Email Tracing - PowerPoint PPT Presentation

Slides: 33
Provided by: thomass155
Learn more at: http://www.cse.scu.edu


1
Email Tracing
  • Computer Forensics 252

© Thomas Schwarz, S.J. 2006
2
Email Investigations Overview
  • Email has become a primary means of
    communication.
  • Email can easily be forged.
  • Email can be abused
  • Spam
  • Aid in committing a crime
  • Threatening email.

3
Email Investigations Overview
  • Email evidence
  • Is in the email itself
  • Header
  • Contents
  • In logs
  • Left behind as the email travels from sender to
    recipient.
  • Law enforcement uses subpoenas to follow the
    trace.
  • System admins have some logs under their control.
  • Notice: all fake mailing that you will be learning
    can be easily traced.

4
Email Fundamentals
  • Email travels from originating computer to the
    receiving computer through email servers.
  • All email servers add to the header.
  • Use important internet services to interpret and
    verify data in a header.

5
Email Fundamentals
  • Typical path of an email message

[Diagram: Client → Mail Server → Mail Server → Mail Server → Client]
6
Email Fundamentals: Important Services
  • Verification of IP addresses
  • Regional Internet Registry
  • APNIC (Asia Pacific Network Information Centre).
  • ARIN (American Registry of Internet Numbers).
  • LACNIC (Latin American and Caribbean IP Address
    Regional Registry).
  • RIPE NCC (Réseaux IP Européens Network
    Coordination Centre).
  • Whois
  • www.samspade.org
  • Numerous other websites.

My Favorite.
7
Email Fundamentals Important Services
  • Domain Name System (DNS) translates between
    domain names and IP addresses.
  • Name to address lookup
  • Parses HOSTS file.
  • Asks local nameserver
  • Local nameserver contacts nameserver responsible
    for domain.
  • If necessary, contact root nameserver.
  • Remote nameserver sends data back to local
    nameserver.
  • Local nameserver caches info and informs client.
  • HOSTS files can be altered.
  • You can use this as a low-tech tool to block
    pop-ups.
  • Local nameservers can/could be tricked into
    accepting unsolicited data to be cached.
  • Hilary for Senate case.

8
Email Fundamentals Important Services
  • Domain Name System (DNS) translates between
    domain names and IP addresses.
  • MX records in the DNS database specify a host's
    or domain's mail exchanger.
  • There can be multiple MX records, each with a
    priority attached.
  • Email to user@scu.edu will then be sent to
    user@cse.scu.edu.
  • If that site is down, then it will be sent to
    user@mailhost.soe.ucsc.edu.
  • The mailer at both sites also needs to be set up
    to accept the messages.

MX 10 cse
MX 100 mailhost.soe.ucsc.edu
9
Email Fundamentals
  • IP-Addressing Fundamentals
  • IP Version 4 is slowly being replaced by IP Version 6.
  • IPv4: 4 decimal numbers between 0 and 255.
  • IPv6: 8 hexadecimal numbers between 0x0000 and 0xffff.
  • Static / dynamic addresses
  • Dynamic addresses are assigned by DHCP within a local
    domain (with the same leading portion of the IP address).

10
Email Fundamentals Important Services
  • Many organizations use Network Address
    Translation.
  • NAT boxes have a single visible IP.
  • Incoming IP packets are analyzed according to
    address and port number.
  • Forwarded to the interior network with an internal
    IP address.
  • Typically in the private use ranges:
  • 10.0.0.0 - 10.255.255.255
  • 172.16.0.0 - 172.31.255.255
  • 192.168.0.0 - 192.168.255.255
  • Private use addresses are not valid addresses
    externally.

11
Email Protocols
  • Email programs such as Outlook or GroupWise are
    client applications.
  • They need to interact with an email server:
  • Post Office Protocol (POP)
  • Internet Message Access Protocol (IMAP)
  • Microsoft's Mail API (MAPI)
  • Web-based email uses a web page as an interface
    to an email server.

12
Email Protocols
  • A mail server stores incoming mail and
    distributes it to the appropriate mail box.
  • Behavior afterwards depends on type of protocol.
  • Accordingly, the investigation needs to be done at
    the server or at the workstation.

13
Email Protocols
14
Email Protocols SMTP
  • Neither IMAP nor POP is involved in relaying
    messages between servers.
  • Simple Mail Transfer Protocol (SMTP)
  • Easy.
  • Has several additions.
  • Can be spoofed:
  • By using an unsecured or under-secured email
    server.
  • By setting up your own SMTP server.

15
Email Protocols SMTP: How to spoof email
  • telnet endor.engr.scu.edu 25
  • 220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 14:58:49 -0800
  • helo 129.210.16.8
  • 250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu [129.210.19.198], pleased to meet you
  • mail from: jholliday@engr.scu.edu
  • 250 2.1.0 jholliday@engr.scu.edu... Sender ok
  • rcpt to: tschwarz@scu.edu
  • 250 2.1.5 tschwarz@scu.edu... Recipient ok
  • data
  • 354 Enter mail, end with "." on a line by itself
  • This is a spoofed message.
  • .
  • 250 2.0.0 jBSMwnTd023057 Message accepted for delivery
  • quit
  • 221 2.0.0 endor.engr.scu.edu closing connection

16
Email Protocols SMTP
Return-path: <jholliday@engr.scu.edu>
Received: from MGW2.scu.edu [129.210.251.18] by gwcl-22.scu.edu;
    Wed, 28 Dec 2005 15:00:29 -0800
Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by MGW2.scu.edu
    (Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066443608@MGW2.scu.edu>
    for <tjschwarz@scu.edu>; Wed, 28 Dec 2005 15:00:29 -0800
X-Modus-BlackList: 129.210.16.1=OK;jholliday@engr.scu.edu=OK
X-Modus-Trusted: 129.210.16.1=NO
Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34])
    by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057
    for tjschwarz@scu.edu; Wed, 28 Dec 2005 15:00:54 -0800
Date: Wed, 28 Dec 2005 14:58:49 -0800
From: JoAnne Holliday <jholliday@engr.scu.edu>
Message-Id: <200512282300.jBSMwnTd023057@endor.engr.scu.edu>

this is a spoofed message.
This looks very convincing. The only hint is the bottom Received
line, which gives the name of my machine. If I were to use a
machine without a fixed IP, you could still determine who held
the DHCP address from the DHCP logs.
17
Email Protocols SMTP: How to spoof email
  • Endor will only relay messages from machines that
    have properly authenticated themselves within the
    last five minutes.
  • Subject lines etc. are part of the data segment.
    However, any misspelling will put them into the
    body of the message.

18
Email Protocols SMTP: How to spoof email
  • telnet endor.engr.scu.edu 25
  • 220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 15:36:13 -0800
  • mail from: plocatelli@scu.edu
  • 250 2.1.0 plocatelli@scu.edu... Sender ok
  • rcpt to: tschwarz@scu.edu
  • 250 2.1.5 tschwarz@scu.edu... Recipient ok
  • data
  • 354 Enter mail, end with "." on a line by itself
  • Date: 23 Dec 05 11:22:33
  • From: plocatelli@scu.edu
  • To: tschwarz@scu.edu
  • Subject: Congrats
  • You are hrby appointed the next president of
    Santa Clara University, effectively immediately.
  • Best, Paul
  • .

19
Email Protocols SMTP: How to spoof email
20
Email Protocols SMTP
  • Things are even easier with Windows XP.
  • Turn on the SMTP service that each WinXP machine
    runs.
  • Create a file that follows the SMTP protocol.
  • Place the file in Inetpub/mailroot/Pickup

21
Email Protocols SMTP
The file placed in the Pickup directory:

To: tschwarz@engr.scu.edu
From: HolyFather@vatican.va

This is a spoofed message.

The message as it arrived:

From HolyFather@vatican.va Tue Dec 23 17:25:50 2003
Return-Path: <HolyFather@vatican.va>
Received: from Xavier (dhcp-19-226.engr.scu.edu [129.210.19.226])
    by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244
    for <tschwarz@engr.scu.edu>; Tue, 23 Dec 2003 17:25:50 -0800
Received: from mail pickup service by Xavier with Microsoft SMTPSVC;
    Tue, 23 Dec 2003 17:25:33 -0800
To: tschwarz@engr.scu.edu
From: HolyFather@vatican.va
Message-ID: <XAVIERZRTHEQXHcJcKJ00000001@Xavier>
X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9BC]
Date: 23 Dec 2003 17:25:33 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on server4.engr.scu.edu
X-Spam-Level:
X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no version=2.60-rc3

This is a spoofed message.
22
Email Protocols SMTP
  • SMTP Headers
  • Each mail-server adds to headers.
  • Additions are being made at the top of the list.
  • Therefore, read the header from the bottom.
  • To read headers, you usually have to enable them
    in your mail client.

23
SMTP Headers
  • To enable headers:
  • Eudora
  • Use the Blah Blah Blah button
  • Hotmail
  • Options → Preferences → Message Headers.
  • Juno
  • Options → Show Headers
  • MS Outlook
  • Select message and go to options.
  • Yahoo!
  • Mail Options → General Preferences → Show all
    headers.
  • Groupwise
  • Message itself is attached to each email. You
    need to look at it.

24
SMTP Headers
  • Headers consist of header fields:
  • Originator fields
  • From, Sender, Reply-To
  • Destination address fields
  • To, Cc, Bcc
  • Identification fields
  • The Message-ID field is optional, but extremely
    important for tracing emails through email server
    logs.
  • Informational fields
  • Subject, Comments, Keywords
  • Resent fields
  • Resent fields are strictly speaking optional, but
    luckily, most servers add them.
  • Resent-Date, Resent-From, Resent-Sender,
    Resent-To, Resent-Cc, Resent-Bcc, Resent-Msg-Id

25
SMTP Headers
  • Trace Fields
  • Core of email tracing.
  • Regulated in RFC 2821.
  • When a SMTP server receives a message for
    delivery or forwarding, it MUST insert trace
    information at the beginning of the header.

26
SMTP Headers
  • The FROM field, which must be supplied in an SMTP
    environment, should contain both (1) the name of
    the source host as presented in the EHLO command
    and (2) an address literal containing the IP
    address of the source, determined from the TCP
    connection.
  • The ID field may contain an "@" as suggested in
    RFC 822, but this is not required.
  • The FOR field MAY contain a list of <path>
    entries when multiple RCPT commands have been
    given.
  • A server making a final delivery inserts a
    return-path line.

27
SMTP Header
  • Spotting spoofed messages
  • Contents usually give a hint.
  • Each SMTP server application adds a different set
    of headers or structures them in a different way.
  • A good investigator knows these formats.
  • Use internet services in order to verify header
    data.
  • However, some companies can outsource email or
    use internal IP addresses.
  • Look for breaks / discrepancies in the Received
    lines.

28
SMTP Header
  • Investigation of spoofed messages
  • Verify all IP addresses
  • Keeping in mind that some addresses might be
    internal addresses.
  • Make a time-line of events.
  • Change times to universal standard time.
  • Look for strange behavior.
  • Keep clock drift in mind.
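As an added example (not part of the slides), the Received chain of the spoofed message from slide 16 read from the bottom up and put through the checks of slides 27 and 28: each hop's HELO name against its reverse DNS and IP, a UTC timeline, private-use addresses, and breaks between hops. The sample header is copied from the slide; the checking logic is mine, not the course's.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address
# Constructed sample: the Received chain of the spoofed message on slide 16.
SPOOFED = """\
Received: from MGW2.scu.edu [129.210.251.18] by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800
Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by MGW2.scu.edu (Vircom SMTPRS 4.2.425.10)
  with ESMTP id <C0066443608@MGW2.scu.edu> for <tjschwarz@scu.edu>; Wed, 28 Dec 2005 15:00:29 -0800
Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34]) by endor.engr.scu.edu
  (8.13.5/8.13.5) with SMTP id jBSMwnTd023057 for tjschwarz@scu.edu; Wed, 28 Dec 2005 15:00:54 -0800
"""
# "from <HELO name> (<reverse DNS> [<ip>]) ... by <server>"; the parenthesised part is optional.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)")
def parse_hops(raw):
    """Return the Received hops in transit order: the header is read from the bottom up."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        value = " ".join(value.split())                       # unfold continuation lines
        m = HOP.search(value)
        if not m:
            continue
        head = value[:m.start("by")]                          # the 'from ...' clause only
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", head)
        comment = (m["comment"] or "").split()
        rdns = comment[0] if comment and comment[0] != "unverified" and comment[0][0] != "[" else None
        when = parsedate_to_datetime(value.rsplit(";", 1)[1]).astimezone(timezone.utc) if ";" in value else None
        hops.append({"helo": m["helo"], "rdns": rdns, "ip": ip and ip.group(1), "by": m["by"],
                     "time": when, "unverified": "unverified" in head})
    return hops

def check_chain(hops):
    """Slides 27/28: unverified hosts, name mismatches, private IPs, chain breaks, time running backwards."""
    findings = []
    for i, h in enumerate(hops, 1):
        if h["unverified"]:
            findings.append(f"hop {i}: {h['by']} could not verify the sending host {h['helo']}")
        if h["rdns"] and h["rdns"].lower() != h["helo"].lower():
            findings.append(f"hop {i}: HELO name {h['helo']} differs from reverse DNS {h['rdns']}")
        if h["ip"] and ip_address(h["ip"]).is_private:
            findings.append(f"hop {i}: {h['ip']} is a private-use address (internal relay or NAT)")
        if i > 1:
            prev = hops[i - 2]
            if prev["by"].lower() != h["helo"].lower():
                findings.append(f"hop {i}: chain break, {prev['by']} received it but {h['helo']} hands it on")
            if prev["time"] and h["time"] and h["time"] < prev["time"]:
                findings.append(f"hop {i}: stamped {int((prev['time'] - h['time']).total_seconds())}s "
                                "before the previous hop (clock drift or a forged line)")
    return findings
```

On the slide's own header this flags two things: MGW2 could not verify endor, and the MGW2 hop is stamped 25 seconds before the endor hop beneath it, the clock drift slide 28 warns about.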

29
Server Logs
  • E-mail logs usually identify email messages by
  • Account received
  • IP address from which they were sent.
  • Time and date (beware of clock drift)
  • IP addresses

30
Server Logs
  • Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: from=evil@evil.com, size=147, class=0, nrcpts=1, msgid=<200601010225.k012OV1i030597@endor.engr.scu.edu>, proto=SMTP, daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211]
  • Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865
  • Dec 31 18:26:15 endor spamd[28512]: spamd: setuid to tschwarz succeeded
  • Dec 31 18:26:15 endor spamd[28512]: spamd: processing message <200601010225.k012OV1i030597@endor.engr.scu.edu> for tschwarz:1875
  • Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2 seconds, 525 bytes.
  • Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 - MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42865,mid=<200601010225.k012OV1i030597@endor.engr.scu.edu>,autolearn=no
  • Dec 31 18:26:15 endor spamd[21352]: prefork: child states: II
  • Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: to=tschwarz@engr.scu.edu, delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent

Sample log entry at endor.
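As an added example (not the course's code), a parser for sendmail log lines like the ones above: it groups the records by queue id, pairs the "from=" envelope record with its "to=" deliveries, and follows a Message-ID taken from a header into the log as slide 24 suggests. The three log lines are copied from the slide; the spamd lines carry no envelope data and are skipped.

```python
import re

# Constructed sample: the sendmail lines of the endor maillog excerpt on slide 30.
MAILLOG = """\
Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: from=evil@evil.com, size=147, class=0, nrcpts=1, msgid=<200601010225.k012OV1i030597@endor.engr.scu.edu>, proto=SMTP, daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211]
Dec 31 18:26:15 endor spamd[28512]: spamd: processing message <200601010225.k012OV1i030597@endor.engr.scu.edu> for tschwarz:1875
Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: to=tschwarz@engr.scu.edu, delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
PAIR = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")   # key=value; an angle-bracketed value is taken whole

def parse_maillog(text):
    """Group sendmail records by queue id: one 'from=' envelope record plus one 'to=' record per delivery."""
    queue = {}
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue                                  # spamd and other daemons carry no envelope data
        fields = dict(PAIR.findall(m["rest"]))
        env = queue.setdefault(m["qid"], {"host": m["host"], "deliveries": []})
        if "from" in fields:                          # who handed the message in, and from which relay/IP
            relay = re.match(r"(?P<name>\S*)(?: \[(?P<ip>[\d.]+)\])?", fields.get("relay", ""))
            env.update(received=m["ts"], sender=fields["from"], msgid=fields.get("msgid"),
                       relay=relay["name"], relay_ip=relay["ip"])
        elif "to" in fields:                          # one record per recipient / delivery attempt
            env["deliveries"].append({"when": m["ts"], "to": fields["to"],
                                      "stat": fields.get("stat"), "delay": fields.get("delay")})
    return queue

def trace_message_id(queue, message_id):
    """Follow a Message-ID taken from a header into the log (slide 24): queue id, sender, relay, deliveries."""
    for qid, env in queue.items():
        if env.get("msgid") == message_id:
            # sendmail generates a Message-ID containing its own queue id when the client supplied none;
            # that is what SpamAssassin's MSGID_FROM_MTA_ID test on slide 30 fires on.
            return dict(env, qid=qid, mta_generated_msgid=qid in message_id)
    return None
```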
31
Server Logs
  • Many servers keep copies of emails.
  • Most servers purge logs.
  • Law-enforcement
  • Vast majority of companies are very cooperative.
  • Don't wait for the subpoena; instead give the system
    administrator a heads-up of a coming subpoena.
  • Company
  • Local sysadmin needs early warning.
  • Getting logs at other places can be dicey.

32
Unix Sendmail
  • Configuration files /etc/sendmail.cf and
    /etc/syslog.conf
  • Give the location of various logs and their rules.
  • maillog (often at /var/log/maillog)
  • Logs SMTP communications
  • Logs POP3 events
  • You can always use "locate .log" to find log
    files.