You are browsing comments for How to avoid identity fraud?

  1. @Anirudh and Vikram: Thanks for sharing the tips here.

    @Vikram: Thanks a lot, do tell others about it too, so they can remain secure.

    @Kat: lol, just grow to be a rich person, you will have people running around for your email id. https is the most important thing you should always know.

  2. @Sharique: Keyloggers are something which is really difficult to beat down. You should know where you are using the system.

  3. The From: field is easily forged. So, if it is not some idiot fooling around but an experienced identity thief (or even unexperienced), it will almost ALWAYS appear to be from Yahoo. A better way is to view full/complete headers and look for ‘Received: from’, or ‘x-originating-address:’ or similar. This can be done in GMail by pressing the menu (downward pointing triangle) in the top-right of the message and selecting Show Original. In this example, an email I received in Google Apps for hoppingmouse.com from AOL {comments in curly brackets are mine}

    Delivered-To: ******@hoppingmouse.com
    Received: by 10.67.62.11 with SMTP id p11cs48107ugk; {Note that for each step in the process another Received header is added, so it is the bottom one (ie the first one showing the originating server) we care about}
    Fri, 6 Apr 2007 23:59:19 -0700 (PDT)
    Received: by 10.70.66.18 with SMTP id o18mr6797768wxa.1175929158865;
    Fri, 06 Apr 2007 23:59:18 -0700 (PDT)
    Return-Path:
    Received: from mta.message.aim.com (mta.message.aim.com [65.167.67.222]) {This is the good bit, mta.message.aim.com is where this email came from}
    by mx.google.com with ESMTP id 39si5724714wrl.2007.04.06.23.59.17;
    Fri, 06 Apr 2007 23:59:18 -0700 (PDT)
    Received-SPF: unknown (google.com: domain of AIM_Products@message.aim.com uses a mechanism not recognized by this client)
    Date: Sat, 07 Apr 2007 02:59:08 -0400 (EDT)
    Message-Id:
    From: "AIM Member Message" {This is the From: field GMail displays.}
    To: ******@hoppingmouse.com
    Subject: ******, Kevin Bacon Invites You to Join Six Degrees
    MIME-Version: 1.0
    Content-Type: text/html; charset="us-ascii"
    Content-Transfer-Encoding: 7bit

    Google has more info on these headers here: http://mail.google.com/support.....security=1
    When reporting spam and phishing, it is important to include these full headers.

    Also, apparently mail software is supposed to add a Sender: or X-Sender: header if the From: header is forged. In addition to this, extra forged Received: headers can be added (but they cannot be removed). This means that, if a forger adds a fake Received: header, it will not be the last, but the second last that shows the real originating server. More info can be gained here: http://www.rahul.net/falk/mailtrack.html

    Below is an example of a forgery (copy-pasted off the site above):

    From webpromo@denmark.it.earthlink.net Tue Jul 8 13:05:02 1997
    Return-Path:
    From: webpromo@denmark.it.earthlink.net
    Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net [204.119.177.22]) {This line is the last step, inserted by the ISP}
    by best.com (SMI-8.6/mail.byaddr) with ESMTP id NAA21506 for ;
    Tue, 8 Jul 1997 13:05:16 -0700
    Received: from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET [153.34.218.226]) {Claims to be Earthlink.net but is really uu.net}
    by denmark.it.earthlink.net (8.8.5/8.8.5) with SMTP id NAA12436;
    Tue, 8 Jul 1997 13:00:46 -0700 (PDT)
    Received: from adultpromo@earthlink.net {This line is clearly bogus as it displays email addresses rather than server names.}
    by adultpromo@earthlink.net (8.8.5/8.6.5) with SMTP id GAA05239 {Another way to identify bogus IP addresses is to ping to see if it exists, or whois or traceroute to check the servers match}
    for ; Tue, 08 Jul 1997 15:48:51 -0600 (EST)
    To: adultpromo@earthlink.net
    Message-ID:
    Date: Tue, 08 Jul 97 15:48:51 EST
    Subject: Hot News !
    Reply-To: adultpromo@earthlink.net
    X-PMFLAGS: 12345678 9
    X-UIDL: 1234567890x00xyz1x128xyz426x9x9x
    Comments: Authenticated sender is {FORGED!}
    Content-Length: 672
    X-Lines: 26
    Status: RO

    PS, copy-paste this into Notepad so that you can read it properly.
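
The Received: reading described in comment 3, as an added example (not code from the commenter or the linked site): it walks the chain from the newest header down and stops at the first hop whose claimed name disagrees with the name the receiving server recorded. The function names, the two-label domain comparison and the trimmed copy of the forged sample are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Constructed sample: Received chain of the forged message quoted above, trimmed.
SAMPLE = """\
Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net [204.119.177.22])
\tby best.com (SMI-8.6/mail.byaddr) with ESMTP id NAA21506;
\tTue, 8 Jul 1997 13:05:16 -0700
Received: from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET [153.34.218.226])
\tby denmark.it.earthlink.net (8.8.5/8.8.5) with SMTP id NAA12436;
\tTue, 8 Jul 1997 13:00:46 -0700 (PDT)
Received: from adultpromo@earthlink.net
\tby adultpromo@earthlink.net (8.8.5/8.6.5) with SMTP id GAA05239;
\tTue, 08 Jul 1997 15:48:51 -0600 (EST)
From: webpromo@denmark.it.earthlink.net

"""

# "from CLAIMED (RDNS [IP])": CLAIMED is what the sender said, RDNS/IP what the receiver saw.
HOP = re.compile(r"^from\s+(\S+)(?:\s+\((?:(\S+)\s+)?\[([\d.]+)\]\))?")

def base(host):
    # Crude registered-domain guess: last two labels (assumption, no public-suffix list).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(value):
    m = HOP.match(" ".join(value.split()))  # unfold the continuation lines first
    if not m:  # "Received: by ..." with no from clause: internal hand-off
        return {"claimed": None, "ip": None, "status": "internal"}
    claimed, rdns, ip = m.groups()
    if ip is None:  # the receiver recorded no peer address, nothing to check
        return {"claimed": claimed, "ip": None, "status": "unverifiable"}
    ok = rdns is not None and base(claimed) == base(rdns)
    return {"claimed": claimed, "rdns": rdns, "ip": ip,
            "status": "consistent" if ok else "mismatch"}

def trace(raw):
    return [classify(v) for v in message_from_string(raw).get_all("Received", [])]

def likely_origin(raw):
    # Everything below the first untrustworthy hop was supplied by the sender.
    last_ip = None
    for hop in trace(raw):
        if hop["status"] == "internal":
            continue
        if hop["status"] == "unverifiable":
            break
        last_ip = hop["ip"]
        if hop["status"] == "mismatch":
            break
    return last_ip
```

A "consistent" hop is only a heuristic pass: a forged header can be written to look consistent, so the result is most reliable when the upper hops are servers you know belong to your own mail provider.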

  4. Hi again.
    Sorry about the length of my last comment, I probably should have trimmed it down a bit.
    To the point, I have a feeling a spambot would be able to work out name [at] example [dot] com, by doing the following:
    Find the words at and dot within 1 word of each other and get the words on either side
    name [at] example [dot] com
    Strip non-alphanumeric characters
    nameatexampledotcom
    Substitute at and dot
    name@example.com

    I may at some point in the future build a proof of concept PHP script showing this possibility, but by the time I get around to it, this filtering will be commonplace and there will be no need.

    It would also probably be told to strip words like NOSPAM, another trick going around.
    All this might lead to some false positives, but a lot more emails being harvested.
    My suggestion: Computers aren’t capable of human thought. Use a riddle or other tricky thingy, like
    [Ceasing to exist, to ___ into oblivion]@[a device used to make mathematical calculations, often fits in one's pocket].com
    clearly means
    disappear@calculator.com
    (this is just a random example)
    Also, Javascript tricks like the JS equivalent of <?php echo $user."@".$domain.".".$suffix ?> [I am not fluent in JS, hence the (useless) PHP example] could also be combatted by harvesting tools, I’m sure. (although this may be a little more difficult)

  5. I have seen a lot of spam and I waste a lot of time marking them as spam. Why doesn’t Google do it for me?

  6. By using a proxy, you not only protect your personal information from the site you are visiting, but you also reduce your risk of identity theft. Sites created for the purpose of phishing identities loom on the web, and every time you accidentally stumble upon a site you leave a footprint of your location. These thieves use all the information they can to eventually steal your credit information for their own profit. However, if you are safe and use a proxy such as this one, the risk for identity theft is greatly reduced.

    Identity theft is a huge problem in today’s society. The transformation to online banking, checking, and bill paying has spawned a new avenue for thieves to steal from you. More important than money, though, is the personal information they can steal. Thieves use tactics commonly referred to as phishing. By using a proxy such as this one, you can greatly reduce your risk of identity theft.

    http://therealproxy.info
