Let me ask you two questions: First, what would you think if you knew that
the person writing you was using a commercial software application
typically used by businesses? Second, what would you think about
receiving e-mails from a mail client from someone claiming that they
were using an Internet Café? If you do not understand either of these
two questions, your vulnerability to being scammed is much greater.
There are two pieces of background information that will help you
understand why understanding the context of these two questions is
important:
First, managing the large number of scams that are necessary in order
to identify a victim is difficult. The solution is to use a commercial
software application that has the following characteristics:
1) The Scammer needs an e-mail client that can manage large amounts of
e-mail from many different e-mail accounts (using the same e-mail
account for communicating with many victims can be problematic since
once identified as a Scammer, there are enough Blacklists that the
e-mail account will be readily recognizable).
2) The Scammer needs an e-mail client that can sort messages from
different e-mail accounts into threads do that the dialogue over time
can be managed - this allows "customization" of the communication with
the victim to help avoid suspicion (not answering questions or
ignoring important information can tip off a victim that something is
wrong.
3) The Scammer needs a way to reduce the amount of effort required to
communicate with all their victims.
Second, as the scale of the scamming activity increases, the Scammer
will have a problem using a web e-mail service:
1) E-mail service providers, once aware of a scam, can involve law
enforcement agencies and can identify other victims and send out
warnings - the Scammer needs to minimize, as much as possible, traces
of their scamming activities.
2) Most people would never consider using an e-mail application from
an Internet Café (which many Scammers claim to be using) since all of
their mail would be left on the computer they were using! If someone
is using an e-mail application of any kind (Outlook Express, Outlook,
etc.) while stating that they are using an Internet Café warning
lights and a siren should be going off.
Now that we have identified the characteristics, we can discuss two
simple tests that you can do yourself: First, as soon as possible, ask
the person that you are corresponding with where they live. With this
information, you can inspect the e-mail message header (most e-mail
clients will show this information as "message header" or "show
original message") - the part that you are looking for looks like
this:
Received: from 192.168.0.4 (29.214.dialup.mari-el.ru [195.161.214.29])
(authenticated bits=0)
by mailc.rambler.ru (8.12.10/8.12.10) with ESMTP id jBHJSM2V039983
for ; Sat, 17 Dec 2005 22:29:30 +0300 (MSK)
Date: Sat, 17 Dec 2005 22:26:48 +1100
From: scammer
X-Mailer: The Bat! (v2.01)
Step one is to find out where the message actually came from - for
this example I am using an e-mail where the woman claimed to be using
an Internet Café in Cheboksary, Russia. I enter the following URL into
my web browser:
https://www.ripe.net/perl/whois
Next, I enter the IP address from the line that starts with
"Received:" which is:
195.161.214.29
And enter it into the "Search for" field on the web page, which
returns the following results:
person: Nikolay Nikolaev
address: Volgatelecom Mari El branch
address: Sovetskaya 138
address: 424000 Yoshkar-Ola
address: Russia MariEl Republic
phone: +7 8362 421549
phone: +7 8362 664435
fax-no: +7 8362 664151
e-mail: nnb@relinfo.ru
nic-hdl: NN-RIPE
source: RIPE # Filtered
I am expecting the address to be Cheboksary and Chuvash Republic - I
am not expecting the address to be Yoshkar-Ola and MariEl Republic!
Actually, I already had a warning flag in the e-mail header:
Received: from 192.168.0.4
(29.214.dialup.mari-el.ru
[195.161.214.29])
If the e-mail actually came from Cheboksary, I would expect to see the
following:
person: Medukov J Alexandr
address: 428000 Cheboxary Lenin av 2a
phone: +7 8352 662912
e-mail: master@chtts.ru
nic-hdl: MJA4-RIPE
source: RIPE # Filtered
How did I get this information? Simple, find a government or business
URL in the city you are interested in and enter it into Ripe. You may
need to identify the IP address by using the PING command - this will
turn a text URL into an IP address that can be searched on Ripe. I
will not go into this more, since this topic wanders off topic a bit.
The important thing to note is that the city and republic do not match
what was expected - there are a lot of people on this and other web
site forums that can assist you if you need more help.
The second test is to examine the message header and look for
"X-Mailer:" - in our example we find the following:
X-Mailer: The Bat! (v2.01)
This means that the person sending me the e-mail from a supposed
Internet Café is using an e-mail client application. By now, "Red
Alert" should be flashing! Why would someone use an e-mail client from
an Internet Cafe? Well, most normal people would not - so this is very
likely a scam!
Now that I have covered how you can test your own e-mails for scamming
attempts, I want to return to the technology topic.
The Bat! (also known as TB! And TB) - I will use TB! From this point
on - is an e-mail client application (a program that runs on a
personal computer) that is marketed towards companies and individuals
that need to manage large volumes of e-mail. The OECD refers to a
category of company as a Small to Medium-Sized Enterprise - an SME for
short. Smaller SME's often have very limited budgets and cannot afford
specialized Sales and Marketing, Customer Service, and other forms of
Customer Relationship Management (CRM) software. Our laboratory
supports a group company that helps smaller SME's adapt TB! for their
business. I mention this because TB! Has been associated with both
Spamming and Scamming - the product is legitimate and is a valuable
tool for many businesses; unfortunately, the same features that make
TB! effective and efficient for companies, also provide a similar
benefit to Scammers. There are two features that Scammers find
particularly useful:
1) TB! supports a sophisticated macro programming language and a
sophisticated ability to manage templates - predefined text that can
be dynamically changed by the macro programming language to respond to
e-mails. This allows a technically competent person to create a
Scamming system that has a high degree of automation while at the same
time allowing the scammer to add custom text in predefined areas
within the template. The more people that the Scammer can correspond
with, the more likely a victim can be found.
2) TB! is designed to work with multiple e-mail servers
simultaneously. This makes it very easy for the Scammer to use
numerous "dummy" e-mail accounts for Scamming unsuspecting victims
(TB! downloads and erases the e-mails from each e-mail server making
it harder for investigators to track what was happening).
An e-mail client such as Outlook Express or Outlook Professional and
most web e-mail clients such as Yahoo and Hotmail do not offer this
level of sophistication. TB! is also very affordable at less than USD
$60.00 - well within the means of the typical Scammer. TB! is a
product of RIT Labs, which is based in Moldova.
This article was produced by the Enterprise Systems Architecture
Laboratory (ESAL) located in Stockholm, Sweden. Reuse of this
information free of royalty is hereby granted providing that this
notice is included in any reproductions.
Our footnote. Beware!! recently scammers started using other mass-mailing programs (those are usually used to send spam). In particular: FC'2000, Becky and CommuniGate Pro.