In yesterday's example, I showed you how to trace an email back to its point of origin. I made it seem so easy that the questions came in asking, "If it's that simple, why can't you catch all those bad guys?" Well, the example yesterday was a bit unusual, and was obviously written by someone who either was very inexperienced and unschooled in the use of email headers, or didn't care who found the PC that sent the message (it wasn't her computer to begin with).
A skilled email fraudster isn't so glib about losing one of his OWNED systems, and generally uses a technique known as FORGED HEADERS to make the source impossible to trace.
Let's look at what a set of forged email headers might look like:
 From collegebabe@aol.com  Mon Jun 7 16:54:12 2003
Return-Path: collegebabe@aol.com
Received: from trademeca.co.kr (unknown [211.219.20.86])
by mail.someplace.com (Postfix) with SMTP id 2304964253A
for; Mon, 7 Jun 2004 16:54:10 -0500 (EST)
Received: from smtp0422.mail.yahoo.com (80.237.200.67)
by trademeca.co.kr (211.219.20.86) with [Nmail V3.1 20010905(S)]
for from ;
Thu, 3 Jun 2004 15:55:00 +0900
Date: Thu, 3 Jun 2004 11:34:52 GMT
From: "Pamela" collegebabe@aol.com
Subject: Hey buddie! What's going on?   
The Received: headers tell the real story of this poor forgery, but you have to examine several of them to truly understand the details. This particular e-mail is identifiable because it makes no sense for a person with an AOL account to use one of Yahoo's e-mail servers to relay e-mail through a server in the .kr top-level domain, which is Korea.
Furthermore, a DNS lookup failed to find smtp0422.mail.yahoo.com, so that host name doesn't exist. Even if it did, the IP address 80.237.200.67 belongs to a network in Germany, which I discovered by checking the online American Registry for Internet Numbers (ARIN) database. Chances are that collegebabe@aol.com had absolutely nothing to do with it.
LET'S TRY ANOTHER
Delivered-To: NUNYA@gmail.com
Received: by 10.14.53.6 with SMTP id f6cs241029eec;
Wed, 19 Jan 2011 17:25:50 -0800 (PST)
Return-Path:
Received-SPF: pass (google.com: domain of randomrights@gmail.com designates 10.150.54.8 as permitted sender) client-ip=10.150.54.8;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of randomrights@gmail.com designates 10.150.54.8 as permitted sender) smtp.mail=randomrights@gmail.com; dkim=pass header.i=randomrights@gmail.com
Received: from mr.google.com ([10.150.54.8])
by 10.150.54.8 with SMTP id c8mr1483694yba.350.1295486749756 (num_hops = 1);
Wed, 19 Jan 2011 17:25:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:date:message-id:subject:from:to
:content-type;
bh=HaPN8FFW++8MwYEugOSew94FjrPmlsWKi1gG+mbcHxU=;
b=Xtge1v5RQnC/y+CkvV/WLbXhqBoQp4xc1ozy+a0+qBjDcGDuqwkFrchmbs2UClLC3F
RXsfyCTauaL5V5Zu+Q9VASqqKGFB9nan2/wqYGFS0WEHEfDKGsBIAO2oeb4/UkSOuJs1
RikipehrxIS+Ep1yq0GwxqjAT/tr++wjXr8ww=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=DA3UCn1lbPa8czDANmPYLwzAa/TKfWJGuYUfIOyP056BpoLhA2Kme3kYwNgAtdll46
RU9sy/SR+bw9yctvG0ua0+qS6swO7HJ/5eqPAQboIWc6hYilCIxlenDFfnAxVfN3OjV2
myseLjasj0Zml3IoFwy9gQiJ1iXbX9GNoAU7k=
MIME-Version: 1.0
Received: by 10.150.54.8 with SMTP id c8mr1483694yba.350.1295486749743; Wed,
19 Jan 2011 17:25:49 -0800 (PST)
Received: by 10.147.125.13 with HTTP; Wed, 19 Jan 2011 17:25:49 -0800 (PST)
Date: Wed, 19 Jan 2011 20:25:49 -0500
Message-ID:
Subject: here goes.......
From: random
To: NUNYA@gmail.com
Content-Type: multipart/alternative; boundary=00151748df088799af049a3d036f
--00151748df088799af049a3d036f
Content-Type: text/plain; charset=ISO-8859-1
In this elaborately forged example, the person appears to be trying to include so much information that no one will want to drag through all of it to find the give-away. However, with only a cursory knowledge of internet communication protocols, you will immediately notice the impossibility of this being a legitimate message.
1. There are several RECEIVED BY: lines (10.150.54.8 and 10.147.125.13), but they don't follow protocol, because they don't have a corresponding FROM: clause.
2. NOTICE THAT EVERY IP ADDRESS LISTED IS IN THE CLASS "A" ADDRESS AREA 10.0.0.0
10.14.53.6
10.150.54.8
10.147.125.13
Addresses in this range are reserved for a special purpose. It may be perfectly legitimate for the recipient's address to be in this range, and in fact it's also possible for the sender to have a 10.0.0.0 address. But outside of your private network, a 10.0.0.0 address is not routable, and no legitimate SMTP SERVER will have a 10.0.0.0 address.
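Here is an added example (my own script, not something from the original post or from Sam Spade) that walks the Received: chain and applies the two checks described above: hops that carry a "by" clause with no "from", and hops whose addresses fall in the 10.0.0.0/8 range. It also pulls out each hop's "from" host, which is the value you would then feed to the DNS and ARIN lookups used on the first example. The header sample is constructed after the second example on this page.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers, modelled on the second set in the post:
# two hops carry a "by" clause with no "from", and every address is 10.x.
SAMPLE_HEADERS = """\
Received: by 10.14.53.6 with SMTP id f6cs241029eec;
        Wed, 19 Jan 2011 17:25:50 -0800 (PST)
Received: from mr.google.com ([10.150.54.8])
        by 10.150.54.8 with SMTP id c8mr1483694yba.350.1295486749756 (num_hops = 1);
        Wed, 19 Jan 2011 17:25:49 -0800 (PST)
Received: by 10.147.125.13 with HTTP; Wed, 19 Jan 2011 17:25:49 -0800 (PST)
To: NUNYA@gmail.com
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_CLAUSE = re.compile(r"^from\s+(\S+)", re.I)
BY_CLAUSE = re.compile(r"\bby\s+(\S+)", re.I)

def parse_received(raw_message):
    """One dict per Received: header, outermost (most recently added) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value).strip()  # unfold the header
        m_from = FROM_CLAUSE.match(value)
        m_by = BY_CLAUSE.search(value)
        hops.append({
            "from": m_from.group(1) if m_from else None,  # host for DNS/whois
            "by": m_by.group(1) if m_by else None,
            "ips": list(dict.fromkeys(IPV4.findall(value))),  # deduplicated
        })
    return hops

def audit_received(raw_message):
    """Return (hop index, reason, detail) tuples for a human to weigh up."""
    findings = []
    for idx, hop in enumerate(parse_received(raw_message)):
        if hop["from"] is None:
            findings.append((idx, "no 'from' clause", hop["by"]))
        for ip in hop["ips"]:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # dotted digits that are not a real address
            if addr.is_private:
                findings.append((idx, "private (RFC 1918) address", ip))
    return findings
```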
So, while these messages cannot be traced back to their source, at least you know that the message was sent by a person with intent to defraud you.
What's that you say? 
You don't have a degree in Computer Science? 
You have no idea what a CLASS "A" ADDRESS is? 
Before yesterday you never heard of EMAIL HEADERS?
Isn't there some little software program that will parse an email header for me?
Yes! You're in luck.
DOWNLOAD SAM SPADE 1.14
BE SAFE OUT THERE. THE INTERNET HAS A DARKSIDE.
4 comments:
This is very interesting. I have learned something new here. You should start a 101 type post like this once a week. Thanks!
I agree with Marnie. This is fascinating, as is your knowledge of such things, which I would like to see more posts on.
How do we work the Sam Spade, Kurt?
What would we do without you?
Very informative! :D