Monday, December 14, 2009

ATTENTION: The Bat! Being Used by Email Scammers

Have you received unsolicited emails or are you liaising with one of the suspicious scammers thru email correspondences? The question is how we can confirm and track these scammers even if they use sophisticated media or technology in operating their fraudulent business?

This is a simple instruction on how we can get information about the sender or the source of the email message. Let us say you are using Yahoo email service. We can track them by going to your inbox and choose one of the suspected scammers message by pointing your mouse to it then right click and choose "View Full Headers". Copy paste the information acquired in a spreadsheet and tabulate the data. Use
one or many of the available IP-Address trackers. All the information about the sender will appear including its IP address. However those professional scammers use X-Mailer: The Bat! so it would be difficult to track them down. To get to know further information about this please check the article below.


Courtesy of Systems Architecture Laboratory (ESAL) located in Stockholm, Sweden

Technology that can be abused by Scammers – Are you being scammed?

Scamming is a sophisticated technique used to part the unwary of their money. The challenge for the scammer is that not everyone falls for the scam; unfortunately, enough people do fall for the scam to keep the scammers in business. This short article helps explain how Scammers use technology to help them commit a scam and signals that you can look for that will help you avoid being a victim.

Scammers have a big problem to overcome when they try to get unwary people to send them money – first, there is a much higher awareness today so far fewer people fall for the scams. This means that Scammers need to "play the percentages" and send out as many "convincing" e-mails as possible in the hopes of finding their victim. How can they do this? Through technology solutions normally used by companies. Let me ask you two questions: First, what would you think if you knew that the person writing you was using a commercial software application typically used by businesses? Second, what would you think about receiving e-mails from a mail client from someone claiming that they were using an Internet Café? If you do not understand either of these two questions, your vulnerability to being scammed is much greater. There are two pieces of background information that will help you understand why understanding the context of these two questions is important:

First, managing the large number of scams that are necessary in order to identify a victim is difficult. The solution is to use a commercial software application that has the following characteristics:

1) The Scammer needs an e-mail client that can manage large amounts of e-mail from many different e-mail accounts (using the same e-mail account for communicating with many victims can be problematic since once identified as a Scammer, there are enough Blacklists that the e-mail account will be readily recognizable).
2) The Scammer needs an e-mail client that can sort messages from different e-mail accounts into threads do that the dialogue over time can be managed – this allows "customization" of the communication with the victim to help avoid suspicion (not answering questions or ignoring important information can tip off a victim that something is wrong.
3) The Scammer needs a way to reduce the amount of effort required to communicate with all their victims.

Second, as the scale of the scamming activity increases, the Scammer will have a problem using a web e-mail service:

1) E-mail service providers, once aware of a scam, can involve law enforcement agencies and can identify other victims and send out warnings – the Scammer needs to minimize, as much as possible, traces of their scamming activities.
2) Most people would never consider using an e-mail application from an Internet Café (which many Scammers claim to be using) since all of their mail would be left on the computer they were using! If someone is using an e-mail application of any kind (Outlook Express, Outlook, etc.) while stating that they are using an Internet Café warning lights and a siren should be going off.

Now that we have identified the characteristics, we can discuss two simple tests that you can do yourself: First, as soon as possible, ask the person that you are corresponding with where they live. With this information, you can inspect the e-mail message header (most e-mail clients will show this information as "message header" or "show original message") – the part that you are looking for looks like this:

Received: from ( [])
(authenticated bits=0)
by (8.12.10/8.12.10) with ESMTP id jBHJSM2V039983
for ; Sat, 17 Dec 2005 22:29:30 +0300 (MSK)
Date: Sat, 17 Dec 2005 22:26:48 +1100
From: scammer
X-Mailer: The Bat! (v2.01)

Step one is to find out where the message actually came from – for this example I am using an e-mail where the woman claimed to be using an Internet Café in Cheboksary, Russia. I enter the following URL into my web browser:

Next, I enter the IP address from the line that starts with "Received:" which is:

And enter it into the "Search for" field on the web page, which returns the following results:

person: Nikolay Nikolaev
address: Volgatelecom Mari El branch
address: Sovetskaya 138
address: 424000 Yoshkar-Ola
address: Russia MariEl Republic
phone: +7 8362 421549
phone: +7 8362 664435
fax-no: +7 8362 664151
nic-hdl: NN-RIPE
source: RIPE # Filtered

I am expecting the address to be Cheboksary and Chuvash Republic – I am not expecting the address to be Yoshkar-Ola and MariEl Republic! Actually, I already had a warning flag in the e-mail header:

Received: from

If the e-mail actually came from Cheboksary, I would expect to see the following:

person: Medukov J Alexandr
address: 428000 Cheboxary Lenin av 2a
phone: +7 8352 662912
nic-hdl: MJA4-RIPE
source: RIPE # Filtered

How did I get this information? Simple, find a government or business URL in the city you are interested in and enter it into Ripe. You may need to identify the IP address by using the PING command – this will turn a text URL into an IP address that can be searched on Ripe. I will not go into this more, since this topic wanders off topic a bit.

The important thing to note is that the city and republic do not match what was expected – there are a lot of people on this and other web site forums that can assist you if you need more help.

The second test is to examine the message header and look for "X-Mailer:" – in our example we find the following:

X-Mailer: The Bat! (v2.01)

This means that the person sending me the e-mail from a supposed Internet Café is using an e-mail client application. By now, "Red Alert" should be flashing! Why would someone use an e-mail client from an Internet Cafe? Well, most normal people would not – so this is very likely a scam!

Now that I have covered how you can test your own e-mails for scamming attempts, I want to return to the technology topic.

The Bat! (also known as TB! And TB) – I will use TB! From this point on – is an e-mail client application (a program that runs on a personal computer) that is marketed towards companies and individuals that need to manage large volumes of e-mail. The OECD refers to a category of company as a Small to Medium-Sized Enterprise – an SME for short. Smaller SME's often have very limited budgets and cannot afford specialized Sales and Marketing, Customer Service, and other forms of Customer Relationship Management (CRM) software. Our laboratory supports a group company that helps smaller SME's adapt TB! for their business. I mention this because TB! Has been associated with both Spamming and Scamming – the product is legitimate and is a valuable tool for many businesses; unfortunately, the same features that make TB! effective and efficient for companies, also provide a similar benefit to Scammers. There are two features that Scammers find particularly useful:

1) TB! supports a sophisticated macro programming language and a sophisticated ability to manage templates – predefined text that can be dynamically changed by the macro programming language to respond to e-mails. This allows a technically competent person to create a Scamming system that has a high degree of automation while at the same time allowing the scammer to add custom text in predefined areas within the template. The more people that the Scammer can correspond with, the more likely a victim can be found. 2) TB! is designed to work with multiple e-mail servers simultaneously. This makes it very easy for the Scammer to use numerous "dummy" e-mail accounts for Scamming unsuspecting victims (TB! downloads and erases the e-mails from each e-mail server making it harder for investigators to track what was happening).

An e-mail client such as Outlook Express or Outlook Professional and most web e-mail clients such as Yahoo and Hotmail do not offer this level of sophistication. TB! is also very affordable at less than USD $60.00 – well within the means of the typical Scammer. TB! is a product of RIT Labs, which is based in Moldova.

This article was produced by the Enterprise Systems Architecture Laboratory (ESAL) located in Stockholm, Sweden. Reuse of this information free of royalty is hereby granted providing that this notice is included in any reproductions.

Our footnote. Beware!! recently scammers started using other mass-mailing programs (those are usually used to send spam). In particular: FC'2000, Becky and CommuniGate Pro.


I hope this article is useful and informative to everybody!

Saturday, December 5, 2009

A Gift of Spam Mails and Malwares (Malicious Software) these Holiday Seasons

Are you upset every time you open your personal email account flooded with spam mails? Have you ever wondered why there are many bulk mails eating most of your inbox storage? Despite of replacing your personal email and then later you have seen again a growing spam mails. The spam mails can penetrate your spam protection because they have passed the filtering process. This holiday seasons the Federal Bureau of Investigation has warned the public on email scams. From these spam mails some of it have electronic greeting cards (known as e-cards, or postcards) that after viewing the attachment you will be prompted to click the link on the webpage which has malwares.
Before opening any attachments sent to you from unsolicited mails it is recommended to conduct your own investigation if there are malwares attached into it. Run your updated Anti-virus from your computer and/or from a trusted website that provides free services in scanning the files that you have received.

Email Registration Required by Many Websites

Do not just give your personal email address to any websites you encounter while surfing the internet. It would be advisable to use a dummy email address to satisfy some websites requirements if you do not trust them. Ask yourself why they are requiring you to fill up some personal information and your email address to be indicated if there has no relevance. Obviously what they would do before you provide further information you will be prompted that they do not save password or sell your email address.

How To Catch Websites Who Sell Email Addresses?

An ordinary internet user can catch if a website is engaged to email address database selling to another parties. Nowadays, before you can participate into forums and/or use their services you will be required to enter your email address. Although not all forum sites or any websites that ask you to provide email address as part of registration process (before you can participate to their forum, for example) are selling email addresses to others but it will become like a form of spamming once you have registered and you will be automatically emailed if there are some updates on the site you have joined. Aside from this, some of the sites make a good profit by selling email addresses. As stated here, you can use a dummy email address but expect many spam emails flooding your message box.
If you want to identify which sites are engaged on spamming emails it will be easy but it will eat up some of your time. For example, create three new email accounts and assigned each one of them to three suspected sites that sell email addresses to another parties. Do not disclose your three new accounts to anybody and wait for about one to three months if your message inbox are free or flooded with spam emails.
In a study, even if you will not register your email address to any websites but you disclose it by posting comments to blogs or forum threads the said email address will be at risk of spam emails as well. Just be careful and once you have received spam mails it would be best if you will just delete it right away and do not dare to open it.

What Should You Need To Do If You Get Spammed?

If you have many bulk mails and mostly are unsolicited then you just need to delete all of them or use a best software that blocks all these in the possible penetration in the future. Make sure that you do not react or make any replies to them. If you do, the chance is you will be getting more unwanted emails to be received in few days. Answering to spam messages will put you into more difficult situation and you will be out of control.
If you have received those obviously fraudulent messages then do not reply and if you want to report it to authorities then it would be good. To give you an example, you might have received a notification letter that says you have won US$1 million from a lottery or a Nigerian Scam that was telling you to contact them with their telephone number. You might have noticed that the message was obviously has not been sent to you directly as you can see that the mailto was not your email address (“undisclosed recipients”, or only shows other email addresses). Why in the letter that you must call them and why not them? The email address that they were using is just a yahoo mail, msn, gmail, etc. or the account that can be gotten from any websites that offer free email addresses to anybody.