Security Basics: Email Survey Requests are Dangerous

Quick post this afternoon based on a semi regular security email I send out to all users at work.

Both at home and at work, we often see companies sending out email surveys, often with enticements like coupons, entries in draws etc.

It is often extremely hard to tell if these are legitimate.

Here are 2 I’ve recently received

 

b1b2

Now we know that the very first thing to do when we are trying to find out if an email is from a legitimate source is check the FROM address.

(Of course we always keep in mind that FROM addresses can be spoofed, right?)

Here are the 2 FROM addresses for the above emails

b3

b4

Can you tell which is legitimate? Knowing that emails from Walmart or Telus should have a @ walmart.com or @ telus.com (same origin emails) doesn’t help in the case of many legitimate surveys. As stated in the Telus email, companies often contract survey work out to companies who specialize in this kind of thing.

Neither of the above is from same origin but there are some clues in the emails themselves that hint which is legitimate and which is not.

 

  • One says you’ve WON!* something, the other says you’ll be entered for a chance to win. Guess which is more likely to be legitimate.
  • One only offers links to click, the other offers a copy and paste option. Copy and paste allows you to see where the link actually goes. (of course we all hover over links to see where they point always in any case right?)
  • We actually -are- a client of Telus. We/I don’t have any Walmart association (ask yourself “how did they get my email”)

 

So yes, the Telus email is legitimate. The Walmart one points to a malware exploit.

My advice is to ignore and delete survey requests from all senders.

*See Rule Of Exclamation Points In Email

 

Rule Of Exclamation Points In Email

The chances of a email being legitimate is inversely proportional to the number of exclamation marks it contains!!!

 

 

Advertisements

http:BL_CFML – A Project Honeypot Blacklist Implementation for ColdFusion.

At the urging of Charlie Arehart, I’ve cleaned up my http:BL_CFML implementation and added a bit more in the way of comments. I’m putting this here so it’s easy to link to from the http:BL implementations site. For more in depth information about the code, please check out the links to my previous posts listed below.

Stopping Comment Spammers & Email Harvesters with Coldfusion & Project Honeypot

Project Honeypot & Coldfusion Part 2

<cfcomponent displayname="http:BL_CFML v1.01">

<!--- Some original code from mximize.com (which no longer exists) with modifications by JayB sidfishes.wordpress.com
More detailed explanation available here:
https://sidfishes.wordpress.com/2011/06/09/stopping-comment-spammers-email-harvesters-with-coldfusion-project-honeypot/
https://sidfishes.wordpress.com/2011/12/06/project-honeypot-coldfusion-part-2/
https://sidfishes.wordpress.com/2014/07/31/httpbl_cfml-a-project-honeypot-blacklist-implementation-for-coldfusion/

You are free to use or modify this code for any purpose provided links to original posts are maintained.
--->
<!---
This CFC contains the following functions

honeypotCheck: Main framework
newVisitorCheck:  Check with our white list table to see if this ip has visited in the last 3 months.
addToWhiteList: IP's that check as clean against http:BL are added to our white list table to increase page load performance.
getHostAddress: does a reverse lookup of the client IP address against the blacklist at http:BL.
reverseIP: return IP in reverse format as required by http:BL api

You need to create a new table to track white listed IP's

MySQL
/************************************/
CREATE TABLE `visitor_ip_addys` (
`ip_id` int(10) unsigned NOT NULL auto_increment,
`ipaddy` varchar(15) NOT NULL,
`visitdate` datetime NOT NULL,
PRIMARY KEY  (`ip_id`)
) ENGINE=InnoDB AUTO_INCREMENT=510495 DEFAULT CHARSET=utf8$$
/************************************/

MSSQL
/************************************/
CREATE TABLE [dbo].[visitor_ip_addys](
[ip_id] [int] IDENTITY(1,1) NOT NULL,
[ipaddy] [varchar](15) NOT NULL,
[visitdate] [datetime] NOT NULL,
CONSTRAINT [PK_deleteme] PRIMARY KEY CLUSTERED
(
[ip_id] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
) ON [PRIMARY]
/************************************/

The table is cleared daily of IP's older than 3 months to revalidate visitors in case they may have been
compromised in the time and to keep table size reasonable
--->

<cffunction name="honeypotCheck" returntype="struct" hint="Check Project HoneyPot http:BL">
<cfargument name="ip" required="yes" type="string">
<cfset var aVal = "">
<!---  Make sure to replace {your_API_key} with the API key you receive from the http:BL project --->
<cfset var hpkey = "{your_API_key}">
<cfset var stRet = structNew()>
<cfset var result="">
<cfinvoke method="newVisitorCheck" returnvariable="result">
<cfinvokeargument name="ip" value="#arguments.ip#" />
</cfinvoke>
<cfif result eq "new">
<!--- do the blacklist lookup IP values --->
<cfset aVal = listToArray(gethostaddress("#hpkey#.#reverseip(arguments.ip)#.dnsbl.httpbl.org"),".")>
<cfif aVal[1] eq "IP-Address not known">
<!--- then no match on the Black list --->
<!--- set a value indicating ok address --->
<cfset stRet = {type=99}>
<!--- insert into visitor_ip_addys table --->
<cfinvoke method="addToWhiteList" returnvariable="result">
<cfinvokeargument name="ip" value="#arguments.ip#" />
</cfinvoke>
<cfelse>
<!--- there was a match so set the return values --->
<cfset stRet.days = aVal[2]>
<cfset stRet.threat = aVal[3]>
<cfset stRet.type = aVal[4]>
<!--- Get the HP info message ie: threat level --->
<cfswitch expression="#aVal[4]#">
<cfcase value="0">
<cfset stRet.message = "Search Engine (0)">
</cfcase>
<cfcase value="1">
<cfset stRet.message = "Suspicious (1)">
</cfcase>
<cfcase value="2">
<cfset stRet.message = "Harvester (2)">
</cfcase>
<cfcase value="3">
<cfset stRet.message = "Suspicious & Harvester (1+2)">
</cfcase>
<cfcase value="4">
<cfset stRet.message = "Comment Spammer (4)">
</cfcase>
<cfcase value="5">
<cfset stRet.message = "Suspicious & Comment Spammer (1+4)">
</cfcase>
<cfcase value="6">
<cfset stRet.message = "Harvester & Comment Spammer (2+4)">
</cfcase>
<cfcase value="7">
<cfset stRet.message = "Suspicious & Harvester & Comment Spammer (1+2+4)">
</cfcase>
</cfswitch>
</cfif>
<cfelse>
<!--- good address  --->
<cfset stRet = {type=99}>
</cfif>
<cfreturn stRet>
</cffunction>

<cffunction name="newVisitorCheck" returntype="string">
<cfargument name="ip" required="yes" type="string">
<cfset var vQry = "">
<cfset var result="">
<cfquery name="vQry" datasource="#local.dsn#">
select ipaddy from visitor_ip_addys where ipaddy = <cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.ip#">
</cfquery>
<cfif vQry.recordcount eq 0>
<!--- then it's a new visitor  --->
<cfset result = "new">
<cfelse>
<cfset result ="existing">
</cfif>
<cfreturn result>
</cffunction>

<cffunction name="addToWhiteList" hint="I add client IP's that don't match with http:BL entries (ie: not comment spammer)">
<cfargument name="ip" type="string" required="true">
<cfset var iQry = "">
<cfquery name="iQry" datasource="#local.dsn#">
insert into visitor_ip_addys (ipaddy, visitdate) values
(<cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.ip#">,
<cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#"> )
</cfquery>
</cffunction>

<cffunction name="ipTableCleanup" hint="I run from a daily scheduled task">
<cfset var deleteIP = "">
<cfquery name="deleteIP" datasource="#local.dsn#">
delete from visitor_ip_addys where visitdate <= DATE_ADD(CURRENT_TIMESTAMP, INTERVAL -90 day)
</cfquery>
</cffunction>

<cffunction name="getHostAddress" returntype="string" hint="I do the dns lookup against the http:bl servers">
<cfargument name="host" required="Yes" type="string">
<cfset var obj = "">
<cfset var result="">
<cftry>
<!--- error handling as error is thrown if host lookup has no match in http:BL ie: it's not been reported as a problem --->
<!--- Init class --->
<cfset obj = CreateObject("java", "java.net.InetAddress")>
<cfset result =  obj.getByName(host).getHostAddress() >
<cfcatch type="any">
<!--- an "error" in this case is an unknown address, which means it is not reported to http:BL --->
<cfset result="IP-Address not known">
</cfcatch>
</cftry>
<!--- Return result --->
<cfreturn result>
</cffunction>

<cffunction name="reverseIP" returntype="string" hint=" I return IP in reverse format as required by http:BL api">
<cfargument name="ip" required="Yes" type="string">
<cfset var aIp = listToArray(arguments.ip,".")>
<!--- Return IP reversed --->
<cfreturn aIp[4] & "." & aIp[3] & "." & aIp[2] & "." & aIp[1]>
</cffunction>

</cfcomponent>

To use this CFC, simply add the following code to a page on your site where a comment spammer or email harvester would visit. If they are on the Blacklist, they will get a 404 error when they try to visit that page.

You can also add this on a site wide include if you like (but this could have performance implications)

</pre>
<!--- Check Project HoneyPot --->
<cfinvoke method="honeypotcheck" component="com.HoneyPotdns" returnvariable="stCheck">
<cfinvokeargument name="ip" value="#cgi.remote_addr#" />
</cfinvoke>

<cfif isDefined("stCheck") AND (stCheck.type GTE 4 AND stCheck.type LTE 7)>
<!--- Send a simple 404 message rather than a hey spammer get lost message. No use in poking a hornets nest --->
<cfheader statuscode="404" statustext="Not Found">
404 Not Found
<cfabort>
</cfif>