Security Basics mailing list archives
RE: e-mail tracing
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 30 Aug 2004 15:38:01 -0700
While trying to read Received: headers is fun, I prefer to drop them into the form at http://spamcop.net and have it do it for me. It's better than I am at spotting faked headers.

Typically, what you'll see in each line is

    Received: from AAA (BBB [CCC]) by DDD ....

Where
    AAA - is the name that the host supplied on its HELO/EHLO packet to the SMTP server (DDD)
    CCC - is the actual source IP address of the packet
    BBB - is what a reverse DNS lookup on that IP address returns.

So, looking to your examples:

1> from pmta04.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by
1> imta41.mta.everyone.net (Postfix) with ESMTP id 7547A50809for

This is a local relay within everyone.net, and will probably appear just like this on every email you receive here.

1> from 216.200.145.35 (61.149.215.9 [61.149.215.9])by

This host, 61.149.215.9, claimed to be named "216.200.145.35". I don't think it can be trusted.

1> from E39 (a222.53.141.148.oeo6.wsj.admin170 () citibank com
1> [160.129.208.70])by mail67.k.yahoo.com

Unless that bogus host at 61.149.215.9 *is* mail67.k.yahoo.com (pretty unlikely!), this header is fake.

2> from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by
2> imta39.mta.everyone.net (Postfix) with ESMTP id EC06C4A619for

Local relay, see above.

2> from 216.200.145.35 (4.16.55.202 [4.16.55.202])by
2> pmta11.mta.everyone.net

4.16.55.202, claiming to be named "216.200.145.35".

2> from 6.190.168.160 by 4.16.55.202; Wed, 25 Aug 2004 14:23:52 -0700

Maybe it got there from 6.190.168.160. Maybe the line is fake. Maybe it got there from some other address claiming to be named "6.190.168.160"; since it didn't insert IP and rDNS info, this is *at best* a spammer-friendly relay. Note also that the MTA software isn't named -- I think this is probably a fake to divert blame away from 4.16.55.202.

3> from pmta08.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by
3> imta38.mta.everyone.net (Postfix) with ESMTP id 718FF4A636for

Local relay again, as expected.

3> from x1-6-00-08-0e-8a-58-75.k149.webspeed.dk (80.162.14.71
3> [80.162.14.71])by pmta08.mta.everyone.net (EON-PMTA)

Looks like a Danish broadband customer.

3> from 30.34.132.240 by 80.162.14.71; Wed, 25 Aug 2004 16:09:33 -0400

Similar to 2, and same conclusion -- probably faked to throw suspicion away from the Danish machine.

David Gillett
-----Original Message-----
From: P S [mailto:seclistmail () hotmail com]
Sent: Saturday, August 28, 2004 7:27 AM
To: security-basics () securityfocus com
Subject: e-mail tracing

Hi,

I have been getting e-mails about confirming my credit card number and PIN at different banks and I decided to try to trace them back just to see where it is really coming from. At school in the network security class we learnt how e-mail goes through MTAs, and spammers can send e-mails through open mail servers, but we didn't go into details and of course they didn't give us any hands-on either. So I googled "reading e-mail headers" and went through lots of pages and learnt a lot, but I still have a few questions and I would really appreciate it if somebody could help me.

What I learnt is I have to read the headers from bottom to top; that's how it goes through the MTAs. Now I am reading these headers but the bottom "from" lines are confusing. I will copy 3 of the headers here:

Received: from pmta04.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by imta41.mta.everyone.net (Postfix) with ESMTP id 7547A50809for <xxxx () cbgb net>; Sun, 22 Aug 2004 17:58:31 -0700 (PDT)
from 216.200.145.35 (61.149.215.9 [61.149.215.9])by pmta04.mta.everyone.net (EON-PMTA) with SMTP id 894D1584for <xxxx () cbgb net>; Sun, 22 Aug 2004 17:58:31 -0700
from E39 (a222.53.141.148.oeo6.wsj.admin170 () citibank com [160.129.208.70])by mail67.k.yahoo.com (606.70.4q95/1.773.2) with SMTP id vvh21F66RMEpjz471;Mon, 23 Aug 2004 14:59:29 +0100

Received: from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by imta39.mta.everyone.net (Postfix) with ESMTP id EC06C4A619for <xxxx () cbgb net>; Wed, 25 Aug 2004 13:25:59 -0700 (PDT)
from 216.200.145.35 (4.16.55.202 [4.16.55.202])by pmta11.mta.everyone.net (EON-PMTA) with SMTP id F1842D83for <xxxx () cbgb net>; Wed, 25 Aug 2004 13:25:59 -0700
from 6.190.168.160 by 4.16.55.202; Wed, 25 Aug 2004 14:23:52 -0700

Received: from pmta08.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by imta38.mta.everyone.net (Postfix) with ESMTP id 718FF4A636for <xxxx () cbgb net>; Wed, 25 Aug 2004 12:13:39 -0700 (PDT)
from x1-6-00-08-0e-8a-58-75.k149.webspeed.dk (80.162.14.71 [80.162.14.71])by pmta08.mta.everyone.net (EON-PMTA) with SMTP id 16ED3FB9for <xxxx () cbgb net>; Wed, 25 Aug 2004 12:13:39 -0700
from 30.34.132.240 by 80.162.14.71; Wed, 25 Aug 2004 16:09:33 -0400

The first one says it's coming from a222.53.141.148.oeo6.wsj.admin170 () citibank com and from this I think the IP address should be 148.141.53.222, but in brackets it says 160.129.208.70. After this the received-by says it was sent through Yahoo's mail server. Now to me it looks like this field is fake, am I right?

The second from field says 216.200.145.35 but the relaying mail server put in the real IP as 61.149.215.9. Is this the real spammer IP where the mail is really coming from?

Same with the other two headers, it looks like the first (bottom) fields are fake. Am I right when I think the spammer sent the mails from 4.16.55.202 and 80.162.14.71?

Every answer and help will be really appreciated, thank you.

Peter

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------
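The header-reading rules David gives above, turned into a small checker. This is an added example, not code from the thread or from spamcop: it parses the "from AAA (BBB [CCC]) by DDD" form, tags a HELO name that is an IP literal differing from the recorded source IP, a hop that recorded no source IP at all, and a break in the relay chain (the "by" host of the hop below does not match who actually connected); the sample input is the first header set from Peter's message, re-joined onto one line per hop with the archive's address obfuscation undone.

```python
import re

# Added example, not code from the thread: parse Received: hops of the form
# "from AAA (BBB [CCC]) by DDD" and tag the warning signs discussed above.
# Lines are given top-to-bottom as they appear in the message; the bottom
# hop is the oldest. SAMPLE is the first header set from the question.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                        # AAA
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"   # (BBB [CCC])
    r"\s+by\s+(?P<by>[^\s;(]+)"                                     # DDD
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_hop(line):
    """Return {'helo','rdns','ip','by'} for one Received: line, or None."""
    m = HOP_RE.search(line)
    return m.groupdict() if m else None

def analyse(lines):
    """Return one list of warning tags per input line, in the same order."""
    hops = [parse_hop(line) for line in lines]
    tags = [[] for _ in hops]
    for i, hop in enumerate(hops):
        if hop is None:
            tags[i].append("unparsed")
            continue
        if hop["ip"] is None:
            # Relay wrote no "(rdns [ip])": nothing in this hop can be verified.
            tags[i].append("no-source-ip")
        elif IPV4_RE.match(hop["helo"]) and hop["helo"] != hop["ip"]:
            # Sender announced an IP literal in HELO that is not its real address.
            tags[i].append("helo-ip-mismatch")
        # Chain check: the "by" host of the hop below must be the host that
        # connected to this hop; otherwise the hop below was not written by it.
        below = hops[i + 1] if i + 1 < len(hops) else None
        if below and below["by"] not in (hop["helo"], hop["rdns"], hop["ip"]):
            tags[i + 1].append("chain-break")
    return tags

SAMPLE = [
    "from pmta04.mta.everyone.net (bigiplb-dsnat [172.16.0.19]) by "
    "imta41.mta.everyone.net (Postfix) with ESMTP id 7547A50809",
    "from 216.200.145.35 (61.149.215.9 [61.149.215.9]) by "
    "pmta04.mta.everyone.net (EON-PMTA) with SMTP id 894D1584",
    "from E39 (a222.53.141.148.oeo6.wsj.admin170@citibank.com "
    "[160.129.208.70]) by mail67.k.yahoo.com (606.70.4q95/1.773.2) with SMTP",
]

if __name__ == "__main__":
    for line, found in zip(SAMPLE, analyse(SAMPLE)):
        print(found or ["ok"], "<-", line[:50])
```

Run against SAMPLE the middle hop is tagged helo-ip-mismatch and the bottom (citibank/yahoo) hop chain-break, matching the reading given above.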