File000147


  1. Module XXXIV – Tracking Emails and Investigating Email Crimes
  2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
     News: Email Spamming Attacks Quadruple Since Start of 2008
     Source: http://www.publictechnology.net/
  3. News: Email Spam Has Been Annoying Us for 30 Years
     Source: http://www.news.com.au/
  4. News: Two Internet Spammers Charged By Information
     R. Alexander Acosta, United States Attorney for the Southern District of Florida, and Jonathan I. Solomon, Special Agent in Charge, Federal Bureau of Investigation, Miami Field Office, announced today the filing of a one-count Information charging defendants Jared Cosgrave and Mohammed Haque with fraud and related activity in connection with electronic mail, in violation of the CAN-SPAM Act of 2003, Title 18, United States Code, Section 1037(a)(2), by illegally transmitting over 25,000 electronic mail messages during a 30-day period. Both Cosgrave, 25, of Plantation, Florida, and Haque, 26, of California, made their initial appearances in federal court this morning before U.S. Magistrate Judge Chris McAliley. Cosgrave and Haque subsequently pled guilty to the Information before United States District Court Judge Alan S. Gold. Sentencing is scheduled for November 16, 2007. At sentencing, Cosgrave and Haque face a maximum statutory sentence of up to three years’ imprisonment, a fine of up to $250,000, and restitution of more than $58,000 to Earthlink Inc.
     Source: http://miami.fbi.gov
  5. Module Objective
     This module will familiarize you with:
     • Email Systems
     • Email Clients
     • Email Servers
     • Real Email Systems
     • Email Crime
     • Spamming
     • Identity Fraud/Chain Letters
     • Investigating Email Crimes and Violations
     • List of Common Headers
     • Microsoft Outlook Mail
     • Tracing an Email Message
     • U.S. Laws Against Email Crime
  6. Module Flow
     • Email System
     • Email Client
     • Email Server
     • SMTP Server
     • Email Crime
     • Spamming
     • Identity Fraud/Chain Letter
     • Investigating Email Crimes and Violations
     • List of Common Headers
     • Microsoft Outlook Mail
     • Tracing an Email Message
     • U.S. Laws Against Email Crime
  7. Email System
     An email system consists of mail clients, which send and fetch mail, and two different servers running on a server machine: an SMTP server and a POP3 or IMAP server
  8. Email Client
     An email client is a computer application for managing email. Email clients perform the following functions:
     • Retrieve messages from a mailbox
     • Display the headers of all the messages in the mailbox
     • The header contains information such as who sent the mail, the subject of the mail, the time and date of the message, and the size of the message
     • The client allows the user to select a message header and read the body of the email message
     • It allows the user to create new messages and submit them to a mail server
     • Clients allow the user to add attachments to the messages they want to send and to save the attachments from received messages
     • Format the messages
     • Internet Explorer, Mozilla Firefox, Netscape, and Safari are some of the commonly used email clients
  9. Email Server
     An email server works as follows:
     • It contains a list of email accounts, with one account for each person
     • Mail servers reserve a text file for each account in the list, which contains all the information of the account
     • After a user presses the ‘Send’ button, the email client connects to the email server and passes the name of the recipient, the sender, and the body of the message
     • The server formats those pieces of information and appends them to the bottom of the recipient's .txt file
     • If the addressed user wants to receive the email, he/she connects to the server through a mail client and requests the mail
     (Diagram) Email client to email server: "Any mail for me?" Email server to email client: "Yes"
  10. SMTP Server
     The Simple Mail Transfer Protocol (SMTP) server listens on port 25 and handles outgoing mail
     When the client sends an email, it connects to the SMTP server
     The client has a conversation with the SMTP server, telling it the address of the sender, the recipient, and the body of the message
     The SMTP server takes the "to" address and breaks it into two parts:
     • The recipient’s name
     • The domain’s name
     The SMTP server has a conversation with a Domain Name Server, gets the identifying information for the domain of the remote email server, and connects to the SMTP server of the remote email server
     The SMTP server connects with the recipient’s SMTP server using port 25
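The SMTP conversation that slides 7-10 describe, as an added example that is not part of the original module. The Python below is a toy server-side command handler (standard library only; the `SmtpSession` class, its method names and its reply strings are this example's own, not any real MTA's). It splits the RCPT TO address into local part and domain exactly as slide 10 says, and when the message is complete it prepends the Received: trace line a receiving server writes: the HELO name is copied as the client gave it, but the bracketed address is the real TCP peer IP, which the client cannot choose. The DNS lookup of the recipient domain's mail server that a real relay would do next is left out, since it needs the network.

```python
"""Toy SMTP receiver showing the conversation from slides 7-10 (added example).

Stdlib only. SmtpSession, its method names and reply texts are this example's
own; they imitate the shape of an SMTP dialogue, not any particular MTA.
"""
import re
from dataclasses import dataclass, field
from email.utils import formatdate

# An address, optionally wrapped in <...>: local part and domain (example's own regex).
ADDR_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+?)>?$")


def split_address(addr):
    """Break 'user@domain' into the two parts slide 10 names: (local part, domain).
    A real server then asks DNS for the mail server of that domain."""
    m = ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"malformed address: {addr!r}")
    return m.group(1), m.group(2).lower()


@dataclass
class SmtpSession:
    """State of one inbound connection to the receiving server."""
    server_name: str
    peer_ip: str                       # real TCP peer address, known to the server
    helo_name: str = ""                # whatever the client claimed in HELO/EHLO
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    data: list = field(default_factory=list)
    in_data: bool = False
    delivered: list = field(default_factory=list)   # (envelope from, rcpts, message)

    def handle(self, line):
        """Consume one client line and return the server's reply (None inside DATA)."""
        if self.in_data:
            if line == ".":                        # end of message body
                self.in_data = False
                message = self.received_line() + "\r\n".join(self.data) + "\r\n"
                self.delivered.append((self.mail_from, list(self.rcpt_to), message))
                self.mail_from, self.rcpt_to, self.data = "", [], []
                return "250 OK: queued"
            # undo dot-stuffing: a body line starting with '..' was originally '.'
            self.data.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo_name = arg.strip()
            return f"250 {self.server_name} Hello {self.helo_name} [{self.peer_ip}]"
        if verb == "MAIL":                         # MAIL FROM:<sender>
            self.mail_from = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":                         # RCPT TO:<recipient>
            local, domain = split_address(arg.partition(":")[2])
            self.rcpt_to.append(f"{local}@{domain}")
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Need RCPT TO first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"

    def received_line(self):
        """Trace header the receiving server prepends. The HELO name is copied as
        given; the bracketed address is the real peer IP, which the client cannot
        pick. This is why slide 37's line reads 'from galangal.org ([104.128.23.115])'
        for a host that lied in HELO."""
        return (f"Received: from {self.helo_name} ([{self.peer_ip}])\r\n"
                f"\tby {self.server_name} with SMTP; {formatdate()}\r\n")


def run_dialogue(session, client_lines):
    """Feed a scripted client through the session; return [(client line, reply)]."""
    return [(line, session.handle(line)) for line in client_lines]


if __name__ == "__main__":
    # Constructed dialogue: turmeric.com (104.128.23.115) greets as galangal.org.
    s = SmtpSession(server_name="mail.bieberdorf.edu", peer_ip="104.128.23.115")
    script = ["HELO galangal.org", "MAIL FROM:<someone@turmeric.com>",
              "RCPT TO:<rth@bieberdorf.edu>", "DATA", "Subject: constructed example",
              "", "Hello", ".", "QUIT"]
    for line, reply in run_dialogue(s, script):
        print(f"C: {line}" if reply is None else f"C: {line}\nS: {reply}")
    print(s.delivered[0][2])
```

Running the module prints both sides of the exchange and then the stored message, whose first line is the Received: header with the claimed name and the real IP side by side.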
  11. POP3 and IMAP Servers
     Post Office Protocol (POP3) Server:
     • When a message arrives, the POP3 server appends it to the bottom of the recipient's account file, from which the mail client can retrieve it at any time
     • The email client connects to the POP3 server on port 110 by default to fetch mail
     Internet Mail Access Protocol (IMAP) Server:
     • The email client connects to the IMAP server using default port 143
     • IMAP servers allow multiple concurrent client connections to the same mailbox, access to MIME message parts and partial fetches, message state kept on the server, multiple mailboxes on the server, and server-side searches
  12. Importance of Electronic Records Management
     Electronic records management may be defined as "the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of electronic records, including the processes for capturing and maintaining evidence of and information for legal, fiscal, administrative, and other business purposes"
     Importance of electronic records management:
     • It helps in the investigation and prosecution of email crimes
     • It acts as a deterrent against abusive and indecent material in email messages
     • It supports non-repudiation of electronic communication, so that someone cannot deny being the source of a communication
  13. Email Crime
     Emails are used for criminal purposes. Email crime can be categorized into two types:
     Crime committed by sending emails:
     • Spamming, phishing, mail bombing, etc.
     Crime supported by email:
     • Harassment, cyber blackmailing, identity fraud, pornography, etc.
  14. Spamming
     Spamming can be defined as sending unsolicited mail
     Spammers obtain email addresses by harvesting addresses from Usenet postings, DNS listings, or web pages
     Common Subject headers of spam mails
  15. Mail Bombing/Mail Storm
     Mail Bombing:
     • Sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted, causing a denial-of-service attack
     • In many instances the messages are large and constructed from meaningless data, in an effort to consume additional system and network resources
     Mail Storm:
     • A sudden spike of ‘Reply All’ messages on an email distribution list, caused by one misdirected message
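A detection view of the two patterns on slide 15, as an added example that is not part of the module: a sliding-window counter run over constructed delivery-log lines. The log line format, the thresholds, the `kind` classification and the function names are this example's own assumptions, not any MTA's real log format. The same volume check catches both patterns; the number of distinct senders in the window is what separates a mail storm (many list members replying) from a mail bomb (one source, or a few, flooding one mailbox with large messages).

```python
"""Sliding-window detector for mail bombs and mail storms over delivery-log lines.

Added example, not part of the module. The log line format, thresholds and
function names are this example's own assumptions, not any MTA's real format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> from=<sender> to=<recipient> size=<bytes>"
LOG_RE = re.compile(r"^(\S+) from=<([^>]*)> to=<([^>]+)> size=(\d+)$")


def parse_line(line):
    """Return (timestamp, sender, recipient, size) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def detect_floods(lines, window_seconds=60, max_msgs=20, max_bytes=5_000_000):
    """Flag every recipient that gets more than max_msgs messages, or more than
    max_bytes, within any window_seconds span. Lines must be in time order.
    Returns {recipient: {"count", "bytes", "senders", "kind"}} for the worst window."""
    windows = defaultdict(deque)          # recipient -> deque of (ts, sender, size)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, sender, rcpt, size = rec
        q = windows[rcpt]
        q.append((ts, sender, size))
        while (ts - q[0][0]) > timedelta(seconds=window_seconds):
            q.popleft()                   # drop entries older than the window
        count, nbytes = len(q), sum(s for _, _, s in q)
        if count > max_msgs or nbytes > max_bytes:
            if rcpt not in alerts or count > alerts[rcpt]["count"]:
                senders = sorted({s for _, s, _ in q})
                # Slide 15: a mail storm is many list members hitting 'Reply All',
                # so it shows many distinct senders; a bomb usually does not.
                kind = "mail storm" if len(senders) >= max(3, count // 2) else "mail bomb"
                alerts[rcpt] = {"count": count, "bytes": nbytes,
                                "senders": senders, "kind": kind}
    return alerts


def constructed_log():
    """Build sample log lines: background traffic, a bomb, and a reply-all storm."""
    t0 = datetime(2008, 3, 18, 14, 0, 0)
    lines = []
    for i in range(6):                    # normal traffic: one message every 10 minutes
        lines.append(f"{(t0 + timedelta(minutes=10 * i)).isoformat()} "
                     f"from=<rudy@bieberdorf.edu> to=<timmy@immense-isp.com> size=2048")
    for i in range(30):                   # bomb: 30 x 1 MB to one mailbox in under a minute
        lines.append(f"{(t0 + timedelta(minutes=36, seconds=2 * i)).isoformat()} "
                     f"from=<junk@nowhere.invalid> to=<victim@bieberdorf.edu> size=1000000")
    for i in range(25):                   # storm: 25 'Reply All' from 25 people in 50 s
        lines.append(f"{(t0 + timedelta(minutes=70, seconds=2 * i)).isoformat()} "
                     f"from=<user{i}@bieberdorf.edu> to=<all-staff@bieberdorf.edu> size=3000")
    return sorted(lines)                  # ISO timestamps sort chronologically


if __name__ == "__main__":
    for rcpt, info in detect_floods(constructed_log()).items():
        print(f"{info['kind']:<10} {rcpt}: {info['count']} msgs, {info['bytes']} bytes, "
              f"{len(info['senders'])} distinct senders")
```

The thresholds are deliberately low so the constructed sample trips them; on a real server they would be tuned to the normal per-mailbox rate, and the `senders` list is what an investigator would carry forward to the header analysis later in the module.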
  16. Crime via Chat Rooms
     A chat room is a website, part of a website, or part of an online service that provides a venue for communities of users with a common interest to communicate in real time
     Chat rooms are increasingly being used for crimes such as child pornography, cyber stalking, and identity theft
     They can also be used as a social engineering tool to collect information for committing several other crimes
     They are a regular feature of adult sites and are extensively used to disseminate obscene material over the Internet
  17. Identity Fraud/Chain Letter
     "Identity fraud is the term used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain"
     "A chain letter, by definition, is a letter directing the recipient to send out multiple copies so that its circulation increases exponentially"
  19. Phishing
     Phishing is the criminal act of sending an email to a user while falsely claiming to be a well-known and legitimate source, in an attempt to trick the user into surrendering sensitive and private information
     Phishers incite the targeted users to provide personal information on illegitimate websites
     The main purpose of phishing is to get access to the customer’s bank accounts, passwords, and other security information
     Phishing attacks can target millions of email addresses around the world using mass-mailing systems
  20. Email Spoofing
     Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source
     Spammers and perpetrators of phishing change email header fields such as From:, Return-Path:, and Reply-To: to hide the actual source
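One way a defender can surface the indicators slide 20 names, as an added example that is not part of the module: the Python below parses a message with the standard library and reports when the Reply-To: or Return-Path: domain disagrees with the From: domain, and when a Bcc: header is present on received mail (slide 40 later lists that as a warning sign). The function names and the two sample messages are this example's own constructions. A mismatch is an indicator for an investigator to follow up, not proof of forgery on its own, since mailing lists and legitimate bulk senders also set these fields differently.

```python
"""Spoofing indicators from header consistency (added example, stdlib only).

Not part of the module; the function names and sample messages are constructed.
The checks follow slide 20 (From:, Return-Path:, Reply-To: are the fields
forgers rewrite) and slide 40 (a Bcc: header on received mail is a warning sign).
"""
from email.parser import Parser
from email.utils import parseaddr


def header_domain(msg, name):
    """Lower-cased domain of the address in header `name`, or None if absent."""
    value = msg.get(name)
    if value is None:
        return None
    _, addr = parseaddr(value)
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def spoofing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing fired."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    findings = []
    from_domain = header_domain(msg, "From")
    if from_domain is None:
        findings.append("From: header missing or has no parseable address")
    for name in ("Reply-To", "Return-Path"):
        domain = header_domain(msg, name)
        if domain and from_domain and domain != from_domain:
            findings.append(f"{name}: domain '{domain}' differs from From: domain '{from_domain}'")
    if msg.get("Bcc") is not None:
        findings.append("Bcc: header present on a received message")
    return findings


# Constructed samples (not real mail). The spoofed one claims to be the ISP's
# billing desk but steers replies and bounces to unrelated domains.
SPOOFED = """\
Return-Path: <bounce-7781@nowhere.invalid>
Received: from example.invalid ([192.0.2.10]) by mailhost.immense-isp.com with SMTP;
 Tue, 18 Mar 1997 16:02:41 -0800 (PST)
From: "Immense ISP Billing" <billing@immense-isp.com>
Reply-To: <collect@mailbox.invalid>
Bcc: timmy@immense-isp.com
Subject: Your account

"""

CLEAN = """\
Return-Path: <rudy@bieberdorf.edu>
From: rudy@bieberdorf.edu (Rudy)
To: timmy@immense-isp.com
Subject: Lunch today?

"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, spoofing_indicators(raw) or ["no indicators"])
```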
  21. Investigating Email Crime and Violation
     • Examine an email message
     • Copy an email message
     • Print an email message
     • View email headers
     • Examine email headers
     • Examine attachments
     • Trace an email
  22. Obtain a Search Warrant and Seize the Computer and Email Account
     A search warrant application should include proper language to permit on-site examination of the computer and email server
     Conduct a forensic examination only on equipment that the warrant permits
     Seize the computer and the email accounts suspected to be involved in the crime
     Email accounts can be seized simply by changing the existing password of the email account, either by asking the victim for his/her password or from the mail server
  23. Obtain a Bit-by-Bit Image of Email Information
     Make a bit-by-bit image of all the folders, settings, and configurations present in the email account on a removable disk, using tools such as SafeBack, for further investigation
     Hash the image (MD5) to maintain the integrity of the evidence
  24. Email Message
     An email message is composed of two parts:
     Header:
     • The email header contains information about the email's origin, such as the address it came from, how it reached the recipient (the path), and who sent it
     Body:
     • The body contains the actual message
  25. Viewing Headers in Microsoft Outlook
     • Launch the Outlook program and open the copied email message
     • Right-click the received message and click Options to open the dialog box
     • Select the header text and copy it
     • Paste the header text into any text editor and save the file with the name Filename.txt
     • Close the program
  26. Microsoft Outlook Header
  27. Viewing Headers in AOL
     • Start the program
     • Open the received message
     • Click the DETAILS link
     • Select the message header text and copy it
     • Paste the text into any text editor and save the file as Filename.txt
     • Close the program
  28. Viewing Headers in Hotmail
     • Log on to Hotmail
     • Open the received message
     • Go to Options and click Mail Display Settings
     • Select Message Headers - Full, then select the header text and copy it
     • Paste the text into any text editor and save the file as Filename.txt
     • Close the program
  29. Viewing Headers in Hotmail: Screenshot
  30. Viewing Headers in Gmail
     • Log on to Gmail
     • Open the received mail
     • Click the More option
     • Click Show original
     • Select the full message header text and copy it
     • Paste the text into any text editor and save the file as Filename.txt
     • Close the program
  31. Gmail Header
  32. Viewing Headers in Yahoo Mail
     • Start Yahoo Mail
     • Open a received mail
     • Click Full header
     • Check the header
     • Select the message header text and copy it
     • Paste the text into any text editor and save the file
     • Log out of the mail account and close the mail client
  33. Yahoo Mail Header
  34. Examining an Email Header
     (Header screenshot with callout: "Mail originated from this IP address")
  35. Example: Rudy Sends an Email to Timmy
     From: rudy@bieberdorf.edu (Rudy)
     To: timmy@immense-isp.com
     Date: Tue, Mar 18 1997 14:36:14 PST
     X-Mailer: Loris v2.32
     Subject: Lunch today?
  36. Analysis of Email Header at Timmy
     Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78]) by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869 for <timmy@immense-isp.com>; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
     Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
     From: rudy@bieberdorf.edu (R.T. Hood)
     To: timmy@immense-isp.com
     Date: Tue, Mar 18 1997 14:36:14 PST
     Message-Id: <rth031897143614-00000298@mail.bieberdorf.edu>
     X-Mailer: Loris v2.32
     Subject: Lunch today?
  37. Received: Headers
     Received: headers provide a detailed log of a message's history, and so make it possible to draw some conclusions about the origin of a piece of email even when other headers have been forged
     If, for instance, the machine turmeric.com, whose IP address is 104.128.23.115, sends a message to mail.bieberdorf.edu but falsely says HELO galangal.org, the resultant Received: line might start like this:
     • Received: from galangal.org ([104.128.23.115]) by mail.bieberdorf.edu (8.8.5)...
  38. Forging Headers
     Another trick used by forgers of email, this one increasingly common, is to add spurious Received: headers before sending the offending mail
     This means that the hypothetical email sent from turmeric.com might have Received: lines that looked something like this:
     • Received: from galangal.org ([104.128.23.115]) by mail.bieberdorf.edu (8.8.5)
     • Received: from nowhere by fictitious-site (8.8.3/8.7.2)...
     • Received: No Information Here, Go Away!
  39. Forging Headers (cont’d)
     Obviously, the last two lines are complete nonsense, written by the sender and attached to the message before it was sent
     Since the sender has no control over the message once it leaves turmeric.com, genuine Received: headers are always added at the top, so the forged lines end up at the bottom of the list
     This means that someone reading the lines from top to bottom, tracing the history of the message, can safely throw out anything after the first forged line; even if the Received: lines after that point look plausible, they are guaranteed to be forgeries
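The top-to-bottom reading rule of slides 37-39 in working code, as an added example that is not part of the module. The regexes, the continuity rule and the result layout are this example's own (standard library only), and the two sample messages are constructed from the header lines quoted on slides 36 and 38. Walking downwards, each Received: line is trusted only while the host that wrote it (`by`) is the host the line above says it received from; the first break marks the first forged line, and everything below it is discarded. The lowest trusted line gives the originating IP that slide 34 points at, and the same origin is compared against the Message-Id site, applying the slide 43 rule that a Message-Id whose site is not the real origin is probably forged. The last-two-labels notion of a "site" is a deliberate simplification.

```python
"""Walk the Received: chain top-down and find where trust ends (added example).

Not part of the module: regexes, trust rule and result layout are this example's
own; the samples are constructed from the header lines on slides 36-38.
"""
import re
from email.parser import Parser

FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", re.I)  # HELO name, optional (rDNS [IP])
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)                          # server that wrote the line
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into clauses; None if it has no from/by pair."""
    value = " ".join(value.split())                  # unfold, squeeze whitespace
    fm, bm = FROM_RE.search(value), BY_RE.search(value)
    if not fm or not bm:
        return None
    paren = fm.group(2) or ""
    ipm = IP_RE.search(paren) or IP_RE.search(value)
    rdns = paren.split("[")[0].strip() or None       # reverse-DNS name, if logged
    return {"helo": fm.group(1), "rdns": rdns, "ip": ipm.group(1) if ipm else None,
            "by": bm.group(1).rstrip(";,"), "raw": value}


def site_of(host):
    """Crude 'site' of a host name: its last two labels (example's own simplification)."""
    return ".".join(host.lower().split(".")[-2:])


def analyse_chain(raw_message):
    """Return per-hop trust verdicts, the originating IP and a Message-Id sanity check."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    raw_lines = msg.get_all("Received", [])
    hops = [parse_received(v) for v in raw_lines]
    trusted, result = True, []
    for i, hop in enumerate(hops):
        notes = []
        if hop is None:                               # no from/by: not written by a server
            trusted = False
            result.append({"raw": raw_lines[i], "trusted": False,
                           "notes": ["no from/by clause: not a real trace line"]})
            continue
        if i > 0 and trusted:
            # Continuity rule (slide 39): the host that wrote this line ('by') must be
            # the host the line above says it received from. The line above was added
            # later, by a server the sender never controlled, so it is the witness.
            prev = hops[i - 1]
            if hop["by"].lower() not in {prev["helo"].lower(), (prev["rdns"] or "").lower()}:
                trusted = False
                notes.append(f"'by {hop['by']}' is not the host the line above received from")
        if hop["rdns"] and hop["rdns"].lower() != hop["helo"].lower():
            notes.append(f"HELO name {hop['helo']} differs from reverse DNS {hop['rdns']}")
        elif hop["rdns"] is None and hop["ip"]:
            notes.append(f"HELO name {hop['helo']} unverified; only the IP {hop['ip']} is reliable")
        result.append({**hop, "trusted": trusted, "notes": notes})
    genuine = [h for h in result if h["trusted"]]
    origin = genuine[-1] if genuine else None         # lowest trusted line: nearest the sender
    mid_domain = msg.get("Message-Id", "").strip().rstrip(">").rpartition("@")[2]
    return {
        "hops": result,
        "first_untrusted_index": next((i for i, h in enumerate(result) if not h["trusted"]), None),
        "origin_ip": origin["ip"] if origin else None,
        "message_id_consistent": bool(mid_domain) and origin is not None
                                 and site_of(mid_domain) == site_of(origin["by"]),
    }


# Constructed from slide 36 (genuine chain) and slide 38 (two forged lines at the bottom).
GENUINE = """\
Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78])
 by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869
 for <timmy@immense-isp.com>; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11])
 by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: rudy@bieberdorf.edu (R.T. Hood)
To: timmy@immense-isp.com
Message-Id: <rth031897143614-00000298@mail.bieberdorf.edu>

"""

FORGED = """\
Received: from galangal.org ([104.128.23.115]) by mail.bieberdorf.edu (8.8.5)
 id 004B07; Tue, 18 Mar 1997 16:02:41 -0800 (PST)
Received: from nowhere by fictitious-site (8.8.3/8.7.2) id AAA00001
Received: No Information Here, Go Away!
From: someone@galangal.org
To: rth@bieberdorf.edu
Message-Id: <0001@fictitious-site>

"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        r = analyse_chain(raw)
        print(f"{label}: origin IP {r['origin_ip']}, first untrusted line "
              f"{r['first_untrusted_index']}, Message-Id consistent {r['message_id_consistent']}")
```

For the forged sample the walk stops trusting at index 1, the origin IP is the 104.128.23.115 that slide 37 says the real server recorded, and the `fictitious-site` Message-Id is flagged; for the genuine sample every line is kept and the origin is alpha.bieberdorf.edu's address.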
  40. 40. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited List of Common Headers • Messages with many recipients sometimes have a long list of headers of the form "Apparently-To: rth@bieberdorf.edu" (one line per recipient) • These headers are unusual in legitimate mail; they are normally a sign of a mailing list, and in recent times mailing lists have generally used software not sophisticated enough to generate a giant pile of headers Apparently-To • Bcc stands for "Blind Carbon Copy“. If you see this header on incoming mail, something is wrong. It is used like Cc: (see below), but does not appear in the headers • The idea is to be able to send copies of email to persons who might not want to receive replies or to appear in the headers • Blind carbon copies are popular with spammers, since it confuses many inexperienced users to get email that does not appear to be addressed to them Bcc
  41. 41. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited List of Common Headers (cont’d) • Cc stands for "Carbon Copy” • This header is sort of an extension of "To:"; it specifies additional recipients. The difference between "To:" and "Cc:" is essentially connotative; some mailers also deal with them differently in generating replies Cc • This is a nonstandard, free-form header field. It is most commonly seen in the form "Comments: Authenticated sender is <rth@bieberdorf.edu>" • “Treat with caution”, A header like this is added by some mailers to identify the sender; however, it is often added by hand by spammers as well Comments
  42. 42. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited List of Common Headers (cont’d) Content-Transfer-Encoding: This header relates to MIME, a standard way of enclosing non-text content in email; it has no direct relevance to the delivery of mail, but it affects how MIME- compliant mail programs interpret the content of the message Content-Type: Another MIME header, telling MIME-compliant mail programs what type of content to expect in the message Date: This header does exactly what you expected; it specifies a date, normally the date the message was composed and sent. If this header is omitted by the sender's computer, it might conceivably be added by a mail server or even by some other machines along the route Errors-To: Specifies an address for mailer-generated errors, like "no such user" bounce messages, to go to (instead of the sender's address). This is not a particularly common header, as the sender usually wants to receive any errors at the sending address, which is what most (essentially all) mail server software does by default From (without colon) This is the "envelope From" discussed above
  43. 43. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited List of Common Headers (cont’d) From: (with colon) This is the "message From Message-Id: The Message-Id is a more-or-less unique identifier assigned to each message, usually by the first mail server it encounters. Conventionally, it is of the form "gibberish@bieberdorf.edu", where the "gibberish" part could be absolutely anything and the second part is the name of the machine that assigned the ID. Sometimes, but not often, the "gibberish" includes the sender's username. Any email in which the message ID is malformed or in which the site in the message ID isn't the real site of origin, is probably a forgery In-Reply-To: A Usenet header that occasionally appears in mail, the In-Reply-To: header gives the message ID of some previous message which is being replied to. It is unusual for this header to appear except in email directly related to Usenet; spammers have been known to use it, probably in an attempt to evade filtration programs Mime-Version: (also MIME-Version:) Yet another MIME header, this one just specifying the version of the MIME protocol that was used by the sender. Like the other MIME headers, this one is usually ignorable; most modern mail programs will do the right thing with it
  44. 44. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited List of Common Headers (cont’d) Newsgroups: This header only appears in email that is connected with Usenet---either email copies of Usenet postings, or email replies to postings. In the first case, it specifies the newsgroup(s) to which the message was posted; in the second, it specifies the newsgroup(s) in which the message being replied to was posted. The semantics of this header are the subject of a low-intensity holy war, which effectively assures that both sets of semantics will be used indiscriminately for the foreseeable future Organization: It is a completely free-form header that normally contains the name of the organization through which the sender of the message has net access. The sender can generally control this header, and silly entries like "Royal Society for Putting Things on Top of Other Things" are commonplace Priority: It is a free-form header that assigns a priority to the mail. Most software ignore it. It is often used by spammers, usually in the form "Priority: urgent" (or something similar), in an attempt to get their messages read Received: This is the message received
  45. 45. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited List of Common Headers (cont’d) References: The References: header is rare in email except for copies of Usenet postings. Its use on Usenet is to identify the "upstream" posts to which a message is a response; when it appears in email, it is usually just a copy of a Usenet header. It may also appear in email responses to Usenet postings, giving the message ID of the post being responded to as well as the references from that post Reply-To: Specifies an address for replies to go to. Though this header has many legitimate uses (perhaps your software mangles your From: address and you want replies to go to a correct address), it is also widely used by spammers to deflect criticism. Occasionally, a naive spammer will actually solicit responses by email and use the Reply-To: header to collect them, but more often the Reply-To: address in junk email is either invalid or an innocent victim Sender: This header is unusual in email (X-Sender: is usually used instead), but appears occasionally, especially in copies of Usenet posts. It should identify the sender; in the case of Usenet posts as it is a more reliable identifier than the From: line
  46. 46. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited List of Common Headers (cont’d) Subject: A completely free-form field specified by the sender, intended, of course, to describe the subject of the message To: The "message To: "described above. Note that the To: header need not contain the recipient's address! X-headers is the generic term for headers starting with a capital X and a hyphen. The convention is that X-headers are nonstandard and provided for information only, and that, conversely, any nonstandard informative header should be given a name starting with "X-". This convention is frequently violated X-Confirm-Reading-To: This header requests an automated confirmation notice when the message is received or read. It is typically ignored; presumably some software acts on it
  47. 47. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited List of Common Headers (cont’d) X-Distribution: In response to problems with spammers using his software, the author of Pegasus Mail added this header. Any message sent with Pegasus to a sufficiently large number of recipients has a header added that says "X-Distribution: bulk". It is explicitly intended as something for recipients to filter against X-Errors-To: Like Errors-To:, this header specifies an address for errors to be sent to. It is probably less widely obeyed X-Mailer: (also X-mailer:) This is a freeform header field intended for the mail software used by the sender to identify itself (as advertising or whatever). Since much junk email is sent with mailers invented for the purpose, this field can provide much useful folder for filters X-PMFLAGS: This is a header added by Pegasus Mail; its semantics are non-obvious. It appears in any message sent with Pegasus, so it does not obviously convey any information to the recipient that is not covered by the X-Mailer: header
  48. 48. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited List of Common Headers (cont’d) X-Priority: Another priority field, used notably by Eudora to assign a priority (which appears as a graphical notation on the message) X-Sender: It is the usual email analogue to the Sender: header in Usenet news; this header purportedly identifies the sender with greater reliability than the From: header. In fact, it is nearly as easy to forge, and should therefore be viewed with the same sort of suspicion as the From: header X-UIDL: This is a unique identifier used by the POP protocol for retrieving mail from a server. It is normally added between the recipient's mail server and the recipient's actual mail software; if mail arrives at the mail server with an X-UIDL: header, it is probably junk (there is no conceivable use for such a header, but for some unknown reason many spammers add one)
  49. 49. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Examining Additional Files (.pst or .ost files) Email messages are saved as files either on client computer or server Microsoft Outlook maintains email in .pst or .ost files Online email program such as AOL, Hotmail, and Yahoo store Email messages in folders such as History, Cookies, and Temp Unix stores email messages as per the user
  50. 50. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Pst File Location
  51. 51. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Microsoft Outlook Mail Microsoft Outlook Mail acts like a personal information manager The email database is normally located in the user accountLocal SettingsApplication DataMicrosoftOutlook directory The files stored in Outlook Mail are known as *.pst files The .pst files have archives of all folders such as Outlook, Calendar, Drafts, Sent Items, Inbox, and Notes
  52. 52. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Examine the Originating IP Address Look for the geographic address of the sender in the whois database Search the IP in the whois database Collect the IP address of the sender from the header of the received mail
  53. 53. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited http://centralops.net/co/ This website contains a tool known as Email Dossier Email Dossier is an online tool used to check the email validity and investigate email
  54. 54. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Exchange Message Tracking Center By default, message tracking is not enabled in Exchange Server This tool can help you track a message's path between servers, as well as determine when the user sent the message, to whom the user sent the message, and other important pieces of information Tracking log files will be stored (by default) in a folder located at c:Program FilesExchsrvrservername.log Inside this folder, you will find a text file for each day that logs are being retained for
  55. 55. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Exchange Message Tracking Center: Screenshot
  56. 56. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited MailDetective Tool MailDetective is an effective tool for monitoring the corporate email usage in Microsoft Exchange Server It is a monitoring application designed to control email use in the corporate network It is a solid solution against frivolous employees who undermine corporate discipline and decrease productivity by sending and receiving non-work related emails It analyzes mail server log files and provides the employer with detailed reports about private and business emails coming to and from the corporate network as well as traffic distribution by users and email addresses
  57. 57. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Screenshot: MailDetective Tool
  58. 58. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Examine Phishing Search the received mail which contains the malicious link to any website Check for that link in the phishing archive in the Honeytrap database tool The Honeytrap database is a database of phishing websites, submitted by different users
  59. 59. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Example of Phishing Email
  60. 60. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Example of Phishing Email
  61. 61. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Example of Phishing Email
  62. Forensic Tool Kit (FTK)
      • AccessData FTK is a well-known forensic tool for performing email analysis
      • FTK features powerful file filtering and search functionality
      Features:
      • Email analysis supports Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN email
      • View, search, print, and export email messages and attachments
      • Recover deleted and partially deleted email
      • Automatically extract data from PKZIP, WinZip, WinRAR, GZIP, and TAR compressed files
      • Supported file systems include NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 & ext3
  63. E-mail Examiner by Paraben
      • E-mail Examiner can recover deleted emails
      • It examines more than 14 mail types
      • It recovers email deleted from the Deleted Items folder
  64. Network E-mail Examiner by Paraben
      • 'Network E-mail Examiner' examines a variety of network email archives such as Exchange Server and Lotus Domino Server
      • It views all the individual email accounts
      • It supports Microsoft Exchange and Lotus Notes
  65. Recover My Email for Outlook
      • Recovers individual email messages deleted from a Microsoft Outlook email file
      • Simple to use: scans your Outlook .PST file to show which emails can be recovered
      • Saves deleted messages and attachments into a new .PST file
  66. DiskInternals Outlook Express Repair
      • DiskInternals Outlook Express Repair scans email accounts for damage and restores their contents whenever possible
  67. Tracing Back
      • The first step in tracing back fakemail is to view the header information
      • The header will show the originating mail server, e.g. mail.example.com
      • With a court order served by law enforcement or a civil complaint filed by attorneys, obtain the log files from mail.example.com to determine who sent the message
      Information regarding Internet domain registration can be found at:
      • www.arin.net
      • www.internic.com
      • www.freeality.com
  68. Tracing Back Web-based Email
      • Web-based email accounts (webmail) can make it more difficult to establish the identity of the sender
      • It is easy to create a new online webmail account, for example at:
        • www.hotmail.com
        • www.yahoo.com
        • www.lycosmail.com
        • www.hyshmail.com
      • The above sites maintain the source IP address of each connection that accesses the online webmail
      • Contact the mail provider (e.g. Microsoft) to reveal the subscriber's information
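The tracing procedure above starts by reading the header to find the originating mail server. The Python example below is added here and is not part of the EC-Council slides: it parses the Received: chain of a constructed sample message, lists the hops from origin to recipient with the IP address each relay recorded, and singles out the hop written by the investigator's own mail server. That hop is the only Received: line the investigator can vouch for; a sender can prepend forged Received: lines before handing the message to the first real relay, so everything below the trusted hop is treated as a claim to be corroborated against that relay's logs. Hostnames and addresses are constructed sample data from documentation ranges.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers (not from a real message). Each MTA prepends its
# own Received: line, so the topmost line is the most recent hop and the
# bottom line is the one closest to the claimed origin.
SAMPLE_MESSAGE = """\
Received: from mx.example.test (mx.example.test [192.0.2.10])
 by mail.recipient.test (Postfix) with ESMTPS id ABC123
 for <victim@recipient.test>; Mon, 03 Mar 2008 10:15:02 +0000
Received: from relay.example.test (relay.example.test [198.51.100.7])
 by mx.example.test with ESMTP id DEF456;
 Mon, 03 Mar 2008 10:14:58 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
 by relay.example.test with SMTP;
 Mon, 03 Mar 2008 10:14:40 +0000
From: "Someone" <someone@example.test>
To: victim@recipient.test
Subject: constructed sample

body
"""

# "from <claimed name> (<reverse DNS> [<ip>]) ... by <receiving MTA>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def unfold(value):
    """Join RFC 5322 folded continuation lines into one logical header value."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def parse_received(value):
    """Return {'from', 'ip', 'by'} for one Received: header, or None if unparsable.
    The IP is taken from the receiving MTA's own annotation in parentheses when
    present, because the bare 'from' name is supplied by the connecting client."""
    m = RECEIVED_RE.search(unfold(value))
    if not m:
        return None
    source = m.group("paren") or m.group("from")
    ip = None
    for candidate in IPV4_RE.findall(source):
        try:
            ip = str(ipaddress.ip_address(candidate))
            break
        except ValueError:
            continue
    return {"from": m.group("from"), "ip": ip, "by": m.group("by").rstrip(";,")}


def received_chain(raw_message):
    """All hops in delivery order: index 0 is the claimed origin, the last
    entry is the hop recorded by the final receiving server."""
    msg = message_from_string(raw_message)  # compat32 keeps raw folded values
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops = [h for h in hops if h is not None]
    hops.reverse()
    return hops


def trusted_hop(raw_message, own_mta):
    """The hop recorded by our own MTA: the only Received: line whose contents
    we control. Lines below it were written by other servers, or by the sender."""
    for hop in received_chain(raw_message):
        if hop["by"].lower() == own_mta.lower():
            return hop
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_MESSAGE)):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("trusted:", trusted_hop(SAMPLE_MESSAGE, "mail.recipient.test"))
```

The address from the trusted hop is the one to take to the registration lookups the slide lists (ARIN and the others) and, with the appropriate legal process, to the operator of that relay for its logs; each earlier hop is confirmed only once the relay that recorded it corroborates it.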
  69. Abuse.Net
      • Abuse.net helps the Internet community report and control network abuse and abusive users
      • It does not include blacklist or spam analysis services
      • Once registered, when you send a message to domain-name@abuse.net, where domain-name is the domain that was the source of junk email or another abusive practice, the system automatically forwards your message to the best reporting address(es) known for that domain
  70. Network Abuse Clearing House
  71. Tool: LoPe
      LoPe is an email forensic tool with the following features:
      • It extracts all email messages and attachments from multiple PST files
      • It automatically processes an unlimited number of PST files
      • It re-creates the internal PST folder structure
      • It extracts all message headers and properties
      • Files are exported in MSG, EML, or XML format
      • It hashes every message and can easily be batch scripted
      • The XML output format is fully customizable using XSL style sheets
  72. Tool: FINALeMAIL
      • FINALeMAIL can restore lost emails to their original state
      • It can recover entire email database files
      FINALeMAIL email search results
  73. Handling Spam
      • Before taking legal action, send a short notice on the illegality of spam to the system administrator of the domain
  74. Tool: eMailTrackerPro
      • eMailTrackerPro analyzes the email header and provides the IP address of the machine that sent the email
  75. Tool: Email Trace - Email Tracking
      • The Email Trace tool helps to track the email sender and the sender's IP address
      To trace an email:
      • Open the received email and copy the headers
      • Go to http://www.ip-adress.com/trace_email/
      • Paste the email message headers
      • Click on "Trace Email Sender"
      • The email sender's IP address location and IP address information are traced
  76. Tool: Email Trace - Email Tracking (cont'd)
      Source: http://www.ip-adress.com/trace_email/
      Paste the message header here
  77. Tool: Email Trace - Email Tracking (cont'd)
      Email sender IP address location and IP address information
  78. Tool: ID Protect - www.enom.com
      • 'ID Protect' prevents unauthorized access to your email address and other private information
      • Because of eNom's dynamic email system, the visible email address changes constantly, so while it is being harvested and redistributed, the address has already changed and the previous address no longer works for the spammer
      • The Domain Privacy Protection Service secures and maintains the real email address on file so that the user can receive important information regarding the domain
  79. Tools: R-Mail & Email Detective
      • R-Mail is an email recovery tool that recovers accidentally deleted emails
      • Email Detective is a forensic software tool used in investigations and data recovery
  80. Tools: SPAM Punisher & SpamArrest
      • SPAM Punisher is an anti-spam tool that makes it easy to find the address of the spammer's Internet Service Provider, as well as to generate and send complaints
      • The SpamArrest tool protects the account from spam
  81. U.S. Laws Against Email Crime: CAN-SPAM Act
      • The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and for companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them
      Main provisions:
      • It bans false or misleading header information
      • It prohibits deceptive subject lines
      • It requires that the email give recipients an opt-out method
      • It requires that commercial email be identified as an advertisement and include the sender's valid physical postal address
  82. CAN-SPAM Act
      Penalties:
      • Each violation of the above provisions is subject to fines of up to $11,000
      • Additional fines are provided for commercial emailers who not only violate the rules described above, but also:
        • "harvest" email addresses from Web sites or Web services that have published a notice prohibiting the transfer of email addresses for the purpose of sending email
        • generate email addresses using a "dictionary attack", combining names, letters, or numbers into multiple permutations
        • use scripts or other automated ways to register for multiple email or user accounts to send commercial email
        • relay emails through a computer or network without permission, for example by taking advantage of open relays or open proxies without authorization
      • The law allows the DOJ to seek criminal penalties, including imprisonment, for commercial emailers who do, or conspire to:
        • use another computer without authorization and send commercial email from or through it
        • use a computer to relay or retransmit multiple commercial email messages to deceive or mislead recipients or an Internet access service about the origin of the message
        • falsify header information in multiple email messages and initiate the transmission of such messages
  83. 18 U.S.C. § 2252A
      This law states that any person who:
      • knowingly mails, or transports or ships in interstate or foreign commerce by any means, including by computer, any child pornography
      • knowingly receives or distributes any child pornography that has been mailed, or shipped or transported in interstate or foreign commerce by any means, including by computer
      • knowingly reproduces any child pornography for distribution through the mails, or in interstate or foreign commerce by any means, including by computer
      • knowingly distributes, offers, sends, or provides to a minor any visual depiction, including any photograph, film, video, picture, or computer generated image or picture, whether made or produced by electronic, mechanical, or other means
      shall be fined under this title and imprisoned not less than 5 years and not more than 20 years
  84. 18 U.S.C. § 2252B
      This law states that:
      • Whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a person into viewing material constituting obscenity shall be fined under this title or imprisoned not more than 2 years, or both
      • Whoever knowingly uses a misleading domain name on the Internet with the intent to deceive a minor into viewing material that is harmful to minors on the Internet shall be fined under this title or imprisoned not more than 4 years, or both
      • For the purposes of this section, a domain name that includes a word or words to indicate the sexual content of the site, such as "sex" or "porn", is not misleading
  85. Email Crime Law in Washington: RCW 19.190.020
      This law applies to residents of Washington; it states that:
      • No person may initiate the transmission, conspire with another to initiate the transmission, or assist the transmission, of a commercial electronic mail message from a computer located in Washington or to an electronic mail address that the sender knows, or has reason to know, is held by a Washington resident that:
        • Uses a third party's Internet domain name without permission of the third party, or otherwise misrepresents or obscures any information in identifying the point of origin or the transmission path of a commercial electronic mail message; or
        • Contains false or misleading information in the subject line
  86. Summary
      • Emails used for criminal purposes constitute email crime
      • Spammers obtain email addresses by harvesting addresses from Usenet postings, DNS listings, or web pages
      • Chat rooms can also be used as a social engineering tool to collect information for committing several other crimes
      • Phishers incite targeted users to provide personal information on illegitimate websites
      • Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source