Email abuse is the use of electronic mail to advertise unethically, harass, annoy or otherwise harm the recipient. It can take the form of bulk email, spam and unsolicited commercial email (UCE), threatening email, or email sent with the intent to slow the recipient's productivity or to damage the recipient's computer system.

Examples of email abuse activities:
- Chain Letters
- Spamming

Guidance when encountering email abuse:
- Email Header
- Some Email Etiquettes when making a complaint to Service Providers

Email security practices:
- Preventing Open Relay Activities
- Safe Email Practices

Examples of email abuse activities

Chain Letters

Definition
Chain letters are malicious letters passed along in a chain from user to user. Their content may be a threat or an appeal to sympathy. Chain letters are a significant problem because they waste users' time as well as network bandwidth and disk space. They always promise good luck to those who continue the chain. Most of the message is usually headers from forwarded copies.

How to Detect a Chain Letter
All chain letters share the following elements:
a. A Hook
A hook catches your interest and gets you to read the rest of the letter. Hooks used to be "Make Money Fast" or "Get Rich" or similar statements about making money for little or no work. Electronic chain letters still use the "free money" type of hook, but have added hooks like "Danger!", "Virus Alert" or "A Little Girl Is Dying". These play on our fear for the survival of our computers or on our sympathy for some poor unfortunate person.
b. A Threat
A threat warns you about the terrible things that will happen if you do not maintain the chain; other letters play on greed or sympathy instead to get you to pass the letter on. The threat often uses official- or technical-sounding language to make you believe it is real.
c. A Request
The traditional request asks you to mail a dollar to the top ten names on the letter and then pass it on. The electronic request simply admonishes you to "Distribute this letter to as many people as possible." They never mention clogging the Internet or the fact that the message is a fake; they only want you to pass it on to others.
Chain letters usually do not carry the name and contact information of the original sender, so it is impossible to check their authenticity. Legitimate warnings and solicitations always carry complete contact information for the person sending the message, and are often signed with a cryptographic signature such as PGP to assure their authenticity.
Examples of Chain Letters
Example 1
You have been sent a blessing. Those who have followed the instructions on this letter have received good fortune, as you will. The rewards of this letter supersede the promises of all other letters you may have received. This is the final chain-letter you will ever send. Its instructions are simple, to receive the fortune that has graced those who have received this before you follow these steps.
Example 2
Make nine unaltered copies of this note, and send each copy to a friend or stranger within nine days of receiving this. This completed, you will have received not only luck and positive karma, but you have been PERMANENTLY released from the obligation to send another chain-letter.
Example 3
Never heed another chain-letter. By sending this letter you have already incurred the fortune promised by all future letters you will receive.
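An added example, not part of the original page: a Python heuristic that checks a message body for the hook, threat and request elements described above and for any contact details or PGP signature that would let the reader verify it. The cue lists and the two sample bodies (the page's three example fragments joined into one letter, and a constructed legitimate notice) are this example's own assumptions.

```python
import re

# Keyword cues for the three chain-letter elements. Constructed lists for this
# example; a real filter would tune them against its own mail stream.
HOOKS = ["make money fast", "get rich", "free money", "danger", "virus alert",
         "is dying", "good fortune", "good luck", "blessing", "luck and positive karma"]
THREATS = ["bad luck", "misfortune", "will die", "unless you", "if you do not",
           "if you don't", "break the chain"]
REQUESTS = ["send this", "forward this", "copies of this", "as many people as possible",
            "pass it on", "distribute this", "send each copy"]

# Anything that would let the reader check on the sender, as the text describes.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s()-]{7,}\d")
PGP_SIG = "-----BEGIN PGP SIGNATURE-----"


def _cues(text, cues):
    return sorted(c for c in cues if c in text)


def analyse_chain_letter(body):
    """Return which elements appear and whether the message is verifiable at all."""
    text = body.lower()
    verifiable = bool(EMAIL_RE.search(body) or PHONE_RE.search(body) or PGP_SIG in body)
    found = {
        "hook": _cues(text, HOOKS),
        "threat": _cues(text, THREATS),
        "request": _cues(text, REQUESTS),
        "verifiable": verifiable,
    }
    # A request to propagate, driven by greed, fear or sympathy, with no way to
    # check on the sender: that is the pattern the text describes.
    found["is_chain_letter"] = (bool(found["request"])
                                and bool(found["hook"] or found["threat"])
                                and not verifiable)
    return found


# Constructed sample: the three example fragments from this page joined into one body.
CHAIN_SAMPLE = """You have been sent a blessing. Those who have followed the instructions on this
letter have received good fortune, as you will. Make nine unaltered copies of this
note, and send each copy to a friend or stranger within nine days of receiving
this. This completed, you will have received not only luck and positive karma, but
you have been PERMANENTLY released from the obligation to send another chain-letter."""

# Constructed counter-example: a signed notice with a contact address asks the
# reader to forward it, yet is not flagged because it can be checked on.
NOTICE_SAMPLE = """Please forward this maintenance notice to your team. The mail gateway
will be down on Saturday. Questions: helpdesk@example.org
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----"""

if __name__ == "__main__":
    for name, body in (("chain letter", CHAIN_SAMPLE), ("notice", NOTICE_SAMPLE)):
        print(name, analyse_chain_letter(body))
```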
Recommended actions upon Receipt of Chain Letters
- If you receive a chain letter in your e-mail, delete it.
- Make a report to the abuse department of your ISP for further investigation. Attach the chain letter you received to your complaint.
- Do not send or circulate it to your friends and relatives because you will be clogging up the network. In addition, you lend your and your company's reputation to the message, making it appear to be authentic even when that is not the case. Hit the delete button instead and put that message where it belongs.

Spamming

Description
Email spamming (often combined with get-rich-quick schemes) is the sending of one email to hundreds or thousands of addresses. The situation is worse when the email is sent to mailing lists, from which it is forwarded to hundreds of other users. The email may take the form of a chain letter or a get-rich-quick scheme.
Spamming may be combined with email spoofing, in which the header is altered to make the sender more difficult to trace.
Technical Matters
Email spamming is almost impossible to prevent: any user with a valid email address can "spam" any other valid email address.
When a large number of emails are directed to or through a single site, the site experiences delays, and faked sender addresses cause bounced emails. This can escalate into a denial of service, in which the server loses network connectivity, crashes, or stops providing service.
Recommended Steps to deal with Spam
a. Detection:
If the email system appears slow, or emails are not being sent and received properly, the system may be processing too many emails.
If users complain of full mailboxes, they may be victims of spamming.
b. Reaction
1. For providers / ISP:
Identify the source of the email bomb (an email bomb is a form of net abuse in which huge volumes of email are sent to one address in an attempt to overflow the mailbox or overwhelm the server hosting it, a denial-of-service attack). Review the email header for the email's origin. Obtain the user account/identity from your logs. If the source is a dedicated host/IP, configure your router to block incoming packets from that host/IP.
Review your organization's email policy and procedures. If your organization does not have such a policy, a so-called Acceptable Use Policy (AUP), maybe it is a good time to create one. Refer to sample AUPs for reference.
Ensure you are running the latest sendmail version.
2. For individual email:
If you have been spammed, there are a few steps to take before forwarding the mail to your ISP or to the spammer's provider.
First, find out the domain name the spammer is using. This can be done by looking at the full header of the mail: view and read the full header and determine the source of the spammer. Then forward the mail, with the full header, to your ISP or the spammer's provider.
To find the appropriate address to send it to, check the provider's web page, which usually lists a contact email address. You may also use the whois command to find the contact person for the domain (if it is a known domain/Internet provider).
Most ISPs have a dedicated email account for reporting email abuse such as. Another alternative, send it to or.
There are some etiquettes involved when sending an email to the ISP or the spammer's provider.
c. Prevention:
Unfortunately, there is no easy way to prevent spamming. It is impossible to predict the origin of the email. There are sites that collect email addresses and sell/provide them to companies to market their products. Users have to be careful not to surrender their personal information, email address and password to any party on the Internet, especially via the Web.
Dealing with spamming at an organisational level:
- Develop in-house tools to help you recognize spamming or alert you to respond to it. The tools should increase logging of your email traffic, incoming and outgoing. Once you have identified the emails, you can use other tools to discard them.
- If you have a small network, you may want to configure your firewall or router to route all SMTP packets to your central email hub. This will not prevent attacks, but it reduces the number of exposed SMTP ports available for SMTP-based intruder attacks. It also means that if you wish to filter your email, you can easily do so by wrapping the sendmail server.
- sendmail 8.8 allows filtering that helps control abuse of SMTP ports and email abuse such as spamming. Please refer to the sendmail 8.8 documentation for its anti-spamming implementation.
- Educate your users to inform you of spamming activities. Incorporate relevant policies and procedures into the management of your email usage.
- Do not propagate the problem by forwarding or replying to spam emails.

Guidance when encountering email abuse

Email Header

What is an Email Header?
Every email carries a header, which is one part of the email's structure. It holds basic information such as whom the email is from, whom it is addressed to, the date and time it was sent and the subject, much like an electronic postmark. This basic information appears in the brief header that most email programs show by default. An email also carries further technical information, which can be viewed in the full header. All email programs can be set to show either the brief header or the full header, and it is up to the user to choose which to view.
The full header includes information such as the names of the mail servers the email passed through on its way to the recipient, the recipient's and sender's IP addresses, and even the name and version of the email program used. This information is essential for analysing and investigating cases involving email abuse, spamming and mailbombing, and it cannot be found in a brief header. Thus, it is important that anyone reporting to their ISP or to their CERT team includes the full header for cases involving email abuse, worm-infected email, harassment and forgeries.
Examples of Headers
a. Brief Header
A brief header looks like this, with the following information:
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: tom@pc.jaring.mu
To: jacob@ace.cdc.abu.com
Subject: happy holiday
b. Full Header
A full header looks like this, with the following detailed information:
Return-Path: tom@pc.jaring.mu
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
    by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
    for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
    by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
    for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: ass@pc.jaring.my
Message-Id: <199805080205.KAA21792@relay13.jaring.my>
To: jacob@ace.cdc.abu.com
Subject: happy holiday
Status: RO
X-Status:
What is in a Header?
Now let's look at what is in a header. The header contains the "name" and "address" of the sender, the recipient and anyone who is being copied, the "date" and "time" the mail was sent and the "subject" of the mail. The header exists mainly so that computers can route mail to you. The "Received:" lines indicate the mailers: they show which mailers the mail was routed through before it reached the recipient. Usually, over the Internet, mail goes through several mailers before it finally reaches the recipient. This information helps in tracing the source IP address of the sender.
How to read a Header?
Return-Path: tom@pc.jaring.mu
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
    by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
    for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
    by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
    for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: ass@pc.jaring.my
Message-Id: <199805080205.KAA21792@relay13.jaring.my>
To: jacob@ace.cdc.abu.com
Subject: happy holiday
Status: RO
X-Status:
Description of header:
1. Return-Path: ass@relay13.jaring.my
The Return-Path line gives the address to which a reply to this mail will be sent.
2. Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
    by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
    for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
    by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
    for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
The preceding lines are the routing information: they tell where the mail went and when it arrived at each mailer. To follow the flow, they must be read backwards, from bottom to top. So this mail originated from hole.com and was mailed to relay13.jaring.my; from there it went to ace.cdc.abu.com, the recipient's Internet host. If your mail bounces, this part of the header shows how far the mail got and which machine rejected it.
3. Message-Id: <199805080205.KAA21792@relay13.jaring.my>
The Message-Id line is intended mainly for tracing mail routing and uniquely identifies each mail.
4. From: ass@pc.jaring.my
The 'From' line shows who sent the mail and his/her email address; it can easily be faked/forged.
5. To: jacob@ace.cdc.abu.com
The 'To' line lists the email address(es) of the recipients of the mail. There may also be a Cc line listing everyone who received copies of the mail.
This address could also be a hidden list of addresses; thus your address may not appear here even though you received the mail.
6. Subject: happy holiday
The Subject line gives some idea of what the mail is about.
7. Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
The Date line gives the date and time the mail was originally sent, in the sender's local time zone.
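The bottom-up reading of the Received: lines described above, as an added example that is not part of the original page: a Python script that parses the page's sample full header, lists the hops oldest-first and picks out the origin IP to cite in an abuse report. The indentation of the folded continuation lines and the Return-Path/From comparison are this example's own additions.

```python
import re
from email import message_from_string

# Constructed sample input: the full header shown on this page, with the
# continuation lines of each "Received:" field indented as the mail format requires.
SAMPLE_HEADER = """\
Return-Path: tom@pc.jaring.mu
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
\tby ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
\tfor ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
\tby relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
\tfor ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: ass@pc.jaring.my
Message-Id: <199805080205.KAA21792@relay13.jaring.my>
To: jacob@ace.cdc.abu.com
Subject: happy holiday

"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>": the HELO name is
# whatever the connecting system claimed; the bracketed IP is what the receiving
# server actually saw on the connection, so it is the value worth reporting.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def trace_hops(raw_message):
    """Return the relay hops oldest-first. Each server prepends its own Received:
    line, so the header must be read bottom-up to follow the mail's path."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if not m:
            continue  # non-standard line: skip it rather than guess
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({**m.groupdict(), "time": stamp})
    return hops


def origin_ip(raw_message):
    """IP recorded by the first relay; the From: line and HELO name can be forged."""
    hops = trace_hops(raw_message)
    return hops[0]["ip"] if hops else None


def sender_lines_disagree(raw_message):
    """Flag a Return-Path that differs from From:, one simple forgery indicator."""
    msg = message_from_string(raw_message)
    return (msg.get("Return-Path") or "").strip("<> ") != (msg.get("From") or "").strip()


if __name__ == "__main__":
    for i, hop in enumerate(trace_hops(SAMPLE_HEADER), 1):
        print(f"hop {i}: {hop['helo']} ({hop['rdns']} [{hop['ip']}]) -> {hop['by']} at {hop['time']}")
    print("origin IP to report:", origin_ip(SAMPLE_HEADER))
    print("Return-Path and From disagree:", sender_lines_disagree(SAMPLE_HEADER))
```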

Email security practices

Preventing Open Relay Activities

An open mail relay refers to a function of an email server that makes it possible for traffic from a foreign system to be relayed to another foreign system. This capability can be enabled or disabled through the server's configuration options, and it is not, in and of itself, currently a violation of law or policy.
It becomes an issue when a third party discovers that the capability is present and uses it to propagate spam or other traffic that the recipient may consider offensive.
In order not to be considered "open," an email relay should be configured to accept and forward only the following messages:
• Messages from local IP addresses to local mailboxes
• Messages from local IP addresses to non-local mailboxes
• Messages from non-local IP addresses to local mailboxes
• Messages from clients that are authenticated and authorized
In restricting third-party relaying, system administrators should install anti-relay features in their mail servers regardless of the type of mail server used. The anti-relay feature disables third-party relaying and protects the mail server from being used by unauthorized users or spammers to send unsolicited junk mail to other Internet users. In addition, if an older version that is vulnerable to open-relay abuse is in use, system administrators should upgrade to the latest version, which has anti-relay features.
To test whether your mail server is vulnerable to third-party relaying, please refer to: http://spamlinks.net/prevent-secure-relay-test.htm
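An added example, not the page's or any mail server's own code: the four allowed cases above expressed as a relay policy function in Python, with constructed local networks and a local domain (192.0.2.0/24, 2001:db8::/32, example.org). It also shows why the decision must key on the connecting IP rather than on the MAIL FROM address.

```python
import ipaddress

# Assumed local scope for this example (constructed values, not from the page):
# the networks our own clients connect from and the domains whose mailboxes we host.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]
LOCAL_DOMAINS = {"example.org"}


def is_local_client(client_ip):
    """True if the connecting IP, as seen on the socket, is inside our own networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETS)


def is_local_mailbox(address):
    """True if the recipient's domain is one we host."""
    return address.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def relay_decision(client_ip, mail_from, rcpt_to, authenticated=False):
    """Decide one RCPT TO: returns ("accept", reason) or ("reject", reason).

    Only the four cases the text allows are accepted. The decision keys on the
    connecting IP and the recipient domain, never on mail_from: that address is
    supplied by the client and trivially forged, so a server that relays for any
    MAIL FROM ending in a local domain is still an open relay."""
    if authenticated:
        return "accept", "authenticated and authorized client"
    if is_local_client(client_ip):
        return "accept", "local IP address to local or non-local mailbox"
    if is_local_mailbox(rcpt_to):
        return "accept", "non-local IP address to local mailbox"
    return "reject", "third-party relay: non-local IP address to non-local mailbox"


if __name__ == "__main__":
    # Constructed transactions; the last one is the forged-local-sender case.
    cases = [
        ("192.0.2.10", "alice@example.org", "bob@example.org", False),
        ("192.0.2.10", "alice@example.org", "bob@other.net", False),
        ("203.0.113.7", "x@other.net", "bob@example.org", False),
        ("203.0.113.7", "x@other.net", "y@other.net", True),
        ("203.0.113.7", "x@other.net", "y@other.net", False),
        ("203.0.113.7", "alice@example.org", "y@other.net", False),
    ]
    for ip, sender, rcpt, auth in cases:
        verdict, why = relay_decision(ip, sender, rcpt, auth)
        print(f"{ip:>14} {sender:>18} -> {rcpt:<18} auth={auth!s:<5} {verdict}: {why}")
```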

Safe Email Practices

Using Caution with Email Attachments
Some of the characteristics that make email attachments convenient and popular are also the ones that make them a common tool for attackers:
- Email is easily circulated - Forwarding email is so simple that viruses can quickly infect many machines. Most viruses don't even require users to forward the email—they scan a users' computer for email addresses and automatically send the infected message to all of the addresses they find. Attackers take advantage of the reality that most users will automatically trust and open any message that comes from someone they know.
- Email programs try to address all users' needs - Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send.
- Email programs offer many "user-friendly" features - Some email programs have the option to automatically download email attachments, which immediately exposes your computer to any viruses within the attachments.
Protection against such attachments:
- Be wary of unsolicited attachments, even from people you know - Just because an email message looks like it came from your mom, grandma, or boss doesn't mean that it did. Many viruses can "spoof" the return address, making it look like the message came from someone else. If you can, check with the person who supposedly sent the message to make sure it's legitimate before opening any attachments. This includes email messages that appear to be from your ISP or software vendor and claim to include patches or anti-virus software. ISPs and software vendors do not send patches or software in email.
- Save and scan any attachments before opening them - If you have to open an attachment before you can verify the source, take the following steps:
1. Be sure the signatures in your anti-virus software are up to date
2. Save the file to your computer or a disk
3. Manually scan the file using your anti-virus software
4. Open the file
- Turn off the option to automatically download attachments - To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option, and make sure to disable it.
- Consider additional security practices - You may be able to filter certain types of attachments through your email software or a firewall.
Tips for protection against Fraudulent Email / Phishing Attempts
1) Identifying phishing/fraudulent attempts:
- Legitimate online businesses will never ask you for sensitive personal information such as passwords, bank account or credit card numbers, PIN numbers, or Social Security numbers via e-mail. So, if you were asked to reveal this information online, this may be a fraudulent attempt.
- Phishers normally use convincing messages to ask users to go to their websites and enter personal/sensitive information on the phishing website. It would be advisable to scan the types of messages contained in the email prior to visiting the websites.
Among messages to be cautious of are as follows:
- Security or server updates, maintenance upgrades, online banking problems
- Billing information requests or billing issues
- Official or urgent notices
- Account updates, e-mail or account verification requests
- Consumer alerts, customer warnings
- Your account has been, or may be, suspended or needs to be reactivated
- Problems with your account, errors found
- Suspicious transactions, fraud investigation, unusual activity
- Someone sent you money, payment acknowledgments, order confirmations, lottery wins, jackpot wins, competition wins
- Requests for assistance with fund transfers (the infamous 'Nigerian' scam)
- Offers of advice on how to protect yourself from fraudulent transactions, identity theft solutions
- The phishing email does not address a user by his/her name.
- No confirmation of the company that does business with you, such as referencing a partial account number.
- The email warns that your account will be shut down unless you reconfirm your financial information.
- Spelling or grammatical errors in the phishing emails.
2) Avoiding phishing attempts
a. Do not respond to e-mails requesting your personal information. Legitimate companies do not ask their customers for confidential information, such as passwords and account numbers, through e-mail.
b. Do not open attachments or download files. Phishers can use these files to infect your computer with a virus or spyware.
c. Do not click on links provided in e-mails. If you are uncertain about a website address that appears in an e-mail, go to your browser and enter the legitimate address manually. Phishers can use links to point recipients to a "spoofed" site, using an address similar to a real bank's URL. If in doubt, phone the business in question. Use a phone number that you have obtained from a reliable source, not from the suspected e-mail.
d. Do secure your computer. Use updated anti-virus software, personal firewalls and apply latest security patches for your operating system and browser to secure your system from unwanted incidents. Anti-spam software can also help stop phishing e-mails from getting into your inbox. Some phishing e-mail may try to release a virus onto your computer.
Internet Explorer (IE) users can download a special patch to protect against certain phishing schemes.
The download is available at: http://www.microsoft.com/security/
e. Do report suspicious e-mails to the legitimate company, to your Internet Service Provider (ISP) or to your Computer Emergency Response Team (CERT).
f. Do review your credit card and bank statements regularly to check for errors or unauthorized transactions. If anything looks suspicious, do contact your bank and all card issuers.
g. Do install a Web browser toolbar to help protect you from known phishing fraud websites.
EarthLink ScamBlocker is part of a free browser toolbar that alerts you before you visit a page that's on Earthlink's list of known fraudulent phisher Web sites.
h. Do consider protecting yourself from dangerous scripts, spammers and phishers. Software such as the latest version of Outlook Express makes it much easier to do this.