Showing posts with label nacha. Show all posts
Showing posts with label nacha. Show all posts

Wednesday, December 12, 2012

Phishing Alert - NACHA Spam with BONUS: How to Read Headers to Identify the Source of Fraudulent Email

A few million of the emails below are making the rounds. The phishing emails attempt to be from NACHA, an ACH trade organization, and tell readers that a recent direct deposit was declined and to just DOWNLOAD THIS SOFTWARE to CLAIM YOUR FREE CASH NOW!!!11!


NACHA itself is aware of the tomfoolery:


The From: and Reply To: headers are both forged in this email. Because of this, I suspect that jamnaytac.com, who is included in the Reply To: but now the From: is going to be receiving some grief / spam complaints that have nothing to do with them.

So who is responsible for this? Below I have included the email headers for this spam message. This one is mildly interesting because it makes some shallow attempts at being deceptive to a lazy reader. When reading headers, what we are interested in mostly are the Received: lines. Almost every other item (mouth breathers: note the almost) can be forged. Received: lines can be forged to, but only by adding lines that should not be there. Received: lines that should be there cannot be removed. When reading these lines from top to bottom, we are retracing the steps that the email took to reach us. The first lines are for the recipient - the last email server in the chain is the email server that received the email. In this case, the email was received by my gmail account (I've replaced my email address with a phony one - the other email addresses I have not modified because they were fake to begin with). 

Delivered-To: 1coolguy@yomamahouse.com****NOTAREALADDRESS****DERP
Received: by 10.194.0.225 with SMTP id 1csp142932wjh;
        Tue, 11 Dec 2012 13:31:16 -0800 (PST)
Received: by 10.69.16.100 with SMTP id fv4mr52027767pbd.135.1355261475662;
        Tue, 11 Dec 2012 13:31:15 -0800 (PST)
Return-Path: <vegetatesgh0@planetsegur.com>
Received: from dalerojo.ning.com ([83.70.178.81])
        by mx.google.com with ESMTP id yl9si26859320pbc.272.2012.12.11.13.31.14;
        Tue, 11 Dec 2012 13:31:15 -0800 (PST)
Received-SPF: neutral (google.com: 83.70.178.81 is neither permitted nor denied by best guess record for domain of vegetatesgh0@planetsegur.com) client-ip=83.70.178.81;
Authentication-Results: mx.google.com; spf=neutral (google.com: 83.70.178.81 is neither permitted nor denied by best guess record for domain of vegetatesgh0@planetsegur.com) smtp.mail=vegetatesgh0@planetsegur.com
Received: from rbdrhasvgdrhjataahsc (192.168.1.8) by rbdrhasvgdrhjataahsc.barronheating.com (83.70.178.81) with Microsoft SMTP Server id 8.0.685.24; Tue, 11 Dec 2012 14:32:23 +0000
Message-ID: <50C7837A.901050@planetsegur.com>
Date: Tue, 11 Dec 2012 14:32:23 +0000
From: "noreply@direct.nacha.org" <limbereds64@jamnaytac.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24) Gecko/20100328 Thunderbird/2.0.0.24
MIME-Version: 1.0
To: <1coolguy@yomamahouse.com****NOTAREALADDRESS****DERP>
Subject: Direct Deposit payment was declined
Content-Type: multipart/alternative;
 boundary="------------05090300301030906090103"

We want to typically ignore the hostnames in these lines as irrelevant. These hostnames are provided by the email server and can be anything the administrator wants them to be. In cases where the originating sender is a computer and not an email server (AKA a Mail Transfer Agent or MTA), in other words when someone uses Outlook on their desktop computer and not webmail, you'll often see a Windows machine name there that is not a Fully Qualified Domain Name (FQDN). So again, the IP is what is important, the hostnames aren't.
I stress the hostnames in this case because they are deliberately deceptive in this case. The spammer has used hostnames for other legitimate mail servers as the hostnames on their mail servers to make it look to the casual reader as though someone else was responsible. Hostnames included below like "rbdrhasvgdrhjataahsc.barronheating.com" - barronheating.com is a regular business, and one that appears to have been harassed as the result of this. Their mail server is 173.10.124.129, which has nothing to do with the 83.70.178.81 that rbdrhasvgdrhjataahsc.barronheating.com was assigned. rbdrhasvgdrhjataahsc.barronheating.com is not even an A record / forward DNS entry, and 83.70.178.81 contains no reverse. A quick bit of help from ARIN, and it appears that 83.70.178.81 is registered to a Internet Service Provider in Cork, Ireland named Eircom Limited. Most likely this message was sent after some poor sap in Ireland click on the spam, downloaded a nasty bit of business that turned their crappy PC into a tiny mail server, and there you go.
Other hostnames involved that have nothing to do with this are planetsegur.com and ning.com. Why would a spammer involve innocent third party mailers like this? Largely, to be obnoxious. When blacklists filter email for legitimate email servers, it wastes everyone's time and decreases faith in those services (there are good reasons to ignore a large number of modern RBL services, but that's a post for another day).
So what is to be done? Unfortunately, not much. 83.70.178.81 is a broadband IP address, meaning it is almost certainly assigned as part of a dynamic range of IPs - IPs that are not assigned to a specific user or organization, and whose assignment changes regularly using something like DHCP for example. Any email administrator worth even part of their paycheck would have sent this to the Junk Email box or rejected it before even touching the mailbox. Worthwhile RBLs like Spamhaus publish lists of dynamically assigned IPs to be filtered be email administrators - Spamhaus publishes these numbers as part of their PBL [Full disclosure: I provided data center support for and was at one time a coworker of the creator of NJABL. NJABL has since been acquired and merged with Spamhaus.] Recipient email administrators should filter dynamically assigned IPs, because email servers hosted on commercial internet connections are almost exclusively regular computers that have been compromised. Even those who opt not to host in a data center (pttthhhbbbtttt) can at least scrape together a few dollars for a dedicated IP address and associated reverse DNS / PTR entry. Email readers should stop downloading software from emails that promise them FREE MONEY!!1!1! Email has been around for 40 years now. My 90 year old grandmother has email. There's no longer any reason to be a dupe. 
Finally, and most importantly, Internet Police, Email Vigilantes and Armchair Warriors need to take a deep breath and stop what they are doing. Just - stop. Please. After a number of years working at this email business, I feel comfortable saying that we have begun to reach a critical mass where the Internet Police are a larger waste of time and money than the spammers are. Why? Internet Police are the ones who make bizarre phone calls and send threatening emails over spam. They blacklist hosting companies and data centers, preventing normal email communication for tens of thousands of people, after identifying one or two spam emails. They force companies who *do not send spam* to release statements like this one. If this is you - please know that you are the problem for those of us whose job it is to make email work for people. If that is not your goal in fighting spam, what is your goal?
Remember - all data is posted on this website with the hopes that sharing data and an increased understanding of the internet and how it works will result in a better, safer internet for all of us. Thanks for reading!

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simpl...