Emails - cox.net

Document Sample
Emails - cox.net Powered By Docstoc
					Emails


Reading eMail Headers
Internet e-mail system

(figure: mail servers, e.g. sendmail, procmail etc., exchange messages with each other over SMTP; user agents, e.g. Outlook, Eudora, Pine etc., talk to their own mail server over HTTP / SMTP, POP3 / SMTP or IMAP / SMTP)

User Agents

• a.k.a. mail reader
• Composing, editing, reading mail messages
    - e.g., Eudora, Outlook, elm, Netscape Messenger
• Outgoing, incoming messages stored on server
Mail Servers
• mailbox contains incoming messages for                user
  user                                                 agent
                                               mail
• message queue of outgoing (to be sent)      server
                                                                          user
                                                                         agent
  mail messages
• SMTP protocol between mail servers to                 SMTP     mail
  send email messages                                           server      user
                                             SMTP                          agent
   - Sender side mail server is the client
   - Receiving side mail server is the                  SMTP
                                               mail                       user
       server                                 server                     agent


                                                         user
                                                        agent         outgoing
                                                user             message queue
                                               agent
                                                                  user mailbox
Alice sends message to Bob

• Alice composes email message; provides Bob’s email address to her user-agent
• Alice’s user-agent uses SMTP client connection to push message to a SMTP server on Alice’s mail server
• Alice’s mail server queues up message for a suitable time to deliver
• Alice’s email server creates a TCP based SMTP client connection to an SMTP server running on Bob’s mail server. Sends Alice’s email to Bob’s mail server.
• Bob’s mail server queues up message to be picked up by Bob at a suitable time
• Bob’s user-agent uses a client POP3/IMAP/HTTP connection to Bob’s mail server
• Bob uses his user-agent to retrieve email message
Email message format

SMTP: protocol for exchanging email msgs
RFC 822: standard for text message format:
• header lines, e.g.,
     - To:
     - From:
     - Subject:
     different from SMTP commands!
• body
     - the “message”, ASCII characters only

(figure: a message is the header lines, then a blank line, then the body)
Email headers

• Every received email message will have a header
• Header lines are added by entities (email tools, user-agents, email servers) as
  they store and forward email messages
• The header lines are a series of text lines
    - Syntax Header-Name: Header-Value
    - If a line starts with a “tab” character or a “space” then that line is a continuation of
      previous header-value
Email header

    Date: Wed, 16 Jun 2004 12:34:49 +0200
    From: Marta Oliva <oliva@eps.udl.es>
    To: Dr. Indrajit Ray <indrajit@CS.ColoState.EDU>
    Subject: Re: Registration to the 18th Annual IFIP WG 11.3 WC on Data and
      Application Security, 2004
Email header (full)
 Received: from mailr3.udl.es (mailr3.udl.es [193.144.10.36])
              by chico.cs.colostate.edu (8.12.10/8.12.9) with ESMTP id i5GAYmvN008288
              for <indrajit@CS.ColoState.EDU>; Wed, 16 Jun 2004 04:34:50 -0600 (MDT)
 Received: from eps.udl.es (fermat.udl.net [10.50.54.28])
              by mailr3.udl.es (8.11.6/8.11.6) with ESMTP id i5GAYga31371
              for <indrajit@CS.ColoState.EDU>; Wed, 16 Jun 2004 12:34:42 +0200
 Received: from eps.udl.es by eps.udl.es (8.8.8+Sun/SMI-SVR4)
              id MAA22736; Wed, 16 Jun 2004 12:34:40 +0200 (MET DST)
 Message-ID: <40D02249.6090105@eps.udl.es>
 Date: Wed, 16 Jun 2004 12:34:49 +0200
 From: Marta Oliva <oliva@eps.udl.es>
 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
 X-Accept-Language: en-us, en
 MIME-Version: 1.0
 To: "Dr. Indrajit Ray" <indrajit@CS.ColoState.EDU>
 Subject: Re: Registration to the 18th Annual IFIP WG 11.3 WC on Data and Application
               Security, 2004
 References: <40CDD679.3060008@eps.udl.es>
               <Pine.GSO.4.58.0406151344360.18975@salieri.cs.colostate.edu>
 In-Reply-To: <Pine.GSO.4.58.0406151344360.18975@salieri.cs.colostate.edu>
 Content-Type: text/plain; charset=us-ascii; format=flowed
 Content-Transfer-Encoding: 7bit
Displaying email headers

• You can instruct most email programs to display the full header
    -   In Eudora: Click the Blah Blah Blah button.
    -   In Netscape: Select: View->Headers->All
    -   In Outlook: Select: View->Options
    -   In Pine: Type H. (Requires the enable-full-header-cmd feature.)
    -   In WebMail: Click the Options button, then select "Show message headers in body of
        message" and click OK.
Generation of email headers (1)

(figure: the message travels salieri.cs.colostate.edu, chico.cs.colostate.edu, mailhost.isse.gmu.edu, pinky.isse.gmu.edu)

     From: alice@cs.colostate.edu (Alice The Great)
     To: bob@isse.gmu.edu
     Date: Fri, 18 Jun 2004 10:22:55 -0600 (MDT)
     X-Mailer: Pine v2.32
     Subject: Conference call today?

Header generated by Alice’s user agent and handed off to chico.cs.colostate.edu
Generation of email headers (2)

(figure: the message travels salieri.cs.colostate.edu, chico.cs.colostate.edu, mailhost.isse.gmu.edu, pinky.isse.gmu.edu)

     Received: from salieri.cs.colostate.edu (salieri.cs.colostate.edu [129.82.45.76] by
                 chico.cs.colostate.edu (8.12.10/8.12.9) id i5IGMtv0004345
     From: alice@cs.colostate.edu (Alice The Great)
     To: bob@isse.gmu.edu
     Date: Fri, 18 Jun 2004 10:22:55 -0600 (MDT)
     Message-ID: <Pine.GS0.4.58.0406181022460@salieri.cs.colostate.edu>
     X-Mailer: Pine v2.32
     Subject: Conference call today?

Header fields added by chico.cs.colostate.edu as it transmits the message to mailhost.isse.gmu.edu
Generation of email headers (3)

(figure: the message travels salieri.cs.colostate.edu, chico.cs.colostate.edu, mailhost.isse.gmu.edu, pinky.isse.gmu.edu)

     Received: from chico.cs.colostate.edu (chico.cs.colostate.edu [129.82.45.30]) by
                 mailhost.isse.gmu.edu (8.8.5/8.7.2) with ESMTP id LAA20869 for
                 <bob@isse.gmu.edu>; Fri, 18 Jun 2004 12:24:24 -0400 (EDT)
     Received: from salieri.cs.colostate.edu (salieri.cs.colostate.edu [129.82.45.76] by
                 chico.cs.colostate.edu (8.12.10/8.12.9) id i5IGMtv0004345
     From: alice@cs.colostate.edu (Alice The Great)
     To: bob@isse.gmu.edu
     Date: Fri, 18 Jun 2004 10:22:55 -0600 (MDT)
     Message-ID: <Pine.GS0.4.58.0406181022460@salieri.cs.colostate.edu>
     X-Mailer: Pine v2.32
     Subject: Conference call today?

Added by mailhost.isse.gmu.edu after it has received and finished processing the email for Bob to pick up
Examining email headers

• The most important header field for email tracing purposes is the Received
  header line(s)
• Syntax
    Received: from ? by ? via ? with ? id ? for ? ; date-time
    - where from, by, via, with, id, and for are tokens, each followed by its
      value, within a single header value
    - Not all tokens will have values all the time
Examining Received header

• We are interested in the from and by tokens in the Received header field
    - from    name (dns-name [ip-address])

         Received: from chico.cs.colostate.edu (chico.cs.colostate.edu [129.82.45.30])

This piece of mail was received from a machine calling itself (name) chico.cs.colostate.edu,
which is really named (dns-name) chico.cs.colostate.edu
and has the IP address ([ip-address]) 129.82.45.30

Single most important piece of information for tracing email
Examining Received headers (2)

    - by    receiving-host-name (software version number)

         by mailhost.isse.gmu.edu (8.8.5/8.7.2)

The machine that received the email was (receiving-host-name) mailhost.isse.gmu.edu
It’s running a software with version (software version number) 8.8.5/8.7.2
    - by default the software is sendmail
Examining Received headers (3)

    - with (protocol) ID (server-assigned-id)

         with ESMTP ID LAA20869

The machine that received the mail was running (protocol) ESMTP
The machine assigned the identifier number (server-assigned-id) LAA20869
    - the system administrator needs to have this ID number to look up the message
      in the machine’s log files; there is no other use for this ID number
Examining Received headers (4)

    - for (<recipient’s email address>);

         for <bob@isse.gmu.edu>;

The email was addressed to (<recipient’s email address>) bob@isse.gmu.edu
Note: this header is not related to the email address provided in the To: header line

    - date-time

         Fri, 18 Jun 2004 12:24:24 -0400 (EDT)

This mail transfer (from chico.cs.colostate.edu to mailhost.isse.gmu.edu) occurred on
Friday, 18 June, 2004 at 12:24:24 Eastern Daylight Time which is 4 hours
behind Greenwich Mean Time
Examining Received headers (5)

• Every time an email moves through a new mail transfer agent (a mail server or a mail
  relay), a new Received header line is added to the beginning of the headers list
    - This means that as we read the Received headers in an email message from top to bottom, we are
      gradually moving closer to the machine/person that sent the email.



    (in the example below, the first Received line is closest to Bob, the second is one hop away)

    Received: from chico.cs.colostate.edu (chico.cs.colostate.edu [129.82.45.30]) by
                  mailhost.isse.gmu.edu (8.8.5/8.7.2) with ESMTP id LAA20869 for
                  <bob@isse.gmu.edu>; Fri, 18 Jun 2004 12:24:24 -0400 (EDT)
    Received: from salieri.cs.colostate.edu (salieri.cs.colostate.edu [129.82.45.76] by
                  chico.cs.colostate.edu (8.12.10/8.12.9) id i5IGMtv0004345
    From: alice@cs.colostate.edu (Alice The Great)
    To: bob@isse.gmu.edu
    Date: Fri, 18 Jun 2004 10:22:55 -0600 (MDT)
    Message-ID: <Pine.GS0.4.58.0406181022460@salieri.cs.colostate.edu>
    X-Mailer: Pine v2.32
    Subject: Conference call today?
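An added example (my code, not from the slides): a small Python parser for the header block above that unfolds continuation lines and splits each Received value into its from/by/via/with/id/for tokens plus the date-time, then returns the hops in the order just described (first entry closest to Bob, last entry closest to the sender). Function names and the helo_mismatch flag are mine; the header text is the slides' own sample, including the ')' it is missing.

```python
import re

# Two-hop sample header from the slides (Alice on salieri -> chico -> mailhost),
# kept verbatim including the ')' missing from the second Received line.
SAMPLE_HEADERS = """\
Received: from chico.cs.colostate.edu (chico.cs.colostate.edu [129.82.45.30]) by
    mailhost.isse.gmu.edu (8.8.5/8.7.2) with ESMTP id LAA20869 for
    <bob@isse.gmu.edu>; Fri, 18 Jun 2004 12:24:24 -0400 (EDT)
Received: from salieri.cs.colostate.edu (salieri.cs.colostate.edu [129.82.45.76] by
    chico.cs.colostate.edu (8.12.10/8.12.9) id i5IGMtv0004345
From: alice@cs.colostate.edu (Alice The Great)
To: bob@isse.gmu.edu
Date: Fri, 18 Jun 2004 10:22:55 -0600 (MDT)
Message-ID: <Pine.GS0.4.58.0406181022460@salieri.cs.colostate.edu>
X-Mailer: Pine v2.32
Subject: Conference call today?
"""

TOKENS = ("from", "by", "via", "with", "id", "for")
# name (dns-name [ip-address]); the closing ')' is optional so a defective
# line like the slides' second Received still yields all three parts.
FROM_RE = re.compile(r"(\S+)(?:\s+\(([^\s\[\]]*)\s*(?:\[([^\]]+)\])?\)?)?")

def unfold(raw):
    """Return (name, value) pairs; a line starting with space or tab is
    glued onto the previous header value, as the slides describe."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

def parse_received(value):
    """Split one Received value into its tokens plus the date-time after
    the last ';'. Any token may be absent, so nothing is assumed present."""
    clause, sep, date = value.rpartition(";")
    if not sep:                       # no ';' at all, so no date-time
        clause, date = value, ""
    hop, words, i = {"date": date.strip()}, clause.split(), 0
    while i < len(words):
        key = words[i].lower()
        if key not in TOKENS:         # stray word between tokens: skip it
            i += 1
            continue
        j = i + 1
        while j < len(words) and words[j].lower() not in TOKENS:
            j += 1
        hop[key] = " ".join(words[i + 1:j])
        i = j
    return hop

def hop_chain(raw):
    """Received lines in header order: hops[0] is the transfer closest to the
    recipient, hops[-1] the one closest to the sender. The from token is split
    into the HELO name, the reverse-DNS name and the IP; helo_mismatch marks a
    HELO name that differs from the name the receiving server resolved."""
    hops = []
    for name, value in unfold(raw):
        if name.lower() != "received":
            continue
        hop = parse_received(value)
        m = FROM_RE.match(hop.get("from", ""))
        helo, dns, ip = m.groups() if m else (None, None, None)
        hop["helo"], hop["dns_name"], hop["ip"] = helo or "", dns or "", ip or ""
        hop["by_host"] = hop.get("by", "").split(" ")[0]
        hop["helo_mismatch"] = bool(dns) and helo.lower() != dns.lower()
        hops.append(hop)
    return hops
```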
Examining other portions of email header
• From: alice@cs.colostate.edu (Alice The Great)
    - This mail was sent by alice@cs.colostate.edu, who gives her real name as Alice The
      Great
• To: bob@isse.gmu.edu
    - The mail was addressed to bob@isse.gmu.edu
• Date: Fri, 18 Jun 2004 10:22:55 -0600 (MDT)
    - The email was composed on Friday 18 June 2004 at 10:22:55 Mountain Daylight Time
      which is 6 hours behind GMT
Examining other portions of email header

• Message-ID: <Pine.GS0.4.58.0406181022460@salieri.cs.colostate.edu>
    - The email was provided with this number by chico.cs.colostate.edu to identify it.
        • This ID is different from the ESMTP / SMTP ID numbers in the Received: headers
        • It is attached to the message for life
        • Sometimes this ID may provide a valuable clue; most of the time it is unintelligible
               - information about sender’s email address
               - information about the machine on which the email was composed
               - Email program used to compose email
Examining other portions of email header

• X-Mailer: Pine v2.32
    - The message was sent using a program called Pine, version 2.32
• Subject: Conference Call Today?
    - Subject matter for the email




   There can be many other header fields in the email header,
   like Bcc, Cc etc. For the most part these do not contribute
   to email tracing. For a complete list of header
   fields please see RFC 2076
Simple Mail Transfer Protocol (RFC 2821)

• Principal application layer protocol for Internet electronic mail.
• Runs over TCP (port 25)
• It is used to push email messages from one mail server to another or from a user agent to a
  mail server

(figure: SMTP runs in the application layer on both the sending and the receiving host, over TCP, above the network and physical layers; UDP sits beside TCP but is not used)
Transcript of SMTP connection between Alice's mail server and Bob's

S: 220 mailhost.isse.gmu.edu ESMTP Sendmail 8.8.5/1.4/8.7.2/1.13; Fri, 18 Jun 2004 12:24:24 -0400 (EDT)
C: HELO mailhost.isse.gmu.edu
S: 250 Hello chico.cs.colostate.edu, pleased to meet you
C: MAIL FROM: <alice@cs.colostate.edu>
S: 250 alice@cs.colostate.edu … Sender ok
C: RCPT TO: bob@isse.gmu.edu
S: 250 bob@isse.gmu.edu … Recipient ok
C: DATA
S: 354 Enter mail, end with “.” on a line by itself
C: Received: from salieri.cs.colostate.edu (salieri.cs.colostate.edu [129.82.45.76] by …….
C: ……
C: Subject: Conference Call Today?
C: Are we having the conference call today?
C: .
S: 250 LAA20869 Message accepted for delivery
C: QUIT
S: 221 hamburger.edu closing connection

• Client SMTP running on sending mail server host, establishes TCP connection on port 25 to server
  SMTP running on receiving email server host.
    - TCP guarantees error-free delivery of email message
• ASCII texts prefaced with C:/S: are exactly the lines the client/server send
• Client issued 5 commands. Server replied to each command with each reply accompanied by a
  reply-code
Understanding SMTP commands

• HELO
  - Identifies the sending machine
  - The sender can lie
      • Nothing, in principle, prevents chico.cs.colostate.edu from saying “HELO abc.freebie.com”
      • Receiver can find out the sending machine’s real identity, using reverse DNS lookup, for
        example
           - Most modern email servers do this
Understanding SMTP commands

• MAIL FROM
   - Initiates email processing
   - Address need not be the same as the sender’s own address
   - Turns into the from address in the Received header
• RCPT TO
   - Dual of MAIL FROM
   - Specifies the intended recipient (the one to which the email will be delivered regardless of whatever is
     specified in the To: line in the message)
   - One mail can be sent to multiple recipients by including multiple RCPT TO commands
   - Turns into the for address in the Received header
Understanding SMTP commands

• DATA
   - Starts the actual mail entry. Everything following it is considered the message
   - No restrictions on its form
   - Lines at the beginning of the message that start with a single word followed by a colon
     are considered part of the message header
   - Line consisting only of a period terminates the message
• QUIT
   - Terminates the SMTP connection
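As an added example (my code, not from the slides and not real sendmail): a toy model of the receiving server's side of the exchange above, showing how HELO, MAIL FROM and RCPT TO end up in the Received line it prepends, with a HELO name that does not match the connection's reverse DNS and a To: line that differs from RCPT TO. Host names and the date reuse the slides' sample; ReceivingMTA, run_example and the session lines are my constructions.

```python
import itertools
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

class ReceivingMTA:
    """Toy model of the server side: records what the client claims (HELO,
    MAIL FROM, RCPT TO) and what the TCP connection reveals (peer IP, reverse
    DNS), then prepends a Received line in the slides' from/by/with/id/for shape."""

    def __init__(self, hostname, version, now):
        self.hostname, self.version, self.now = hostname, version, now
        self._ids = itertools.count(20869)   # constructed id sequence: LAA20869, ...

    def receive(self, peer_ip, reverse_dns, client_lines):
        """client_lines are the C: lines of one session, in order. Returns
        (server_replies, stored_message); message is None unless DATA ended with '.'."""
        helo, rcpts, body, replies, message, in_data = "", [], [], [], None, False
        for line in client_lines:
            if in_data:
                if line != ".":
                    body.append(line)
                    continue
                in_data, ident = False, "LAA%05d" % next(self._ids)
                replies.append("250 %s Message accepted for delivery" % ident)
                received = self.received_line(helo, peer_ip, reverse_dns, rcpts, ident)
                message = "Received: %s\r\n%s" % (received, "\r\n".join(body))
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "HELO":
                helo = arg.strip()        # taken on faith: the sender can lie here
                replies.append("250 Hello %s, pleased to meet you" % reverse_dns)
            elif verb == "MAIL":
                sender = arg.partition(":")[2].strip().strip("<>")
                replies.append("250 %s ... Sender ok" % sender)
            elif verb == "RCPT":
                rcpts.append(arg.partition(":")[2].strip().strip("<>"))
                replies.append("250 %s ... Recipient ok" % rcpts[-1])
            elif verb == "DATA":
                in_data = True
                replies.append('354 Enter mail, end with "." on a line by itself')
            elif verb == "QUIT":
                replies.append("221 %s closing connection" % self.hostname)
                break
        return replies, message

    def received_line(self, helo, peer_ip, reverse_dns, rcpts, ident):
        # 'from' keeps the HELO name exactly as claimed, beside the reverse-DNS
        # name and IP the server observed; 'for' is the RCPT TO address, which
        # need not match the To: line, and is only written for a single
        # recipient (a simplification of this model, so others are not disclosed).
        line = "from %s (%s [%s]) by %s (%s) with ESMTP id %s" % (
            helo, reverse_dns, peer_ip, self.hostname, self.version, ident)
        if len(rcpts) == 1:
            line += " for <%s>" % rcpts[0]
        return "%s; %s" % (line, format_datetime(self.now))

# A session mirroring the transcript, but with a forged HELO and a To: line
# that differs from RCPT TO (both constructed for this example).
EXAMPLE_SESSION = [
    "HELO abc.freebie.com", "MAIL FROM: <alice@cs.colostate.edu>",
    "RCPT TO: bob@isse.gmu.edu", "DATA",
    "From: alice@cs.colostate.edu (Alice The Great)", "To: carol@example.org",
    "Subject: Conference Call Today?", "", "Are we having the conference call today?",
    ".", "QUIT",
]

def run_example():
    mta = ReceivingMTA("mailhost.isse.gmu.edu", "8.8.5/8.7.2",
                       datetime(2004, 6, 18, 12, 24, 24, tzinfo=timezone(timedelta(hours=-4))))
    return mta.receive("129.82.45.30", "chico.cs.colostate.edu", EXAMPLE_SESSION)
```

The stored message's first line records abc.freebie.com as the HELO name but chico.cs.colostate.edu [129.82.45.30] as what the server actually saw, and bob@isse.gmu.edu (the RCPT TO address) in the for clause even though the To: line names someone else.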
Effect of firewalls on email headers

• Introduces one extra hop in the e-mail's passage.
     - Firewall acts as just one more machine that forwards email
     - Adds Received: line for each extra hop


(figure: the path now runs salieri.cs.colostate.edu, chico.cs.colostate.edu, firewall.cs.colostate.edu, firewall.isse.gmu.edu, mailhost.isse.gmu.edu, pinky.isse.gmu.edu)
Effect of firewall on email headers

Received: from firewall.isse.gmu.edu (firewall.isse.gmu.edu [129.174.142.12]) by
            mailhost.isse.gmu.edu (8.8.5/8.7.2) with ESMTP id LAA20869 for
            <bob@isse.gmu.edu>; Fri, 18 Jun 2004 12:24:24 -0400 (EDT)
Received: from firewall.cs.colostate.edu (firewall.cs.colostate.edu [129.82.45.35]) by
            firewall.isse.gmu.edu (8.8.3/8.7.1) with ESMTP id LAA20869 for
            <bob@isse.gmu.edu>; Fri, 18 Jun 2004 12:23:54 -0400 (EDT)
Received: from chico.cs.colostate.edu (chico.cs.colostate.edu [129.82.45.30]) by
            firewall.cs.colostate.edu (8.12.10/8.12.9) with ESMTP id i5IGMtv0004345 for
            <bob@isse.gmu.edu>; Fri, 18 Jun 2004 10:23:56 -0600 (MDT)
Received: from salieri.cs.colostate.edu (salieri.cs.colostate.edu [129.82.45.76] by
            chico.cs.colostate.edu (8.12.10/8.12.9) id i5IGMtv0004345
From: alice@cs.colostate.edu (Alice The Great)
To: bob@isse.gmu.edu
Date: Fri, 18 Jun 2004 10:22:55 -0600 (MDT)
Message-ID: <Pine.GS0.4.58.0406181022460@salieri.cs.colostate.edu>
X-Mailer: Pine v2.32
Subject: Conference call today?
Email relays

• SMTP allows messages to be relayed to other SMTP servers towards a
  destination
   - Historically this was the way SMTP was meant to be
   - Currently, only unethical spammers use SMTP relaying to conceal the source of their
     messages
       • This way spammers hope to deflect complaints to the (innocent) relay site rather than the
         spammers’ own ISP
Email relays
Received: from unwilling.intermediary.com (unwilling.intermediary.com [98.134.11.32]) by
            mailhost.isse.gmu.edu (8.8.5/8.7.2) ID 004B32 for <bob@isse.gmu.edu>; Fri, 18 Jun 2004
            16:39:50 -0400 (EDT)
Received: from galangal.org ([104.128.23.115]) by unwilling.intermediary.com (8.6.5/8.5.8) with SMTP ID
            LAA12741; Fri, 18 Jun 2004 16:36:28 -0400 (EDT)
From: Anonymous Spammer <junkmail@galangal.org>
To: (recipient list suppressed)
Message-Id: <w45qxz23-34ls5@unwilling.intermediary.com>
X-Mailer: Massive Annoyance
Subject: WANT TO MAKE ALOT OF MONEY???



Message originated at galangal.org, was passed from there
to unwilling.intermediary.com
and from there to mailhost.isse.gmu.edu
How did that happen? (Most likely scenario)

• galangal.org simply connected to the port 25 at unwilling.intermediary.com
• Told unwilling.intermediary.com to send message to bob@isse.gmu.edu
    - RCPT TO: bob@isse.gmu.edu
• unwilling.intermediary.com handed off the email to mailhost.isse.gmu.edu in
  the usual manner
    - One thing to note is that the Message-ID: line was filled in not by the sending machine but
      by the relayer: Message-Id: <w45qxz23-34ls5@unwilling.intermediary.com>
        • One way to confirm relayed mail
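The confirmation the slide suggests, as an added Python check (my code, not the slides'): compare the domain in Message-Id with the From domain and with the originating host named in the bottom Received line, using the relay sample above and Alice's direct two-hop message from the earlier slides as the two cases. Function names are mine; the Received lines are the slides' samples unfolded onto single lines.

```python
import re

# Relay sample from the slides, each Received line unfolded onto one line.
RELAYED = """\
Received: from unwilling.intermediary.com (unwilling.intermediary.com [98.134.11.32]) by mailhost.isse.gmu.edu (8.8.5/8.7.2) ID 004B32 for <bob@isse.gmu.edu>; Fri, 18 Jun 2004 16:39:50 -0400 (EDT)
Received: from galangal.org ([104.128.23.115]) by unwilling.intermediary.com (8.6.5/8.5.8) with SMTP ID LAA12741; Fri, 18 Jun 2004 16:36:28 -0400 (EDT)
From: Anonymous Spammer <junkmail@galangal.org>
To: (recipient list suppressed)
Message-Id: <w45qxz23-34ls5@unwilling.intermediary.com>
X-Mailer: Massive Annoyance
Subject: WANT TO MAKE ALOT OF MONEY???
"""

# Alice's direct two-hop message from the earlier slides: the non-relayed case.
DIRECT = """\
Received: from chico.cs.colostate.edu (chico.cs.colostate.edu [129.82.45.30]) by mailhost.isse.gmu.edu (8.8.5/8.7.2) with ESMTP id LAA20869 for <bob@isse.gmu.edu>; Fri, 18 Jun 2004 12:24:24 -0400 (EDT)
Received: from salieri.cs.colostate.edu (salieri.cs.colostate.edu [129.82.45.76]) by chico.cs.colostate.edu (8.12.10/8.12.9) id i5IGMtv0004345
From: alice@cs.colostate.edu (Alice The Great)
Message-ID: <Pine.GS0.4.58.0406181022460@salieri.cs.colostate.edu>
"""

def header(raw, name):
    """Value of the first header called name (case-insensitive), '' if absent."""
    m = re.search(r"(?im)^%s:[ \t]*(.*)$" % re.escape(name), raw)
    return m.group(1).strip() if m else ""

def domain_of(text):
    """Domain after the '@' in an address or message id; '' if there is none."""
    m = re.search(r"@([\w.-]+)", text)
    return m.group(1).lower() if m else ""

def same_org(a, b):
    """True if a equals b or is a host inside b (salieri.cs.x.edu vs cs.x.edu)."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b))

def relay_assessment(raw):
    """The slides' check: the bottom Received line names the originating host,
    so a Message-Id whose domain is neither that host nor the From domain was
    stamped on by a later hop, i.e. the message was relayed."""
    from_hosts = [h.lower() for h in re.findall(r"(?im)^Received:\s+from\s+(\S+)", raw)]
    origin = from_hosts[-1] if from_hosts else ""
    msgid_dom = domain_of(header(raw, "Message-Id"))
    from_dom = domain_of(header(raw, "From"))
    stamped_by = msgid_dom if msgid_dom in from_hosts[:-1] else ""
    relayed = bool(msgid_dom) and not same_org(msgid_dom, origin) \
        and not same_org(msgid_dom, from_dom)
    return {"origin": origin, "message_id_domain": msgid_dom,
            "from_domain": from_dom, "stamped_by": stamped_by, "relayed": relayed}
```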
Mail Access Protocols

• Used by Email reader programs to pull stored email messages from the mail
  server to the recipient’s machine.
    - For the most part do not add anything extra to the email header
    - May format the email header
POP3 Protocol

• Authorization phase
     - client commands:
           • user: declare username
           • pass: password
     - server responses
           • +OK
           • -ERR
• transaction phase, client:
     - list: list message numbers
     - retr: retrieve message by number
     - dele: delete
     - quit

    S: +OK POP3 server ready
    C: user bob
    S: +OK
    C: pass hungry
    S: +OK user successfully logged on
    C: list
    S: 1 498
    S: 2 912
    S: .
    C: retr 1
    S: <message 1 contents>
    S: .
    C: dele 1
    C: retr 2
    S: <message 2 contents>
    S: .
    C: dele 2
    C: quit
    S: +OK POP3 server signing off
POP3 (more) and IMAP

• Previous example uses download and delete mode.
• Bob cannot re-read e-mail if he changes client
• Download-and-keep mode: copies of messages on different clients
• POP3 is stateless across sessions
• POP3 is post office protocol(3)
• Keep all messages in one place: the server
• Allows user to organize messages in folders
• IMAP is Internet Message Access Protocol
• IMAP keeps user state across sessions:
    - names of folders and mappings between message IDs and folder name

				
posted:8/3/2011
language:English
pages:35