awakenings
asked on
Email Forensics question
My email forensics is a little rusty. Here is what I am working with
Return-Path: <support.7@jonesday.com>
Received: from gideon.mail.atl.earthlink.net ([207.69.200.80])
by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
Received: from jonesday.com ([96.46.255.60])
by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0
for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
Message-ID: <001901cf001392029beb8ac8a8c0@BillStanners-PC>
From: "Notice to Appear" <support.7@jonesday.com>
-------------
So to me the return path is probably faked. Is the jonesday email address faked? They used Ximian Evolution for the email client. I'd love to see a strong analysis to see what I am interpreting correctly and what I am interpreting wrong. The payload was malware, but in my opinion, clearly targeted. I've used a couple of free online forensic tools, but I don't have the name of the malware. Your thoughts are appreciated. I did see the bit about BillStanners-PC.
ASKER
For my sake, can I get you or someone else to give a line-by-line breakdown to ensure I am reading it correctly?
ASKER
Dave,
What is weird is the timing though. I also had two emails from two law firms - each dealing with the states that I deal with. There are other possibly coincidental circumstances that don't make it seem like a coincidence. There are 50 states, why are the emails directly related to where I live without some advanced knowledge? Maybe the hackers are using information gathered from somewhere to create more targeted attacks - spear phishing and not just phishing. I also know zombie machines could be (and often are) used, so the PC may not mean anything. I've never seen a phishing attack from law firms that I have nothing to do with. This email was only the tip of the iceberg.
Technodweeb,
Give me a couple of minutes to check your line-by-line out. I may have a question.
ASKER
Technodweeb,
Thanks. I have a couple of questions.
Received: from gideon.mail.atl.earthlink.net ([207.69.200.80]) by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
*** Message was passed between two mail servers within the Earthlink network
A-> Does this mean the point of origin is Earthlink, or only that it passed through 2 Earthlink servers?
Received: from jonesday.com ([96.46.255.60]) by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0 for <SomeChangedAddress@earthlink.net.com, 23 Dec 2013 14:17:05 -0500 (EST)
*** Message was received by the public-facing Earthlink mail server as delivered by the mail server at jonesday.com
A-> So you don't think this is spoofed then?
From: "Notice to Appear" <support.7@jonesday.com>
*** Email address and account at jonesday.com that was used to originate the message.
A-> So you think this is legitimate?
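A worked example of the reading being discussed, added here and not taken from the thread or any of its answers: walk the Received chain oldest-first and split it at the first hop stamped by the recipient's own mail system (Earthlink). From that hop onward the logged IP is the receiving server's own observation; the "from jonesday.com" name in that same line is only what the connecting host claimed, and any hop before it is unverifiable. The sample headers are the question's, with the line-wrap damage joined and the truncated "for <...>;" clause completed, which is an assumption.

```python
import re
from email import message_from_string

# Headers from the question above, as constructed sample input: line-wrap
# damage joined and the partial "for <...>;" clause completed (assumption).
SAMPLE = """Return-Path: <support.7@jonesday.com>
Received: from gideon.mail.atl.earthlink.net ([207.69.200.80])
 by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZZWR3Nl36y0; Mon, 23 Dec 2013 14:17:07 -0500 (EST)
Received: from jonesday.com ([96.46.255.60])
 by gideon.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1vVaZX44Z3Nl3pK0
 for <SomeChangedAddress@earthlink.net>; Mon, 23 Dec 2013 14:17:05 -0500 (EST)
Message-ID: <001901cf001392029beb8ac8a8c0@BillStanners-PC>
From: "Notice to Appear" <support.7@jonesday.com>

"""

# "from <claimed name> ([<ip>]) ... by <stamping server>"
HOP = re.compile(r"from\s+(?P<claim>\S+)\s*(?:\(\[?(?P<ip>[\d.]+)\]?\))?.*?\bby\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return the Received hops oldest-first as dicts (claim, ip, by, date)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        date = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
        hops.append({**m.groupdict(), "date": date})
    hops.reverse()                                # topmost header = last hop
    return hops

def trace(raw, trusted_suffix):
    """Split the chain at the first hop stamped by a server we trust."""
    hops = parse_hops(raw)
    for i, h in enumerate(hops):
        if h["by"].lower().endswith(trusted_suffix):
            return {"untrusted": hops[:i], "entry": h, "internal": hops[i + 1:]}
    return {"untrusted": hops, "entry": None, "internal": []}

if __name__ == "__main__":
    r = trace(SAMPLE, "earthlink.net")
    e = r["entry"]
    print(f"entry hop: claimed '{e['claim']}', connected from {e['ip']}, "
          f"logged by {e['by']} at {e['date']}")
    print(f"{len(r['untrusted'])} unverifiable hop(s) before it, "
          f"{len(r['internal'])} internal relay hop(s) after it")
```

Here the entry hop is the jonesday.com line: 96.46.255.60 is what gideon logged, the jonesday.com name is self-reported, and the later Earthlink-to-Earthlink hop is just internal relaying.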
ASKER
Technodweeb,
Bill Stanner's machine could have been zombified if it isn't fake.
Awakenings
ASKER
Technodweeb,
There was a zip file. I went to a Linux virtual machine and uploaded the exe to free malware analysis sites and it was malware for sure. The text did not link anywhere else, but there are additional indications that it is false. A court clerk sending information from a law firm. What is weird is that different emails hit the only states that I deal with from different law firms within a 24 hour period of time. That is just strange in my book. It could be a coincidence, but maybe not. I'm just scratching my head over this.
Awakenings
ASKER
I checked Arin and the IP leads to "Achilles Networks, Inc."
ASKER
Ok... I checked a few other blacklists and saw many of them had the same issue. I'll close this and treat it as a coincidence. I guess I am on someone's list. I'll give you points. Thanks for sticking to this.
ASKER
Technodweeb was great!
Thanks!
ASKER
What was even more coincidental is they had the states I deal with, my lawyer's last name, the timing, etc. The odds are probably tens of thousands to one if not higher.
ASKER
That's not surprising.
For what it's worth, I have received and deleted one of those "Notice to Appear" emails with a virus each day for the last three days.
ASKER
Thanks. I've seen about 30 of them now. Happy new year!
Happy deleting and Happy New Year!!
ASKER
It is a long story. I would like to find out who sent this. If I could get a line-by-line, that would be appreciated. Learning is always a good goal too.