Email Forensics question

My email forensics is a little rusty.  Here is what I am working with

Return-Path: <support.7@jonesday.com>
Received: from gideon.mail.atl.earthlink.net ([207.69.200.80])
      by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
Received: from jonesday.com ([96.46.255.60])
      by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0
      for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
Message-ID: <001901cf001392029beb8ac8a8c0@BillStanners-PC>
From: "Notice to Appear" <support.7@jonesday.com>
-------------
So to me the return path is probably faked.  Is the jonesday email address faked?  They used XimianEvolution for the email client.  I'd love to see a strong analysis to see what I am interpreting correctly and what I am interpreting wrong.  The payload was malware, but in my opinion, clearly targeted.  I've used a couple of free online forensic tools, but I don't have the name of the malware.  Your thoughts are appreciated.  I did see the bit about BillStanners-PC.
awakenings asked:
Gregory Miller (General Manager) commented:
You would be correct, the address appears to be spoofed. What is your goal with the forensics anyway?
0
awakenings (Author) commented:
Technodweeb,

     It is a long story.  I would like to find out who sent this.  If I could get a line by line, that would be appreciated.  Learning is always a good goal too.
0
Gregory Miller (General Manager) commented:
You are never going to find out who sent this unless you are Law Enforcement AND could get a court order to pull logs from the jonesday and earthlink mail servers. I can appreciate that it seems like it was a very targeted attempt, but for the sake of a good night's sleep you should not worry too much about it. IMHO.
0
awakenings (Author) commented:
For my sake, can I get you, or someone else, to give me a line-by-line breakdown to ensure I am reading it correctly?
0
Gregory Miller (General Manager) commented:
Sure... The email actually may not have been spoofed; an account at jonesday.com that was compromised would be my better guess. The order of operation is to read it from the bottom to the top. Each server that handles a message will prepend its info at the top, so the most recent entry will be the first line.

Return-Path: <support.7@jonesday.com>
***Return Address

Received: from gideon.mail.atl.earthlink.net ([207.69.200.80]) by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
*** Message was passed between two mail servers within the Earthlink network

Received: from jonesday.com ([96.46.255.60]) by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0 for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
***Message was received by the public-facing Earthlink mail server as delivered by the mail server at jonesday.com

Message-ID: <001901cf001392029beb8ac8a8c0@BillStanners-PC>
***Unique messageID that is used by all points between the endpoint servers to track the message by

From: "Notice to Appear" <support.7@jonesday.com>
***Email address and account at jonesday.com that was used to originate the message.
0
Dave Baldwin (Fixer of Problems) commented:
I believe I got the same "Notice to Appear" email this morning.  I just deleted it.  Almost all spam like this is auto-generated.  It is very unlikely that the machine (not person) that sent this knows who you are.  You were just on the list that was sent to that machine.
0
Gregory Miller (General Manager) commented:
I just went and looked to see if I had received it too, but I had not... =<
0
awakenings (Author) commented:
Dave,

   What is weird is the timing though.  I also had two emails from two law firms - each dealing with the states that I deal with.  There are other possibly coincidental circumstances that don't make it seem like a coincidence.  There are 50 states, why are the emails directly related to where I live without some advanced knowledge?  Maybe the hackers are using information gathered from somewhere to create more targeted attacks - spear phishing and not just phishing.  I also know zombie machines could be (and often are) used, so the PC may not mean anything.  I've never seen a phishing attack from law firms that I have nothing to do with.  This email was only the tip of the iceberg.

Technodweeb,

   Give me a couple of minutes to check your line-by-line out.  I may have a question.
0
awakenings (Author) commented:
Technodweeb,

    Thanks.  I have a couple of questions.

Received: from gideon.mail.atl.earthlink.net ([207.69.200.80]) by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
*** Message was passed between two mail servers within the Earthlink network

A-> Does this mean the point of origin is Earthlink, or only that it passed through 2 Earthlink servers?

Received: from jonesday.com ([96.46.255.60]) by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0 for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
***Message was received by the public-facing Earthlink mail server as delivered by the mail server at jonesday.com

A-> So you don't think this is spoofed then?


From: "Notice to Appear" <support.7@jonesday.com>
***Email address and account at jonesday.com that was used to originate the message.

A-> So you think this is legitimate?
0
Gregory Miller (General Manager) commented:
I did leave one piece out... BillStanners-PC would be the name of the computer that originated the email message but that could be spoofed as well.
0
awakenings (Author) commented:
Technodweeb,

    Bill Stanner's machine could have been zombified if it isn't fake.

Awakenings
0
Dave Baldwin (Fixer of Problems) commented:
No, it is not 'legit'.  Out of the 10,000 or more copies of that email that were sent out this morning, at least 1 is bound to go to someone that is dealing with lawyers and legal issues.  You are trying to create a problem where none existed.  Which of course is what the email is intended to do.  In case you still have doubts about the legitimacy of the email... here are the DNS records for 'jonesday.com' showing all the sites they host.  Note that the message source IP address 96.46.255.60 is not listed here.  It belongs to AdvancedPowerTech.com .
1	jonesday.com	NS	N1NS02LX.jdrp.com	168.98.65.6		Answer	
2	jonesday.com	NS	NANS01LX.jdrp.com	168.98.129.5		Answer	
3	jonesday.com	NS	N1NS01LX.jdrp.com	168.98.65.5		Answer	
4	jonesday.com	MX	n1ms20ci.jonesday.com	168.98.65.121	Preference: 10	Answer	
5	jonesday.com	MX	n1ms21ci.jonesday.com	168.98.65.122	Preference: 10	Answer	
6	jonesday.com	MX	nams20ci.jonesday.com	168.98.129.121	Preference: 20	Answer	
7	jonesday.com	A	jonesday.com	167.68.12.5		Answer	
8	jonesday.com	CNAME			Error 9501: No records found for given DNS query.		
9	jonesday.com	SOA	NANS01LX.jdrp.com	168.98.129.5	Admin: dnsadmin.jonesday.com, Default TTL: 21600, Expire: 172800, Refresh: 7200, Retry: 3600, Serial: 2013101001	Answer	
10	jonesday.com	TEXT			Error 9501: No records found for given DNS query.		
11	6.65.98.168.in-addr.arpa	PTR	N1NS02LX.jdrp.com	168.98.65.6		Answer	
12	5.129.98.168.in-addr.arpa	PTR	NANS01LX.jdrp.com	168.98.129.5		Answer	
13	5.65.98.168.in-addr.arpa	PTR	N1NS01LX.jdrp.com	168.98.65.5		Answer	
14	121.65.98.168.in-addr.arpa	PTR	N1MS20CI.jonesday.com	168.98.65.121		Answer	
15	122.65.98.168.in-addr.arpa	PTR	N1MS21CI.jonesday.com	168.98.65.122		Answer	
16	121.129.98.168.in-addr.arpa	PTR	NAMS20CI.jonesday.com	168.98.129.121		Answer	
17	5.12.68.167.in-addr.arpa	PTR	www.dealproof.com	167.68.12.5		Answer	
18	5.12.68.167.in-addr.arpa	PTR	www.icomply.com	167.68.12.5		Answer	
19	5.12.68.167.in-addr.arpa	PTR	prolaw.thomsonelite.com	167.68.12.5		Answer	
20	5.12.68.167.in-addr.arpa	PTR	thomsonelite.com	167.68.12.5		Answer	
21	5.12.68.167.in-addr.arpa	PTR	eliteis.com	167.68.12.5		Answer	
22	5.12.68.167.in-addr.arpa	PTR	elite.com	167.68.12.5		Answer	
23	5.12.68.167.in-addr.arpa	PTR	hubbardone.eu	167.68.12.5		Answer	
24	5.12.68.167.in-addr.arpa	PTR	hubbardonline.com	167.68.12.5		Answer	
25	5.12.68.167.in-addr.arpa	PTR	hubbard1.com	8.5.1.36		Answer	
26	5.12.68.167.in-addr.arpa	PTR	hubbardone.co.uk	167.68.12.5		Answer	
27	5.12.68.167.in-addr.arpa	PTR	yourlegalcareercenter.net	167.68.12.5		Answer	
28	5.12.68.167.in-addr.arpa	PTR	yourlegalcareercenter.info	167.68.12.5		Answer	
29	5.12.68.167.in-addr.arpa	PTR	yourlegalcareercenter.biz	167.68.12.5		Answer	
30	5.12.68.167.in-addr.arpa	PTR	www.hildebrandt.com	167.68.12.5		Answer	
31	5.12.68.167.in-addr.arpa	PTR	contactnetworks.com	167.68.12.5		Answer	
32	5.12.68.167.in-addr.arpa	PTR	cninternal.com	167.68.12.5		Answer	
33	5.12.68.167.in-addr.arpa	PTR	contact-networks.com	167.68.12.5		Answer	
34	5.12.68.167.in-addr.arpa	PTR	www.hildebrandtinstitute.com	167.68.12.5		Answer	
35	5.12.68.167.in-addr.arpa	PTR	www.expertease.com	167.68.12.5		Answer	
36	5.12.68.167.in-addr.arpa	PTR	www.westkm.com	167.68.12.5		Answer	


0
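The bottom-up reading of the Received: chain that Gregory describes, together with Dave's check of the handing-off IP against the domain's published mail hosts, as an added example that is not part of the thread. It parses the header block quoted in the question (recipient already redacted by the poster), walks the hops oldest-first, picks the first one written by an Earthlink server, and compares that hop's HELO name and IP with the addresses the DNS table above ties to jonesday.com. The function names, the `our_domain` argument and the `JONESDAY_ADDRESSES` set are this example's own.

```python
"""Read the Received: chain oldest-first and test the handing-off IP against
the domain the message claims to come from.

Added example, not code from the thread. RAW_HEADERS is the block the poster
quoted; JONESDAY_ADDRESSES is taken from the DNS table in the thread (the
three MX hosts and the A record). Function names are this example's own.
"""
import re
from ipaddress import ip_address

RAW_HEADERS = """\
Return-Path: <support.7@jonesday.com>
Received: from gideon.mail.atl.earthlink.net ([207.69.200.80])
      by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
Received: from jonesday.com ([96.46.255.60])
      by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0
      for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
Message-ID: <001901cf001392029beb8ac8a8c0@BillStanners-PC>
From: "Notice to Appear" <support.7@jonesday.com>
"""

# MX hosts n1ms20ci / n1ms21ci / nams20ci and the A record from the thread's DNS table.
JONESDAY_ADDRESSES = {"168.98.65.121", "168.98.65.122", "168.98.129.121", "167.68.12.5"}

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9a-fA-F.:]+)\]?\)\s+by\s+(?P<by>\S+)")
ADDR_RE = re.compile(r"<([^>]+)>")


def unfold(raw):
    """Join folded continuation lines (leading whitespace) into (name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_chain(raw):
    """Received: hops, oldest first. Each MTA prepends its own line, so the
    message lists them newest first; reversing gives the path the message took."""
    hops = []
    for name, value in unfold(raw):
        if name.lower() != "received":
            continue
        hop = {"helo": None, "ip": None, "by": None, "raw": value}
        m = HOP_RE.search(value)
        if m:
            hop.update(helo=m["helo"], by=m["by"])
            try:
                hop["ip"] = str(ip_address(m["ip"]))  # reject garbage in the brackets
            except ValueError:
                pass
        hops.append(hop)
    return list(reversed(hops))


def entry_hop(chain, our_domain):
    """First hop (oldest first) written by one of our own servers. Its IP is the
    peer our server actually talked to; any older hop was written by the sender
    and can be forged outright."""
    suffix = "." + our_domain.lower()
    for hop in chain:
        if hop["by"] and hop["by"].lower().endswith(suffix):
            return hop
    return None


def _address(value):
    m = ADDR_RE.search(value)
    return m.group(1).lower() if m else None


def assess(raw, our_domain, known_addresses):
    """Compare what the entry hop saw with what From:/Return-Path: claim."""
    fields = {name.lower(): value for name, value in unfold(raw)}
    from_addr = _address(fields.get("from", ""))
    return_path = _address(fields.get("return-path", ""))
    claimed_domain = from_addr.rpartition("@")[2] if from_addr else None
    hop = entry_hop(received_chain(raw), our_domain)
    if hop is None:
        return {"verdict": "no Received: line written by our own servers; chain cannot be trusted"}
    helo = (hop["helo"] or "").lower()
    helo_claims = bool(claimed_domain) and (helo == claimed_domain or helo.endswith("." + claimed_domain))
    ip_known = hop["ip"] in known_addresses
    # Right-hand side of Message-ID is whatever the sending client wrote; a bare
    # host name rather than an FQDN is typical of a desktop client, not a corporate MTA.
    msgid_host = fields.get("message-id", "").rpartition("@")[2].strip("<> ")
    result = {
        "claimed_domain": claimed_domain,
        "return_path_matches_from": return_path == from_addr,
        "origin_ip": hop["ip"],
        "helo": hop["helo"],
        "helo_claims_domain": helo_claims,
        "ip_belongs_to_claimed_domain": ip_known,
        "message_id_host": msgid_host,
    }
    if helo_claims and not ip_known:
        result["verdict"] = ("HELO names %s but %s is not one of its mail hosts: "
                             "sent from outside that domain, not by its MTA" % (claimed_domain, hop["ip"]))
    elif ip_known:
        result["verdict"] = "handed to us by a known %s mail host" % claimed_domain
    else:
        result["verdict"] = "HELO does not claim %s; check SPF/DKIM before concluding" % claimed_domain
    return result


if __name__ == "__main__":
    for hop in received_chain(RAW_HEADERS):
        print("%-15s %-32s -> %s" % (hop["ip"], hop["helo"], hop["by"]))
    for key, value in assess(RAW_HEADERS, "earthlink.net", JONESDAY_ADDRESSES).items():
        print("%s: %s" % (key, value))
```

Only the hop written by a server you control is evidence; everything the sender wrote below it, the HELO string `jonesday.com` included, is free text. Here Return-Path and From agree, so the return path is not a separate forgery signal; what gives the message away is that the host that connected to gideon.mail.atl.earthlink.net announced itself as jonesday.com from 96.46.255.60, an address that is none of jonesday.com's MX hosts.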
Gregory Miller (General Manager) commented:
No, I think the point of origin was jonesday.com more specifically from a computer with the hostname of BillStanners-PC and from an account of support.7@jonesday.com

I do not think it is spoofed but more likely compromised email account OR computer with malware or compromised in some other way.

I DO NOT think it is legitimate but I am not advising you to believe it or not to believe it. If you have doubts, call JonesDay but lookup contact info from their website directly, do not call numbers that may be a part of the email as that might take you to the perp that originated the hoax. If it is a hoax. No one can really tell you that for certain.

Did the email have any attachments? If yes, was the attachment a ZIP file? If yes, if you open the ZIP file, are the contents an EXE file? If yes BIG HOAX. DO NOT open the EXE file...

If no attachments, are there links in the body of the message? If yes, do the links all take you to jonesday.com/blah/blah/blah or do they point at another site unrelated to jonesday.com? If the latter, BIG HOAX... DO NOT click the links...

It sounds like you are in the legal field and you may know better than me, but every law firm I have ever done work for would never send a notice like that in email because they need a bona fide receipt of the notice, i.e. registered letter, FedEx, etc.
0
awakenings (Author) commented:
Technodweeb,

   There was a zip file.  I went to a Linux virtual machine and uploaded the exe to free malware analysis sites and it was malware for sure.  The text did not link anywhere else, but there are additional indications that it is false.  A court clerk sending information from a law firm.  What is weird is that different emails hit the only states that I deal with from different law firms within a 24 hour period of time.  That is just strange in my book.  It could be a coincidence, but maybe not.  I'm just scratching my head over this.

Awakenings
0
awakenings (Author) commented:
I checked Arin and the IP leads to "Achilles Networks, Inc."
0
Gregory Miller (General Manager) commented:
I see the lost sleep flying out the window now... Z...Z...Z... It's all good... I deal in computer security all day long at a bank and you would be amazed at some of the stuff I see daily. The best defense is that if it seems suspicious, it probably is. There are times when I have to look at an email for a good while to determine if it is legit, and there are some that have nearly fooled me as well. In all instances, you will find that what #DaveBaldwin said about all the thousands of individual copies of that exact same email is purely coincidental. Sure, the email could become targeted, but unless you are a high-profile target, you just got on some list that will be sold and traded for years before it dies off.
0

Gregory Miller (General Manager) commented:
https://www.robtex.com/ip/96.46.255.60.html#graph
Look here... You can also see that the IP address is blacklisted for email abuse. This tells me there is a PC on their network that has been compromised and is spewing SPAM.
0
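The blacklist check Gregory points to (and the CBL lookup linked further down) is a DNS query under the hood. As an added example that is not part of the thread, this is how a DNSBL is queried: reverse the octets of the IP, append the list's zone, resolve an A record, and read a 127.0.0.x answer as a listing. The zones used are cbl.abuseat.org (linked in the thread) and zen.spamhaus.org; the Spamhaus return-code table is from that list's public documentation. The `resolve` argument is injectable so the logic can be exercised offline with constructed answers; by default it uses the system resolver.

```python
"""Query a DNS blocklist (DNSBL) for an IPv4 address.

Added example, not from the thread. Zone names: cbl.abuseat.org (linked in the
thread) and zen.spamhaus.org. Listing semantics of zen.spamhaus.org per its
public documentation; other lists use their own codes.
"""
import socket
from ipaddress import IPv4Address

# zen.spamhaus.org answer codes. CBL itself simply answers 127.0.0.2 for a listed IP.
SPAMHAUS_ZEN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised host",
    "127.0.0.4": "XBL: infected or abused host (includes CBL data)",
    "127.0.0.5": "XBL: infected or abused host",
    "127.0.0.6": "XBL: infected or abused host",
    "127.0.0.7": "XBL: infected or abused host",
    "127.0.0.9": "SBL: DROP/EDROP range",
    "127.0.0.10": "PBL: ISP says this range should not send mail directly",
    "127.0.0.11": "PBL: Spamhaus-maintained entry",
}


def dnsbl_name(ip, zone):
    """'96.46.255.60' + 'cbl.abuseat.org' -> '60.255.46.96.cbl.abuseat.org'."""
    octets = str(IPv4Address(ip)).split(".")  # IPv4Address validates the input
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def _system_resolve(name):
    """A-record lookup via the system resolver; NXDOMAIN (not listed) -> []."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_dnsbl(ip, zone, resolve=_system_resolve, codes=None):
    """Return the query made, whether the IP is listed, and the raw answer codes.

    Only 127.0.0.x answers count as listings. 127.255.255.x is the error range
    Spamhaus uses (open resolver, query limit exceeded, bad key) and must not be
    read as a listing; any other answer means the zone is dead or parked and
    answering everything, which is also not a listing.
    """
    name = dnsbl_name(ip, zone)
    answers = resolve(name)
    errors = [a for a in answers if a.startswith("127.255.255.")]
    hits = [a for a in answers if a.startswith("127.") and a not in errors]
    codes = codes or {}
    return {
        "query": name,
        "listed": bool(hits),
        "codes": hits,
        "reasons": [codes.get(a, "listed; see the list's documentation for code %s" % a) for a in hits],
        "error": bool(errors),
    }


if __name__ == "__main__":
    # Live lookups against the real lists (needs network and a non-public resolver for Spamhaus).
    for zone, table in (("cbl.abuseat.org", None), ("zen.spamhaus.org", SPAMHAUS_ZEN_CODES)):
        print(check_dnsbl("96.46.255.60", zone, codes=table))
```

A listing on the XBL/CBL side says the IP has been seen behaving like an infected or open-proxy host, which is consistent with a compromised machine rather than a corporate mail gateway; a PBL-only hit says the ISP never intended that address range to send mail directly. Check which side answered before drawing a conclusion, and never query Spamhaus through a public resolver such as 8.8.8.8, which returns the 127.255.255.x error codes instead of a result.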
awakenings (Author) commented:
Ok...  I checked a few other black lists and saw many of them had the same issue.  I'll close this and treat it as a coincidence.  I guess I am on someone's list.  I'll give you points.  Thanks for sticking to this.
0
awakenings (Author) commented:
Technodweeb was great!
0
Gregory Miller (General Manager) commented:
Thanks!
0
awakenings (Author) commented:
What was even more coincidental is they had the states I deal with, my lawyer's last name, the timing, etc.  The odds are probably tens of thousands to one if not higher.
0
awakenings (Author) commented:
but... it is infected with a botnet.

http://cbl.abuseat.org/lookup.cgi?ip=96.46.255.60
0
Dave Baldwin (Fixer of Problems) commented:
That's not surprising.
0
Dave Baldwin (Fixer of Problems) commented:
For what it's worth, I have received and deleted one of those "Notice to Appear" emails with a virus each day for the last three days.
0
awakenings (Author) commented:
Thanks.  I've seen about 30 of them now.  Happy new year!
0
Dave Baldwin (Fixer of Problems) commented:
Happy deleting and Happy New Year!!
0