Full Disclosure mailing list archives

Re: Internet Explorer User Interface Races, Redeux
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Wed, 26 Apr 2006 21:25:19 -0500


Robert Lemos wrote:
Hi, Matt, thanks for this. Another 50 bucks is in the mail. This is
exactly what I need to make the Securityfocus homepage exciting again.

This Lemos spoof is rather entertaining, but not the least bit
convincing.  There are three errors here.

1) The assumption that people can pay me for quotes.  Pretty obvious
give away to me -- maybe not to other people.

2) A Yahoo! account for Lemos.  I have his e-mail address (as any
contact would) and you can bet it's not @yahoo.com.

3) Headers that clearly identify the message as originating from a GMail

    Received: from pproxy.gmail.com (pproxy.gmail.com [])
        by lists.grok.org.uk (Postfix) with ESMTP id F0B1C8E8   for
 <full-disclosure () lists grok org uk>; Thu, 27 Apr 2006 01:22:53 +0100 (BST)

    Received: by pproxy.gmail.com with SMTP id i75so1983751pye  for
 <full-disclosure () lists grok org uk>; Wed, 26 Apr 2006 17:22:53 -0700 (PDT)

    Received: by with SMTP id f9mr960804pyl; Wed,
 26 Apr 2006 17:22:53 -0700 (PDT)
    Received: by with HTTP; Wed, 26 Apr 2006 17:22:53 -0700 (PDT)

'pproxy.gmail.com' on a @yahoo.com alias?  Unlikely.  But it gets better:

    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;

4) Message-IDs that reveal the identity of the spoofer

The MID on this post is remarkably similar to that of another list pos(t)er:

The Message-ID on the spoof:
3a166c090604261722l2e6236d3h1e68774bc2094bd9 () mail gmail com

The Message-ID on another post:
3a166c090604242027s2d4acc87p147135d127489b3 () mail gmail com

Notice that the first 13 bytes of the MIDs are identical.  I had a
theory that these two messages were of similar origin, so I produced two
non-spoofed e-mails from my OWN gmail account.  I discovered that the
two MIDs were:

a394e3d90604261816p28f5de3uea1382f966c2da3f () mail gmail com
a394e3d90604261816u53c64b05md8c9d5c151954d14 () mail gmail com

Notice that in two MIDs of messages sent only seconds apart with only
three bytes in content variation, there are still only 18 bytes in
common, though the MIDs generated by Google would likely have a
relatively poor rate of entropy over a period of only a few seconds.

Compare this with the MID of a third message sent from a second GMail ID
I own only minutes later with a similar level of content variance:

ef96773a0604261847l3be92ed9j5f11657ed384f9af () mail gmail com

Notice that there is a commonality in the string "06042618" which
appears to identify my computer -- presumably by IP or session.

This accounts for the difference in MID uniqueness, because my IP was
*EXACTLY* identical and I was using the SAME session when I sent these
two messages.  The first eight bytes appear to uniquely identify the
account of the originator.

They are EXACTLY identical in the spoofed "Robert Lemos" e-mail when
compared with a previous e-mail of a list poster who's previously been
responsible for noise.

Further, you'll notice that MOST of the computer-specific bytes are
identical, indicating that our sender was probably behind the same
network when the two messages were sent.

Game's up, n3td3v.  You can quit hiding behind your fake Yahoo account
now.  Go away kid, before you hurt somebody.

--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

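The header checks walked through in the post above, scripted as an added example (this is not code from the post or the list). The sample message is constructed: the From address and relay IP are placeholders, while the Message-ID local parts are the four quoted in the post. The script only reports domain inconsistencies and measures shared Message-ID prefixes; what the shared bytes encode is left to the analyst.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; the From
# address and relay IP are placeholders, the Message-ID is the spoof's.
SPOOF_RAW = """\
Received: from pproxy.gmail.com (pproxy.gmail.com [192.0.2.10])
  by lists.example.net (Postfix) with ESMTP id F0B1C8E8
  for <list@lists.example.net>; Thu, 27 Apr 2006 01:22:53 +0100 (BST)
Received: by pproxy.gmail.com with SMTP id i75so1983751pye
  for <list@lists.example.net>; Wed, 26 Apr 2006 17:22:53 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
From: Robert Lemos <lemos.example@yahoo.com>
Message-ID: <3a166c090604261722l2e6236d3h1e68774bc2094bd9@mail.gmail.com>
"""

# Message-ID local parts quoted in the post: spoof, earlier poster, two controls.
SPOOF_MID = "3a166c090604261722l2e6236d3h1e68774bc2094bd9"
OTHER_POSTER_MID = "3a166c090604242027s2d4acc87p147135d127489b3"
CONTROL_MIDS = ("a394e3d90604261816p28f5de3uea1382f966c2da3f",
                "a394e3d90604261816u53c64b05md8c9d5c151954d14")

def unfold(value):  # collapse folded header continuation lines to one line
    return re.sub(r"\s+", " ", str(value)).strip()

def analyze(raw):
    """Pull out what the post compares: claimed From domain, DomainKey signing
    domain, relay hosts from Received, Message-ID parts, and flag mismatches."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dk = dict(item.strip().split("=", 1)
              for item in unfold(msg.get("DomainKey-Signature", "")).split(";")
              if "=" in item)
    hops = [m.group(1).lower()
            for m in (re.match(r"(?:from|by)\s+(\S+)", unfold(r))
                      for r in msg.get_all("Received", [])) if m]
    mid_local, _, mid_domain = unfold(msg.get("Message-ID", "")).strip("<>").rpartition("@")
    signer = dk.get("d", "").lower()
    return {"from_domain": from_domain, "signer": signer, "hops": hops,
            "mid_local": mid_local, "mid_domain": mid_domain,
            "signer_mismatch": bool(signer) and signer != from_domain,
            "relay_mismatch": any(not h.endswith(from_domain) for h in hops)}

def common_prefix_len(a, b):
    """Shared leading run of two Message-ID local parts. What those bytes
    encode is undocumented, so this is a measurement, not an identity."""
    return len(os.path.commonprefix([a, b]))
```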

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
