How is some wiretapping person/bot learning about my linked documents?
April 9, 2010 1:11 PM

I think someone is wiretapping my internet/email and I have hard evidence. Need some techno-sleuths. Paranoia story inside.

I usually send people large documents (usually .docx) by posting them on my web server and putting the link in email. For example, I will put MyDoc.docx on my server which is accessible via http://example.com/MyDoc.docx

When I look in my server logs, I will see an HTTP 200 for that document from that person's IP. Great. However, sometimes just minutes after that person accesses the document, someone/something from a different IP address tries to access that document but with lowercase letters (and thus gets an HTTP 404). For example, there will be a request for http://example.com/mydoc.docx

The user agent for that request is always Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1). This has happened on several occasions when I've sent files to different people, and there is no way some bot is guessing urls because my document names are fairly complex. The latest IP to try this is 64.124.203.72. I thought perhaps this is some bad virus-scanner but this happens when I send to @hotmail.com as well as @gmail.com. I've asked the email recipients whether they have tried opening the document from different computers, or have tried to type in the URL, and they are certain they haven't.

Are there any non-paranoid explanations for this, and how can I find who is doing this?
posted by lpctstr; to Computers & Internet (19 answers total)
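One way to pull exactly this pattern out of a log instead of spotting it by eye, as an added example that is not part of the original post: it parses Apache/nginx "combined" format lines (an assumption about the poster's server), then reports every successful request for a mixed-case path that is followed, within a time window and from a different IP, by a request for the same path in all lowercase. The log lines are constructed samples; only the 64.124.203.72 address and the MSIE 7.0 user agent come from the question.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (assumed; adjust the regex if
# the server writes a different format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: a real recipient (203.0.113.10) fetches MyDoc.docx,
# 15 minutes later a different host asks for the lowercased name and gets a 404.
# Report-Q1.docx gets a lowercased request too, but 2.5 hours later, so it
# falls outside the correlation window and is not reported.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Apr/2010:12:40:05 -0700] "GET /MyDoc.docx HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Firefox/3.6"
198.51.100.7 - - [09/Apr/2010:12:41:10 -0700] "GET /index.html HTTP/1.1" 200 1021 "-" "Mozilla/5.0 (Macintosh) Safari/531"
64.124.203.72 - - [09/Apr/2010:12:55:31 -0700] "GET /mydoc.docx HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.10 - - [09/Apr/2010:13:05:00 -0700] "GET /MyDoc.docx HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Firefox/3.6"
198.51.100.7 - - [09/Apr/2010:14:00:00 -0700] "GET /Report-Q1.docx HTTP/1.1" 200 90122 "-" "Mozilla/5.0 (Macintosh) Safari/531"
203.0.113.99 - - [09/Apr/2010:16:30:00 -0700] "GET /report-q1.docx HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def find_lowercase_followups(entries, window=timedelta(minutes=30)):
    """Return each successful fetch of a mixed-case path that is followed, within
    `window` and from a different IP, by a request for the lowercased path.

    Only mixed-case paths are considered: for an all-lowercase name a lowercased
    follow-up would be indistinguishable from an ordinary repeat download.
    """
    hits = []
    successes = [e for e in entries
                 if e["status"] == 200 and e["path"] != e["path"].lower()]
    for s in successes:
        for f in entries:
            if f is s or f["ip"] == s["ip"]:
                continue
            if f["path"] != s["path"].lower():
                continue
            delta = f["ts"] - s["ts"]
            if timedelta(0) < delta <= window:
                hits.append({
                    "path": s["path"],
                    "recipient_ip": s["ip"],
                    "followup_ip": f["ip"],
                    "followup_status": f["status"],
                    "followup_ua": f["ua"],
                    "minutes": delta.total_seconds() / 60,
                })
    return hits


def other_requests(entries, ip):
    """Everything a given IP asked for: the follow-up check hattifattener-style
    review of whether the suspect host ever touched anything else on the site."""
    return [e for e in entries if e["ip"] == ip]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for h in find_lowercase_followups(log):
        print(f"{h['path']}: fetched by {h['recipient_ip']}, then {h['followup_ip']} "
              f"requested the lowercased name {h['minutes']:.1f} min later "
              f"(status {h['followup_status']}, UA {h['followup_ua']!r})")
        for e in other_requests(log, h["followup_ip"]):
            print(f"  {h['followup_ip']} also requested {e['path']} -> {e['status']}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; widening `window` to a few hours will show whether the delay is really as tight as the 10-20 minutes the poster observed, and `other_requests` answers whether the suspect IP has ever fetched anything except these lowercased names.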
 
Is it always the same IP, or the same few IPs, or a different IP every time?
posted by caveat at 1:14 PM on April 9, 2010


Is the intruder IP consistent? Have you tried running tracert on that IP?
posted by cosmicbandito at 1:16 PM on April 9, 2010


Would it be a malfunctioning cache request from the user's ISP (or an ISP somewhere along the route to the user's machine?)
posted by jangie at 1:17 PM on April 9, 2010


Also consider how paranoid or not this really is. How likely is someone to put criminal energy into reading those documents / your email? Would you think it's worth the effort?
posted by oxit at 1:23 PM on April 9, 2010


Response by poster: The IP is usually about the same. The few times I've looked it up, it's been from *.above.net

I was thinking it might be a cache request, but how would above.net (not an ISP) know about this URL, and what kind of cache goes and reads links in people's emails and tries to grab the associated files? I didn't think such a thing existed.
posted by lpctstr; at 1:23 PM on April 9, 2010


Any time somebody makes a standard http request, anybody where that request is being routed through (their ISP, e.g.) can see exactly what is being requested.

Also, if they're using unsecured wifi, e.g., other people near them can intercept the requests as well.
posted by jangie at 1:25 PM on April 9, 2010


Yeah, it could be a proxy somewhere trying to prefetch links. It could easily prefetch links in people's e-mail if they're reading it in a Web mail client.
posted by kindall at 1:27 PM on April 9, 2010


There is no reason to think that above.net are reading the emails. If they are part of the route for the request that your mail recipient makes, then they will know the URL without knowing anything about the email, like jangie says.
posted by mjg123 at 1:27 PM on April 9, 2010


I have heard that Google toolbar will see what urls are being opened by a browser and report that back to the Google mothership. That way, Google finds out about URLS that are not linked and can use them for more indexing.

If the person who gets the mail and then retrieves the document is from someplace that uses a proxy, the proxy will see the download. It won't need the email.
posted by procrastination at 1:28 PM on April 9, 2010


As an experiment, you could try reading the URL over the phone instead of emailing it - if you get the same pattern of requests then that points to the mail not being intercepted. You could also ask your people to run traceroute between themselves and your doc server and see if above.net are part of the route or not.
posted by mjg123 at 1:35 PM on April 9, 2010


Okay just to be clear: Are you sending these links to anyone but yourself? Is it possible that your recipient might be emailing these links on? To somewhere else? A virus scanner makes sense, but why would it hit the page after your clients

Okay so there are two ways that an attacker could be getting that URL:

1) Intercepting the email
2) Seeing the link as someone clicks on it and the request goes through

You can reduce the chances of 2 by using https://, since the URLs are sent encrypted, and an eavesdropper would only be able to see the request if they were doing a man in the middle attack.

Have you tried setting up a Gmail account and testing this yourself? You might want to try it.

Try it with http and https and see if there's any difference. If nothing comes through when you download the email yourself, that should indicate that the problem is on your recipient's end.
posted by delmoi at 1:46 PM on April 9, 2010


According to the following information about the IP address you listed, it was (at one point) the IP address of various hosts that were part of Accoona Corp. Accoona Corp was a business search engine and they had a web browser toolbar that they used to distribute.

My guess is that one or more of your recipients has the Accoona toolbar installed. Is it always the same recipient that triggers the second access attempt?
posted by NormieP at 1:56 PM on April 9, 2010 [1 favorite]


In delmoi's scenario #2, a MITM attack is not the only way to find out the full URL being accessed. That URL is also likely to be stored in the browser history, and so a browser plugin (nice spot, NormieP!) would be able to find out the full URL, too.
posted by mjg123 at 2:35 PM on April 9, 2010


Send an email with the link to another email account of yours, do not click the link. Check logs.
posted by Sonic_Molson at 4:50 PM on April 9, 2010


lpctstr;: Is there some reason you suspect eavesdropping beyond the document requests from IP addresses you don't recognize? In other words, did you notice the requests and eavesdropping is one explanation you are considering, or did you suspect eavesdropping already and the document requests are confirmation?
posted by Justinian at 5:54 PM on April 9, 2010


Do you see any other requests from the suspicious IP addresses, or using that particular user-agent string? If so, that might give you more of a clue about the human or mechanism behind them.
posted by hattifattener at 6:19 PM on April 9, 2010


So someone is intercepting your mail to get these links, and then can't figure out case sensitivity? If I'm reading your post correctly, the suspicious requests are always using all-lowercase letters, and have not managed to get anything so far, right? That's one incompetent hacker, I have to say.

NormieP probably has it, this looks more like some dumb piece of software than malicious activity.
posted by Dr Dracator at 10:18 PM on April 9, 2010


I'm tired so I want to double-check: am I correct that you ALWAYS see the recipient hit the file on your server BEFORE you see the weird lower-case request?

If so, this indicates that the lower-case request is being triggered by the recipient clicking on the link. That at least narrows down where the "wiretapping" is happening.

You say the recipients swear they aren't checking it from a different computer. Have them try checking it from a different computer, but within the same office. Then have them click the link from their computer at home. Have someone completely unrelated click the link and see what happens. (I'd be happy to help you with testing - memail me.)

My personal crazy-ass guess is that the recipients all work at the same office, and that this office has a very poorly-configured Net Nanny-type program that's trying to check that document to see if it's porn.
posted by ErikaB at 10:22 PM on April 9, 2010


Response by poster: Thanks for all the responses so far. The man-in-the-middle or browser plugin seem most plausible. I will ask one of my recipients to run a tracert.

Here are some clarifications:

This has happened for 3 recipients (in different cities who do not know each other) I've sent the links to, off the top of my head. One of them is my sister, who I know reads her email through Hotmail in Internet Explorer at home, on a laptop I set up for her.

This is hard to test since it seems to only happen about 2-3% of the time so I can't just randomly email links to myself and check.

The eavesdropper seems to consistently try to grab the document 10-20 minutes after the recipient opens it. Always with the same user agent. I've always used capital letters in my document filenames so I don't think it has been successful getting anything so far. I've also started using 7-zip to compress and encrypt my documents and one time the eavesdropper tried downloading a .7z file.

I haven't seen the IP or user agent elsewhere in my logs, and originally found this suspicious because of the lowercasing thing and I couldn't find any report of this occurring to anyone else. I would have imagined this would be more widely reported if it were a browser toolbar/plugin.
posted by lpctstr; at 11:30 PM on April 9, 2010

