Security Basics mailing list archives

RE: e-mail tracing


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 30 Aug 2004 15:38:01 -0700

  While trying to read Received: headers is fun, I prefer to
drop them into the form at http://spamcop.net and have it do
it for me.  It's better than I am at spotting faked headers.

  Typically, what you'll see in each line is

Received: from AAA (BBB [CCC]) by DDD ....

  Where

AAA - is the name that the host supplied on its HELO/EHLO
      packet to the SMTP server (DDD)

CCC - is the actual source IP address of the packet

BBB - is what a reverse DNS lookup on that IP address returns.

  So, looking to your examples:

1> from pmta04.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by
1> imta41.mta.everyone.net (Postfix) with ESMTP id 7547A50809 for

  This is a local relay within everyone.net, and will probably
appear just like this on every email you receive here.

1> from 216.200.145.35 (61.149.215.9 [61.149.215.9]) by

  This host, 61.149.215.9, claimed to be named "216.200.145.35".
I don't think it can be trusted.

1> from E39 (a222.53.141.148.oeo6.wsj.admin170 () citibank com
1> [160.129.208.70]) by mail67.k.yahoo.com

  Unless that bogus host at 61.149.215.9 *is* mail67.k.yahoo.com
(pretty unlikely!), this header is fake.


2> from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by
2> imta39.mta.everyone.net (Postfix) with ESMTP id EC06C4A619 for

  Local relay, see above.

2> from 216.200.145.35 (4.16.55.202 [4.16.55.202]) by
2> pmta11.mta.everyone.net

  4.16.55.202, claiming to be named "216.200.145.35".

2> from 6.190.168.160 by 4.16.55.202; Wed, 25 Aug 2004 14:23:52 -0700

  Maybe it got there from 6.190.168.160.  Maybe the line is fake.
Maybe it got there from some other address claiming to be named
"6.190.168.160"; since it didn't insert IP and rDNS info, this is
*at best* a spammer-friendly relay.  Note also that the MTA software
isn't named -- I think this is probably a fake to divert blame
away from 4.16.55.202.


3> from pmta08.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by
3> imta38.mta.everyone.net (Postfix) with ESMTP id 718FF4A636 for

  Local relay again, as expected.

3> from x1-6-00-08-0e-8a-58-75.k149.webspeed.dk (80.162.14.71
3> [80.162.14.71]) by pmta08.mta.everyone.net (EON-PMTA)

  Looks like a Danish broadband customer.

3> from 30.34.132.240 by 80.162.14.71; Wed, 25 Aug 2004 16:09:33 -0400

  Similar to 2, and same conclusion -- probably faked to throw
suspicion away from the Danish machine.

David Gillett



-----Original Message-----
From: P S [mailto:seclistmail () hotmail com]
Sent: Saturday, August 28, 2004 7:27 AM
To: security-basics () securityfocus com
Subject: e-mail tracing


Hi,
I have been getting e-mails about confirming my credit card number and
PIN at different banks, and I decided to try to trace them back just to
see where they are really coming from. At school in the network security
class we learnt how e-mail goes through MTAs, and that spammers can send
e-mails through open mail servers, but we didn't go into details and of
course they didn't give us any hands-on either.

So I googled "reading e-mail headers" and went through lots of pages and
learnt a lot, but I still have a few questions and I would really
appreciate it if somebody could help me.

What I learnt is that I have to read the headers from bottom to top;
that's how it goes through the MTAs. Now I am reading these headers, but
the bottom "from" lines are confusing. I will copy 3 of the headers here:

Received:
from pmta04.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by
imta41.mta.everyone.net (Postfix) with ESMTP id 7547A50809 for
<xxxx () cbgb net>; Sun, 22 Aug 2004 17:58:31 -0700 (PDT)

from 216.200.145.35 (61.149.215.9 [61.149.215.9]) by
pmta04.mta.everyone.net (EON-PMTA) with SMTP id 894D1584 for
<xxxx () cbgb net>; Sun, 22 Aug 2004 17:58:31 -0700

from E39 (a222.53.141.148.oeo6.wsj.admin170 () citibank com
[160.129.208.70]) by mail67.k.yahoo.com (606.70.4q95/1.773.2) with SMTP
id vvh21F66RMEpjz471; Mon, 23 Aug 2004 14:59:29 +0100


Received:
from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by
imta39.mta.everyone.net (Postfix) with ESMTP id EC06C4A619 for
<xxxx () cbgb net>; Wed, 25 Aug 2004 13:25:59 -0700 (PDT)

from 216.200.145.35 (4.16.55.202 [4.16.55.202]) by
pmta11.mta.everyone.net (EON-PMTA) with SMTP id F1842D83 for
<xxxx () cbgb net>; Wed, 25 Aug 2004 13:25:59 -0700

from 6.190.168.160 by 4.16.55.202; Wed, 25 Aug 2004 14:23:52 -0700


Received:
from pmta08.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by
imta38.mta.everyone.net (Postfix) with ESMTP id 718FF4A636 for
<xxxx () cbgb net>; Wed, 25 Aug 2004 12:13:39 -0700 (PDT)

from x1-6-00-08-0e-8a-58-75.k149.webspeed.dk (80.162.14.71
[80.162.14.71]) by pmta08.mta.everyone.net (EON-PMTA) with SMTP id
16ED3FB9 for <xxxx () cbgb net>; Wed, 25 Aug 2004 12:13:39 -0700

from 30.34.132.240 by 80.162.14.71; Wed, 25 Aug 2004 16:09:33 -0400

The first one says it's coming from
a222.53.141.148.oeo6.wsj.admin170 () citibank com, and from this I think
the IP address should be 148.141.53.222, but in brackets it says
160.129.208.70. After this the "received by" says it was sent through
Yahoo's mail server. Now to me it looks like this field is fake; am I
right?

The second "from" field says 216.200.145.35, but the relaying mail server
put in the real IP as 61.149.215.9. Is this the real spammer IP where the
mail is really coming from? Same with the other two headers: it looks
like the first (bottom) fields are fake. Am I right when I think the
spammer sent the mails from 4.16.55.202 and 80.162.14.71?

Every answer and help will be really appreciated, thank you.

Peter
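David's checks above, written out as a small parser (an added example, not part of either post): it splits each Received: line into the AAA/BBB/CCC/DDD fields he describes and flags a HELO name that disagrees with the source IP the receiver saw, a hop that recorded no rDNS/IP at all, and an older hop whose "by" host is not the peer the next relay actually saw. It also marks a private source address as an internal relay, which is the reason the everyone.net hop looks the same on every message. The sample is the first header from Peter's message, with the archive's address obfuscation kept as-is.

```python
import ipaddress
import re

# "from AAA (BBB [CCC]) by DDD (MTA) ..." as David describes it; a hop that
# omits the "(BBB [CCC])" part is matched by the bare form instead.
FULL_RE = re.compile(r"from\s+(?P<helo>\S+)\s*\((?P<rdns>[^\[\]]*?)\s*\[(?P<ip>[^\]]+)\]\)"
                     r"\s*by\s+(?P<by>\S+)(?:\s+\((?P<mta>[^)]*)\))?", re.I)
BARE_RE = re.compile(r"from\s+(?P<helo>\S+)\s+by\s+(?P<by>[^\s;]+)", re.I)

def parse_hop(line):
    """helo (AAA), rdns (BBB), ip (CCC), by (DDD) and mta for one Received line."""
    m = FULL_RE.search(line)
    if m:
        return {"helo": m["helo"], "rdns": m["rdns"].strip() or None, "ip": m["ip"],
                "by": m["by"], "mta": m["mta"]}
    m = BARE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised Received line: {line!r}")
    return {"helo": m["helo"], "rdns": None, "ip": None, "by": m["by"], "mta": None}

def is_ip(s):
    try:
        return bool(ipaddress.ip_address(s))
    except ValueError:
        return False

def assess(lines):
    """lines in header order (newest hop first); returns the findings for each hop."""
    hops = [parse_hop(l) for l in lines]
    findings = []
    for i, h in enumerate(hops):
        notes = []
        if h["ip"] is None:
            notes.append("no rDNS/IP recorded and no MTA named: unverifiable, at best an open relay")
        else:
            if ipaddress.ip_address(h["ip"]).is_private:
                notes.append("private source address: internal relay")
            if is_ip(h["helo"]) and h["helo"] != h["ip"]:
                notes.append(f"HELO claims {h['helo']} but the packet came from {h['ip']}: untrusted")
        # The older hop's 'by' host should be the peer this relay actually saw.
        if i + 1 < len(hops) and hops[i + 1]["by"] not in {h["helo"], h["rdns"], h["ip"]}:
            notes.append(f"older hop says 'by {hops[i + 1]['by']}' but this relay saw {h['ip']}: likely forged")
        findings.append(notes)
    return findings

# Constructed from the first header in the thread (archive obfuscation of addresses kept).
HEADER_1 = [
    "from pmta04.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by imta41.mta.everyone.net (Postfix) with ESMTP id 7547A50809for <xxxx () cbgb net>; Sun, 22 Aug 2004 17:58:31 -0700 (PDT)",
    "from 216.200.145.35 (61.149.215.9 [61.149.215.9])by pmta04.mta.everyone.net (EON-PMTA) with SMTP id 894D1584for <xxxx () cbgb net>; Sun, 22 Aug 2004 17:58:31 -0700",
    "from E39 (a222.53.141.148.oeo6.wsj.admin170 () citibank com [160.129.208.70])by mail67.k.yahoo.com (606.70.4q95/1.773.2) with SMTP id vvh21F66RMEpjz471;Mon, 23 Aug 2004 14:59:29 +0100",
]
```

Calling `assess(HEADER_1)` gives one list of findings per hop: the internal relay, then the untrusted HELO plus the mismatched yahoo.com "by", then nothing on the bottom hop by itself.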



---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------