hackingz

More Info
  • pg 1
EMAIL TRACING
1.    HOW TO TRACE A RECEIVED E-MAIL?
E-mail on the internet is carried by a small set of protocols:
     1. Simple Mail Transfer Protocol (SMTP, port 25; port 587 for client submission) moves a message from the sender's client to its mail server and from one mail server to the next.
     2. Post Office Protocol (POP3, port 110) and IMAP (port 143) let the recipient's client fetch the message from the final mail server.
The Received: headers that this tutorial relies on are written by SMTP servers, so the SMTP leg is the one that leaves a trail. Tracing a received e-mail back toward its origin is one of the basic techniques of e-mail forensics and is discussed below.
     Generally, the path taken by an email while travelling from sender to receiver can
be explained by the following diagram.

[Diagram of the sender-to-receiver path: not reproduced in this copy]
    The most effective and easiest way to trace an email is to analyze its headers.
      Sometimes it is necessary to trace the origin of an email, for example to find out
which server actually submitted a piece of spam. In this tutorial we will learn how to
trace an email from its headers.


2.    EMAIL STRUCTURE
An email consists of three vital components: the envelope, the header(s), and the body
of the message. The envelope is the addressing exchanged between mail servers during the
SMTP conversation (the MAIL FROM and RCPT TO commands); a user never sees it directly,
although the receiving server usually records it as the Return-Path: header and in the
"for" clause of its Received: line. The body is the part that we always see, as it is
the actual content of the message. The header(s), the third component of an email, is
perhaps a little more difficult to explain, though it is arguably the most interesting
part of an email for tracing purposes.

2.1. Email Header
In an e-mail, the body (content text) is always preceded by header lines that identify
particular routing information of the message, including the sender, recipient, date and
subject. Only two headers are strictly mandatory, FROM and DATE; TO is almost always
present but is not required, and others such as SUBJECT and CC are optional but very
commonly used. Other headers include the sending time stamps and the receiving time
stamps of all mail transfer agents that have handled the message. In other words, any
time a message is transferred from one server to another (when it is sent, relayed or
forwarded), the message is date/time stamped by a mail transfer agent (MTA), the program
that moves email from one computer to another. This date/time stamp, like FROM, TO, and
SUBJECT, becomes one of the many headers that precede the body of an email.
    To really understand what an email header is, you must see one. Here is an
example of a full email header*:

Return-Path: <example_from@dc.edu>
X-SpamCatcher-Score: 1 [X]
Received: from [136.167.40.119] (HELO dc.edu)
  by fe3.dc.edu (CommuniGate Pro SMTP 4.1.8)
  with ESMTP-TLS id 61258719 for example_to@mail.dc.edu; Mon, 23 Aug 2004 11:40:10 -0400
Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 23 Aug 2004 11:40:36 -0400
From: Taylor Evans <example_from@dc.edu>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Jon Smith <example_to@mail.dc.edu>
Subject: Business Development Meeting
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

* The Received: headers should always be read from bottom to top: each server adds its
line above the ones already there, so the bottom line is the oldest.
     Fortunately, most of this information is hidden inside the email, with only the most
relevant or mandatory headers appearing to the user. The headers we most often see and
recognize in the example above are From:, To:, Date: and Subject:.

2.1.1. How do I get the Header to Start the Trace Email Process?
Each electronic messaging program will vary as to how you get to the message options.
I'll cover the basics to start the trace...the rest is up to you.
       Outlook: Right click the message while it's in the inbox and choose Message
       Options. A window will open with the headers in the bottom of the window.
       Windows Live: Right click the correspondence while it's in the inbox, choose
       Properties, then click the Details tab.
       Gmail: Open the correspondence. In the upper right corner of the email you'll see
       the word Reply with a little down arrow to the right. Click the down arrow and
       choose Show Original.
       Hotmail: Right click the memo and choose View Message Source.
       Yahoo!: Right click the note and choose View Full Headers.
       AOL: Click Action and then View Message Source.
You can see that no matter the program, the headers are usually just a right click away.

2.1.2. Header Characteristics
A single email header has some important characteristics, including perhaps the most
important part of an email: the KEY: VALUE pairs it is made of. Looking at the example
above, you can tell some of the KEY: VALUE pairs used. Here is a breakdown of the most
commonly used and viewed headers, and their values:
       From: the sender's name and email address, as supplied by the sending software
       (the sender's IP address is not in this header; if it is recorded at all, it is
       in the Received: lines or in X-Originating-IP:)
       To: recipient's name and email address
       Date: sent date/time of the email, as set by the sender's mail program
       Subject: whatever text the sender entered in the Subject heading before sending

2.1.3. Headers Provide Routing Information
Besides the most common identifications (from, to, date, subject), email headers also
provide information on the route an email takes as it is transferred from one computer
to another. As mentioned earlier, mail transfer agents (MTAs) handle these transfers.
Each time an MTA accepts the message from another machine it prepends a Received: line
stamped with the date and time, the host it got the message from and, usually, the
recipient it is delivering for. This is why a message that has passed through several
servers has several Received: headers: one per hop, not one per recipient. In a way it
is much like the way the post office routes a letter: every time the letter passes
through a post office on its route, or is forwarded on, it receives a stamp. In this
case the stamp is a header line.
     When viewed in their entirety, these Received: headers will look like this in an
email:


Received: from tom.wrath.dc.uk ([138.38.32.21] ident=yalrla9a1j69szla2ydr)
  by steve.wrath.dc.uk with esmtp (Exim 3.36 #2) id 19OjC3-00064B-00
  for example_to@imaps.bath.dc.uk; Sat, 07 Jun 2003 20:17:35 +0100

Received: from write.example.com ([205.206.231.26])
  by tom.wrath.dc.uk with esmtp id 19OjBy-0001lb-3V
  for example_to@bath.ac.uk; Sat, 07 Jun 2003 20:17:30 +0100

Received: from master.example.com (lists.example.com [205.206.231.19])
  by write.example.com (Postfix) with QMQP
  id F11418F2C1; Sat, 7 Jun 2003 12:34:34 -0600 (MDT)

      In the example shown above, there are three Received: stamps. Reading from the
bottom upwards, you can see which server handled the message first, next and last, and
when. Every MTA that processed the message added a Received: line to the top of the
header, so together the lines record where the message originated and what stops it made
(which computers) before reaching its final destination. Each line names the sending
host and its IP address as seen by the receiving server, the receiving server itself,
the envelope recipient (the "for" clause) and the date and time of the transfer. The
host name lists.example.com in the bottom line also hints that the message came through
a mailing list. It is this information that mail administrators rely on when tracking
and stopping spam, and it is this information that arguably makes headers the most
important part of an email.

2.1.4. So Let's Interpret Some Email Headers
First, there's the challenge of even getting to the real email headers. In Hotmail they're
apparently always visible. In Outlook, they're hidden by default, so with the message
open, click on View, and then Options, and you'll see a box labeled Internet Headers. In
Thunderbird, you can expand or collapse the headers by clicking on a simple control
next to the subject line.
In any case, headers typically look something like this:
Return-Path: <lnotenboom@hotmail.com>
Delivered-To: 1-leo-clean_nospam@pugetsoundsoftware.com
Received: (qmail 13384 invoked by uid 110); 13 May 2005 21:33:53 -0000
Delivered-To: 1-leo_nospam@pugetsoundsoftware.com

Received: (qmail 13380 invoked from network); 13 May 2005 21:33:53 -0000
Received: from bay107-f18.bay107.hotmail.com (HELO hotmail.com) (64.4.51.28)
by pugetsoundsoftware.com with SMTP; 13 May 2005 21:33:53 -0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Fri, 13 May 2005 14:33:53 -0700
Message-ID: <BAY107-F18247D6C6473F92CC602D8D2120@phx.gbl>
Received: from 64.4.51.220 by by107fd.bay107.hotmail.msn.com with HTTP;
Fri, 13 May 2005 21:33:52 GMT
X-Originating-IP: [64.4.51.220]
X-Originating-Email: [lnotenboom@hotmail.com]
X-Sender: lnotenboom@hotmail.com
From: "Leo Notenboom" <lnotenboom@hotmail.com>
To: leo_nospam@pugetsoundsoftware.com
Bcc:
Subject: Example Email
Date: Fri, 13 May 2005 14:33:52 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 13 May 2005 21:33:53.0097 (UTC) FILETIME=[75980390:01C55803]
     Now yours may look a lot different. It may be longer or shorter, or have additional
information, or less. But the basic idea is that there's a lot of information in the headers
that has to do with the administration of getting the email from the sender to the
receiver.
     A detailed reference is more than I can present here, and quite honestly, probably
more than you need. But let's examine the headers above a little more closely, since it's a
good example of a "normal" email message. They are from a message I sent to my
regular email account from my Hotmail account.
    A good rule of thumb is to begin at the bottom and work your way up in the
headers. That'll make more sense in just a minute. Working from the bottom:
       X-OriginalArrivalTime: is the time the message was submitted to Hotmail ... in
       other words, the time I pressed "Send". Headers that begin with "X-" are "non
       standard", and may not be used by all mailers. They're often just informational.
       Note also the date and time: 13 May 2005 21:33:53.0097 (UTC). The "(UTC)"
       means that the time is recorded in "Coordinated Universal Time", for everyday
       purposes the same as Greenwich Mean Time or GMT. Since I'm in the Pacific time
       zone, and daylight saving time is in effect, that means I sent it at roughly
       2:33 PM PDT.
       Content-Type: is how the mailers tell each other what the format of the mail is:
       plain text, as this example is, or HTML, or something else.
       Mime-Version: "MIME" stands for Multipurpose Internet Mail Extensions, and is
       the formatting standard most often used to encode attachments and alternate
       representations in a single email.
       Date: This is the more common place you'll find the date and time that the
       message was sent. This is added by the sending mailer, and is commonly used by
       your email client as the "Sent Date". Note that the time is given as local
       time (2:33 PM) plus an offset (-0700, i.e. 7 hours) from UTC. PDT is 7 hours
       behind UTC as I write this. Subtract the offset (and remember that subtracting
       a negative offset means to add it), and you'll get the equivalent 21:33 UTC.
       Subject: As you'd expect, the subject of the email as you typed it.
       Bcc: To be honest, I'm not sure why Hotmail includes this here, as they strip out
       any BCC'd recipients. BCC is supposed to be stripped from email completely
       before it is sent.
       To: Again, as you'd expect, the list of recipient email addresses that this message
       is addressed to. What most people don't realize is that the To: line doesn't define
       who the email actually goes to; delivery is driven by the recipient addresses given
       in the SMTP envelope (RCPT TO), while the To: line simply lists who the mailer
       claims it is going to. A virus, for example, can easily create a mail message
       that has bogus addresses in the To: line, and then send the mail to someone else
       entirely. That's known as "spoofing".
       From: Just like To:, the "From:" address shows you from whom the mail was
       supposedly sent. And also like "To:", it's very easy for the spammers and virus
       writers to spoof the From: address to be pretty much anything they want.
       X-Sender: is another representation of the address the email originated from, but
       like all "X-" headers, is optional and not universally used or recognized.
       "X-Sender", and the similar "Sender:", are supposed to indicate the sender of the
       email, which might be an intermediary. For example, if you send mail to a
       mailing list, the mail might be "From:" you, but the mailing list software might be
       the "Sender:" to everyone else who receives it.
       X-Originating-Email: another representation of the sender of the email. Some
       mailers add this as a precaution against those who spoof the "From:" line.
       X-Originating-IP: The IP address of the computer on which the email originated.
       Once again, an optional and informational "X-" header. In this case, the IP
       address is one of Hotmail's servers.
       Received: Herein lies the gold. I'll get into more detail on that below.
       Delivered-To: is added by the receiving mail server when it finally delivers the
       email to a specific email alias or mailbox. In my case, I have my mailer
       configured to deliver my mail to two separate mailboxes: one with, and one
       without, spam filtering.
       Return-Path: is the address that the email, if it fails to be delivered, should be
       bounced back to. It is the SMTP envelope sender (MAIL FROM) as recorded by the
       receiving server, which is why it can differ from the From: line.
      The series of "Received" headers are the trail that tells us from where the message
was sent, and along what path or series of servers it traveled across the internet. And
this is why we started at the bottom, as each mail server adds a received header to the
top.
     In the first one we can see that a Hotmail server "by107fd.bay107.
hotmail.msn.com" got the message from the server at "64.4.51.220". In this case it lists an
IP address only, since there is apparently no name associated with the server at that
address. Since this is Hotmail, and I'm certain that Hotmail has many, many servers, it's
not surprising that they might not give all of them a name on the internet.
      Further up the header we can see that it left "bay107-f18.bay107.hotmail.com" and
was then received by "pugetsoundsoftware.com", my mail server. Note that this line
also includes a couple of interesting bits of information:
       (HELO hotmail.com): this is part of the SMTP mail protocol where the server
       identifies itself while connecting. Basically, it's saying "Hello, I'm Hotmail.com"
       when it initiates the transfer of mail to the next server to receive it. The receiving
       server logs this information as part of the "Received" header it adds.
       (64.4.51.28): this is the IP address of the server making the connection.
     As part of spam prevention and server authentication, a mail server may elect to
ensure that all three of these pieces of information match: the IP address reported
matches the server name reported (via its reverse DNS, or PTR, record), which in turn
should match the end of the HELO string. In practice, the internet is a little too fast
and loose for that to be a reliable gauge of authenticity ... too many legitimate servers
are not configured to report the right information for that check to always be valid.
Receivers today lean instead on SPF, DKIM and DMARC, which check the connecting IP
address and a cryptographic signature against records the sending domain publishes in
DNS; the verdict is written into an Authentication-Results: header, which is worth
reading before trusting anything else in the message.
     Another interesting use of the Received headers is to determine where a delay may
have occurred in transferring the mail. Since each is time-stamped, it's quickly apparent
where a message may have been held up.
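The following Python script is an added example, not code from the original tutorial. It does mechanically what section 2.1.3 and the paragraphs above describe by hand: it pulls every Received: line out of a raw message with the standard library's email parser, reverses them so the oldest hop comes first, extracts the sending host, HELO name, IP address and receiving host from each, normalises every timestamp to UTC, reports the delay between consecutive hops, and applies the loose HELO-versus-hostname sanity check discussed above. RAW_MESSAGE is a constructed sample built from the Hotmail headers quoted earlier (body omitted); the function names are my own.

```python
"""Walk a message's Received: chain oldest hop first and time each hop.

Added example for this tutorial; standard library only. RAW_MESSAGE is a
constructed sample based on the Hotmail-to-pugetsoundsoftware.com headers
quoted in the text (body omitted).
"""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

RAW_MESSAGE = """\
Return-Path: <lnotenboom@hotmail.com>
Delivered-To: 1-leo-clean_nospam@pugetsoundsoftware.com
Received: (qmail 13384 invoked by uid 110); 13 May 2005 21:33:53 -0000
Delivered-To: 1-leo_nospam@pugetsoundsoftware.com
Received: (qmail 13380 invoked from network); 13 May 2005 21:33:53 -0000
Received: from bay107-f18.bay107.hotmail.com (HELO hotmail.com) (64.4.51.28)
  by pugetsoundsoftware.com with SMTP; 13 May 2005 21:33:53 -0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
  Fri, 13 May 2005 14:33:53 -0700
Message-ID: <BAY107-F18247D6C6473F92CC602D8D2120@phx.gbl>
Received: from 64.4.51.220 by by107fd.bay107.hotmail.msn.com with HTTP;
  Fri, 13 May 2005 21:33:52 GMT
X-Originating-IP: [64.4.51.220]
From: "Leo Notenboom" <lnotenboom@hotmail.com>
To: leo_nospam@pugetsoundsoftware.com
Subject: Example Email
Date: Fri, 13 May 2005 14:33:52 -0700

(body omitted)
"""

# A dotted quad that is not part of a longer dotted token (e.g. a host name).
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_received(value):
    """Turn one Received: header value into a hop dict.

    from_host / helo / from_ip / by_host are None when the clause is absent,
    as in qmail's local '(qmail NNN invoked ...)' lines. The timestamp is the
    text after the final ';', returned as an aware UTC datetime.
    """
    text = re.sub(r"\s+", " ", value).strip()      # unfold continuation lines
    clause, _, stamp = text.rpartition(";")
    when = parsedate_to_datetime(stamp.strip())
    if when.tzinfo is None:                         # '-0000' parses as naive
        when = when.replace(tzinfo=timezone.utc)
    hop = {"from_host": None, "helo": None, "from_ip": None, "by_host": None,
           "when": when.astimezone(timezone.utc)}
    m = re.search(r"\bfrom\s+(.+?)\s+by\s+(\S+)", clause, re.IGNORECASE)
    if m:
        from_clause, hop["by_host"] = m.group(1), m.group(2)
        hop["from_host"] = from_clause.split("(")[0].strip()   # name before any (...)
        helo = re.search(r"\(HELO\s+([^)\s]+)\)", from_clause, re.IGNORECASE)
        hop["helo"] = helo.group(1) if helo else None
        ip = IPV4.search(from_clause)
        hop["from_ip"] = ip.group(1) if ip else None
    return hop


def received_chain(raw_message):
    """All hops, oldest first: every MTA prepends its line, so reverse header order."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def hop_delays(hops):
    """Seconds spent between consecutive hops; a large value shows where mail sat."""
    return [int((b["when"] - a["when"]).total_seconds())
            for a, b in zip(hops, hops[1:])]


def helo_consistent(hop):
    """The loose check from the text: does the HELO name end the host name the
    sender gave? No DNS here; a full check also compares the PTR record of
    from_ip (socket.gethostbyaddr) with from_host. None means nothing to compare."""
    if not (hop["helo"] and hop["from_host"]):
        return None
    return hop["from_host"].lower().endswith(hop["helo"].lower())


if __name__ == "__main__":
    chain = received_chain(RAW_MESSAGE)
    for i, (hop, wait) in enumerate(zip(chain, [0] + hop_delays(chain)), 1):
        print(f"{i}. +{wait:>3}s  {hop['from_host'] or '(local)':<32} "
              f"ip={hop['from_ip']!s:<12} -> {hop['by_host'] or '(local)'}  "
              f"{hop['when']:%Y-%m-%d %H:%M:%S}Z  helo_ok={helo_consistent(hop)}")
```

Run it as a script to print one line per hop, oldest first. Three details are worth noticing: the two qmail lines carry no from/by clause and come out as local hand-offs; a "-0000" zone is parsed as a naive datetime by the standard library and has to be pinned to UTC explicitly before hops can be compared; and the HELO check here is only the string comparison, since the reverse-DNS part needs a live lookup and, as the text warns, fails for many legitimate servers.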
     Now let’s look at the headers of some SPAM I recently received:
Return-Path: <fake@fakecompany.com>
Delivered-To: 1-leo-clean_nospam@pugetsoundsoftware.com
Received: (qmail 19652 invoked by uid 110); 14 May 2005 20:03:05 -0000
Delivered-To: 1-leo_nospam@pugetsoundsoftware.com
Received: (qmail 19649 invoked from network); 14 May 2005 20:03:05 -0000
Received: from fake.pittpa.adelphia.net (**.**.198.208)
by pugetsoundsoftware.com with SMTP; 14 May 2005 20:03:05 -0000
Received: from desk.fakemailer.com
by qdam.eiynwr.com with SMTP; Sat, 14 May 2005 13:03:09 -0800
Message-ID: <BKELLDAGKABIOCHDFD567DGAA.fake@fake.it>
From: "Fake Name" <fake@fakecompany.com>
To: leo_nospam@pugetsoundsoftware.com
Subject: Fast solution to your problems in a bed!
Date: Sat, 14 May 2005 13:03:09 -0800

MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--DELPHI7551932757739836KN"
[Note: everything that says "fake" is something I changed to anonymize this example.
Someone's real email address and real company domains were used in the original.]
     There are several interesting things about these headers:
      The "Message-ID:" references an account at a domain in Italy.
      The first "Received:" header references "desk.fakemailer.com" - fakemailer
      appears to be a legitimate business involved in bulk email technologies based in
      New York state.
      That header also references "qdam.eiynwr.com" - a domain that doesn't appear to
      exist.
      The next header appears to receive the message from "fake.pittpa.adelphia.net",
      which from the name would indicate a Pittsburgh, PA node of adelphia.net.
      The "From:" line indicates yet a third party, fakecompany.com. On the surface
      this company, in New York City, appears to be unrelated to any aspect of the
      message, though I could be wrong.
   The kicker is that the links for the products being sold by this email all go to a
domain registered in Bulgaria.
     So what to make of it all? It is possible that the originating computer,
desk.fakemailer. com, is, in fact, sending out spam on purpose. It's also possible that
this machine has been infected with a virus, and is sending out spam without realizing
it. And yet another scenario is that the machine is not involved at all, and that
spammers in Bulgaria have spoofed the headers of the originating machine (using the
company’s role in the bulk email business to confuse and obfuscate the issue).
      And therein lies the problem with SPAM and why there's no simple solution.
Email headers cannot be trusted, and not all email can be traced or authenticated.
Legitimate mail typically can be traced, but for SPAM and virus-generated email it's
difficult to say that the headers are absolutely trustworthy.
     But it's interesting information, nonetheless.
      Now you have the IP address of the sender's mail server and of the intermediate
servers. All that remains is to look up those IP addresses for the rest of the information:

2.2. Tracking the Location of an Originating IP Address
Suppose the originating IP address pulled out of the bottom Received: line is
72.204.154.191 (the address used in this example). Let's find out where that is! You can
do this by performing a location lookup on the IP address. My favorites are
http://www.ip2location.com/free.asp and http://www.geobytes.com/IpLocator.htm.



     GeoBytes gave me a big map of New Orleans, LA along with a bunch of other
information about the location itself.




     IP2Location also gave me the same information pretty much, including the ISP
(Cox Communications). Of course, this is correct since I live in New Orleans!
     If you want more information, you can also do a WHOIS database search. My
favorite one is the http://www.arin.net/whois/ . ARIN covers North America; other regions
are served by RIPE, APNIC, LACNIC and AFRINIC, and all of them expose the same data in
machine-readable form over RDAP. This will tell you which organization the address block
is allocated to, usually the ISP rather than the individual subscriber, along with its
registration and abuse contacts. Geolocation databases are approximate, so the WHOIS
record is the more reliable of the two; you can always contact the abuse address to try
and find more information on that particular IP address.
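As an added example (not from the original tutorial), the script below covers the two checks that should precede the lookups just described: it refuses to look up addresses that are not globally routable (a 10.x or 192.168.x hop in the Received: chain is an internal relay, not the sender), builds the query URL for ARIN's RDAP service (the machine-readable successor to the WHOIS form linked above), and extracts the network range, registrant and abuse contact from an RDAP answer. ARIN_RDAP is a constructed, abbreviated response in the shape RDAP (RFC 9083) returns; its handle, name, addresses and contacts are made up for the example, and the function names are mine. Nothing here touches the network; fetching the real JSON with urllib is left to the reader.

```python
"""Vet an originating IP before looking it up, and read an RDAP answer.

Added example for this tutorial; standard library only. ARIN_RDAP below is a
constructed, abbreviated RDAP 'ip network' object: every value in it is
illustrative, not a real registration.
"""
import ipaddress
import json

RDAP_BASE = "https://rdap.arin.net/registry/ip/"   # ARIN's public RDAP endpoint


def is_traceable(addr):
    """True only for a globally routable unicast address worth looking up.
    RFC 1918, loopback, link-local and reserved ranges are internal hops."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def rdap_url(addr):
    """URL to fetch (e.g. with urllib) for the network that contains addr."""
    if not is_traceable(addr):
        raise ValueError(f"{addr} is not a public address; it is an internal hop")
    return RDAP_BASE + str(ipaddress.ip_address(addr))


# Constructed sample in RDAP shape; handle, name, range and contacts are made up.
ARIN_RDAP = json.loads("""
{
  "objectClassName": "ip network",
  "handle": "NET-EXAMPLE-1",
  "startAddress": "198.51.100.0",
  "endAddress": "198.51.100.255",
  "ipVersion": "v4",
  "name": "EXAMPLE-ISP-CUSTOMER-NET",
  "country": "US",
  "entities": [
    {"objectClassName": "entity", "handle": "EXAMPLE-ORG",
     "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example ISP, Inc."]]]},
    {"objectClassName": "entity", "handle": "EXAMPLE-ABUSE",
     "roles": ["abuse"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Abuse Desk"],
                              ["email", {}, "text", "abuse@example.net"]]]}
  ]
}
""")


def _vcard_field(entity, name):
    """First value of a jCard property (fn, email, ...) inside an RDAP entity."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None


def summarize_rdap(obj):
    """Pull the facts a header trace needs out of an RDAP ip-network object."""
    start = ipaddress.ip_address(obj["startAddress"])
    end = ipaddress.ip_address(obj["endAddress"])
    cidrs = [str(n) for n in ipaddress.summarize_address_range(start, end)]
    summary = {"handle": obj["handle"], "name": obj.get("name"),
               "country": obj.get("country"), "cidrs": cidrs,
               "registrant": None, "abuse_email": None}
    for ent in obj.get("entities", []):
        roles = ent.get("roles", [])
        if "registrant" in roles:
            summary["registrant"] = _vcard_field(ent, "fn")
        if "abuse" in roles:
            summary["abuse_email"] = _vcard_field(ent, "email")
    return summary


def network_holds(summary, addr):
    """Does the returned block actually contain the address we asked about?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in summary["cidrs"])


if __name__ == "__main__":
    for candidate in ("72.204.154.191", "192.168.1.23", "10.0.0.5"):
        print(candidate, "public" if is_traceable(candidate) else "internal hop, skip")
    print("query:", rdap_url("72.204.154.191"))
    info = summarize_rdap(ARIN_RDAP)
    print(info)
    print("block covers 198.51.100.77:", network_holds(info, "198.51.100.77"))
```

The range check at the end matters because RDAP and WHOIS return the most specific registered block, which may be a customer sub-allocation rather than the ISP's parent block; confirming that the block actually contains the address you asked about guards against reading the wrong record. The abuse contact, not the registrant, is who to write to.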



