By Adeyemo Ayodele Gabriel
A Proposal made to the Economic And Financial Crimes Commission (EFCC) and the Nigerian Cyber Crime Working Group (NCWG)
Solving the E-Mail Advance Fee Fraud (419 Mails)
Problem
Looking at the problem at hand, 419 or scam mails have wreaked major havoc on the image of this country. This problem is actually a Nigerian problem and no multinational will help us to solve it. I have been able to come up with a software solution that can help check this menace. This software will delete any mail it suspects to be scam. Tests have shown that it is 98% effective and it does the job transparently. I developed this software with the hope that it would be made available (for a fee) to all internet access points (mainly cyber cafes).
Ways Of Sending Scam Mails In A Cyber Café Situation
Most 419ers or scammers use public internet access points, popularly known as cyber cafes, to actually send out their scam mails. This is preferable to the perpetrator because, since it is a public place, they feel that they can get away with anything they do and that it is untraceable back to them. Actually, they thought right. Thus, using this advantage, they can send and receive scam mails from any cyber cafe. Who bears the brunt of the blame? You guessed right, the providers.
There are two modes used: (1) public e-mail servers and (2) mail bombers.
(1) Public E-mail Servers
Most scammers use public e-mail servers like Yahoo Mail, Hotmail, Juno Mail, etc., which are free mail services, to send scam mails. They sign up with these mail servers and send mails through those accounts to addresses they get from an internet e-mail directory. These public e-mail servers usually use the Hypertext Transfer Protocol (HTTP) to interface with the mail server. This is because it is easier and much more dynamic in content (in terms of advertisement). Thus, because other web pages also use HTTP, it is difficult to restrict people based on the type of protocol being used.
(2) Mail Bombers:
Mail bombers are software used by marketers as a marketing strategy to send adverts to e-mail addresses (this is often classed as unsolicited mail or SPAM). The working method of the e-mail bomber is to send replicates of the same message to as many addresses as have been put into the destination index. The underlying protocol for communication is called the Post Office Protocol or POP. Most mail clients also use this protocol, but they are not popular; this is why we can filter based on the protocol concerned (POP).
Now, since we can outright drop packets destined for POP, we can easily solve the problem of mail bombers, but it becomes more complicated when trying to filter for public e-mail servers, since the same protocol (HTTP) is also being used by normal web pages. Thus, we have to write a routine (or program) to be able to distinguish normal web pages from web e-mails. This is the underlying fact of this work.
Some people often wonder why Yahoo or Hotmail don't get blamed for 419 mails; after all, the perpetrator uses their facility to send the mails. Why must the Internet Task Force blame the local ISP? Well, these mail servers are smart. Fine, they provide the service and even help you to store your mails, etc., but they have been able to absolve themselves through legal notices and cannot be held responsible for anybody's mistake or misdeed for that matter. Thus, they are totally covered. However, in every mail being sent to and from their service, they are under law to publish the originating IP address of that mail to the recipient e-mail server. Actually, this is the normal occurrence between mail servers all over the world. Thus, in this way, an offended person who is a recipient of a scam mail now has someone to point fingers at (which in most cases turns out to be a Nigerian ISP).
In order for us to be able to solve this problem, we can try to make sure that no one sends scam mails in our cafes by watching their every keystroke, or try to preach hard work and dedication to would-be scammers, or threaten them with the presence of the police, etc. In every one of the ways I have mentioned, you are bound to lose customers, both scammers and ideal ones (let's face it, seventy percent of the people that browse on a daily and constant basis are scammers). This would be bad for the business.
To bridge the divide between doing clean business and making profit, I have written this program which can filter out and delete scam mails over public HTTP servers. Thus, this program is both ISP and user (or scammer) friendly. What I mean is that it is transparent. The scammer does not know that his scam mail is being deleted (unless he sends a copy to himself, of course); he is under the impression that his mail has been sent just because he got the 'mail sent' confirmation notice. The ISP is quite happy to keep the scammer pumping money into browsing time without destroying his own credibility; thus, all are happy (of course they pay me too, so that I can be happy).
How It Works
The software works on precognition. The first thing I would like to point out is that there is a certain trend that scam mails follow. There are certain similarities. These are:
(1) The initiation: the first paragraph is always there to initiate and introduce the business deal to the person.
(2) The body: this contains the major part of the mail, including the system of payment and how money would be siphoned out of a system, the cause or reason for the money, how it was sourced, etc. The percentage cut is also stated in this body.
(3) Conclusion: this mostly contains what the recipient must do if he is interested, who he can contact to verify the deal, asking for information from the person, etc.
Now, in each part of this structure, there are certain words that are almost sure to be mentioned. Examples of these words are 'dollar, deal, president, minister, cbn, bank, money transfer, account, etc.' Thus, the software iterates through the letter paragraph by paragraph, looking for the occurrence of these words. This is why I said it works on precognition or predefined words. These words, however, can be modified or added to. Long hard work has also been put into the wordlist to include variants of these words, for example, us dollar, usd, $, etc.
Fine, now how is the system able to determine that a certain mail is not a scam mail? For instance, because I mentioned 'dollars' in my mail does not automatically make it scam. Well, for each word (let's call them hot words) precompiled into the search, there is a corresponding 'weight', which is really just a numerical value associated with that hot word. This numerical value is chosen according to the likelihood of the word being used in a regular mail. What I mean is, I could choose the hot word 'bank' to have a numerical weight of 30; and I could say the hot word (in this case, hot phrase) 'Ministry of Finance' could have a numerical value of, say, 50. Bank is more likely to occur in an innocent mail, while something as precise as 'Ministry of Finance' has a greater chance of occurring in a scam/419 mail.
The rule of thumb is 'the higher the weight value, the more likely the word or phrase is to occur in a scam mail'. If, in a scan, a hot word is found in the mail, a certain variable is incremented with the weight of that hot word; now if several hot words are found in the same mail, each weight is cumulated. At the end of the scan, the cumulated weight is compared against a fixed scale or cut-off point. If the cumulated weight is less than the cut-off number, the mail is decided to be innocent and is allowed to pass. However, if the cumulated weight is higher than the cut-off point, the mail is deleted. Please note that deletion of the mail only alters the packet. It removes the e-mail's payload but still retains the shell; this way a null or empty shell is sent to the recipients. The effect of this is that the 419er feels the mail has been sent and he does not know or have an idea of what has really happened. Thus, the scanning system will be transparent to the end-user.
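The weighted hot-word scan and cut-off rule described above, written out as an added Python example. This is not the SAINt program's own code: only the two weights quoted in the text (bank = 30, Ministry of Finance = 50) come from the proposal; every other weight, the cut-off value of 100, the two sample mails and the choice to count a hot word once per paragraph in which it appears are constructed assumptions for illustration.

```python
import re

# Hot words and their weights. 'bank' (30) and 'ministry of finance' (50)
# are the figures given in the proposal; the rest are constructed
# placeholders, not the real SAINt wordlist.
HOT_WORDS = {
    "bank": 30,
    "ministry of finance": 50,
    "money transfer": 40,
    "cbn": 45,
    "president": 20,
    "minister": 25,
    "deal": 15,
    "account": 15,
    "dollar": 20,
    "us dollar": 30,   # variants of 'dollar', as the proposal describes
    "usd": 30,
    "$": 10,
}

CUT_OFF = 100  # constructed cut-off point; the proposal does not state its value


def compile_patterns(hot_words):
    """One case-insensitive regex per hot word; alphabetic words are matched
    whole (with an optional plural 's'), symbols such as '$' literally."""
    patterns = {}
    for word, weight in hot_words.items():
        escaped = re.escape(word)
        if word[0].isalnum():
            escaped = r"\b" + escaped + r"s?\b"
        patterns[word] = (re.compile(escaped, re.IGNORECASE), weight)
    return patterns


PATTERNS = compile_patterns(HOT_WORDS)


def score_mail(body, patterns=PATTERNS):
    """Iterate paragraph by paragraph and cumulate the weight of every hot
    word found. A hot word counts once per paragraph it appears in (assumed).
    Returns (cumulated_weight, hits) with hits as (paragraph_index, word, weight)."""
    total = 0
    hits = []
    paragraphs = [p for p in re.split(r"\n\s*\n", body) if p.strip()]
    for idx, para in enumerate(paragraphs):
        for word, (pattern, weight) in patterns.items():
            if pattern.search(para):
                total += weight
                hits.append((idx, word, weight))
    return total, hits


def filter_mail(headers, body, cut_off=CUT_OFF):
    """Apply the cut-off rule. Below the cut-off the mail passes untouched;
    otherwise the payload is emptied while the headers (the 'shell') are kept,
    so the sending side still receives its normal confirmation."""
    total, hits = score_mail(body)
    deleted = total >= cut_off
    return {
        "headers": dict(headers),
        "body": "" if deleted else body,
        "deleted": deleted,
        "score": total,
        "hits": hits,
    }


# Constructed sample mails (not real messages).
SCAM_SAMPLE = (
    "Dear Sir,\n\n"
    "I write to introduce a business deal of mutual benefit.\n\n"
    "The Ministry of Finance holds 25 million US dollars in a bank account. "
    "A money transfer can be approved by the minister once the CBN releases it.\n\n"
    "Your share will be 30% of the total. Contact me with your bank details."
)

INNOCENT_SAMPLE = (
    "Hi Tunde,\n\n"
    "The bank confirmed the $ 200 transfer for the office rent.\n\n"
    "See you at the meeting on Monday."
)

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("innocent", INNOCENT_SAMPLE)):
        result = filter_mail({"To": "recipient@example.invalid"}, sample)
        print(f"{label}: score={result['score']} deleted={result['deleted']}")
        for idx, word, weight in result["hits"]:
            print(f"  paragraph {idx}: '{word}' +{weight}")
```

The proposal only specifies what happens strictly below and strictly above the cut-off, so the example treats a score equal to the cut-off as deleted; that choice is an assumption. Running it shows why the weights matter: the innocent mail still trips 'bank' and '$' but stays well under the cut-off, while the scam sample accumulates weight from several paragraphs. In practice the weights and cut-off have to be tuned against a set of known-good mails, because a single heavy hot phrase in a legitimate message is the main source of false deletions.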
Implementation
Installation of the system is quite simple, but access to the box is restricted. This is due to the fact that, legally, e-mails are supposed to be private and there is a law that protects the right of users to this effect. Thus, access to the box (the computer system on which the software is installed) is restricted to a single member of the organization. The basic requirements for the box are as follows:
• A Pentium 3 600MHz processor board
• 512 MB of RAM
• 10GB hard disk space
• Two 10/100Mb fast Ethernet cards
Deployment is a day's job; maintenance and updating of the system are strictly handled by me.
Naming the Concept
I have decided on the name of the system and it shall be called SAINt®; it will be classified as an internet content filter or ICF.
____________________________________
Dedication: The purpose for this work would not have been conceived if the Lord Jesus had not dropped the idea and the know-how into my heart. I dedicate this work to my Fiancée, Olajumoke, who encouraged me all the way through the writing of this program, helping me to recover from failures and disappointments. Thank you Jummy, I would never have done it without you.
____________________________________
ADEYEMO AYODELE G.
Cisco Certified Network Associate (CCNA)
INTERNETWORK TECHNOLOGIES LTD