Search This Blog

Sunday, April 4, 2010

+ Backtracking EMAIL'S

Tracking email back to its source: Twisted Evil

cause i hate spammers... Evil or Very Mad

Ask most people how they determine who sent them an email message and the response is almost universally, "By the From line." Unfortunately this symptomatic of the current confusion among internet users as to where particular messages come from and who is spreading spam and viruses. The "From" header is little more than a courtesy to the person receiving the message. People spreading spam and viruses are rarely courteous. In short, if there is any question about where a particular email message came from the safe bet is to assume the "From" header is forged.

So how do you determine where a message actually came from? You have to understand how email messages are put together in order to backtrack an email message. SMTP is a text based protocol for transferring messages across the internet. A series of headers are placed in front of the data portion of the message. By examining the headers you can usually backtrack a message to the source network, sometimes the source host. A more detailed essay on reading email headers can be found .


If you are using Outlook or Outlook Express you can view the headers by right clicking on the message and selecting properties or options.

Below are listed the headers of an actual spam message I received. I've changed my email address and the name of my server for obvious reasons. I've also double spaced the headers to make them more readable.

Return-Path: < s359dyxtt@yahoo.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it >

X-Original-To: davar@example.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Delivered-To: davar@example.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Received: from 12-218-172-108.client.mchsi.com (12-218-172-108.client.mchsi.com [12.218.172.108])

by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7

for < davar@example.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it >; Sun, 16 Nov 2003 09:50:37 -0800 (PST)

Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200

Message-ID:

From: "Maricela Paulson" < s359dyxtt@yahoo.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it >

Reply-To: "Maricela Paulson" < s359dyxtt@yahoo.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it >

To: davar@example.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Subject: STOP-PAYING For Your PAY-PER-VIEW, Movie Channels, Mature Channels...isha

Date: Sun, 16 Nov 2003 19:42:31 +0200

X-Mailer: Internet Mail Service (5.5.2650.21)

X-Priority: 3

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"

According to the From header this message is from Maricela Paulson at s359dyxxt@yahoo.com.This e-mail address is being protected from spam bots, you need JavaScript enabled to view it I could just fire off a message to abuse@yahoo.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it , but that would be waste of time. This message didn't come from yahoo's email service.

The header most likely to be useful in determining the actual source of an email message is the Received header. According to the top-most Received header this message was received from the host 12-218-172-108.client.mchsi.com with the ip address of 21.218.172.108 by my server mailhost.example.com. An important item to consider is at what point in the chain does the email system become untrusted? I consider anything beyond my own email server to be an unreliable source of information. Because this header was generated by my email server it is reasonable for me to accept it at face value.

The next Received header (which is chronologically the first) shows the remote email server accepting the message from the host 0udjou with the ip 193.12.169.0. Those of you who know anything about IP will realize that that is not a valid host IP address. In addition, any hostname that ends in client.mchsi.com is unlikely to be an authorized email server. This has every sign of being a cracked client system.


Here's is where we start digging. By default Windows is somewhat lacking in network diagnostic tools; however, you can use the tools at to do your own checking.

davar@nqh9k:[/home/davar] $whois 12.218.172.108

AT&T WorldNet Services ATT (NET-12-0-0-0-1)

12.0.0.0 - 12.255.255.255

Mediacom Communications Corp MEDIACOMCC-12-218-168-0-FLANDREAU-MN (NET-12-218-168-0-1)

12.218.168.0 - 12.218.175.255

# ARIN WHOIS database, last updated 2003-12-31 19:15

# Enter ? for additional hints on searching ARIN's WHOIS database.

I can also verify the hostname of the remote server by using nslookup, although in this particular instance, my email server has already provided both the IP address and the hostname.

davar@nqh9k:[/home/davar] $nslookup 12.218.172.108

Server: localhost

Address: 127.0.0.1

Name: 12-218-172-108.client.mchsi.com

Address: 12.218.172.108

Ok, whois shows that Mediacom Communications owns that netblock and nslookup confirms the address to hostname mapping of the remote server,12-218-172-108.client.mchsi.com. If I preface a www in front of the domain name portion and plug that into my web browser, http://www.mchsi.com, I get Mediacom's web site.

There are few things more embarrassing to me than firing off an angry message to someone who is supposedly responsible for a problem, and being wrong. By double checking who owns the remote host's IP address using two different tools (whois and nslookup) I minimize the chance of making myself look like an idiot.

A quick glance at the web site and it appears they are an ISP. Now if I copy the entire message including the headers into a new email message and send it to abuse@mchsi.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it with a short message explaining the situation, they may do something about it.

But what about Maricela Paulson? There really is no way to determine who sent a message, the best you can hope for is to find out what host sent it. Even in the case of a PGP signed messages there is no guarantee that one particular person actually pressed the send button. Obviously determining who the actual sender of an email message is much more involved than reading the From header. Hopefully this example may be of some use to other forum regulars.
Posted by at No comments:

+ 10 Security Enhancements

Ten Fast and Free Security Enhancements :

Before you spend a dime on security, there are many precautions you can take that will protect you against the most common threats.

1. Check Windows Update and Office Update regularly (_http://office.microsoft.com/productupdates); have your Office CD ready. Windows Me, 2000, and XP users can configure automatic updates. Click on the Automatic Updates tab in the System control panel and choose the appropriate options.

2. Install a personal firewall. Both SyGate (_www.sygate.com) and ZoneAlarm (_www.zonelabs.com) offer free versions.


3. Install a free spyware blocker. Our Editors' Choice ("Spyware," April 22) was SpyBot Search & Destroy (_http://security.kolla.de). SpyBot is also paranoid and ruthless in hunting out tracking cookies.

4. Block pop-up spam messages in Windows NT, 2000, or XP by disabling the Windows Messenger service (this is unrelated to the instant messaging program). Open Control Panel | Administrative Tools | Services and you'll see Messenger. Right-click and go to Properties. Set Start-up Type to Disabled and press the Stop button. Bye-bye, spam pop-ups! Any good firewall will also stop them.

5. Use strong passwords and change them periodically. Passwords should have at least seven characters; use letters and numbers and have at least one symbol. A decent example would be f8izKro@l. This will make it much harder for anyone to gain access to your accounts.

6. If you're using Outlook or Outlook Express, use the current version or one with the Outlook Security Update installed. The update and current versions patch numerous vulnerabilities.

7. Buy antivirus software and keep it up to date. If you're not willing to pay, try Grisoft AVG Free Edition (Grisoft Inc., w*w.grisoft.com). And doublecheck your AV with the free, online-only scanners available at w*w.pandasoftware.com/activescan and _http://housecall.trendmicro.com.

8. If you have a wireless network, turn on the security features: Use MAC filtering, turn off SSID broadcast, and even use WEP with the biggest key you can get. For more, check out our wireless section or see the expanded coverage in Your Unwired World in our next issue.

9. Join a respectable e-mail security list, such as the one found at our own Security Supersite at _http://security.ziffdavis.com, so that you learn about emerging threats quickly and can take proper precautions.

10. Be skeptical of things on the Internet. Don't assume that e-mail "From:" a particular person is actually from that person until you have further reason to believe it's that person. Don't assume that an attachment is what it says it is. Don't give out your password to anyone, even if that person claims to be from "support."
Posted by at No comments:

+ Send Emails Anonymously

We are going to explain you a way to send home-made e-mails. I mean it’s a way to send Anonymous e-mails without a program, it doesn't take to much time and its cool and you can have more knowledge than with a stupid program that does all by itself. This way (to hackers) is old what as you are new by to this stuff, perhaps you may like to know how these anonymous-mailers work, (home-made)


Well.....

Go to Start, then Run...
You have to Telnet (Xserver) on port 25
Well, (In this Xserver) you have to put the name of a server without the ( ) of course...
Put in iname.com in (Xserver) because it always work it is a server with many bugs in it.
(25) mail port.
So now we are like this.
telnet iname.com 25
and then you hit enter
Then When you have telnet open put the following like it is written
helo

and the machine will reply with smth.
Notice for newbies: If you do not see what you are writing go to Terminal's menu (in telnet) then to Preferences and in the Terminal Options you tick all options available and in the emulation menu that's the following one you have to tick the second option.
Now you will see what you are writing.
then you put:

mail from:< whoeveryouwant@whetheveryouwant.whetever.whateverThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it > and so on...
If you make an error start all over again

Example:
mail from:< askbill@microsoft.com.netThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it >
You hit enter and then you put:
rcpt to:
This one has to be an existance address as you are mailing anonymously to him.
Then you hit enter
And you type
Data
and hit enter once more
Then you write
Subject: whatever
And you hit enter
you write your mail
hit enter again (boring)
you put a simple:
Yes you don't see it it’s the little F**king point!
and hit enter
Finally you write
quit
hit enter one more time
and it's done


Look: Try first do it with yourself I mean mail anonymously yourself so you can test it!
Don't be asshole and write f**king e-mails to big corps. Because its symbol of stupidity and childhood and it has very much effect on Hackers they will treat you as a Lamer!
Posted by at No comments:
Subscribe to: Posts (Atom)