Sam Spade on the Spam Case

Time is of the essence when you're trying to trace a suspicious IP address or domain. So whether you're investigating a possible phishing scam or determining whether the email clogging your corporate mailboxes is legitimate or spam, turn to the classic Sam Spade. I'm talking about the long-available freeware suite of network-query tools, not Dashiell Hammett's hard-boiled private eye in The Maltese Falcon. Like its namesake detective, this tool bundle will help you track down the bad guys, but it will also help you shave time off your network reconnaissance activities.

Sam Spade integrates a variety of well-known and separately available network-investigation tools—including IP block, reverse DNS lookups, Ping, Traceroute, and Whois—using a common GUI that lets you easily feed one tool's results to another tool for further analysis. Sam Spade also provides spam-detection functionality, letting you analyze suspicious email headers and URLs.

Oldie but Goodie
You can find Sam Spade FAQs and a library of download links at http://www.samspade.org; the most recent Windows version of the suite, 1.14 (released December 1999), is available for download at http://static.samspade.org/ssw/spade114.exe. Although the tool's interface is a bit dated, it still works well. When you open the tool, you'll see a large blank window ringed by icons and input fields. Whenever you run a command in Sam Spade, the output pops up in a new window within the main program. You can easily jump between queries without having to scroll through a shell to find information. You can also customize most of the UI. For example, you can run your Whois queries in yellow and your IP block queries in cyan, letting you quickly spot the query you want when tracking lots of information.

To demonstrate Sam Spade's value, let's see how you might use the tool to investigate a phishing attack operating under the guise of a security email message from a bank. You might not investigate phishing email every day. But new threats are always developing, and understanding how to analyze components of an email message—especially an HTML message, whose nice layout can mask subversive underlying code—is an important skill for anyone responsible for a system's security.

Decoding a URL
In your phishing case, you first check the message for phishing characteristics by viewing the message's HTML source code. In the source code, you find a spoofed link to the bank Web site. These days, many phishing attacks obfuscate the URL to make it more difficult to identify a spoofed link. Sam Spade includes a feature to decode a URL. Although this feature doesn't unravel an obfuscated source, it does return the alias and IP addresses associated with a URL on the Internet.

For example, if you use Sam Spade's Decode URL tool to look up the URL http://www.microsoft.com, the tool confirms the canonical name as www.microsoft.com and returns the associated IP addresses. In fact, you'll see quite a few addresses, which is appropriate given Microsoft's size and business model. However, suppose the message allegedly from Microsoft contains a link to http://www.micros0ft.com. If you enter this URL in Decode URL, the tool confirms the alias because someone registered it as a domain name. But the tool returns only one IP address—which should set off alarm bells, because a large company likely has multiple Web gateways. Note that, as with any investigation, you need to use the tool's output together with your own experience and intuition to determine whether you're looking at legitimate or malicious activity.

Now, you can right-click the IP address Sam Spade returned to access a context-aware set of commands you can run against the address. Select IP block, and Sam Spade will tell you that the IP address associated with www.micros0ft.com is registered to Verizon Internet Services. It's doubtful that a company as large as Microsoft would use an ISP that serves residential and small business customers, adding to the evidence that micros0ft.com is a misleading Web site related to a phishing scam.

Analyzing Email Headers
Every email message includes Inter-net headers, which Sam Spade can parse to help you separate legitimate email from spam or phishing attacks. To use Microsoft Outlook to find the raw Internet headers, open an email message, select the View menu, then click Options. Next, select and copy the Internet headers. Switch to Sam Spade, click the Tools menu, then click Parse Email Headers. Paste the copied data into the dialog box that appears, and click the Parse button.

Sam Spade opens two new windows. The first window contains a color-coded analysis of the headers, which highlights useful information such as sender email address and domain and the IP address of the originating server. The second window is an email message containing a copy of the header, which you can send to an ISP abuse address. Sam Spade looks up the abuse email address (available from the ISP via its domain information records) and creates an email message for you; the tool even includes a set of predefined abuse email templates you can choose from, including Webhosting, clickthrough, dialup, dropbox, relay, and dns. You need only edit the email message and click Send.

A phishing message often spoofs the From address of a well-known domain. For example, some email senders route messages through their own domain or maybe their ISP's domain. Other companies hire third parties to send their email. But spoofing the IP address of the sending computer is much more difficult. Even if the phishing perpetrator uses a mail relay, the relay won't match the IP address associated with the domain in the email message's From address. Using email Internet header information, you can right-click the sending IP address (or resolved name) and select the Whois tool to perform additional analysis, as Figure 1 shows. (Note that the IP addresses in Figure 1 are whited out for privacy reasons.)

I used this feature, for example, to analyze an email message I received from eTrade, which came from a mail server named eppsuiron1.adp-ics.com. Sam Spade identified the server owner as ADP-BPS. I then searched for ADP-BPS and ADP-ICS in Google and found that ADP-ICS stands for Automatic Data Processing Investor Communication Services, a division of ADP's Brokerage Services Group. Everything checked out.

Sam Spade's most helpful feature is its context awareness. It can recognize Fully Qualified Domain Names (FQDNs) and IP addresses from any of its output windows. To investigate further, just right-click one of these objects and select from the several additional tasks. For example, after you parse the email headers, you can right-click the sender IP address and select IP block to learn more about the network owner of that IP address. All the tools in Sam Spade have context-aware menus, making it easier and quicker to investigate by using the bundled suite than by using each tool individually.

DNS and IP Lookup
I use Sam Spade predominately for its IP address lookup and DNS reverse lookup features. In the tool suite, right-click an FQDN or enter it into the main field, then click the Whois tool. Sam Spade returns reverse DNS lookup information from one of a variety of Whois sites. The tool bundle also includes the DNS lookup tools Dig and Nslookup.

Sam Spade color-codes its output, letting you easily scan for relevant information, such as organization name and host country. The tool also gives you information about a net-block (a block of consecutive IP addresses, aka a subnet) so that you can see whether the ISP is, for example, a large provider for a DSL or cable service or a provider for a single company. In addition, Sam Spade includes a rudimentary port scanner, an SMTP relay test tool, a blackhole lookup tool, and a Web site fetching tool similar to Wget.

On the Case
Sam Spade lets you easily run multiple commands to look for different pieces of information and further analyze the results by using the tool's context-aware menus. You can even configure the suite's logging to save all the interesting information you find during your investigations and copy it to another program or write it to a text file. Although spam, phishing, and other email threats continue to grow, you probably won't analyze even a fraction of the total email you receive. But when you do need to investigate a suspicious email message, Sam Spade is on the case.