Stop Microsoft

Miscellaneous => Programming & Networking => Topic started by: Master of Reality on 12 August 2002, 05:41

Title: debunking message headers
Post by: Master of Reality on 12 August 2002, 05:41
I want to know what all the info in an email message header is. Are there any good pages, or can anyone tell me?
I wanna figure out where exactly some emails with windoze virus came from.
Title: debunking message headers
Post by: voidmain on 12 August 2002, 06:25
Look at the header, there will be a "Received:" line.  The first IP address you see in that line (in brackets "[]") is the important part. Ignore any host name associated with that address as it could be forged (and so can the "From:" address obviously).  Now do an "nslookup <ip address>" and get the mail server name that it came from.  The domain associated with that address should give a clue as to who sent the email with a virus.  

Usually when you get an email from someone with a virus attached it will be from someone you know (your name is in their address book).  Now who do you know with an email address from that domain?  Of course an email server can serve many domains so it's not 100% accurate.  And if you know several people with email addresses from that domain it could be any one of them.  The only way you can pin it to one specific person is to contact the owner of the email server and have them trace their logs.  Good luck.

Of course I have my email servers set up to block any message with attachments that have an extension of "*.exe, *.pif, *.bat, *.com, *.lnk, *.scr, etc, etc, etc, etc, etc".  So I (or any other people that use my servers) can't get messages with viruses. The message is just bounced back to the sender with a custom message explaining why I do not accept messages containing such attachments.

[ August 11, 2002: Message edited by: VoidMain ]
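
The attachment filter voidmain describes above, written out as an added example (this is not code from the thread or from his mail server). The extension list is the one in his post plus a couple of common additions, and the sample message is constructed here; both are assumptions for illustration.

```python
"""Reject mail whose attachments carry an executable-style extension.

Added example, not code from the original thread. The blocklist and the
sample message below are constructed for illustration.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions named in the post; ".vbs" and ".js" added as an assumption
# to stand in for the "etc, etc" in the original.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".bat", ".com", ".lnk", ".scr", ".vbs", ".js"}


def blocked_attachments(raw: bytes) -> list:
    """Return the filenames of attachments whose extension is blocked.

    Filenames are checked case-insensitively, and surrounding whitespace
    or a trailing '.' is stripped first so 'VIRUS.EXE' or 'virus.exe.'
    is still caught. Only the last extension is examined, so a double
    extension such as 'photo.jpg.exe' is treated as '.exe'.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name.strip().rstrip("."))[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def bounce_text(hits: list) -> str:
    """Custom rejection text for the bounce, as the post describes."""
    return ("Message rejected: attachments with executable extensions are not "
            "accepted here (" + ", ".join(sorted(hits)) + ").")


def build_sample(filename: str) -> bytes:
    """Constructed test message with one binary attachment (not real mail)."""
    m = EmailMessage()
    m["From"] = "friend@example.net"
    m["To"] = "me@example.org"
    m["Subject"] = "look at this"
    m.set_content("See attached.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("report.txt", "photo.jpg.exe", "README.PIF"):
        found = blocked_attachments(build_sample(fn))
        print(fn, "->", bounce_text(found) if found else "accepted")
```

A filter like this only looks at the declared filename; it does not inspect content, so a renamed binary inside a .zip passes. That matches what the post sets out to do (stop the common worm attachments of the day), not a full malware scan.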

Title: debunking message headers
Post by: Master of Reality on 12 August 2002, 07:12
http://www.stopspam.org/email/headers/headers.html
here is a good page about mail headers.
Title: debunking message headers
Post by: voidmain on 14 August 2002, 21:34
As long as you understand that the "From:" address is easily spoofed, and the host names in the "Received:" are also easily spoofed.  You can only trust the IP address in the "Received:" ([xxx.xxx.xxx.xxx]) which makes it nearly impossible to track it to a specific sender without getting the owner of said IP address involved.  That IP address is the IP address of the SMTP server that the user sent the message through, not their home address.

[ August 14, 2002: Message edited by: VoidMain ]
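
An added example for the header-reading advice in voidmain's two replies above (the first describing the "Received:" line and the nslookup step, the second on which parts can be forged). It is not code from the thread. It parses a message, keeps only the bracketed IP literal from each "Received:" line, records the HELO name and the "by" host separately so the untrusted name is never confused with the address, and offers a reverse lookup in place of the manual nslookup. Received: lines are prepended by each relay, so the topmost one is your own server's and the bottom-most is the earliest hop still visible; the example reports the whole chain and takes the oldest bracketed address as the origin. The sample message is constructed and its host names and addresses are invented.

```python
"""Pull the relay chain out of a message's Received: headers.

Added example, not code from the original thread. The sample message below
is constructed; the host names and addresses in it are invented.
"""
import email
import re
import socket
from email import policy
from typing import Optional

# Matches the literal address a receiving MTA records, e.g. "[192.0.2.10]".
# Any host name written before the bracket is what the client claimed in
# HELO and is not trusted; only the bracketed address is kept.
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def received_chain(raw: bytes) -> list:
    """Return one entry per Received: header, top (newest) to bottom (oldest).

    Each entry carries the bracketed IP (None if the hop recorded none),
    the 'from' name the sender claimed, and the 'by' host that added the line.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    chain = []
    for value in msg.get_all("Received", []):
        line = " ".join(str(value).split())  # unfold and normalise whitespace
        ip = BRACKETED_IP.search(line)
        claimed = re.search(r"\bfrom\s+(\S+)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        chain.append({
            "ip": ip.group(1) if ip else None,
            "claimed_from": claimed.group(1) if claimed else None,
            "by": by.group(1) if by else None,
        })
    return chain


def origin_ip(raw: bytes) -> Optional[str]:
    """The bracketed IP in the oldest Received: line that recorded one.

    Relays prepend Received: lines, so the last header in the list is the
    earliest hop that is still visible. Anything the sending client could
    have written itself (From:, HELO names) is not consulted.
    """
    for hop in reversed(received_chain(raw)):
        if hop["ip"]:
            return hop["ip"]
    return None


def reverse_lookup(ip: str) -> Optional[str]:
    """Equivalent of 'nslookup <ip>': the PTR name for the address, or None.

    Needs network access; not exercised by the constructed sample below.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


# Constructed sample: two relays, the inner one recording the submitting
# client, whose HELO name ("mail.example.com") does not match its address.
SAMPLE = b"""Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id abc123; Sun, 11 Aug 2002 20:00:01 -0500
Received: from mail.example.com (dsl-42.isp.example [203.0.113.42])
\tby relay.example.org with SMTP id def456; Sun, 11 Aug 2002 19:59:50 -0500
From: "Someone You Know" <friend@example.com>
To: you@example.net
Subject: Re: your document

Please see attached.
"""

if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(hop)
    print("origin:", origin_ip(SAMPLE))
```

As the post says, the address this yields is the SMTP server the message was submitted through (here the invented 203.0.113.42), not the sender's own machine; tying it to a person still means asking that server's owner to check their logs.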