Release 27 - Discussion

Project Serpo related discussion


Postby Zep Tepi » Wed Nov 07, 2007 12:10 am

Thanks to Kit for providing that information, it is appreciated.
With his permission, this is the background that led up to Kit's post, along with a more recent exchange.

The first email is in response to this post where I outlined the exchange with Rick Doty. Kit contacted one of his friends with the information.

I have removed any names and sensitive information that was present.

R***:

Would you comment on this please? I do not mean to task you to do anything more than a ten-minute response from your own working knowledge at this point. FYI, I am bcc'ng this to two friends, whom you do not know. If you need to know why before answering, I will be happy to tell you.
***********************************************************************************************************************

“I can send emails out all days (sic) with your IP address on them.”

My reply:
A number of people have said this to me in the past, but when challenged not one of them could do so. It is a relatively easy task to insert an IP address into the header of an email. It’s a different matter entirely to remove the actual sending IP address and change it with another – especially when using web-based email service providers like Yahoo and MSN etc.


Kit replied with the response from his friend:

Steve and Ryan:

I do not (yet) understand this, but I expect you do/will.

The sender is a PhD from ******** who was the IT program manager for development of the computer codes for linking Global DOE resources between DoD and DOE.

k.

From: **********
Sent: Saturday, November 03, 2007 5:19 PM
To: Green, Christopher
Subject: RE: Question

You can change the sending IP information if you have administrative access to the mail server, or have access to a mail server that allows message relaying. I’ll talk about the more advanced stuff first.

If you have administrative access to any mail server, you can make it look like the sender is Yahoo or Gmail, and you can configure header information to your liking. There will be real routing information once the packets have left the sending IP node – however, you can hide/change the sending node and route history information with root access to the router. Faking the origin node and history will cause problems if there is any packet loss because the various receiving nodes will ask for a re-transmit from the fake sending node, which will of course be unable to transmit packets from a message it never heard of.
If you have enough knowledge of a stable route, which one can determine easily using something like traceroute, you can set the insertion point of the message with the faked header to make it appear like a real route.

If you can hack into the IP node routing code, which was a serious concern with Cisco routers a few years ago when the firmware source code got out, one can go to a whole new level of message forgery by basically being able to choose your insertion point at will. Without having hacked into router code, one either must have real administrative access to a node, or access to a node where the administrator forgot to change default passwords. The latter situation is more likely.

In other words, even though I’m not in the business anymore, I was there when the Internet was still one of several competing networks that were still being manually configured. The terminology may have changed over the years, so if something above is unclear, I’m happy to provide more words to translate what I mean (but that’s more than 10 to 20 minutes).

Now the second, and easier method, is to use an existing mail server that allows relaying and use telnet to compose and send a message. If the particular mail server also doesn’t check all of the information you enter, you could provide frivolous origins, but you should also be able to send a text message that looks like it is from any valid email address. I have not tried this lately because if it isn’t illegal already, it should be. BTW, the entire spamming industry is based on those receiving emails not being able to trace the actual source of messages, or the traceable part of the source being outside the jurisdiction of reasonable governments.

I attach specific instructions on how to telnet to a “friendly” or “open” mail server to send an email message that I picked up off the net recently. And by recently I mean in the last few months – around the last time you asked me this question.

The problem with this easy method is that the relaying server you used is included in the header information. One should be able to check the relaying for “open” servers and if one is in the route, you should be suspicious that the entire route information prior to the open server is contrived. BTW, it should be possible to design a piece of software to check the relay route for open servers.

Let me know if you need any more info.

And right now I don’t need to know why you need this information. It has become obvious to me over the last few years that 1) route forgery is a problem, and 2) most of the young (under 40) techies have only dealt with “plug-and-play” network equipment and don’t realize there was a time before DHCP, WWW, HTML, etc., and all of those old manual instructions still work.


My reply:

Kit,
Everything your friend says is accurate, but none of that is relevant in this particular case. None of the big web-based servers, like those I have mentioned previously, allow relaying through their servers. None of the smaller ISPs allow it and most (correctly configured) corporate email servers do not allow it either. There are servers which monitor the Internet for mail servers which have relaying enabled. Once detected the offending organizations are contacted and informed of this. As we know, in every case the email servers in question belong to either Yahoo, Microsoft or Lycos – the giants of the email industry. If they ever had a server which allowed open relaying, it would make the news. It never has.

We also know for a fact that each and every email originated at the web email server in question – none of those providers allow sending of emails via a third party application. You login to the service, write your email and send it. Simple as that. Some of them are only now offering a smtp service via which emails can be sent. However, the exact same principle still applies (and the service isn’t free).

Why do we know for a fact that they originated at the web server in question? They are all active accounts which are still being used. Many of the emails are replies, the originals of which were sent to Yahoo/MSN/Whatever so the hijacking of routes or any other skullduggery simply does not apply. It really is as simple as that.

Not sure what he meant about most young techies though. Every network admin I know, knows how to manually configure and maintain the majority of routers and switches out there. Those that don’t should look for another job, IMHO.
Steve

PS I am still waiting for the challenge to be met.


Kit responded with:

Thanks, Steve.

If the Challenge is met, let me know


A day later, Kit replied again and attached the following document:
Web Address Theft

Just fyi. I am sure this is old business for you guys.


I replied:

Thanks Kit, you're right - it is old business

..and nothing whatsoever to do with the "Doty posting as Paul McGovern, Tamara Linden - insert name here" business ;-)

Cheers,
Steve


Kit then responded with the email that led to his post further back in this thread:

Steve:

If you direct me to the "right" thread-placement I will write a "response" saying that I have not been able to have anyone actually make good on the claim that they can either show me EXACTLY how or in fact, even show me by default that THEY can insert a false IP address into an email "SENT" Header, that appeared in the Header of an email coming into an Exchange Server to Microsoft Outlook, anyway.


After Kit posted, he sent a follow-up email:

Followup from a 3rd Source on a partial point: You wrote..."None of the big web-based servers, like those I have mentioned previously, allow relaying through their servers. None of the smaller ISPs allow it and most (correctly configured) corporate email servers do not allow it either."

Source #3 response:
Well, the root of his argument below is incorrect when he says "none of those providers allow sending of emails via a third party application." Yahoo, Microsoft (msn.com/hotmail.com) and Lycos all provide POP3 options -- i.e. you can send & receive from a third party app like Outlook or Eudora.

http://help.yahoo.com/l/us/yahoo/mail/o ... op-06.html
http://mail.lycos.com/lycos/Index.lycos

As for the rest of the technical aspects of spoofing IP addresses or relaying mail through different servers, I don't have enough experience in that to know any better than these guys.


Amused, I sent the following reply:

I did mention that in my response:
---
“Some of them are only now offering a smtp service via which emails can be sent. However, the exact same principle still applies (and the service isn’t free).”
---

The key point there is “the exact same principle still applies”. i.e. you must have an active account with the service provider. Open relaying involves using a random email server and does not require any login or account details to use. Btw, the POP3 protocol is for receiving emails, NOT sending them. Source #3 should really think before responding next time ;)

Cheers,
Steve


Kit replied:

Thanks, I agree, and will politely tell Source 3.

Even I understand this one!


Ryan then replied with the following:

I'm in the same boat as you Kit...a lot of this rises just a bit above my head and I can just barely follow along and understand. I'm an engineer, not a networking guru. However, even with rudimentary knowledge of the discussion, it does appear that the clincher is that these accounts weren't fake, they either are, or for certain periods of time, were real. As you wrote - that implies that a complicated and expensive National Program wasn't required. Just a person opening an anonymous webmail account, logging in, and sending emails.

I have to say that your post today surprised me. It implies, publicly and strongly, that you have a very, very open mind - and appear truly interested in getting to the truth.

-Ryan


And there you have it. Hopefully the above exchange will show for those who are not sure, exactly what the issues are WRT the IP matter and why we know with such conviction it has been Rick Doty sending the emails.

Cheers,
Zep
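The "piece of software to check the relay route for open servers" that Kit's friend suggests above would start from the Received: trace headers, since those are the only routing record a receiving server holds. The following is an added example, not code from this thread or from any of the people in it: it parses the hops of a constructed sample message against a constructed open-relay list, and flags every hop recorded at or below an open relay as unverifiable, because everything beneath the relay's own line may have been typed in by whoever used it.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread). Each server prepends its
# own Received: line, so the top one was written by the final MX and the
# bottom one is the earliest, least verifiable hop.
RAW_MESSAGE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
        by mx.ourcorp.example with ESMTP id ABC123; Sat, 03 Nov 2007 17:19:02 -0400
Received: from web1.webmail.example.com (web1.webmail.example.com [198.51.100.20])
        by relay.example.net with SMTP id XYZ789;
        Sat, 03 Nov 2007 17:18:55 -0400
From: "Someone" <someone@webmail.example.com>
To: steve@ourcorp.example
Subject: test

body
"""

# Assumed (constructed) set of hosts known to accept unauthenticated relaying.
OPEN_RELAYS = {"203.0.113.7"}

# "from <helo> (<rdns> [<ip>]) by <server>", as most MTAs write it.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)")

def parse_received(raw):
    """Return hops in delivery order: earliest claimed hop first, final MX last."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold continuation lines
        if m:
            hops.append({"from": m.group("helo"), "ip": m.group("ip"),
                         "by": m.group("by")})
    return list(reversed(hops))

def classify_hops(raw, open_relays):
    """Flag hops whose Received line may have been supplied by the sender.

    A Received line is only as honest as the server that wrote it ("by").
    Once a trusted server records an open relay as the connecting host, every
    line beneath it may be fabricated, so those hops are marked unverifiable.
    """
    hops = parse_received(raw)
    cut = 0
    for i, hop in enumerate(hops):
        if hop["ip"] in open_relays:
            cut = i  # recorded by a trusted server, naming the open relay
    for i, hop in enumerate(hops):
        hop["verifiable"] = i >= cut
    return hops
```

With the sample above, the hop claiming to come from web1.webmail.example.com is reported as unverifiable and only the hop recorded by our own MX survives; with an empty open-relay set every hop is accepted, which is exactly why the relay list matters.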

Postby robertfenix » Wed Nov 07, 2007 6:14 pm

I think the key is really, yes you can fake the sending IP.

But the kicker is that you can not do it on Yahoo or MSN using an x@yahoo.com account.

You can use a third party mailing app and remark a bogus or (real email addy) into the sending header string. BUT... the TR is a random network string.

If you use a real yahoo account from computer A then TR and Network Peer will reveal the message exchanging on known Yahoo server LANs.

Spoofed originating email's typically have a randomized route and will not be the same route every time.

Thus paulG@yahoo.com running through a spoofed email exchange server will TR back differently every time, even for messages sent to the same recipient. Thereby tipping you off that the "@yahoo.com" email addy was spoofed and inserted into the packet prior to sending.

a,b,c,d ad infinitum @yahoo.com that all route back on the same known route therefore can only originate from the same source. Thus Doty can not prove his claim that "his" routing had been spoofed by some other outside nefarious people.

Even his claim that the FBI seized his previous PC does not hold water, as (a) he is currently still responding via email, thus must have "another" PC not in FBI custody, thereby eliminating his claim of guilt based on the FBI having the PC.

Since they obviously do not have the current one he is using....
