Archive

Posts Tagged ‘calmail’

Yet another CalMail phishing attempt

February 20th, 2010

Still fairly obvious, but it looks like the phishers are getting better. Below is the email with full headers (the headers that reveal my secret email server setup are redacted):

Return-path: xxxx...@berkeley.edu
Envelope-to: xxx...@xxxxxx.xxx
Delivery-date: Sat, 20 Feb 2010 21:19:26 -0800
Received: from xxxxxxxx.berkeley.edu ([128.32.xxx.xxx])
        by xxxxx.xxxxxxxxxxxx.xxx with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
        (Exim 4.69)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1Nj4E2-0003HR-Mg
        for xxx...@xxxxxx.xxx; Sat, 20 Feb 2010 21:19:26 -0800
Received: from xxxxxxx by xxxxxxxx.Berkeley.EDU with local (Exim 4.69)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1Nj4E2-0004s1-Bl
        for xxx...@xxxxxx.xxx; Sat, 20 Feb 2010 21:19:26 -0800
Received: from cm03fe.ist.berkeley.edu ([169.229.218.144])
        by xxxxxxxxx.Berkeley.EDU with esmtp (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4E2-0004rv-9i
        for xxx...@xxxxxxxxxxxx.xxx; Sat, 20 Feb 2010 21:19:26 -0800
Received: from cm09be.ist.berkeley.edu ([169.229.218.182])
        by cm03fe.ist.berkeley.edu with esmtps (TLSv1:AES256-SHA:256)
        (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4E1-0005NQ-Cn
        for xxx...@xxxxxxxxxxxx.xxx; Sat, 20 Feb 2010 21:19:25 -0800
Received: from cyrus by cm09be.ist.berkeley.edu with local (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4E1-0002WX-Ra
        for xxx...@xxxxxxxxxxxx.xxx; Sat, 20 Feb 2010 21:19:25 -0800
Received: from cm01fe.ist.berkeley.edu (cm01fe.IST.Berkeley.EDU [169.229.218.142])
        by cm09ms.ist.berkeley.edu (Cyrus v2.3.13-CalMail-v2.3) with LMTPA;
        Sat, 20 Feb 2010 21:19:25 -0800
X-Sieve: CMU Sieve 2.3
Received: from persius.rz.uni-potsdam.de ([141.89.68.1])
        by cm01fe.ist.berkeley.edu with esmtp (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4Dy-0007hK-52; Sat, 20 Feb 2010 21:19:24 -0800
Received: from arnim.rz.uni-potsdam.de (arnim.rz.uni-potsdam.de [141.89.68.11])
        by persius.rz.uni-potsdam.de (8.12.11/8.12.11) with ESMTP id o1L50smS001879;
        Sun, 21 Feb 2010 06:00:54 +0100 (CET)
Received: from uni-potsdam.de (localhost.localdomain [127.0.0.1])
        by arnim.rz.uni-potsdam.de (8.13.8/8.13.8) with ESMTP id o1L50qp1025812;
        Sun, 21 Feb 2010 06:00:52 +0100
Received: from 41.138.182.176 ([41.138.182.176]) by webmail.uni-potsdam.de
        (Horde MIME library) with HTTP; Sun, 21 Feb 2010 06:00:52 +0100
Message-ID: <2010...@webmail.uni-potsdam.de>
Date: Sun, 21 Feb 2010 06:00:52 +0100
From: "Berkeley.edu Web-Administration" <webm...@berkeley.edu>
Reply-to: supp...@live.com
To: undisclosed-recipients: ;
Subject: Alert: Update your CalMail  account
MIME-Version: 1.0
Content-Type: text/plain;
        charset=ISO-8859-1;
        DelSp="Yes";
        format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1.6)
X-Virus-Scanned: clamav-milter 0.95.3 at arnim.rz.uni-potsdam.de
X-Virus-Status: Clean
X-j-chkmail-Score: MSGID : 4B80BE06.000 on persius : j-chkmail score : X : 5/50 0
X-Miltered: at persius with ID 4B80BE06.000 by Joe's j-chkmail (http://j-chkmail.ensmp.fr)!
X-Ucb-Scan-Signature: 606d01dea56a423fb13a5c3f55ff5ffa3eae29a5
X-Ucb-Spam: Gauge=IIIIIII, Probability=7%, Report=''
X-Ucb-Notice: This message has been processed by a spam tagging system.
        See http://mailinfo.berkeley.edu/ for more information.

--

Dear CalMail User,

Your email account needs to be upgraded with our new F-Secure® HTK4S
anti-virus/anti-spam 2010 version.
Fill the columns below and click reply to send back or your account will be
suspended temporary from our services.

CalNet ID:
Passphrase:
Phone Number:

Berkeley.edu Web-Administration
Greg Silva

https://calmail.berkeley.edu/

----©2010, University Of California.

Note the fairly convincing From: address. Most email clients hide the routing information that gives the game away: the oldest Received: line shows the message was submitted from 41.138.182.176 through the Horde webmail at uni-potsdam.de, not from anything at berkeley.edu, and the From: header is simply whatever the sender typed. However, the Reply-to: header, which would route replies to supp...@live.com and which the phish depends on (it asks you to reply), is shown by most email clients, at least in the reply window, which means, yet again, people who pay attention to details shouldn't be taken in by this rather amateurish phishing attempt.

Not to mention one should never send passphrases over email, even to someone you know: a message is not encrypted end to end, so even where individual hops use TLS (as several of the Received: lines above show) it sits in plain text on every server along the way. And no legitimate administrator will ask you for a passphrase by email anyway.

Author: bkpark Categories: security

Calmail leaks IP addresses!

November 29th, 2009

For regular visitors of my blog from UCB, here's an early Christmas present: Calmail leaks IP addresses! Here's a quick demonstration (I've seen similar headers on emails from friends and colleagues, but I didn't want to expose their info; I've redacted some info here as I didn't want to expose my … secret email server scheme, or my real username for Calmail):

Return-path: xxxx...@visitor3.berkeley.edu
Envelope-to: bkp...@xxxxxx.xxx
Delivery-date: Sun, 29 Nov 2009 01:32:12 -0800
Received: from visitor3.berkeley.edu ([128.32.124.159])
        by helen.byungkyupark.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
        (Exim 4.69)
        (envelope-from <xxxx...@visitor3.berkeley.edu>)
        id 1NEg8a-0000jX-J7
        for bkp...@xxxxxx.xxx; Sun, 29 Nov 2009 01:32:12 -0800
Received: from xxxxxxx by visitor3.Berkeley.EDU with local (Exim 4.69)
        (envelope-from <xxxx...@visitor3.berkeley.edu>)
        id 1NEg8a-0001rk-4v
        for bkp...@xxxxxx.xxx; Sun, 29 Nov 2009 01:32:12 -0800
Received: from smtp-out1.berkeley.edu ([128.32.61.106])
        by visitor3.Berkeley.EDU with esmtp (Exim 4.69)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1NEg8a-0001rW-2q
        for bkp...@byungkyupark.com; Sun, 29 Nov 2009 01:32:12 -0800
Received: from arsenic.calmail ([192.168.1.2] helo=calmail.berkeley.edu)
        by fe2.calmail with esmtpsa (TLSv1:AES256-SHA:256)
        (Exim 4.69)
        (auth plain:xxxx...@berkeley.edu)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1NEg8T-0000qs-8R
        for bkp...@byungkyupark.com; Sun, 29 Nov 2009 01:32:06 -0800
MIME-Version: 1.0
Received: from visitor3.Berkeley.EDU [128.32.124.159]
        with HTTP/1.1 (POST); Sun, 29 Nov 2009 01:32:05 -0800
Date: Sun, 29 Nov 2009 01:32:05 -0800
From: "Byung Kyu Park, BA" <xxxx...@berkeley.edu>
To: bkp...@byungkyupark.com
Subject: This will demonstrate how Calmail leaks IP addresses
Message-ID: <7272...@berkeley.edu>
X-Sender: xxxx...@berkeley.edu
User-Agent: RoundCube Webmail/0.3-RC1.UCB3
Content-Type: multipart/alternative;
        boundary="=_ad4b95d1d25a334cada12ae4c3335783"

Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

And this email was composed on the RoundCube webmail client.

Andrew

You will see that the full headers (which most email clients hide, but there is always an option to show them) reveal the IP from which I was accessing Calmail's webmail interface: the line "Received: from visitor3.Berkeley.EDU [128.32.124.159] with HTTP/1.1 (POST)" is added by RoundCube and records the browser's address (no, I'm not in the lab right now; I am proxying through one of my servers, because I consider my current IP address confidential, personal, private information). Similar headers show up if you submit through SMTP (the "with esmtpsa ... (auth plain:...)" line above records the submitting host's address together with the authenticated account; here it is the internal webmail host 192.168.1.2, but for a desktop mail client it would be your own machine) or if you use the other webmail client.
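To make the header reading from both posts repeatable, here is a small Python script (an added example, not code from either post) that walks a message's Received: chain oldest-first, picks out the hops that record a client address (the oldest hop, any webmail/HTTP hop, any authenticated SMTP submission hop) and checks whether Reply-To steers replies to a different domain than From claims. The two sample messages are trimmed copies of the headers printed in the two posts above, with the posts' own redactions left in place; the "via" labels and the regular expressions are my own assumptions about Exim, Sendmail, Horde and RoundCube header formats, not anything the posts state.

```python
"""Walk a message's Received: chain and answer the two questions the posts
above answer by hand: where did the message really enter the mail system
(and which client IP did that hop record), and does Reply-To point
somewhere other than From?  Added example; sample headers are trimmed
copies of the ones in the two posts, with their redactions kept."""
import re
from email import message_from_string

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # bracketed IPv4 literal
BY_RE = re.compile(r"\bby\s+([\w.-]+)")                  # the server that wrote the hop
AUTH_RE = re.compile(r"\(auth\s+\w+:([^)\s]+)\)")        # Exim "(auth plain:user)" (assumed format)
SUBMIT_RE = re.compile(r"\bwith\s+e?smtps?a\b", re.I)    # esmtpa/esmtpsa = authenticated submission
WEBMAIL_RE = re.compile(r"\bwith\s+HTTP")                # hop written by a webmail client
DOMAIN_RE = re.compile(r"@([\w.-]+)")


def received_chain(raw):
    """Received: header values, oldest-first.  Every relay prepends its own
    line, so the order in the message is newest-first; reverse it."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def origin_hops(raw):
    """Hops that expose a client address: the oldest hop, any webmail (HTTP)
    hop and any authenticated-submission hop, oldest-first."""
    found = []
    for i, hop in enumerate(received_chain(raw)):
        ip = IP_RE.search(hop)
        if ip is None:
            continue
        webmail = WEBMAIL_RE.search(hop) is not None
        auth = AUTH_RE.search(hop)
        submitted = auth is not None or SUBMIT_RE.search(hop) is not None
        if not (i == 0 or webmail or submitted):
            continue                      # an ordinary server-to-server relay
        by = BY_RE.search(hop)
        found.append({
            "ip": ip.group(1),
            "via": "webmail (HTTP)" if webmail else
                   "authenticated SMTP submission" if submitted else "oldest hop",
            "by": by.group(1) if by else None,
            "auth_user": auth.group(1) if auth else None,
        })
    return found


def reply_redirect(raw):
    """(from_domain, reply_domain) when Reply-To points elsewhere, else None."""
    msg = message_from_string(raw)
    frm = DOMAIN_RE.search(msg.get("From", "") or "")
    rto = DOMAIN_RE.search(msg.get("Reply-To", "") or "")
    if not frm or not rto:
        return None
    f, r = frm.group(1).lower(), rto.group(1).lower()
    return (f, r) if f != r else None


# Trimmed from the phishing post: the four oldest hops plus the headers it calls out.
PHISH = """\
Received: from persius.rz.uni-potsdam.de ([141.89.68.1])
    by cm01fe.ist.berkeley.edu with esmtp (Exim 4.69)
    (envelope-from <webm...@berkeley.edu>)
    id 1Nj4Dy-0007hK-52; Sat, 20 Feb 2010 21:19:24 -0800
Received: from arnim.rz.uni-potsdam.de (arnim.rz.uni-potsdam.de [141.89.68.11])
    by persius.rz.uni-potsdam.de (8.12.11/8.12.11) with ESMTP id o1L50smS001879;
    Sun, 21 Feb 2010 06:00:54 +0100 (CET)
Received: from uni-potsdam.de (localhost.localdomain [127.0.0.1])
    by arnim.rz.uni-potsdam.de (8.13.8/8.13.8) with ESMTP id o1L50qp1025812;
    Sun, 21 Feb 2010 06:00:52 +0100
Received: from 41.138.182.176 ([41.138.182.176]) by webmail.uni-potsdam.de
    (Horde MIME library) with HTTP; Sun, 21 Feb 2010 06:00:52 +0100
From: "Berkeley.edu Web-Administration" <webm...@berkeley.edu>
Reply-to: supp...@live.com
Subject: Alert: Update your CalMail account

"""

# Trimmed from the IP-leak post: the submission hop and the RoundCube hop.
LEAK = """\
Received: from arsenic.calmail ([192.168.1.2] helo=calmail.berkeley.edu)
    by fe2.calmail with esmtpsa (TLSv1:AES256-SHA:256)
    (Exim 4.69)
    (auth plain:xxxx...@berkeley.edu)
    (envelope-from <xxxx...@berkeley.edu>)
    id 1NEg8T-0000qs-8R
    for bkp...@byungkyupark.com; Sun, 29 Nov 2009 01:32:06 -0800
MIME-Version: 1.0
Received: from visitor3.Berkeley.EDU [128.32.124.159]
    with HTTP/1.1 (POST); Sun, 29 Nov 2009 01:32:05 -0800
From: "Byung Kyu Park, BA" <xxxx...@berkeley.edu>
Subject: This will demonstrate how Calmail leaks IP addresses

"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("leak", LEAK)):
        print(name, "origin:", origin_hops(raw), "reply redirect:", reply_redirect(raw))
```

For the phish it reports a single origin hop, 41.138.182.176 submitted by webmail.uni-potsdam.de, plus a reply redirect from berkeley.edu to live.com; for the Calmail message it reports the RoundCube hop carrying 128.32.124.159 and the esmtpsa hop carrying 192.168.1.2 with the authenticated account, and no reply redirect. Feed it your own full headers (copied from the "show original" view of your mail client) to see what your provider writes about you.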

I am not entirely sure if this is a feature or a bug—embedding IP information in headers will help with the legitimate activities of law enforcement authorities, as well as the illegitimate (is there any other kind?) squelching of dissenting voices—so I haven't reported it to abu...@berkeley.edu or, I don't know, h...@berkeley.edu? secu...@berkeley.edu?

In any case, now that you know, you can avoid using Calmail—if you value your privacy.

Ironically, GMail may be one of the most secure email systems to use, as far as privacy goes, because headers from GMail are fairly clean of any private information. Or, if you are like me, you run a server at work, on which you run a bunch of things like websites and email servers, so its IP address isn't exactly a state secret. You can proxy everything through that server (as I did here) or run your mail clients and what-not on that server.

No matter what you do, just remember: when you send an email through Calmail, you announce to your recipient (and to every relay that handles the message) what your IP address is at that moment. Don't send that email if you are not comfortable with that.

Author: bkpark Categories: security, tech