WebProWorld
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

  #1 (permalink)  
Old 08-25-2004, 08:02 AM
John Currie's Avatar
WebProWorld Member
 
Join Date: Feb 2004
Location: South Africa
Posts: 65
John Currie RepRank 0
Default How to determine if email is being intercepted

I suspect that my emails are being intercepted and read. Is there a way I can find out if this is happening and what can I do about it?

I am using Eudora 6,1 as my email program.
__________________
Tinnitus | Meniere's Disease | Hyperacusis
  #2 (permalink)  
Old 08-25-2004, 11:41 AM
WebProWorld 1,000+ Club
 
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 1,527
mikmik RepRank 2mikmik RepRank 2
Default

First off, I would go to another computer and change all your passwords.
Then do scans for trojans and spyware. You may want to check for keyloggers and remote access trojans.

I am not that familiar with this sort of thing, but I will help look into it with you more.

Wen has a list of scans here: Free Scans and tools
  #3 (permalink)  
Old 08-25-2004, 04:38 PM
John Currie's Avatar
WebProWorld Member
 
Join Date: Feb 2004
Location: South Africa
Posts: 65
John Currie RepRank 0
Default

I have indeed done scans with Xoftspy and Spybot Search & Destroy which found lots, but I have become aware of possible email interception only today, after I have scanned and removed lots of stuff.
__________________
Tinnitus | Meniere's Disease | Hyperacusis
  #4 (permalink)  
Old 08-25-2004, 04:41 PM
John Currie's Avatar
WebProWorld Member
 
Join Date: Feb 2004
Location: South Africa
Posts: 65
John Currie RepRank 0
Default

Quote:
Originally Posted by mikmik
First off, I would go to another computer and change all your passwords.
Why should I go to another computer to change passwords?
__________________
Tinnitus | Meniere's Disease | Hyperacusis
  #5 (permalink)  
Old 08-25-2004, 06:10 PM
wenwilder's Avatar
WebProWorld Veteran
WebProWorld MVP
 
Join Date: Jul 2003
Location: Nebraska US
Posts: 942
wenwilder RepRank 3wenwilder RepRank 3wenwilder RepRank 3
Default

You'd change them on another computer to make sure they're not being stolen by a keylogger or other malware. The only thing is, you'd have to make sure the other computer was completely secure.

If there is a backdoor trojan, someone could be using your email to send out emails. Backdoors aren't just used to 'mess' with the computer user. They're used to do anything the person controlling it wants to do.
__________________
Forum Rules
"Cat washing IS a martial art."
"Remember Today IS Yesterdays Tomorrow"
  #6 (permalink)  
Old 08-26-2004, 07:49 AM
Nargule's Avatar
WebProWorld Member
 
Join Date: Nov 2003
Location: Gainesville, FL, USA, Earth, MilkyWay
Posts: 74
Nargule RepRank 0
Default Re: How to determine if email is being intercepted

Quote:
Originally Posted by John Currie
I suspect that my emails are being intercepted and read.
So what makes you suspect this?
__________________
Tom Corwine

Please review my site at http://www.santaslane.com?source=WebPro
and be sure to check out http://www.corwine.tv <--- It's fixed now.
  #7 (permalink)  
Old 08-26-2004, 05:45 PM
WebProWorld 1,000+ Club
 
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 1,527
mikmik RepRank 2mikmik RepRank 2
Default

Good question, Nargule, was wondering that myself.

Thanks wen, that is exactly why I suggested another computer.

I didn't add, however, that you might want to make a copy of your new passwords on a text file and copy that to a floppy disk.
Then, back at your computer, you can cut and paste them into the text input boxes for the passwords.
If you are sure that it is a keylogger you have. There are lots of trojans and hacker tools that can steal your passwords by reading them directly from your email client, browser, hard drive etc.
  #8 (permalink)  
Old 08-28-2004, 07:09 AM
John Currie's Avatar
WebProWorld Member
 
Join Date: Feb 2004
Location: South Africa
Posts: 65
John Currie RepRank 0
Default

I suspect my email is being intercepted because a prospective client contacted me via email enquiring about some of my products for his sister.

This was the first contact between our two companies. In his email to me he listed his sister's details including her telephone number but asked that I set up a time he could phone me to discuss this issue as his sister was over 70 and very frail.

I duly set up a time for him to telephone me.

The next communication I got from the client was to ask if I had given his sister's name out to someone using an 0800 number in the US.

His sister had been telephoned and pressured into buying a product. The caller said "John from South Africa" asked them to call.

I had nothing to do with that and I suspect that somehow his original email that contained his sister's details was intercepted.
__________________
Tinnitus | Meniere's Disease | Hyperacusis
  #9 (permalink)  
Old 08-28-2004, 05:21 PM
WebProWorld 1,000+ Club
 
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 1,527
mikmik RepRank 2mikmik RepRank 2
Default

I would say it is way more likely that there is something on your client's computer.
Here is something about a 'stealth redirector':
http://www.spywareguide.com/product_show.php?id=687

and how to check if your computer is infected with something (signs to watch for and steps to take for detection):
Quote:
So who do you know if you are being spied upon? We list the key points below on how to monitor your system and check for the signs of spy software.
http://www.spywareguide.com/txt_detect.html

Read this....
Quote:
The latest permutations of Spyware include the use of routines to mail out user activity via e-mail or posting information to the web where the spy can view it at their leisure. Also many spyware vendors use "stealth routines" and "polymorphic" (meaning to change" techniques to avoid detection and removal by popular anti-spy software. In some cases Spyware vendors have went as far as to counter-attack anti-spy packages by attempting to break their use. In addition they may use routines to re-install the spyware application after it has been detected.
...on this page of definitions:
Intro to Spyware

Here is a report on an FBI program called 'Carnivore' that has this:
Quote:
The point of all of this is to demonstrate how easy it is for your email to be seen by any number of people at any number of computers throughout the world. An email message is by no means private (unless, of course, it is encrypted, which means it is saved in a form that cannot be read except by the receiver)
http://www.mailmsg.com/carnivore.htm
And this called "How Private Is Your Email?" can show even more ways to get e-mail content.

That is why I want to know where the computers are, what environment they are installed in.
If they (yours or your client's) are part of a network, like at work (intranet), then there are many ways things can happen.

You both have to do a thorough job of checking your computers.
It would seem to me that this could be difficult because if networks are involved, lots of computers could be infiltrated or points of entry - weak points - and every computer would be suspect.

The best way to find out, after all the scans and probing, is to set a trap, and find out where the phone call comes from. Then the 'authorities' can help, and will be interested in doing so.

Stuff like this can take a lot more than a few anti-spyware scans to detect, because this can be sophisticated hacker stuff.

You may have to do a lot of detective work and start eliminating possibilities by setting traps...like having him send similar e-mails to another address and have you retrieve it using another computer or him sending from another computer, and many hackers also know how to watch for traps anyways.
The one saving grace here, is that whoever it is looks like they are unsophisticated enough to phone his sister and give themselves away.
It also may be coincidental that his sister got called after sending an email to you, they may have gotten info on her any number of ways, even using non computer spying methods.

There are a lot of possibilities here.

I recently spent several hundreds of dollars trying to find out how my computer was being compromised, and it still was a matter of some luck, and savvy observation, that allowed me to find out what was going on. One suspicious possible method of intrusion I strongly checked out and cleared later turned out to be the cause, but it was virtually impossible to locate and took buying new hardware and comparing what went on.
There are many possibilities that may have to be ruled out. It is unfortunate that certain hackers etc. can make life so difficult for others.

If you have more questions, I will try to help, and maybe there are more knowledgeable people than me around. If it is serious enough of a problem it may take some very specialized help.
I hope I am overlooking something simple, but from my own experiences, it seems that the possible causes are many.

I may be capable of helping you along the way if you have more questions. I found some interesting sites in my efforts, believe me :O)
  #10 (permalink)  
Old 08-29-2004, 06:06 AM
John Currie's Avatar
WebProWorld Member
 
Join Date: Feb 2004
Location: South Africa
Posts: 65
John Currie RepRank 0
Default

mikmik I must thank you for your efforts! You have indeed given much to think about. My PCs are on a W2K network, are firewall protected and just run Norton Antivirus. I am now also running F-Prot and Xoftspy which has cleaned up a lot. I did run HijackThis but do not have the technical knowhow to know what I saw.
Thanks again, I am going after this company. The problem is that the old lady cannot remember the 0800 number, we are hoping they call again soon as they promised to do.

I will post an update as soon as I learn more.
__________________
Tinnitus | Meniere's Disease | Hyperacusis
  #11 (permalink)  
Old 09-14-2004, 12:40 PM
lanlocked's Avatar
Administrator
 
Join Date: Jul 2004
Location: Ky., for now
Posts: 8
lanlocked has disabled reputation
Default Possibly a sniffer?

Another possibility is that there is a sniffer on your network. POP3 passwords are generally sent in plain text and there are a ton of sniffers that will collect usernames/passwords that are sent in plain text. This also applies to web-forms (non-ssl) amongst other things. If the person sniffing the network knows where your mail server is (IP address or FQDN) and has your login info, it is trivial to download all of your mail while leaving copies on the server (so that you would never know it had been looked at).
Reply With Quote
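An added example, not part of the original thread: a small audit of a POP3 session transcript from your own mail client that reports whether the login and the message download happened before any STLS upgrade, which is the exposure described in the post above. The transcripts, host name and function name are constructed for illustration; findings never echo the credential itself.

```python
import re

# Constructed POP3 transcripts ("C:" = client, "S:" = server); not real captures.
PLAINTEXT_SESSION = """\
S: +OK POP3 server ready
C: USER jdoe
S: +OK
C: PASS not-a-real-password
S: +OK 2 messages
C: RETR 1
S: +OK 1200 octets
C: QUIT
"""
STLS_SESSION = """\
S: +OK POP3 server ready
C: CAPA
S: +OK Capability list follows
S: STLS
S: .
C: STLS
S: +OK Begin TLS negotiation
"""

def audit_pop3_transcript(transcript):
    """Return ordered, de-duplicated findings about cleartext exposure."""
    findings, tls_started, awaiting_stls = [], False, False
    for line in transcript.splitlines():
        m = re.match(r"^([CS]):\s*(\S*)", line)
        if not m:
            continue
        role, word = m.group(1), m.group(2).upper()
        if role == "S":
            if awaiting_stls:            # STLS only counts if the server accepts it
                tls_started, awaiting_stls = word == "+OK", False
            continue
        if word == "STLS":
            awaiting_stls = True
        elif tls_started:
            continue                     # would not be visible on the wire anyway
        elif word in ("USER", "PASS"):
            findings.append(f"{word} sent in cleartext")
        elif word == "APOP":
            findings.append("APOP hides the password, but mail is still cleartext")
        elif word in ("RETR", "TOP"):
            findings.append(f"{word}: message content readable on the wire")
    return list(dict.fromkeys(findings))

if __name__ == "__main__":
    for finding in audit_pop3_transcript(PLAINTEXT_SESSION):
        print("FINDING:", finding)
```

Any finding means the mail client should be switched to POP3 over TLS (STLS, or the dedicated TLS port) and the mailbox password changed afterwards.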
  #12 (permalink)  
Old 09-15-2004, 06:21 PM
John Currie's Avatar
WebProWorld Member
 
Join Date: Feb 2004
Location: South Africa
Posts: 65
John Currie RepRank 0
Default

So how can I check for a sniffer on the network?
__________________
Tinnitus | Meniere's Disease | Hyperacusis
  #13 (permalink)  
Old 09-16-2004, 12:45 AM
WebProWorld 1,000+ Club
 
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 1,527
mikmik RepRank 2mikmik RepRank 2
Default

Here are many network forensics tools:
http://www.treachery.net/tools/

http://foundstone.com/ also has a deadly array of forensic tools. They are free as well, for now anyways. They just got bought out by McAfee.
Look under resources and then free tools.