10 - E-Mail Hacking, Forging & Tracing by Anil016

E-MAIL HACKING, FORGING & TRACING

How does mail get from here to there? Here's a step-by-step guide to a very simple
email system.

So you compose an email on your computer, using an email client like Outlook.
You address it to someoneelse@theirdomain.com, and press Send. So what happens?
   1. Your email program sends your mail to the SMTP server where your account is.
      If you are sending mail to someone else whose mail account is on that server, go
      to step 7. Otherwise, keep reading.
   2. The SMTP server breaks the address someoneelse@theirdomain.com into two
      parts: someoneelse (the account name) and theirdomain.com (the domain). The
      SMTP server then contacts a DNS (domain name service) server and asks for the
      IP address where theirdomain.com is located.
   3. The DNS server sends the address back to the SMTP server.
   4. The SMTP server then sends the email message to the SMTP server where
      theirdomain.com is located.
   5. The second SMTP server delivers the email message to someoneelse's account on
      the POP3 or IMAP server.
   6. Someoneelse logs on to their computer and opens their email client. Their email
      client requests the POP3 or IMAP server to send all email from their account to
      their computer.
If you are sending email to someone whose account resides on the same set of mail
servers, the SMTP server will simply direct the mail to the local POP3 or IMAP server,
where it will be delivered to the appropriate account.

E-mail tracking is a method for monitoring e-mail delivery to the intended recipient.
Most tracking technologies utilize some form of digitally time-stamped record to reveal
the exact time and date that your e-mail was received or opened, as well as the IP address
of the recipient.
E-mail tracking is useful when the sender wants to know if the intended recipient
actually received the e-mail, or if they clicked the links. However, due to the nature of
the technology, e-mail tracking cannot be considered an absolutely accurate indicator
that a message was opened or read by the recipient.
A separate PDF file has been attached for tracing an email. Please go through that file
to learn how to trace an email.
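As an added example (not code from the original page), here is a small Python scanner that shows the defender's side of the tracking technique just described: it looks through the HTML body of a message for remote one-pixel or hidden images whose URL carries a per-recipient token, which is how most "read receipt" tracking is implemented. The sample message body, host names and token are constructed for the demo; the rules (tiny or hidden image, long opaque query token) are heuristics.

```python
# Added example (not from the original page): flag likely tracking pixels in an
# HTML e-mail body. Tracking works by embedding a remote image whose URL carries
# a per-recipient token; when the mail client fetches it, the sender learns the
# time and the client's IP. This scanner looks for the two usual signs: a tiny
# (or hidden) <img>, and a remote URL whose query string holds a long opaque token.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample HTML e-mail body for the demo (hosts and token are made up).
SAMPLE_HTML = """
<html><body>
<p>Hello, here is our newsletter.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.net/open?u=7f3a9c2e1b4d5e6f7a8b9c0d1e2f3a4b" width="1" height="1">
<img src="https://img.example.org/pixel.gif" style="display:none;width:1px;height:1px">
<img src="cid:inline-photo" width="300" height="200">
</body></html>
"""

# Long hex strings or long base64/URL-safe runs in a query string look like tokens.
TOKEN_RE = re.compile(r"[0-9a-fA-F]{16,}|[A-Za-z0-9_-]{20,}")


class _ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """True if the image is declared 1x1 (or 0x0) or hidden via an inline style."""
    w, h = attrs.get("width", ""), attrs.get("height", "")
    style = attrs.get("style", "").replace(" ", "").lower()
    if w.strip('"px') in ("0", "1") and h.strip('"px') in ("0", "1"):
        return True
    return "display:none" in style or "width:1px" in style or "height:1px" in style


def _has_token(url):
    """True if the query string carries a long opaque identifier (a per-recipient token)."""
    return bool(TOKEN_RE.search(urlparse(url).query))


def find_tracking_pixels(html):
    """Return the src URLs of <img> tags that look like tracking pixels."""
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # inline (cid:) images are never fetched from a remote server
        if _is_tiny(attrs) or _has_token(src):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE_HTML):
        print("possible tracking pixel:", url)
```

A mail client that blocks remote image loading defeats both variants, which is why such an option exists; the scanner is useful for explaining to a user why a particular message "phoned home".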

Email bombing is characterized by abusers repeatedly sending an email message to a
particular address at a specific victim site. In many instances, the messages will be large
and constructed from meaningless data in an effort to consume additional system and
network resources. Multiple accounts at the target site may be abused, increasing the
denial of service impact.
      Email spamming is a variant of bombing; it refers to sending email to hundreds or
thousands of users (or to lists that expand to that many users). Email spamming can be
made worse if recipients reply to the email, causing all the original addressees to
receive the reply. It may also occur innocently, as a result of sending a message to
mailing lists and not realizing that the list explodes to thousands of users, or as a result
of an auto-responder message that is set up incorrectly.
     Email bombing/spamming may be combined with email spoofing (which alters
the identity of the account sending the email), making it more difficult to determine
who actually sent the email.
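Added example, not from the original page: a detector in Python for the bombing pattern described above, run over constructed Postfix-style log lines (the line format, addresses, sizes and thresholds are all assumptions for the demo). It keeps a sliding time window per sender/recipient pair and flags pairs whose message count or total volume inside the window crosses a threshold, which is the "repeatedly sending large messages to one address" signature the text describes.

```python
# Added example (not from the original page): spot mail-bombing in a mail log.
# Lines are expected in chronological order, as they appear in a log file.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines; format loosely modelled on an MTA log, addresses made up.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 from=<news@example.org> to=<bob@victim.example> size=2048",
    "2024-01-01T10:00:05 from=<bomber@mailer.example> to=<bob@victim.example> size=900000",
    "2024-01-01T10:00:09 from=<bomber@mailer.example> to=<bob@victim.example> size=900000",
    "2024-01-01T10:00:14 from=<bomber@mailer.example> to=<bob@victim.example> size=900000",
    "2024-01-01T10:00:20 from=<alice@example.org> to=<bob@victim.example> size=1500",
    "2024-01-01T10:00:21 from=<bomber@mailer.example> to=<bob@victim.example> size=900000",
    "2024-01-01T10:00:27 from=<bomber@mailer.example> to=<bob@victim.example> size=900000",
    "2024-01-01T10:00:33 from=<bomber@mailer.example> to=<bob@victim.example> size=900000",
    "2024-01-01T10:00:40 from=<bomber@mailer.example> to=<bob@victim.example> size=900000",
    "2024-01-01T10:05:00 from=<alice@example.org> to=<bob@victim.example> size=1200",
    "2024-01-01T10:05:10 from=<bomber@mailer.example> to=<carol@victim.example> size=900000",
]

LINE_RE = re.compile(r"^(\S+) from=<([^>]*)> to=<([^>]*)> size=(\d+)$")


def parse_line(line):
    """Return (timestamp, sender, recipient, size) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    return ts, m.group(2).lower(), m.group(3).lower(), int(m.group(4))


def detect_bombing(lines, max_msgs=5, max_bytes=5_000_000, window_s=300):
    """Flag (sender, recipient) pairs that exceed max_msgs messages or max_bytes
    within any window_s-second window; the value is the count/volume seen when the
    window was at its largest since crossing the threshold."""
    recent = defaultdict(deque)   # (sender, recipient) -> deque of (timestamp, size)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, rcpt, size = parsed
        q = recent[(sender, rcpt)]
        q.append((ts, size))
        while (ts - q[0][0]).total_seconds() > window_s:   # drop entries outside the window
            q.popleft()
        count, total = len(q), sum(s for _, s in q)
        if count > max_msgs or total > max_bytes:
            flagged[(sender, rcpt)] = {"messages": count, "bytes": total}
    return flagged


if __name__ == "__main__":
    for (sender, rcpt), stats in detect_bombing(SAMPLE_LOG).items():
        print(f"{sender} -> {rcpt}: {stats['messages']} msgs, {stats['bytes']} bytes in window")
```

On the sample the only pair flagged is bomber@mailer.example to bob@victim.example; alice's two normal messages and the single large message to carol stay below both thresholds. In a real deployment the thresholds would be tuned against the site's normal traffic, and a flagged pair would feed a rate limit or a temporary reject at the MTA.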

The best anti-spam measure is to be a bit savvy about the way you use your email:
   - Try to avoid opening spam emails and clicking on links in spam messages.
   - Don’t buy anything from a spammer. Not only do you risk compromising your
     security and infecting your computer with malware - viruses and so on - you also
     reward and encourage the spammers.
   - Don’t be tempted to reply. The mailbox is probably unread.
   - Don’t threaten the spammer. Some mails will be seen and spammers have rights
     too. Threatening messages could expose you to legal action.
   - Avoid ‘unsubscribe’ options. Cynically, spammers often include an ‘unsubscribe’
     link. Far from removing the menace, clicking it will confirm that your address is
     active and probably attract even more spam.
   - Use a disposable email address. You could use this account especially for buying
     online or writing to newsgroups. If you find that you are getting a lot of spam at
     this address, you can simply delete it and set up another.
   - Be wary about giving out your main email address. If in doubt, it is a good idea
     to use a disposable address (see above).
   - Never reveal your email address on your website. If you have a website, putting
     your email address on it will be easy fodder for a ‘spambot’ that is harvesting
     addresses. You could use a web contact form instead.
   - Munging. A simple but effective technique where you present your address in a
     way that people can easily work out but which will fool spambots. They will
     look for a pattern, such as a@b.com. Writing the address as ‘a at b dot com’
     would probably evade them.

Robert Alan Soloway, known as the Spam King, was indicted last month by a Seattle
(US) jury on charges of fraud, money laundering and identity theft. As per reports, he
siphoned out about US $773,000 through spamming-related activities.
      A joint investigation led by the Washington State Attorney General’s Office, FBI,
Federal Trade Commission, the Internal Revenue Service Department of Criminal
Investigations, and the US Postal Inspection Service resulted in his eventual arrest. This
was made possible by the US CAN-SPAM Act of 2003 (Controlling the Assault of Non-
Solicited Pornography and Marketing Act). And last month the Singapore government
enacted its Spam Control Act to address the growing global problem of spam.

      As of today, the Indian government has yet to come out with legislation that
directly addresses the issue of spam. The Information Technology Act, 2000 (IT Act
2000) does not contain any provision regulating the act of spamming, though it does
regulate obscenity, which covers publishing, transmitting or causing to be published in
electronic form any material which is lascivious or appeals to the prurient interest.
     However, last month, the Indian Ministry of Information Technology held a
discussion on incorporating a provision for legislation against spammers.
     “This is a good development from the government. The ministry should create a
panel and involve more technical people and experts from the IT industry when it plans
to have legislation for cyber security and IT laws,” says Karnika Seth, attorney-at-law &
partner, Seth Associates.
     According to sources, the ministry pondered whether the punishment to
spammers would be done after verifying the nature of the spam attack, that is, whether
the act of spamming was done inadvertently or on purpose.
     “Cyber law in India is still in its infancy, and a lot of efforts and initiatives are
required to make it a mature legal instrument. The government needs to give a fresh
look to the existing IT Act 2000 to make it safer, stronger and more appropriate. It must
also keep in mind the absolute requirements of ICT and cyber security in India that are
drastically missing,” says Delhi-based Praveen Dalal, advocate, arbitrator and
consultant, Supreme Court of India.
     The government is looking at setting up a Center for Communication Security
Research and Monitoring to monitor the activities of criminal elements online, and has
sanctioned Rs 50 crore for the same. The nodal implementation agency is the Center for
Development of Telematics. The research side of the Center will focus on, among other
things: multiple communication technologies, in order to monitor all traffic types
(satellite, wire line, wireless, internet, email, IM, VoIP); encrypted communication, for
decryption of Net-based encryption methods being used by terrorists; regulatory
standards, to ensure compliance by telecom operators and equipment vendors; and
system design.
(Source: http://cyberlawsconsultingcentre.com)

5.1. Fake Email Generation
We can use online websites for generating fake emails.
The best website for generating fake email is:
http://emkei.cz/ (Best Link)

5.2. Detecting Fake Email
We can detect whether an email is fake or not by tracing it online. View the full header of
the email by clicking on "show original", copy the email header and paste it into an
email tracing website like
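Added example, not from the original page: the same kind of check can be done offline. The Python script below takes the full header block (as copied from "show original"), rebuilds the delivery path from the Received: lines that each SMTP hop in the delivery steps at the top of this page prepends, and compares the visible From: address with the Return-Path, the Message-ID and the servers that actually handled the message. The sample headers, host names and IP addresses are constructed, and the three checks are heuristics (legitimate mailing services also send on behalf of other domains), so a finding is a reason to look closer, not proof of forgery.

```python
# Added example (not from the original page): offline analysis of e-mail headers
# to spot a spoofed sender. Each SMTP hop prepends its own Received: header, so
# reading them bottom-up reconstructs the route the message really took.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header block; hostnames, addresses and IPs are made up.
SAMPLE_RAW = """Return-Path: <bounce@mailer.example-spoof.net>
Received: from mx2.theirdomain.com (mx2.theirdomain.com [203.0.113.20])
\tby imap.theirdomain.com with LMTP; Mon, 01 Jan 2024 10:00:05 +0000
Received: from mail.example-spoof.net (mail.example-spoof.net [198.51.100.7])
\tby mx2.theirdomain.com with ESMTP; Mon, 01 Jan 2024 10:00:03 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby mail.example-spoof.net with ESMTPA; Mon, 01 Jan 2024 10:00:01 +0000
From: "Your Bank" <alerts@bank.example.com>
To: someoneelse@theirdomain.com
Message-ID: <20240101100001.ABC123@mail.example-spoof.net>
Subject: Account notice

Body text.
"""

# "from <host> (<info>) ... by <host>" is the common shape of a Received: header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)


def parse_received_chain(msg):
    """Return the hops as dicts, ordered from the originating hop to the final one."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))   # unfold continuation lines
        if m:
            hops.append({"from": m.group(1), "info": m.group(2) or "", "by": m.group(3)})
    hops.reverse()   # headers are prepended, so the last one listed is the first hop
    return hops


def _domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyze_headers(raw):
    """Compare the visible sender with the delivery path and list inconsistencies."""
    msg = message_from_string(raw)
    hops = parse_received_chain(msg)
    from_dom = _domain_of(msg.get("From", ""))
    ret_dom = _domain_of(msg.get("Return-Path", ""))
    msgid_dom = msg.get("Message-ID", "").strip("<>").rpartition("@")[2].lower()
    findings = []
    if ret_dom and ret_dom != from_dom:
        findings.append(f"Return-Path domain {ret_dom} differs from From domain {from_dom}")
    if msgid_dom and not msgid_dom.endswith(from_dom):
        findings.append(f"Message-ID domain {msgid_dom} does not belong to {from_dom}")
    # Heuristic: a genuine message normally passes through at least one server of the
    # claimed sender's domain somewhere in the Received: chain.
    hosts = {h["from"].lower() for h in hops} | {h["by"].lower() for h in hops}
    if hops and not any(host.endswith(from_dom) for host in hosts):
        findings.append(f"no server in the delivery path belongs to {from_dom}")
    return {"from_domain": from_dom, "hops": hops, "findings": findings}


if __name__ == "__main__":
    result = analyze_headers(SAMPLE_RAW)
    for hop in result["hops"]:
        print(f"{hop['from']:40} -> {hop['by']}")
    for finding in result["findings"]:
        print("WARNING:", finding)
```

On the sample the path runs from an unnamed client through mail.example-spoof.net to theirdomain.com's servers, and none of those hosts belongs to bank.example.com, so all three checks fire. The Received: lines added by your own provider are the trustworthy ones; lines below them were written by whoever handed the message over and can themselves be forged.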

5.3. What is a Firewall?
A firewall is a security device that can be a software program or a dedicated network
appliance. The main purpose of a firewall is to separate a secure area from a less secure
area and to control communications between the two. Firewalls can perform a variety of
other functions, but are chiefly responsible for controlling inbound and outbound
communications on anything from a single machine to an entire network.

5.3.1. Software Firewalls
Software firewalls, also sometimes called personal firewalls, are designed to run on a
single computer. These are most commonly used on home or small office computers
that have broadband access, which tend to be left on all the time. A software firewall
prevents unwanted access to the computer over a network connection by identifying
and preventing communication over risky ports. Computers communicate over many
different recognized ports, and the firewall will tend to permit these without prompting
or alerting the user. For example, computers access Web pages over port 80 and use
port 443 for secure Web communications. A home computer would expect to receive
data over these ports. However, a software firewall would probably block any access
from the Internet over port 421, over which it does not expect to receive data.
Additionally, port 421 has been used by certain Trojans (a type of malware) in the past.
Software firewalls can also detect "suspicious" activity from the outside. They can block
access to a home computer from an outside address when activity matches certain
patterns, like port scanning.
      A software firewall also allows certain programs on the user's computer to access
the Internet, often by express permission of the user. Windows Update, antivirus
software, and Microsoft Word are a few programs that a user might legitimately expect
to access the Internet. However, a program called gator.exe that is attempting to access
the Internet when it shouldn't be running might be reason for concern, so the user could
decline access for this program. This is a useful feature when spyware, adware or some
type of malware is suspected.
     Some software firewalls also allow configuration of trusted zones. These permit
unlimited communication over a wide variety of ports. This type of access may be
necessary when a user starts a VPN client to reach a corporate intranet.
     One drawback to software firewalls is that they are software running on a personal
computer operating system. If the underlying operating system is compromised, then
the firewall can be compromised as well. Since many other programs also run on a
home computer, malicious software could potentially enter the computer through some
other application and compromise the firewall. Software firewalls also rely heavily
upon the user making the right decisions. If someone using a software firewall
mistakenly gives a keylogger or a Trojan permission to access the Internet, security on
that machine is compromised even though there is nothing wrong with the firewall.
     There are many different brands of software firewalls, each with their own
features. Some examples include ZoneAlarm, BlackICE, and Kerio.

5.3.2. Hardware Firewalls
Hardware firewalls are more complex. They also have software components, but run
either on a specially engineered network appliance or on an optimized server dedicated
to the task of running the firewall. The operating system underlying a hardware
firewall is as basic as possible and very difficult to attack. Since no other software runs
on these machines, and configuration takes a little more thought than clicking on an
"allow" prompt, they are difficult to compromise and tend to be extremely secure.

      A hardware firewall is placed between a network, such as a corporation, and a less
secure area, such as the Internet. Firewalls also can separate more secure networks from
less secure networks, such as one corporate location within a larger corporate structure.
Versions of hardware firewalls are available to home users who want stronger
protection from potential Internet attacks. There are many different default
configurations for these devices - some allow no communications from the outside and
must be configured using rules; others (like those available for the home market) are
already configured to block access over risky ports. Rules can be as simple as allowing
port 80 traffic to flow through the firewall in both directions, or as complex as only
allowing 1433 (SQL server) traffic from a specific IP address outside of the network
through the firewall to a single IP address inside the network.
     Firewalls are also used for Network Address Translation (NAT). This allows a
network to use private IP addresses that are not routed over the Internet. Private IP
address schemes allow organizations (or even household networks) to limit the number
of publicly routed IP addresses they use, reserving public addresses for Web servers
and other externally accessed network equipment. NAT allows administrators to use
one public IP address for all of their users to access the Internet - the firewall is "smart"
enough to send the requests back to the requesting workstation's internal IP. NAT also
allows users inside a network to contact a server using a private IP while users outside
the network must contact the same server using an external IP.
     In addition to port and IP address rules, firewalls can have a wide variety of
functionality. They can also act as caching servers, VPNs, routers, and more. Some
examples of hardware firewalls are CheckPoint, Cisco PIX, SonicWall, Contivity from
Nortel, and Linksys (for the home market).

      Firewalls are vital to network management. Without this control over computer
and network access, large networks could not store sensitive data intended for selective
retrieval. Firewalls are also very important for home broadband users - without a home
version of one of these products, your personal data is at risk.

5.4. How Firewalls Work
Primarily, firewalls allow or block network traffic between devices based upon rules set
up by the firewall administrator. Each rule defines a specific traffic pattern you want
the firewall to detect and the action you want the firewall to take when that pattern is

Note: A firewall can only operate on communications traffic that physically passes
through it. A firewall has no impact on traffic between two devices on the same "side"
of the firewall (i.e., both connected to the same firewall network card or port).

5.4.1. Criteria used to Identify Communication Sessions

When the firewall receives a request from a device on one side to communicate with a
device on a different side, it compares information about the request against each
firewall rule in sequence until a match is found. The following information is

   - The network address of the device initiating the communication ("source") is
     compared against the list of sources contained within the rule.
   - The network address of the device whose services are requested ("destination") is
     compared against the list of destinations contained within the rule.
   - The service being requested (e.g., Web, mail, file transfer, terminal session, etc.) is
     compared against the list of services contained within the rule.

5.4.2. Additional Criteria Provided by Some Vendors
Some firewall products can also consider not only the service type, but also the specific
actions, files or elements involved. For example, between specific sources and
destinations, a firewall may:
   - allow Web requests to proceed except for certain Web pages,
   - allow file transfers to proceed from destination to source but not vice versa,
   - allow file transfers to proceed except for certain named files.

5.4.3. Actions that can be taken When Criteria are Met
If an attempted communication meets all the criteria specified in any rule, the firewall
will take the appropriate action specified in the rule. After a match, the firewall will not
review any subsequent rules in the ruleset for that communications session. Depending
on the vendor, the actions that may be taken include:
   - allow the communication to occur,
   - block the communication without notifying the source,
   - block the communication and notify the source,
   - require the user to provide valid authentication information (e.g., user ID and
     password, smart token or biometric data) before allowing the communication,
   - set up a Virtual Private Network (VPN) to encrypt the communication session
     between the source and the firewall.
    Additionally, rules contain information regarding whether or not information
about specific types of communications sessions should be captured to a log file.
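Added example, not part of the original page and not any vendor's code: a toy first-match rule engine in Python that ties 5.4.1 to 5.4.3 together. Rules are evaluated in order; the first one whose source, destination and service all match decides the action and whether the session is logged, and nothing after it is consulted. The service table, rule names, addresses and the ruleset are constructed; the actions are limited to ALLOW, DROP (block silently) and REJECT (block and notify), leaving out the authentication and VPN actions from the list above.

```python
# Added example (not from the original page): first-match firewall rule evaluation.
import ipaddress
from dataclasses import dataclass

# Service names map to the (protocol, port) pairs they cover; "any" matches everything.
SERVICES = {
    "web": {("tcp", 80), ("tcp", 443)},
    "mail": {("tcp", 25)},
    "sql": {("tcp", 1433)},
    "any": None,
}


@dataclass
class Rule:
    name: str
    sources: list        # CIDR strings, or "any"
    destinations: list   # CIDR strings, or "any"
    service: str         # key of SERVICES
    action: str          # "ALLOW", "DROP" (block silently) or "REJECT" (block and notify)
    log: bool = False    # whether a match is written to the log


@dataclass
class Request:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def _addr_matches(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(c == "any" or addr in ipaddress.ip_network(c) for c in cidrs)


def _service_matches(req, service):
    ports = SERVICES[service]
    return ports is None or (req.proto, req.dst_port) in ports


def evaluate(ruleset, req, log=None):
    """Return (rule name, action) of the first matching rule; the default is DROP.
    Matches of rules with log=True, and default drops, are appended to `log`."""
    for rule in ruleset:
        if (_addr_matches(req.src_ip, rule.sources)
                and _addr_matches(req.dst_ip, rule.destinations)
                and _service_matches(req, rule.service)):
            if rule.log and log is not None:
                log.append(f"{rule.name}: {req.src_ip}->{req.dst_ip}:{req.dst_port}/{req.proto} {rule.action}")
            return rule.name, rule.action   # first match wins; later rules are not read
    if log is not None:
        log.append(f"default: {req.src_ip}->{req.dst_ip}:{req.dst_port}/{req.proto} DROP")
    return "default", "DROP"


# Constructed ruleset modelled on the text: web in both directions, SQL Server
# traffic only from one outside address to one inside host, everything else dropped.
RULESET = [
    Rule("web-in", ["any"], ["192.0.2.10/32"], "web", "ALLOW"),
    Rule("sql-partner", ["198.51.100.5/32"], ["10.0.0.20/32"], "sql", "ALLOW", log=True),
    Rule("sql-block", ["any"], ["10.0.0.0/8"], "sql", "REJECT", log=True),
    Rule("web-out", ["10.0.0.0/8"], ["any"], "web", "ALLOW"),
]

if __name__ == "__main__":
    audit = []
    for r in [Request("203.0.113.9", "192.0.2.10", "tcp", 443),
              Request("198.51.100.5", "10.0.0.20", "tcp", 1433),
              Request("203.0.113.9", "10.0.0.20", "tcp", 1433),
              Request("10.0.0.33", "93.184.216.34", "tcp", 80),
              Request("203.0.113.9", "10.0.0.20", "tcp", 22)]:
        print(r.src_ip, "->", r.dst_ip, r.dst_port, evaluate(RULESET, r, audit))
    print("\n".join(audit))
```

Order matters: if "sql-block" were placed before "sql-partner", the partner's SQL traffic would be rejected and the more specific allow rule would never be reached, which is the classic mistake in hand-written rulesets. Putting a final catch-all DROP at the end (here the implicit default) means anything not explicitly allowed is blocked.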

5.5. What are Keyloggers?
A keylogger is a software program or hardware device that is used to monitor and log
each of the keys a user types on a computer keyboard. The user who installed the
program or hardware device can then view all keys typed in by that user. Because these
programs and hardware devices monitor the keys typed in, a user can easily find user
passwords and other information a user may not wish others to know about.
Keyloggers, as a surveillance tool, are often used by employers to ensure employees use
work computers for business purposes only. Unfortunately, keyloggers can also be
embedded in spyware, allowing your information to be transmitted to an unknown
third party.

5.5.1. About Keyloggers
A keylogger is a program that runs in the background, recording all the keystrokes.
Once keystrokes are logged, they are hidden on the machine for later retrieval, or
shipped raw to the attacker. The attacker then peruses them carefully in the hope of
either finding passwords, or possibly other useful information that could be used to
compromise the system or be used in a social engineering attack. For example, a
keylogger will reveal the contents of all e-mail composed by the user. Keyloggers are
commonly included in rootkits.
     A keylogger normally consists of two files: a DLL which does all the work and an
EXE which loads the DLL and sets the hook. Therefore when such a hook-based keylogger
is deployed on a system, two such files must be present in the same directory.
     There are other approaches to capturing info about what you are doing.
   - Some keyloggers capture screens, rather than keystrokes.
   - Other keyloggers will secretly turn on video or audio recorders, and transmit
     what they capture over your internet connection.

     A keylogger might be as simple as an exe and a dll that are placed on a machine
and invoked at boot via an entry in the registry. Or a keylogger could be a full-featured
product that boasts features such as these:
   - Stealth: invisible in process list
   - Includes kernel keylogger driver that captures keystrokes even when user is
     logged off (Windows 2000/XP)
   - ProBot program files and registry entries are hidden (Windows 2000/XP)
   - Includes Remote Deployment wizard
   - Active window titles and process names logging
   - Keystroke / password logging
   - Regional keyboard support
   - Keylogging in NT console windows
   - Launched applications list
   - Text snapshots of active applications
   - Visited Internet URL logger
   - Capture HTTP POST data (including logins/passwords)
   - File and folder creation/removal logging
   - Mouse activities
   - Workstation user and timestamp recording
   - Log file archiving, separate log files for each user
   - Log file secure encryption
   - Password authentication
   - Invisible operation
   - Native GUI session log presentation
   - Easy log file reports with Instant Viewer 2 Web interface
   - HTML and Text log file export
   - Automatic E-mail log file delivery
   - Easy setup & uninstall wizards
   - Support for Windows (R) 95/98/ME and Windows (R) NT/2000/XP
     Because a keylogger can involve dozens of files, and has as a primary goal
complete stealth from the user, removing one manually can be a terrifying challenge to
any computer user. Incorrect removal efforts can result in damage to the operating
system, instability, inability to use the mouse or keyboard, or worse. Further, some
keyloggers will survive manual efforts to remove them, re-installing themselves before the
user even reboots.

5.6. Types of Keylogger
As mentioned, keyloggers are applications that monitor a user's keystrokes and then
send this information back to the malicious user. This can happen via email or to a
malicious user's server somewhere on the Internet. These logs can then be used to
collect email and online banking usernames and passwords from unsuspecting users or
even capture source code being developed in software firms.
      While keyloggers have been around for a long time, the growth of spyware over
the last few years means they warrant renewed attention. In particular, this is due to the
relative ease at which a computer can become infected -- a user simply has to visit the
wrong website to become infected.
     Keyloggers can be one of three types:
   1. Hardware Keyloggers: These are small inline devices placed between the
      keyboard and the computer. Because of their size they can often go undetected
      for long periods of time -- however, they of course require physical access to the
      machine. These hardware devices have the power to capture hundreds of
      keystrokes including banking and email usernames and passwords.

   2. Software using a Hooking Mechanism: This type of logging is accomplished by
      using the Windows function SetWindowsHookEx() that monitors all keystrokes.
      The spyware will typically come packaged as an executable file that initiates the
      hook function, plus a DLL file to handle the logging functions. An application
      that calls SetWindowsHookEx() is capable of capturing even autocomplete
   3. Kernel/driver keyloggers: This type of keylogger is at the kernel level and
      receives data directly from the input device (typically, a keyboard). It replaces
      the core software for interpreting keystrokes. It can be programmed to be
      virtually undetectable by taking advantage of the fact that it is executed on boot,
      before any user-level applications start. Since the program runs at the kernel
      level, one disadvantage to this approach is that it fails to capture autocomplete
      passwords, as this information is passed in the application layer.

     One of VeriSign's recent reports notes that in recent years, the company has seen a
rapid growth in the number of malicious programs that have keylogging functionality.

5.7. How to Detect and Prevent Keyloggers?
Most antivirus companies have already added known keyloggers to their databases,
making protecting against keyloggers no different from protecting against other types
of malicious program: install an antivirus product and keep its database up to date.
However, since most antivirus products classify keyloggers as potentially malicious, or
potentially undesirable programs, users should ensure that their antivirus product will,
with default settings, detect this type of malware. If not, then the product should be
configured accordingly, to ensure protection against most common keyloggers.
     Let’s take a closer look at the methods that can be used to protect against unknown
keyloggers or a keylogger designed to target a specific system.
     Since the chief purpose of keyloggers is to get confidential data (bank card
numbers, passwords, etc.), the most logical ways to protect against unknown
keyloggers are as follows:
   1. using one-time passwords or two-step authentication,
   2. using a system with proactive protection designed to detect keylogging software,
   3. using a virtual keyboard.
     Using a one-time password can help minimize losses if the password you enter is
intercepted, as the password generated can be used one time only, and the period of
time during which the password can be used is limited. Even if a one-time password is
intercepted, a cyber criminal will not be able to use it in order to obtain access to
confidential information.
     In order to get one-time passwords, you can use a special device such as:

   1. a USB key (such as Aladdin eToken NG OTP);

   2. a ‘calculator’ (such as RSA SecurID 900 Signing Token).

     In order to generate one-time passwords, you can also use mobile phone text
messaging systems that are registered with the banking system and receive a PIN code
as a reply. The PIN is then used together with the personal code for authentication.
     If either of the above devices is used to generate passwords, the procedure is as
described below:
   1. the user connects to the Internet and opens a dialogue box where personal data
      should be entered;
   2. the user then presses a button on the device to generate a one-time password,
      and a password will appear on the device’s LCD display for 15 seconds;
   3. the user enters his user name, personal PIN code and the generated one-time
      password in the dialogue box (usually the PIN code and the key are entered one
      after the other in a single pass code field);
   4. the codes that are entered are verified by the server, and a decision is made
      whether or not the user may access confidential data.
     When using a calculator device to generate a password, the user will enter his PIN
code on the device 'keyboard' and press the ">" button.
     One-time password generators are widely used by banking systems in Europe,
Asia, the US and Australia. For example, Lloyds TSB, a leading bank, decided to use
password generators back in November 2005.
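Added example, not from the original page and not the code of any token vendor or bank named above: a one-time password generator and a server-side verifier in Python following the counter-based HOTP scheme of RFC 4226, which is the family of algorithm behind such devices. It shows the two properties the text relies on in step 4: a code is accepted once only (the server never accepts a counter at or below the last one it used, so an intercepted code is worthless), and the device and server stay in step through a small look-ahead window when the user presses the button without logging in. The secret is the RFC's own published test-vector key; the user name, the look-ahead size and the Token and OtpServer classes are constructed for the demo.

```python
# Added example (not from the original page): HOTP (RFC 4226) generation and
# replay-safe verification, the counter-based scheme used by many hardware tokens.
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Bank side: one shared secret per user plus the highest counter already accepted."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead
        self.users = {}   # user -> {"secret": bytes, "counter": int}

    def enroll(self, user: str, secret: bytes):
        self.users[user] = {"secret": secret, "counter": -1}

    def verify(self, user: str, code: str) -> bool:
        """Accept the code only if it matches a counter above the last accepted one,
        within the look-ahead window; a successful match burns that counter and all
        earlier ones, so the same code can never be replayed."""
        rec = self.users.get(user)
        if rec is None:
            return False
        start = rec["counter"] + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c
                return True
        return False


class Token:
    """User side: the same secret and its own counter, advanced on each button press."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


def demo():
    """Returns (fresh code accepted, replay accepted, resync after skipped presses)."""
    secret = b"12345678901234567890"   # the RFC 4226 test-vector secret (constructed demo key)
    server, token = OtpServer(), Token(secret)
    server.enroll("alice", secret)
    first = token.press()
    fresh_ok = server.verify("alice", first)        # True: first use of counter 0
    replay_ok = server.verify("alice", first)       # False: a captured code is useless
    token.press()
    token.press()                                   # two presses the server never saw
    resync_ok = server.verify("alice", token.press())   # True: counter 3 is inside the window
    return fresh_ok, replay_ok, resync_ok


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Time-based tokens (TOTP, RFC 6238) use the same hotp() function with the counter replaced by the current time divided by a 30- or 60-second step, which is where the "valid for 15 seconds" behaviour of the display comes from; the replay protection then consists of remembering the last time step accepted for that user.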

      In this case, however, the company had to spend a considerable amount of money,
as it had to acquire and distribute password generators to its clients, and develop or
purchase the accompanying software.
    A more cost efficient solution is proactive protection on the client side, which can
warn a user if an attempt is made to install or activate keylogging software.

Figure: Proactive protection against keyloggers in Kaspersky Internet Security

      The main drawback of this method is that the user is actively involved and has to
decide what action should be taken. If a user is not very technically experienced, s/he
might make the wrong decision, resulting in a keylogger being allowed to bypass the
antivirus solution. However, if developers minimize user involvement, then keyloggers
will be able to evade detection due to an insufficiently rigorous security policy.
However, if settings are too stringent, then other, useful programs which contain
legitimate keylogging functions might also be blocked.
     The final method which can be used to protect against both keylogging software
and hardware is using a virtual keyboard. A virtual keyboard is a program that shows a
keyboard on the screen, and the keys can be 'pressed' by using a mouse.
     The idea of an on-screen keyboard is nothing new - the Windows operating system
has a built-in on-screen keyboard that can be launched as follows: Start > Programs >
Accessories > Accessibility > On-Screen Keyboard.

Figure: An example of the Windows on-screen keyboard

     However, on-screen keyboards aren’t a very popular method of outsmarting
keyloggers. They were not designed to protect against cyber threats, but as an
accessibility tool for disabled users. Information entered using an on-screen keyboard
can easily be intercepted by a malicious program. In order to be used to protect against
keyloggers, on-screen keyboards have to be specially designed in order to ensure that
information entered or transmitted via the on-screen keyboard cannot be intercepted.

