Difference between pages "Yahoo! Mail Header Format" and "LEET '08"

From ForensicsWiki
The '''Yahoo! Web Mail''' header format has changed over time, but currently includes the [[IP addresses in webmail messages|sender's IP address]], a DomainKey signature, and some other helpful information.

DomainKey-Signature
<pre>
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=ql3kRKrhner1LTFFVBgCYI1uqK4+8hrb6d/Fefr/HkLuObQwIrIpEXA1OiagbuFZU+H+ue1anFvm1cHQ4hjpdUcjpIIPL7ldNL9YnOxauugdVW+
  OpbTvAu0XaGf2t7eBqOWJF0Y5gM7TE27WdElgVRikunfCQca1VFV6KSuQP0o=;
</pre>

Here is a sample mail header. Note that the 'Date' field will change from (PDT) to (PST) depending on whether daylight saving time is in effect in California, USA. The sender's IP address is represented as a.b.c.d in the example below.

Mail Header
<pre>
Received: from [a.b.c.d] by web53409.mail.re2.yahoo.com via HTTP; Sat, 14 Feb 2009 05:42:03 PST
X-Mailer: YahooMailWebService/0.7.260.1
Date: Sat, 14 Feb 2009 05:42:03 -0800 (PST)
From: Sender Name <sender@yahoo.com>
Reply-To: sender@yahoo.com
Subject: Test Message
To: recipient@domain.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <695976.86300.qm@web53409.mail.re2.yahoo.com>
</pre>

== Message IDs ==
The Message-ID header in Yahoo! emails is a useful indicator of the device or client that sent the message. Below are some samples:

Sent via the Yahoo!® Mail for Android application on Android (Jelly Bean):
<pre>Message-ID: <1332714176.54741.androidMobile@web141101.mail.bf1.yahoo.com></pre>

Sent via Yahoo! webmail from Chrome:
<pre>Message-ID: <1332793663.59921.YahooMailNeo@web121601.mail.bf1.yahoo.com></pre>

Sent via the Android browser using the mobile webmail interface:
<pre>Message-ID: <1332792527.64712.BPMail_high_noncarrier@web121601.mail.bf1.yahoo.com></pre>

Sent via the Android email application configured for SMTP (Jelly Bean):
<pre>Message-ID: <gf4yxl2u7us2lp89xkgbty9u.1342797846221@email.android.com></pre>

Sent via iPod (iOS 5.0.1):
<pre>Message-ID: <1341798412.80181.YahooMailMobile@web124306.mail.ne1.yahoo.com></pre>
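The following script is an added example, not code from ForensicsWiki: it pulls the three forensically useful items described on this page out of a raw header block, namely the sender's IP address from the `Received: from [a.b.c.d] ... via HTTP` line, the tag=value pairs of the DomainKey-Signature header, and the sending client implied by the Message-ID token. The sample header is constructed from the examples above, with the documentation address 203.0.113.7 standing in for a.b.c.d; the token-to-client table is taken from the Message-ID samples on this page, and all function names are this example's own.

```python
"""
Added example (not from the ForensicsWiki page): extract the sender IP,
DomainKey-Signature tags and Message-ID client hint from Yahoo! webmail headers.
"""
import email
import ipaddress
import re
from email.message import Message

# Constructed sample: the page's sample header with 203.0.113.7 in place of a.b.c.d.
SAMPLE_HEADER = """\
Received: from [203.0.113.7] by web53409.mail.re2.yahoo.com via HTTP; Sat, 14 Feb 2009 05:42:03 PST
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=ql3kRKrhner1LTFFVBgCYI1uqK4+8hrb6d/Fefr/HkLuObQwIrIpEXA1OiagbuFZU+H+ue1anFvm1cHQ4hjpdUcjpIIPL7ldNL9YnOxauugdVW+
  OpbTvAu0XaGf2t7eBqOWJF0Y5gM7TE27WdElgVRikunfCQca1VFV6KSuQP0o=;
X-Mailer: YahooMailWebService/0.7.260.1
Date: Sat, 14 Feb 2009 05:42:03 -0800 (PST)
From: Sender Name <sender@yahoo.com>
To: recipient@domain.com
Message-ID: <695976.86300.qm@web53409.mail.re2.yahoo.com>

(body omitted)
"""

# Yahoo! webmail stamps the client's address in a 'via HTTP' Received line.
RECEIVED_HTTP_RE = re.compile(r"from \[(?P<ip>[0-9a-fA-F.:]+)\] by (?P<host>\S+) via HTTP")
MESSAGE_ID_RE = re.compile(r"<?(?P<local>[^@<>]+)@(?P<host>[^@<>]+)>?")

# Message-ID tokens and the clients they were observed with on this page.
MESSAGE_ID_CLIENTS = {
    "androidMobile": "Yahoo! Mail for Android application",
    "YahooMailNeo": "Yahoo! webmail in a desktop browser",
    "BPMail_high_noncarrier": "mobile webmail interface in a phone browser",
    "YahooMailMobile": "Yahoo! Mail mobile client (iOS)",
}


def parse_headers(raw: str) -> Message:
    """Parse a raw RFC 5322 header block; folded lines are kept as-is in values."""
    return email.message_from_string(raw)


def unfold(value: str) -> str:
    """Collapse folding whitespace (newline + indent) into single spaces."""
    return re.sub(r"\s+", " ", value).strip()


def extract_sender_ip(msg: Message):
    """Return (sender_ip, yahoo_web_host) from the first 'via HTTP' Received line, else None."""
    for received in msg.get_all("Received", []):
        m = RECEIVED_HTTP_RE.search(unfold(received))
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))  # reject garbage in the brackets
        except ValueError:
            continue
        return ip, m.group("host")
    return None


def parse_domainkey_signature(value: str) -> dict:
    """Split 'a=rsa-sha1; q=dns; ...' into a tag dict; whitespace inside values is dropped."""
    tags = {}
    for part in unfold(value).split(";"):
        if "=" not in part:
            continue
        key, val = part.split("=", 1)  # the b= value itself ends in '='
        tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def received_is_signed(tags: dict) -> bool:
    """True when the signature is by yahoo.com and covers the Received header,
    i.e. the sender-IP line is inside the signed set (the h= tag on this page lists it)."""
    return tags.get("d") == "yahoo.com" and "Received" in tags.get("h", "").split(":")


def classify_message_id(message_id: str) -> str:
    """Map a Message-ID to the sending client using the tokens documented above."""
    m = MESSAGE_ID_RE.fullmatch(message_id.strip())
    if not m:
        return "malformed Message-ID"
    local, host = m.group("local"), m.group("host")
    if host == "email.android.com":
        return "Android native email application (SMTP)"
    if host.endswith(".yahoo.com"):
        # Yahoo! web and mobile IDs look like <epoch>.<n>.<token>@<webhost>
        fields = local.split(".")
        token = fields[2] if len(fields) >= 3 else fields[-1]
        return MESSAGE_ID_CLIENTS.get(token, f"unrecognised Yahoo! client token '{token}'")
    return f"non-Yahoo! Message-ID host '{host}'"


def analyse(raw: str) -> dict:
    """Run all three extractions over one header block."""
    msg = parse_headers(raw)
    dk = msg.get("DomainKey-Signature")
    return {
        "sender": extract_sender_ip(msg),
        "domainkey": parse_domainkey_signature(dk) if dk else {},
        "client": classify_message_id(msg.get("Message-ID", "")),
        "x_mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE_HEADER).items():
        print(f"{key}: {val}")
```

The `received_is_signed` check is the one worth remembering: because the page's `h=` tag lists `Received`, the line carrying the sender's IP is part of what the DomainKey signature covers, so an intact signature from `d=yahoo.com` gives some assurance that the IP was not edited after Yahoo! stamped it. The `qm` token in the page's full sample header is not among the documented Message-ID samples, so the classifier reports it as unrecognised rather than guessing.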
[[Category:Email Analysis]]

Revision as of 16:32, 19 January 2008

As the Internet has become a universal mechanism for commerce and communication, it has also become an attractive medium for online criminal enterprise. Today, widespread vulnerabilities in both software and user behavior allow miscreants to compromise millions of hosts, conceal their activities with sophisticated system software, and manage these resources via a distributed command and control framework. This platform in turn provides economies of scale for a wide range of criminal activities including spam, phishing, DDoS, click fraud, and so on.

LEET has evolved from the combination of two other successful workshops, the ACM Workshop on Recurring Malcode (WORM) and the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), which have each dealt with aspects of this problem. However, while papers relating to both worms and botnets are explicitly solicited, LEET has a broader charter than its predecessors. We encourage submissions of papers that focus on any aspect of the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, or the social and economic networks driving these threats.

Topics of interest include, but are not limited to:

- Infection vectors for malware (worms, viruses, etc.)
- Botnets, command, and control channels
- Spyware
- Operational experience
- Forensics
- Click fraud
- Measurement studies
- New threats and related challenges
- Boutique and targeted malware
- Phishing
- Spam
- Underground markets
- Carding and identity theft
- Miscreant counterintelligence
- Denial-of-service attacks
- Hardware vulnerabilities
- Legal issues
- The arms race (rootkits, anti-anti-virus, etc.)
- New platforms (cellular networks, wireless networks, mobile devices)
- Camouflage and detection
- Reverse engineering
- Vulnerability markets and zero-day economics
- Online money laundering
- Understanding the enemy
- Data collection challenges

LEET '08 will be a one-day event, Tuesday, April 15, 2008, co-located with the 5th USENIX Symposium on Networked Systems Design and Implementation (NSDI '08), which will take place April 16-18, 2008.

The submission deadline is 11:59 p.m. EST on Monday, February 11, 2008. Submission guidelines can be found at http://www.usenix.org/leet08/cfpb

We look forward to your submissions.

Fabian Monrose, Johns Hopkins University
LEET '08 Program Chair
leet08chair@usenix.org