Solved

Email Forensics question

Posted on 2013-12-24
26
630 Views
Last Modified: 2013-12-31
My email forensics is a little rusty.  Here is what I am working with

Return-Path: <support.7@jonesday.com>
Received: from gideon.mail.atl.earthlink.net ([207.69.200.80])
      by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
Received: from jonesday.com ([96.46.255.60])
      by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0
      for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
Message-ID: <001901cf001392029beb8ac8a8c0@BillStanners-PC>
From: "Notice to Appear" <support.7@jonesday.com>
-------------
So to me the return path is probably faked.  Is the jonesday email address faked?  They used XimianEvolution for the email client.  I'd love to see a strong analysis to see what I am interpreting correctly and what I am interpreting wrong.  The payload was malware, but in my opinion, clearly targeted.  I've used a couple of free online forensic tools, but I don't have the name of the malware.  Your thoughts are appreciated.  I did see the bit about BillStanners-PC.
0
Question by:awakenings
26 Comments
 
LVL 11

Assisted Solution

by:Technodweeb
Technodweeb earned 400 total points
ID: 39738572
You would be correct, the address appears to be spoofed. What is your goal with the forensics anyway?
0
 

Author Comment

by:awakenings
ID: 39738575
Technodweeb,

     It is a long story.  I would like to find out who sent this.  If I could get a line by line, that would be appreciated.  Learning is always a good goal too.
0
 
LVL 11

Assisted Solution

by:Technodweeb
Technodweeb earned 400 total points
ID: 39738581
You are never going to find out who sent this unless you are Law Enforcement AND could get a court order to pull logs from jonesday and earthlink mail servers. I can appreciate that it seems like it was a very targeted attempt, but for the sake of a good night's sleep you should not worry too much about it. IMHO.
0
 

Author Comment

by:awakenings
ID: 39738586
For my sake, can I get from you or someone else a line-by-line breakdown to ensure I am reading it correctly?
0
 
LVL 11

Assisted Solution

by:Technodweeb
Technodweeb earned 400 total points
ID: 39738597
Sure... The email actually may not have been spoofed but an account at jonesday.com that was compromised would be my better guess. The order of operation is to read it from the bottom to the top. Each server that handles a message will prepend their info at the top so the most recent entry will be the first line.

Return-Path: <support.7@jonesday.com>
***Return Address

Received: from gideon.mail.atl.earthlink.net ([207.69.200.80]) by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
*** Message was passed between two mail servers within the Earthlink network

Received: from jonesday.com ([96.46.255.60]) by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0 for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
***Message was received by the public facing Earthlink mail server as delivered by the mail server at jonesday.com

Message-ID: <001901cf001392029beb8ac8a8c0@BillStanners-PC>
***Unique messageID that is used by all points between the endpoint servers to track the message by

From: "Notice to Appear" <support.7@jonesday.com>
***Email address and account at jonesday.com that was used to originate the message.
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 39738608
I believe I got the same "Notice to Appear" email this morning.  I just deleted it.  Almost All spam like this is auto-generated.  It is Very unlikely that the machine (not person) that sent this knows who you are.  You were just on the list that was sent to that machine.
0
 
LVL 11

Assisted Solution

by:Technodweeb
Technodweeb earned 400 total points
ID: 39738613
I just went and looked to see if I had received it too, but I had not... =<
0
 

Author Comment

by:awakenings
ID: 39738620
Dave,

   What is weird is the timing though.  I also had two emails from two law firms - each dealing with the states that I deal with.  There are other possibly coincidental circumstances that don't make it seem like a coincidence.  There are 50 states, why are the emails directly related to where I live without some advanced knowledge?  Maybe the hackers are using information gathered from somewhere to create more targeted attacks - spear phishing and not just phishing.  I also know zombie machines could be (and often are) used so the PC may not mean anything.  I've never seen a phishing attack from law firms that I have nothing to do with.  This email was only the tip of the iceberg.

Technodweeb,

   Give me a couple of minutes to check your line-by-line out.  I may have a question.
0
 

Author Comment

by:awakenings
ID: 39738623
Technodweeb,

    Thanks.  I have a couple of questions.

Received: from gideon.mail.atl.earthlink.net ([207.69.200.80]) by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
*** Message was passed between two mail servers within the Earthlink network

A-> Does this mean the point of origin is earthlink or only that it passed through 2 Earthlink servers.

Received: from jonesday.com ([96.46.255.60]) by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0 for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
***Message was received by the public facing Earthlink mail server as delivered by the mail server at jonesday.com

a-> So you don't think this is spoofed then?


From: "Notice to Appear" <support.7@jonesday.com>
***Email address and account at jonesday.com that was used to originate the message.

A-> So you think this is legitimate?
0
 
LVL 11

Assisted Solution

by:Technodweeb
Technodweeb earned 400 total points
ID: 39738624
I did leave one piece out... BillStanners-PC would be the name of the computer that originated the email message but that could be spoofed as well.
0
 

Author Comment

by:awakenings
ID: 39738625
Technodweeb,

    Bill Stanner's machine could have been zombified if it isn't fake.

Awakenings
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 39738630
No, it is not 'legit'.  Out of the 10,000 or more copies of that email that were sent out this morning, at least 1 is bound to go to someone that is dealing with lawyers and legal issues.  You are trying to create a problem where none existed.  Which of course is what the email is intended to do.  In case you still have doubts about the legitimacy of the email... here are the DNS records for 'jonesday.com' showing all the sites they host.  Note that the message source IP address 96.46.255.60 is not listed here.  It belongs to AdvancedPowerTech.com.
1	jonesday.com	NS	N1NS02LX.jdrp.com	168.98.65.6		Answer	
2	jonesday.com	NS	NANS01LX.jdrp.com	168.98.129.5		Answer	
3	jonesday.com	NS	N1NS01LX.jdrp.com	168.98.65.5		Answer	
4	jonesday.com	MX	n1ms20ci.jonesday.com	168.98.65.121	Preference: 10	Answer	
5	jonesday.com	MX	n1ms21ci.jonesday.com	168.98.65.122	Preference: 10	Answer	
6	jonesday.com	MX	nams20ci.jonesday.com	168.98.129.121	Preference: 20	Answer	
7	jonesday.com	A	jonesday.com	167.68.12.5		Answer	
8	jonesday.com	CNAME			Error 9501: No records found for given DNS query.		
9	jonesday.com	SOA	NANS01LX.jdrp.com	168.98.129.5	Admin: dnsadmin.jonesday.com, Default TTL: 21600, Expire: 172800, Refresh: 7200, Retry: 3600, Serial: 2013101001	Answer	
10	jonesday.com	TEXT			Error 9501: No records found for given DNS query.		
11	6.65.98.168.in-addr.arpa	PTR	N1NS02LX.jdrp.com	168.98.65.6		Answer	
12	5.129.98.168.in-addr.arpa	PTR	NANS01LX.jdrp.com	168.98.129.5		Answer	
13	5.65.98.168.in-addr.arpa	PTR	N1NS01LX.jdrp.com	168.98.65.5		Answer	
14	121.65.98.168.in-addr.arpa	PTR	N1MS20CI.jonesday.com	168.98.65.121		Answer	
15	122.65.98.168.in-addr.arpa	PTR	N1MS21CI.jonesday.com	168.98.65.122		Answer	
16	121.129.98.168.in-addr.arpa	PTR	NAMS20CI.jonesday.com	168.98.129.121		Answer	
17	5.12.68.167.in-addr.arpa	PTR	www.dealproof.com	167.68.12.5		Answer	
18	5.12.68.167.in-addr.arpa	PTR	www.icomply.com	167.68.12.5		Answer	
19	5.12.68.167.in-addr.arpa	PTR	prolaw.thomsonelite.com	167.68.12.5		Answer	
20	5.12.68.167.in-addr.arpa	PTR	thomsonelite.com	167.68.12.5		Answer	
21	5.12.68.167.in-addr.arpa	PTR	eliteis.com	167.68.12.5		Answer	
22	5.12.68.167.in-addr.arpa	PTR	elite.com	167.68.12.5		Answer	
23	5.12.68.167.in-addr.arpa	PTR	hubbardone.eu	167.68.12.5		Answer	
24	5.12.68.167.in-addr.arpa	PTR	hubbardonline.com	167.68.12.5		Answer	
25	5.12.68.167.in-addr.arpa	PTR	hubbard1.com	8.5.1.36		Answer	
26	5.12.68.167.in-addr.arpa	PTR	hubbardone.co.uk	167.68.12.5		Answer	
27	5.12.68.167.in-addr.arpa	PTR	yourlegalcareercenter.net	167.68.12.5		Answer	
28	5.12.68.167.in-addr.arpa	PTR	yourlegalcareercenter.info	167.68.12.5		Answer	
29	5.12.68.167.in-addr.arpa	PTR	yourlegalcareercenter.biz	167.68.12.5		Answer	
30	5.12.68.167.in-addr.arpa	PTR	www.hildebrandt.com	167.68.12.5		Answer	
31	5.12.68.167.in-addr.arpa	PTR	contactnetworks.com	167.68.12.5		Answer	
32	5.12.68.167.in-addr.arpa	PTR	cninternal.com	167.68.12.5		Answer	
33	5.12.68.167.in-addr.arpa	PTR	contact-networks.com	167.68.12.5		Answer	
34	5.12.68.167.in-addr.arpa	PTR	www.hildebrandtinstitute.com	167.68.12.5		Answer	
35	5.12.68.167.in-addr.arpa	PTR	www.expertease.com	167.68.12.5		Answer	
36	5.12.68.167.in-addr.arpa	PTR	www.westkm.com	167.68.12.5		Answer	


0
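The two analyses above, Technodweeb's bottom-to-top reading of the Received chain and Dave's check that the connecting IP is absent from the sender domain's DNS, can be turned into a small repeatable script. The following is an added example, not code from the thread; it embeds the question's headers and the DNS addresses from the listing as constructed sample data instead of resolving anything live, and the DNS-blocklist helper only builds the query name (it does not perform the lookup).

```python
import re
from ipaddress import ip_address

# Constructed sample input: the headers quoted in the question (the poster had
# already altered the recipient address).
SAMPLE_HEADERS = """\
Return-Path: <support.7@jonesday.com>
Received: from gideon.mail.atl.earthlink.net ([207.69.200.80])
      by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
Received: from jonesday.com ([96.46.255.60])
      by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0
      for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
Message-ID: <001901cf001392029beb8ac8a8c0@BillStanners-PC>
From: "Notice to Appear" <support.7@jonesday.com>
"""

# Addresses the DNS listing in the thread attributes to jonesday.com (NS, MX, A).
# Copied from the thread as constructed data; a real check would resolve them live.
JONESDAY_DNS_IPS = {
    "168.98.65.6", "168.98.129.5", "168.98.65.5",        # NS
    "168.98.65.121", "168.98.65.122", "168.98.129.121",  # MX
    "167.68.12.5",                                       # A
}

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)\s+by\s+(\S+)", re.I)


def unfold(raw):
    """Join folded header continuation lines (leading whitespace) onto the line above."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def header(raw, name):
    """Return the value of the first header called `name`, or None."""
    prefix = name.lower() + ":"
    for line in unfold(raw):
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return None


def received_hops(raw):
    """Return the hops oldest-first. Each relay prepends its own Received line,
    so the *last* Received header in the message is the first hop."""
    hops = []
    for line in unfold(raw):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.search(line)
            if m:
                hops.append({"helo": m.group(1),
                             "ip": str(ip_address(m.group(2))),  # validates the address
                             "by": m.group(3)})
    hops.reverse()
    return hops


def dnsbl_query_name(ip, zone):
    """Name to resolve for a DNS blocklist lookup: the IP's octets reversed under the
    list's zone (an answer in 127.0.0.0/8 means 'listed'). No lookup is performed here."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def analyse(raw, sender_dns_ips):
    """Summarise what the headers support and what they do not."""
    hops = received_hops(raw)
    origin = hops[0]
    from_domain = re.search(r"@([^>\s]+)>?", header(raw, "From")).group(1).lower()
    mid_host = re.search(r"@([^>]+)>", header(raw, "Message-ID")).group(1)
    return {
        "origin_helo": origin["helo"],
        "origin_ip": origin["ip"],
        # The HELO name is chosen by the connecting client; a match proves nothing by itself.
        "helo_matches_from_domain": origin["helo"].lower() == from_domain,
        # The connecting IP is recorded by the receiving server and is the hard evidence.
        "origin_ip_in_sender_dns": origin["ip"] in sender_dns_ips,
        "message_id_host": mid_host,
        # A bare machine name instead of a mail server's FQDN points to a desktop client.
        "message_id_host_is_fqdn": "." in mid_host,
    }


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_HEADERS), 1):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    for k, v in analyse(SAMPLE_HEADERS, JONESDAY_DNS_IPS).items():
        print(f"{k}: {v}")
    print(dnsbl_query_name("96.46.255.60", "cbl.abuseat.org"))
```

Run against the sample, the first hop is `jonesday.com [96.46.255.60]` handing off to `gideon.mail.atl.earthlink.net`, the connecting address is not among the domain's published records, and the Message-ID host is a bare machine name rather than a mail server, which is the same picture the thread arrives at by hand.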
 
LVL 11

Assisted Solution

by:Technodweeb
Technodweeb earned 400 total points
ID: 39738633
No, I think the point of origin was jonesday.com more specifically from a computer with the hostname of BillStanners-PC and from an account of support.7@jonesday.com

I do not think it is spoofed but more likely compromised email account OR computer with malware or compromised in some other way.

I DO NOT think it is legitimate but I am not advising you to believe it or not to believe it. If you have doubts, call JonesDay but look up contact info from their website directly, do not call numbers that may be a part of the email as that might take you to the perp that originated the hoax. If it is a hoax. No one can really tell you that for certain.

Did the email have any attachments? If yes, was the attachment a ZIP file? If yes, if you open the ZIP file, are the contents an EXE file? If yes BIG HOAX. DO NOT open the EXE file...

If no attachments, are there links in the body of the message? If yes, do the links all take you to jonesday.com/blah/blah/blah or do they point at another site unrelated to jonesday.com? If the latter, BIG HOAX... DO NOT click the links...

It sounds like you are in the legal field and you may know better than me but every law firm I have ever done work for would never send a notice like that in email because they need a bona fide receipt of the notice. i.e. registered letter, FedEx, etc.
0
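The two triage checks Technodweeb describes (a ZIP attachment whose contents are an executable, and body links that point somewhere other than the claimed sender's domain) can be done without opening the attachment or following any link. The following is an added example, not code from the thread: it reads only the ZIP's directory listing and parses the HTML for hrefs. The attachment and body are constructed samples; the sender domain and link targets are assumed for illustration.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def zip_executable_members(zip_bytes):
    """Names inside a ZIP attachment that carry an executable extension.
    Only the central directory is read; nothing is extracted or run."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if any(n.lower().endswith(ext) for ext in EXECUTABLE_EXTS)]


class _LinkCollector(HTMLParser):
    """Collect href attributes of <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def offsite_links(html_body, sender_domain):
    """http(s) hrefs whose host is neither the sender's domain nor a subdomain of it."""
    parser = _LinkCollector()
    parser.feed(html_body)
    sender_domain = sender_domain.lower()
    offsite = []
    for href in parser.hrefs:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, relative paths etc. are not judged here
        host = (parsed.hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            offsite.append(href)
    return offsite


def triage(zip_bytes, html_body, sender_domain):
    """Apply both checks and return the findings with a simple verdict."""
    exes = zip_executable_members(zip_bytes)
    links = offsite_links(html_body, sender_domain)
    return {
        "executables_in_zip": exes,
        "offsite_links": links,
        "verdict": "treat as hostile" if exes or links else "no automatic red flag",
    }


def build_sample_zip():
    """Constructed sample attachment: a ZIP whose only member is an empty .exe placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice_to_Appear.exe", b"")
    return buf.getvalue()


# Constructed sample body: one link on the claimed sender's domain, one elsewhere.
SAMPLE_BODY = """<html><body>
<p>You are hereby notified ... <a href="http://jonesday.com/notice/12345">View notice</a></p>
<p><a href="http://example.net/track?id=abc">Confirm receipt</a></p>
<p><a href="mailto:support.7@jonesday.com">Reply</a></p>
</body></html>"""


if __name__ == "__main__":
    for key, value in triage(build_sample_zip(), SAMPLE_BODY, "jonesday.com").items():
        print(f"{key}: {value}")
```

Either finding alone is enough for the "BIG HOAX" verdict in the comment above; the script just makes the check mechanical so a helpdesk or mail gateway can apply it before anyone opens the message.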

 

Author Comment

by:awakenings
ID: 39738652
Technodweeb,

   There was a zip file.  I went to a Linux virtual machine and uploaded the exe to free malware analysis sites and it was malware for sure.  The text did not link anywhere else, but there are additional indications that it is false.  A court clerk sending information from a law firm.  What is weird is that different emails hit the only states that I deal with from different law firms within a 24 hour period of time.  That is just strange in my book.  It could be a coincidence, but maybe not.  I'm just scratching my head over this.

Awakenings
0
 

Author Comment

by:awakenings
ID: 39738656
I checked ARIN and the IP leads to "Achilles Networks, Inc."
0
 
LVL 11

Accepted Solution

by:
Technodweeb earned 400 total points
ID: 39738661
I see the lost sleep flying out the window now... Z...Z...Z... It's all good... I deal in computer security all day long at a bank and you would be amazed at some of the stuff I see daily. The best defense is that if it seems suspicious, it probably is. There are times when I have to look at an email for a good while to determine if it is legit, and there are some that have nearly fooled me as well. In all instances, you will find that what #DaveBaldwin said about all the 1000's of individual copies of that exact same email is purely coincidental. Sure, the email could become targeted but unless you are a high profile target, you just got on some list that will be sold and traded for years before it dies off.
0
 
LVL 11

Assisted Solution

by:Technodweeb
Technodweeb earned 400 total points
ID: 39738665
https://www.robtex.com/ip/96.46.255.60.html#graph
Look here... You can also see that the IP address is blacklisted for email abuse. This tells me there is a PC on their network that has been compromised and is spewing SPAM.
0
 

Author Comment

by:awakenings
ID: 39738669
Ok...  I checked a few other black lists and saw many of them had the same issue.  I'll close this and treat it as a coincidence.  I guess I am on someone's list.  I'll give you points.  Thanks for sticking to this.
0
 

Author Closing Comment

by:awakenings
ID: 39738671
Technodweeb was great!
0
 
LVL 11

Expert Comment

by:Technodweeb
ID: 39738742
Thanks!
0
 

Author Comment

by:awakenings
ID: 39739051
What was even more coincidental is they had the states I deal with, my lawyer's last name, the timing, etc.  The odds are probably tens of thousands to one if not higher.
0
 

Author Comment

by:awakenings
ID: 39739054
but... it is infected with a botnet.

http://cbl.abuseat.org/lookup.cgi?ip=96.46.255.60
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39739258
That's not surprising.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39749141
For what it's worth, I have received and deleted one of those "Notice to Appear" emails with a virus each day for the last three days.
0
 

Author Comment

by:awakenings
ID: 39749193
Thanks.  I've seen about 30 of them now.  Happy new year!
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39749214
Happy deleting and Happy New Year!!
0
