RE: e-mail tracing

[Ryan Murphy <RMurphy () irvinecompany com>]

This is an interesting topic. Does anyone on the list know of a definitive
guide to reading e-mail headers? I may be the only one here that doesn't
know all the ins and outs of it, but chances are I'm not, and a fair number
of people on the list could benefit from having such a guide.

Thanks,

Ryan

-----Original Message-----
From: P S [mailto:seclistmail () hotmail com]
Sent: Saturday, August 28, 2004 7:27 AM
To: security-basics () securityfocus com
Subject: e-mail tracing


Hi,
I have been getting e-mails about confirming my credit card number and pin 
at different banks
and I decided to try to trace them back just to see where it is really 
coming from.
At school in the network security class we learnt how e-mail goes through 
MTA's, and spammers can send e-mails through open mail servers but we didn't

go into details and of course they didn't give us any hands on either.

So I googled "reading e-mail headers" and went through lots of pages and 
learnt a lot but I still have a few questions and I would really apprechiate

if somebody could help me.

What I learnt is I have to read the headers from bottom to top, thats how it

goes through the MTAs. Now I am reading these headers but the bottom "from" 
lines are confusing. I will copy 3 of the headers here:

Received:
from pmta04.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by 
imta41.mta.everyone.net (Postfix) with ESMTP id 7547A50809for 
<xxxx () cbgb net>; Sun, 22 Aug 2004 17:58:31 -0700 (PDT)

from 216.200.145.35 (61.149.215.9 [61.149.215.9])by pmta04.mta.everyone.net 
(EON-PMTA) with SMTP id 894D1584for <xxxx () cbgb net>; Sun, 22 Aug 2004 
17:58:31 -0700

from E39 (a222.53.141.148.oeo6.wsj.admin170 () citibank com [160.129.208.70])by

mail67.k.yahoo.com

(606.70.4q95/1.773.2) with SMTP id vvh21F66RMEpjz471;Mon, 23 Aug 2004 
14:59:29 +0100


Received:
from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by 
imta39.mta.everyone.net (Postfix) with ESMTP id EC06C4A619for 
<xxxx () cbgb net>; Wed, 25 Aug 2004 13:25:59 -0700 (PDT)

from 216.200.145.35 (4.16.55.202 [4.16.55.202])by pmta11.mta.everyone.net 
(EON-PMTA) with SMTP id F1842D83for <xxxx () cbgb net>; Wed, 25 Aug 2004 
13:25:59 -0700

from 6.190.168.160 by 4.16.55.202; Wed, 25 Aug 2004 14:23:52 -0700


Received:
from pmta08.mta.everyone.net (bigiplb-dsnat [172.16.0.19])by 
imta38.mta.everyone.net (Postfix) with ESMTP id 718FF4A636for 
<xxxx () cbgb net>; Wed, 25 Aug 2004 12:13:39 -0700 (PDT)

from x1-6-00-08-0e-8a-58-75.k149.webspeed.dk (80.162.14.71 [80.162.14.71])by

pmta08.mta.everyone.net (EON-PMTA) with SMTP id 16ED3FB9for <xxxx () cbgb net>;

Wed, 25 Aug 2004 12:13:39 -0700

from 30.34.132.240 by 80.162.14.71; Wed, 25 Aug 2004 16:09:33 -0400

The first one says it's coming from 
a222.53.141.148.oeo6.wsj.admin170 () citibank com and from this I think the IP 
address should be 148.141.53.222 but in brackets it says 160.129.208.70. 
After this the received by says it was sent through yahoo's mail server. Now

to me it looks like this field is fake, am I right?

The second from field says 216.200.145.35 but the relaying mailserver put in

the real IP as 61.149.215.9. Is this the real spammer IP where the mail is 
really coming from? Same with the other two headers, it looks like the first

(bottom) fields are fake. Am I right when I think the spammer sent the mails

from 4.16.55.202 and 80.162.14.71?

Every answer and help will be really apprechiated, thank you.

Peter

_________________________________________________________________
Scan and help eliminate destructive viruses from your inbound and outbound 
e-mail and attachments. 
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=htt
p://hotmail.com/enca&HL=Market_MSNIS_Taglines 
  Start enjoying all the benefits of MSN® Premium right now and get the 
first two months FREE*.


---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------


 
============================= 
Notice to recipient:  This e-mail is meant for only the intended recipient
of the transmission, and may be a confidential communication or a
communication privileged by law.  If you received this e-mail in error, any
review, use, dissemination, distribution, or copying of this e-mail is
strictly prohibited.  Please notify us immediately of the error by return
e-mail and please delete this message from your system.  Thank you in
advance for your cooperation. 

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------