E-mail tracking


G-Stress

Hey guys, I'm a bit rusty. I have a friend whose Yahoo e-mail account I believe has been compromised. She has changed her passwords on all her accounts, from various devices in various locations, and still somehow something/someone is using her Yahoo e-mail account OR has managed to copy her address book and is spoofing her e-mail account, sending out spam to all her clients.

She has forwarded me 2 of the e-mails to my Gmail account and I know to look in the headers, etc., but I'm having a bit of an issue trying to figure out where to look to see where the e-mail originated from. Looking at the headers in Gmail, to me it mostly looks like a bunch of encrypted gibberish.


You need the original email file, saved as an attachment. Forwards will usually rewrite the header info and not show the original chain they came in from. She needs to save it to disk, renamed to .txt or such, using an email client that can save the whole file with the original headers, or give you access to her account to look at the original email. The last address in the header area towards the bottom, before the From and To area, is usually where you find the originating IP too. You'll usually see a number of places where it says something like "Received: by", and it could be spoofed, or sent from a VM, and might be a LAN IP, or say localhost, or 127.0.0.1 even.

Might even say: Received: from [10.0.0.8] ([x.x.x.x]) where the x.x.x.x is the real IP of the sender, and the first IP is the local address of the sender's LAN. The second address is the one externally facing, that you can usually do a GeoIP lookup on for a general idea of where/what part of the world it came from.

If she uses email on her phone though, or has something like the Facebook app, or any Facebook, Twitter, or other third-party social network apps, they usually raid address books, aside from the fact that the Facebook app has complete control of a phone and your address book. I would ask her if she uses something like that in conjunction with her normal computer login to Yahoo.

Tell her to make sure, when changing passwords, that she also never uses the same password for websites as she does for her email, and to change them all, since if they have her Yahoo account password, they will try that email address and password on every social network site, look up her reset questions and answers for them, and can use that later to re-guess her Yahoo reset question to get in again, and again.

Yahoo also had a system breach months back. They tried to say it only affected their Japanese users, but companies like Yahoo use co-location services, and I had family members that had Yahoo at one time and hadn't logged into their accounts in years that started sending out spam after the breach, so I know Yahoo was full of shit when they said the attack was limited in scope and in what data was accessed. She'd be better off exporting her address book and moving to a new email service, although these days none of them are exactly what I could call "trustworthy", including Gmail.

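The bottom-up walk of the Received: chain described in the post above, as an added example (not code from the thread or from any poster): it parses a raw message, unfolds the Received: headers, walks them from the oldest hop upward, skips LAN, localhost and link-local literals, and reports the first externally facing IP. The message is a constructed sample using documentation addresses, with a last hop that carries no IP at all and a "[LAN] ([public])" hop above it, so the skip logic is actually exercised.

```python
import email
import ipaddress
import re

# Constructed sample (not the thread's real headers): a Received: chain with
# the newest hop on top. The oldest hop has no IP literal, the next one reads
# "[LAN address] ([public address])", and the relays above it are the
# recipient side's own servers.
SAMPLE_RAW = """Return-Path: <sender@example.net>
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbox.example.com (Postfix) with ESMTP id ABC123; Fri, 6 Sep 2013 10:23:35 -0700
Received: from localhost (localhost [127.0.0.1])
\tby mx.example.org (Postfix) with ESMTP id DEF456; Fri, 6 Sep 2013 10:23:34 -0700
Received: from [10.0.0.8] ([203.0.113.45])
\tby mx.example.org (Postfix) with ESMTPA id GHI789; Fri, 6 Sep 2013 10:23:33 -0700
Received: from spamuser by mail.example.net with local (Exim 4.80.1)
\t(envelope-from <sender@example.net>) id 1ABCDE-0002Vm-RH; Fri, 6 Sep 2013 20:23:31 +0300
From: "Friend" <friend@example.com>
Subject: Invitation

(body)
"""

IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")
# Ranges that can never be the sender's externally facing address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 LAN
    "127.0.0.0/8", "::1/128",                           # localhost
    "169.254.0.0/16", "fe80::/10", "fc00::/7",          # link-local / ULA
)]

def received_hops(raw):
    """All Received: headers, unfolded onto one line each, newest first."""
    msg = email.message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def is_routable(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)

def originating_ip(raw):
    """Oldest hop first; return the first routable IP literal, else None."""
    for hop in reversed(received_hops(raw)):
        for ip_text in IP_LITERAL.findall(hop):
            if is_routable(ip_text):
                return ip_text
    return None
```

Feed it the saved .txt of the original message rather than a forward; the result is the address you would then put into a GeoIP or whois lookup.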

I would also recommend leaving Yahoo. Esp. if you're saying she's using a Yahoo account as a work account?! This really puts people off. Buying a domain barely costs anything these days. And most internet providers give you a mailbox where you can link your domain on.

I agree, it's a lot more robust than Yahoo (but they're not as bad as AOL, dear lord and all that is holy ..)


I agree, it's a lot more robust than Yahoo (but they're not as bad as AOL, dear lord and all that is holy ..)

Funny, cause for the longest time too, not sure if it's still that way, AOL truncated passwords to 8 characters no matter the length, and forced lower case for everything. This made easy hacking for spam attacks on AOL users, including those who used AIM and just the email service, not the regular AOL software, which also did the same thing.

EDIT: Google gmail news of interest to gmail users - https://twitter.com/mouselink/status/375999404182077440

Here is one spam email I received today; you can see how they try to obfuscate to some extent. The mydomain part is what I changed to remove my email servers.

Return-Path: <vodon12@hosting5.ukrnames.com>
X-Original-To: me@mydomain
Delivered-To: x10962632@homiemail-mx23.g.mydomain
Received: from diehard.mydomain (caiajhbdcbhh.mydomain [mydomain.132.177])
	by homiemail-mx23.g.mydomain (Postfix) with ESMTP id 0A5F860BD5608
	for <me@mydomain>; Fri,  6 Sep 2013 10:23:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by diehard.mydomain (Postfix) with ESMTP id E7B5017BC6D6
	for <me@mydomain>; Fri,  6 Sep 2013 10:23:34 -0700 (PDT)
X-DH-Virus-Scanned: Debian amavisd-new at diehard.mydomain
X-Spam-Flag: NO
X-Spam-Score: -1.938
X-Spam-Level: 
X-Spam-Status: No, score=-1.938 tagged_above=-999 required=999
	tests=[HTML_FONT_SIZE_HUGE=0.001, HTML_MESSAGE=0.001,
	RP_MATCHES_RCVD=-1.94] autolearn=disabled
Received: from godfather.mydomain ([mydomain.132.79])
	by localhost (diehard.mydomain [mydomain.132.157]) (amavisd-new, port 10024)
	with ESMTP id P3gZqk8jMF9h for <me@mydomain>;
	Fri,  6 Sep 2013 10:23:34 -0700 (PDT)
Received: from hosting5.ukrnames.com (hosting5.ukrnames.com [91.197.128.157])
	by godfather.mydomain (Postfix) with ESMTP id 87F151B0087
	for <me@mydomain>; Fri,  6 Sep 2013 10:23:34 -0700 (PDT)
Received: from vodon12 by hosting5.ukrnames.com with local (Exim 4.80.1)
	(envelope-from <vodon12@hosting5.ukrnames.com>)
	id 1VHzkp-0002Vm-RH
	for me@mydomain; Fri, 06 Sep 2013 20:23:31 +0300
To: me@mydomain
Subject: Invitation
From: "Wedding Agent Anthony Craft" <anthony_craft51@kartek-avto.com.ua>
X-Mailer: grasslandtromboneV8.75
Reply-To: "Wedding Agent Anthony Craft" <anthony_craft51@kartek-avto.com.ua>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------1378488211522A0F93A6E26"
Message-Id: <E1VHzkp-0002Vm-RH@hosting5.ukrnames.com>
Date: Fri, 06 Sep 2013 20:23:31 +0300
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - hosting5.ukrnames.com
X-AntiAbuse: Original Domain - mydomain
X-AntiAbuse: Originator/Caller UID/GID - [689 687] / [47 12]
X-AntiAbuse: Sender Address Domain - hosting5.ukrnames.com
X-Get-Message-Sender-Via: hosting5.ukrnames.com: authenticated_id: vodon12/from_h


Original sender, if we look at the last Received: from (which can be spoofed depending on how it was sent):
Received: from vodon12 by hosting5.ukrnames.com with local (Exim 4.80.1) (envelope-from <vodon12@hosting5.ukrnames.com>)
Array
(
    [CountryCode] => UA
    [IP] => 91.197.128.157
    [CountryName] => Ukraine
    [Region] => 
    [City] => 
    [PostalCode] => 
    [Latitude] => 49
    [Longitude] => 32
    [Hostname] => hosting5.ukrnames.com
)

Now let's do a whois:

whois 91.197.128.157

Whois v1.01 - Domain information lookup utility
Sysinternals - www.sysinternals.com
Copyright (C) 2005 Mark Russinovich

Connecting to COM.whois-servers.net...
Connecting to whois.godaddy.com...

Domain Name: UKRNAMES.COM
Registrar URL: http://www.godaddy.com
Updated Date: 2011-08-21 13:24:07
Creation Date: 2007-09-05 10:32:41
Registrar Expiration Date: 2019-09-05 10:32:41
Registrar: GoDaddy.com, LLC
Registrant Name: Oleksiy Mykhaylov
Registrant Organization: Ukrainian Internet Names Center
Registrant Street: ul. Chernishevskogo 85/14
Registrant City: Kharkiv
Registrant State/Province:
Registrant Postal Code: 61002
Registrant Country: Ukraine
Admin Name: Oleksiy Mykhaylov
Admin Organization: Ukrainian Internet Names Center
Admin Street: ul. Chernishevskogo 85/14
Admin City: Kharkiv
Admin State/Province:
Admin Postal Code: 61002
Admin Country: Ukraine
Admin Phone: +380.5727626123
Admin Fax: +380.577800386
Admin Email: alexey@ukrnames.com
Tech Name: Oleksiy Ptashniy
Tech Organization: Ukrainian Internet Names Center
Tech Street: ul. Chernishevskogo 85/14
Tech City: Kharkiv
Tech State/Province:
Tech Postal Code: 61002
Tech Country: Ukraine
Tech Phone: +380.503011496
Tech Fax: +380.577800386
Tech Email: alex@ukrnames.com
Name Server: NS1.UKRNAMES.COM
Name Server: NS2.UKRNAMES.COM
Name Server: NS3.UKRNAMES.COM

The data contained in GoDaddy.com, LLC's WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy.  This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, LLC.  By submitting an inquiry,
you agree to these terms of usage and limitations of warranty.  In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam.  You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the "registrant" section.  In most cases, GoDaddy.com, LLC
is not the registrant of domain names listed in this database.
So they are using GoDaddy and we can report them for abuse.

Thanks for the quick response guys! @digip, yes she has changed all her passwords and never used the same for everything, and all her questions. I honestly think somehow that her address book was just compromised and the bot or user is mass spamming her address book. She said her clients are receiving the junk about 2 times a day.

I also suggested she leave Yahoo or use a different e-mail for her work and she has done so, now using the email service via her domain. She does use Facebook on her phone and I'm sure Yahoo as well, and maybe other social apps. Also, yes, I did notice a localhost address in the header I was looking at, and I thought that I would need the original e-mail, because for tracking purposes it would show me her address if it were forwarded vs. the attacker's IP, but I wasn't sure.

I used to use Yahoo back in the day, but I find Gmail is much better, especially for business use if you're not gonna buy a domain. Also it's been a while since I've been on the forums; I was wondering when Hak5 was gonna add a like button :) bout time!

Thanks again guys for all your input and advice:)


If you can get one of the emails as an attachment (to preserve the headers, as digip suggests), you can copy/paste the header into an online analyser to make it easier to read...

http://www.mxtoolbox.com/EmailHeaders.aspx

It might make things clearer on where it came from.

Just be careful to sanitize your own email address info!! Lots of those are used to create spam lists, and most people don't take out their email ID, server, IP, etc.