Tracking Down Email

Hippie3 (Admin)
Posted on Friday, March 12, 2004 - 01:44 pm:

For the most part when you are using your email client like Outlook, Eudora, Netscape, pine, elm, etc. all that you see of the email header looks something like this:

Date: Fri, 15 Dec 2000 06:12:01 -0600
From: Hahaha
Subject: Snowhite and the Seven Dwarfs - The REAL story!


But this is just the tip of the iceberg. As you can see with the above example, which is a real email header from the virus that we have all received (or you would not be at this site most likely), most people including some of you reading this header on your computer automatically say:

"Dammit another SPAMMED email, well I think I am going to threaten the owner of the domain, the user (which in this case is the spoofed / faked From: field) and the people that are hosting the domain's website (that would be me slowmoe.com) with legal actions, report them to the FCC, FBI, Local Law, the government, their parents, their dog, etc..."

without digging a little deeper to find out what the real story behind this SPAM is.

Digging a little deeper:


The below header information is altered, and is here only to help you read other headers. This is only a guide, any similarities with actual providers/people are unintentional.


Now most email clients have some way to view the full email header of an email message. I think with Outlook when you have the message open you can do a VIEW / OPTIONS and the window that opens up will show you the full header. Netscape I am sure has some way to do the same. Here is an example of what the full email header looks like:

UPDATE: HERE is a link that tells you how to view the full email header for many different email clients.

Return-Path: <>
Received: from emerald.somedomain.abc (IDENT:[email protected] [10.46.57.20])
    by nullspace.neonova.net (8.9.3/8.9.3) with ESMTP id HAA25532
    for ; Fri, 15 Dec 2000 07:12:20 -0500
Received: from zano (bar-pm3-1-11.somedomain.abc [10.145.183.26])
    by emerald.somedomain.abc (Pro-8.9.3/Pro-8.9.3) with SMTP id GAA28296
    for ; Fri, 15 Dec 2000 06:12:01 -0600
Date: Fri, 15 Dec 2000 06:12:01 -0600
Message-Id: <[email protected]>
From: Hahaha
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0


Being that the virus tries its best to hide itself, this header looks smaller than a real header of an email sent from a normal email client. We still have the same information displayed that the normal header view above showed but we also added the following fields: Return-Path, Received, Message-Id and MIME-Version.

The main thing we want to look at to find out who really sent this email are the Received: fields. When an email is sent from your computer to your ISP's mail server, the mail server reads in the email from your computer and it will then add one of these Received: fields to your email's header. As the email gets transferred from mail server to mail server, each mail server that your email passes thru will add its own Received: field to your message on top of the one from the last server. In the above example our email has two (2) Received: fields meaning that it passed thru two (2) email servers before it got to me.

So now to find out who really sent me this email all I need to do is backtrack thru the Received: fields until I reach the computer that sent this to me.

The first Received: field says:

Received: from emerald.somedomain.abc (IDENT:[email protected] [10.46.57.20])
    by nullspace.neonova.net (8.9.3/8.9.3) with ESMTP id HAA25532
    for ; Fri, 15 Dec 2000 07:12:20 -0500


You can pretty much read this line just like English. It says: My mail server nullspace.neonova.net received an email going to [email protected] from the mail server emerald.somedomain.abc.

So I now know that the server that had this email right before it was dropped off in my inbox on my mail server is: emerald.somedomain.abc, but we are not done yet.

The second (last) Received: field says:

Received: from zano (bar-pm3-1-11.somedomain.abc [10.145.183.26])
    by emerald.somedomain.abc (Pro-8.9.3/Pro-8.9.3) with SMTP id GAA28296
    for ; Fri, 15 Dec 2000 06:12:01 -0600


Reading this like English again we get: The mail server emerald.somedomain.abc received an email going to [email protected] from zano (bar-pm3-1-11.somedomain.abc [10.145.183.26]).

Being that this is the last Received: field in our email header we now know that this email was sent from the computer that has the internet address of: bar-pm3-1-11.somedomain.abc which converts to the IP of ???.145.183.26 and told their mail server their name was zano.

So now we know who sent the email, now what? :

Now that we know the internet address and the IP of the user that really did send the email to you, you can do one of the following.

1) Well hey I know a friend that is named Zano or I know a friend that uses somedomain.abc as their ISP, he must be infected with the virus, I think I will call him up and let them know they are infected and have them visit http://www.sexyfun.net/ to help them clean their computer up.

2) I don't know a Zano, I don't know anyone that uses somedomain.abc as their ISP, I think I will contact Zano's ISP and tell them that one of their users is sending SPAM with a virus attachment. You can find out who Zano's ISP is by checking the DNS Whois information of somedomain.abc being that this is the network Zano is coming from. Or you can check out who owns the IP that Zano is coming from at ARIN's website. Either method should give you the contact information for their ISP.

When you contact Zano's ISP provide them with the Internet address (bar-pm3-1-11.somedomain.abc), the IP (10.145.183.26) and the time date stamp on the email. That way they should be able to go thru their logs and find out which of their users was logged in with that IP / internet address at the time the email was sent and contact them to inform them they have a virus or IF they are the virus creator, take the needed actions against them.

If you have not noticed by now this email did not come from the sexyfun.net domain or the company that is hosting this site :-) ..

--------------------------------------------------------------------------------
Well I hope this helps everyone find your friends that are infected and if you're lucky find the person that started this whole mess.. Have fun!!!

If you can't tell the EXACT person that sent you the virus, you should still be able to tell the ISP that was used. If you only have the ISP info, then you may want to try emailing the abuse and postmaster accounts of the ISP and ask for their help. REMEMBER: Be nice. They may get hundreds of these a day. If you are rude, they may not be as willing to go the extra mile for you. 'You catch more flies with honey, than you do with vinegar'.



from http://www.sexyfun.net/index.shtml

archive material to security
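
The backtracking walk-through above, as an added Python example that is not part of the original post or of sexyfun.net. The sample message is constructed from the post's altered header (placeholder recipient address, IDENT token left out), and the function and field names are illustrative assumptions.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the altered header in the post. The recipient
# address is a placeholder and the IDENT token is left out.
RAW = """\
Return-Path: <>
Received: from emerald.somedomain.abc (emerald.somedomain.abc [10.46.57.20])
    by nullspace.neonova.net (8.9.3/8.9.3) with ESMTP id HAA25532
    for <recipient@example.invalid>; Fri, 15 Dec 2000 07:12:20 -0500
Received: from zano (bar-pm3-1-11.somedomain.abc [10.145.183.26])
    by emerald.somedomain.abc (Pro-8.9.3/Pro-8.9.3) with SMTP id GAA28296
    for <recipient@example.invalid>; Fri, 15 Dec 2000 06:12:01 -0600
Date: Fri, 15 Dec 2000 06:12:01 -0600
From: Hahaha
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0

(body)
"""

# "from <name the sender claimed> (<reverse DNS> [<IP>]) by <receiving server>"
HOP = re.compile(r"from (\S+) \((?:(\S+) )?\[([\d.]+)\]\) by (\S+)")

def trace_hops(raw):
    """Return the relay hops oldest first (servers prepend, so reverse)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue                            # unknown layout: skip, do not guess
        claimed, rdns, ip, by = m.groups()
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append({"claimed": claimed, "rdns": rdns, "ip": ip, "by": by, "when": when})
    return hops[::-1]

def chain_breaks(hops):
    """Hand-offs where the server that took the mail is not the next sender."""
    return [(a["by"], b["claimed"]) for a, b in zip(hops, hops[1:])
            if a["by"].lower() not in (b["claimed"].lower(), (b["rdns"] or "").lower())]

def abuse_report_fields(raw):
    """The three items the post says to send the ISP, with the time in UTC."""
    first = trace_hops(raw)[0]
    return {"host": first["rdns"], "ip": first["ip"],
            "seen_utc": first["when"].astimezone(timezone.utc).isoformat()}
```

The name after `from` ("zano" here) is whatever the sending machine announced, while the bracketed IP is what the receiving server recorded for the connection. Received lines that sit below the first server you trust were supplied by the sender and can be forged, so a non-empty `chain_breaks` result is a reason to rely only on the hops your own provider added.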
