How phishers send anonymous email

Learn how factors such as proxy chains and location help phishers send anonymous email, and why onion routing may hinder the tracking of these offenders.

When sending email, most email clients do not support SOCKS, for the very reason that they do not want to contribute to the already existing spam epidemic. In this case, there are two options: use a bulk-mailing tool that supports proxies, including SOCKS, or use a program like SocksChain (http://ufasoft.com) for Windows or Proxychains (www.proxychains.sf.net) for UNIX. These programs "proxify" any connection you set up, so that any networked application can be used through SOCKS. With Proxychains you can also chain your proxies together to set a route and improve your odds against someone tracking you.

Let's "socksify" a Telnet session and create a proxy chain that we can use to send email, then view the headers to relish our accomplished anonymity. To begin, we first need to set up our chain (see Figure 6):

Figure 6: Proxy Chain Setup

Next we set up our "socksify" host so that when we Telnet to 127.0.0.1 port 1080, the connection is redirected to our mail server. As we Telnet to 127.0.0.1:1080, SocksChain automatically begins to build its route, as shown in Figure 7.

Figure 7: Established Chain of Proxies

We will now see the following:

Trying 127.0.0.1...
Connected to mail.sendingemail.com.
Escape character is '^]'.
220 mail.sendingemail.com ESMTP Postfix
HELO hostname
250 mail.sendingemail.com Hello sender.sendingemail.com [193.145.101.10], pleased to meet you
MAIL FROM: madeup@spoofedemail.com
250 Ok
RCPT TO: me@sendingemail.com
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
 
Message body.
.
250 Ok: queued as 64A20E4D6A
QUIT
221 Bye

And the headers of the email as received will look like the following:

Return-Path: <madeup@spoofedemail.com>
X-Original-To: me@sendingemail.com
Delivered-To: me@sendingemail.com
Received: by mail.sendingemail.com (Postfix, from userid 1999)
        id 64A20E4D6A; Tue,  5 Apr 2005 22:21:17 -0700 (PDT)
Received: from hostname (193.145.101.10)
        by mail.sendingemail.com (Postfix) with SMTP id 73F50EDD2B
        for ; Tue,  5 Apr 2005 22:21:13 -0700 (PDT)
Message-Id: <20050406023267.64A20E4D6A@mail.sendingemail.com>
Date: Tue,  5 Apr 2005 22:21:13 -0700 (PDT)
From: madeup@spoofedemail.com
To: me@sendingemail.com
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
        mail.sendingemail.com
X-Spam-Status: No, hits=2.3 required=5.0 tests=BAYES_90,NO_REAL_NAME
        autolearn=no version=2.63

Message body.

In this example, notice that the IP address recorded in the Received header is now quite different from the one in the previous email, indicating that we have successfully sent an anonymous email.
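From the receiving side, those same headers are all a mail administrator has to work with. The following is an added example, not code from the book: it parses a constructed copy of the headers above, unfolds the continuation lines, pulls the hop chain out of the Received lines, and flags the two cheap tells in this message, a bare non-FQDN HELO name and a sending host unrelated to the envelope sender's domain. The IP it recovers is only the last proxy in the chain, which is exactly the point the text makes.

```python
import re

# Constructed sample modelled on the Postfix headers shown above (not a real message).
SAMPLE_HEADERS = """\
Return-Path: <madeup@spoofedemail.com>
Received: by mail.sendingemail.com (Postfix, from userid 1999)
\tid 64A20E4D6A; Tue,  5 Apr 2005 22:21:17 -0700 (PDT)
Received: from hostname (193.145.101.10)
\tby mail.sendingemail.com (Postfix) with SMTP id 73F50EDD2B
\tfor <me@sendingemail.com>; Tue,  5 Apr 2005 22:21:13 -0700 (PDT)
From: madeup@spoofedemail.com
"""
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")

def unfold(raw: str) -> list[str]:
    """Join folded continuation lines (leading whitespace) back onto their header."""
    out: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def received_hops(raw: str) -> list[dict]:
    """Received hops newest-first: HELO name the client claimed, peer IP the server saw, and who logged it."""
    hops = []
    for h in unfold(raw):
        if not h.lower().startswith("received:"):
            continue
        m, by = HOP_RE.search(h), re.search(r"\bby\s+(\S+)", h)
        hops.append({"helo": m.group("helo") if m else None,
                     "ip": m.group("ip") if m else None,
                     "by": by.group(1) if by else None})
    return hops

def origin_ip(raw: str):
    """Oldest hop that carries a peer IP: the last proxy in the chain, which is all the receiving server sees."""
    return next((h["ip"] for h in reversed(received_hops(raw)) if h["ip"]), None)

def spoof_indicators(raw: str) -> list[str]:
    """Checks an admin can apply without DNS: bare HELO name, and a sending host outside the sender's domain."""
    flags = []
    origin = next((h for h in reversed(received_hops(raw)) if h["ip"]), None)
    sender = re.search(r"^Return-Path:\s*<?([^>\s]+)>?", raw, re.M)
    if origin and "." not in (origin["helo"] or ""):
        flags.append("HELO name is not fully qualified")
    if origin and sender and not (origin["helo"] or "").endswith(sender.group(1).split("@")[-1]):
        flags.append("sending host is outside the envelope sender's domain")
    return flags
```

Postfix can refuse the first condition at SMTP time with reject_non_fqdn_helo_hostname in smtpd_helo_restrictions, before the message is ever queued.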

Of course, there is more to "safely" sending phishing emails than just chaining arbitrary proxies together. In most cases, you would want to be on a proxy server located outside the country you have targeted. This establishes a sort of safety zone, so that you are untouchable by the law in the targeted country. If a proxy you used was located in the United States and you attacked an American target, there is a very good chance that the proxy operator would be served a subpoena for its logs in a very short amount of time. In comparison, depending on your actual location and whether the foreign authorities had any interest, the time it would take to get any help from the foreign proxy, even if it kept logs, would be next to a millennium, if it came at all. Many phishers count on the fact that they are not in the country they are targeting, which gives them a sort of added invincibility, although this depends on the country in which they are physically located. An ever-growing method being adopted by phishers and spammers today is the botnet approach, which lets spammers use drones of victim computers to perform their evil deeds. We cover botnets in detail in a later chapter.

From law enforcement's perspective, the ability to track quickly is essential to apprehending these criminals. But on the other side of the fence are the privacy advocates, who also have a valid point regarding anonymity. In the esoteric world of cryptography—specifically, the approach to addressing true anonymity, where anonymity, according to Paul Syverson, has the stricter definition of "being indistinguishable in a group"—the Electronic Frontier Foundation (EFF) is supporting an anonymous Internet communication system. The intent and purpose of the system is to prevent any type of network traffic analysis from being successful at all. Traffic analysis is a form of surveillance that helps establish who is communicating with whom over a public network. The information gathered by this type of analysis allows investigators to profile the habits, behavior, and interests of a certain group. This system is known as The Onion Router, or TOR (http://tor.eff.org). Ironically, onion-routing research was first done by the U.S. Navy (www.onion-router.net), in a rumored effort to protect the military's interest in accessing Web sites without giving away the fact that they are the ones accessing them. Another ironic point is that they encouraged (http://yja.com/onion.htm) the public community to run onion routers, thus performing a public duty to protect the military.

But now that it is supported by the EFF (TOR), the political and legal opposition from some world governments, along with the question of "What if?", has begun, especially at a time when cyber-crime is rising at an extremely aggressive rate. Technologies like TOR that allow anonymous communication would only put us farther away from tracking the individuals; as though it weren't difficult enough to keep up with their rate of attacks, now they could fully cloak themselves in a "darknet" (www.cymru.com/Darknet). Other systems that implement David Chaum's Mixnet (www.freehaven.net) concepts, such as JAP and Freedom, could pose a threat to the tracking technology used by forensic investigators and law enforcement agencies. Given that these systems are all still in a primitive state compared to their ambitious goals, phishers have not been observed gravitating to these bleeding-edge technological hopes. That does not mean darknets, mixnets, and onion routers alike won't take the stage for the phisher at some point. A good majority of phishers reside in Europe, and so far, the trend has dictated that the countries outside the United States are not exactly afraid to play with esoteric technology. Being that a major element to successfully committing electronic fraud is not getting caught, I won't be surprised to see the trading underground move to darknets to conduct their communication and material trades.

An Australian bank is using an optional scramble pad for its customers' security—something we won't see in the United States due to possible customer inconvenience: https://inetbnkp.adelaidebank.com.au/OnlineBanking/AdBank

This chapter excerpt from Phishing Exposed, by Lance James, is printed with permission from Syngress Publishing, Copyright 2005.