Security Basics mailing list archives
RE: e-mail tracing
From: LordInfidel () directionweb com
Date: Wed, 1 Sep 2004 01:00:40 -0400
Before I get into the nut's and bolts of what you are seeing, One of the best places to learn about e-mail is actually from reading the RFC's. The RFC's governing e-mail are 2822 and 2821 (www.faqs.org is my rfc archive of choice) Now why do I recommend reading the RFC's? Because even though using tools such as sam spade is great ( I personally use sam spade and encourage you to download a copy of it), nothing beats knowledge of deciphering it yourself. As I am sure you have learned in your net sec class, there are certain rules and guidelines that everything must follow on the net, from the 3 way handshake to ftp transmissions. SMTP is the same way, it has set guidelines. Now you will see in each MTA relay (or handoff), a ip in brackets as well as a spoofed FQDN. Well both of those items are part of the rfc and must be there in one form or another (no FQDN then an IP must appear). Now here is the cool part, the FQDN of the MTA can be spoofed and the next MTA in line still must accept the e-mail. But the IP in the brackets can not be spoofed, at least not according to the RFC. Which is where it get's into grey area. MTA's that do not function correctly can be tricked into accepting e-mail from spoofed source address'. Typically when this is done you will see multiple MTA's in the e-mail header. This is accomplished by none other, our friend, mr source-routing. But wait, source routing e-mail? I thought that was only for IP. But no, e-mail also has source routing capabilities where you can tell each MTA to whom(next MTA) to deliver the envelope. (which is why operating open relay's is bad) Usually whenever you see multiple MTA transfers that do not follow a logical pattern (same IP block like in large org's) you can bet your last dollar it (the IP) is going to be spoofed and the e-mail is spam. Now there are several ways to tell where the e-mail really came from. 1: hope the originating IP is not spoofed 2: the next hop MTA correctly records the IP 3: The next hop MTA has logging enabled at either a choke point, or other network monitoring device. The headers you provided are a classic example of open-relays and spoofing. The 1st entry written is fake and can not be trusted at all, it was meant to muddy the waters so to say and to look like it was coming from citibank: from E39 (a222.53.141.148.oeo6.wsj.admin170 () citibank com [160.129.208.70])by mail67.k.yahoo.com The 2nd MTA to handle this e-mail hopefully recorded the correct IP of the sending MTA in the [brackets] (remember your RFC's). original sending IP= 61.149.215.9. The 2nd MTA lawfully abided by the RFC and accepted the e-mail even though it was clearly spoofed. from 216.200.145.35 (61.149.215.9 [61.149.215.9])by pmta04.mta.everyone.net (EON-PMTA) with SMTP id 894D1584for <xxxx () cbgb net>; Sun, 22 Aug 2004 17:58:31 -0700 The next and final MTA, imta39.mta.everyone.net, received the e-mail from pmta04.mta.everyone.net [172.16.0.19] (note this is a reserverd address and in the same namespace as the final MTA, meaning it is NAT'd since pmta04 resolves to 216.200.145.35, and the bigiplb-dsnat entry gives it away, {the BigIP is a network device from F5 and is a great loadbalancer, it's the ferrari of loadbalancers}. So the e-mail entered into the eveyone.net's 172.16 from the public net passing thru the BigIP, DNAT to pmta11, and then deliverd to imta39, in turn delivering it to your mailbox. from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by imta39.mta.everyone.net (Postfix) with ESMTP id EC06C4A619for <xxxx () cbgb net>; Wed, 25 Aug 2004 13:25:59 -0700 (PDT) What we can derive from the 1st header written was that this e-mail was generated on a local machine, had it's headers spoofed and sent directly from that local machine to everyone.net. Who happily accepted it because the final destination host@domain was in the namespace that they are accepting mail for. Hope that answeres your question LordInfidel -----Original Message----- From: P S [mailto:seclistmail () hotmail com] Sent: Saturday, August 28, 2004 10:27 AM To: security-basics () securityfocus com Subject: e-mail tracing Hi, I have been getting e-mails about confirming my credit card number and pin at different banks and I decided to try to trace them back just to see where it is really coming from. At school in the network security class we learnt how e-mail goes through MTA's, and spammers can send e-mails through open mail servers but we didn't go into details and of course they didn't give us any hands on either. So I googled "reading e-mail headers" and went through lots of pages and learnt a lot but I still have a few questions and I would really apprechiate if somebody could help me. What I learnt is I have to read the headers from bottom to top, thats how it goes through the MTAs. Now I am reading these headers but the bottom "from" lines are confusing. I will copy 3 of the headers here: Received: from pmta04.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by imta41.mta.everyone.net (Postfix) with ESMTP id 7547A50809for <xxxx () cbgb net>; Sun, 22 Aug 2004 17:58:31 -0700 (PDT) from 216.200.145.35 (61.149.215.9 [61.149.215.9])by pmta04.mta.everyone.net (EON-PMTA) with SMTP id 894D1584for <xxxx () cbgb net>; Sun, 22 Aug 2004 17:58:31 -0700 from E39 (a222.53.141.148.oeo6.wsj.admin170 () citibank com [160.129.208.70])by mail67.k.yahoo.com (606.70.4q95/1.773.2) with SMTP id vvh21F66RMEpjz471;Mon, 23 Aug 2004 14:59:29 +0100 Received: from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by imta39.mta.everyone.net (Postfix) with ESMTP id EC06C4A619for <xxxx () cbgb net>; Wed, 25 Aug 2004 13:25:59 -0700 (PDT) from 216.200.145.35 (4.16.55.202 [4.16.55.202])by pmta11.mta.everyone.net (EON-PMTA) with SMTP id F1842D83for <xxxx () cbgb net>; Wed, 25 Aug 2004 13:25:59 -0700 from 6.190.168.160 by 4.16.55.202; Wed, 25 Aug 2004 14:23:52 -0700 Received: from pmta08.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by imta38.mta.everyone.net (Postfix) with ESMTP id 718FF4A636for <xxxx () cbgb net>; Wed, 25 Aug 2004 12:13:39 -0700 (PDT) from x1-6-00-08-0e-8a-58-75.k149.webspeed.dk (80.162.14.71 [80.162.14.71])by pmta08.mta.everyone.net (EON-PMTA) with SMTP id 16ED3FB9for <xxxx () cbgb net>; Wed, 25 Aug 2004 12:13:39 -0700 from 30.34.132.240 by 80.162.14.71; Wed, 25 Aug 2004 16:09:33 -0400 The first one says it's coming from a222.53.141.148.oeo6.wsj.admin170 () citibank com and from this I think the IP address should be 148.141.53.222 but in brackets it says 160.129.208.70. After this the received by says it was sent through yahoo's mail server. Now to me it looks like this field is fake, am I right? The second from field says 216.200.145.35 but the relaying mailserver put in the real IP as 61.149.215.9. Is this the real spammer IP where the mail is really coming from? Same with the other two headers, it looks like the first (bottom) fields are fake. Am I right when I think the spammer sent the mails from 4.16.55.202 and 80.162.14.71? Every answer and help will be really apprechiated, thank you. Peter _________________________________________________________________ Scan and help eliminate destructive viruses from your inbound and outbound e-mail and attachments. http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=htt p://hotmail.com/enca&HL=Market_MSNIS_Taglines Start enjoying all the benefits of MSN(r) Premium right now and get the first two months FREE*. --------------------------------------------------------------------------- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ----------------------------------------------------------------------------
Current thread:
- RE: e-mail tracing Steven McLaughlin (Aug 31)
- <Possible follow-ups>
- RE: e-mail tracing Ryan Murphy (Aug 31)
- Re: e-mail tracing Tomas Wolf (Sep 02)
- RE: e-mail tracing David Gillett (Aug 31)
- Re: e-mail tracing Steve (Sep 02)
- RE: e-mail tracing LordInfidel (Sep 01)
- Re: e-mail tracing P S (Sep 08)
- RE: e-mail tracing CHRIS GRABENSTEIN (Sep 09)
- Re: e-mail tracing phrag (Sep 10)
- Re: e-mail tracing Paul Kurczaba (Sep 13)
- Re: [low probable spam] Re: e-mail tracing Steve (Sep 16)
- Re: e-mail tracing phrag (Sep 10)
- Re: e-mail tracing Gaurav Kumar (Sep 12)
- e-mail tracing Hayden Searle (Sep 10)
- RE: e-mail tracing David Gillett (Sep 13)