Email tracing
1 / 27

Email Tracing - PowerPoint PPT Presentation

  • Uploaded on

Email Tracing. Computer Forensics 152 / 252. Email Investigations: Overview. Email has become a primary means of communication. Email can easily be forged. Email can be abused Spam Aid in committing a crime … Threatening email, …. Email Investigations: Overview. Email evidence:

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Email Tracing' - lance

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Email tracing

Email Tracing

Computer Forensics 152 / 252

Email investigations overview
Email Investigations: Overview

  • Email has become a primary means of communication.

  • Email can easily be forged.

  • Email can be abused

    • Spam

    • Aid in committing a crime …

    • Threatening email, …

Email investigations overview1
Email Investigations: Overview

  • Email evidence:

    • Is in the email itself (header)

    • Left behind as the email travels from sender to recipient.

      • Contained in the various logs.

        • Law enforcement can use subpoenas

        • System ads have some logs.

Email fundamentals
Email Fundamentals

  • Email travels from originating computer to the receiving computer through email servers.

  • All email servers add to the header.

  • Use important internet services to interpret and verify data in a header.

Email fundamentals1
Email Fundamentals

  • Typical path of an email message:

Mail Server


Mail Server


Mail Server

Email fundamentals important services
Email Fundamentals:Important Services

  • Verification of IP addresses:

    • Regional Internet Registry

      • APNIC (Asia Pacific Network Information Centre).

      • ARIN (American Registry of Internet Numbers).

      • LACNIC Latin American and Caribbean IP address Regional Registry.

      • RIPE NCC (Réseau IP Européens Network Coordination Centre).

  • Whois


  • Numerous other websites.

  • My Favorite.

    Email fundamentals important services1
    Email Fundamentals: Important Services

    • Domain Name System (DNS) translates between domain names and IP address.

      • Name to address lookup:

        • Parses HOSTS file.

        • Asks local nameserver

        • Local nameserver contacts nameserver responsible for domain.

        • If necessary, contact root nameserver.

        • Remote nameserver sends data back to local nameserver.

        • Local nameserver caches info and informs client.

      • HOSTS files can be altered.

        • You can use this as a low-tech tool to block pop-ups.

      • Local nameservers can/could be tricked into accepting unsolicited data to be cached.

        • “Hilary for Senate” – case.

    Email fundamentals2
    Email Fundamentals

    • IP-Addressing

    • IP Version 4 is slowly replaced by IP Version 6.

      • IPv4: 4 digital numbers between 0 and 255.

      • IPv6: 8 digital numbers between 0000 and 0xffff.

    • Static / dynamic addresses

      • Dynamic addresses assigned by DHCP within a local domain (with same leading portion of IP address).

    Email fundamentals important services2
    Email Fundamentals: Important Services

    • Many organizations use Network Address Translation.

      • NAT boxes have a single visible IP.

      • Incoming I-packet analyzed according to address and port number.

      • Forwarded to interior network with an internal IP address.

      • Typically in the private use area:

        • –

        • –


      • Private use addresses are never used externally.

    Email protocols
    Email Protocols:

    • Email program such as outlook is a client application.

    • Needs to interact with an email server:

      • Post Office Protocol (POP)

      • Internet Message Access Protocol (IMAP)

      • Microsoft’s Mail API (MAPI)

    Email protocols1
    Email Protocols:

    • A mail server stores incoming mail and distributes it to the appropriate mail box.

    • Behavior afterwards depends on type of protocol.

    • Accordingly, investigation needs to be done at server or at the workstation.

    Email protocols smtp
    Email Protocols: SMTP

    • Neither IMAP or POP are involved relaying messages between servers.

    • Simple Mail Transfer Protocol: SMTP

      • Easy, but can be spoofed easily.

    Email protocols smtp1
    Email Protocols: SMTP

    How to spoof email:

    telnet 25

    220 ESMTP Sendmail 8.12.10/8.12.10; Tue, 23 Dec 2003 16:32:07 -0800 (PST)


    250 Hello [], pleased to meet you

    mail from: [email protected]

    250 2.1.0 [email protected] Sender ok

    rcpt to: tschwarz

    250 2.1.5 tschwarz... Recipient ok


    354 Enter mail, end with "." on a line by itself

    This is a spoofed message.


    250 2.0.0 hBO0W76P002752 Message accepted for delivery


    221 2.0.0 closing connection

    Email protocols smtp2
    Email Protocols: SMTP

    From [email protected] Tue Dec 23 16:44:55 2003

    Return-Path: <[email protected]>

    Received: from ([email protected] [])

    by (8.12.10/8.12.10) with ESMTP id hBO0itpv008140

    for <[email protected]>; Tue, 23 Dec 2003 16:44:55 -0800

    From: JoAnne Holliday <[email protected]>

    Received: from ( [])

    by (8.12.10/8.12.10) with SMTP id hBO0W76P002752

    for tschwarz; Tue, 23 Dec 2003 16:41:55 -0800 (PST)

    Date: Tue, 23 Dec 2003 16:32:07 -0800 (PST)

    Message-Id: <[email protected]>

    X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on


    X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=ham version=2.60-r


    This is a spoofed message.

    This looks very convincing.

    Only hint: received line gives the name of my machine, defaulting to dhcp-19-198.

    The DHCP server logs might tell you what machine this is, given the time. But you need to know the clock drift at the various machines.

    Email protocols smtp3
    Email Protocols: SMTP

    • Things are even easier with Windows XP.

      • Turn on the SMTP service that each WinXP machine runs.

      • Create a file that follows the SMTP protocol.

      • Place the file in Inetpub/mailroot/Pickup

    Email protocols smtp4
    Email Protocols: SMTP

    To: [email protected]

    From: [email protected]

    This is a spoofed message.

    From [email protected] Tue Dec 23 17:25:50 2003

    Return-Path: <[email protected]>

    Received: from Xavier ( [])

    by (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244

    for <[email protected]>; Tue, 23 Dec 2003 17:25:50 -0800

    Received: from mail pickup service by Xavier with Microsoft SMTPSVC;

    Tue, 23 Dec 2003 17:25:33 -0800

    To: [email protected]

    From: [email protected]

    Message-ID: <[email protected]>

    X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9


    Date: 23 Dec 2003 17:25:33 -0800

    X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on


    X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no


    This is a spoofed message.

    Email protocols smtp5
    Email Protocols: SMTP

    • SMTP Headers:

      • Each mail-server adds to headers.

      • Additions are being made at the top of the list.

        • Therefore, read the header from the bottom.

    • To read headers, you usually have to enable them.

    Smtp headers
    SMTP Headers

    To enable headers:

    • Eudora:

      • Use the Blah Blah Blah button

    • Hotmail:

      • Options  Preferences  Message Headers.

    • Juno:

      • Options  Show Headers

    • MS Outlook:

      • Select message and go to options.

    • Yahoo!:

      • Mail Options  General Preferences  Show all headers.

    Smtp headers1
    SMTP Headers

    • Headers consists of header fields

      • Originator fields

        • from, sender, reply-to

      • Destination address fields

        • To, cc, bcc

      • Identification Fields

        • Message-ID-field is optional, but extremely important for tracing emails through email server logs.

      • Informational Fields

        • Subject, comments, keywords

      • Resent Fields

        • Resent fields are strictly speaking optional, but luckily, most servers add them.

        • Resent-date, resent-from, resent-sender, resent-to, resent-cc, resent-bcc, resent-msg-id

    Smtp headers2
    SMTP Headers

    • Trace Fields

      • Core of email tracing.

      • Regulated in RFC2821.

      • When a SMTP server receives a message for delivery or forwarding, it MUST insert trace information at the beginning of the header.

    Smtp headers3
    SMTP Headers

    • The FROM field, which must be supplied in an SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection.

    • The ID field may contain an "@" as suggested in RFC 822, but this is not required.

    • The FOR field MAY contain a list of <path> entries when multiple RCPT commands have been given.

    • A server making a final delivery inserts a return-path line.

    Smtp header
    SMTP Header

    • Spotting spoofed messages

      • Contents usually gives a hint.

      • Each SMTP server application adds a different set of headers or structures them in a different way.

        • A good investigator knows these formats.

      • Use internet services in order to verify header data.

        • However, some companies can outsource email or use internal IP addresses.

      • Look for breaks / discrepancies in the “Received” lines.

    Smtp header1
    SMTP Header

    • Investigation of spoofed messages

      • Verify all IP addresses

        • Keeping in mind that some addresses might be internal addresses.

      • Make a time-line of events.

        • Change times to universal standard time.

        • Look for strange behavior.

        • Keep clock drift in mind.

    Server logs
    Server Logs

    • E-mail logs usually identify email messages by:

      • Account received

      • IP address from which they were sent.

      • Time and date (beware of clock drift)

      • IP addresses

    Server logs1
    Server Logs

    • Many servers keep copies of emails.

    • Most servers purge logs.

      • Law-enforcement:

        • Vast majority of companies are very cooperative.

        • Don’t wait for the subpoena, instead give system administrator a heads-up of a coming subpoena.

      • Company:

        • Local sys-ad needs early warning.

        • Getting logs at other places can be dicey.

    Unix sendmail
    Unix Sendmail

    • Configuration file /etc/ and /etc/syslog.conf

      • Gives location of various logs and their rules.

    • maillog (often at /var/log/maillog)

      • Logs SMTP communications

      • Logs POP3 events

    • You can always use: locate *.log to find log files.