Tracing email
Headers
Return-path: <[email protected]>
Received: from mta23.srv.hcvlny.cv.net (mta23.srv.hcvlny.cv.net [167.206.5.184]) by mstr2.srv.hcvlny.cv.net (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with ESMTP id <[email protected]> for [email protected]; Tue, 29 Nov 2005 05:40:50 -0500 (EST)
Received: from hotmail.com (bay114-dav14.bay114.hotmail.com [65.54.169.86]) by mta23.srv.hcvlny.cv.net (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with ESMTP id <[email protected]> for [email protected] (ORCPT [email protected]); Tue, 29 Nov 2005 05:40:49 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 29 Nov 2005 02:40:48 -0800
Received: from 212.100.250.216 by BAY114-DAV14.phx.gbl with DAV; Tue, 29 Nov 2005 10:40:48 +0000
Date: Tue, 29 Nov 2005 11:47:47 +0100
From: Dele Belgore <[email protected]>
Subject: Dear Malinowski (Urgent/Confidential Request)
X-Originating-IP: [212.100.250.216]
X-Sender: [email protected]
Bcc:
Reply-to: Dele Belgore <[email protected]>
Message-id: <[email protected]>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4939.300
X-Mailer: Microsoft Outlook Express 5.50.4922.1500
Content-type: multipart/alternative; boundary="Boundary_(ID_PSl9uVHx8QZ3EPypzGbkVQ)"
X-Priority: 3
X-MSMail-priority: Normal
X-Originating-Email: [[email protected]]
Original-recipient: rfc822;[email protected]
X-OriginalArrivalTime: 29 Nov 2005 10:40:48.0512 (UTC) FILETIME=[5C60D800:01C5F4D1]
Checking IP addresses
IP (and other info) can be spoofed at nodes where the suspect may have control.
What information might be revealed from an email, despite spoofing attempts?
What happens if a remailer or anonymizer is used?
IP address blocks
www.iana.org/assignments/ipv4-address-space
ARIN: 063.x.x.x thru 072.x.x.x, 199.x.x.x, 204.x.x.x thru 209.x.x.x, 216.x.x.x
APNIC: 058.x.x.x thru 061.x.x.x, 202.x.x.x thru 203.x.x.x, 210.x.x.x thru 211.x.x.x, 218.x.x.x thru 222.x.x.x
RIPE: 062.x.x.x, 081.x.x.x thru 088.x.x.x, 193.x.x.x thru 195.x.x.x, 212.x.x.x thru 213.x.x.x, 217.x.x.x
LACNIC: 200.x.x.x thru 201.x.x.x
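An added example, not part of the slides, that ties the Headers slide to the IP address blocks slide: it walks the Received chain bottom-up (oldest hop first), pulls the IP each receiving server recorded, cross-checks the earliest hop against X-Originating-IP, and maps each address to a registry using only the first-octet table given above. The header sample is a trimmed, constructed version of the slide's headers, and the registry table is the slide's 2005 snapshot, so addresses outside it are reported as unlisted rather than looked up live.

```python
import re
from email import message_from_string

# Constructed sample: the slide's Received chain, trimmed to the fields the parser uses.
SAMPLE = """Received: from mta23.srv.hcvlny.cv.net (mta23.srv.hcvlny.cv.net [167.206.5.184])
 by mstr2.srv.hcvlny.cv.net with ESMTP; Tue, 29 Nov 2005 05:40:50 -0500 (EST)
Received: from hotmail.com (bay114-dav14.bay114.hotmail.com [65.54.169.86])
 by mta23.srv.hcvlny.cv.net with ESMTP; Tue, 29 Nov 2005 05:40:49 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
 Tue, 29 Nov 2005 02:40:48 -0800
Received: from 212.100.250.216 by BAY114-DAV14.phx.gbl with DAV;
 Tue, 29 Nov 2005 10:40:48 +0000
X-Originating-IP: [212.100.250.216]
"""

# First-octet ranges exactly as listed on the slide (a 2005 snapshot of the IANA table).
RIR_BLOCKS = {
    "ARIN":   [(63, 72), (199, 199), (204, 209), (216, 216)],
    "APNIC":  [(58, 61), (202, 203), (210, 211), (218, 222)],
    "RIPE":   [(62, 62), (81, 88), (193, 195), (212, 213), (217, 217)],
    "LACNIC": [(200, 201)],
}
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def rir_for(ip):
    # Map an IPv4 address to a registry by first octet, using the slide table only.
    first = int(ip.split(".")[0])
    for rir, ranges in RIR_BLOCKS.items():
        if any(lo <= first <= hi for lo, hi in ranges):
            return rir
    return "not in slide table"

def trace_hops(raw):
    """Received headers are prepended by each MTA, so reverse them to read oldest hop first."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        m = re.match(r"from (.+?) by (\S+)", " ".join(hdr.split()))
        if not m:
            continue
        ips = IP_RE.findall(m.group(1))   # the [bracketed] IP is what the receiver saw
        ip = ips[0] if ips else None
        hops.append({"from": m.group(1), "by": m.group(2), "ip": ip,
                     "rir": rir_for(ip) if ip else None})
    return hops

def originating_ip_matches(raw):
    """Cross-check: does the earliest hop's IP agree with the X-Originating-IP header?"""
    claimed = IP_RE.findall(message_from_string(raw).get("X-Originating-IP", ""))
    earliest = next((h["ip"] for h in trace_hops(raw) if h["ip"]), None)
    return bool(claimed) and claimed[0] == earliest
```

Only the Received lines added by servers you trust are reliable; the earliest hop and X-Originating-IP are written by systems the sender may control, which is why the cross-check matters.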
Domain Names
Top-level domains (TLDs) are assigned by ICANN (Internet Corporation for Assigned Names and Numbers), which is responsible for IANA.
dig
Gets IP for the hostname. Syntax: dig @<name server (optional)> <hostname> <record type (optional)>
tower:~$ dig @ns.adnc.com FreeSoft.org mx
; <<>> DiG 2.1 <<>> @ns.adnc.com FreeSoft.org mx
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd ra; Ques: 1, Ans: 1, Auth: 2, Addit: 2
;; QUESTIONS:
;;      FreeSoft.org, type = MX, class = IN

;; ANSWERS:
FreeSoft.org.   86400   MX      100 mail.adnc.com.
dig
;; AUTHORITY RECORDS:
FreeSoft.org.   86400   NS      ns.adnc.com.
FreeSoft.org.   86400   NS      ns2.adnc.com.

;; ADDITIONAL RECORDS:
ns.adnc.com.    86400   A       205.216.138.22
ns2.adnc.com.   86400   A       205.216.138.24

;; Total query time: 464 msec
;; FROM: tower to SERVER: ns.adnc.com  205.216.138.22
;; WHEN: Tue Mar 19 20:31:58 1996
;; MSG SIZE  sent: 30  rcvd: 126
dig
$ dig @ns.adnc.com mail.adnc.com
; <<>> DiG 2.1 <<>> @ns.adnc.com mail.adnc.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd ra; Ques: 1, Ans: 2, Auth: 3, Addit: 3
;; QUESTIONS:
;;      mail.adnc.com, type = A, class = IN

;; ANSWERS:
mail.adnc.com.          86400   CNAME   gemini.adnc.com.
gemini.adnc.com.        86400   A       205.216.138.22
dig
% dig +short mail.adnc.com
205.216.138.22
whois
http://www.networksolutions.com/en_US/whois/index.html
http://verisign-grs.com/cgi-bin/whois
http://www.easywhois.com
traceroute
www.wvi.com/cgi-bin/trace