Seeing Through E-mail and Web Scams

Though most operating systems come equipped with any number of command-line IP tools, savvy network administrators are quick to exploit the capabilities of graphical, commercial implementations of such functionality. Built-in Windows IP utilities can help you identify potential scams and impostures fairly easily -- but only if you know how to use them. For full-time professionals, however, we recommend enhanced commercial packages like NetScanTools Pro 2004, which offer friendlier graphical interfaces and built-in support that make them a little quicker and easier to use.

Properly used, IP tools can help system builders tackle set-up and configuration chores, speed troubleshooting and problems resolution, and address all kinds of security issues and concerns. A good IP toolkit is the networking equivalent of a Swiss Army knife: chock-full of useful implements, and handy to have around for all kinds of uses.

Though the utilities built into Windows, Linux, and other operating systems are adequate to the tasks we describe in this article -- with one exception, for which we provide a free Web site that does a geographic lookup on IP addresses -- commercial packages (like NetScanTools Pro 2004, mentioned above) may be preferable for regular or repeated use.

Whether IP tools run at the command line or inside a dolled-up graphical interface, they are designed to inform their users about the following:


Nearly all IP toolkits include facilities that help test basic access and connectivity (Ping, Pathping, and other variants), track and report on the paths packets take from sender to receiver (Traceroute), show connections between physical and IP addresses and domain names, and much more. In an era when so-called "phishing toolkits" make it easy for non-programmers to attempt to steal financial and identity information from the unwitting or unwary, these tools can help debunk scams, and help to educate users about proper personal and business-information disclosure habits.

System builders can choose from numerous IP toolkits available in today's marketplace, or they can brute-force things out and use built-in IP command-line utilities in Windows, Linux, and other operating systems (for a list of what's included with Windows XP, see the Sidebar below).

For this Recipe, I used the built-in Windows utility called nslookup, short for "name server lookup." It's a tool that performs all kinds of forward and reverse mappings between numeric IP addresses and symbolic domain names. I also used a geographical IP address lookup utility called IP2Location that's pretty good at reporting where IP addresses are physically located. This, too, can be revealing when you think you should be sending data to a server in Cincinnati, and it ends up in Portugal instead.

It's easy to use these tools to debunk phishing scams and spoofed e-mails, whose forged sender information usually means that spam, or worse, is waiting in the message body. In this Recipe, you'll learn how to use nslookup and IP2Location for the following two scenarios:

Recognize phony e-mail (sender) addresses: By attempting to validate purported sender addresses, or to verify sending domains, you can easily tell what kind of e-mail is honest, and what is at least questionable. By comparing the IP address in the e-mail header with the IP address for the domain where it claims to originate (if, in fact, that domain exists), you can catch bogus messages quickly and easily. Obvious signs of fake addresses include:

Debunk phishing scams: By comparing reported domain names -- and associated e-mail addresses or Web URLs -- you can look for mismatches that indicate something isn't quite kosher. By comparing forward lookups of IP addresses to domain names, to reverse lookups of domain names from IP addresses, you can learn a lot. Also, by using the IP2Location tool, you can compare where official and reported IP addresses are located, and sniff out scams quickly and easily. To aid the process, IP tools can help you detect these obvious warning signs of potential fraud or misrepresentation:

As we step through our recipe, I'll provide pointers to a wonderful "Phishing Test" you can take once you've worked through the example, to try out your skills and learning (I got 9 out of 10 correct on my first try, using the NetScanTools Pro 2004 tools to aid my investigation; perhaps you can rack up a perfect score).

Because I use built-in Windows utilities and a publicly-accessible Web site to follow this recipe, you don't have to do anything to prepare for that task, except to make sure you've got a working Internet connection, access to your favorite browser, and know how to start up and work at the Windows command line.

If you decide to use a commercial package instead, you'll want to install NetScan Tools Pro 2004 on the machine where you'll perform your analysis, monitoring, troubleshooting, and other IP networking tasks. Because these tools are portable and work on any network (or network segment), I find they're great to install on a laptop I carry around to inspect and investigate potential trouble spots (if not also the places where trouble originates).

I installed NetScan Tools Pro 2004 on Windows 2000 Professional and Server, Windows XP Professional (SP1 and SP2 RC2), and Windows 2003 Server, using a download package provided to me from the Northwest Performance Software site. All installs took about four to six minutes, depending on the speed of the machine; and all the downloads produced working software. One word of warning: While NetScanTools Pro 2004 is powerful, it is not small. In fact, it takes about 25 MB of disk space to store a complete installation of the package!

If you use a laptop with NetScan Tools Pro installed, you must furnish that laptop with all the elements necessary for a working IP connection to the Internet: DHCP and DNS server access; or a static IP address, IP gateway, and subnet mask, at the bare minimum. This is my preferred method of operation, anyway.

To start, grab a suspect spam message from your spam filter or some other spam repository. If you can't find anything handy, I've posted a Web page that includes several examples. I'll use the first one as the focus for my recipe, and provide others for you to practice on at your leisure. If you want to follow along, click on the preceding hyperlink and grab the message from Canker Hoisting.

I'm grateful that e-mail products and services company MailFrontier has created a terrific Web page that features a Phishing I.Q. Test. Before you start on the second example, click on the preceding hyperlink and make sure the page is open in your favorite Web browser (for my example, I used Internet Explorer 6.0).

Let's get started.

System Ingredients

How To Analyze E-mail Name and Address Info

Now that we have our components assembled, let's take a look at the four steps involved in analyzing e-mail name and address information:

Non-authoritative answer:
Name: lanw.com
Address: 206.224.65.194

Close the nslookup session by typing exit, then hitting the Enter key. Alternatively, you can leave that session open, because we'll use it again in the next example.

This sort of technique works extremely well to separate spam -- in this case, malicious virus-infected spam -- from legitimate e-mail.

In passing, let me mention another dead giveaway that this e-mail isn't legit: It's addressed to [email protected] instead of either of my most typical e-mail addresses, [email protected] or [email protected]. My colleague would never send me e-mail through a general mailbox, when he's had my direct e-mail address in his address book for years.

Try these techniques on the other examples on my Web page; if you need inspiration, you can also read my analysis and discussion for those as well.

Phishing Detection, Step-By-Step

To follow this example, access the MailFrontier Phishing I.Q. Test in one browser window, the IP2Location service in another browser window, and open a command window with an nslookup session running. To do this, simply right-click on each of the preceding links, then select "Open in a new window" for each one. If you didn't leave a command window open after completing the previous example, open another one now (refer back to the previous example if you need instructions); then type nslookup and hit the Enter key.

On the Phishing I.Q. Test page, click item 2 to open up the PayPal window. Note that the URL to update your PayPal records says http://www.paypal.com/cgi-bin/webscr?cmd=_login-run, but when you mouse over the string, the toolbar at the bottom of the browser window reads http://194.65.136.141/.paypal/login.html. Remember my earlier warnings: This is a definite tell-tale sign of phishing.

This is where things start to get interesting. First get the IP address for paypal.com in your nslookup session: type paypal.com, then hit the Enter key. Here's what you get in response:

Non-authoritative answer:
Name: paypal.com
Address: 216.113.188.32

Next, do what's called a "reverse lookup" in your nslookup session. This will translate an IP address into a domain name. To set this up, type set type=ptr, then hit Enter. Next, type 194.65.136.141. Again, hit the Enter key. Here's what this sequence of commands produces:

*** aus-dns-cac-01-dmfe0.austin.rr.com can't find 141.136.65.194.in-addr.arpa.: Non-existent domain

There's no good reason why a legitimate PayPal server IP address wouldn't resolve to a legitimate domain name. So now let's run our location check in the IP2Location window. From this document, cut and paste the PayPal IP address into the IP Address(es) window (216.113.188.32), type a single space, then do the same for the IP address from the URL (194.65.136.141). Click the lookup button. You get the dramatic confirmation shown in the screen shot below: While PayPal's in Boulder, Colorado, the other address is in Portugal! Anybody wanna go phishin'?

You can repeat this exercise with the other nine entries on the Phishing I.Q. Test page. Work carefully and check addresses; sometimes multiple addresses resolve, so you must check them all. If you do, I guarantee you'll be able to distinguish the legitimate update requests from the phishing attacks.
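The two checks this recipe performs by hand with nslookup (forward-resolving the claimed sender domain and comparing it with the originating IP from the header, and reverse-resolving the IP hidden behind a link whose visible text names a different host) can be scripted. The following is an added example, not code from the original article or from NetScanTools; its DNS answers are a constructed stub table that mirrors the recipe's nslookup results, the sample message is constructed to resemble the PayPal item, and it assumes the last Received: header identifies the sending host. Pass live_forward and live_reverse to analyze() to query real name servers.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed DNS answers mirroring the recipe's nslookup output; pass live_forward
# and live_reverse to analyze() to ask real name servers instead.
FAKE_A = {"paypal.com": ["216.113.188.32"], "lanw.com": ["206.224.65.194"]}
FAKE_PTR = {"216.113.188.32": "paypal.com", "206.224.65.194": "lanw.com"}

def stub_forward(name):
    return FAKE_A.get(name.lower(), [])

def stub_reverse(ip):
    return FAKE_PTR.get(ip)  # None stands for nslookup's "Non-existent domain"

def live_forward(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def live_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def analyze(raw, forward=stub_forward, reverse=stub_reverse):
    headers, _, body = raw.partition("\n\n")
    claimed = next(h for h in headers.splitlines() if h.lower().startswith("from:")).split("@", 1)[1].strip(" >")
    # Assumption: the last Received: header is the earliest hop, i.e. the host that actually sent the mail.
    origin = IP_RE.search([h for h in headers.splitlines() if h.lower().startswith("received:")][-1]).group(1)
    official = forward(claimed)  # every address the claimed domain resolves to; check them all
    # A link whose visible text names one host while its href points at another is the phishing tell.
    pairs = [(urlparse(t.strip()).hostname, urlparse(h).hostname) for h, t in LINK_RE.findall(body)]
    mismatches = [(s, r, reverse(r) if IP_RE.fullmatch(r) else None) for s, r in pairs if s and s != r]
    return {"claimed_domain": claimed, "official_ips": official, "origin_ip": origin,
            "origin_matches": origin in official, "origin_ptr": reverse(origin), "link_mismatches": mismatches}

# Constructed message modelled on the recipe's PayPal example, not a real capture.
SAMPLE = """From: PayPal <service@paypal.com>
Received: from mail.paypal.com (unknown [194.65.136.141]) by mx.example.net
Subject: Update your records

<a href="http://194.65.136.141/.paypal/login.html">http://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
"""
```

For the sample message, analyze(SAMPLE) reports that the originating address is not among paypal.com's addresses, has no reverse name, and sits behind a link whose text says www.paypal.com.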

One final note: If you'd used NetScanTools Pro 2004 for these tasks, you'd have an e-mail validate command to help you check the veracity of e-mail addresses more directly. You'd also find an IP Address/Country Map command to help you do for yourself what IP2Location did for you on their Web server. It's definitely worth checking out -- and also worth the $180 to $220 you'll pay for a single full-product license.

SIDEBAR: Built-in IP Commands in Windows XP

As a general tool, the Windows XP Command Line Reference can't be beat. It includes all command-line utilities, not just IP commands. It is still a useful reference for basic descriptions, syntax rules, and examples. Here are the basics. To learn more, view this Microsoft professional product documentation.

Arp (Address resolution protocol): Displays and modifies the contents of a PC's physical (MAC) and numeric IP address table.

Finger: Seldom-used IP name and address check utility. Finger has security problems and is rarely exposed publicly.

Ftp (File Transfer Protocol): Command-line version of a basic, IP-based file transfer utility. Like Nslookup, it sets up a session-oriented runtime environment, so you can also find information about Ftp subcommands.

Ipconfig (IP configuration utility): Displays all current IP configuration data and refreshes DHCP and DNS settings.

Ipseccmd (IP Security policy mgmt tool): Configures IPSec policy settings in a Windows Registry or directory service.

Lpq (Line printer queue): Displays status of a line-printer queue that uses the IP-based Line Printer Daemon (LPD) service.

Lpr (Line printer): Sends a print file to a line printer that supports the IP-based Line Printer Daemon (LPD) service.

Nbtstat (Statistics for NetBIOS over TCP/IP, or NBT, activity): Provides numerous ways to query and display NBT-based network activity.

Netsh Interface IP (Net shell IP controls and commands): Provides command-line control over IP configuration, settings, devices, and so forth. Part of the Netsh runtime environment.

Netstat (Show IP network statistics): Provides numerous ways to query and display IP-based network activity.

Nslookup (Name Server Lookup): A runtime environment for querying and managing DNS records.

Name server lookup (nslookup.exe) is complex enough to warrant its own manual. You'll find explanations of all of nslookup's subcommands, along with syntax rules and examples, in this Microsoft document.

Pathping: Pings every hop along the path from a sender to a receiver.

Ping (Apocryphal: Packet Internet Groper): Utility used to check basic IP connectivity, host access, and communications transit time.

Rcp (Berkeley r-util remote copy command): IP-based network file transfer/copy utility used to access servers running the Remote Shell Daemon (Rshd) service.

Rexec (Berkeley r-util remote command execution): IP-based remote single-shot command execution utility used to access servers running the Remote execution daemon (Rexecd) service.

Route: Displays and modifies entries in the local PC's IP routing table.

Rsh (Berkeley r-util remote shell): IP-based remote shell execution utility that opens a session on a remote computer where users can execute an arbitrary number of commands; it is used to access servers running the Remote shell daemon (Rshd).

Telnet: IP-based network terminal emulation service that lets remote users log into a server and execute commands as if local.

Tftp (Trivial File Transfer Protocol): A lightweight, UDP/IP-based file transfer service.

Tracert (Trace route): Traces all routers and hosts traversed between a sender and a receiver, then logs average transit time between each pair of devices transited.

ED TITTEL is a writer and trainer based in Austin, TX, who specializes in Windows and security topics. He's the author of a forthcoming book, The PC Magazine Guide to Fighting Spyware, Adware, and Malware (John Wiley, Dec. 2004), and a frequent contributor to TechBuilder.org.