TRANSCRIPT
Module XXXIV – Tracking Emails and Investigating Email Crimes
EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Email Spamming Attacks Quadruple Since Start of 2008
Source: http://www.publictechnology.net/
News: Email Spam Has Been Annoying Us for 30 Years
Source: http://www.news.com.au/
News: Two Internet Spammers Charged By Information
R. Alexander Acosta, United States Attorney for the Southern District of Florida, and Jonathan I. Solomon, Special Agent in Charge, Federal Bureau of Investigation, Miami Field Office, announced today the filing of a one-count Information charging defendants, Jared Cosgrave and Mohammed Haque, with fraud and related activity in connection with electronic mail, in violation of the CAN-SPAM ACT of 2003, Title 18, United States Code, Section 1037(a)(2), by illegally transmitting over 25,000 electronic mail messages during a 30 day period.
Both Cosgrave, 25, of Plantation, Florida, and Haque, 26, of California, made their initial appearances in federal court this morning before U.S. Magistrate Judge Chris McAliley.
Cosgrave and Haque subsequently pled guilty to the Information before United States District Court Judge Alan S. Gold. Sentencing is scheduled for November 16, 2007.
At sentencing, Cosgrave and Haque face a maximum statutory sentence of up to three years’ imprisonment, a fine of up to $250,000, and restitution of more than $58,000 to Earthlink Inc.
Source: http://miami.fbi.gov
Module Objective
This module will familiarize you with:
• Email Systems
• Email Clients
• Email Servers
• Real Email Systems
• Email Crime
• Spamming
• Identity Fraud/Chain Letters
• Investigating Email Crimes and Violations
• List of Common Headers
• Microsoft Outlook Mail
• Tracing an Email Message
• U.S. Laws Against Email Crime
Module Flow
• Email System
• Email Client
• SMTP Server
• Email Server
• Email Crime
• Spamming
• Identity Fraud/Chain Letter
• Investigating Email Crimes and Violations
• List of Common Headers
• Microsoft Outlook Mail
• Tracing an Email Message
• U.S. Laws Against Email Crime
Email System
An email system consists of mail clients, which send and fetch mail, and two different servers running on a server machine: an SMTP server and a POP3 or IMAP server
Email Client
An email client is a computer application for managing email
Email clients perform the following functions:
• Retrieve messages from a mailbox
• Display the headers of all the messages in the mailbox
• The header contains information such as who sent the mail, the subject of the mail, the time and date of the message, and the size of the message
• The client allows the user to select a message header and read the body of the email message
• It allows the user to create new messages and submit them to a mail server
• Clients allow the user to add attachments to the messages they want to send and to save the attachments from received messages
• Formats the messages
• Internet Explorer, Mozilla Firefox, Netscape, and Safari are some of the commonly used email clients
Email Server
An email server works as follows:
• It contains a list of email accounts, with one account for each person
• Mail servers reserve a text file for each account in the list, which contains all the information of the account
• After a user presses the 'Send' button to send the message, the email client connects to the email server and passes the name of the recipient, the sender, and the body of the message
• The server formats those pieces of information and appends them to the bottom of the recipients.txt file
• If the addressed user wants to receive the email, he/she connects to the server through a mail client and requests the mail
Figure: the email client asks the email server "Any mail for me?" and the server answers "Yes"
SMTP Server
The Simple Mail Transfer Protocol (SMTP) server listens on port 25 and handles outgoing mail
When the client sends an email, it connects to the SMTP server
The client has a conversation with the SMTP server, telling it the address of the sender, the recipient, and the body of the message
The SMTP server takes the "to" address and breaks it into two parts:
• The recipient's name
• The domain name
The SMTP server has a conversation with a Domain Name Server, gets the identifying information for the domain of the remote email server, and connects to the SMTP server of the remote email server
The SMTP server connects to the recipient's SMTP server using port 25
POP3 and IMAP Servers
Post Office Protocol (POP3) server:
• When a message arrives, the POP3 server appends it to the bottom of the recipient's account file, which can be retrieved by the mail client at any preferred time
• The email client connects to the POP3 server at port 110 by default to fetch mail
Internet Mail Access Protocol (IMAP) server:
• The email client connects to the IMAP server using default port 143
• IMAP servers allow multiple concurrent client connections to the same mailbox, access to MIME message parts and partial fetch, message state information maintained at the server, multiple mailboxes on the server, and server-side searches
Importance of Electronic Records Management
Electronic records management may be defined as "The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of electronic records, including the processes for capturing and maintaining evidence of and information for legal, fiscal, administrative, and other business purposes"
Importance of electronic records management:
• It helps in the investigation and prosecution of email crimes
• It acts as a deterrent against abusive and indecent material in email messages
• It provides non-repudiation of electronic communication, so that someone cannot deny being the source of a communication
Email Crime
Emails are used for criminal purposes
Email crime can be categorized into two types:
Crime committed by sending emails:
• Spamming, phishing, mail bombing, etc.
Crime supported by email:
• Harassment, cyber blackmailing, identity fraud, pornography, etc.
Spamming
Spamming can be defined as sending unsolicited mail
Spammers obtain email addresses by harvesting addresses from Usenet postings, DNS listings, or web pages
Common Subject headers of Spam mails
Mail Bombing/Mail Storm
Mail bombing:
• Sending huge volumes of emails to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted, causing a denial-of-service attack
• In many instances, the messages will be large and constructed from meaningless data in an effort to consume additional system and network resources
Mail storm:
• A sudden spike of 'Reply All' messages on an email distribution list, caused by one misdirected message
Crime via Chat Rooms
A chat room is a website, part of a website, or part of an online service that provides a venue for communities of users with a common interest to communicate in real time
Chat rooms are increasingly being used for different crimes such as child pornography, cyber stalking, and identity theft
They can also be used as a social engineering tool to collect information for committing several other crimes
They are a regular feature of different adult sites and are extensively used to disseminate obscene material over the Internet
Identity Fraud/Chain Letter
"Identity fraud is the term used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain"
"A chain letter by definition is a letter directing the recipient to send out multiple copies so that its circulation increases exponentially"
Phishing
Phishing is a criminal act of sending an email to a user falsely claiming to be a well-known and legitimate source in an attempt to trick the user into surrendering sensitive and private information
Phishers incite the targeted users to provide personal information on illegitimate websites
The main purpose of phishing is to get access to the customer’s bank accounts, passwords, and other security information
Phishing attacks can target millions of email addresses around the world using mass-mailing systems
Email Spoofing
Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source
Spammers and perpetrators of phishing change email header fields such as From, Return-Path, and Reply-To to hide the actual source
Investigating Email Crime and Violation
• Examine an email message
• Copy an email message
• Print an email message
• View email headers
• Examine email headers
• Examine attachments
• Trace an email
Obtain a Search Warrant and Seize the Computer and Email Account
A search warrant application should include proper language to permit on-site examination of the computer and the email server
Conduct forensic examination only on equipment that the warrant permits
Seize the computer and the email accounts suspected to be involved in the crime
Email accounts can be seized by changing the existing password of the email account, either by asking the victim for his/her password or by resetting it on the mail server
Obtain a Bit-by-Bit Image of Email Information
Make a bit-by-bit image of all the folders, settings, and configurations present in the email account onto a removable disk for further investigation, using tools such as SafeBack
Compute an MD5 hash of the image to maintain the integrity of the evidence
Email Message
An email message is composed of two parts:
Header
• The email header contains information about the email's origin, such as the address it came from, how it reached the recipient (path), and who sent it
Body
• The body contains the actual message
Viewing Headers in Microsoft Outlook
Launch the Outlook program and open the copied email message
Right-click the message received and click Options to open the dialog box
Select the header text and make a copy of it
Paste the header text in any text editor and save the file with the name Filename.txt
Close the program
Microsoft Outlook Header
Viewing Headers in AOL
Initiate the program
Open the received message
Click the DETAILS link
Select message header text and copy it
Paste the text in any text editor and save the file as Filename.txt
Close the program
Viewing Headers in Hotmail
Log on to Hotmail
Open the received message
Go to Options and click Mail Display Settings
Select Message Headers - Full text and copy it
Paste the text in any text editor and save the file as Filename.txt
Close the program
Viewing Headers in Hotmail: Screenshot
Viewing Headers in Gmail
Log on to Gmail
Open the received mail
Click on the More option
Click on Show original
Select Message Headers - Full text and copy it
Paste the text in any text editor and save the file as Filename.txt
Close the program
Gmail Header
Viewing Headers in Yahoo Mail
Log on to Yahoo Mail
Open a received mail
Click on Full header
Check the header
Select message header text and copy it
Paste the text in any text editor and save the file
Log out from mail account and close the mail client
Yahoo Mail Header
Examining an Email Header
Screenshot callout: Mail originated from this IP address
Example: Rudy Sends an Email to Timmy
From: [email protected] (Rudy)
Date: Tue, Mar 18 1997 14:36:14 PST
X-Mailer: Loris v2.32
Subject: Lunch today?
Analysis of Email Header at Timmy
Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78]) by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869 for <[email protected]>; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: [email protected] (R.T. Hood)
To: [email protected]
Date: Tue, Mar 18 1997 14:36:14 PST
Message-Id: <[email protected]>
X-Mailer: Loris v2.32
Subject: Lunch today?
Received: Headers
Received: headers provide a detailed log of a message's history, and so make it possible to draw some conclusions about the origin of a piece of email even when other headers have been forged
If, for instance, the machine turmeric.com, whose IP address is 104.128.23.115, sends a message to mail.bieberdorf.edu, but falsely says HELO galangal.org, the resultant Received: line might start like this:
• Received: from galangal.org ([104.128.23.115]) by mail.bieberdorf.edu (8.8.5)...
Forging Headers
Another trick used by forgers of email, this one increasingly common, is to add spurious Received: headers before sending the offending mail
This means that the hypothetical email sent from turmeric.com might have Received: lines that looked something like this:
• Received: from galangal.org ([104.128.23.115]) by mail.bieberdorf.edu (8.8.5)...
• Received: from nowhere by fictitious-site (8.8.3/8.7.2)...
• Received: No Information Here, Go Away!
Forging Headers (cont’d)
Obviously, the last two lines are complete nonsense, written by the sender and attached to the message before it was sent
Since the sender has no control over the message once it leaves turmeric.com, Received: headers are always added at the top and the forged lines at the bottom of the list
This means that someone reading the lines from top to bottom, tracing the history of the message, can safely throw out anything after the first forged line; even if the Received: lines after that point look plausible, they are guaranteed to be forgeries
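As an added example (not code from the original module), the following Python script applies the two rules above to messages reconstructed from the header fragments on this page: it walks the Received: lines from top (newest) to bottom (oldest), checks that the "by" host of each line is the host the line above says it received the message from, and discards everything from the first inconsistent or unparseable line downward. The email addresses and the timestamps of the forged sample are placeholders, since the page redacts or omits them.

```python
import re
from email import message_from_string

# Constructed sample messages built from the header fragments shown on this page
# (addresses are placeholders; the page redacts them).
LEGIT_RAW = (
    "Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78])"
    " by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869"
    " for <recipient@immense-isp.com>; Tue, 18 Mar 1997 14:39:24 -0800 (PST)\n"
    "Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11])"
    " by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, 18 Mar 1997 14:36:17 -0800 (PST)\n"
    "From: sender@bieberdorf.edu (R.T. Hood)\n"
    "To: recipient@immense-isp.com\n"
    "Subject: Lunch today?\n"
    "\n"
    "Lunch?\n"
)

# turmeric.com said HELO galangal.org and attached two nonsense lines of its own
FORGED_RAW = (
    "Received: from galangal.org ([104.128.23.115])"
    " by mail.bieberdorf.edu (8.8.5) id 004A22; Tue, 18 Mar 1997 15:02:10 -0800 (PST)\n"
    "Received: from nowhere by fictitious-site (8.8.3/8.7.2)"
    " id 000001; Tue, 18 Mar 1997 15:00:00 -0800 (PST)\n"
    "Received: No Information Here, Go Away!\n"
    "From: someone@galangal.org\n"
    "To: recipient@bieberdorf.edu\n"
    "Subject: hi\n"
    "\n"
    "body\n"
)

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # name the sender announced in HELO
    r"(?:\s+\((?P<verified>[^)]*)\))?"  # what the receiving MTA saw: rDNS [ip]
    r"\s+by\s+(?P<by>\S+)",             # the MTA that wrote this line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """Return a dict for one Received: value, or None if it is not parseable."""
    value = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(value)
    if not m:
        return None
    verified = m.group("verified") or ""
    ip_match = IP_RE.search(verified)
    # Reverse-DNS name, if the receiving MTA recorded one before the [ip]
    rdns = verified.split("[")[0].strip() or None
    helo = m.group("helo").lower()
    return {
        "helo": helo,
        "rdns": rdns.lower() if rdns else None,
        "ip": ip_match.group(1) if ip_match else None,
        "by": m.group("by").lower().rstrip(".;"),
        # True only when the HELO name agrees with what the receiving MTA saw
        "helo_verified": bool(rdns) and rdns.lower() == helo,
    }


def trusted_hops(raw_message):
    """Walk Received: lines newest to oldest and stop at the first line that
    cannot be the true predecessor of the line above it. Everything from that
    point down was attached by the sender and is discarded."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        hop = parse_hop(value)
        if hop is None:
            break  # nonsense line: forged from here down
        if hops:
            prev = hops[-1]
            # The MTA that wrote this line must be the host the newer line
            # says it received the message from.
            if hop["by"] not in (prev["helo"], prev["rdns"]):
                break
        hops.append(hop)
    return hops


def origin_ip(raw_message):
    """Connecting IP recorded by the oldest trustworthy hop: the best evidence
    of origin, because it was observed by a server the sender did not control."""
    for hop in reversed(trusted_hops(raw_message)):
        if hop["ip"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_RAW), ("forged", FORGED_RAW)):
        print(name, len(trusted_hops(raw)), "trusted hop(s), origin", origin_ip(raw))
```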
List of Common Headers
Apparently-To
• Messages with many recipients sometimes have a long list of headers of the form "Apparently-To: [email protected]" (one line per recipient)
• These headers are unusual in legitimate mail; they are normally a sign of a mailing list, and in recent times mailing lists have generally used software not sophisticated enough to generate a giant pile of headers
Bcc
• Bcc stands for "Blind Carbon Copy". If you see this header on incoming mail, something is wrong. It is used like Cc: (see below), but does not appear in the headers
• The idea is to be able to send copies of email to persons who might not want to receive replies or to appear in the headers
• Blind carbon copies are popular with spammers, since it confuses many inexperienced users to get email that does not appear to be addressed to them
List of Common Headers (cont'd)
Cc
• Cc stands for "Carbon Copy"
• This header is sort of an extension of "To:"; it specifies additional recipients. The difference between "To:" and "Cc:" is essentially connotative; some mailers also deal with them differently in generating replies
Comments
• This is a nonstandard, free-form header field. It is most commonly seen in the form "Comments: Authenticated sender is <[email protected]>"
• Treat with caution: a header like this is added by some mailers to identify the sender; however, it is often added by hand by spammers as well
List of Common Headers (cont’d)
Content-Transfer-Encoding: This header relates to MIME, a standard way of enclosing non-text content in email; it has no direct relevance to the delivery of mail, but it affects how MIME-compliant mail programs interpret the content of the message
Content-Type: Another MIME header, telling MIME-compliant mail programs what type of content to expect in the message
Date: This header does exactly what you expected; it specifies a date, normally the date the message was composed and sent. If this header is omitted by the sender's computer, it might conceivably be added by a mail server or even by some other machines along the route
Errors-To: Specifies an address for mailer-generated errors, like "no such user" bounce messages, to go to (instead of the sender's address). This is not a particularly common header, as the sender usually wants to receive any errors at the sending address, which is what most (essentially all) mail server software does by default
From (without colon) This is the "envelope From" discussed above
List of Common Headers (cont’d)
From: (with colon) This is the "message From"
Message-Id: The Message-Id is a more-or-less unique identifier assigned to each message, usually by the first mail server it encounters. Conventionally, it is of the form "[email protected]", where the "gibberish" part could be absolutely anything and the second part is the name of the machine that assigned the ID. Sometimes, but not often, the "gibberish" includes the sender's username. Any email in which the message ID is malformed or in which the site in the message ID isn't the real site of origin, is probably a forgery
In-Reply-To: A Usenet header that occasionally appears in mail, the In-Reply-To: header gives the message ID of some previous message which is being replied to. It is unusual for this header to appear except in email directly related to Usenet; spammers have been known to use it, probably in an attempt to evade filtration programs
Mime-Version: (also MIME-Version:) Yet another MIME header, this one just specifying the version of the MIME protocol that was used by the sender. Like the other MIME headers, this one is usually ignorable; most modern mail programs will do the right thing with it
List of Common Headers (cont’d)
Newsgroups: This header only appears in email that is connected with Usenet---either email copies of Usenet postings, or email replies to postings. In the first case, it specifies the newsgroup(s) to which the message was posted; in the second, it specifies the newsgroup(s) in which the message being replied to was posted. The semantics of this header are the subject of a low-intensity holy war, which effectively assures that both sets of semantics will be used indiscriminately for the foreseeable future
Organization: A completely free-form header that normally contains the name of the organization through which the sender of the message has net access. The sender can generally control this header, and silly entries like "Royal Society for Putting Things on Top of Other Things" are commonplace
Priority: A free-form header that assigns a priority to the mail. Most software ignores it. It is often used by spammers, usually in the form "Priority: urgent" (or something similar), in an attempt to get their messages read
Received: This is the message received
List of Common Headers (cont’d)
References: The References: header is rare in email except for copies of Usenet postings. Its use on Usenet is to identify the "upstream" posts to which a message is a response; when it appears in email, it is usually just a copy of a Usenet header. It may also appear in email responses to Usenet postings, giving the message ID of the post being responded to as well as the references from that post
Reply-To: Specifies an address for replies to go to. Though this header has many legitimate uses (perhaps your software mangles your From: address and you want replies to go to a correct address), it is also widely used by spammers to deflect criticism. Occasionally, a naive spammer will actually solicit responses by email and use the Reply-To: header to collect them, but more often the Reply-To: address in junk email is either invalid or an innocent victim
Sender: This header is unusual in email (X-Sender: is usually used instead), but appears occasionally, especially in copies of Usenet posts. It should identify the sender; in the case of Usenet posts it is a more reliable identifier than the From: line
List of Common Headers (cont’d)
Subject: A completely free-form field specified by the sender, intended, of course, to describe the subject of the message
To: The "message To:" described above. Note that the To: header need not contain the recipient's address!
X-headers is the generic term for headers starting with a capital X and a hyphen. The convention is that X-headers are nonstandard and provided for information only, and that, conversely, any nonstandard informative header should be given a name starting with "X-". This convention is frequently violated
X-Confirm-Reading-To: This header requests an automated confirmation notice when the message is received or read. It is typically ignored; presumably some software acts on it
List of Common Headers (cont’d)
X-Distribution: In response to problems with spammers using his software, the author of Pegasus Mail added this header. Any message sent with Pegasus to a sufficiently large number of recipients has a header added that says "X-Distribution: bulk". It is explicitly intended as something for recipients to filter against
X-Errors-To: Like Errors-To:, this header specifies an address for errors to be sent to. It is probably less widely obeyed
X-Mailer: (also X-mailer:) This is a free-form header field intended for the mail software used by the sender to identify itself (as advertising or whatever). Since much junk email is sent with mailers invented for the purpose, this field can provide much useful fodder for filters
X-PMFLAGS: This is a header added by Pegasus Mail; its semantics are non-obvious. It appears in any message sent with Pegasus, so it does not obviously convey any information to the recipient that is not covered by the X-Mailer: header
List of Common Headers (cont’d)
X-Priority: Another priority field, used notably by Eudora to assign a priority (which appears as a graphical notation on the message)
X-Sender: It is the usual email analogue to the Sender: header in Usenet news; this header purportedly identifies the sender with greater reliability than the From: header. In fact, it is nearly as easy to forge, and should therefore be viewed with the same sort of suspicion as the From: header
X-UIDL: This is a unique identifier used by the POP protocol for retrieving mail from a server. It is normally added between the recipient's mail server and the recipient's actual mail software; if mail arrives at the mail server with an X-UIDL: header, it is probably junk (there is no conceivable use for such a header, but for some unknown reason many spammers add one)
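As an added example (not code from the original module), this Python check turns the cautions in the header list above into findings for one message: Bcc: on incoming mail, a pile of Apparently-To: lines, X-UIDL: already present on arrival, Priority: urgent, X-Distribution: bulk, a hand-added "Authenticated sender" comment, and a missing, malformed, or out-of-place Message-Id:. It assumes, as a simplification, that the "site of origin" for the Message-Id check is one of the hosts named in the oldest Received: line; all addresses and message IDs are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed samples; addresses and IDs are placeholders, not values from the page.
CLEAN_RAW = (
    "Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78])"
    " by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869;"
    " Tue, 18 Mar 1997 14:39:24 -0800 (PST)\n"
    "Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11])"
    " by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, 18 Mar 1997 14:36:17 -0800 (PST)\n"
    "Message-Id: <199703182236.004A21@mail.bieberdorf.edu>\n"
    "From: sender@bieberdorf.edu\n"
    "To: recipient@immense-isp.com\n"
    "Subject: Lunch today?\n\nLunch?\n"
)

JUNK_RAW = (
    "Received: from galangal.org ([104.128.23.115]) by mail.bieberdorf.edu (8.8.5)"
    " id 004A22; Tue, 18 Mar 1997 15:02:10 -0800 (PST)\n"
    "Message-Id: <abc123@example.invalid>\n"
    "From: offers@example.invalid\n"
    "Bcc: victim@bieberdorf.edu\n"
    "Priority: urgent\n"
    "X-UIDL: 1234567890\n"
    "Comments: Authenticated sender is <offers@example.invalid>\n"
    "Apparently-To: a@bieberdorf.edu\n"
    "Apparently-To: b@bieberdorf.edu\n"
    "Apparently-To: c@bieberdorf.edu\n"
    "Subject: MAKE MONEY FAST\n\nbuy now\n"
)

# Conventional shape "<gibberish@site>" described in the header list
MSGID_RE = re.compile(r"^<([^@<>\s]+)@([^@<>\s]+)>$")


def oldest_hop_hosts(msg):
    """Hosts named in the bottom-most (oldest) Received: line: the announced
    sender and the MTA that wrote the line. Simplification: we treat either as
    the 'site of origin' that should appear in the Message-Id."""
    received = msg.get_all("Received", [])
    if not received:
        return set()
    value = " ".join(received[-1].split()).lower()
    hosts = set()
    for key in ("from", "by"):
        m = re.search(r"\b%s\s+([a-z0-9.-]+)" % key, value)
        if m:
            hosts.add(m.group(1))
    return hosts


def header_red_flags(raw_message):
    """Return a list of (header, reason) findings; empty when nothing is suspect."""
    msg = message_from_string(raw_message)
    flags = []
    if msg.get("Bcc") is not None:
        flags.append(("Bcc", "Bcc: should never appear on incoming mail"))
    n_app = len(msg.get_all("Apparently-To", []))
    if n_app > 1:
        flags.append(("Apparently-To", "%d Apparently-To: lines: bulk mailing" % n_app))
    if msg.get("X-UIDL") is not None:
        flags.append(("X-UIDL", "X-UIDL: present on arrival at the server: likely junk"))
    if (msg.get("Priority") or "").strip().lower() == "urgent":
        flags.append(("Priority", "Priority: urgent is a common spam attention grab"))
    if (msg.get("X-Distribution") or "").strip().lower() == "bulk":
        flags.append(("X-Distribution", "Pegasus marked this as a bulk mailing"))
    if "authenticated sender" in (msg.get("Comments") or "").lower():
        flags.append(("Comments", "'Authenticated sender' is often added by hand"))
    mid = (msg.get("Message-Id") or "").strip()
    m = MSGID_RE.match(mid)
    if not m:
        flags.append(("Message-Id", "missing or malformed Message-Id: probable forgery"))
    else:
        domain = m.group(2).lower()
        hosts = oldest_hop_hosts(msg)
        # Accept an exact match or a parent domain of an origin host
        if hosts and not any(h == domain or h.endswith("." + domain) for h in hosts):
            flags.append(("Message-Id", "Message-Id site %s is not the site of origin" % domain))
    return flags


if __name__ == "__main__":
    for header, reason in header_red_flags(JUNK_RAW):
        print("%-14s %s" % (header, reason))
```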
Examining Additional Files (.pst or .ost files)
Email messages are saved as files either on client computer or server
Microsoft Outlook maintains email in .pst or .ost files
Online email programs such as AOL, Hotmail, and Yahoo store email messages in folders such as History, Cookies, and Temp
Unix stores email messages as per the user
Pst File Location
Microsoft Outlook Mail
Microsoft Outlook Mail acts like a personal information manager
The email database is normally located in the \user account\Local Settings\Application Data\Microsoft\Outlook directory
The files stored in Outlook Mail are known as *.pst files
The .pst files have archives of all folders such as Outlook, Calendar, Drafts, Sent Items, Inbox, and Notes
Examine the Originating IP Address
• Collect the IP address of the sender from the header of the received mail
• Search the IP in the whois database
• Look for the geographic address of the sender in the whois database
http://centralops.net/co/
This website contains a tool known as Email Dossier
Email Dossier is an online tool used to check the validity of an email address and to investigate email
Exchange Message Tracking Center
By default, message tracking is not enabled in Exchange Server
This tool can help you track a message's path between servers, as well as determine when the user sent the message, to whom the user sent the message, and other important pieces of information
Tracking log files will be stored (by default) in a folder located at c:\Program Files\Exchsrvr\servername.log
Inside this folder, you will find a text file for each day that logs are being retained for
Exchange Message Tracking Center: Screenshot
MailDetective Tool
MailDetective is an effective tool for monitoring the corporate email usage in Microsoft Exchange Server
It is a monitoring application designed to control email use in the corporate network
It is a solid solution against frivolous employees who undermine corporate discipline and decrease productivity by sending and receiving non-work related emails
It analyzes mail server log files and provides the employer with detailed reports about private and business emails coming to and from the corporate network as well as traffic distribution by users and email addresses
Screenshot: MailDetective Tool
Examine Phishing
Search the received mail which contains the malicious link to any website
Check for that link in the phishing archive in the Honeytrap database tool
The Honeytrap database is a database of phishing websites, submitted by different users
Example of Phishing Email
Forensic Tool Kit (FTK)
AccessData FTK is a well-known forensic tool for performing email analysis
FTK features powerful file filtering and search functionality
Features:
• Email analysis supports Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN email
• View, search, print, and export email messages and attachments
• Recover deleted and partially deleted email
• Automatically extract data from PKZIP, WinZip, WinRAR, GZIP, and TAR compressed files
• Supported file systems include NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 and ext3
E-mail Examiner by Paraben
E-mail Examiner can recover deleted emails
It examines more than 14 mail types
It recovers email deleted from deleted items
Network E-mail Examiner by Paraben
‘Network E-mail Examiner’ examines a variety of network email archives such as Exchange Server and Lotus Domino Server
It views all the individual email accounts
It supports Microsoft Exchange and Lotus Notes
Recover My Email for Outlook
Recovers individual email messages deleted from a Microsoft Outlook email file
Simple to use; scans your Outlook .PST file to see what email can be recovered
Saves deleted messages and attachments into a new .PST file
DiskInternal’s Outlook Express Repair
DiskInternals Outlook Express Repair scans email accounts for damage, and restores contents whenever possible
Tracing Back
The first step in tracing back fake mail is to view the header information
The header will show the originating mail server, e.g., mail.example.com
With a court order served by law enforcement or a civil complaint filed by attorneys, obtain the log files from mail.example.com to determine who sent the message
Information regarding the Internet domain registration can be found at:
• www.arin.net
• www.internic.com
• www.freeality.com
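The trace the slide describes, as an added example that is not part of the EC-Council material (it also shows what header-tracing tools such as eMailTrackerPro and Email Trace do with pasted headers): a Python script that parses the Received: chain of a constructed message, identifies the originating mail server whose logs an investigator would request, records the client IP that server saw, and flags hops that do not line up. All host names, IP addresses and ids in the sample are constructed.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real capture): the recipient's MX got the message from
# mail.example.com, which got it from a host that announced only its IP address.
RAW_MESSAGE = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
    by mx.recipient.example (Postfix) with ESMTPS id 4X1Y2Z
    for <victim@recipient.example>; Mon, 03 Mar 2008 10:15:02 +0000
Received: from [198.51.100.25] (unknown [198.51.100.25])
    by mail.example.com (Postfix) with ESMTPA id 7A8B9C;
    Mon, 03 Mar 2008 10:14:57 +0000
From: "Trusted Bank" <alerts@trusted-bank.example>
To: victim@recipient.example
Subject: Account notice

Please verify your account.
"""

# One Received: line looks like "from <helo> (<rdns> [<ip>]) by <server> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                      # name the client announced
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # what the receiver observed
    r"\s+by\s+(?P<by>[^\s;()]+)",                                # server that added the line
    re.IGNORECASE,
)

def parse_received(msg):
    """One dict per Received: header, in message order (top first)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header first
        if m:
            hops.append({k: (v.lower() if v else None) for k, v in m.groupdict().items()})
    return hops

def trace_origin(raw):
    """Return (first hop, hop chain oldest-first, domain claimed in From:)."""
    msg = email.message_from_string(raw)
    # Each relay prepends its own Received: line, so the last one is the earliest hop.
    chain = list(reversed(parse_received(msg)))
    origin = chain[0] if chain else None
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return origin, chain, from_domain

def chain_gaps(chain):
    """Indices where hop i's 'by' server is not the host handing off in hop i+1 (forgery hint)."""
    return [i for i in range(len(chain) - 1)
            if chain[i]["by"] not in (chain[i + 1]["helo"], chain[i + 1]["rdns"])]
```

Only the Received: lines added by servers you trust are evidence; anything below them in the chain can be written by the sender, which is why the log request goes to the last trustworthy server rather than to the host named first.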
Tracing Back Web-based Email
Web-based email accounts (Webmail) can make it more difficult to establish the identity of the sender
It is possible to create a new online webmail account easily, for example at:
• www.hotmail.com
• www.yahoo.com
• www.lycosmail.com
• www.hyshmail.com
The above sites maintain the source IP address of each connection that accesses the online webmail
Contact the mail provider (e.g., Microsoft) to obtain the subscriber’s information
Abuse.Net
Abuse.net helps the Internet community to report and control network abuse and abusive users
It does not include blacklist or spam analysis services
Once registered, when you send a message to domain-name@abuse.net, where domain-name is the name of the domain that was the source of junk email or another abusive practice, the system automatically forwards your message to the best reporting address(es) known for that domain
Network Abuse Clearing House
Tool: LoPe
LoPe is an email forensic tool with the following features:
• It extracts all email messages and attachments from multiple PST files
• It automatically processes an unlimited number of PST files
• It re-creates the internal PST folder structure
• It extracts all message headers and properties
• Files are exported in MSG, EML, or XML format
• It hashes every message and can easily be batch scripted
• The XML output format is fully customizable using XSL style sheets
Tool: FINALeMAIL
FINALeMAIL Email search results
FINALeMAIL can restore lost emails to their original state
It can recover the entire email database files
Handling Spam
Before taking legal action, send a short notice on the illegality of spam to the system administrator of the domain
Tool: eMailTrackerPro
eMailTrackerPro analyzes the email header and provides the IP address of the machine that sent the email
Tool: Email Trace - Email Tracking
The Email Trace tool helps track the email sender and the sender’s IP address
To trace an email:
• Open the received email and copy the headers
• Go to http://www.ip-adress.com/trace_email/
• Paste the email message headers
• Click on “Trace Email Sender”
• The email sender’s IP address, its location, and related IP address information are displayed
Tool: Email Trace - Email Tracking (cont’d)
Source: http://www.ip-adress.com/trace_email/
Paste the message header here
Tool: Email Trace - Email Tracking (cont’d)
Email sender IP address location and IP address information
Tool: ID Protect - www.enom.com
‘ID Protect’ prevents unauthorized access to your email address and other private information
Because of eNom's dynamic email system, the visible email address changes constantly, so by the time a harvested address is redistributed it has already been replaced and no longer works for the spammer
The Domain Privacy Protection Service secures and maintains the real email address on file so that the user still receives important information regarding the domain
Tools: R-Mail & Email Detective
R-Mail is an email recovery tool that recovers accidentally deleted emails
Email Detective is a forensic software tool used in investigations and data recovery
Tools: SPAM Punisher & SpamArrest
SPAM Punisher is an anti-spam tool that makes it easy for you to find out the address of the spammer's Internet Service Provider, as well as generate and send complaints
SpamArrest protects an email account from spam
U.S. Laws Against Email Crime: CAN-SPAM Act
The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them
Main provisions:
• It bans false or misleading header information
• It prohibits deceptive subject lines
• It requires that the email give recipients an opt-out method
• It requires that commercial email be identified as an advertisement and include the sender's valid physical postal address
CAN-SPAM Act
Penalties:
• Each violation of the above provisions is subject to fines of up to $11,000
• Additional fines are provided for commercial emailers who not only violate the rules described above, but also:
  • "harvest" email addresses from Web sites or Web services that have published a notice prohibiting the transfer of email addresses for the purpose of sending email
  • generate email addresses using a "dictionary attack" – combining names, letters, or numbers into multiple permutations
  • use scripts or other automated ways to register for multiple email or user accounts to send commercial email
  • relay emails through a computer or network without permission – for example, by taking advantage of open relays or open proxies without authorization
• The law allows the DOJ to seek criminal penalties, including imprisonment, for commercial emailers who do – or conspire to:
  • use another computer without authorization and send commercial email from or through it
  • use a computer to relay or retransmit multiple commercial email messages to deceive or mislead recipients or an Internet access service about the origin of the message
  • falsify header information in multiple email messages and initiate the transmission of such messages
18 U.S.C. § 2252A
This law states that any person who:
• knowingly mails, or transports or ships in interstate or foreign commerce by any means, including by computer, any child pornography
• knowingly receives or distributes any child pornography that has been mailed, or shipped or transported in interstate or foreign commerce by any means, including by computer
• knowingly reproduces any child pornography for distribution through the mails, or in interstate or foreign commerce by any means, including by computer
• knowingly distributes, offers, sends, or provides to a minor any visual depiction, including any photograph, film, video, picture, or computer generated image or picture, whether made or produced by electronic, mechanical, or other means
shall be punished by a fine under this title and imprisoned not less than 5 years and not more than 20 years
18 U.S.C. § 2252B
This law states that:
• Whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a person into viewing material constituting obscenity shall be fined under this title or imprisoned not more than 2 years, or both
• Whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a minor into viewing material that is harmful to minors on the Internet, shall be fined under this title or imprisoned not more than 4 years, or both
• For the purposes of this section, a domain name that includes a word or words to indicate the sexual content of the site, such as “sex” or “porn”, is not misleading
Email Crime Law in Washington: RCW 19.190.020
This law applies to residents of Washington; it states that:
• No person may initiate the transmission, conspire with another to initiate the transmission, or assist the transmission, of a commercial electronic mail message from a computer located in Washington or to an electronic mail address that the sender knows, or has reason to know, is held by a Washington resident that:
  • Uses a third party's Internet domain name without permission of the third party, or otherwise misrepresents or obscures any information in identifying the point of origin or the transmission path of a commercial electronic mail message; or
  • Contains false or misleading information in the subject line
Summary
Emails used for criminal purposes constitute email crime
Spammers obtain email addresses by harvesting addresses from Usenet postings, DNS listings, or web pages
Chat rooms can also be used as a social engineering tool to collect information for committing several other crimes
Phishers induce targeted users to provide personal information on illegitimate websites
Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source