When sending email, most email clients do not support SOCKS, precisely because their authors do not want to contribute to the existing spam epidemic. In this case there are two options: use a bulk-mailing tool that supports proxies, including SOCKS, or use a program like SocksChain (http://ufasoft.com) for Windows or Proxychains (www.proxychains.sf.net) for UNIX. These programs "proxify" any connection you set up, so that any networked application can be used through SOCKS. With Proxychains you can also chain proxies together to set a route and improve your odds against someone tracking you.
Let's "socksify" a Telnet session and create a proxy chain that we can use to send email, then view the headers to confirm the anonymity we achieved. To begin, we first set up our chain (see Figure 6):
Figure 6 Proxy Chain Setup
Next we set up our "socksify" host so that when we Telnet to 127.0.0.1 port 1080, the connection is redirected to our mail server. As soon as we Telnet to 127.0.0.1:1080, SocksChain automatically begins building its route through the proxies, as shown in Figure 7.
Figure 7 Established Chain of Proxies
We will now see the following:
Trying 127.0.0.1...
Connected to mail.sendingemail.com.
Escape character is '^]'.
220 mail.sendingemail.com ESMTP Postfix
HELO hostname
250 mail.sendingemail.com Hello sender.sendingemail.com [188.8.131.52], pleased to meet you
MAIL FROM: email@example.com
250 Ok
RCPT TO: firstname.lastname@example.org
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Message body.
.
250 Ok: queued as 64A20E4D6A
QUIT
221 Bye
And our email will look like the following:
Return-Path: <email@example.com>
X-Original-To: firstname.lastname@example.org
Delivered-To: email@example.com
Received: by mail.sendingemail.com (Postfix, from userid 1999)
    id 64A20E4D6A; Tue, 5 Apr 2005 22:21:17 -0700 (PDT)
Received: from hostname (184.108.40.206)
    by mail.sendingemail.com (Postfix) with SMTP id 73F50EDD2B
    for ; Tue, 5 Apr 2005 22:21:13 -0700 (PDT)
Message-Id: <20050406023267.64A20E4D6A@mail.sendingemail.com>
Date: Tue, 5 Apr 2005 22:21:13 -0700 (PDT)
From: firstname.lastname@example.org
To: email@example.com
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on mail.sendingemail.com
X-Spam-Status: No, hits=2.3 required=5.0 tests=BAYES_90,NO_REAL_NAME autolearn=no version=2.63

Message body.
In this example, notice that the client address recorded in the Received: header (184.108.40.206) is quite different from the one in the previous email. The mail server logged the last proxy in the chain, not our own host, so as far as the receiving server's headers and logs are concerned the email was sent anonymously.
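An investigator reading those headers works from the bottom Received: line upward, because each MTA prepends its own line; the lowest one records the host that actually connected to the first mail server, and with a proxy chain in front of the client that host is the exit proxy. The following is an added example for this article, not code from Phishing Exposed: it parses the Received: chain into hops, reports the first publicly routable client address, and measures the time gap between hops, since a negative gap is the usual tell of a forged header. SAMPLE is a constructed copy of the headers shown above, with the recipient clause left out as it is on the page.

```python
"""Walk a message's Received: chain to find the originating host (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modeled on the Postfix headers shown above.
SAMPLE = """\
Return-Path: <email@example.com>
X-Original-To: firstname.lastname@example.org
Delivered-To: email@example.com
Received: by mail.sendingemail.com (Postfix, from userid 1999)
\tid 64A20E4D6A; Tue, 5 Apr 2005 22:21:17 -0700 (PDT)
Received: from hostname (184.108.40.206)
\tby mail.sendingemail.com (Postfix) with SMTP id 73F50EDD2B
\t; Tue, 5 Apr 2005 22:21:13 -0700 (PDT)
Message-Id: <20050406023267.64A20E4D6A@mail.sendingemail.com>
Date: Tue, 5 Apr 2005 22:21:13 -0700 (PDT)
From: firstname.lastname@example.org
To: email@example.com

Message body.
"""

# "from <helo-name> (<comment with the peer address>)" at the start of the clause.
# Anchoring at the start avoids matching "from userid 1999" inside a comment.
FROM_CLAUSE = re.compile(r"^from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?", re.I)
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
COMMENT = re.compile(r"\s*\([^)]*\)")


def parse_received(value: str) -> dict:
    """One Received: header -> {helo, ip, by, with, id, when}; missing parts are None."""
    v = " ".join(value.split())            # unfold continuation lines
    hop = {"helo": None, "ip": None, "by": None, "with": None, "id": None, "when": None}
    m = FROM_CLAUSE.match(v)
    if m:
        hop["helo"] = m.group("helo")
        ipm = IPV4.search(m.group("comment") or "")
        if ipm:
            try:
                hop["ip"] = str(ipaddress.ip_address(ipm.group(1)))
            except ValueError:             # 999.1.1.1 and similar junk
                pass
    for key in ("by", "with", "id"):
        km = re.search(rf"\b{key}\s+([^\s;]+)", v)
        if km:
            hop[key] = km.group(1)
    if ";" in v:                           # the timestamp follows the last ';'
        stamp = COMMENT.sub("", v.rsplit(";", 1)[1]).strip()
        try:
            hop["when"] = parsedate_to_datetime(stamp)
        except (TypeError, ValueError):
            pass
    return hop


def trace(raw: str) -> list:
    """All hops in chronological order (bottom header first)."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def origin(hops: list):
    """First hop whose client address is publicly routable. Behind a SOCKS
    chain this is the exit proxy; the real sender never appears."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None


def gaps(hops: list) -> list:
    """Seconds between consecutive hops; negative values point at clock skew
    or a header somebody typed in by hand."""
    times = [h["when"] for h in hops if h["when"]]
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    hops = trace(SAMPLE)
    for i, h in enumerate(hops):
        print(f"hop {i}: from {h['helo']} ({h['ip']}) by {h['by']} id {h['id']} at {h['when']}")
    print("origin:", origin(hops), "gaps:", gaps(hops))
```

Run against the sample, the only client address in the chain is the exit proxy's; nothing in the headers leads back past it, which is exactly the property the phisher is buying with the chain. The same script run over a message whose bottom Received: line carries a private or loopback address (a local submission, or a forged line) reports None, which is your cue to rely on the MTA's own logs rather than on the headers.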
Of course, there are more elements than just chaining arbitrary proxies together to "safely" send your phishing emails. In most cases, you would want the exit proxy to be outside the country you have targeted. This establishes a safety zone of sorts, so that you are out of reach of the law in the targeted country. If the proxy you used was located in the United States and you attacked an American target, there is a very good chance that the proxy operator would be served a subpoena for the logs in a very short time. In comparison, depending on your actual location and whether the foreign authorities had any interest, the time it would take to get any help from a foreign proxy operator, even one that kept logs, would be next to a millennium, if help came at all. Many phishers count on the fact that they are not in the country they are targeting, which gives them a sort of added invincibility, although this depends on the country they are physically located in. An ever-growing method being adopted by phishers and spammers today is the botnet approach, which lets them use drones (compromised victim computers) to do their work for them. We cover botnets in detail in a later chapter.
From law enforcement's perspective, the ability to track senders quickly is essential to apprehending these criminals. On the other side of the fence are the privacy advocates, who also have a valid point regarding anonymity. In the esoteric world of cryptography, specifically the research into true anonymity (which, according to Paul Syverson, has the stricter definition of "being indistinguishable in a group"), the Electronic Frontier Foundation (EFF) is supporting an anonymous Internet communication system. The intent and purpose of the system is to prevent any type of network traffic analysis from succeeding at all. Traffic analysis is a form of surveillance that establishes who is communicating with whom over a public network; the information gathered this way allows investigators to profile the habits, behavior, and interests of a group. This system is known as The Onion Router, or TOR (http://tor.eff.org). Ironically, onion-routing research was first done by the U.S. Navy (www.onion-router.net), reportedly so that the military could access Web sites without giving away that it was the one accessing them. Another ironic point is that the Navy encouraged (http://yja.com/onion.htm) the public to run onion routers, thus performing a public duty that also protects the military's own traffic.
But now that TOR is supported by the EFF, political and legal opposition from some world governments, along with the question "What if?", has begun, especially at a time when cyber-crime is rising at an extremely aggressive rate. Technologies like TOR that allow anonymous communication would only put us farther from tracking the individuals; as though it weren't difficult enough to keep up with their rate of attacks, now they could fully cloak themselves in a "darknet" (www.cymru.com/Darknet). Other systems that implement David Chaum's mixnet concepts (www.freehaven.net), such as JAP and Freedom, could pose a threat to the tracking technology used by forensic investigators and law enforcement agencies. Given that these systems are all still in a primitive state compared to their ambitious goals, phishers have not been observed gravitating to these bleeding-edge technologies. That does not mean darknets, mixnets, and onion routers alike won't take the stage for the phisher at some point. A good majority of phishers reside in Europe, and so far the trend has been that countries outside the United States are not exactly afraid to play with esoteric technology. Since a major element of successfully committing electronic fraud is not getting caught, I won't be surprised to see the trading underground move to darknets to conduct their communication and material trades.

An Australian bank is using an optional scramble pad for its customers' security, something we won't see in the United States due to possible customer inconvenience: https://inetbnkp.adelaidebank.com.au/OnlineBanking/AdBank
Phishing exposed -- 10 tips in 10 minutes
Tip 1: Phishing and email basics
Tip 2: Phishing and the mail delivery process
Tip 3: Anonymous email and phishing
Tip 4: Forging headers and phishing
Tip 5: Open relays, proxy servers and phishing
Tip 6: Proxy chaining, onion routing, mixnets and phishing
Tip 7: Harvesting email addresses and phishing
Tip 8: Phishers, hackers and insiders
Tip 9: Sending spam and phishing
Tip 10: Fighting phishing with spam filters
This chapter excerpt from Phishing Exposed, Lance James, is printed with permission from Syngress Publishing, Copyright 2005.