Time is of the essence when you're trying to trace a suspicious IP address
or domain. So whether you're investigating a possible phishing scam or determining
whether the email clogging your corporate mailboxes is legitimate or spam, turn
to the classic Sam Spade. I'm talking about the long-available freeware suite
of network-query tools, not Dashiell Hammett's hard-boiled private eye in The
Maltese Falcon. Like its namesake detective, this tool bundle will help
you track down the bad guys, but it will also help you shave time off your network
reconnaissance activities.
Sam Spade integrates a variety of well-known and separately available network-investigation tools—including IP block, reverse DNS lookups, Ping, Traceroute, and Whois—using a common GUI that lets you easily feed one tool's results to another tool for further analysis. Sam Spade also provides spam-detection functionality, letting you analyze suspicious email headers and URLs.
Oldie but Goodie
You can find Sam Spade FAQs and a library of download links at http://www.samspade.org; the most recent Windows version of the suite, 1.14 (released
December 1999), is available for download at http://static.samspade.org/ssw/spade114.exe.
Although the tool's interface is a bit dated, it still works well. When you
open the tool, you'll see a large blank window ringed by icons and input fields.
Whenever you run a command in Sam Spade, the output pops up in a new window
within the main program. You can easily jump between queries without having
to scroll through a shell to find information. You can also customize most of
the UI. For example, you can run your Whois queries in yellow and your IP block
queries in cyan, letting you quickly spot the query you want when tracking lots
of information.
To demonstrate Sam Spade's value, let's see how you might use the tool to investigate
a phishing attack operating under the guise of a security email message from
a bank. You might not investigate phishing email every day. But new threats
are always developing, and understanding how to analyze components of an email
message—especially an HTML message, whose nice layout can mask subversive
underlying code—is an important skill for anyone responsible for a system's
security.
Decoding a URL
In your phishing case, you first check the message for
phishing characteristics by viewing the message's HTML source code. In the source
code, you find a spoofed link to the bank Web site. These days, many phishing
attacks obfuscate the URL to make it more difficult to identify a spoofed link.
Sam Spade includes a feature to decode a URL. Although this feature doesn't
unravel an obfuscated source, it does return the alias and IP addresses associated
with a URL on the Internet.
For example, if you use Sam Spade's Decode URL tool to look up the URL http://www.microsoft.com,
the tool confirms the canonical name as www.microsoft.com and returns the associated
IP addresses. In fact, you'll see quite a few addresses, which is appropriate
given Microsoft's size and business model. However, suppose the message allegedly
from Microsoft contains a link to http://www.micros0ft.com.
If you enter this URL in Decode URL, the tool confirms the alias because someone
registered it as a domain name. But the tool returns only one IP address—which
should set off alarm bells, because a large company likely has multiple Web
gateways. Note that, as with any investigation, you need to use the tool's output
together with your own experience and intuition to determine whether you're
looking at legitimate or malicious activity.
Now, you can right-click the IP address Sam Spade returned to access a context-aware set of commands you can run against the address. Select IP block, and Sam Spade will tell you that the IP address associated with www.micros0ft.com is registered to Verizon Internet Services. It's doubtful that a company as large as Microsoft would use an ISP that serves residential and small business customers, adding to the evidence that micros0ft.com is a misleading Web site related to a phishing scam.
Analyzing Email Headers
Every email message includes Internet headers,
which Sam Spade can parse to help you separate legitimate email from spam or
phishing attacks. To use Microsoft Outlook to find the raw Internet headers,
open an email message, select the View menu, then click Options. Next, select
and copy the Internet headers. Switch to Sam Spade, click the Tools menu, then
click Parse Email Headers. Paste the copied data into the dialog box that appears,
and click the Parse button.
Sam Spade opens two new windows. The first window contains a color-coded analysis of the headers, which highlights useful information such as sender email address and domain and the IP address of the originating server. The second window is an email message containing a copy of the header, which you can send to an ISP abuse address. Sam Spade looks up the abuse email address (available from the ISP via its domain information records) and creates an email message for you; the tool even includes a set of predefined abuse email templates you can choose from, including Webhosting, clickthrough, dialup, dropbox, relay, and dns. You need only edit the email message and click Send.
A phishing message often spoofs the From address of a well-known domain, and the
From address alone proves little: some senders route messages through their own
domain or their ISP's domain, and other companies hire third parties to send their
email. But spoofing the IP address of the sending computer is much more difficult.
Even if the phishing perpetrator uses a mail relay, the relay won't match the
IP address associated with the domain in the email message's From address. Using
email Internet header information, you can right-click the sending IP address
(or resolved name) and select the Whois tool to perform additional analysis,
as Figure 1 shows. (Note that the IP addresses in Figure 1 are whited out for
privacy reasons.)
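The header check described above, as an added example that is not part of the article or of Sam Spade itself: it parses constructed headers, walks the Received chain to the server that injected the message, and compares that IP with a lookup table standing in for the DNS/Whois query you would run on the From domain (the hostnames, addresses, and the `KNOWN_SENDER_HOSTS` table are all made up).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers for a phishing-style message (not a real message);
# the addresses are documentation-range placeholders, not real indicators.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.corp.example (Postfix) with ESMTP id ABC123
\tfor <user@corp.example>; Mon, 1 Mar 2004 10:00:05 -0500
Received: from dsl-77.provider.example (unknown [203.0.113.77])
\tby mx.example.net with SMTP id XYZ789; Mon, 1 Mar 2004 10:00:01 -0500
From: "Security Team" <security@bigbank.example>
To: user@corp.example
Subject: Urgent: verify your account
"""

# Constructed stand-in for the addresses a Whois/DNS query would attribute to
# the From domain; a real investigation fills this from the tool's output.
KNOWN_SENDER_HOSTS = {"bigbank.example": {"198.51.100.5", "198.51.100.6"}}

# Bracketed IPv4 literal that MTAs record for the connecting host.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_headers(raw):
    """Return (from_domain, [hop IPs, newest first]) from raw header text."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    hops = []
    for received in msg.get_all("Received", []):
        match = RECEIVED_IP.search(received)
        if match:
            hops.append(match.group(1))
    return from_domain, hops

def originating_ip(raw):
    """The last Received header is the oldest hop: the server that injected the message."""
    _, hops = parse_headers(raw)
    return hops[-1] if hops else None

def relay_matches_from_domain(raw, known_hosts=KNOWN_SENDER_HOSTS):
    """True when the injecting server belongs to the From domain, False on a
    mismatch (the phishing tell described above), None if no hop was found."""
    from_domain, hops = parse_headers(raw)
    if not hops:
        return None
    return hops[-1] in known_hosts.get(from_domain, set())
```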
I used this feature, for example, to analyze an email message I received from eTrade, which came from a mail server named eppsuiron1.adp-ics.com. Sam Spade identified the server owner as ADP-BPS. I then searched for ADP-BPS and ADP-ICS in Google and found that ADP-ICS stands for Automatic Data Processing Investor Communication Services, a division of ADP's Brokerage Services Group. Everything checked out.
Sam Spade's most helpful feature is its context awareness. It can recognize Fully Qualified Domain Names (FQDNs) and IP addresses from any of its output windows. To investigate further, just right-click one of these objects and select from the several additional tasks. For example, after you parse the email headers, you can right-click the sender IP address and select IP block to learn more about the network owner of that IP address. All the tools in Sam Spade have context-aware menus, making it easier and quicker to investigate by using the bundled suite than by using each tool individually.