Cult of Dan Brown Discussion forums for readers & fans
Arras
enthusiast
Reged: 05/24/04
Posts: 263
Loc: B.C., Canada
Fact vs. Fiction: E-mail Tracers
#1208 - 05/27/04 12:10 PM

In "Digital Fortress", Brown describes Susan Fletcher's e-mail tracer program as an application that attaches invisibly to an e-mail, and then executes when it finally arrives at its destination, sending back the recipient's actual e-mail address before deleting itself to cover its tracks. She uses this to discover the real identity of "North Dakota", whose e-mail passes through an anonymous remailer.

While this may play well for movie audiences, e-mail simply doesn't work that way. There *are* ways to trace e-mail, and I'll get to those in a moment, but first let's look at why Susan's tracer would never work:

(1) Mail attachments are never "invisible", no matter how small they are. E-mail has a clearly-defined structure to it, and if you want to embed a program in the mail it needs to be attached explicitly as a MIME part. There's no way to specify that the attachment should be "invisible".

(2) The tracer program she was attaching to her mail would have to be executed by the recipient, just like any other virus/worm/Trojan. Just *receiving* the attached program does not trigger its execution, unless you're relying on some exploit in the recipient's mail client (in which case you'd need to know what mail client he's using). Furthermore, in sending this tracer to a supposed associate of Tankado's, Susan would have been counting on a presumably knowledgeable person to do a very stupid thing--execute an unknown program sent by an unknown party. With e-mail-based viruses/worms/Trojans as rampant as they are (and have been for the better part of the last decade), it's hard to imagine a computer-savvy person falling for such a trick.

(3) Even if the tracer program had been executed by the recipient and then deleted itself, it would leave behind evidence in the recipient's mail server's logs.

Now, having said that, people *do* use clever and deceptive E-mail tracking techniques these days--spammers in particular. Their interest is in verifying that your e-mail address is in fact valid, and whether you actually opened the spam they sent you.

Spammers do this by taking advantage of the fact that modern mail clients support HTML. With HTML you can embed image links, and the recipient's mail client is usually only too happy to load those images from a remote web server--a server that the spammer controls. If you look closely at the mail he sends you, you'll see an image tag in the HTML that points to his web server, and contains some extra tracking information at the end, e.g.

<IMG SRC="http://some.web.server/product.jpg?id=398482773">

This tells your mail client where to get the image from, and when your mail client dutifully connects to the spammer's web server to do so, it also passes along that tracking number (398482773). In the spammer's database, he knows that 398482773 is the number associated with the e-mail address he used to reach you, so when he sees this in his web server's logs, he has confirmation that your e-mail address is valid, and that you actually opened the e-mail (since the image would not be loaded by your mail client otherwise).

There's no attachment for you to have to click on, no executable code to run. It's all done by taking advantage of your mail client's built-in HTML capabilities. These are called "web bugs", incidentally.

You can block this tactic by configuring your mail client not to load images from remote servers (or not to load them at all). Some mail clients make this easier than others, and of course if your mail client doesn't support HTML at all, web bugs can't affect you.

As for whether Susan Fletcher's tracer could have been implemented with web bugs, it certainly could. It would not have been entirely "invisible", however--the recipient could always have checked the raw contents of the e-mail to see the web bug, and a paranoid recipient would be all but guaranteed to do so. On the other hand, disguising the tracer e-mail as spam would probably work quite well at slipping under the recipient's radar, though there's also the growing risk that the recipient's mail server may use a spam filter that blocks/discards such junk mail before relaying anything to his mailbox (these days more intelligent spam filters look explicitly for web bugs).

WKShadow
Beloved Angel
Reged: 06/02/04
Posts: 79
Loc: Myrtle Beach, SC
Re: Fact vs. Fiction: E-mail Tracers [Re: Arras]
#1303 - 06/15/04 03:11 PM

Speaking of HTML and web bugs, is that the same thing used when I try to unsubscribe? Isn't that just another way for the sender to verify my email? (cuz I noticed I seemed to be in a list of names similar to my email. Is that a listserve?)

Arras
enthusiast
Reged: 05/24/04
Posts: 263
Loc: B.C., Canada
Re: Fact vs. Fiction: E-mail Tracers [Re: WKShadow]
#1315 - 06/16/04 09:58 PM

Unsubscribe links (or any HTML links) in an e-mail are similar to web bugs, yes, except that they need to be clicked on to work. The web bugs I was describing don't even require you to click on anything--they just try to load an image from a remote web server, so when your e-mail program opens the mail, the deed is done.

Generally speaking, you should only try to unsubscribe from lists that you know you subscribed to in the first place. Most spam these days claims to be "opt-out"--they'll claim that you must have subscribed at some point in the past, possibly on one of their affiliates' sites, etc., but they offer you the chance to unsubscribe yourself by clicking on a link. If you do that, one of several things could happen:

(1) You could actually be removed from that particular spammer's list. Great! Now you just have to do that for every other list you're on. Unsubscribing quickly becomes a full-time job, particularly since you never subscribed to these lists in the first place.

(2) More likely, the spammer now has confirmation that your e-mail address is valid, and that you read his mail. More promising from his point of view is that you were gullible enough to click the "unsubscribe" link, which makes you statistically more likely to be the kind of person to buy the products spammers advertise. In other words, you migrate to the spammer's VIP list, and instead of getting removed from future mailings, you end up getting a lot more of them.

(3) You could get placed on a "complainers" list that the spammer maintains, to be treated to something worse. Not that spammers are particularly discriminating people to begin with, but if they have reason to dislike you they may go out of their way to subscribe you to a virus distribution channel. This can actually help the spammer, too--many of the viruses (well, worms) that have been developed over the past year have been designed to turn the victim's computer into a spam relay. If your machine becomes infected, the spammer can then use your computer to broadcast spam, to better hide his tracks.

To reiterate, only try to unsubscribe from lists that you know you subscribed to in the first place. There are many valid, legitimate mailing lists (listserves), but you won't usually find yourself on a legitimate mailing list without first subscribing (and usually confirming that subscription) yourself.

Dave_Howe
stranger
Reged: 12/13/04
Posts: 4
Loc: Manchester England
Re: Fact vs. Fiction: E-mail Tracers [Re: Arras]
#2533 - 12/13/04 12:05 PM

Re: "mime attachments are never invisible"
Investigate the RFC for MIME Multipart/related - RFC 2387 - and you will find an interesting concept, of MIME parts that are *hidden* from the viewer and can be referenced in the HTML of the mail as embedded objects such as a SWF.
Combine this with the known bugs and exploits for IE (used as the rendering agent in Outlook and Outlook Express, sadly the most popular email software in the world) and you can have an email that carries with it a program, which, once executed by merely viewing the email, covers its own tracks then emails back details from the viewing machine.

Dachande
stranger
Reged: 02/05/05
Posts: 2
Re: Fact vs. Fiction: E-mail Tracers [Re: Dave_Howe]
#2796 - 02/05/05 02:32 AM

You don't even have to use images as links. Windows has exploits in it that allow code to be placed as the image and when you try and view the image it could do anything you want. This way you could have a 1px by 1px image and when you view the email you see nothing, but the code is run in the background. You could then use an open port and send a reply. Simple!

Arras
enthusiast
Reged: 05/24/04
Posts: 263
Loc: B.C., Canada
Re: Fact vs. Fiction: E-mail Tracers [Re: Dave_Howe]
#2806 - 02/06/05 10:16 AM

Quote:

Dave_Howe said:
Re: "mime attachments are never invisible"
Investigate the RFC for MIME Multipart/related - RFC 2387 - and you will find an interesting concept, of MIME parts that are *hidden* from the viewer and can be referenced in the HTML of the mail as embedded objects such as a SWF.

The key phrase there is "invisible to the viewer". There's no way to conceal an attachment from the software parsing the mail. Whether and how your e-mail client displays attachments is up to its developer (and in some cases configurable by the user).

My point, though, is that the evidence is still contained in the original MIME-encoded e-mail sitting in the target's mailbox. The target's mail client will display the decoded contents, but most mail clients also offer an ability to view the "raw" (i.e. encoded) contents as well, and of course the mail file itself can be viewed with any text editor. Anyone bothering to do a little investigation would discover the "hidden" content, provided the receiver hasn't already deleted the mail. From the standpoint of someone sending a bit of tracer code, the risk of leaving this evidence behind on the target's computer is impractically large, particularly if the target works in a paranoid environment.

It's also worth noting that spam and mail-borne viruses have encouraged the development of software that closely inspects the raw and decoded contents of the e-mail you receive, and these filters look explicitly for embedded malware, web bugs, and suspicious MIME structures in the process. With more people using these kinds of tools to defend their mailboxes against spam and malware, it becomes much harder to "hide" such tracer code from the target--it gets flagged as suspicious automatically.

Lightstar
stranger
Reged: 03/28/05
Posts: 4
Loc: Florida
Re: Fact vs. Fiction: E-mail Tracers [Re: Arras]
#3193 - 03/28/05 05:58 AM

You don't know jack shit about computers. First off, you can hide an application in an e-mail and make it invisible. Second, you don't have to have the receiver activate the tracer, it activates upon opening of the e-mail. My dad worked for the NSA as a cryptographer. I would know.

--------------------
-Lightstar
You've just been blinded by the starlight.

Arras
enthusiast
Reged: 05/24/04
Posts: 263
Loc: B.C., Canada
Re: Fact vs. Fiction: E-mail Tracers [Re: Lightstar]
#3195 - 03/28/05 08:04 AM

Quote:

Lightstar said:
You don't know jack shit about computers. First off, you can hide an application in an e-mail and make it invisible. Second, you don't have to have the receiver activate the tracer, it activates upon opening of the e-mail. My dad worked for the NSA as a cryptographer. I would know.

If you want to argue on the basis of credentials, I write anti-spam and anti-virus software for a living, specifically mail server scanners (witness Maia Mailguard), and I lecture on related topics such as cryptovirology and malware. Your uncle Jack and I have known each other for more than 25 years.

It is my business to understand e-mail-borne threats and how to neutralize them at the mail server, before they ever reach the recipient's mail client. When I speak of "visibility," I'm not talking necessarily about what the mail client exposes to the end-user, but rather what any raw mail processor (e.g. a mail filter or scanner) can see in the mail. There are certainly tricks to fool a mail client into not displaying an attachment to the end-user, but any application that offers a "raw" view of the mail will expose the malicious code for what it is, to humans and applications that know what to look for.

Web bugs are a perfect example of this sort of thing. They're HTML call-backs, essentially, and rely on modern e-mail clients to blindly try to load remote links (such as images) in HTML code. A mail filter can detect these trivially and neutralize such links before they are sent to the HTML processing engine--a feature that has been incorporated into many mail clients these days. I catch and neutralize several hundred of these attempts on a daily basis in my personal e-mail.

Now, if you want to talk about exploit-ware--malware written to exploit known vulnerabilities in specific mail clients--that's a similar matter. Once the exploits become known, new filter patterns are written to detect their characteristics in arriving e-mail. Only so-called "zero-day" exploits, which are as-yet unrecognized, will slip through to the recipient. With more and more ISPs and end-users running anti-virus and anti-spyware software on their machines, pre-processing their mail for them, the delivery of exploit-ware is unreliable.

More to the point, reliance on exploit-ware requires knowledge of the recipient's specific mail client--do you know she's using Microsoft Outlook? If she's using Mozilla Thunderbird, or Eudora, that exploit won't work. It even requires assumptions about the platform the recipient is using--an exploit that targets Thunderbird under Windows won't necessarily affect someone running Thunderbird under Linux, or on a Mac. It's far from reliable as a tool for targeting a specific recipient, unless you know these things ahead of time. Even then, the target recipient may read her mail from multiple platforms and with multiple clients--perhaps Outlook Express on a Windows box at home, Thunderbird on a Mac at work, and via Yahoo! web-mail when she's traveling.

My point (as I believe I've stressed several times by now) is that it would be drop-dead stupid for the NSA or any other organization to try to pull a stunt like this with e-mail, particularly against a target who is known to be paranoid in the first place and technically competent (e.g. Tankado). There is no way to hide the evidence, since the exploit code must be transmitted in full to the recipient. It will have passed (in uninterpreted, raw form) through multiple mail relays by then, including one or more mail filters (any one of which might quarantine the item for being suspicious), and thanks to financial sector rules like the Sarbanes-Oxley Act, an increasing number of companies are required by law to archive all of the mail they send or receive on write-once media (e.g. CDs or DVDs). Such archives would preserve the evidence indefinitely.

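The "raw view" of a message that Arras describes in the post above, and the web-bug image with a tracking number from the first post, can be shown together in a short Python script. This is an added example, not code from the thread or from Maia Mailguard; it uses only Python's standard email library, and the message it parses is constructed for illustration (the some.web.server URL is the one quoted in the first post).

```python
# Added example (not from the thread): what a raw mail processor sees.
import re
from email import policy
from email.parser import BytesParser

# Constructed sample (not a real capture): multipart/related with an HTML body,
# an inline image referenced by cid: and one remote tracking image (web bug).
SAMPLE = b"""\
Subject: newsletter
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p><img src="cid:logo">
<IMG SRC="http://some.web.server/product.jpg?id=398482773" width=1 height=1>
</body></html>
--b1
Content-Type: image/gif
Content-ID: <logo>
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--b1--
"""

# An <img> tag whose src points at a remote http(s) server.
REMOTE_IMG = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def list_parts(raw):
    """Every MIME part as (content_type, content_id), shown to the reader or not."""
    out = []
    for part in BytesParser(policy=policy.default).parsebytes(raw).walk():
        cid = part.get("Content-ID")
        out.append((part.get_content_type(), str(cid) if cid else None))
    return out

def find_web_bugs(raw):
    """Remote image URLs found in HTML parts; each one is a call-back."""
    urls = []
    for part in BytesParser(policy=policy.default).parsebytes(raw).walk():
        if part.get_content_type() == "text/html":
            urls.extend(REMOTE_IMG.findall(part.get_content()))
    return urls

def neutralize_html(html):
    """Replace remote image sources so the client cannot fetch them;
    returns (rewritten_html, count)."""
    return REMOTE_IMG.subn(lambda m: m.group(0).replace(m.group(1), "about:blank"), html)
```

Run against SAMPLE, list_parts shows the inline image/gif part that a client would never display as an attachment, find_web_bugs returns the tracking URL, and neutralize_html is the rewrite a filter can apply before the HTML reaches the rendering engine.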
Lightstar
stranger
Reged: 03/28/05
Posts: 4
Loc: Florida
Re: Fact vs. Fiction: E-mail Tracers [Re: Arras]
#3196 - 03/28/05 09:06 AM

You have proved me wrong. I am sorry.

--------------------
-Lightstar
You've just been blinded by the starlight.

8549176320abc
enthusiast
Reged: 05/02/05
Posts: 219
Loc: UK
Re: Fact vs. Fiction: E-mail Tracers [Re: Lightstar]
#3660 - 05/10/05 08:01 AM

It takes a big man to admit that - you could never become a politician though!

--------------------
Governments offer us safety for our freedom. It is by seeing this safety as false that we are freed.
