The Script Kiddie Cookbook (Abstract)

Computer Security for Everyday Users
Copyright 2005 by Matthew J. Basham

The Script Kiddie Cookbook: Computer Security for Everyday Users
Matthew J. Basham
Copyright ©2005
Published by: Lulu Press
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher or the author, except for the inclusion of brief quotations in a review. Any reproductions for learning purposes should be reported to the author for accounting purposes.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
This manuscript was supplied camera-ready by the author.


Table of Contents of the Script Kiddie Cookbook, available at […]

Chapter 1: Introduction ……………………………………… 5
Unit I: Legal Stuff ……………………………………………… 10
Chapter 2: Legal system basics ……………………………… 11
Chapter 3: Cases of Interest ………………………………… 42
Chapter 4: Acceptable Use Policies ………………………… 94
Unit 2: Hacking History and Foundational Stuff ………… 105
Chapter 5: History and Psychology of Hacking …………… 106
Chapter 6: Networking Frameworks ………………………… 115
Chapter 7: Logic Problem Fundamentals/Cryptography Fundamentals … 119
Chapter 8: The “Anatomy of a Hack” ……………………… 132
Unit 3: Tools of the Trade …………………………………… 135
Chapter 9: Downloading stuff from the web ……………… 137
Chapter 10: DOS ……………………………………………… 147
Chapter 11: Password Protection …………………………… 202
Chapter 12: Protocol Inspectors …………………………… 215
Chapter 13: Port Scanners …………………………………… 235
Chapter 14: Having fun on the Internet…or not ………… 252
Chapter 15: E-mail and SPAM ……………………………… 264
Chapter 16: H4xor 5p34k ……………………………………… 286
Chapter 17: How to stop those frigging pop-up ads ……… 289
Chapter 18: Knoppix STD: an introduction ………………… 296
Unit 4: Putting it all together ……………………………… 335
Chapter 19: Case Studies in Hacking ……………………… 336
Chapter 20: Prologue ………………………………………… 341
Cool email from “Phantom” …………………………………… 345


Chapter 9: Downloading stuff from the web
• Introduction
• What about when I need to download things for work?
• Geek Stuff: Virus basics
• Summary
• Exercises

Introduction
One of the biggest problems with letting people use the web is the apparent isolation of each user. Many times people forget their computer is part of a bigger mesh of computers. Just because you are relatively alone while you are using the Internet does not mean you are not being watched. At any given point monitoring can be, and usually is, taking place. EVERYTHING in a school network passes through multiple monitoring devices. Are you using an instant messenger (AOL©, Yahoo!©, ICQ©, MSN©, et al.)? Everything can be recorded with monitoring devices. I know it all sounds Orwellian, but in today’s litigious society schools need to monitor everything very carefully. What most schools are not doing is following up on those huge logs and policing the activities of their users…at least not yet.

Several years ago there were a couple of websites that were being touted as being very funny. The first one is called the “frog in the blender,” or the “fish bowl blender” of the same vein.1 You would not believe how many people have seen many of these sites. In short, you could push a button that blended the fish or frog into a frothy little puree. Why? Some people thought it was a lot of fun. The other site was called the “Hamster Dance” website. All that site contained was a mesmerizing little flock of hamsters doing a simple little dance with this catchy little tune that you could not get out of your head for days upon end. This website, like the frog in the blender, also spawned bunches of other sites like the “cow dance,” “fish dance,” and others. Why am I bringing them up here? I am bringing them up because the “frog in the blender” and “fish bowl blender” websites were made for purely malicious activities. Depending upon which sites you may have visited, one iteration of the “frog in the blender” was set up by hackers to become a Trojan horse. We call them Trojans in reference to the Trojan Horse in Greek history…“Beware Greeks bearing gifts.” In everyday terms, by merely pushing the button to make the frog or fish shake you had inadvertently turned your computer into a computer that the hacker could control at any time. By activating this blender you have created a hole, from the inside of the network to the outside of the network, for the hacker to use…they basically have by-passed all of your security. Oh I know, your school has firewalls and other safety measures. But the problem is: SECURITY IS ONLY AS GOOD AS ITS WEAKEST LINK. The everyday user has no idea which site is innocent and which is not innocent. The other incarnation of these blenders (hackers are big-time copy-cats) starts the same way: you press the blend button. Only this time you have unknowingly downloaded a virus on to your computer. When you have this virus it will sit in hiding until May 28th and then become “active” and erase everything on your hard drive. How do you know it is there? You can search for these files: blender.exe or […].

1 Frog picture retrieved May 16, 2003 from http://allaboutfrogs.org/gallery/mystuff/doodles4.html

Even the cutest little sites can be dangerous to your files and the school network in general.2 It is not worth losing your job over something like this…it may seem trivial to you, but when just visiting one cute little site you usually cannot help but send it to your friends. And then they “activate” it and send it to their friends. Next thing you know an epidemic is on hand. Who looked at it first? We can find out from our logs and pinpoint them. The rule is simple: be knowledgeable enough to know where you can download things and where you cannot. A good overall rule is to never download anything or “execute” or “play any games” with your work computer. If you want to download something or to visit a funny site, then do it at home. Again, do this stuff at home because it does not belong at work.

2 From http://vil.mcafee.com/dispVirus.asp?virus_k=10172

What About When I Do Need to Download Things for Work?
There are times (just as I did with the frog picture) that you cannot avoid having to download things from the Internet on to your computer. Sure, it is the quickest and easiest thing to do, but we really need to go the “extra” mile and scan it for viruses just in case. Even by doing that you still just never really can be certain, but at least you have done everything you can possibly do. In general, sites that exist solely for the purposes of uploading and downloading, like download.com or cnet.com, should not be used at [work]. In addition, if you must download then I generally will “sort-of” trust other educational or not-for-profit sites. Notice how the frog picture was downloaded from a not-for-profit site. I still used my virus checker for that little extra bit of protection too. What’s that? You don’t know how to use your virus scanner? Well then let’s just spend some time and show you how to do it with our frog picture.

First open a browser window using Internet Explorer (or Netscape Navigator). Then put http://allaboutfrogs.org/gallery/mystuff/doodles4.html into your navigation/address bar and hit Enter. You should see a window like in figure 1 on the next page. Next you will see that same frog that appeared on the last page. Now, in this step you may be tempted to just copy and paste the frog into your document. In figure 2 we can see what menu “pops up” when we use the right mouse button (a.k.a. “right-click”) on the picture. Then we can select the “Save Picture As” option and put the picture into a folder. I would suggest saving the picture in a folder in the “my pictures” folder so you can more easily find it when we start using the virus scanner. Again, when you go to insert the file later most programs start at or very near the “my pictures” folder.

Figure 1—IE page for frog picture download.

Figure 2—Right click on the frog and select “Save Picture As.”

Figure 3—Saving the picture in a folder on my computer.

I saved the picture in a folder called “downloads” in the “my pictures” folder as shown in figure 3 above. Next we need to start the virus scanner. St. Petersburg College has chosen McAfee’s Virus Scanner as the tool of choice. To start the process use the “start” button on your taskbar (usually the lower left-hand side of the screen), find the “Network Associates” link, then “Virus Scan” (see figure 4).

Figure 4—Finding the McAfee console.

Figure 5—McAfee Virus Scan “On demand” console.

Once the pop-up “on-demand” window comes up, use the “browse” button to navigate to your folder with the frog picture in it. Usually you should be able to just select “my documents” then “my pictures” and you are there. I also added a “downloads” folder as shown in figure 6 below.

Figure 6—Navigate to the folder where you put the file.

Next look at figure 6 for the options on the lower left-hand side of this window. You can select “default files,” “all files,” or “user specified files.” Since I am only putting things in here that I download (and it is thus a very small number), I will switch it to “all files” as shown in figure 7 on the next page. Then you just need to click on the “scan now” button in the upper right-hand corner and McAfee will scan everything in that folder. When McAfee is finished you will see a window like in figure 8 on the next page.

Figure 7—Switching the scan to “all files.”

Figure 8—Results of scanning the folder where the frog picture was placed.

Ok, so you are out of the woods, at this time, for the frog picture. There appears to be no problem with viruses. In figure 9 I am showing you a screen shot of what happens when you have viruses of some sort on your computer. Should I be worried? Only if I did not know what I was doing. Being a computer guy I know those “infected” files are actually programs for testing network security and that they show up as “Trojans” because that is the very nature of the program.

Figure 9—Output from scanner showing “infected” files.

Furthermore, during the scan if you have an infected file the scanning will stop and ask you if you wish to delete the file. In most cases I would say “most definitely” delete the file. Being an inquisitive computer guy I usually save the file off on a diskette first, then re-scan a couple of times to make certain the file is gone. I have a couple of diskette storage bins full of viruses that I use in classes where I teach students how to remove them. There are even sites that sell CD-ROMs with thousands of viruses on them.3 Usually teenagers are out there buying these things and bringing them in to school on floppy disks or CDs, and they will sometimes have viruses right on the same one they turn their assignments in to you with. To keep it simple I would always ask for paper copies of [assignments]. As our classrooms move to being more technologically savvy we will have to be ever more vigilant about our use of virus scanners. At some schools, like the University of Florida, students come into the classroom, hook their laptop into an Ethernet jack in the seat, download their homework assignments and then upload their next assignments right onto their laptop. There has been considerable debate about implementing this style of classroom in community college settings. On one hand, having students purchase laptops would save considerable resources for other projects. Since budgets are being hacked and slashed at an alarming rate this would seem like a good idea. On the other hand, by putting the burden of purchasing computers on the students in a community college setting we may be inadvertently segregating our educational facilities into the people who can afford laptops and those who cannot. Those who cannot would not be able to attend. Alas, the debate will rage on for quite some time, I am sure.

3 See, for example, http://www.ameaglepubs.[…].html

Viruses in a Nutshell
Computer viruses were started back in the mid-1960s as an attempt at creating artificial intelligence. The early writers wanted to create a computer program that could learn from its mistakes and become better. We have yet to create a program capable of “thinking” for itself, but with every new generation of super-computer we are coming closer to the day this will happen. Biological viruses work in the same fashion: they replicate and usually become stronger with every iteration. Basically all virus scanners work the same way: they use a “test” pattern4 to compare against files. There is a rumor that virus companies are responsible for creating and releasing many viruses onto the network. How else can they have “fixes” (also known as patches) for them within hours after the new strain of virus is first discovered? There are many good anti-virus packages out there like Norton, PC-Cillin, F-Prot, Dr. Solomon, and others, but I happen to like Norton for home use and McAfee on a corporate-style network. While you may be shopping for virus protection packages you may encounter claims of “will detect 97%” of all viruses or “will detect 98% of all viruses.” If, like me, you are a mathematically minded person you will probably be tempted to buy several hoping to raise that detection up to almost 100%. I can urge you now to only use ONE anti-virus package. The test pattern in one virus checker will cause a “false positive” reading when another virus checker is running. In short, you will be chasing many “ghost” viruses that do not exist and may even end up causing damage to your system.

4 Commonly called the “EICAR” test pattern.

Summary
In this chapter you learned that downloading things from the Internet onto your work computer can cause you to inadvertently put viruses on your computer if not done properly. It can even cause you to lose your job in some circumstances. Since most user policies are written to put the burden on the user, you need to know this stuff (it’s a technical term). You cannot avoid viruses, but you can severely reduce the chances of being infected by one. The bottom line is to download things on the Internet for work-related purposes only and to virus scan them thoroughly using the latest version of scanning software.

Exercise 1
1. Go out to the web and find some pictures or icons to use in creating a PowerPoint presentation for your class.
2. Save the pictures to a folder on your hard drive.
3. Virus scan the folder and all of its contents.

Exercise 2
Ok, now let’s have you try to run a virus scan on a diskette.
1. Your instructor should be giving you a diskette for you to use.
2. If your diskette has a virus on it, then what procedures would you take to remove the virus?

Exercise 3
From time to time you should check on the version of virus scanner your computer is using. More importantly you should check that the latest virus update files have been applied. Remember it’s your computer and your responsibility to check this…you will need to notify the help desk for any updates if needed.
1. What are your procedures for putting in a work order for your computer?
2.
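How a signature scanner of the kind described under “Viruses in a Nutshell” actually compares a test pattern against files, why the “default files” versus “all files” choice from the walk-through matters, and why a second scanner’s pattern database shows up as “ghost” infections: the following is an added JavaScript (Node.js) example, not code from the book and not from any McAfee or Norton product. The signature names and byte patterns, the DEFAULT_EXTENSIONS list and the sample files are all constructed for the example (a real product ships the EICAR test string in the role of the first signature); nothing here reads the real file system.

```javascript
// Added example, not from the book: a toy signature scanner in the style the
// chapter describes ("compare a test pattern against files"). Every file below
// is constructed in memory; nothing touches the real disk.

// Constructed signature database: detection name -> byte pattern.
// A real scanner carries the EICAR test string as an entry like the first one.
const SIGNATURES = {
  "Test.Pattern":  Buffer.from("CONSTRUCTED-SCANNER-TEST-PATTERN", "latin1"),
  "Demo.Trojan.A": Buffer.from("DEMO-TROJAN-MARKER-0001", "latin1"),
};

// Assumed approximation of a "default files" list: only these extensions are
// scanned unless the user switches to "all files" (figure 7 in the chapter).
const DEFAULT_EXTENSIONS = [".exe", ".com", ".dll", ".scr", ".vbs", ".doc", ".xls"];

function hasDefaultExtension(path) {
  const lower = path.toLowerCase();
  return DEFAULT_EXTENSIONS.some(ext => lower.endsWith(ext));
}

// Return the names of every signature whose pattern occurs anywhere in `data`.
function scanBuffer(data, signatures = SIGNATURES) {
  const hits = [];
  for (const [name, pattern] of Object.entries(signatures)) {
    if (data.indexOf(pattern) !== -1) hits.push(name);
  }
  return hits;
}

// Scan a "folder" (path -> Buffer). With allFiles=false, files outside the
// default extension list are skipped, like the scanner's default mode.
function scanFolder(folder, { allFiles = true } = {}, signatures = SIGNATURES) {
  const report = { scanned: 0, skipped: [], infected: {} };
  for (const [path, data] of Object.entries(folder)) {
    if (!allFiles && !hasDefaultExtension(path)) { report.skipped.push(path); continue; }
    report.scanned += 1;
    const hits = scanBuffer(data, signatures);
    if (hits.length) report.infected[path] = hits;
  }
  return report;
}

// Constructed download folder modelled on the chapter's walk-through.
const DOWNLOADS = {
  "My Pictures/downloads/frog.jpg":
    Buffer.from("\xff\xd8\xff\xe0 constructed picture bytes", "latin1"),
  "My Pictures/downloads/blender.exe":
    Buffer.concat([Buffer.from("MZ", "latin1"), SIGNATURES["Demo.Trojan.A"]]),
  // A picture with a payload appended: missed under "default files".
  "My Pictures/downloads/funny.gif":
    Buffer.concat([Buffer.from("GIF89a", "latin1"), SIGNATURES["Demo.Trojan.A"]]),
};

// Another vendor's signature file necessarily contains the same patterns, so
// scanning it with this scanner yields the "ghost" detections the chapter warns about.
const OTHER_VENDOR_DB = Buffer.concat([
  Buffer.from("VENDOR-B SIGNATURE FILE v1\n", "latin1"),
  SIGNATURES["Demo.Trojan.A"],
  Buffer.from("\n", "latin1"),
  SIGNATURES["Test.Pattern"],
]);

// Run the three scans the text talks about and return their reports.
function demo() {
  return {
    defaults: scanFolder(DOWNLOADS, { allFiles: false }),
    allFiles: scanFolder(DOWNLOADS, { allFiles: true }),
    ghost:    scanBuffer(OTHER_VENDOR_DB),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under “default files” only blender.exe is scanned and funny.gif slips through; under “all files” both are flagged and the clean frog.jpg is not. The last report is the false positive: the other vendor’s database is not malware, yet every pattern in it matches, which is exactly why running two scanners side by side produces “ghost” viruses.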

Chapter 14: Having fun on the Internet…or not
• Introduction
• History files
• Favorites
• Daemons
• Geek stuff: Cookies basics
• Summary

Introduction
There are times when you might be out on the Internet looking for something for work and you might start to stray. Maybe it is a pop-up ad that gets your attention or maybe you accidentally went to the wrong site…in either case there are several things that happen on your computer and the network that “record” where you have been. In this chapter we will look at how this information is recorded on your computer and how it is removed. How it is recorded and removed on the network is out of your control so, again, the best thing to do is keep your surfing habits to work-related sites only (even if you are on a break).

History files
Just like Hansel and Gretel did in the Hans Christian Andersen story, when you go out on the Internet you leave a little trail behind you of every place you go. To the lay person you can easily clear out your “trail” by clearing your history files. The history file was created to actually save you time when traveling over the Internet. Have you ever wanted to return to a website by starting to type it in only to have your computer finish the address for you? This happens because the computer matched what you were typing to the addresses stored in your history file. So it’s a bit nice to see all of those sites sometimes, especially if you visit them often (for work, of course). But that is why we have a “favorites” folder to hold that information. Since I have been using Internet Explorer (IE) lately, as most people seem to do, we’ll use IE. Let’s go see what dirty little sites I have been to on my computer. First let’s open up IE and then click on the little down arrow to “see” some of the past sites visited (see figure 15-1). Let’s actually clear out your history file. In the toolbars in IE click on the “Tools” pull down menu and select “Internet Options.” You should see a pop-up window similar to figure 15-2. By clearing out your history file you can already see plusses and minuses. A plus: no one can usually come behind you and see what sites you have visited. A minus: you will have to re-type every website again.

Figure 15-1—Looking at your history file.

Figure 15-2—The “Internet Options” pop up window.

Next, look down near the lower right-hand corner in the “History” box. You will see a button named “Clear history.” Another pop-up window will ask you if you really want to clear your history files (which you do), so click “yes.” Next click on the “ok” button on the Internet Options window to make it close out. Now let’s look at our “history” again (see figure 15-3).

Figure 15-3—Cleared history file.

This one is really easy to see. It does not take very long to do, but you also have to remember the next time you visit a site you are generating more entries in your history file. How do you think you could set your computer to never keep anything in your history file, so that you will not have to keep clearing all those sites every now and then? You just pulled up that Internet Options window a second ago and cleared the history file (figure 15-2). If you look to the left of that clear history button you will see an option for keeping those files in your history file. By default it is set to keep them for 20 days. If you set that to keep them for 0 days you will not see anything ever appear in there. As we have said all through this manual, it is easy when you know how.

Favorites
You may be diligent in removing those history files or have even set it to not contain any at all, but there are other ways to find information on your computer. One easy tell-tale place is within your “favorites” list. Here you may have “bookmarked” an Internet site for easy return. In IE just click on the “favorites” pull down menu (see figure 15-4).

Figure 15-4—Looking at the “favorites” pull down menu.

So another good tip is: if you do not want anyone to see where you have been on the computer, do not keep history and do not bookmark a site. Of course you still have to remember that if your computer is on a network at school, the websites you visited are also recorded at possibly several high-powered computers.

Daemons
Privacy tab in Internet Options settings (accept or deny cookies).

Geek Stuff: Cookies Lab
The Internet is a wonderful place. There are millions of different sites for you to visit and even more new ones being added every day. The websites you visit usually do not have any real way of keeping track of all of the specifics of each visitor to their site and what they did while they were there. This would require an enormous amount of resources for every single website. Instead website programmers use something called a “cookie” to keep track of your access. Instead of putting it on their website, they keep it on your workstation. When you visit the site again the website accesses that cookie from your computer and can even use that information to “greet you by name” upon the second visit to their website. The term “cookie,” as it relates to computer technology, is not that new. In fact the term “cookie” is a descendent of the UNIX operating system (written in 1969) function called “magic cookie.” Magic cookies, in UNIX, are used for transferring small “tokens” of information between two computers. Macintosh computers do not use the name “cookies” but stick with the UNIX name “MagicCookies.” It performs very much the same function as Windows-based cookies. Like we said, a cookie is a text file full of information about you. In fact, it holds your user name (if it is attached to a network), any usernames and passwords (usually encrypted), the pages you visited, and information about anything you have downloaded from their site.

Usually there is one cookie (or more) “set” per website that you visit. As with everything else we have rules that apply to cookies to which website programmers try to adhere:
1. Cookies are to be no more than 4 kilobytes in size.
2. No more than 20 cookies per website, server, or domain.
3. No more than 300 cookies should exist on your computer at any time.
4. If this limit is exceeded then the newer cookies should be written over the oldest cookies.

So why do you think this may be important for us in a security class? Think outside the rules. Hmm…sounds like a good simple transparent virus-type code…change the cookies setting with programming so that no cookies are ever deleted and eventually the hard drive fills up, the workstation begins running slow and crashes. Best of all, it could take weeks or months before it happens and you will probably not be able to trace it back to where you got it from…pure evil. Talk about damage incorporated. How can this be perverted into someone else’s advantage? That’s right. Think about someone planting a Trojan daemon that periodically sends your cookies, and, possibly, your web habits, your shopping habits, username, IP address, etc. back to a central source. They could upload all of the cookies instead of just their cookie. Now they can get a profile of you. We know those passwords are encrypted, but those are easy to reverse engineer too. Someone could be out there using your username and password right now. Ahh…the smoking gun. Luckily for us cookies can be viewed, edited, and even turned off on our computers.

Finding and Viewing Cookies on Your Computer
In this lab you will learn how to find cookies, view source code in cookies, use a protocol inspector to see hexadecimal code for cookies, and learn how to turn off the cookies feature in both Netscape Navigator and Internet Explorer. Let’s start off with one of the more popular browsers: Internet Explorer. Let’s open one up! What? Don’t have any? Let’s make some! Open Internet Explorer and go to www.disney.com. You should see a cookie appear with the Disney name in there somewhere (in your cookie folder) along with several other cookies (we’ll get to those in a moment). To find the cookies in Windows 2000:
1. Open Windows Explorer.
2. Then navigate to “documents and settings”, and you should find a folder called “[your user name]”.
3. Then open it up.
4. Then open the “cookies” folder.
5. In that folder you will find a file called “index.dat.” Even if you delete your cookies this file will still contain an entry about your cookies. Open it up and you will see all of your current cookies. You should see a line like this:

CP null* disney.go.com/ 0 017261923536 20305785 6590788738 56214783 567367 *

An interesting thing is to copy that line from WordPad (it will open in WordPad by default) and then copy it to Windows 2000…that one line of text breaks into several lines with line breaks (a.k.a. “carriage returns”):

CPnull*disney.go.com/

(Before you try it on my data, I changed it…nice try.) Sometimes the cookies will even include usernames, passwords, machine ID numbers, IP addresses, the ISP from which the request originated, etc. Hmmm…looks like another opportunity for reverse engineering with a decompiler.

Ok…now how about Windows 95/98 (with IE):
1. Open up Windows Explorer.
2. Navigate to the “C:\” drive.
3. Then to the “windows” folder.
4. Then open the “cookies” folder.

Let’s try this again for Netscape Navigator on a Windows 95/98/2000 machine:
1. Open up Windows Explorer.
2. Navigate to the “C:\” drive.
3. Then “Program Files.”
4. Then “Netscape.”
5. Then open the “users” folder.
6. If you do not have one for your id then open the “default” folder.
7. You should find a file called “cookie.txt.” Here all cookie information is kept in one file.

What’s that? You see cookies from sites in there like doubleclick, hitbox, focallink, Globaltrack, and other websites even though you know you have never been there? That is one of the growing legal issues surrounding the use of cookies. Basically your information stored in your cookies is being “harvested” and sent to central database clearinghouses and then resold to direct marketing companies when you visit some websites. It generally falls under the “privacy” category in law because most of this is taking place without your knowledge. In short, they are some mighty powerful little things. These things are “transparent” to you, whether you like it or not. Wait until we get to the lab on SPAM! Ever wonder how that junk mail shows up in your email box even though your company has a (seemingly) strict anti-spam policy? Yup…these transparent cookies are the culprits.

Viewing Source Code for Cookies
The syntax of a cookie is fairly simple. Most of them are written in HTTP as a CGI script. Here is the syntax of cookies during transmission…you can see this when you capture packets with a protocol inspector. I am quoting the Netscape site on the syntax of cookies for your information (emphasis added):

Syntax of the Set-Cookie HTTP Response Header
This is the format a CGI script would use to add to the HTTP headers a new piece of data which is to be stored by the client for later retrieval.

Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

NAME=VALUE
This string is a sequence of characters excluding semi-colon, comma and white space. If there is a need to place such data in the name or value, some encoding method such as URL style %XX encoding is recommended, though no encoding is defined or required. This is the only required attribute on the Set-Cookie header.

expires=DATE
The expires attribute specifies a date string that defines the valid life time of that cookie. Once the expiration date has been reached, the cookie will no longer be stored or given out. The date string is formatted as: Wdy, DD-Mon-YYYY HH:MM:SS GMT. This is based on RFC 822, RFC 850, RFC 1036, and RFC 1123, with the variations that the only legal time zone is GMT and the separators between the elements of the date must be dashes. expires is an optional attribute. If not specified, the cookie will expire when the user's session ends. Note: There is a bug in Netscape Navigator version 1.1 and earlier. Only cookies whose path attribute is set explicitly to "/" will be properly saved between sessions if they have an expires attribute.

domain=DOMAIN_NAME
When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. If there is a tail match, then the cookie will go through path matching to see if it should be sent. "Tail matching" means that the domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com". Only hosts within the specified domain can set a cookie for a domain, and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT". The default value of domain is the host name of the server which generated the cookie response.

path=PATH
The path attribute is used to specify the subset of URLs in a domain for which the cookie is valid. If a cookie has already passed domain matching, then the pathname component of the URL is compared with the path attribute, and if there is a match, the cookie is considered valid and is sent along with the URL request. The path "/foo" would match "/foobar" and "/foo/bar.html". The path "/" is the most general path. If the path is not specified, it is assumed to be the same path as the document being described by the header which contains the cookie.

secure
If a cookie is marked secure, it will only be transmitted if the communications channel with the host is a secure one. Currently this means that secure cookies will only be sent to HTTPS (HTTP over SSL) servers. If secure is not specified, a cookie is considered safe to be sent in the clear over unsecured channels.

Syntax of the Cookie HTTP Request Header
When requesting a URL from an HTTP server, the browser will match the URL against all cookies and if any of them match, a line containing the name/value pairs of all matching cookies will be included in the HTTP request. Here is the format of that line:

Cookie: NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2 ...

Source: http://wp.[…].html, 14 June 2002

Remember: this is the code for transmission…not the source code of cookies. Don’t get them confused. We’ll look at the transmission code in the next section. Before we move on to protocol inspectors let’s look at HTML source code a bit. The easiest way is to view the source code of a website that places cookies on your computer. Be sure to copy the source code, then disconnect from the web before editing the code. Then copy and paste the source code into a blank Front Page document. Front Page even changes the colors of some of the words to show which ones are tags, attributes, comments and […]. Now you can “reverse engineer” HTML code live (without any legal repercussions). You can even compare it with the source programming code if you want. Never try to “upload” your source code to anything connected to the Internet. Talk about being in deep kimchee. Ok. So now let’s look at a sample script for placing cookies onto your computer. Here is one I found on the AOL website (emphasis added):
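The four storage rules listed earlier in this lab and the Set-Cookie/Cookie matching rules quoted from Netscape, worked through as a small cookie jar in JavaScript (Node.js). This is an added example, not code from the book and not Netscape’s; the function names, the LIMITS table, the sample Set-Cookie headers and the “current time” are assumptions, and the host names come from the spec’s own acme.com examples. It goes slightly beyond the quoted text by also rejecting a domain attribute that the sending host is not inside of, which is what the “only hosts within the specified domain can set a cookie” sentence requires in practice.

```javascript
// Added example, not from the book or from Netscape: a minimal cookie jar that
// applies the Set-Cookie/Cookie rules quoted above plus the four storage limits.
// Hosts, headers and function names are assumptions made for illustration.

const SPECIAL_TLDS = new Set(["com", "edu", "net", "org", "gov", "mil", "int"]);
const MONTHS = { jan: 0, feb: 1, mar: 2, apr: 3, may: 4, jun: 5,
                 jul: 6, aug: 7, sep: 8, oct: 9, nov: 10, dec: 11 };
const LIMITS = { maxBytes: 4096, perDomain: 20, total: 300 };   // the four rules

// Parse "Wdy, DD-Mon-YYYY HH:MM:SS GMT" (the only form the spec allows) into a
// millisecond timestamp; null if the string does not have that shape.
function parseExpires(str) {
  const m = /^\w{3},\s*(\d{2})-(\w{3})-(\d{4})\s+(\d{2}):(\d{2}):(\d{2})\s+GMT$/i.exec(str.trim());
  if (!m || MONTHS[m[2].toLowerCase()] === undefined) return null;
  return Date.UTC(+m[3], MONTHS[m[2].toLowerCase()], +m[1], +m[4], +m[5], +m[6]);
}

// "Tail matching": the domain attribute must match the end of the host name.
function tailMatch(host, domain) {
  const d = domain.startsWith(".") ? domain : "." + domain;
  return ("." + host.toLowerCase()).endsWith(d.toLowerCase());
}

// Period rule: two periods for the seven special TLDs, three otherwise, so a
// site cannot claim all of ".com" or ".va.us".
function domainAttributeAllowed(domain) {
  const d = domain.startsWith(".") ? domain : "." + domain;
  const periods = (d.match(/\./g) || []).length;
  const tld = d.slice(d.lastIndexOf(".") + 1).toLowerCase();
  return periods >= (SPECIAL_TLDS.has(tld) ? 2 : 3);
}

// Parse one Set-Cookie header sent by `fromUrl`; null if the sender may not set it.
function acceptSetCookie(header, fromUrl) {
  const url = new URL(fromUrl);
  const parts = header.split(";").map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  if (eq < 1) return null;                                   // NAME=VALUE is required
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1),
                   domain: url.hostname,                     // default: the setting host
                   path: url.pathname.replace(/[^/]*$/, ""), // default: the document's path
                   expires: null, secure: false };           // null expiry = session cookie
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split("=");
    const v = rest.join("=").trim();
    switch (k.trim().toLowerCase()) {
      case "expires": cookie.expires = parseExpires(v); break;
      case "path":    cookie.path = v; break;
      case "secure":  cookie.secure = true; break;
      case "domain":  // only hosts inside the domain may set it, and with enough periods
        if (!tailMatch(url.hostname, v) || !domainAttributeAllowed(v)) return null;
        cookie.domain = v; break;
    }
  }
  return cookie;
}

// Store a cookie under the size and count limits; the oldest cookies go first.
function storeCookie(jar, cookie) {
  if (Buffer.byteLength(cookie.name + "=" + cookie.value) > LIMITS.maxBytes) return false;
  const same = jar.findIndex(c => c.name === cookie.name && c.domain === cookie.domain && c.path === cookie.path);
  if (same !== -1) jar.splice(same, 1);                      // replace an existing cookie
  const inDomain = () => jar.filter(c => c.domain === cookie.domain);
  while (inDomain().length >= LIMITS.perDomain) jar.splice(jar.indexOf(inDomain()[0]), 1);
  while (jar.length >= LIMITS.total) jar.shift();
  jar.push(cookie);
  return true;
}

// Should this stored cookie go out with a request to `toUrl`?
function cookieMatches(cookie, toUrl, now) {
  const url = new URL(toUrl);
  if (cookie.expires !== null && cookie.expires <= now) return false;  // expired
  if (cookie.secure && url.protocol !== "https:") return false;        // clear channel
  if (!tailMatch(url.hostname, cookie.domain)) return false;           // domain match
  return url.pathname.startsWith(cookie.path);   // "/foo" matches "/foobar" and "/foo/bar.html"
}

// The Cookie request header: every matching NAME=VALUE joined with "; ".
function buildCookieHeader(jar, toUrl, now) {
  return jar.filter(c => cookieMatches(c, toUrl, now)).map(c => `${c.name}=${c.value}`).join("; ");
}

// Constructed exchange using the spec's own example hosts.
function demo() {
  const now = Date.UTC(2005, 0, 1);                         // constructed "current time"
  const jar = [];
  const received = [
    ["SESSION=abc123; path=/; domain=acme.com", "http://anvil.acme.com/login/index.html"],
    ["PREF=blue; path=/foo; domain=acme.com; expires=Mon, 31-Dec-2007 23:59:59 GMT", "http://anvil.acme.com/foo/"],
    ["AUTH=tok; secure; path=/", "https://shipping.crate.acme.com/"],
    ["OLD=gone; path=/; expires=Sat, 01-Jan-2000 00:00:00 GMT", "http://anvil.acme.com/"],
    ["EVIL=1; domain=.com; path=/", "http://anvil.acme.com/"],          // rejected: too few periods
    ["SPOOF=1; domain=other.com; path=/", "http://anvil.acme.com/"],    // rejected: sender not inside domain
  ];
  for (const [header, from] of received) {
    const c = acceptSetCookie(header, from);
    if (c) storeCookie(jar, c);
  }
  return {
    stored:   jar.map(c => c.name),
    toFoobar: buildCookieHeader(jar, "http://shipping.crate.acme.com/foobar", now),
    toSecure: buildCookieHeader(jar, "https://shipping.crate.acme.com/", now),
    toOther:  buildCookieHeader(jar, "http://anvil.example.org/", now),
  };
}

console.log(demo());
```

Reading the output against the quoted rules: SESSION and PREF both reach shipping.crate.acme.com/foobar because “acme.com” tail-matches and “/foo” prefix-matches “/foobar”; AUTH is only included on the HTTPS request; the expired OLD cookie is stored but never sent; and the two headers that try to claim “.com” or a domain the sender is not part of are dropped before they ever enter the jar.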

<html><head>
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript" SRC="http://www.aol.com/popups/script/[…]"></SCRIPT>
<script language="javascript">
this.name = "parentWindow";
function rdc(rUrl) {
  location.href = 'http://dynamic.aol.com/[…]' + rUrl;
}
function popWin(url) {
  var popWin = open(url, "windowName", 'nostatus,width=360,height=240,resizable=no,left=250');
}
document.cookie = "cookietest=yes; path=/; domain=.aol.com";
var testCookie = document.cookie;
if (testCookie.indexOf("cookietest=yes") == -1) {
  alert('Please turn your cookies on.');
} else {
  var sn = document.forms.loginform.screenname.value;
  var isEmail = sn.indexOf('@');
  if (isEmail > -1) {
    makeSN = sn.substring(0, isEmail);   // method name not preserved in this excerpt; substring assumed
    document.forms.loginform.screenname.value = makeSN;
  }
}
function doSubmit() {
  document.loginform.submit();
}
</script>

Source: AOL web page (http://www.aol.com), 14 June 2002

From this example we can see AOL is placing cookies on our computer. I got that code by opening up the AOL web page and then looking at the source code (view > source). Then I copied it into Front Page, disconnected from the Internet, and pasted it into a new Front Page web (use the HTML tab). This is one easy way to determine if a website is placing cookies on your computer. The only problem is, though, once you open up the page the cookies are already downloaded to your computer (unless you disable them). Heck, they even have a test to see if we have cookies enabled, then they ask us to turn them on! Want to learn more about the programming side of cookies? Here is a great link on how to do that: http://www.[…] (If it doesn’t work or changes then start with www.cookiecentral.com.)

Assignment #1:
1. Can you reverse engineer the code above to determine exactly what is being done line-by-line? Use Front Page to test your hypotheses.
2. What programming language is being used for the AOL code? Be as specific as possible.
3. Find 5 websites not mentioned within this lab and reverse engineer their code to determine the programming syntax for placing cookies.

Before we start disabling our cookies let’s go out and delete our cookies/cookie entries. Once we are finished then double-check they are still enabled by going out to a website. If you received cookies, then great! Delete the entries/the cookies and follow these instructions to disable cookies from being received on your computer:

Disabling cookies in Internet Explorer:
1. Open the browser window.
2. Select Tools>Internet Options.
3. Select the “security” tab.
4. Click on the button near the bottom of the window called “custom level.”
5. Scroll down to the cookies section (about half way down).
6. Select the “disable” radio button.

It should look like this when you are finished:

If you are using a program that requires cookies like certain software sites (hotmail, et al.), certain E-commerce sites (U.S. cajonshoppe, et al.), and educational sites (space, iteslj, certain links at the University of Michigan, et al.) then you can still disable them and install a program like the “anonymizer” (http://www.anonymizer.com).

Disabling the cookies in Netscape Navigator:
1. Open the browser.
2. Select edit>preferences.
3. Then click on the “advanced” button.
4. Click on the “disabled” radio button.

It should look like this:

Now let’s verify they are not working by going out to Disney. Check your cookies file/folder and there should be no entries/new cookies there. Bingo! That’s what we wanted.

So What Have I Learned Here?

In this lab you learned about the basics of cookies on your computer. Using this information will not cover your tracks on the Internet, but it will, however, keep your cookie-based information from being retrieved when you visit websites. There are other things you will have to do to “erase” your tracks like using proxy servers, history files, recycling bins, etc. But those are other labs too. You received some good entry-level security tips here but should have also realized how much of an important role programming plays in computer security administration. Don’t worry, it will keep becoming more prominent as we move along.

Chapter 17: How to stop those frigging pop-up ads

Ok so in this chapter let me take some time to talk about something that can really tick some people off: pop-up ads. By now, if you have gone through this book a bit at a time, you will have realized things on the Internet are not what they seem and there are usually work arounds for anything. Geeze, does it ever end? Apparently not. Just when people were learning about filtering and stopping access to some sites someone smarter came up with a way to get their ads for enlarging your penis or maximizing your profits through in such a way that had people baffled for a while. Sure, they look real, they seem real, and if you click on any of their links they will take you to actual websites, but they are just programs running on your own computer designed to take you to a place where you can buy something. The bottom line to any event is that it involves some aspect of programming. We saw it back in the chapter on passwords and how things are stored in the user.dat file, we saw it in the section on cookies, we saw it in the port scanning chapter. Before I get into the actual registry settings let’s go over a few other things. What we need to do instead is first start off with how pop up ads work…from a hacker’s perspective.

What a pop-up ad does is just what it sounds like: it pops-up when you open an Internet window. The real annoyance is that it usually doesn’t open just one window; you usually get many windows opening, usually when you try to close your other windows. Actually pop-up ads are not really pop-up ads; they are actually “mini” programs that are activated from settings in your registry. How the instructions get into your registry varies upon where you were first “infected” by the “pop-up” program(s). Some people used their knowledge of DOS to run a list of active network connections to identify from “where” the IP addresses of these ads were coming. No good, because the addresses were spoofed (fake). The addresses that appear are fake and are actually randomly generated within your own computer and that is why “filtering” the address (which is fake) does no good. Still others tried to “up” the security levels of their Internet Explorer window and all this did was make it difficult to do anything on the Internet.

The “Ultimate” way to stop Pop-up ads

Obviously by not going on the Internet you will not have any pop up ads, but that probably will not be so. First, if you have been “infected” by a pop-up ad you can go and “restore” your computer which just cleans up your registry. Without creating a restoration point this can really suck. First of all it means you will go all the way back to having your computer restored to the day it was bought, meaning everything will have to be re-customized and re-installed. That can really suck, especially if you have software that was registered on line with a company that is now legally shut down (like DVD Xcopy).

So, let’s show you how to make a system restore point. First, using your start button, pull up the help menu: Then, you can see under the “Pick a task” section the third selection “undo changes to your computer with system restore.”

Then on the next screen you can give your “new” restoration point a name: Then, later, you can select your restore point. Basically what you are doing is creating a new copy of your registry that has all of your modifications on it. If you start running into pop-up ads then all you have to do is restore your registry and the pop-up ads will disappear. So, I would recommend loading all of your stuff on your new computer, creating a restore point and then going and playing on the Internet. That is the easiest way to stop pop-up ads.

Let’s take a second and talk about the “alternatives.” Many people like to recommend using Adaware, Spybot, or some other program for removing pop-up ads. All those programs are nothing more than utilities that modify your registry. I was playing around with them for this chapter and Adaware actually stopped the pop-up ads but also removed all of my drivers for my CD-rom and DVD burners. I had to restore my registry again to get my drivers back. Once again, this seems to be the easiest way to fix the problem.

Ok, now let’s dig a bit into those registry settings to see exactly which ones are changed. If you know a bit about computers then you know that any time you modify your registry you run the risk of things not working. Murphy’s Law really applies to the registry: what can go wrong usually will. Unless you know what you are doing you should never get into the registry, even to look.

If you have never gone into the registry the easiest way is to use the start button on the taskbar and select run “regedit.” Then your registry will open up in its own little window: What we have here in the left panel is sort of the “folder” that the “setting” is contained within (the right panel). On the right side you can add a value, its type, and set the data. Please keep in mind that each pop-up ad program is unique and may be in one or several places. What I am about to give you is an example of one style of pop-up ads when someone uses Internet Explorer AND this pop up ad program tailors the ads towards the URL’s used in IE to increase the likelihood of purchase through communication with an off-site server. This program is called “Apropos/media5” which can be installed by a program called “wildmedia.”5 This one, unlike others, can be seen in the add/remove programs window.

5 From http://www.doxdesk.com/

It will be called something like “AM Server,” “SysAL,” or “CtxPls.” That should take care of removing it but I want to give you the registry stuff. First, after opening the registry navigate to the following folder:

    HKEY_CLASSES_ROOT\CLSID

Under there will be several folders that need to be deleted:

    {655FD3BC-C314-4F7A-9D2E-64D62A0FDD78}
    {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778}
    {823A3E7-AB95-4C23-8313-0BE9842CC70E}
    {976C4E11-B9C5-4B2B-97EF-F7D06BA4242F}
    {B3BE5046-8197-48FB-B89F-7C767316D03C}

Then open this folder:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and delete these entries:

    AutoUpdater
    POP

Finally you have to delete some folders:

    HKEY_CLASSES_ROOT\POP.Server[.1]
    HKEY_CLASSES_ROOT\PopAd.Server[.1]
    HKEY_LOCAL_MACHINE\Software\POP
    HKEY_CURRENT_USER\Software\POP

There also are some variants for this particular pop up ad generator but you can go to the website to find out more instructions. These pop up ads are nothing more than programs that are installed on your computer. It’s just up to you to make sure they are cleaned off properly.

One last point about the registry: I tried to make my registry read-only and it creates many problems. I thought if no one could write into my registry then it would be an easy way to stop pop-up ads for everyone. The only problem is the registry is a workplace for the operating system and it really needs to be accessible. Oh, and before you try it, I also tried changing the directory to a “hidden” directory and it didn’t work either. I prefer the system restore option for best results.

Mozilla

Let’s think this thing through a bit…hackers hate Microsoft. Microsoft is used on the majority of computers. Hackers write programs to take advantage of exploits in Microsoft. Most pop-up ads are written to be used and enabled through Microsoft Internet Explorer. The answer is seemingly simple: ditch using Microsoft. Ok, so most people will not want to do that, so what you can do instead is ditch Microsoft Internet Explorer. Instead we can download and use another browser. I would say use Netscape Navigator but that is too popular too. Same problems, different channel. Instead I like to use the Mozilla Firefox browser on the computer for my wife. Heck, she really doesn’t know the difference. It is very similar in appearance and usage to IE. Plus, it is open source so that is good too. Interestingly enough when I picked up the paper this morning it contained an article about one of the primary developers of Mozilla. You just got to try it. See? It even looks like IE but without any of the problems. If you select tools>options you will see some of the options available to you in Mozilla:


Chapter 15: E-mail and SPAM

• Introduction
• E-mail etiquette
• Acceptable use of e-mail at work
• What to do with SPAM once you receive it
• What about using my home e-mail account on the school network?
• Geek stuff: SPAM basics
• Summary

I would bet you would be very hard pressed to find someone in a school, who deals directly with students, that does not use e-mail in some fashion. Oh sure, some of the facilities people may not, but we are still dealing with a very small number. Even still, proper use of e-mail has never really been taught. Just like you may have been instructed on how to answer the phone, how to transfer phone calls, or how to use voice mail, you need to learn how to use e-mail. The case I am trying to make is that most people have never been instructed on e-mail etiquette and proper use in the work place. In this chapter we will be discussing e-mail etiquette, using e-mail at home and work, and finish with some geek stuff on e-mail (Spam).

E-mail etiquette

As a youngster you were taught many etiquette basics like closing your mouth when you chew, not to slurp your soup, and keeping your elbows off the table. Similarly we will now look at some e-mail etiquette. Your typical etiquette basics apply when you are writing e-mail. When writing an e-mail you should try to keep everything in a business-like fashion. Try not to abbreviate or be too informal. Just remember at some point someone may be printing any e-mail you write out for a file someplace. The one I find most people not following is TO NEVER USE ALL CAPITAL LETTERS WHEN WRITING E-MAILS BECAUSE IT SEEMS LIKE YOU ARE SHOUTING AT THE RECIPIENT. Ok, so there may be some times when you need to use capitalization but that is ok when it is used sparingly. As always, when you are writing an e-mail to your boss or higher up remember to keep your e-mails short, professional, and to the point. Let’s look at a couple of examples:

Bad email

HEY! LET”S GO OUT AFTER WORK AND GET SOME BEERTH! THIS FRIGGIN CASE IS JUST CHAPPING MY BUTT BIG TIME. SNOOGINS

Good email (rewritten)

Your presence is requested for a case overview meeting after work tonight. Please R.S.V.P. Mr. Lovelace

When to use BCC

As a general rule you want to almost never use the BCC feature except in very select cases. By using it frequently you will build layers of mistrust between you and your fellow co-workers, so you should only use it in very select circumstances. For example, when my boss has told me to communicate something in private to a faculty member I will use BCC to my boss just to let them know the task was completed. Of the several thousand e-mails I have sent in the past two years I probably only used the BCC feature about 10 to 20 times.

Acceptable use of e-mail at work

It’s almost a common theme throughout this manual: keep “play time” stuff at home and work stuff at work. Tell people to not send those jokes to your work e-mail account. If they must send them, then have them send them to your home e-mail account. I know it is all too easy to get a chuckle out of some funny joke that someone has forwarded to you but you need to break that chain. I know it sounds harmless but think of what we just talked about…hackers using software to gather e-mails to generate target mailing lists. Have you ever looked at the list of people those jokes have come from? Talk about an easy mailing list. When you forward an e-mail you have just added your name to a list of good e-mail addresses that can be used for unsolicited e-mail or SPAM. Computer hackers commonly use network tools that allow them to capture e-mail packets as they travel across the Internet. With a massive carbon copy list (CC:) attached they can get a large amount of information in a short time. Once the hackers have this information they usually re-sell the information to companies who, in turn, send you unsolicited e-mail or SPAM. We will look at SPAM in our geek stuff section later in this chapter.

HIPAA

In the health industry they have adopted some legislation regarding privacy of medical records. I think all educators, and not just the ones in the medical fields, should follow some of these policies, including proper use of e-mail. For example, one of the provisions in HIPAA (the Health Insurance Privacy Portability Act) tells us that we are not to send out e-mails to a bulk list. This is because any one of the recipients could then have a “target” mailing list ready to go. Therefore they have to send out e-mails one at a time. HIPAA helps make this more difficult. There are software companies who are making programs that will still let you send out e-mail in bulk while still concealing the entire mailing list, which we will probably see really soon. Let’s look at one now.

So, without further ado, let’s take a bit of time to look at spam.

What is SPAM?

Ok, in my opinion no one really has the balls to come right out and define spam succinctly, so there exist many different pseudo-definitions of spam. They all seem to be worried about how their definition may interfere with their business or future business dealings. Networking geek types have thought about spam-like problems since before they even became problematic. RFC1234 discussed the problems of mass solicitations using electronic communications and how they may be able to prevent them from becoming problems. One such problem they hoped to solve was to give network administrators manageable tools for filtering, especially emails on the border of the network. The logic was simple: to re-organize the naming system to make it easier to find things and to make it more efficient for network administrators to manage. The primary domain names were *.com (for commercial enterprises/businesses), *.edu (for schools), *.org (for not-for-profits), *.net (for networking companies), *.gov (for governments), *.mil (for military), and others. We quickly saw us running out of room in the primary domain names and wanted to give the world more flexibility. The next big “push” was to create second level domain names (SLD’s), some second level domain names like *.adv (for advertisers), *.porn (for adult-oriented pornography), *.rec (for recreational sites), *.arts (for arts), *.mus (for museums), and others. In fact, early “spam” could be controlled by placing a simple filter to stop all electronic communications with *.adv or *.porn. A couple of easy steps and the problem is solved, right? Wrong. You see, the advertisers and pornographers argued that they are businesses too and, thus, eligible for *.com status. Whammo. Oh sure, great idea…poor execution. Somebody needed the nuts to make a naming system that was mutually exclusive and exhaustive and I think it is too late to do it now.

In fact, as the Internet started to become more prevalent and commercialized an attempt was made to “regulate” (if you will) electronic mail. First, the government thought about perhaps placing a tax on electronic transmissions, much like a stamp is required for a letter. The reason was simple: the government thought they were going to lose a bunch of money from people not sending letters anymore and, thus, the post office system would be shut down. Yet, quite the opposite occurred. In fact, the business of the post office grew from the amounts of people buying stuff on the Internet and shipping it through the post office. However, we have seen states enact anti-spam laws and even the government coming out with a “canned-spam” act that will probably accomplish very little.

With this background in mind spam has become a major headache for users and network administrators with no logical conclusion in sight. In fact, some companies have written software to probe websites and gather e-mail addresses. Think about our website…we have a directory of all employees and their e-mail addresses. It wouldn’t take much to get all that information and start sending bunches of advertisements or solicitations. If, by chance, you do happen to get some advertisements or SPAM then you should NEVER click on the link “remove your name from the list.” Many times these bulk mailers are used to send out e-mails and clicking to remove your name from the list only validates that a live address exists. This will only bring you more advertising and SPAM.

What to do with SPAM once you get it

At home? Just delete it. I know, you were expecting me to say I delete them, but I like to keep the little buggers and pull them apart to see how they work. I only delete about 10-15 spams every day and I am kind of “out there” in the public eye. I do get my share of virus-laden emails and trojans shipped over to me, but I just shoot them off to a . Unless of course you are a prosecutor for the government working on DMCA cases…then I just delete them. At work? Just forward it to the network administrator of your company. They, in turn, can possibly filter it out on the border and send it on to the FTC if necessary. If you are at home, then the Federal Trade Commission also would like to have unsolicited advertisements (SPAM or otherwise) sent to them (uce@ftc.gov). There are also anti-SPAM websites. Try searching for some of these.

Where I think the problem lies is with forming a concrete definition of spam and forming legislation and partnerships between industry, citizens, and the government. No one has defined spam and electronic communications; they just loosely talk about it and then build legislation and arguments on shaky foundations. There have been some legal discussions about how much spam is costing businesses. Some have been saying it is chewing up as much as 25% of someone’s workday deleting spam. I think they are way off base. In my opinion electronic communications should be separated into two categories:

(1) Non-commercial electronic communications—this would include emails from person to person not of a commercial nature.

(2) Commercial electronic communications—this would include emails with respect to a commercial enterprise, offering, or solicitation for business.
(a) “Legitimate” commercial electronic communications—this would be the commercial enterprises who, following a set of standards, would make it easier for network administrators to control at the border by filtering. Including “ADV” or “PORN” in the subject line may be two such examples of standards. By following a set of standards they would be immune from prosecution for spamming.
(b) “Illegitimate” commercial electronic communications—this would be those enterprises, commercial or otherwise, that use falsified information in electronic communications in anticipation of receiving responses or business. This is what I believe is “spam,” not the other categories.

I really think this is THE definition we have been needing. During the course of this chapter you will learn more about spam and what I mean by falsified information. I will talk more about this definition in the conclusion of this chapter.

What about using my home e-mail account on the school network?

There exists a gray area in the legal realm about using a private e-mail account on a school (or business) network. This issue becomes even murkier when you toss in using the private account during your non-working hours like over lunch or on your

designated “break” time. Most of these rulings hinge upon the acceptable use policy, the training mechanisms, and the interpretations of the laws in place. In some instances the courts have ruled in favor of the employer being able to read your email, since it travels over the employer-owned network. In other cases the courts have ruled in favor of the employee, for invasion of privacy reasons. Leave it to lawyers, huh? Since you are in a training course about acceptable use of network resources I would say reasonable effort has been made towards letting you know not to use your private email account on the employer network. If you do use the private email account over the employer network then you are accepting the fact the employer has the right to monitor all transmissions on their network. Does this make you mad? Well, there is one simple thing you can do to prevent it: Don’t use your private email account at work! I would highly suggest, given the proclivities and innuendos in variations of the laws, that you do not use your private email account at any time while at work.

Geek Stuff: SPAM Lab

What is SPAM?

SPAM has many different definitions depending upon which source you are using. If you are using Hormel Foods as your source, then SPAM is a pork-related food product. If you are in the theatre then SPAM is the theme of a Broadway play. If you are a television aficionado then you know about SPAM from the Monty Python skit. As network administrators, however, SPAM can more accurately be defined, in my opinion, as the reception or transmission of an unwanted or unsolicited electronic message or messages that use falsified information that prevents filtering or replies.

The exact origination of SPAM has been the subject of many debates over the years. Generally most will agree that SPAM, or a closely-related version of SPAM, really “hit the scene” on April 12, 1994 when two lawyers hired a programmer to write a program that would advertise their services on every news group on the Internet. The lawyers, in turn, were flooded with nasty phone calls, faxes, and emails denouncing their soiling of their particular news group. Oh, did I mention they went through disbarment proceedings too? Notice again how the “roots” of computer security involve programmers. From this incident people quickly started calling unwanted emails or postings “SPAM.” Like so many other computer-related innovations SPAM had good intentions that were perverted by malicious users. Oh, you have seen them: “Make money fast,” “Lose 20 pounds in 20 days,” “Get rich quick,” “Earn $3,000 a week by working at home,” and the ever-popular chain letter “send this to 10 people within 10 minutes or else blah, blah, blah.” One of the reasons SPAM has gotten a bad rap is that SPAM is predominantly used in con-artist scams. The SPAMmers go to great extents to make their SPAMs look legitimate, even using legitimate-sounding return e-mail addresses (which are actually spoofed (faked)). Usually the return address in a SPAM message is spoofed (faked) or undeliverable, which is what helped create the negative attitude towards SPAM. SPAM really does not hurt the average user too much. We can quickly delete two or three SPAM messages from our in-box. It does, however, affect the ISP’s. Think about an ISP like AOL with its millions of users. Multiply each user by 2 or 3

SPAMmed messages and you can see that the SPAM can quickly sap the resources of an ISP. Let’s take a few minutes to look at the legal side of SPAM. “Is sending SPAM illegal?” This question is really churning up the discussion groups in legal circles because of the sheer number of topics to which SPAM is applicable: trespass to chattels (a legal term related to denial of service), privacy, freedom of speech, censorship, jurisdiction, acceptable use policy loopholes, and intellectual property. In fact, Cyberpromotions, Inc., alone, seems to be keeping the lawyers busy to no end at Internet Service Providers like AOL, Compuserve, Prodigy, Earthlink and others. I counted over a couple dozen lawsuits with different ISP’s against Cyberpromotions Inc. In general most advertisers agree that using SPAM is unethical and immoral. But some advertisers still use it. Most defense attorneys use comparisons to other forms of advertising when attempting to defend what their client did. They talk about television and broadcast advertising, or even use the phrase “target marketing” or “telemarketing.” For some lawyers it is not about right or wrong but about winning the case at all costs, and they will search for any loophole or angle that may give them that chance of winning.

Now, armed with a bit of background knowledge about SPAM, let’s start up some labs to more fully understand SPAM and what we can do about it as network administrators. SPAMmers do have some definite playgrounds upon which they hunt for their prey. USEnet groups, message boards, and websites where people enter information about themselves (including credit card numbers) are the favorites. This brings us to:

SPAM Rule: Never use a real e-mail address or real names in USEnet groups, message boards or on websites.

I am not saying you should lie on the Internet, but that you have things you can do to minimize your chances of being exploited on the Internet. If you will be chatting in these rooms then you should consider setting up a “dummy” account to use. Usually ISP’s give you more than one account or you can create one with the free email services like hotmail, Yahoo, or Netzero. This way the SPAM will come to that account, not to your real account.

How can I get some SPAM to play with?

Unfortunately this is very easy to do. In fact, just about everyone with Internet access can just wait a couple of days and they will probably find you eventually. But we can be impatient folks, so let’s find out how to force SPAM to come to us and, in the process, we will learn what not to do when roaming around the Internet. In earlier labs I taught you to never believe anything until you see it…so let’s test out our rule by making a dummy account and seeing just how fast our in-box fills up with SPAM.

” These sites change everyday so you may have to be creative.13) with ESMTP id MAILINXC24-0620122229.yourbigvote. I copied and pasted the text into a word document for reverse engineering from a slightly different email: Return-Path: <ThursdayFun@yourbigvote. The best way to start the SPAM rolling in is to buy something on-line but we don’t want to have to go to that extreme. Or you can try going to a website and registering for some free stuff…let’s get something for free and useful while we are at> Received: from rly-xc03. with ESMTP id MAILRELAYINXC3100620122218. There are many different ways to do it. Subj: Internet Millionaire Guarantees Your Success! Date: (rly-xc03. 4.136]) by (v86_r1. 18 Jun 2002 1:51:52 PM Eastern Daylight Time From: Shawn Casey<TuesdayFun@yourbigvote. Make it something catchy if you would In a couple of days (if not sooner) the SPAM should start rolling in. Let’s go out to a message board… b. Just remember that because you created a dummy account doesn’t mean you have cookies and settings in your computer that give your true identity away. Click on remove me from the list. Examining the SPAM…what’s all that stuff? ( Now is a good time to think of a nifty little alias or nickname to use. [216.yourbigvote. (optional) Go out to a search engine and search for “free email 20 Jun 2002 12:22:29 -0400 Received: from MAILER119.119]) by rlyxc03. 20 Jun 2002 12:22:18 -0400 38 .101. #1: and set up a “dummy account” for so this is the part of the chapter where I am going to show off some of my collection of spam and interesting [172. Ok…if you are over 18 you can go to a porn site and then you will receive more SPAM than you want in your account. The first thing to do with a message that appears to be SPAM is examine the headers. Now we probably could wait a few days and we would start seeing some SPAM come in…but let’s force it a bit. Imagine being zerocool@hotmail. 
Navigate to www.COM Sent from the Internet (Details) Next you should see a window appear with all of the (mailer119.> To: *******@aol. Open an IE or NN browser window. With AOL click on the “details” button under the “to” window.mail. c. (PowerMTA(TM) v1.0 Content-Type: text/plain Date: Thu. You may see something like EST (-0600) or EDT (-0500). Why? Well…just like a detective…we have clues that tip us off about the message. In the example above this email came from someone who has an AOL> Received: from [172. Fake addresses in SPAM’s are usually slightly different. We are looking for matches with time zones as they relate to Greenwich Mean Time (GMT). The stuff about the time? That’s next. Same one that I changed to look like a bad time zone: Return-Path: <ThursdayFun@yourbigvote. 20 Jun 2002 09:19:15 -0700 (envelope-from <ThursdayFun@yourbigvote. Obviously this is wrong. [172.13) with ESMTP id (]) by air-xc02. Thu. and the program used to send the email to you (from the destination). Eastern Standard Time (EST) is 5 hours less than GMT (denoted as –0500). 20 Jun 2002 12:22:29 -0400 Notice how it does not necessarily include time zone information. through the AOL mail server to my AOL (rly-xc03. One of the dead give-aways about an email that comes from “questionable” sources is the time zone listed in the headers.mail. Here are the rest: 12-12:59 am A 12-12:59 pm M 1-1:59 B 1-1:59 N 39 .com (v86_r1.mail. 20 Jun 2002 09:19:15 -0700 Message-ID: 200206201222.13) with ESMTP id MAILINXC24-0620122229.105.As Low As $10 a Month! From: Insurance For Less<ThursdayFun@yourbigvote. Any SMTP program had a message id number that starts with a letter. 20 Jun 2002 12:22:29 EST (-0600) The “Received: from” field lists who the email comes MIME-Version: 1. For the probable bad one with a known good one…): Return-Path: <ThursdayFun@yourbigvote. Also be sure to check for corroboration with the SMTP time> Received: from rly-xc03. 
what firewall device you may have that may have re-directed it to you.yourbigvote.136]) by air-xc02. Many times when you go out to the web and sign up for things you neglect to de-select those little boxes “send me information” or “keep me informed…” According to the headers above I would not hesitate to send an email back to this vendor to be removed from their email>) Subject: You Can Buy This Life Insurance . appears to be a legitimate> To: *********@aol.Received: by This while it may be SPAM. During daylight savings time EST becomes EDT (-0400).mx. Let’s look at a good one first (that is a good tip when trying to figure out when something goes bad….com (v86_r1.” If it is not then it is a good bet the email has been spoofed (faked).aol.5). If your email was sent between midnight and 12:59 am then the first letter should be an “

    2-2:59 am     C      2-2:59 pm     O
    3-3:59 am     D      3-3:59 pm     P
    4-4:59 am     E      4-4:59 pm     Q
    5-5:59 am     F      5-5:59 pm     R
    6-6:59 am     G      6-6:59 pm     S
    7-7:59 am     H      7-7:59 pm     T
    8-8:59 am     I      8-8:59 pm     U
    9-9:59 am     J      9-9:59 pm     V
    10-10:59 am   K      10-10:59 pm   W
    11-11:59 am   L      11-11:59 pm   X

Another good tip off that this is a “good” SPAM is the return address. Make sure it looks like a good address. You can also check the return address for validity: if you are feeling particularly gutsy you can click on reply, then send, and see if it is sent or returned as undeliverable (bear in mind the warning later in this lab that a reply also tells the sender your address is live). Fake ones tend to use bizarre combinations. You may see just numbers or a name instead of an actual return address. Many times they are “spoofed” (faked). Look at this one and you can see a really bizarre address:

    Return-Path: <>
    Received: from aslan.spjc.… by … (Netscape Messaging Server 4.15) with SMTP id GXWM7T00.…; Tue, 18 Jun 2002 09:45:29 -0400
    Received: from acfw2 ([192.168.76.4]) by aslan.spjc.… (Postfix) with SMTP id 0697D26494 for <******@spjc.…>; Tue, 18 Jun 2002 09:44:59 -0400 (EDT)
    Received: from … (unknown [212.188.…]) by …; Tue, 18 Jun 2002 09:27:29 -0400 (EDT)
    Date: Tue, 18 Jun 2002 17:48:15 +0400
    From: "Farmgirl31272" <MAILER-DAEMON28812@port.…>
    To: <bashamm@spjc.…>
    Subject: Real ZOO web site, welcome! ID<edvkdppCvsmf1hgx>
    X-Priority: 3
    X-Mailer: The Bat! (v1.53d)
    Mime-Version: 1.0
    Content-Type: text/html, charset="ISO-8859-2"
    X-Set: edvkdppCvsmf1hgx@5536
    Message-Id: <….0697D26494@aslan.spjc.…>

It does not come from Farmgirl31272@port.… but has that addition of <MAILER-DAEMON28812…>. We can also see the X-Set address is weird: edvkdppCvsmf1hgx@5536. Good tip off. Note also that the Date: header claims a +0400 zone while every relay that handled it stamped -0400, and that the Message-Id was generated by our own Postfix relay (it carries aslan’s queue id 0697D26494) rather than by the sender, which is why the “The Bat!” X-Mailer line means nothing.

Addressing can even be taken to another step…in fact those malicious hackers even laugh about how “ignorant” we can be about addressing. Sometimes addressing information is contained within parentheses. Look for IP numbers that are not “useable” IP addresses: network numbers, subnet numbers, reserved numbers, and numbers greater than the valid range. (The acfw2 hop above, 192.168.76.4, is a private RFC 1918 address: an internal device, not the Internet originator. The hop before it, 212.188.…, is the first public address and the one worth looking up.)
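To make the checks above mechanical (zone name against numeric offset, Date: against the first Received: stamp, and the sendmail queue id against the relay’s clock), here is an added Python example; it is not from the book. It decodes both sendmail queue-id formats: the old one, where the first letter is the hour table above, and the 8.12-and-later one, where the first six characters are year, month, day, hour, minute and second in base 60 (UTC). It runs over a constructed header set: the relay names and addresses are made up, while the queue id j0AE9AVE004618 and its 09:09:10 -0500 stamp are borrowed from the eBay phish later in this lab, with the zone rewritten the way the text does above.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Zone abbreviations and the numeric offsets they must agree with.
TZ_OFFSETS = {"UTC": "+0000", "GMT": "+0000",
              "EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500",
              "MST": "-0700", "MDT": "-0600", "PST": "-0800", "PDT": "-0700"}

# sendmail's base-60 alphabet for queue ids (8.12 and later).
QID_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx"


def tz_mismatch(date_str):
    """Return a note if a date string carries a zone name and a numeric offset
    that disagree (the "EST (-0600)" trick above); None if they agree or if
    only one of the two is present."""
    abbr = re.search(r"\b(UTC|GMT|[ECMP][SD]T)\b", date_str)
    num = re.search(r"[+-]\d{4}\b", date_str)
    if not (abbr and num):
        return None
    expected = TZ_OFFSETS[abbr.group(1)]
    if num.group(0) != expected:
        return f"{abbr.group(1)} is {expected}, not {num.group(0)}"
    return None


def sendmail_queue_time(qid, epoch=1960):
    """Decode the time hidden in a sendmail queue id.
    8.12-style ids (e.g. j0AE9AVE004618) store year%60, month, day, hour,
    minute, second in base 60, UTC, then a 2-char sequence and a 6-digit pid.
    Older ids (e.g. MAA12345) store only the relay's local hour as 'A'+hour,
    which is the letter table in the text. Returns a datetime, an int hour,
    or None. `epoch` picks the 60-year window for the year (assumption)."""
    if re.fullmatch(r"[0-9A-Za-x]{8}\d{6}", qid):
        y, mo, d, h, mi, s = (QID_ALPHABET.index(c) for c in qid[:6])
        return datetime(epoch + y, mo + 1, d, h, mi, s, tzinfo=timezone.utc)
    if re.fullmatch(r"[A-X][A-Z]{2}\d{5}", qid):
        return ord(qid[0]) - ord("A")
    return None


def queue_id_matches_received(qid, received_date, tolerance_s=120):
    """Does the queue id's timestamp agree with the date the relay stamped?"""
    stamp = sendmail_queue_time(qid)
    when = parsedate_to_datetime(received_date)
    if isinstance(stamp, datetime):
        return abs((when - stamp).total_seconds()) <= tolerance_s
    if isinstance(stamp, int):
        # Old ids use the relay's local clock, the same clock that wrote the date.
        return stamp == when.hour
    return None


def analyze(raw_message):
    """Run the three checks over every Received: line and the Date: header."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received", [])
    report = {"tz_mismatch": [], "date_skew_hours": None, "queue_ids": {}}
    for i, hop in enumerate(received):
        stamped = hop.rsplit(";", 1)[-1].strip()        # the date follows the last ';'
        bad = tz_mismatch(stamped)
        if bad:
            report["tz_mismatch"].append(f"Received[{i}]: {bad}")
        qid = re.search(r"\bid\s+([^\s;]+)", hop)
        if qid and sendmail_queue_time(qid.group(1)) is not None:
            report["queue_ids"][qid.group(1)] = queue_id_matches_received(qid.group(1), stamped)
    date_hdr = msg.get("Date", "")
    bad = tz_mismatch(date_hdr)
    if bad:
        report["tz_mismatch"].append(f"Date: {bad}")
    if date_hdr and received:
        # The bottom Received: line is the first hop; a Date: hours later than
        # that is the DATE_IN_FUTURE tell that SpamAssassin also scores.
        first_hop = parsedate_to_datetime(received[-1].rsplit(";", 1)[-1].strip())
        claimed = parsedate_to_datetime(date_hdr)
        report["date_skew_hours"] = round((claimed - first_hop).total_seconds() / 3600, 2)
    return report


# Constructed sample: relay names, addresses and the Date: value are made up;
# the queue id and its 09:09:10 -0500 stamp come from the phish headers later
# in this lab, with the zone rewritten the way the text does above.
SAMPLE = "\n".join([
    "Received: from aslan.example ([192.0.2.10]) by mx.example with ESMTP; Mon, 10 Jan 2005 09:09:12 -0500",
    "Received: from web152.example (localhost [127.0.0.1]) by web152.example (8.12.10/8.12.6) with ESMTP id j0AE9AVE004618 for <victim@example.test>; Mon, 10 Jan 2005 09:09:10 EST (-0600)",
    "Date: Mon, 10 Jan 2005 13:09:10 -0500",
    "From: eBay <vip-newsletterz@example>",
    "Subject: update your credit /debit card information",
    "",
    "body",
])

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the sample this reports the EST/-0600 contradiction on the second hop, a Date: four hours ahead of the first relay stamp, and that the queue id does agree with the relay clock (j0AE9AVE decodes to 2005-01-10 14:09:10 UTC, which is 09:09:10 -0500). A forged Received: line written by the spammer will usually fail at least one of the three.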
Just use that IP address and do a WHOIS lookup. You can find reverse DNS information here that can be looked up to determine if the stated originator is really the originator. If the address and the results of the WHOIS seem to match then rest easy because you are getting legitimate ads sent to you (better than scams). Here is an example:

    Return-Path: <TuesdayFun@yourbigvote.…>
    Received: from rly-xf03.mx.… (rly-xf03.mail.… [172.…121]) by air-xf02.mail.… (v86_r1.13) with ESMTP id …; Tue, 18 Jun 2002 13:51:52 -0400
    Received: from MAILER121.yourbigvote.… (mailer121.yourbigvote.… [216.101.…]) by rly-xf03.mx.… (v86_r1.13) with ESMTP id …; Tue, 18 Jun 2002 13:51:38 …
    Received: by … (PowerMTA(TM) v1.0) …; Tue, 18 Jun 2002 11:53:44 -0700 (envelope-from <TuesdayFun@yourbigvote.…>)
    Message-ID: 200206181351.04NoPUEa29212@rly-xf03.…
    Subject: Internet Millionaire Guarantees Your Success!
    From: Shawn Casey<TuesdayFun@yourbigvote.…>
    To: …
    MIME-Version: 1.0
    Content-Type: text/plain
    Date: Tue, 18 Jun 2002 11:53:44 -0700

Assignment #2: What would you determine about this email based upon what you see here?

    4763y
    Subj: Check this out!
    Date: Tue, 4 Jun 2002 8:43:50 PM Eastern Daylight Time
    From: Eveirv
    Bcc: Amaffew
    Message text: Hello. It's me, I finally got my pictures online. Come Try it. You should see me i am so hot in these clothes. It's worth a try! Click <a href="http://kirasite.…">here</a>. No Credit Card required. … click <a href="…">Here</a> To see me in action! … To be removed from all future mailings and be unsubscribed from our … 9491h

I did not respond and got this one a bit later:

    4827n
    Subj: Hey
    Date: Sat, 15 Jun 2002 8:52:13 PM Eastern Daylight Time
    From: Ferinos
    Bcc: Amaffew
    Message text: Hello. This is Kira from the chat room. Guess what! I got my camera up finally. I want you to see it. It's free, come try it. all you need to do is <a href="http://adults.…">download</a> this … <a href="http://adults.…">I get a little naughty at times :)</a> … 5793s

This is not a SPAM e-mail:

    SANS is proud to announce two new discount programs for our Teaching Kits and Awareness Training, available only to educational institutions.

    The Intro to Information Security Teaching Kit helps an entry level person get up to speed and meet the training requirements for the GIAC Security Fundamentals certification (GISF) and CompTIA's Security+. Intro to Information Security is available for purchase as part of our new series of licensed course materials called GIAC Prep, making it easy to benefit from time proven training materials with our simple licensing program per student/per course. A starter kit costs $999 (discounted from $3600) and includes six sets of books, practice exams, a set of instructor slides, and rights to use the GIAC Prep Course logo. You can purchase additional kits and practice tests for $250 per student (discounted from $550). For more information on the teaching kits for GIAC Prep's Intro to Information Security, …

    SANS Security Awareness Training is a new on-line training program to inform your general user population about the risks that they face and the simple countermeasures that they can take, regardless of their technical skills and abilities. Real-life stories illustrate the do's and don'ts of basic security awareness, and quiz questions are integrated to reinforce key concepts. A special discount has been put together just for educational institutions of 500 or more students and faculty. SANS is offering a special rate of $1 per user, a significant savings from the regular price of $10-$50 per user. This discount is being offered to provide an opportunity for students to learn SANS Security Awareness Training before entering the job market, and for the faculty who will be teaching our future leaders of the world. Please note that this discount is non-transferable and all of the users must be from an .… address. Any abuse of this discount will be cause for termination of this special offer and non-refundable automatic termination of the accounts. To purchase Awareness Training at the special discounted rate, please register at https://store.….php?item=106. If you have any questions, please write to securityawareness@sans.org with the number of users you are looking to train in this program.

    Brian Correia
    Director, Business Development & Venue Planning
    SANS Institute
    www.…
    brian@sans.org
    703-968-0103 (Phone/EST)
    703-830-0520 (Fax)

Some more examples from my file O’ Spam (yeah, I collect them…I keep them with my viruses…tee-hee-hee):

    Dear friend,

    Due to my sensitive position in the South African Government, I would not want you to phone or fax me. I am currently a high ranking government official in the ruling cabinet of President Thabo Mbeki (South Africa). I am contacting you to front as a co-owner and beneficiary of funds (US$25,000,000.00) due for an executed contract here in South africa. This funds emanated as a result of an over-invoiced contract which Sentech (Pty)Ltd, a communications company executed with the Government of South Africa. This funds are a result of over-invoiced proceeds of a contract I helped a South African based company secure and is yet to be paid out by the Reserve Bank of South Africa. As the contract was executed in my present government department, be rest assured that I will use my position to approve the immediate release of the entitlement. I want your assistance to front as a co-owner of this company (SENTECH [PTY] LTD) to facilitate the release of the funds. I am afraid that the government of South Africa might start to investigate on contracts awarded from 2000 to date. If they discover this money yet unclaimed with my name linked to it, the government will confiscate the money and this will definitely affect my political career in Government. Because of my sensitive position as serving government …, I will introduce a very good attorney to assist us with the transfer process without any hitch but he will not be told my interest in the transaction as I play a very sensitive role in my … The lawyer I will recommend to assist us will be representing our interest at the Reserve Bank of South Africa and all necessary quarters. All future correspondence must be made either to the attorney or myself. As soon as the funds is release to your name, you are expected to move it immediately into your personal bank account in your country. As soon as you have confirmed receipt of the funds into your account, I will arrange to meet with you, we shall discuss your percentage for your … I am reposing huge trust on you regardless of your being a total stranger. I will only give you more details of myself when we proceed further and I am sure of your sincerity. If you agree to my proposal, please endeavour to send me an urgent reply to, sepeivy@k… Thank you.

    Dr. Ivy Matsepe-Casaburri
    MINISTER OF COMMUNICATIONS
    Honesty and transparency, they are my best work tools

    --------------------------------------------------------------------------------
    Confidentiality Notice: The information in this e-mail is confidential and may also be the subject of legal privilege. It is intended solely for the addressee. If you are not the intended recipient, please notify me immediately. You are hereby placed on notice that any copying, publication or any other form of dissemination of this e-mail or its contents is prohibited. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.
    --------------------------------------------------------------------------------

What a total crock! Sure, it looks legit but one thing you can count on with a good chunk of SPAM is it will contain spelling errors, grammar errors, etc. Since when does a high ranking government official not capitalize “africa” anyways? Let’s look at another…

    Dear valued customer

    It has come to our attention that your eBay Billing Information records are out of date. That requires you to update the Billing Information. If you could please take 5-10 minutes out of your online experience and update your billing records, you will not run into any future problems with eBay's online service. However, failure to update your records will result in account termination. Please update your records in maximum 24 hours.

    Please click here to update your billing records. http://billing.ebay.…

    Once you have updated your account records, your eBay session will not be interrupted and will continue as normal. Failure to update will result in cancellation of …, Terms of Service (TOS) violations or future billing problems.

    Thank you for your time!
    Marry Kimmel, eBay Billing Department team.

    As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions. Copyright 2004 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners.

    eBay and the eBay logo are trademarks of eBay Inc. Copyright © 1995-2004 eBay … All Rights Reserved. Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy. eBay official time

Yeah…ok…it looks legitimate enough. There are some other hints here that this is a SPAM…let’s look in the headers (In Outlook double-click on the message, then View>Options):

    Microsoft Mail Internet Headers Version 2.0
    Received: from aslan.spcollege.… ([66.…]) by … with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Jan 2005 09:09:12 -0500
    Received: from mailrelay.megawebservers.… (mailrelay12.… [216.…]) by aslan.spcollege.… (Postfix) with ESMTP id DF0A770185 for <…>; Mon, 10 Jan 2005 09:08:01 -0500 (EST)
    Received: from web152.megawebservers.… ([….152]) by mailrelay.… (8.12.…) with ESMTP id j0AE9AT6012437 for <bashamm@spcollege.…>; Mon, 10 Jan 2005 09:09:10 -0500
    Received: from web152.megawebservers.… (localhost [127.0.0.1]) by web152.megawebservers.… (8.12.10/8.12.6/SuSE Linux 0.6) with ESMTP id j0AE9AVE004618 for <bashamm@spcollege.…>; Mon, 10 Jan 2005 09:09:10 -0500
    Received: (from Unknown UID 30500@localhost) by web152.megawebservers.… (8.12.10/8.12.6/Submit) id j0AE9Avf004617; Mon, 10 Jan 2005 09:09:10 -0500
    Received: by aslan.spcollege.… (Postfix, from userid 501) id …; Mon, 10 Jan 2005 09:08:00 -0500 (EST)
    Message-Id: <200501101409.…>
    Date: Mon, 10 Jan 2005 09:09:10 -0500
    From: eBay <…>
    Reply-To: aw-confirm@ebay.…
    To: bashamm@spcollege.…
    Subject: update your credit /debit card information on your eBay account
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit
    X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on aslan.spcollege.…
    X-Spam-Level: ***
    X-Spam-Status: No, hits=3.2 required=20.0 tests=AWL,HTML_TAG_BALANCE_A,HTML_TAG_BALANCE_BODY,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,SUBJ_YOUR_DEBT autolearn=no version=2.63
    Return-Path: vip-newsletterz.…
    X-OriginalArrivalTime: 10 Jan 2005 14:09:12.0364 (UTC) FILETIME=[F5D3FEC0:01C4F71D]

Where the heck is the E-Bay dot com part? Oh sure, they may use megawebservers but it would be highly unlikely E-Bay would not use the correct return path. This is becoming a classic SPAM email using a technique known as “Phishing.” The SPAMMERS/Hackers are fishing for your information to steal your stuff. If you don’t know who it is, or if it sounds too “good” to be true, then delete it. Never use the personal stuff over the net…enough said?

Let’s “test” our theory by sending an email to E-Bay and see what the return headers “say.” I navigated through their help system to find something that would send me an email response…to here: http://pages.ebay.….html Then I sent an email requesting instructions on how to use Ebay…they should send me the link with instructions or at least send me an email telling me they received the email and I would be getting an answer soon. Then we can check the headers to see if the return paths match. You probably won’t have to go through all of this but it is fun all the same. Sure enough in about 5 minutes I got a reply…here are the headers:

    Microsoft Mail Internet Headers Version 2.0
    Received: from aslan.spcollege.… ([66.…]) by SPCollege.… with Microsoft SMTPSVC(6.0.3790.211); Thu, 13 Jan 2005 12:52:06 -0500
    Received: from smf-klm-02.corp.ebay.… ([…]) by aslan.spcollege.… (Postfix) with ESMTP id A70DA7008D for <Basham.Matt@spcollege.…>; Thu, 13 Jan 2005 12:50:51 -0500 (EST)
    Received: from [10.…] (HELO rhv-kas-11.corp.ebay.…) by smf-klm-02.corp.ebay.… (CommuniGate Pro SMTP 4.…) with SMTP id 49834794 for …; Thu, 13 Jan 2005 09:48:29 -0800
    Received: by aslan.spcollege.… (Postfix, from userid 501) id 4BDE77008E; Thu, 13 Jan 2005 12:50:50 -0500 (EST)
    Precedence: bulk
    Auto-Submitted: auto-replied
    Date: Thu, 13 Jan 2005 09:48:30 -0800
    To: <…>
    Subject: Thank you for writing to eBay's Support Team (KMM26135441V38508L0KM)
    From: eBay Customer Support <cswebhelp@ebay.…>
    Reply-To: eBay Customer Support <…>
    Message-ID: <auto-000049834794@smf-klm-02.…>
    MIME-Version: 1.0
    Content-Type: text/plain, charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    X-Mailer: KANA Response 6.…
    X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on aslan.spcollege.…
    X-Spam-Level:
    X-Spam-Status: No, hits=0.3 required=20.0 tests=AWL,SUBJ_HAS_UNIQ_ID autolearn=no version=2.63
    Return-Path: …
    X-OriginalArrivalTime: 13 Jan 2005 17:52:06.0271 (UTC) FILETIME=[988980F0:01C4F998]

Yup…we have mostly confirmed the first email was not a legitimate email…oh sure maybe EBAY used a mass mailer to ask everyone for their information but they know better after all the phishing scams that are out there…Here is another golden oldie to get you to a site and steal or coax stuff out of you:

    Browsing through the CNN website I came across this CNN article which seems to be about you: http://…cnn.… [the link in the message actually pointed at a …liquidshirts… host]
    Yours,
    Jennifer Hawkings

Here is an example of an email that was stopped at the firewall as suspected SPAM. Certain words or phrases are assigned “points” and once you pass the pre-set threshold it is flagged as possible SPAM:

    Spam detection software, running on the system "aslan.spcollege.…", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or block similar future email. If you have any questions, see spamd@aslan.spcollege.… for details.

    Content preview: DEAR FRIEND: DO YOU WANT SOME EXTRA CASH? This is an UPDATED and IMPROVED version of a highly successful marketing program that is making people WEALTHY. It can easily make you many thousands of $$$ in the next few months. I know you have seen claims like that before, but we want to be good, and take the time to carefully read this ENTIRE letter. After you have read it all, if you still think it is nonsense, throw it away and you will have lost nothing. But I think you will keep it once you realize its potential. If you would enjoy honestly making big money from home, act on this offer today! [...]

    Content analysis details: (37.5 points, 20.0 required)

    rule name             description
    ----------------------------------------------------------------------
    EARN_MONEY            BODY: Message talks about earning money
    NO_INVESTMENT         BODY: No Investment
    MLM                   BODY: Multi Level Marketing mentioned
    ORDER_REPORT          BODY: Order a report from someone
    RISK_FREE             BODY: Risk free
    INVALUABLE_MARKETING  BODY: Invaluable marketing information
    BANG_MONEY            BODY: Talks about money with an exclamation!
    AS_SEEN_ON            BODY: As seen on national TV!
    DEAR_FRIEND           BODY: Dear Friend? That's not very dear!
    REMOVE_IN_QUOTES      BODY: List removal information
    FOR_FREE              BODY: No such thing as a free lunch (1)
    EXTRA_CASH            BODY: Offers Extra Cash
    OPPORTUNITY           BODY: Gives information about an opportunity
    FINANCIAL             BODY: Financial Freedom
    INITIAL_INVEST        BODY: Requires Initial Investment
    ONE_TIME_MAILING      BODY: one time mailing doesn't mean it isn't spam
    COPY_ACCURATELY       BODY: Common pyramid scheme phrase (1)
    LINES_OF_YELLING      BODY: A WHOLE LINE OF YELLING DETECTED
    LINES_OF_YELLING_2    BODY: 2 WHOLE LINES OF YELLING DETECTED
    MSGID_FROM_MTA_SHORT  Message-Id was added by a relay
    DATE_IN_FUTURE_03_06  Date: is 3 to 6 hours after Received: date
    CASHCASHCASH          Contains at least 3 dollar signs in a row

(The per-rule point values are not legible in this copy; they added up to the 37.5 shown.) Notice that the last three rules are header checks of exactly the kind discussed earlier in this lab: a Message-Id supplied by a relay rather than the sender, and a Date: that runs hours ahead of the first Received: stamp.

Heck, from a “hacker” perspective I now know what phrases to avoid to be detected as SPAM. Suuurreeee…right? But do not just dismiss the idea.
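Added example, not from the book and not SpamAssassin’s code: a toy scorer that fires named rules over a message body, totals the points, writes the X-Spam-Level and X-Spam-Status headers the way spamd does (one asterisk per whole point, as in the eBay headers above), and then applies the kind of client-side rule the Outlook instructions later in this lab set up, so the trade-off in the number of asterisks can be seen on two constructed messages. The rule names match the report above; their point values, patterns and the 5.0 threshold are assumptions made for illustration.

```python
import re

# Constructed rule set: the names are SpamAssassin rules from the report
# above, but the point values and patterns are assumptions for this example.
RULES = [
    ("DEAR_FRIEND",      1.1, re.compile(r"\bdear friend\b", re.I)),
    ("EXTRA_CASH",       0.5, re.compile(r"\bextra cash\b", re.I)),
    ("CASHCASHCASH",     2.0, re.compile(r"\${3,}")),
    ("LINES_OF_YELLING", 2.0, re.compile(r"^[A-Z0-9 !?$.,:'-]{20,}$", re.M)),
    ("BANG_MONEY",       2.9, re.compile(r"\bmoney\b[^!\n]*!", re.I)),
    ("ONE_TIME_MAILING", 1.3, re.compile(r"\bone[- ]time mailing\b", re.I)),
    ("REMOVE_IN_QUOTES", 2.2, re.compile(r"\"remove\"", re.I)),
]
REQUIRED = 5.0   # assumed threshold; the report above ran with 20.0


def score(body):
    """Return (total points, names of the rules that fired)."""
    hits = [(name, pts) for name, pts, rx in RULES if rx.search(body)]
    return round(sum(p for _, p in hits), 1), [n for n, _ in hits]


def spam_headers(body):
    """Build the X-Spam-* headers the way spamd does: one '*' per whole point
    and a Yes/No verdict against the required score."""
    total, names = score(body)
    return {
        "X-Spam-Level": "*" * int(total),
        "X-Spam-Status": "%s, hits=%.1f required=%.1f tests=%s"
                         % ("Yes" if total >= REQUIRED else "No",
                            total, REQUIRED, ",".join(names)),
    }


def route(headers, min_stars):
    """The client-side rule set up later in this lab: move the message to the
    junk folder when X-Spam-Level carries at least `min_stars` asterisks."""
    stars = headers.get("X-Spam-Level", "").count("*")
    return "Junk E-mail" if stars >= min_stars else "Inbox"


# Constructed messages (not real mail): one in the style of the report above,
# one legitimate note that happens to open with "Dear friend".
SPAM = ("DEAR FRIEND: DO YOU WANT SOME EXTRA CASH?\n"
        "This is a one time mailing. Make money fast!\n"
        "Send $$$ now.")
LEGIT = "Dear friend, the meeting moved to 3 pm. See you there."

if __name__ == "__main__":
    for body in (SPAM, LEGIT):
        h = spam_headers(body)
        print(h["X-Spam-Status"])
        for stars in (1, 3, 5):
            print("  rule with %d star(s) -> %s" % (stars, route(h, stars)))
```

With a one-asterisk rule the legitimate note (1.1 points for “Dear friend”) lands in the junk folder; with three or more it stays in the Inbox while the constructed spam (9.8 points) is still caught, which is the trade-off the Outlook note about “1 to 5 asterisks” describes.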

• Make a plan of attack for how you would research this email.
• Is it or is it not SPAM?
• Where does it come from?
• How could you stop it from coming?

Where does it come from? Hackers typically look for vulnerable e-mail servers by scanning for openings on port 25 (see scanning lab for more instructions). Once they find one they must first determine if the email server can relay email by looking at the version number of the sendmail program. This is the name (and version) that will appear just after the “Received: from:” header in the email. Earlier versions typically do not work as well…it just depends on the email program. (Whether a server relays is a matter of configuration more than version: sendmail has refused to relay for outside domains by default since 8.9, so the version string is only a hint and the RCPT TO step below is the real test.)

SendMail v8.x instructions:
1. Telnet to smtp port (25)
2. type help to view available commands
3. type HELO (then hit <return>)
4. Now you have to type the address from which it is coming from…yeah sure…go ahead and put a fake one in…the mail program doesn’t know any better: MAIL FROM: …
5. Then you have to tell the program where to send the email to…RCPT TO: your@bad…
6. Then just add some text if you would like: DATA, then SUBJ: Crap, blah, blah
7. Add a period at the beginning of a line and hit <return>
8. If the message “accepted for delivery” appears then it worked! How easy is that?

Remember doing this over the net is a jailable offense…you probably don’t want to spend 10-20 years showering with convicts.
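Added example, not from the book: the same HELO / MAIL FROM / RCPT TO exchange in Python, run against a toy in-process SMTP server so it can be tried without touching anyone else’s mail server. The server accepts any envelope sender, which is why the fake MAIL FROM in step 4 works, and refuses RCPT TO for outside domains unless it is configured as an open relay; the probe stops before DATA, so nothing is ever queued. The host names and the example.test domains are made up.

```python
import smtplib
import socket
import threading

LOCAL_DOMAINS = {"example.test"}   # domains the toy server delivers for (assumed)


def _serve(conn, open_relay):
    """Minimal SMTP responder: just enough of the dialogue to show where the
    relay decision is made (at RCPT TO, not at MAIL FROM)."""
    f = conn.makefile("rwb")

    def reply(line):
        f.write((line + "\r\n").encode("ascii"))
        f.flush()

    reply("220 mail.example.test ESMTP toy-relay")
    while True:
        raw = f.readline()
        if not raw:
            break
        verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply("250 mail.example.test")
        elif verb == "MAIL":
            reply("250 2.1.0 Ok")                 # the envelope sender is never verified
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            domain = addr.rpartition("@")[2].lower()
            if open_relay or domain in LOCAL_DOMAINS:
                reply("250 2.1.5 Ok")
            else:
                reply("554 5.7.1 Relay access denied")
        elif verb == "DATA":
            reply("354 End data with <CR><LF>.<CR><LF>")
            while True:                          # swallow the body up to the lone '.'
                line = f.readline()
                if not line or line.rstrip(b"\r\n") == b".":
                    break
            reply("250 2.0.0 Ok: queued")
        elif verb == "RSET":
            reply("250 2.0.0 Ok")
        elif verb == "QUIT":
            reply("221 2.0.0 Bye")
            break
        else:
            reply("502 5.5.2 Command not implemented")
    conn.close()


def start_server(open_relay):
    """Serve one connection on an ephemeral localhost port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        try:
            _serve(conn, open_relay)
        finally:
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def probe_relay(host, port, sender="probe@outside.test", rcpt="victim@elsewhere.test"):
    """Steps 3-5 of the dialogue above (HELO, MAIL FROM, RCPT TO) and stop
    before DATA. True means the server accepted a recipient it has no
    business relaying for, i.e. it is an open relay."""
    with smtplib.SMTP(host, port, local_hostname="probe.test", timeout=5) as s:
        s.helo("probe.test")
        code, _ = s.mail(sender)                 # a made-up sender is accepted
        if code != 250:
            return False
        code, _ = s.rcpt(rcpt)
        s.rset()                                 # abandon the envelope; no DATA
        return code == 250


if __name__ == "__main__":
    for mode in (False, True):
        port = start_server(open_relay=mode)
        print("server open_relay=%s -> probe reports open=%s"
              % (mode, probe_relay("127.0.0.1", port)))
```

Point the probe at a server you do not administer and you have done exactly what the warning above is about, so keep it on localhost or on your own machines.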
E-mail harvesting programs

There are a couple of ways those SPAMmers get your email address: pure guessing and e-mail harvesting. Those harvesting programs like Target 2001 (by Microsys Technologies… http://www.….com/on-target-2001.1.1-bulk-email.html) are like a worm that crawls through the web (without permissions) and “harvests” emails from websites, cookies, and databases. The results are sent back to the originator. On that website you will see many programs for harvesting e-mail…chilling. Do your research. Take a look sometime “behind the scenes of a webpage.” Try to figure out where all those advertisements link back to. There are really only a couple of companies doing them: doubleclick and akamai. Since … does not charge for controlling their advertisements then they obviously get money from somewhere…hmmm, selling databases? Bet they have great databases that people would love to get their hands on.

Using a SPAM filter

Now on your computer you can change some of your settings once you have received it. Microsoft Outlook is a client-based email system that transfers email from the

email server (sometimes called a POP or POP3 server) to the workstation and then deletes the email from the email server. Being client based has some advantages and disadvantages. This is one of the most widely-used email systems in the world and thus is the most vulnerable to hackers and exploits from hackers.

Overall good rules for keeping away from SPAM

There are many good things you can do with emails you receive that you were not expecting. Never, ever, send a reply to be “removed from a mailing list.” This only confirms they have reached a valid address and you will be inundated with even more SPAM. Use a SPAM filter if you can. Try not to use your email or web address if at all possible. Use that “anonymous” hotmail account address in newsgroups. Use that dummy account. Heck, once it fills up then no more can be received. Enough said…no more problem.

What to do with SPAM once you get it…

At home? Just delete it. Besides, you have enough to worry about with all those cookies out there. Later we will discuss pop-up ads in the same vein.

At work? Just forward it to the network administrator of your company. If you are an administrator then you should have something about SPAM reception in your Acceptable Use Policy (AUP)…but that is another lab. That is you? Do your research you learned here in this lab and write an ACL for your router, tweak your firewall, flame the SPAMmer, or just delete it and do not worry about it right now. It could be an innocent reflector. Be nice now. The Federal Trade Commission also would

like to have unsolicited advertisements (SPAM or otherwise) sent to them (uce@ftc.…). There are also anti-SPAM websites. Try searching for some of these.

Using a SPAM filter in MS-Outlook (SPC Helpdesk Instructions)

These are basic instructions for setting up a SPAM filter in your Outlook email. These filters can be very effective, but you should also be aware that they may occasionally filter valid email; therefore, it is not recommended that you set the filter to send the email directly to your “Deleted Items” folder. Instead, you should send it to a separate folder, where you can scan the contents to make sure there are no valid emails mixed in with the SPAM, and from there you can delete the messages. Depending on your version of Outlook, you may already have a “Junk E-mail” folder that can be used for this purpose. If you do not already have a “Junk E-mail” folder, you can right click on your Mailbox folder (Mailbox – User Name), and select “New Folder”. You can name this folder whatever you like.

Creating your SPAM Filter:
From the Outlook menu, select “Tools” then “Rules and Alerts”.
Click on “New Rule”.
Select “Start from a blank rule”.
With “Check Messages When They Arrive” highlighted, click “Next”.

Under Step 1 – Select the box next to “with specific words in the message header”.
Under Step 2 – Click on the link “specific words”, and in the box that opens up, type X-Spam-Level: * then click on “Add”, which will move the asterisk(s) to the search list. Click “OK”. (This rule works because the college mail server runs SpamAssassin, which adds that X-Spam-Level header with one asterisk per point, as seen in the eBay headers earlier in this lab; mail that never passed through that server will not carry the header and will not match.)

(NOTE: You can type from 1 to 5 asterisks in this box *****. The fewer you type, the higher the chances of moving valid email to your SPAM mailbox. The more you type, the higher the chances of getting SPAM in your Inbox.) Click “Next”.
Under Step 1 – Select the box next to “move it to the specified folder”.
Under Step 2 – Click on the link “specified”, and in the box that opens up, highlight (select) the folder that you have created for your SPAM Mail, and click “OK”.

Click “Next”. Click “Next” again. Make sure that there is a check mark in the box next to “Turn on this rule”, and click “Finish”.

Click “Apply” and click “OK”.

So What Did I Learn Here?

Boy…who knew there was so much to learn about SPAM? In this lab you learned about SPAM in general, how to read those headers, about e-mail harvesting, how to use a SPAM filter, and some things to do with SPAM once you get them. Go ahead and try some of the supplemental labs and check out some of these websites if you have some time. Good SPAM reading.

Supplemental Lab or Challenge Activity:
1. Go out and research RFC 821 and 822. Look at those numbers? It really has been around for a while huh? (Both were replaced by RFC 2821 and 2822 in 2001, and later by RFC 5321 and 5322, but the SMTP dialogue and the header format they describe are the ones used throughout this lab.)

2. Go out and research the email package “Sendmail.” You should be able to get many tutorials and operating manuals on it. Hackers are only as good as their research.

So What Did I Learn Here?

In the short term I feel you have learned a bit more about SPAM and should not be as afraid to deal with them. If nothing else you have learned more about my definition of SPAM:

(1) Non commercial electronic communications—this would include emails from person to person not of a commercial nature. This I would call “email.”

(2) Commercial electronic communications—this would include emails with respect to a commercial enterprise, offering, or solicitation for business.

(a) “Legitimate” commercial electronic communications—this would be the commercial enterprises who, following a set of standards, would make it easier for network administrators to control at the border by filtering. Including “ADV” or “PORN” in the subject line may be two such examples of standards. By following a set of standards they would be immune from prosecution for spamming. This I would call “email advertisements.”

(b) “Illegitimate” commercial electronic communications—this would be those enterprises, commercial or otherwise, that use falsified information in electronic communications in anticipation of receiving responses or business. This is what I would call “SPAM.”

By defining SPAM in this fashion we have also opened up a legitimate channel for advertisers that also makes it easy for network administrators to control. Having those other categories will encourage much cooperation between the government, legal authorities, and commercial entities. Plus, now we have a method for, more or less, taxing commercial solicitations (at least the legitimate ones) through sales taxes at the ISP’s for the bandwidth. Ok, now I am sure to get people screaming at me for “why am I arguing for more taxes?” Trust me, I don’t like to pay more than I should. As it currently exists we all know we can “skirt” sales taxes over the Internet in most respects. For example, living in Michigan I can buy something over the Internet from a company in Florida. There are no sales taxes assessed in Florida because the purchase comes from an out-of-state buyer. I would argue that we need to change this loophole because when I visit Disney in Orlando I still get charged sales tax on my tickets, food, and souvenirs. Why one but not the other? Should there be a “tax” or an “Internet stamp” on emails? I do not think so because the Internet should be free. I do not buy things over the Internet because it allows tracking of my information. In addition, much discussion about “pink slip” deals has surrounded SPAM. ISP’s loathe SPAM in public documents, yet on the backside they cut these side deals with the SPAMMERs, sometimes called “pink slips” or “pink contracts”, to allow them use of their bandwidth for x amount of dollars. It actually makes very good business sense. I say “why not?” “God bless America.” However, we are talking about the context of curbing SPAM by changing a few legislative rules and procedures. It will continue to be how business is

done and business can bear the burden of paying taxes so that citizens do not have to directly pay them.

Chapter 11 Password Protection

• Introduction
• Creating passwords
• Where to record your password
• Geek stuff: Password cracking basics
• Summary

Many people take password protection for granted yet, at the same time, they are very protective of their car keys and locking their house. Imagine a time not so long ago when tests were stored as hard copies in a locked filing cabinet. If someone broke into the cabinet by picking the lock or some other method and stole a test, then the teacher would usually not be negligent. On the other hand, if a test file was left open or the test was left on a desk in a public area then the teacher would surely have been reprimanded for poor security. There is no difference when discussing password protection. By not protecting your passwords or creating them well enough you are leaving your tests out on the table. In this chapter we will examine general password creation guidelines, where to record your passwords, and a quick bit on computer geek stuff for passwords.

A couple of years back I was hired by a company in Ybor City as a consultant. The president had fired his network administrator earlier in the day for whatever reasons and he gave that person until the end of the day to clear out his desk and go home. BIG MISTAKE! Not only did the guy go home but he changed the passwords all over the network equipment and did not inform any one that he did so. So the new network administrator comes in the next day and cannot access anything on the network. Fortunately this person was not very smart because using some general psychology and knowing about passwords in general I was able to “crack” through all but one of the passwords within an hour. The only one I could not “guess” I used a password cracker and obtained the password in a couple more hours. First of all this is a violation of many laws and secondly it is not very nice. As I said earlier there is always someone smarter and better so it’s not even worth risking jail time over this. If you ever find yourself in a position like that network administrator always give a copy of all of your passwords to your now former employer and document the receipt of them for your own protection.

So how did I figure out his passwords? Simple. Most people are very lazy with their passwords. They tend to use things that are familiar to them when creating them. They will use their names, middle names, spouses’ names, children’s names, their pets’ names, their favorite Disney character, the names associated with their

Creating Passwords

All kinds of books go into the mathematics of password creation and involve huge numbers and how long it will take to “crack” a password of “x” length. It is not my intention to do that here. Instead, from my experiences with computer security I wanted to share with you some of my insight.

favorite hobby, characters from their favorite movies or something very prominent from a theme in their office, the names of their parents (especially mother’s maiden name), nicknames, and the name of their favorite color. People also use numbers like anniversaries, graduation days, birth days, and other ones. For example, this guy had a lot of Star Trek stuff hanging around so I guessed and hit two of them right off the bat: captainkirk and enterprise.

The best passwords use a combination of numbers, letters, and special characters. I would also recommend the use of a combination of upper and lower case letters when creating them. How long should they be? You will be told for your specific network. Most require between 6 and 8 characters minimum. Unfortunately many networks require you to change your password periodically (usually every 30 days). If that is not enough then they usually require unique passwords every time. So at some point most people write them down somewhere and that is what we will discuss in our next section. Let’s take a second and look at some good and bad passwords in table 1.

Table 1—Good and Bad Passwords

    Good Passwords      Bad Passwords
    Mi8cH*aEl           mike
    AN^n@Na             anna
    B3++3r              goofy
    H4XorZ*             rover
    3ll1T3*5Io34K       beth
    $r52Much            surfer
    5+4Ow+              green
    8o4w4Y              daddy
    1<3wL5t\/f          momma
    +ooH4rD3            silentbob

It’s not rocket science…it’s creating a password for you to use. (Bear in mind that several of the “good” ones are just names or words with letters swapped for look-alike symbols; password crackers apply those substitutions automatically, so length and unpredictability count for more than the symbol swapping.)

Where to Record Your Passwords

Another dead give away when figuring out passwords is when they write them down. You would be surprised how many people put a sticky note on the monitor with their passwords in plain sight. What good is having passwords then? It doesn’t stop there…stop me if you do these…people put them under their keyboards, on the little pull-out drawer in their desk, on a bulletin board, on the side of a garbage can, or even in a notebook (they think they are being cute by putting it on the last page, but I know better). Many people write them down and keep them in a purse or wallet too, which is not bad, but they forget about the imprint that is made on the subsequent pages below that top sticky note. I got one of that guy’s passwords in just that manner. The last thing he did was write one down on a sticky note but the imprint was still left on the pad on his desk.

It still has a lot of problems (like maximum log in attempts) but the point is: someone is trying to make it easier for you.” There is a newer technology that is starting to spread which allows you to write down your password in a secured manner. In our next section we will talk about how hackers can use software to “crack” passwords. Whenever a password is required the program is executed and each password within the file is tried until the “magic” one (the one needed) allows access to whatever you needed. you will take greater care in creating your passwords. This file uses very strong coding to prevent people from being able to read the contents of the file. in turn. It is my hope you will see how easy cracking passwords can be and.The best thing I can suggest if you are going to write them down to make sure no imprint is being made and to keep them in your purse or wallet. 60 . You would be surprised how many people are keeping them in a manila file folder called “passwords. In this file you will be keeping track of all of your passwords and will only be required to remember the password into this file.
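The "Geek stuff" section above describes a cracker as a program that tries each password in a file until one works. The Python below is an added example written for this page, not code from the book: it runs a wordlist of the kinds of words the chapter says people choose through a few cheap variations (capitalization, appended numbers and years, look-alike symbol swaps) and compares each guess against a stored hash. Assumptions: the target stores an unsalted SHA-256 hash (a stand-in for whatever the real system stores), and the wordlist, the rule set and the sample "user:hash" file are all constructed for illustration.

```python
"""Dictionary-plus-rules password guessing, as the chapter describes it:
every candidate in a list (and cheap variations of it) is hashed and compared
against the stored hash until one matches.  Added example for this page, not
code from the book.  Assumptions: the target stores an unsalted SHA-256 hash
(a stand-in for whatever the real system stores), and the wordlist, rule set
and sample "user:hash" file below are constructed for illustration."""
import hashlib

# Constructed wordlist: the kinds of words the chapter says people pick
# (family names, pets, office themes, favourite characters).
WORDLIST = ["mike", "anna", "goofy", "rover", "beth", "surfer", "green",
            "daddy", "momma", "silentbob", "captainkirk", "enterprise", "spock"]

# Numbers people bolt on: two-digit counters and the years of anniversaries,
# birthdays and graduations.
SUFFIXES = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1950, 2006)]

# Look-alike symbol swaps, the transformation behind most of table 1's "good" column.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "+"})


def mutations(word):
    """Yield the cheap variants of one base word that a cracker's rules produce."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def sha256_hex(password):
    """Hash a candidate the way the (assumed) target system stores passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Try every mutation of every word; return (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mutations(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def crack_file(lines, wordlist=WORDLIST):
    """Crack a constructed 'user:hash' file, one entry per line -> {user: password or None}."""
    results = {}
    for line in lines:
        user, _, digest = line.strip().partition(":")
        results[user] = crack(digest, wordlist)[0]
    return results


if __name__ == "__main__":
    # Constructed sample file: the Star Trek fan from the chapter, a dated
    # variant, a leet-speak variant, and one entry from table 1's "good" column.
    sample = ["jim:" + sha256_hex("captainkirk"),
              "leo:" + sha256_hex("Enterprise1995"),
              "kim:" + sha256_hex("c4p+41nk1rk"),
              "pat:" + sha256_hex("Mi8cH*aEl")]
    for user, password in crack_file(sample).items():
        print(user, "->", password if password else "not found with this wordlist")
```

With this tiny list the whole run is about ten thousand hashes and finishes in well under a second; captainkirk, Enterprise1995 and the leet-speak c4p+41nk1rk all fall, while Mi8cH*aEl survives only because these particular rules do not produce it. Real cracking tools ship with far larger wordlists and thousands of such rules, which is why the chapter's advice about length and unpredictability matters more than sprinkling in symbols.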

Preface: Why do they do it?

Microsoft is the most popular operating system in the world. The "hackers" of the world for years have known that (1) Microsoft has refused to make their programs open source and (2) that they can profit by the security holes in Microsoft, through referral payments from visitors. Thus, since Microsoft refuses to comply with the terms set in the "Hacker Manifesto," hackers are in this for the profit.

Part 1: Legal Stuff

Maine Public Utilities Commission v. Verizon [Docket no. 2002-543], www.…s/2002/2002-543oai.pdf. The gist: worms, viruses and other deeds are predictable and therefore preventable, but you must use due diligence and set up your computer appropriately.

Cobell v. Norton, 240 F. Supp. 2d 111 (DDC 2003) and 274 F.3d 1081 (DC Cir. 2001), http://www.indiantrust.…4/tl_litigation.html. The gist: courts can step in to decide security procedures. See also "Courts make users liable for security glitches," www.cio.…

City of Clearwater v. Times Publishing Co., 27 Fla. L. Weekly D1544a (Fla. 2d DCA July 3, 2002). The gist: not everything on your computer is for the public to see.

Part 2: Having fun on the Internet…or not?

Trojans are programs or files that are executed on your computer…usually without your knowledge. Trojans can be:
• Games
• Videos
• Audio Clips
• Photographs
• Advertisements

The key for you is to NOT use the Internet whenever possible…let discretion be your better guide. Save the fun surfing for at home. Pop-up ads and spyware are simply avoided by switching from IE to using Mozilla Firefox as a browser (it is free and easy to use): http://www.mozilla.… It works with Peoplesoft, Crystal, MS Outlook and other programs. If your application is video-intensive you may encounter slight problems.

Instant Messengers: I don't recommend using Instant Messengers (AOL, MSN, Yahoo, ICQ, etc) because most of them are built on the Internet Explorer engine, allowing the IM companies (or hackers) to have full access to your computer and its documents. In their user policy you may see this line: "You waive all rights to privacy…" (enough said)

How to use your virus scanner: First of all make sure your technician has your computer set up to automatically download any patches or "updates." Also, I would have them set up your scanner to check files before downloading or copying from a disk or thumb drive. To check your entire computer select "Start," then Network Associates, and finally Virus Scan on-demand; then "ok" and then select "start." To check only a certain folder click on "Add," then "drive or folder," then select the location of that folder. Hopefully your check will be clean. Contact CSS if needed.

Part 3: The four food groups of the Internet: Java, Applets, Cookies, Spam

Cookies can be disabled by:
1. Opening IE
2. Internet Options, Privacy (tab), Advanced, Over-ride Automatic Cookie Handling, and then
3. Switching both parties to "prompt" for cookies
I don't recommend this…you will go nuts with all of the prompts at the various websites.

Part 4: Email Stuff

1. Proper "netiquette" dictates that YOU SHOULD NOT TYPE WITH ALL CAPITAL LETTERS TO AVOID THE APPEARANCE OF SCREAMING!
2. Try not to use a font that will be difficult to read or to put in a lot of color or graphics.
3. "Tone" can be greatly misconstrued with email. Never be afraid to use the phone first, and email second.
4. Be careful not to "reply to all" and use "reply."
5. Very sparingly use BCC.
6. You can request receipts for emails if needed. They can be blind requests or regular requests.
Also, in a Sunshine Law state think of any email as having the possibility of winding up in the newspaper.

MS Outlook Email Stuff

To request a regular receipt (the recipient is asked):
1. After typing the email, click on "options" (on the standard toolbar).
2. Click on "request a read receipt for this message."
3. And then "close."
The recipient will then permit/deny a receipt to be sent to the sender.

To request a blind receipt (the recipient is not asked):
1. After typing the email, click on "options" (on the standard toolbar).
2. Click on "request a delivery receipt for this message."
3. And then "close."
The recipient's mail server sends the delivery receipt to the sender without the recipient's knowledge. Note that it only confirms the message was accepted by that server, not that anyone read it.

Have replies sent to: Sometimes you want to send out a bulk email for someone else but do not want replies sent to you:
1. After typing the email, click on "options" (on the standard toolbar).
2. Click on "have replies sent to."
3. Select a recipient.
4. And then "close."

"Delayed email":
1. After typing the email, click on "options" (on the standard toolbar).
2. Click on "do not deliver before" and then select the date and time.
3. And then "close."

Viewing Email Headers:
1. In MS Outlook, open the email.
2. Click on "View" and then
3. "Header and Footer."

Quick check for SPAM: When viewing the headers, does the "return-path" match the sender? For example, is the email from E-Bay being sent to a return-path address at ebay? SPAM often carries a Date: time zone (such as -0600) that does not match ours; we are -0500 (EST) in winter and -0400 (EDT) while daylight saving time is in effect. Treat the time zone as a hint only: the sender's own machine writes that header and can put anything in it.

Setting up a SPAM filter (Windows 2000):
1. Select "tools"
2. Select "rules wizard"
3. Select "new"
4. Select "check messages when they arrive"
5. Choose your "options"
6. Select the word or phrase
7. Select an action (like move it to a folder or delete it)
8. Add any exceptions
9. Give the rule a name
10. Click on finish.
Then you can add more rules if you like. I prefer to not do this because you never know when you might "miss" an important email.

SPYWARE AND POPUPS: To "clean out" spyware and pop up ads you can use system restore points (XP/ME); in 2000 call your CSS technician.

Creating a System Restore:
1. Click on Start, then Help, then pick a task.
2. Create a restore point.
3. Then name it (I do this once a month).

To restore to an earlier point:
1. Click on Start, then Help, then pick a task.
2. Restore my computer to an earlier time.
3. And the computer will "fix" itself.
Your documents will be saved, but your programs will be reset to the state they were in at the restore point. If you installed any new software since then, you will have to do it again.

Part 5: Passwords

It is very important that you select good passwords and do not write them down on post-it notes, put them under your keyboard or in notebooks. Choose one with a combination of letters, numbers, and symbols that will be easy to remember. Example: "Linda" becomes "1in0|400o1" (Linda 0001).

Part 6: Backing up your data

It is vital to have your technician set up your computer to back up your emails to another server or show you how to back them up to a CD at least once a month. Test them too!

727-341-3010, Basham.Matt@spcollege.


Basham .) (c) 2005 Matthew J. (a. Basham.Staying one step ahead of the hackers: Computer security tips for the everyday user Matthew J.b.D. Ph.d.

All rights reserved. No part of this slide show or manual, or derivatives thereof, can be reproduced or transmitted in any form or by any means electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without explicit written permission from the author, except for the brief … copyright laws of the United States of America.

Some ground rules
♦ Please turn your cell phones, pagers, beepers, blackberries to not make any noise
♦ Feel free to go to the restroom whenever
♦ Food and drink are not allowed in the room
♦ Call me "Matt"

Today's Agenda
1. Legal stuff for you to know…
2. Having fun on the Internet…or not!
3. The four food groups of the Internet
4. Email stuff
5. Passwords: You got'em, I can get'em!
6. Backing up your data
♦ QNA

The World would be better off without Microsoft…or would it?
♦ Microsoft is the most popular (by default) operating system. As such, it is the target of frequent criticism and hackers.
♦ If you use Microsoft then you stand "in between" the hackers and Microsoft. As such, you may have "problems" with your computer from time to time.

"It won't happen here…"
♦ "Hackers cripple SPC Internet Classes," St. Petersburg Times, St. Petersburg, Fla., Feb 19, 2000. LINDA GIBSON.
♦ "Hackers pilfer eighth-grade science exam," St. Petersburg Times, St. Petersburg, Fla., Dec 14, 2000. ADRIENNE P. SAMUELS.
♦ "Boy, 14, charged with hacking," St. Petersburg Times, St. Petersburg, Fla., Feb. 11, 2004. Bill Varian (the boy hacked into a server in which grades were stored at Crystal River High School)

Part 1: Legal Stuff for you to Know

Legal Stuff for you to Know…
♦ Maine Public Utilities v. Verizon
– "The gist:" Worms, viruses, and other deeds are predictable and therefore preventable
– You get'em…it's your own fault
♦ Cobell v. Norton
– "The gist:" Courts can step in to determine adequate security procedures

Legal Stuff for you to Know…
♦ City of Clearwater v. Times Publishing Co.
– "The gist:" not everything on your computer is for the public to see…
♦ The "key phrase" for you to remember is:
– "Due diligence"

Part 2: Having fun on the Internet…or not!

Having fun on the Internet…or not?
♦ Hackers now use programs called "trojans" that are downloaded onto your computer, usually without your knowledge.
♦ This can be done simply by an "executable" program being run from your computer to the website and depositing "stuff" onto your computer.

Having fun on the Internet…or not?
♦ Trojan programs can be:
– Games
– Videos
– Audio clips
– Photographs
– Advertisements

Having fun on the Internet…or not?
♦ Why do hackers do this?

Having fun on the Internet…or not?
♦ The key phrase here is "avoidance."
♦ Most of the time you do not need to be using the web…the less you use it the less likely you are to "cause problems."
♦ Has anyone seen the commercial for the "pink slip" virus?

Having fun on the Internet…or not?
♦ Be sure to learn how to use your virus checker to "scan" documents for viruses

Having fun on the Internet…or not?
♦ Final note here about Instant Messengers (AOL, MSN, Yahoo, ICQ, etc)
♦ Using them might create a security breach for your computer and you…do you want to possibly cause having student data released onto the Internet?

Part 3: The four food groups of the Internet

The "Four Food groups of the Internet"
♦ We all know about food groups:

Nutrition   Internet
Meat        SPAM
Fruits      Applets
Breads      Cookies
Dairy       Java

♦ The key phrase for you is the four food groups can create "problems for you."

How does IE work?
♦ When you are on the Internet files are "downloaded" to your computer and "uploaded" from your computer.
♦ Some of these files are called "cookies" and "applets."
♦ There are security settings you can change to notify you every time these things happen but they would be a pain in the keister.


Why not IE?
♦ "Spyware" and "Pop-up Ads" work on the same premise…
♦ You are using IE…and "they" know that IE MUST allow files to be uploaded and downloaded at will.
♦ Thus, it is very easy to "download" trojans onto your computer and make your life "interesting" when you use your computer.

What else is there?
♦ Mozilla's Firefox program is very, very similar to IE, except that the "code" was written completely differently.
♦ Thus, any problems with hackers, trojans, spyware, and pop-up ads are "eliminated" by simply switching to Firefox.
♦ Mozilla Firefox is a free program.

Mozilla Firefox Browser

Some "issues" with Firefox
♦ There are some, not many, websites that encounter "problems" with Firefox.
♦ Usually it is those sites that require Flash players, or advanced graphics tools.
♦ Firefox works ok with Peoplesoft, Crystal Reports, and MS Outlook.

How can I get Firefox?
♦ Simple, just pick your favorite web searching engine…put in "mozilla firefox" and you should be pointed right to the website.
♦ Then, just download it and you are ready to go!
♦ P.S. I don't get any money for suggesting Firefox

What if I have a bunch of Pop-ups?
♦ Pop up ads are nothing more than trojans that have been downloaded to your computer that have "altered" the main core of the Windows operating system known as "the registry."
♦ To fix any problems you need to do a system restore (which is beyond this class but included in the on-line course).

Part 4: Email stuff

E-mail Stuff
♦ Netiquette:
– You should try to refrain from using all capital letters SO YOU DON'T SEEM TO BE SCREAMING AT ME.
– Also, try to use an "acceptable" font…nothing too big, nor too difficult to read
– Try not to use the "BCC" option too much…people will be afraid to open your emails

E-mail Stuff
♦ Be careful to choose "reply" and not "reply to all"
♦ You can request a "receipt" or physical acknowledgement by the recipient


SPAM
♦ What is SPAM?
♦ A "bunch" of what you receive is not SPAM, it was "farmed" or "mined" information and "target marketed."
♦ Most advertisements are generated from these methods and from you asking "to be kept informed of special events, discounts, etc."

Which ones are SPAM?
♦ Huntington Bank: Your account information needs to be updated.
♦ EBAY/PAYPAL: Your account has been suspended.
♦ Internet Millionaire Guarantees your success!
♦ I am a Nigerian official trying to get money out of Africa.
♦ St. Petersburg College: Your access may be discontinued.

How to tell if an email is SPAM.
♦ In MS Outlook View>Header and Footer
♦ We are in the Eastern Time Zone, five hours behind GMT in winter, which is -0500 in computer speak (-0400 while daylight saving time is in effect). A Date: offset that matches neither is a hint, not proof: the sender's own machine writes that header and can put anything in it.

How to tell if an email is SPAM.
♦ A quick check is to look for the return address.

SPAM filters
♦ They work by looking for "keywords"
♦ Each keyword is assigned a "point." (Everything is mathematical in computers)
♦ Enlarger=1, sex=1, pornography=1, cheating housewife=1, huntington bank=20, etc.
♦ If too high a total is reached for an incoming email it is "flagged" as possible SPAM.
♦ You can set your own keywords too.
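The two checks the slides describe, the return-address and time-zone look from the "How to tell if an email is SPAM" slides (and the handout's "Quick check for SPAM") and the keyword point-scoring of the "SPAM filters" slide, as one piece of runnable Python. This is an added example for this page, not the author's tooling and not how Outlook's rules wizard works internally. The two messages, the extra weights for header findings, the threshold and every domain (all reserved .example names) are constructed for the example; the keyword weights are the ones on the slide.

```python
"""Spam checks from the slides, as added example code (not the author's own
tooling): the From:/Return-Path: comparison and Date: time-zone check of the
"How to tell if an email is SPAM" slides and the handout's "Quick check for
SPAM", plus the keyword-scoring filter of the "SPAM filters" slide.  The two
messages, the header weights and the threshold are constructed for this
example; every domain used is a reserved .example name."""
import re
from email import message_from_string
from email.utils import parseaddr

# Weights as on the slide; the threshold and the extra weights for header
# findings are assumptions made for this example.
KEYWORDS = {"enlarger": 1, "sex": 1, "pornography": 1,
            "cheating housewife": 1, "huntington bank": 20}
THRESHOLD = 5
RETURN_PATH_WEIGHT = 10   # bounce address not under the claimed sender's domain
ODD_TIMEZONE_WEIGHT = 1   # weak signal: the sender writes the Date: header itself

# Eastern time is -0500 in standard time and -0400 during daylight saving time.
EXPECTED_OFFSETS = {"-0500", "-0400"}


def domain_of(header_value):
    """Lower-cased domain of the address in a From:/Return-Path: header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def header_check(raw):
    """Return (return_path_mismatch, date_offset, offset_unusual) for a raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    # The same domain or a subdomain of it (bounces.spcollege.example) is fine;
    # no Return-Path at all is simply "no evidence", not a mismatch.
    mismatch = bool(rp_dom) and rp_dom != from_dom and not rp_dom.endswith("." + from_dom)
    m = re.search(r"([+-]\d{4})\s*$", msg.get("Date", ""))
    offset = m.group(1) if m else None
    return mismatch, offset, offset is not None and offset not in EXPECTED_OFFSETS


def keyword_score(raw):
    """Sum the weights of keywords found as whole words in subject and body."""
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    # Whole-word matching so "sex" does not fire on "Essex" or "Middlesex".
    return sum(w for kw, w in KEYWORDS.items()
               if re.search(r"\b" + re.escape(kw) + r"\b", text))


def spam_score(raw):
    """Combine both checks into one verdict, keeping the components visible."""
    mismatch, offset, unusual = header_check(raw)
    words = keyword_score(raw)
    total = words + (RETURN_PATH_WEIGHT if mismatch else 0) + (ODD_TIMEZONE_WEIGHT if unusual else 0)
    return {"keywords": words, "return_path_mismatch": mismatch,
            "date_offset": offset, "total": total, "flagged": total >= THRESHOLD}


# Constructed sample messages: the slide's "Huntington Bank" lure and a
# legitimate college notice whose bounces come from a subdomain.
PHISH = """\
Return-Path: <bounce@mail-relay.example>
From: "Huntington Bank" <alerts@huntington.example>
To: user@spcollege.example
Date: Mon, 07 Feb 2005 09:12:44 -0600
Subject: Your account information needs to be updated

Please log in at the link below to update your Huntington Bank account.
"""

LEGIT = """\
Return-Path: <noreply@bounces.spcollege.example>
From: "St. Petersburg College" <helpdesk@spcollege.example>
To: user@spcollege.example
Date: Mon, 07 Feb 2005 09:12:44 -0500
Subject: Scheduled maintenance this weekend

The portal will be unavailable Saturday 0600-0800 while CSS applies patches.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, spam_score(raw))
```

The lure scores 20 on the keyword alone, plus 10 for a Return-Path that is not under the claimed sender's domain and 1 for the odd offset; the notice scores 0. Two caveats a practitioner would keep in mind: the Date: header is set by the sender and is trivially forged, which is why it carries the smallest weight here, and legitimate bulk mailers often use a separate bounce domain, so a bare return-path mismatch is a reason to look closer, not an automatic verdict.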

MS Outlook SPAM filter setup

Part 5: Passwords: You got'em, I can get'em!

Passwords: You got'em, I can get'em!
♦ People are lazy with their passwords...
– On a lamp
– post-it note
– desk top
– side of monitor
– pull-out drawer
– garbage can
– under a keyboard
– in a rolodex
– or in a notebook

Part 6: Backing up your data

Backing up Data
♦ Set up your computer so an archive copy of your emails is sent to another computer or server.
♦ Periodically "spot check" and test the validity of the back up.
♦ If you do not know how, then submit a work order to your CSS through the help desk to accomplish this task.
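The slide's "spot check" of a backup, as an added example for this page (not the author's procedure or any SPC tooling): record a SHA-256 manifest of the files when the archive copy is made, then verify the copy against that manifest later, so a silently corrupted or missing file is found before the backup is actually needed. The directory layout and file contents are constructed inside a temporary directory so the script runs anywhere.

```python
"""Backup "spot check" from the slide, as added example code (not the author's
procedure or any SPC tooling): record a SHA-256 manifest when the archive copy
is made, then verify the copy against it later, so silent corruption or a
missing file is found before the backup is needed.  The directory layout and
file contents below are constructed inside a temporary directory."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large mailboxes do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(backup_root, manifest):
    """Return {relative path: 'missing' | 'modified'}; an empty dict means the copy checks out."""
    problems = {}
    for rel, digest in manifest.items():
        path = os.path.join(backup_root, rel)
        if not os.path.exists(path):
            problems[rel] = "missing"
        elif sha256_file(path) != digest:
            problems[rel] = "modified"
    return problems


def demo():
    """Create a source tree, copy it, verify, then damage the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "mail")
        os.makedirs(os.path.join(src, "archive"))
        # Constructed stand-ins for a mailbox and an archive file.
        with open(os.path.join(src, "inbox.pst"), "wb") as f:
            f.write(b"constructed mailbox contents\n" * 100)
        with open(os.path.join(src, "archive", "2004.pst"), "wb") as f:
            f.write(b"constructed archive contents\n" * 100)
        manifest = build_manifest(src)          # taken at backup time
        backup = os.path.join(tmp, "backup")
        shutil.copytree(src, backup)            # the "archive copy" itself
        clean = verify_backup(backup, manifest)
        # Simulate bit rot in one file and loss of another, then check again.
        with open(os.path.join(backup, "inbox.pst"), "r+b") as f:
            f.seek(10)
            f.write(b"X")
        os.remove(os.path.join(backup, "archive", "2004.pst"))
        damaged = verify_backup(backup, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("fresh copy:", clean or "OK")
    print("after damage:", damaged)
```

Keep the manifest with the backup set but not only on the same CD or server as the copy it describes; a manifest that goes missing with the files it covers tells you nothing. The same verify step, pointed at a restore into a scratch folder, is also the cheapest way to prove a backup can actually be read back.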

SPC Rules and Procedures
♦ You are responsible for everything on your computer and the college can look at anything at any time, private or not (6Hx23.900)
♦ You are responsible for the security of your data and your passwords (P6Hx23-1.6 … 8104)

Summary of “Key Phrases”
“Due Diligence” “Avoids” “Problems for you”


What is next?

♦ Normally there is a handout with step-by-step instructions on each subject discussed here, but funds prohibit reproducing it.
♦ You can go to … and download it for free.


Question and Answer session
Feel free to contact me 341-3010


