Author Topic: debunking message headers  (Read 1253 times)

Master of Reality

  • VIP
  • Member
  • ***
  • Posts: 4,249
  • Kudos: 177
    • http://www.bobhub.tk
debunking message headers
« on: 12 August 2002, 05:41 »
i want to know what all the info in an email message header is. Is there any good pages or can anyone tell me?
I wanna figure out where exactly some emails with windoze viru came from.
Disorder | Rating
Paranoid: Moderate
Schizoid: Moderate
Linux User #283518
'It takes more than a self-inflicted gunshot wound to the head to stop Bob'

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
debunking message headers
« Reply #1 on: 12 August 2002, 06:25 »
Look at the header, there will be a "Received:" line.  The first IP address you see in that line (in brackets "[]") is the important part. Ignore any host name associated with that address as it could be forged (and so can the "From:" address obviously).  Now do an "nslookup <ip address>" and get the mail server name that it came from.  The domain associated with that address should give a clue as to who sent the email with a virus.  

Usually when you get an email from someone with a virus attached it will be from someone you know (your name is in their address book).  Now who do you know with an email address from that domain?  Of course an email server can serve many domains so it's not 100% accurate.  And if you know several people with email addresses from that domain it could be any one of them.  The only way you can pin it to one specific person is to contact the owner of the email server and have them trace their logs.  Good luck.

Of course I have my email servers set up to block any message with attachments that have an extention of "*.exe, *.pif, *.bat, *.com, *.lnk, *.scr, etc, etc, etc, etc, etc".  So I (or any other people that use my servers can't get messages with viruses). The message is just bounced back to the sender with a custom message explaining why I do not accept messages containing such attachments.

[ August 11, 2002: Message edited by: VoidMain ]

Someone please remove this account. Thanks...

Master of Reality

  • VIP
  • Member
  • ***
  • Posts: 4,249
  • Kudos: 177
    • http://www.bobhub.tk
debunking message headers
« Reply #2 on: 12 August 2002, 07:12 »
http://www.stopspam.org/email/headers/headers.html
here is a good page about mail headers.
Disorder | Rating
Paranoid: Moderate
Schizoid: Moderate
Linux User #283518
'It takes more than a self-inflicted gunshot wound to the head to stop Bob'

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
debunking message headers
« Reply #3 on: 14 August 2002, 21:34 »
As long as you understand that the "From:" address is easily spoofed, and the host names in the "Received:" is also easily spoofed.  You can only trust the IP address  in the "Received:" ([xxx.xxx.xxx.xxx]) which makes it nearly impossible to track it to a specific sender without getting the owner of said IP address involved.  That IP address is the IP address of the SMTP server that the user sent the message through, not their home address.

[ August 14, 2002: Message edited by: VoidMain ]

Someone please remove this account. Thanks...