Thursday, May 3, 2007

How to Read Mail Internet Headers

We will take a look at Internet mail headers and learn how to read them (the best way to read them is from the bottom up: the bottom-most Received: line is the first hop the message took, the top-most is the last). This is useful for identifying a spoofed e-mail that came into your organization, and for getting the IP address the sender connected from so that it can be blocked, either on Exchange or, depending on your configuration, on your smart-host mail gateways.

First we need to spoof an e-mail. Here is an easy way to do it: go to my blog (assuming you are on it) and, under the Troubleshooting Links at the bottom, click on the mail relay testing tool. We can achieve the same result from the command line by talking SMTP to the mail gateway directly:

Telnet arcsmtp14.redcross.org 25

220 Donate blood today ESMTP Give blood and save lives today     (220 is the server greeting and means "ready"; the 250 codes that follow mean "OK")

Helo Spamkingdom.com     (HELO takes the name of the connecting host, not an address; most servers accept whatever you put here)

mail from:<oz@usa.redcross.org>     (the envelope sender; you could also put <>, the null reverse-path that bounce messages use)

250 2.1.0 MAIL ok

Rcpt to:<oz@usa.redcross.org>     (the envelope recipient)

250 2.0.0 Ok

Data     (the server answers with a 354 code and waits for the message: headers first, then a blank line, then the body)

Subject: Spoofing Practices

I am Spam King and I am about to spoof your e-mail address, blah blah blah

.     (a line containing a single period ends the message)

250 2.6.0 message received

Quit     (exit the telnet session)


Now we will learn to identify the spoofed e-mail and where it originated from. In the example I sent mail to oz@usa.redcross.org and claimed to be oz@usa.redcross.org, while sitting on a machine that has nothing to do with that domain. If the receiving mail server were performing reverse DNS (RDNS) and checking the connecting host against the claimed domain, it would go like this. The server I am talking to says: "Hi, oz@usa.redcross.org, let me find out where usa.redcross.org is really located." It asks its configured DNS server, which does the recursion on its behalf:

"Hey, the host at IP address X.Y.Z.E claims to be sending mail for usa.redcross.org. Which hosts are really registered for that domain, and what name does X.Y.Z.E resolve back to?"

The DNS server first asks a root server where usa.redcross.org is. The root server says: "We don't know, but we know where the .org servers are; here are their addresses, go and ask them." The DNS server then asks a .org server, which replies: "We don't know either, but here are the name servers that are authoritative for redcross.org." Finally the authoritative server for that zone answers: "Yes, I hold the registration for this domain, and its mail hosts are at A.B.C.D." The answers go back to the mail server, which now sees that X.Y.Z.E is not one of those hosts and that the reverse (PTR) lookup of X.Y.Z.E does not give a name under redcross.org either. It knows I am not who I claim to be and closes the connection. (This comparison of the connecting address against the senders a domain publishes in DNS is what SPF later formalized.)

If the mail server does not perform reverse DNS at all, you can claim to be the President of the United States, and the mail server will tell you

250 meaning Sure, Mr. President

Below are the mail headers I took from the e-mail I sent to myself. If you pay attention, the sender address is my e-mail address and the recipient address is the same:

From: oz@usa.redcross.org

To: oz@usa.redcross.org

In a perfect world, when a mail server accepts an SMTP connection it would do a reverse DNS lookup on the connecting address and compare the result with the domain the sender claims. Here is what the servers actually recorded:

Microsoft Mail Internet Headers Version 2.0

Received: from nhqdtcsmtp3.archq.ri.redcross.net ([10.160.9.234]) by EX1VS.archq.ri.redcross.net with Microsoft SMTPSVC(6.0.3790.1830);

                 Wed, 2 May 2007 15:40:05 -0400

Received: from arcsmtp14.redcross.org ([162.6.217.98]) by nhqdtcsmtp3.archq.ri.redcross.net with Microsoft SMTPSVC(6.0.3790.1830);

                 Wed, 2 May 2007 15:40:05 -0400

Received: from arcsmtp14.redcross.org (127.0.0.1) by arcsmtp14.redcross.org (MlfMTA v3.2r1b3) id h73jqu0171sp for <oz@usa.redcross.org>; Wed, 2 May 2007 15:34:07 -0400 (envelope-from
<oz@usa.redcross.org>)

Received: from box2 ([64.182.102.193])

                by arcsmtp14.redcross.org (SonicWALL 5.0.2.8439)

                with SMTP; Wed, 02 May 2007 15:34:07 -0400

Subject: Spoofing King Spam King

X-Mlf-Threat: nothreat

X-Mlf-Threat-Detailed: nothreat;none;none;rules_rules_Score=-1.16_Lang=1

X-Mlf-UniqueId: i200705021934070337302

From: oz@usa.redcross.org

Bcc:

Return-Path: oz@usa.redcross.org

Message-ID: <NHQDTCSMTP3XCH5n00z00007966@nhqdtcsmtp3.archq.ri.redcross.net>

X-OriginalArrivalTime: 02 May 2007 19:40:05.0105 (UTC) FILETIME=[AECD5E10:01C78CF1]

Date: 2 May 2007 15:40:05 -0400

Now look at the bottom-most Received: line, the first hop the message took (remember, read from the bottom up):

"Received: from box2 ([64.182.102.193]) by arcsmtp14.redcross.org (SonicWALL 5.0.2.8439)"

This line was stamped by arcsmtp14.redcross.org, our own gateway, so we can trust it: it records that a host calling itself "box2" connected from 64.182.102.193 and handed over a message claiming to be from oz@usa.redcross.org. The three Received: lines above it were all added by our own servers and only show the message moving through the organization. (Any Received: lines that appear below the one added by your own gateway could have been typed in by the sender together with the rest of the message, so never base a decision on them.) Now let's see whether 64.182.102.193 really represents the mail domain usa.redcross.org.

Go back to my blog and, in the right lower corner, click the link that says "ARIN Whois". In the search box enter the IP address 64.182.102.193, which claims to be sending on behalf of usa.redcross.org. Fair enough, the name servers for the network block come back as

NameServer: NS.CIHOST.COM

NameServer: NS2.CIHOST.COM

So obviously the block is not registered to usa.redcross.org, and 64.182.102.193 is the address to block on the gateway. Now you know you are dealing with a spoofed e-mail. One caveat: organizations do legitimately send mail through hosting providers and third-party gateways, so a netblock registered to someone else is a strong hint rather than proof; the conclusive check is whether the connecting address is one of the hosts the sender's domain publishes in DNS (its MX and SPF records).
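As an added example (my own code, not something from the original post), here is the same bottom-up reading done programmatically in Python. It walks the Received: chain, stops at the first hop that was stamped by one of our own relays but arrived from an address outside them, and then applies the reverse DNS check described above to that address. The message text is a constructed sample built from the headers shown above; the list of trusted relays is an assumption (the hosts that appear after "by" in those headers), and the PTR answers come from a constructed table so the script runs offline (swap in socket.gethostbyaddr for real lookups).

```python
"""Added example (not code from the original post): find the hop where a message entered our
mail system and check that hop's address against the domain the sender claims."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: the hops and addresses from the headers shown in the post, folded the
# way a mail client exports them; the rest of the message is shortened.
SAMPLE_MESSAGE = """\
Received: from nhqdtcsmtp3.archq.ri.redcross.net ([10.160.9.234]) by EX1VS.archq.ri.redcross.net with Microsoft SMTPSVC(6.0.3790.1830);
\tWed, 2 May 2007 15:40:05 -0400
Received: from arcsmtp14.redcross.org ([162.6.217.98]) by nhqdtcsmtp3.archq.ri.redcross.net with Microsoft SMTPSVC(6.0.3790.1830);
\tWed, 2 May 2007 15:40:05 -0400
Received: from arcsmtp14.redcross.org (127.0.0.1) by arcsmtp14.redcross.org (MlfMTA v3.2r1b3) id h73jqu0171sp for <oz@usa.redcross.org>; Wed, 2 May 2007 15:34:07 -0400 (envelope-from <oz@usa.redcross.org>)
Received: from box2 ([64.182.102.193])
\tby arcsmtp14.redcross.org (SonicWALL 5.0.2.8439)
\twith SMTP; Wed, 02 May 2007 15:34:07 -0400
Subject: Spoofing King Spam King
From: oz@usa.redcross.org
Return-Path: oz@usa.redcross.org

I am Spam King and I am about to spoof your e-mail address.
"""

# Assumption: the organisation's own relays (the hosts named after "by" above) and their address
# ranges. Only Received: lines stamped by these hosts are trusted; lines below them may be forged.
TRUSTED_HOSTS = {"ex1vs.archq.ri.redcross.net", "nhqdtcsmtp3.archq.ri.redcross.net",
                 "arcsmtp14.redcross.org"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "162.6.217.98/32")]

# "from <helo-name> ([ip]) by <host>", with or without the square brackets around the ip.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE)


def parse_received(raw_message):
    """Return the Received: hops in header order: the top of the message is the newest hop."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"helo": m.group("helo"), "ip": m.group("ip"), "by": m.group("by").lower()})
    return hops


def find_origin(raw_message):
    """Walk the chain newest-first (the post's bottom-up reading, in reverse). The first hop
    stamped by one of our relays but coming from outside them is where the message really
    entered. Stop as soon as a hop was stamped by a host we do not control."""
    for hop in parse_received(raw_message):
        if hop["by"] not in TRUSTED_HOSTS:
            return None
        addr = ipaddress.ip_address(hop["ip"])
        if hop["helo"].lower() not in TRUSTED_HOSTS and not any(addr in n for n in TRUSTED_NETS):
            return hop
    return None


def sender_domain(raw_message, header="From"):
    """Domain part of the address in the given header (From: or Return-Path:)."""
    msg = email.message_from_string(raw_message)
    address = parseaddr(msg.get(header, ""))[1]
    return address.rpartition("@")[2].lower() or None


def reverse_name_matches(ip, claimed_domain, lookup):
    """Reverse-resolve ip with lookup(ip) -> hostname and test whether that name lies in the
    claimed domain's zone (usa.redcross.org -> redcross.org). Returns (matches, hostname)."""
    try:
        name = lookup(ip).rstrip(".").lower()
    except OSError:
        return False, None  # no PTR record at all: nothing vouches for this address
    zone = ".".join(claimed_domain.lower().split(".")[-2:])
    return name == zone or name.endswith("." + zone), name


# Constructed stand-in for PTR answers (offline); for real lookups use socket.gethostbyaddr(ip)[0].
FAKE_PTR = {"162.6.217.98": "arcsmtp14.redcross.org"}


def fake_lookup(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record for %s" % ip)
    return FAKE_PTR[ip]


def analyze(raw_message, lookup=fake_lookup):
    """Where did the message enter, and does that host belong to the domain the sender claims?"""
    origin = find_origin(raw_message)
    claimed = sender_domain(raw_message)
    if origin is None:
        return {"claimed": claimed, "verdict": "no trustworthy Received: line found"}
    ok, name = reverse_name_matches(origin["ip"], claimed, lookup)
    return {"origin_ip": origin["ip"], "helo": origin["helo"], "stamped_by": origin["by"],
            "claimed": claimed, "ptr": name,
            "verdict": "plausible" if ok else "spoofed, or relayed through a third party"}


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_MESSAGE).items():
        print("%-11s %s" % (key, val))
```

Run as a script it reports origin_ip 64.182.102.193, helo box2, stamped_by arcsmtp14.redcross.org and a verdict of spoofed (there is no PTR answer for that address in the table, and the netblock is not Red Cross's). The walk deliberately stops at the first hop that was not stamped by one of our own relays: everything below that point in a real message was written by someone else and is exactly where a spammer would plant fake Received: lines.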

Best Regards

Oz Ozugurlu

2 comments:

Anonymous said...

Thanks Oz!
Now I can do some real damage :)
Just kiddin', this is very informative. I am a huge fan of your skills, dedication, and humor.
PS: Please be nice to your wife, or you will seek shelter soon

Oz Casey, Dedeal said...

I am happy to hear you found the post informative; I will let my wife know about your recommendation. I am sure she will be content to hear this (-: Thanks for taking the time to read my posts.
Best Regards
Oz