Tracing email
Headers

Return-path: <delebelgore08@hotmail.com>
Received: from mta23.srv.hcvlny.cv.net
 (mta23.srv.hcvlny.cv.net [167.206.5.184]) by mstr2.srv.hcvlny.cv.net
 (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005))
 with ESMTP id <0IQP000AVPO05S10@mstr2.srv.hcvlny.cv.net> for
 cmalinow@optonline.net; Tue, 29 Nov 2005 05:40:50 -0500 (EST)
Received: from hotmail.com (bay114-dav14.bay114.hotmail.com [65.54.169.86])
 by mta23.srv.hcvlny.cv.net
 (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005))
 with ESMTP id <0IQP00ADOPO0MBP2@mta23.srv.hcvlny.cv.net> for
 cmalinow@optonline.net (ORCPT cmalinow@optonline.net); Tue,
 29 Nov 2005 05:40:49 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue,
 29 Nov 2005 02:40:48 -0800
Received: from 212.100.250.216 by BAY114-DAV14.phx.gbl with DAV; Tue,
 29 Nov 2005 10:40:48 +0000
Date: Tue, 29 Nov 2005 11:47:47 +0100
From: Dele Belgore <delebelgore08@hotmail.com>
Subject: Dear Malinowski (Urgent/Confidential Request)
X-Originating-IP: [212.100.250.216]
X-Sender: delebelgore08@hotmail.com
Bcc:
Reply-to: Dele Belgore <deleandchambers@hotmail.com>
Message-id: <BAY114-DAV144ED0D969FB3B0E52C7CEBB4B0@phx.gbl>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4939.300
X-Mailer: Microsoft Outlook Express 5.50.4922.1500
Content-type: multipart/alternative;
 boundary="Boundary_(ID_PSl9uVHx8QZ3EPypzGbkVQ)"
X-Priority: 3
X-MSMail-priority: Normal
X-Originating-Email: [delebelgore08@hotmail.com]
Original-recipient: rfc822;cmalinow@optonline.net
X-OriginalArrivalTime: 29 Nov 2005 10:40:48.0512 (UTC)
 FILETIME=[5C60D800:01C5F4D1]
Checking IP addresses
• The IP address (and other header information) can be spoofed at any node the suspect controls; only the Received: lines added by servers beyond the suspect's reach can be trusted
• What information can still be recovered from an email despite spoofing attempts?
• What happens if a remailer or anonymizer is used?
IP address blocks (www.iana.org/assignments/ipv4-address-space)
• ARIN
  • 063.x.x.x thru 072.x.x.x
  • 199.x.x.x
  • 204.x.x.x thru 209.x.x.x
  • 216.x.x.x
• APNIC
  • 058.x.x.x thru 061.x.x.x
  • 202.x.x.x thru 203.x.x.x
  • 210.x.x.x thru 211.x.x.x
  • 218.x.x.x thru 222.x.x.x
• RIPE
  • 062.x.x.x
  • 081.x.x.x thru 088.x.x.x
  • 193.x.x.x thru 195.x.x.x
  • 212.x.x.x thru 213.x.x.x
  • 217.x.x.x
• LACNIC
  • 200.x.x.x thru 201.x.x.x
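Reading a Received: chain by hand is error-prone, so here is an added example (not part of the slides) that does the walk in Python: it parses the headers quoted on the Headers slide, lists the hops in the order the message actually travelled (bottom header first), picks out the originating IP, maps it to a registry using the /8 table from the IP address blocks slide, and reports two things a reviewer looks for: a Reply-to that differs from From, and a sender-supplied Date: that disagrees with the server timestamps. The header text is the slide's; the function names, the indicator choices and the trimmed header set are mine.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Header block quoted on the Headers slide (Bcc, MIME and X-MS* lines dropped for brevity).
SAMPLE_HEADERS = """\
Return-path: <delebelgore08@hotmail.com>
Received: from mta23.srv.hcvlny.cv.net (mta23.srv.hcvlny.cv.net [167.206.5.184])
 by mstr2.srv.hcvlny.cv.net (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005))
 with ESMTP id <0IQP000AVPO05S10@mstr2.srv.hcvlny.cv.net> for
 cmalinow@optonline.net; Tue, 29 Nov 2005 05:40:50 -0500 (EST)
Received: from hotmail.com (bay114-dav14.bay114.hotmail.com [65.54.169.86])
 by mta23.srv.hcvlny.cv.net
 (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005))
 with ESMTP id <0IQP00ADOPO0MBP2@mta23.srv.hcvlny.cv.net> for
 cmalinow@optonline.net (ORCPT cmalinow@optonline.net); Tue,
 29 Nov 2005 05:40:49 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue,
 29 Nov 2005 02:40:48 -0800
Received: from 212.100.250.216 by BAY114-DAV14.phx.gbl with DAV; Tue,
 29 Nov 2005 10:40:48 +0000
Date: Tue, 29 Nov 2005 11:47:47 +0100
From: Dele Belgore <delebelgore08@hotmail.com>
Subject: Dear Malinowski (Urgent/Confidential Request)
X-Originating-IP: [212.100.250.216]
Reply-to: Dele Belgore <deleandchambers@hotmail.com>
Message-id: <BAY114-DAV144ED0D969FB3B0E52C7CEBB4B0@phx.gbl>
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# /8 blocks per registry, copied from the IP address blocks slide (2005-era, illustrative only).
RIR_BLOCKS = {
    "ARIN": set(range(63, 73)) | {199} | set(range(204, 210)) | {216},
    "APNIC": set(range(58, 62)) | {202, 203, 210, 211} | set(range(218, 223)),
    "RIPE": {62} | set(range(81, 89)) | {193, 194, 195, 212, 213, 217},
    "LACNIC": {200, 201},
}


def rir_for(ip):
    """Registry for an IPv4 address by first octet, per the slide's table (None if unlisted)."""
    first = int(ip.split(".")[0])
    for rir, blocks in RIR_BLOCKS.items():
        if first in blocks:
            return rir
    return None


def parse_received(value):
    """Split one Received: header into its from-host, first IP, by-host and timestamp."""
    flat = re.sub(r"\s+", " ", value).strip()      # unfold continuation lines
    head, _, when = flat.rpartition(";")           # the timestamp follows the last ';'
    m_from = re.search(r"\bfrom (\S+)", head)
    m_by = re.search(r"\bby (\S+)", head)
    ips = IPV4.findall(head)
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": ips[0] if ips else None,
        "by": m_by.group(1) if m_by else None,
        "when": parsedate_to_datetime(re.sub(r"\([^)]*\)", "", when).strip()),
    }


def hop_chain(raw_headers):
    """Received: headers oldest-first, i.e. the order the message actually travelled."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def originating_ip(raw_headers):
    """IP of the earliest hop; falls back to X-Originating-IP if the first hop names none."""
    hops = hop_chain(raw_headers)
    if hops and hops[0]["ip"]:
        return hops[0]["ip"]
    msg = message_from_string(raw_headers)
    m = IPV4.search(msg.get("X-Originating-IP", ""))
    return m.group(0) if m else None


def indicators(raw_headers):
    """Origin, registry, Reply-to/From mismatch, transit time and sender clock skew."""
    msg = message_from_string(raw_headers)
    hops = hop_chain(raw_headers)
    origin = originating_ip(raw_headers)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-to", ""))[1]
    date_hdr = parsedate_to_datetime(msg["Date"])              # set by the sender's client
    skew = (date_hdr - hops[-1]["when"]).total_seconds()       # vs. final delivery stamp
    return {
        "origin_ip": origin,
        "origin_rir": rir_for(origin) if origin else None,
        "reply_to_differs": bool(reply_addr) and reply_addr != from_addr,
        "transit_seconds": (hops[-1]["when"] - hops[0]["when"]).total_seconds(),
        "date_skew_seconds": skew,
    }


if __name__ == "__main__":
    for hop in hop_chain(SAMPLE_HEADERS):
        print(f"{hop['when'].isoformat()}  {hop['ip'] or '-':16} {hop['from']} -> {hop['by']}")
    print(indicators(SAMPLE_HEADERS))
```

On this message the topmost Received: line, written by the recipient's own server mstr2.srv.hcvlny.cv.net, is the only one the recipient can vouch for; each line below it arrived as data from the previous hop. Here the lines Hotmail added and the X-Originating-IP header agree on 212.100.250.216, which the slide's table places in RIPE's space, the Reply-to points at a different mailbox than From, and the client-set Date: is about seven minutes later than the final server timestamp, so it cannot be relied on for timing.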
Domain Names
• Top-level domains (TLDs) are assigned by ICANN (Internet Corporation for Assigned Names and Numbers), which is also responsible for IANA
dig [@nameserver] hostname [record type]
• Looks up the hostname's records (its IP address by default) at the given name server

tower:~$ dig @ns.adnc.com FreeSoft.org mx
; <<>> DiG 2.1 <<>> @ns.adnc.com FreeSoft.org mx
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd ra; Ques: 1, Ans: 1, Auth: 2, Addit: 2
;; QUESTIONS:
;;      FreeSoft.org, type = MX, class = IN

;; ANSWERS:
FreeSoft.org.   86400   MX      100 mail.adnc.com.

;; AUTHORITY RECORDS:
FreeSoft.org.   86400   NS      ns.adnc.com.
FreeSoft.org.   86400   NS      ns2.adnc.com.

;; ADDITIONAL RECORDS:
ns.adnc.com.    86400   A       205.216.138.22
ns2.adnc.com.   86400   A       205.216.138.24

;; Total query time: 464 msec
;; FROM: tower to SERVER: ns.adnc.com 205.216.138.22
;; WHEN: Tue Mar 19 20:31:58 1996
;; MSG SIZE sent: 30 rcvd: 126

$ dig @ns.adnc.com mail.adnc.com
; <<>> DiG 2.1 <<>> @ns.adnc.com mail.adnc.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd ra; Ques: 1, Ans: 2, Auth: 3, Addit: 3
;; QUESTIONS:
;;      mail.adnc.com, type = A, class = IN

;; ANSWERS:
mail.adnc.com.  86400   CNAME   gemini.adnc.com.
gemini.adnc.com. 86400  A       205.216.138.22

% dig +short mail.adnc.com
205.216.138.22
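What dig is actually sending and receiving in the sessions above, as an added example that is not part of the slides: a Python script that builds the MX query for FreeSoft.org exactly as dig does (30 bytes, matching the "MSG SIZE sent: 30" line) and parses a reply. The reply bytes are constructed here to carry the same header flags, section counts and records the slide shows, including the label-compression pointers real servers use, so the decoded result lines up with dig's ANSWERS, AUTHORITY and ADDITIONAL sections. The byte layout follows RFC 1035; the function names and the constructed packet are mine, and the reply is shorter than the 126 bytes dig reported because the real server compressed more names.

```python
import struct

# RFC 1035 type codes for the record types that appear on the slides.
TYPE_NAME = {1: "A", 2: "NS", 5: "CNAME", 15: "MX"}
TYPE_CODE = {v: k for k, v in TYPE_NAME.items()}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, rtype, txid=10):
    """The datagram dig sends: 12-byte header with RD set, then one IN-class question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_CODE[rtype], 1)


def read_name(msg, off):
    """Decode the name at msg[off], following compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: pointer to an earlier name
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2   # resume after the first pointer only
            off = target
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def read_rr(msg, off):
    """Decode one resource record into (owner, ttl, type, value) plus the next offset."""
    owner, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 1:                                      # A: four raw octets
        value = ".".join(str(b) for b in msg[off:off + 4])
    elif rtype in (2, 5):                               # NS / CNAME: a (possibly compressed) name
        value = read_name(msg, off)[0]
    elif rtype == 15:                                   # MX: 16-bit preference, then a name
        value = f"{struct.unpack('!H', msg[off:off + 2])[0]} {read_name(msg, off + 2)[0]}"
    else:
        value = msg[off:off + rdlen].hex()
    return (owner, ttl, TYPE_NAME.get(rtype, str(rtype)), value), off + rdlen


def parse_response(msg):
    """Header id/flags/rcode plus the question, answer, authority and additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    names = [n for n, bit in (("qr", 15), ("aa", 10), ("tc", 9), ("rd", 8), ("ra", 7))
             if flags >> bit & 1]
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        questions.append((qname, TYPE_NAME.get(qtype, str(qtype))))
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        sections[sec] = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            sections[sec].append(rr)
    return {"id": txid, "flags": names, "rcode": flags & 0xF, "questions": questions, **sections}


def short(parsed):
    """What `dig +short` prints: only the answer-section values."""
    return [rr[3] for rr in parsed["answer"]]


def _rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


QNAME = b"\xc0\x0c"  # compression pointer to the question name at offset 12

# Constructed reply to `dig @ns.adnc.com FreeSoft.org mx`: id 10, flags qr aa rd ra,
# 1 question / 1 answer / 2 authority / 2 additional, carrying the records the slide shows.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 10, 0x8580, 1, 1, 2, 2)
    + encode_name("FreeSoft.org") + struct.pack("!HH", 15, 1)
    + _rr(QNAME, 15, 86400, struct.pack("!H", 100) + encode_name("mail.adnc.com"))
    + _rr(QNAME, 2, 86400, encode_name("ns.adnc.com"))
    + _rr(QNAME, 2, 86400, encode_name("ns2.adnc.com"))
    + _rr(encode_name("ns.adnc.com"), 1, 86400, bytes([205, 216, 138, 22]))
    + _rr(encode_name("ns2.adnc.com"), 1, 86400, bytes([205, 216, 138, 24]))
)

if __name__ == "__main__":
    print(len(build_query("FreeSoft.org", "MX")), "bytes sent")
    for key, val in parse_response(SAMPLE_RESPONSE).items():
        print(key, val)
```

The decoded flags list is the same "qr aa rd ra" dig prints: the server answered (qr), it is authoritative for the zone (aa), recursion was requested (rd) and is available (ra). When tracing mail, the records of interest are the A answers for each hostname a Received: line claims, which can then be compared with the bracketed IP on that same line.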
whois
• http://www.networksolutions.com/en_US/whois/index.html
• http://verisign-grs.com/cgi-bin/whois
• http://www.easywhois.com
traceroute
• www.wvi.com/cgi-bin/trace