
| Subject: | RE: e-mail tracing |
|---|---|
| Date: | Tue, 31 Aug 2004 12:02:26 +0100 |
Try Sam Spade, there is an option to parse email headers and that gives you a trace of the email servers and origin. Used in conjunction with GeekTools Whois, you can find out lots of information. There are commercial tools made specifically for this, however I think Sam Spade is the best and it's free, as with GeekTools Whois.

Good Luck

steve mclaughlin | adventi it
T 0845 658 2080 | F 0131 623 7279
E stevenm@adventi.com | W www.adventi.com
(MCSE:Security, CCNA, Security+, A+, Network+, Server+)

-----Original Message-----
From: P S [mailto:seclistmail@hotmail.com]
Sent: 28 August 2004 15:27
To: security-basics@securityfocus.com
Subject: e-mail tracing

Hi,

I have been getting e-mails about confirming my credit card number and PIN at different banks and I decided to try to trace them back just to see where it is really coming from. At school in the network security class we learnt how e-mail goes through MTAs, and spammers can send e-mails through open mail servers, but we didn't go into details and of course they didn't give us any hands-on either. So I googled "reading e-mail headers" and went through lots of pages and learnt a lot, but I still have a few questions and I would really appreciate it if somebody could help me.

What I learnt is I have to read the headers from bottom to top, that's how it goes through the MTAs. Now I am reading these headers but the bottom "from" lines are confusing.
I will copy 3 of the headers here:

```
Received: from pmta04.mta.everyone.net (bigiplb-dsnat [172.16.0.19])
    by imta41.mta.everyone.net (Postfix) with ESMTP id 7547A50809
    for <xxxx@cbgb.net>; Sun, 22 Aug 2004 17:58:31 -0700 (PDT)
from 216.200.145.35 (61.149.215.9 [61.149.215.9])
    by pmta04.mta.everyone.net (EON-PMTA) with SMTP id 894D1584
    for <xxxx@cbgb.net>; Sun, 22 Aug 2004 17:58:31 -0700
from E39 (a222.53.141.148.oeo6.wsj.admin170@citibank.com [160.129.208.70])
    by mail67.k.yahoo.com (606.70.4q95/1.773.2) with SMTP id vvh21F66RMEpjz471;
    Mon, 23 Aug 2004 14:59:29 +0100
```

```
Received: from pmta11.mta.everyone.net (bigiplb-dsnat [172.16.0.19])
    by imta39.mta.everyone.net (Postfix) with ESMTP id EC06C4A619
    for <xxxx@cbgb.net>; Wed, 25 Aug 2004 13:25:59 -0700 (PDT)
from 216.200.145.35 (4.16.55.202 [4.16.55.202])
    by pmta11.mta.everyone.net (EON-PMTA) with SMTP id F1842D83
    for <xxxx@cbgb.net>; Wed, 25 Aug 2004 13:25:59 -0700
from 6.190.168.160 by 4.16.55.202; Wed, 25 Aug 2004 14:23:52 -0700
```

```
Received: from pmta08.mta.everyone.net (bigiplb-dsnat [172.16.0.19])
    by imta38.mta.everyone.net (Postfix) with ESMTP id 718FF4A636
    for <xxxx@cbgb.net>; Wed, 25 Aug 2004 12:13:39 -0700 (PDT)
from x1-6-00-08-0e-8a-58-75.k149.webspeed.dk (80.162.14.71 [80.162.14.71])
    by pmta08.mta.everyone.net (EON-PMTA) with SMTP id 16ED3FB9
    for <xxxx@cbgb.net>; Wed, 25 Aug 2004 12:13:39 -0700
from 30.34.132.240 by 80.162.14.71; Wed, 25 Aug 2004 16:09:33 -0400
```

The first one says it's coming from a222.53.141.148.oeo6.wsj.admin170@citibank.com and from this I think the IP address should be 148.141.53.222, but in brackets it says 160.129.208.70. After this the "received by" says it was sent through Yahoo's mail server. Now to me it looks like this field is fake, am I right? The second "from" field says 216.200.145.35 but the relaying mail server put in the real IP as 61.149.215.9. Is this the real spammer IP where the mail is really coming from? Same with the other two headers, it looks like the first (bottom) fields are fake.
Am I right when I think the spammer sent the mails from 4.16.55.202 and 80.162.14.71? Every answer and help will be really appreciated, thank you.

Peter