Without knowing more about the email system you use it’s not possible to give a precise “do this”.
Commonly it’s possible to blacklist addresses or domains to prevent further contact; quite how this is achieved depends on what system(s) you use. A half-decent mail service will also be running AV, which will strip most of the malware before it reaches you.
Regardless of what systems are deployed, emails have headers. How you get to see them depends on the software you use to retrieve your mail (most clients have an option to view the raw message or the full headers).
A blacklist has flaws, though: it only stops things it has previously been told to stop. Whitelisting (only allowing in the few senders you specify) is possible, but usually impractical for most people’s general email use.
There is another option, one that might be more sensible: don’t just protect yourself from the symptoms, attack the cause.
Those headers should contain everything a law enforcement agency needs to act. Getting them to act is another matter. I encourage you to try, but in most countries they seem apathetic at best.
But the sender’s service provider, if they are responsible, will act. Some rapidly.
To illustrate the concept, here is the header from some likely malware-ridden spam I have received:
Received: from images244.lifeisextra.com (unknown [22.214.171.124])
by mail.armed.me.uk (Postfix) with ESMTP id 5BCD7E4B2E
for ; Wed, 13 Apr 2016 01:34:38 -0400 (EDT)
Date: Wed, 13 Apr 2016 01:35:41 -0400
From: "Ray-Ban 90% OFF"
Subject: Ray-Ban 80% OFF today only
Content-Type: multipart/alternative; boundary=646943eccbe07823a30a2cb40bf67cf614ea29e67cde0852fff0b1122f98
The entire body of the email is:
please read html mails
Hilarious. Please start attempting to execute code so I may infect you. Let me get straight on that.
Most of the header will be entirely meaningless to a user. I personally find it interesting to note that the Return-Path has been adjusted to reflect the email recipient, with “no-reply-” prepended like many automated services running on unmonitored inboxes, and the “@” in the address swapped for “=”; normally this should contain the address the mail came from (it is where bounces are sent). The Message-ID can be used to track the mail as it passes through systems. But what we are interested in today is:
Received: from images244.lifeisextra.com (unknown [126.96.36.199])
This gives us both a domain and an IP to be looking at. The domain name “images244.lifeisextra.com” doesn’t particularly shout “email” at me and is likely an indication that this server is compromised and the legitimate operator may not be aware of the issue. It could be that they just don’t care (either way, IMHO, it’s enough excuse to lose the server). Note that the name in front of the brackets is what the connecting host announced in its HELO, while the “unknown” in the parentheses is Postfix recording that the IP has no matching reverse DNS. As the name doesn’t resolve to anything, it could just be a bogus name set to make the host appear more legit than it is, and it’s knowingly emitting spam.
“188.8.131.52”, however, is a real IPv4 address and almost certainly the originating system, or at least the system that passed the mail to mine. If it is a relay, the Message-ID can be used to track back through its logs and find what system passed the message to it.
Doing a whois on this IP provides:
NetRange: 184.108.40.206 – 220.127.116.11
Parent: GLOBAL-FRAG-NETWORKS (NET-157-52-128-0-1)
Customer: WebXury Inc (C05723543)
CustName: WebXury Inc
Address: 20533 E Walnut Dr N
Now, before thinking that’s just handed you their address and telephone number, consider that this is most likely just the company that rents out the hardware to someone else. But it does let loose some useful info.
Knowing which company that is, you can visit their site and read their Terms of Service and Acceptable Use Policy. If you can find clauses that your email problem is supposed to breach, quoting the ToS/AUP clauses (with clause numbers, if applicable) and providing the email headers as evidence of the breach is usually enough to get things moving with any responsible provider.
Knowing they are in the US also means they are covered by applicable US law with regard to spam and malware.
There will also be an abuse email address listed (in the whois record, and usually on the provider’s site) to send reports of abuse to. There’s someone on the other end of that (usually) whose job it is to sort these things out, usually by taking the server away. This is where you’d send those headers.
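As an added example (not code from the original post), here is the whole header-to-abuse-desk walk above in Python. It parses a constructed header block (TEST-NET-3 address 203.0.113.45 and .example/.invalid names, not the real ones quoted above), pulls out each Received: hop, picks the hop that our own server wrote (the only one the sender cannot forge), checks for the Return-Path trick described earlier, lifts the abuse contact out of constructed ARIN-style whois output, and drafts the complaint with the headers attached as evidence. The hostnames, IP, whois text and the `my_hosts` set are all assumptions for the example.

```python
"""Walk the Received: chain of a spam message, pick the hop that handed it to
our server, find the abuse contact in whois output and draft the report.
Added example: every hostname, IP and whois line below is constructed."""
import re
from email import message_from_string
from email.message import Message

# Postfix/Sendmail style: "from <helo-name> (<reverse-dns> [<ip>])".
# The reverse-DNS field reads "unknown" when the IP has no PTR record.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)",
    re.IGNORECASE,
)
BY_RE = re.compile(r"\bby\s+(?P<by>[A-Za-z0-9.-]+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample: our server mail.example.invalid accepted the mail from
# 203.0.113.45; the lower hop was written by the spammer's own box.
SAMPLE_HEADERS = """\
Return-Path: <no-reply-someone=example.invalid@images244.spamhost.example>
Delivered-To: someone@example.invalid
Received: from images244.spamhost.example (unknown [203.0.113.45])
    by mail.example.invalid (Postfix) with ESMTP id 5BCD7E4B2E
    for <someone@example.invalid>; Wed, 13 Apr 2016 01:34:38 -0400 (EDT)
Received: from mailout.spamhost.example (localhost [127.0.0.1])
    by images244.spamhost.example with smtp (Exim); Wed, 13 Apr 2016 01:34:30 -0400
Date: Wed, 13 Apr 2016 01:35:41 -0400
From: "Ray-Ban 90% OFF" <sales@spamhost.example>
Subject: Ray-Ban 80% OFF today only

please read html mails
"""

# Constructed ARIN-style whois output for the hand-off IP.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
Customer:       Hoster Example Inc (C00000000)
OrgAbuseHandle: ABUSE0-ARIN
OrgAbuseEmail:  abuse@hoster.example
OrgTechEmail:   noc@hoster.example
"""


def parse_headers(raw: str) -> Message:
    """Parse a raw message (headers plus optional body)."""
    return message_from_string(raw)


def received_hops(msg: Message) -> list:
    """Received: hops in header order (index 0 is nearest us), each as a dict
    with helo, rdns, ip, by and the unfolded raw line; unparseable lines skipped."""
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        by = BY_RE.search(flat, m.end())
        hops.append({"helo": m["helo"], "rdns": m["rdns"] or "unknown",
                     "ip": m["ip"], "by": by["by"] if by else None, "raw": flat})
    return hops


def handoff_hop(msg: Message, my_hosts: set):
    """First hop written *by one of our own servers*: that IP actually connected
    to us and cannot be forged. Lower hops were written by the sender's side."""
    mine = {h.lower() for h in my_hosts}
    for hop in received_hops(msg):
        if hop["by"] and hop["by"].lower() in mine:
            return hop
    return None


def return_path_mimics_recipient(msg: Message, recipient: str = None) -> bool:
    """True when Return-Path is 'no-reply-' + recipient with '@' swapped for '='."""
    recipient = recipient or (msg.get("Delivered-To") or "").strip()
    rp = (msg.get("Return-Path") or "").strip().strip("<>")
    if not recipient or "@" not in rp:
        return False
    return rp.split("@", 1)[0] == "no-reply-" + recipient.replace("@", "=")


def abuse_contacts(whois_text: str) -> list:
    """Addresses on whois lines mentioning 'abuse' (ARIN OrgAbuseEmail, RIPE
    abuse-mailbox / '% Abuse contact for ... is' lines), in order, deduplicated."""
    found = []
    for line in whois_text.splitlines():
        if "abuse" in line.lower():
            for addr in EMAIL_RE.findall(line):
                if addr not in found:
                    found.append(addr)
    return found


def draft_abuse_report(hop: dict, msg: Message, raw: str) -> tuple:
    """Subject and body for the abuse desk: IP up front, full headers as evidence."""
    headers_only = raw.split("\n\n", 1)[0]  # drop the body, keep every header
    subject = f"Abuse from your IP: {hop['ip']}"
    body = (f"Your IP {hop['ip']} (reverse DNS: {hop['rdns']}, HELO {hop['helo']}) "
            f"delivered unsolicited bulk email to {hop['by']} on {msg['Date']}, "
            f"contrary to your AUP.\nSubject of the message: {msg['Subject']}\n\n"
            f"Full headers follow to assist your trackback:\n\n{headers_only}\n")
    return subject, body


if __name__ == "__main__":
    msg = parse_headers(SAMPLE_HEADERS)
    hop = handoff_hop(msg, {"mail.example.invalid"})  # assumed: our own MX name
    print("hand-off hop:", hop["ip"], hop["rdns"], hop["helo"])
    print("return-path mimics recipient:", return_path_mimics_recipient(msg))
    print("abuse contacts:", abuse_contacts(SAMPLE_WHOIS))
    subject, body = draft_abuse_report(hop, msg, SAMPLE_HEADERS)
    print(subject, body, sep="\n")
```

The point of `handoff_hop` is the one the text makes: only the Received: line your own server stamped is trustworthy, so the IP to report is the one in that line, not whatever appears at the bottom of the chain. Run `whois` on that IP yourself and feed the output to `abuse_contacts`; the sample whois text here is constructed.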
You might even consider offering them a contract, under which you will willingly receive further malware implantation attempts and irrelevant spam. For a fee.
To continue working on my example, a cursory glance at the interwebs reveals WebXury Inc is indeed a firm that rents hardware (servers, VPS, cloud servers etc.) to the general public. Like most others of similar ilk, they have posted their ToS: https://www.webxury.com/datacenter/tos.html
Right off the bat, “useful” bits of that include: “NOTICE: IF YOUR ACCOUNT IS FOUND TO CONTAIN ILLEGAL ACTIVITY, ILLEGAL MP3 FILES, PIRATED SOFTWARE, HACKER PROGRAMS, WAREZ PROGRAMS, OR ANY OTHER ILLEGAL FILES, YOUR ACCOUNT WILL BE TERMINATED IMMEDIATELY, WITHOUT NOTICE, AND A $50.00 CANCELLATION FEE WILL APPLY. ADDITIONALLY, WebXury WILL NOTIFY THE PROPER AUTHORITIES OF YOUR ACTIONS. ”
“Illegal activity”. Possibly like trying to infect machines via email spam? To be honest I CBA looking right now at federal and state law, but I know it’s a crime to send unsolicited bulk email (spam) in some states; it might be a federal thing. Unsure. You might be able to define the malware they attempted to implant as “hacker programs”, though this would be easier to nail if it was linked to on this system (or another hosted by them). Hitting home a violation on these counts will rip the server from under them, usually without refund, and charge them another $50 on top.
A bit further down on that page, though, you get to the AUP, which clearly states: “Spamming:
Sending unsolicited bulk and/or commercial information over the Internet. It is not only harmful because of its negative impact on consumer attitudes toward WebXury, but also because it can overload WebXury’s network and disrupt service to WebXury’s subscribers. Also, maintaining an open SMTP relay is prohibited. When a complaint is received, WebXury will investigate and shutdown the account that is SPAMing. A $250 charge for violating this policy will be charged to the person initiating the SPAM. Furthermore WebXury reserves the right to prosecute for this violation. A $1.00 charge will be assessed PER EMAIL sent should WebXury choose to pursue and prosecute.”
Which is even better. Even if the box is not acting as a mail server but as a relay: lose the server, $50 illegal activity charge, $250 unsolicited bulk email charge and a potential $1 per email sent, and computers can send thousands in an hour.
As most of these sorts of spam runs have some sort of fiscal goal in mind, I do like to cost them as much as possible. In this case, I’m about to cost them at least $300.
So, to wrap this one up, we send some email to email@example.com. You don’t need to worry about formalities or politeness. Under the subject heading “Abuse from your IP: 18.104.22.168”, so they know what to expect before they open it, I’ve composed my complaint thusly:
“Your IP 22.214.171.124 is emitting unsolicited bulk email contrary to your AUP, specifically the clause dealing with spam.
Due to the exploitative nature of this unsolicited email and its crossing of state borders it may further constitute “illegal activities” as set out in your ToS.
Being purely an attempt to trick a user into becoming infected with malware, it may also qualify as “hacker programs”.
Please return customer details to add to my casefile.
Please find enclosed a copy of the headers to assist your trackback of this abuse of your systems.”
Obviously afterwards I pasted in the header and hit “send”.
About here I usually expect the problem to be over, unless they are not a responsible provider, or they rent another server to the same end client (some providers want money more than good customers, so will keep selling to people like that just to keep charging them).
Typically you won’t get near the customer details unless backed by law enforcement (LEA) credentials.
If I ever see that IP again, the next abuse mail sent off will offer them a contract, accepted by my receiving more unwanted mail from them, whereupon on receipt of said email they will be charged £250. For storage of said email, they will be charged £50 per email, per week. Deletion of said email carries a £500 admin charge.
Some handy software for this is Maltego, or its offline counterpart CaseFile. What makes it nice is that it can represent varied data sources in a visual graph format. You can plonk a computer on the page to represent that email account, then throw down an IP address and, in its notes, include the domains it’s been seen under, the date first received, when you complained, responses received, etc. Draw a line between the two. You can end up building graphs like: http://mail.armed.me.uk/graphs/thumb_Linked_attacks.png or, zoomed in a little: http://mail.armed.me.uk/graphs/Linked_attacks1.png