasons for not doing this. They also appear to be accepting telnet  
> connections which seems nuts to me... But anyway, I digress.  They  
> are disinclined to take this matter further due to the complexity  
> involved, though they might change their mind when I tell them we  
> got another one from their IP address today.

I'm not sure how disinclined they would be if the CEO of the company  
received a copy of the email.

> Meanwhile, we've seen examples from other (presumably) compromised  
> hosts.
>
> This person is obviously doing this to get a kick out of it, and  
> he's clearly becoming arrogant.   He just sent a message to one of  
> the lists which includes a bash script.  As the list mostly deals  
> with Windows technical support queries, he probably figured no-one  
> would understand what it was, or that even if anyone did, nothing  
> could be done to catch him or stop him.

I don't understand. 99.99% of Windows users don't run bash. Why send  
them a bash script? I think sloppy is correct, but I wonder if it is a  
real person or just a "junk bot" sending stuff out. At one point it  
found the mailing list in someone's contacts list and is just dumping  
crap to it.


> This script seems to make use of socks proxies, which is something I  
> don't know about.  It also calls some perl code which I also don't  
> understand. So I don't exactly understand what they are doing.

Send me a copy. Or publish it, we can argue over what it does.


> Now that I look at it, it appears that this person is using the Tor  
> network (torproject.org) to do this.  Since the whole point of Tor  
> is to hide your tracks, I'm not at all confident about tracking this  
> person down unless they make a mistake.

They will. A person who does this kind of thing can go on for years  
without being caught as long as they are careful. It's like the guy  
who takes one egg out of a carton at the supermarket and hides it in  
his pocket. Next week, he takes a carrot. As long as he takes only one  
small item, and is very careful not to be observed, he can do it  
indefinitely.

But he will become overconfident or sloppy. He might not look  
carefully for cameras, or a person watching him, or just have bad  
luck, someone will see him.
Or he will move up from one egg to a roast. He will do something too  
big to overlook.

You have to keep watching him, and keep meticulous notes. Eventually  
he will reveal himself.

I recently had that happen. A few years ago someone wrote me  
threatening emails under an assumed name (but with a real, though rarely  
used, email address) because I called his scam a scam on a public list.  
Recently I offered something to give away, and he had since forgotten  
about our exchange. I wrote him and asked if he also used the other  
email address because we had discussed a camera or something like that  
(we had, 10 years ago). He said, yes, that is me too.

You just have to wait and be patient.

It would be best that the mailing lists be set to posting by members  
only, and new members are moderated until approved.

Geoff.


-- 
geoffrey mendelson N3OWJ/4X1GM
Jerusalem Israel geoffreymendelson at gmail.com
New word I coined 12/13/09, "Sub-Wikipedia" adj, describing knowledge  
or understanding, as in he has a sub-wikipedia understanding of the  
situation, i.e. possessing fewer facts or less information than can be found  
in the Wikipedia.
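Two of the header checks discussed in this thread, the "real name with a different address" trick and reading the Received chain back to the host the message was injected through, as an added Python example. This is not code from the thread, nor the script the poster received; the member roster, the message, and every name, address, host and IP in it are constructed placeholders (example.* domains, documentation IP ranges).

```python
# Added example, not from the original thread. Runs offline on a constructed
# message; the roster and all hosts/addresses below are placeholders.
import email
import re
from email.utils import parseaddr

# Constructed roster (not a real list): display name -> addresses the member
# is actually known to post from. Keys are lower-cased, whitespace-collapsed.
TRUSTED_MEMBERS = {
    "pat member": {"pat@example.net"},
}

# Constructed message. The spoofer used a member's display name with a
# look-alike address at another provider, and relayed through a host that
# accepted an SMTP connection from an arbitrary client. Received headers are
# read bottom-up: the lowest one is the first hop, each relay adds one on top.
SAMPLE_MESSAGE = b"""\
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby mx.example.com with ESMTP id AAA; Mon, 15 Feb 2010 10:00:00 +0200
Received: from shell.example.org (shell.example.org [198.51.100.7])
\tby lists.example.org (Postfix) with ESMTP id BBB; Mon, 15 Feb 2010 09:59:00 +0200
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby shell.example.org (Postfix) with SMTP id CCC; Mon, 15 Feb 2010 09:58:30 +0200
From: Pat Member <pat.member@example.co.uk>
To: list@lists.example.org
Subject: Re: screen reader settings
Message-ID: <CCC@shell.example.org>

(body omitted)
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <accepting-host> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw):
    """Parse raw RFC 5322 bytes into an email.message.Message."""
    return email.message_from_bytes(raw)


def classify_sender(msg, trusted=TRUSTED_MEMBERS):
    """Compare the From display name and address against the roster.

    Returns (name, address, verdict): 'trusted' when name and address both
    belong to a member, 'lookalike' when a member's name is paired with an
    address that member does not post from (the yahoo-instead-of-gmail trick),
    'unknown' otherwise. An exact forgery of a member's real address passes
    this check; only the Received chain or the relay's logs can catch that.
    """
    name, addr = parseaddr(msg.get("From", ""))
    key = " ".join(name.lower().split())
    addr = addr.lower()
    if key in trusted:
        verdict = "trusted" if addr in trusted[key] else "lookalike"
    else:
        verdict = "unknown"
    return name, addr, verdict


def parse_received(msg):
    """Return hops newest-first as (claimed_host, connecting_ip, accepting_host)."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(str(raw).split())  # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue  # unparseable or non-standard line: keep going
        ip = IPV4_RE.search(m.group("info") or "") or IPV4_RE.search(m.group("helo"))
        hops.append((m.group("helo"), ip.group(1) if ip else None, m.group("by")))
    return hops


def injection_point(msg):
    """Oldest hop: the relay that first accepted the message and who connected to it."""
    hops = parse_received(msg)
    return hops[-1] if hops else None


def triage(raw, trusted=TRUSTED_MEMBERS):
    """Summarise a suspicious post: who it claims to be from and where it entered."""
    msg = parse_message(raw)
    name, addr, verdict = classify_sender(msg, trusted)
    hop = injection_point(msg)
    return {
        "name": name,
        "address": addr,
        "verdict": verdict,
        "injected_via": hop[2] if hop else None,
        "injected_from_ip": hop[1] if hop else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key:>17}: {value}")
```

On the sample the verdict is "lookalike" and the injection point is shell.example.org, contacted from 203.0.113.5: the first is the evidence to show the list, the second is what to take to the relay's operator (with the Received line and timestamp, so they can match it against their own logs). If that bottom-hop address is a Tor exit, as suspected above, it identifies the exit and not the sender, which is why the thread's list-side advice (members-only posting, moderation of new members) is the control that actually stops the posts.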

More information about the Linux-il mailing list