[SLUG] Back trace on an email (St. George Hoax)

2003-08-21 Thread Andrew Monkhouse
Hi everyone,

I just received one of those emails supposedly from St. George, telling 
me to log in to their website and update my records. Since I am not a 
St. George customer, I was a little suspicious :-D

Looking through the email, the scam worked by having an HREF tag 
containing the real St. George address followed by umpteen spaces (I 
guess around 160) followed by "[EMAIL PROTECTED]". So even if the mouse 
hovered over the link, the address displayed in the status bar would 
still appear correct.

St. George are aware of this, and have a note on their own web page 
warning people about this hoax.

Anyway, to my question. Just out of curiosity, I wondered if I could 
work out where this email came from. Here is the relevant data from the 
header:

Received: from localhost (localhost [127.0.0.1])
 by andrewm.localdomain (8.12.8/8.11.6) with ESMTP id h7KLKhj3005981
 for <[EMAIL PROTECTED]>; Thu, 21 Aug 2003 07:20:44 +1000
X-From_: [EMAIL PROTECTED] Wed Aug 20 22:18:49 2003
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Wed, 20 Aug 2003 22:18:49 +0100
Received: from xxx.freeserve.com [195.92.195.154]
 by localhost with POP3 (fetchmail-6.2.0)
 for [EMAIL PROTECTED] (single-drop); Thu, 21 Aug 2003 07:20:44 +1000 (EST)
Received: from [203.2.192.89] (helo=mta08.mail.mel.aone.net.au)
 by imailg2.svr.pol.co.uk with esmtp (Exim 4.14)
 id 19paLw-ge-QM
 for [EMAIL PROTECTED]; Wed, 20 Aug 2003 22:18:49 +0100
Received: from [66.26.168.93] by mta08.mail.mel.aone.net.au with SMTP
 id <[EMAIL PROTECTED]>
 for <[EMAIL PROTECTED]>; Thu, 21 Aug 2003 07:18:46 +1000
Date: Thu, 21 Aug 2003 01:19:50 -0400
From: [EMAIL PROTECTED]

The stuff I have xxx'd out is my email accounts.

Now as far as I can tell, mta08.mail.mel.aone.net.au would have to be 
the starting point in the chain. I presume that this is an OzEmail mail 
server, since there is nothing else in the list that appears to be 
OzEmail, and the email in question was sent to my OzEmail account.

Does this mean that the originator sent the email from OzEmail? Or that 
the OzEmail mail server allows relaying?

Or has the chain been lost somewhere?

Or has SpamAssassin deleted part of the header (I doubt this, because 
if this was the case, then more of the header should have gone).

As I said: this is just out of curiosity. Anyone have any thoughts?

Regards, Andrew
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug


Re: [SLUG] Back trace on an email (St. George Hoax)

2003-08-21 Thread Kevin Saenz
If you have a look at the url post the actual site address is written in
the code. It's the same as the Westpac email I got last week 
http://olb.westpac.com.au:UserSession=2f4d0zzz899amaiioiiabv5589955&userrstste=SecurityUpdate&[EMAIL PROTECTED]

This is where they are actually coming from. 69.61.29.81

-- 
Regards,

Kevin Saenz
 
Spinaweb
I.T consultants
 
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au



Re: [SLUG] Back trace on an email (St. George Hoax)

2003-08-21 Thread Andrew Monkhouse
On 2003.08.22 14:27 Kevin Saenz wrote:
> If you have a look at the url post the actual site address is written
> in the code. It's the same as the Westpac email I got last week
> http://olb.westpac.com.au:UserSession=2f4d0zzz899amaiioiiabv5589955&userrstste=SecurityUpdate&[EMAIL PROTECTED]
> This is where they are actually coming from. 69.61.29.81

Thanks for that. But I am not trying to track these people down. If I 
was then your answer would be very good. What I am trying to do is to 
learn how to work backwards through the delivery chain to work out 
where the email originated.

Regards, Andrew


Re: [SLUG] Back trace on an email (St. George Hoax)

2003-08-21 Thread Oscar Plameras
> Thanks for that. But I am not trying to track these people down. If I
> was then your answer would be very good. What I am trying to do is to
> learn how to work backwards through the delivery chain to work out
> where the email originated.

Examine the message header by working backwards from the top most.

I received your post, for example, from [EMAIL PROTECTED] as
indicated below, which originated from etc, etc.

Return-Path: <[EMAIL PROTECTED]>
Received: from mailgate2.mci.tel-pacific.com (mailgate2.mci.tel-pacific.com
[203.88.255.24])
 by acaymail.tel-pacific.com (8.12.8/8.12.8) with ESMTP id h7M4coR8008227;
 Fri, 22 Aug 2003 14:38:50 +1000
Received: from maddog.slug.org.au (slug.progsoc.uts.edu.au [138.25.7.4])
 by mailgate2.mci.tel-pacific.com (8.11.6/8.11.6) with ESMTP id
h7M4bWc03492;
 Fri, 22 Aug 2003 14:37:33 +1000
Received: from maddog.slug.org.au (localhost [127.0.0.1])
 by maddog.slug.org.au (Postfix) with ESMTP
 id 08F6810A7D3; Fri, 22 Aug 2003 14:48:58 +1000 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: from andrewm.localdomain (unknown [203.82.163.19])
 by maddog.slug.org.au (Postfix) with ESMTP id 7135F10A7D5
 for <[EMAIL PROTECTED]>; Fri, 22 Aug 2003 14:48:15 +1000 (EST)
Received: from andrewm (localhost [127.0.0.1])
 by andrewm.localdomain (8.12.8/8.11.6) with ESMTP id h7M4Ykj3002884;
 Fri, 22 Aug 2003 14:34:46 +1000
Date: Fri, 22 Aug 2003 14:34:45 +1000
From: Andrew Monkhouse <[EMAIL PROTECTED]>
To: Kevin Saenz <[EMAIL PROTECTED]>
Subject: Re: [SLUG] Back trace on an email (St. George Hoax)
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <[EMAIL PROTECTED]>;
 from [EMAIL PROTECTED] on Fri, Aug 22, 2003 at 14:27:46 +1000
X-Mailer: Balsa 2.0.6
Lines: 14
Cc: [EMAIL PROTECTED]
X-BeenThere: [EMAIL PROTECTED]
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Linux and Free Software Discussion 
List-Help: <mailto:[EMAIL PROTECTED]>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <http://lists.slug.org.au/listinfo/slug>,
 <mailto:[EMAIL PROTECTED]>
List-Archive: <http://lists.slug.org.au/archives/slug>
List-Unsubscribe: <http://lists.slug.org.au/listinfo/slug>,
 <mailto:[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
Status:

Oscar Plameras
http://www.acay.com.au/~oscarp/disclaimer.html



Re: [SLUG] Back trace on an email (St. George Hoax)

2003-08-22 Thread Andrew Monkhouse
Thanks to all the people who explained how I should read the trace.

I am now a bit more enlightened.

Regards, Andrew


Re: [SLUG] Back trace on an email (St. George Hoax)

2003-08-25 Thread Del
Andrew Monkhouse wrote:
> Thanks to all the people who explained how I should read the trace.
>
> I am now a bit more enlightened.

One other clue, Andrew.

People who do this sort of thing professionally are only
going to be able to use your trace in a legal sense if the
timestamps are absolutely correct.  Because they can't
guarantee that the timestamps on any intervening machine
are correct, if you're going to make this useful it helps
to be setting timestamps on your mailserver via NTP.
Scammers perpetrating this sort of thing dial in somewhere,
send a batch, disconnect, dial somewhere else, etc.  They
can be very hard to catch.
--
Del
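A way to walk the Received chain bottom-up as Oscar describes, with the timestamp sanity check Del raises, as an added Python example that is not from the thread. The sample header is constructed from the Received lines in Andrew's first post, with the redacted addresses replaced by example.invalid placeholders and the local-delivery hop left out.

```python
import email
import re
from email.utils import parsedate_to_datetime
# Constructed sample, built from the Received lines quoted in Andrew's post
# (redacted addresses replaced by example.invalid placeholders). Headers read
# top-down are newest hop first: each MTA prepends its own Received line.
RAW = """\
Received: from xxx.freeserve.com [195.92.195.154]
 by localhost with POP3 (fetchmail-6.2.0)
 for andrew@example.invalid (single-drop); Thu, 21 Aug 2003 07:20:44 +1000 (EST)
Received: from [203.2.192.89] (helo=mta08.mail.mel.aone.net.au)
 by imailg2.svr.pol.co.uk with esmtp (Exim 4.14) id 19paLw-ge-QM
 for andrew@example.invalid; Wed, 20 Aug 2003 22:18:49 +0100
Received: from [66.26.168.93] by mta08.mail.mel.aone.net.au with SMTP
 id <msgid@example.invalid>
 for <andrew@example.invalid>; Thu, 21 Aug 2003 07:18:46 +1000
Date: Thu, 21 Aug 2003 01:19:50 -0400
From: sender@example.invalid
"""
FROM_BY = re.compile(r"from\s+(.*?)\s+by\s+(\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Received hops oldest-first as (client, client_ip, server, stamp)."""
    hops = []
    for hdr in email.message_from_string(raw).get_all("Received", []):
        clause, _, date = hdr.rpartition(";")         # timestamp follows the last ';'
        m = FROM_BY.search(" ".join(clause.split()))  # unfold continuation lines
        if not m:
            continue  # not a "from X by Y" hop
        ip = IPV4.search(m.group(1))
        hops.append((m.group(1), ip.group(1) if ip else "", m.group(2),
                     parsedate_to_datetime(date.strip())))
    return hops[::-1]  # bottom line was written first, so it is the origin hop

def trace(raw):
    """Origin IP plus anomalies to weigh before trusting the chain."""
    hops = parse_hops(raw)
    client, ip, server, first_seen = hops[0]
    findings = []
    if client.strip("[]") == ip:  # bare address: the sender presented no hostname
        findings.append(f"origin {ip} offered no hostname to {server}")
    for (_, _, a, t1), (_, _, b, t2) in zip(hops, hops[1:]):
        if t2 < t1:  # a later MTA stamped an earlier time: some clock is off
            findings.append(f"{b} stamped before {a}; clocks not trustworthy")
    date = parsedate_to_datetime(email.message_from_string(raw)["Date"])
    skew = (date - first_seen).total_seconds() / 3600
    if abs(skew) > 1:  # Date is set by the sender, so a large gap is suspicious
        findings.append(f"Date header is {skew:+.1f} h from first receipt")
    return ip, findings
```

On Andrew's header this reports 66.26.168.93 as the first visible client (it handed the message to mta08 rather than mta08 being the start), and that the sender-supplied Date is about eight hours later than the first MTA's timestamp.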