
Best of RAH96:
Stupid E-mail Tricks - The NaughtyRobot Hoax

by Dave Bealer

Copyright © 1997 Dave Bealer, All Rights Reserved.


Fear and Ignorance

Human beings are always suspicious of that which they don't understand, and computers are the least understood appliances to enter most homes and offices since the invention of electricity. A good deal of the fear and misperceptions come from science fiction. The "M-5" episode of "Star Trek" combined with movies such as Colossus: The Forbin Project, Wargames, and Terminator serve to perpetuate the myth of computers as evil entities that are out to "destroy" those they supposedly serve.

Take it from someone who has worked closely with computers for more than fifteen years - computers aren't smart enough to be evil. They only do what programmers - humans - tell them to do. And therein lies the problem.

The bad news is that there are malevolent idiots out there with a great deal of computer skill who use their skills to harm rather than help. The good news is that evil programmers are constrained by the same technical limitations as programmers who are trying to create useful/helpful programs.

It may therefore be helpful for non-expert computer users to at least understand some of the things that their computer, and the various kinds of software that they use on it, cannot do. A classic example from recent history is the "Good Times" virus, which was supposed to be transmitted through e-mail messages. It so happens that viruses cannot be transmitted through the text of an e-mail message. This didn't stop thousands of people from being frightened by the situation. (It must be noted here that viruses can be transmitted through a program or macro attached to an e-mail message, although not through the text of the message itself. See "Further References" at the end of this article for more information.)

In fact such attacks, which take advantage of the technical ignorance of many computer and internet users, are becoming increasingly popular. One big advantage is that such a psychological attack doesn't require any real technical expertise on the part of the perpetrator.

NaughtyRobot

This morning I found the following message in my e-mail inbasket:

______________________________


Subject: security breached by NaughtyRobot
Date: Thu, 6 Feb 97 07:16 MET 
From: dave@rah96.com
Reply-To: "Dave Bealer" <dave@rah96.com>
Organization: NaughtyRobot
To: dave

This message was sent to you by NaughtyRobot, an Internet spider that crawls into your server through a tiny hole in the World Wide Web.

NaughtyRobot exploits a security bug in HTTP and has visited your host system to collect personal, private, and sensitive information.

It has captured your Email and physical addresses, as well as your phone and credit card numbers. To protect yourself against the misuse of this information, do the following:

  1. alert your server SysOp,
  2. contact your local police,
  3. disconnect your telephone, and
  4. report your credit cards as lost.

Act at once. Remember: only YOU can prevent DATA fires.

This has been a public service announcement from the makers of NaughtyRobot -- CarJacking its way onto the Information SuperHighway.

______________________________

Interesting, I don't remember sending this message to myself. In fact, I don't remember writing this message or sending it to anyone! As I approach the age of forty, my memory has gotten a bit unreliable, but I'm sure I'd remember writing something this ridiculous. Obviously someone forged the sender address on the message to make it appear I had sent it to myself.

Of course the threats in the message are patently impossible to accomplish since none of the information, except for my e-mail address, actually resides anywhere on the RAH96 web server machine. And the e-mail address of the publisher of a commercial web magazine is hardly a trade secret. Obviously someone is trying to prey on the ignorance of webmasters who are so technologically innocent that they might believe the threats to be real. We'll skip over the obvious point that anyone who is that stupid should not only not be running a website, but that they deserve whatever they get.

Unmasking The Forgery

Although not fooled in the slightest, I was curious as to how good a job of forgery the miscreant had managed. So I went into the "Options" menu in Netscape 2.0 and clicked on the "Show All Headers" option. (In Netscape 3.0 the option is Show Headers - use the side menu to select "All".) The display in the Netscape e-mail window changed to the following:

______________________________


From dave@rah96.com Thu Feb 06 01:12:13 1997
Received: by rah96.com from localhost
     (router,SLmail95 V1.2,beta 1); Thu, 06 Feb 1997 01:12:13
Received: by rah96.com from gimli.Informatik.Uni-Oldenburg.DE
     (134.106.1.10::mail daemon; unverified,SLmail95 V1.2,beta 1);
 Thu, 06 Feb 1997 01:12:11
Received: by gimli.Informatik.Uni-Oldenburg.DE (Smail3.1.29.1)
     id <m0vsN88-0003MiC>; Thu, 6 Feb 97 07:16 CET
Apparently-From: dave@rah96.com
Received: at Infodrom Oldenburg (/\##/\ Smail3.1.29.1 #29.10 Joey)
     by finlandia.Infodrom.North.DE from rah96.com with smtp
     id <m0vsN8L-001ZGPC>; Thu, 6 Feb 97 07:16 MET
Message-Id: <m0vsN8L-001ZGPC@finlandia.Infodrom.North.DE>
Date: Thu, 6 Feb 97 07:16 MET
Apparently-From: dave@rah96.com
Apparently-To: dave@rah96.com
Reply-to: "Dave Bealer" <dave@rah96.com>
Registered-mail-reply-requested-by: dave@rah96.com
Sensitivity: PERSONAL-CONFIDENTIAL
Precedence: EMERGENCY
Priority: URGENT
Comment: Authenticated sender is <dave@rah96.com>
Organization: NaughtyRobot
Subject: security breached by NaughtyRobot
From: dave@rah96.com
To: dave
X-Mozilla-Status: 0001

This message was sent to you by NaughtyRobot, an Internet spider that crawls into your server through a tiny hole in the World Wide Web.

NaughtyRobot exploits a security bug in HTTP and has visited your host system to collect personal, private, and sensitive information.

It has captured your Email and physical addresses, as well as your phone and credit card numbers. To protect yourself against the misuse of this information, do the following:

  1. alert your server SysOp,
  2. contact your local police,
  3. disconnect your telephone, and
  4. report your credit cards as lost.

Act at once. Remember: only YOU can prevent DATA fires.

This has been a public service announcement from the makers of NaughtyRobot -- CarJacking its way onto the Information SuperHighway.

______________________________

Not a particularly effective job of forgery, as it turns out. Several of the "received" routing lines at the top of the message point to an origin somewhere in Germany. Any domain address with "de" as the highest domain indicates that the originating system is located somewhere in Germany, or DEutschland, as the Germans refer to their own nation.

The line which would actually allow me to begin tracking down the culprit is:

Message-Id: <m0vsN8L-001ZGPC@finlandia.Infodrom.North.DE>

This is the specific message identifier generated by the originating system in Germany. If I e-mailed a copy of the message to the postmaster of the originating system (postmaster@finlandia.Infodrom.North.DE), that person would be able to determine from the message id and the timestamps exactly which user on his system had sent the message.
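The same reading of the headers can be done mechanically. The Python below is an added example, not part of the original article: it parses the routing headers shown above, orders the "Received" hops oldest first, and compares the claimed From: domain with the host that first handled the message and with the host in the Message-Id. The function names are hypothetical, and reading SLmail's "unverified" marker as "the announced sender name was not checked" is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Routing headers copied from the message shown above (body omitted).
RAW = r"""Received: by rah96.com from localhost
     (router,SLmail95 V1.2,beta 1); Thu, 06 Feb 1997 01:12:13
Received: by rah96.com from gimli.Informatik.Uni-Oldenburg.DE
     (134.106.1.10::mail daemon; unverified,SLmail95 V1.2,beta 1);
 Thu, 06 Feb 1997 01:12:11
Received: by gimli.Informatik.Uni-Oldenburg.DE (Smail3.1.29.1)
     id <m0vsN88-0003MiC>; Thu, 6 Feb 97 07:16 CET
Apparently-From: dave@rah96.com
Received: at Infodrom Oldenburg (/\##/\ Smail3.1.29.1 #29.10 Joey)
     by finlandia.Infodrom.North.DE from rah96.com with smtp
     id <m0vsN8L-001ZGPC>; Thu, 6 Feb 97 07:16 MET
Message-Id: <m0vsN8L-001ZGPC@finlandia.Infodrom.North.DE>
From: dave@rah96.com
To: dave
"""

def hops(raw):
    """Received hops, oldest first. Each relay prepends its line, so reverse."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        by = re.search(r"\bby\s+([\w.-]+)", flat)
        frm = re.search(r"\bfrom\s+([\w.-]+)", flat)
        out.append({
            "by": by.group(1).lower() if by else None,
            # "from" is only the name the sending side announced
            "from": frm.group(1).lower() if frm else None,
            # Assumption: SLmail writes "unverified" when it did not check that name
            "unverified": "unverified" in flat.lower(),
        })
    return out[::-1]

def report(raw):
    """Compare what the message claims with where it entered the mail system."""
    msg = message_from_string(raw)
    chain = hops(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    mid_host = msg["Message-Id"].strip("<> ").rpartition("@")[2].lower()
    first_relay = chain[0]["by"]
    return {
        "from_domain": from_domain,
        "message_id_host": mid_host,
        "first_relay": first_relay,
        "from_mismatch": not (first_relay or "").endswith(from_domain),
        "unverified_hops": [(h["from"], h["by"]) for h in chain if h["unverified"]],
        "postmaster": "postmaster@" + mid_host,
    }

if __name__ == "__main__":
    print(report(RAW))
```

Only the hops written by your own mail server are trustworthy; anything recorded before the message reached it, including the first relay found here, may itself have been supplied by the sender.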

As it happens, I didn't bother. All I got out of the situation was a good laugh. But after Greg Borek responded to the copy I forwarded to him with the observation that if NaughtyRobot "can get one person to cut up their credit cards, it has created enough chaos," I decided to write this article. (Greg owns the world rights to chaos and is quite interested in protecting his territory.)

So there it is. I still don't have much sympathy for anyone gullible enough to fall for something so obvious, but at least this article gives such "victims" the information needed to track down the person responsible for the message. (Be sure to check your own copy of the message for the message id. It is entirely possible that your message was sent from a different system than mine. Send your complaint to the postmaster of the system appearing in the message id on your copy of the message.)

Another thing to look out for is the fact that someone forging the return address on a message isn't limited to placing the recipient's address in that field. The miscreant can just as easily forge your address on a message sent to someone else. This will cause the third party to complain to you about the message you just "sent." I know this is possible because it has happened to me in the past.

Research has found that people who are depressed from being victimized in this way can easily find relief by visiting the RAH96 web site for a few much-needed laughs.

Situation Update
2/7/97, around 12 Noon

It turns out that at least two sites in Europe were used to propagate the NaughtyRobot messages. In addition to the site in Germany where my message originated, a system in Norway was also used to forward these crank messages.

I would like to thank Kwin Pegg (kcp@triax.com), the editor of Total Obscurity Magazine, for sending me the response Kwin received from the administrator of the finlandia.Infodrom.North.DE site in Germany. It turns out that the messages were faked when sent to the European sites, and that they originated from the "uu.net" site in San Francisco, California. Apparently more than 1000 NaughtyRobot messages were channeled through the German site alone.

Thanks also go to Ola Thori Kogstad (ola@bibsyst.no), the postmaster of the other victimized site in Norway. Ola provides the following explanation from the point of view of the e-mail administrator of an internet site.

In the smtp-session it is possible to set the sending server to any name you like, without any consistency checking (reverse dns-lookup). In your message, it is set to localhost. This means that the server in Germany does not carry the correct name of the originator.

Unfortunately, the logging facility of the mailserver is poor, so we do not have the ip-number of the real originator. We will take actions to be able to trace new attempts.

I've got some pretty nasty messages today, and I would appreciate that your page emphasized the fact that the originator of the mail most likely is hidden behind a fake domain/machine (localhost), and is not hosted by the sending machine.

So there you have it. Please be polite when writing to any postmaster or other internet administrator to complain about the antics of one of their users. The person you are writing to is almost certainly not the one responsible for the problem you are experiencing. In fact that person (along with his or her system) may actually be just as much a victim of the situation as you.

It is entirely possible that the perpetrator of this hoax will never be caught. But at least the messages sent by recipients of the NaughtyRobot message are causing the administrators of the various "sending sites" to take steps against a reoccurrence. The firewalls are already up in Germany, and the Norwegians are working on ways to trace such hoaxes in the future.

Search Engine Express?

The other remaining mystery is how my original article made it up on all the search engines so quickly. I posted the article live on RAH96 at approximately 4:00 PM on 2/6/97. I fed the URL to the Alta Vista spider a few moments later. It usually takes a few days for new articles to appear in the Alta Vista database, from which they slowly propagate to the other search engines.

Imagine my surprise when I began to receive e-mail referring to my article at approximately 11:30 PM on 2/6/97. I checked Alta Vista and sure enough, the article was there! Even more surprising was the fact that responses to my first responses showed that Yahoo had the article indexed within six or so hours of my posting it online! My first guess is that people at the major search engines received the NaughtyRobot message as well and expedited the cataloging of my article on the subject.

I'm Not The Detective
2/11/97, About 1:30 AM. EST

The response to this article has been gratifying. More than 650 people have read the article in the last few days and I have received dozens of e-mail messages on the subject. While I did receive the NaughtyRobot message and investigated the situation enough to write this article, I must point out that I'm just a webmaster and humorist, not a system administrator.

I'm not actually trying to track down the culprits who are doing this, although I sincerely hope someone does. Please don't send me your system logs or the "message-id" line from your copy of the NaughtyRobot message. I can't do anything with these things. If someone would like to volunteer for the Cliff Stoll role in this little farce and coordinate the search, just let me know. I'll post your e-mail address here with the article.

That said, I'm proud to have been able to provide some sorely needed information about this latest piece of net mischief. No, I don't really look down on anyone victimized by this hoax, all jokes to the contrary aside. Everyone did realize this article is part of a humor magazine, right?

Why ME?
2/16/97, About 11:30 AM. EST

It has been ten days since my own NaughtyRobot experience and more than 1900 people have read this article in that time. Well over 100 of you have e-mailed me about this subject. The most popular question remains "why me?" Since it appears that I didn't really cover that too well, here is all I have on the subject.

Hackers can't divine your e-mail address out of thin air, no matter what they say on "The X Files." Most of the victims seem to be webmasters, or other people whose e-mail addresses are available on web pages. In this case a spider program could actually sift through the web pages, collecting any e-mail addresses it finds for later use. The silly human (or humans) behind the NaughtyRobot idiocy could also grab the addresses from web pages or even printed material using the low technology expedient of reading them with human eyes.

One group of victims appears to be members of an introductory computer programming class at some college. These people are unlikely to be hosting their own web pages. Conversely, they may know how to use web browsers and might be leaving their e-mail addresses on various website guestbooks around the net. Yes, if you post your e-mail address in a website guestbook or in a public message in a USENET newsgroup you have just published your e-mail address to the world. Something to think about, although I wouldn't advise abandoning these practices if they please you.

The thing to remember about e-mail is that it can't hurt you. It can't give you or your computer a virus, and it can't read your diary. A good defense against hoaxes like NaughtyRobot is to take any message from an unknown correspondent, especially one with a program or macro attached, with many grains of salt. Another good idea is to read the information available on the following sites.

Further References

Martin Schulze, the postmaster of the system in Germany which was used by the NaughtyRobot author to send me my copy of the hoax, has posted his response to this whole mess. Please do remember that Martin is not the person responsible for the message you received, nor is the postmaster of any system listed in the header of your NaughtyRobot message. The messages are all originating (apparently) from somewhere behind uu.net in California.

In an amazing coincidence, CNet published a feature on network crime on 2/6/97! For more information on e-mail forgery and other topics, see their article Net Crime: don't be a victim. (Missing as of August 2002.)

Charles Hymes, a Senior Human Factors Engineer with Hewlett-Packard (I'm not even sure I want to know what that entails), maintains an informative page called Don't Spread That Hoax!

The Computer Incident Advisory Capability (CIAC) at the U.S. Department of Energy has a web page on Internet Hoaxes, including Good Times and NaughtyRobot. The page is much more interesting than the name of the organization would suggest. Capability as a type of organization? It was probably invented by one of those new-fangled Senior Human Factors Engineers.

You can also read a good Frequently Asked Questions (FAQ) file on spam and other e-mail abuse.

Reminder: Although it is not possible to transmit a computer virus through the text of a message (e.g. "Good Times") it is possible for a program or macro attached to an e-mail message to contain a virus. Scan any program or macro you receive for viruses before executing it!

More than 80,000 NaughtyRobot victims have read this article since 02/06/97.
You are not alone!

______________________________

Dave Bealer is a fifty-something mainframe systems programmer who works with CICS, z/OS and all manner of nasty acronyms at one of the largest heavy metal shops on the East Coast. He shares a waterfront townhome in Pasadena, MD. with a cat who annoys him endlessly as he assiduously avoids writing for and publishing Random Access Humor. Dave can be reached via e-mail at:

______________________________


Copyright © 1992-2015 Dave Bealer, All Rights Reserved.