In f r a s t r u c t u r e s N e t w o r k in gX - M S M a il- P r io r it y : N o r m a l X - M a...

DigitalInvestigator

Networking

Infrastructures

SMTP, POP-3 and IMAP

Author: Prof Bill Buchanan

Ne

t F

ore

ns

ics

SMTP

SM

TP

Ne

t F

ore

nsic

s


Email Architecture

Email gateway

- SMTP.

- MS Mail.

Email Server

· - Post Office

· - Email database

Email client

SM

TP

Ne

t F

ore

nsic

s


SMTP

HELO domain

250 OK

MAIL FROM: fred@home

250 OK

RCPT TO: bert@home

250 OK

MESSAGE

354

DATA

.

250 OK

Email gateway

- SMTP (TCP: 25/465/587)

- MS Mail.

SM

TP

Ne

t F

ore

nsic

s


SMTP

Email gateway

- SMTP (TCP: 25/465/587)

- MS Mail.

220 napier Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at

Mon, 11 Mar 2013 22:06:28 +0000

EHLO napier

250-napier Hello [192.168.0.12]

250-TURN

250-SIZE 2097152

250-ETRN

250-PIPELINING

250-DSN

250-ENHANCEDSTATUSCODES

250-8bitmime

250-BINARYMIME

250-CHUNKING

250-VRFY

250 OK

MAIL FROM: <[email protected]>

250 2.1.0 [email protected] OK

RCPT TO: <[email protected]>

250 2.1.5 [email protected]

DATA

354 Start mail input; end with <CRLF>.<CRLF>

Message-ID: <327D7B5223214259B3756468AFF23AAE@napier>

From: "Fred Smith" <[email protected]>

To: <[email protected]>

Subject: Test

Date: Mon, 11 Mar 2013 22:10:34 -0000

MIME-Version: 1.0

Content-Type: text/plain;

.format=flowed;

.charset="iso-8859-1";

.reply-type=original

Content-Transfer-Encoding: 7bit

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.3790.3959

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3959

.

250 2.6.0 <327D7B5223214259B3756468AFF23AAE@napier> Queued mail for

delivery

QUIT

221 2.0.0 napier Service closing transmission channel


Ne

t F

ore

ns

ics

IMAP 4

IMA

PN

et F

ore

nsic

s


IMAP 4

Email server

- IMAP 4 (RFC 3501). TCP: 143/993

- POP-3. TCP 110/993

- Exchange.

>> * OK IMAP4rev1 Service Ready

a001 login mrc secret

>> a001 OK LOGIN completed

a002 select inbox

>> * 18 EXISTS

>> * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)

>> * 2 RECENT

>> * OK [UNSEEN 17] Message 17 is the first unseen message

>> * OK [UIDVALIDITY 3857529045] UIDs valid

>> a002 OK [READ-WRITE] SELECT completed

a003 fetch 12 full

>> * 12 FETCH (FLAGS (\Seen) INTERNALDATE "17-Jul-1996 02:44:25 -0700"

RFC822.SIZE 4286 ENVELOPE ("Wed, 17 Jul 1996 02:23:25 -0700 (PDT)"

"IMAP4rev1 WG mtg summary and minutes"

(("Terry Gray" NIL "gray" "cac.washington.edu"))



((NIL NIL "imap" "cac.washington.edu"))

((NIL NIL "minutes" "CNRI.Reston.VA.US")

("John Klensin" NIL "KLENSIN" "MIT.EDU")) NIL NIL

"<[email protected]>")

BODY ("TEXT" "PLAIN" ("CHARSET" "US-ASCII") NIL NIL "7BIT" 3028

92))

>> a003 OK FETCH completed

a004 fetch 12 body[header]

>> * 12 FETCH (BODY[HEADER] {342}

>> Date: Wed, 17 Jul 1996 02:23:25 -0700 (PDT)

>> From: Terry Gray <[email protected]>

>> Subject: IMAP4rev1 WG mtg summary and minutes

>> To: [email protected]

>> cc: [email protected], John Klensin <[email protected]>

>> Message-Id: <[email protected]>

>> MIME-Version: 1.0

>> Content-Type: TEXT/PLAIN; CHARSET=US-ASCII

>>

>> )

>> a004 OK FETCH completed

a005 store 12 +flags \deleted

>> * 12 FETCH (FLAGS (\Seen \Deleted))

>> a005 OK +FLAGS completed

a006 logout

>> * BYE IMAP4rev1 server terminating connection

>> a006 OK LOGOUT completed


Ne

t F

ore

ns

ics

POP-3

PO

P-3

Ne

t F

ore

nsic

s


POP-3

+OK POP server ready H mimap15 0LfD5x-1VsVU4327M-00pHSn

AUTH

-ERR 1 argument required

CAPA

+OK Capability list follows

TOP

USER

UIDL

STLS

SASL PLAIN

IMPLEMENTATION trinity

.

AUTH PLAIN

+

AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcjEy

Mw==

+OK mailbox "[email protected]" has 3 messages (19191

octets) H mimap15

STAT

+OK 3 19191

LIST

+OK

1 5565

2 8412

3 5214

.

UIDL

+OK

1 0M8Oog-1VyW6I2B74-00vNGA

2 0LalaO-1VwtZq3DAW-00kuzg

3 0MLPgA-1VC2Ru34ja-000jOl

.

RETR 1

+OK

Return-Path: <[email protected]>

Delivery-Date: Thu, 22 Aug 2013 21:14:44 +0200

Received: from mbulk.1and1.com (mbulk.1and1.com [212.227.126.222])

.by mx.kundenserver.de (node=mxeu0) with ESMTP (Nemesis)

Email server

- IMAP 4 (RFC 3501). TCP: 143/993

- POP-3. TCP 110/993

- Exchange.

USER name

PASS password

RETR mailbox

REDEL mailbox

RVEC

RCVD

QUIT

NOOP

RSET

DigitalInvestigator

Networking

Infrastructures

SMTP, POP-3 and IMAP

In f r a s t r u c t u r e s N e t w o r k in gX - M S M a il- P r io r it y : N o r m a l X - M a...

Documents

Transcript of In f r a s t r u c t u r e s N e t w o r k in gX - M S M a il- P r io r it y : N o r m a l X - M a...