
Wednesday, June 12, 2013

Trace Email

When you send or receive an email, two protocols are involved:
SMTP (Simple Mail Transfer Protocol), port 25
POP (Post Office Protocol), port 110

Whenever you click the send button to send a mail, the mail first reaches the source mail server; from there it goes to one or more interim mail servers, then to the destination mail server, and finally to the destination inbox. As you can see it is not a complicated process, and it can be described by the following diagram: |Sender Outbox-----> Source Mail Server-----> Interim Mail Servers-----> Destination Mail Server------> Destination Inbox|

Emails do not travel alone: each one carries an email header with it.
This email header reveals the path the email took to reach its
destination.

Tracing Time:

Here I will take a real-life example of an email that was sent to me.
The email header is:

From John Wed Jun 12 20:36:53 2013
X-Apparently-To: divya_football@yahoo.co.in via 203.104.17.163; Wed, 12 Jun 2013 20:36:53 +0530
Return-Path: <dt_biz@terenciri.com>
X-YahooFilteredBulk: 209.124.87.14
X-Originating-IP: [209.124.87.14]
Received: from 209.124.87.14  (HELO org.pickepair.com) (209.124.87.14)
  by mta189.mail.in.yahoo.com with SMTP; Wed, 12 Jun 2013 20:36:53 +0530
From: John <DT_Biz@terenciri.com>
Subject:Stop paying for CDs.
To: divya_football@yahoo.co.in
Date: Wed, 12 Jun 2013 11:06:53 EDT
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"


Before tracing, the first thing to do is split the header into groups of three or four lines; I will then explain each line to you.
So let's begin:

Date: Wed, 12 Jun 2013 11:06:53 EDT
From: John <DT_Biz@terenciri.com>
To: divya_football@yahoo.co.in
Subject:Stop paying for CDs.

Date: Wed, 12 Jun 2013 11:06:53 EDT
This line tells us the date on which the mail was sent to me.

From: John <DT_Biz@terenciri.com>
This line tells me the email address of the person who sent the mail.

To: divya_football@yahoo.co.in
This line tells us to whom the mail was sent; in this case it is my email address.

Subject:Stop paying for CDs.
This line tells us the subject of the message.

X-Apparently-To: divya_football@yahoo.co.in via 203.104.17.163; Wed, 12 Jun 2013 20:36:53 +0530
Return-Path: <dt_biz@terenciri.com>
X-YahooFilteredBulk: 209.124.87.14
X-Originating-IP: [209.124.87.14]
Received: from 209.124.87.14  (HELO org.pickepair.com) (209.124.87.14)
  by mta189.mail.in.yahoo.com with SMTP; Wed, 12 Jun 2013 20:36:53 +0530

X-Apparently-To: divya_football@yahoo.co.in via 203.104.17.163; Wed, 12 Jun 2013 20:36:53 +0530
This line tells me that the message was delivered to my email address via 203.104.17.163
on Wednesday, 12 June 2013.

Return-Path: <dt_biz@terenciri.com>
Again, this line tells me the email address of the person who sent me this mail.

X-YahooFilteredBulk: 209.124.87.14
This line tells me that the message was filtered by 209.124.87.14.

X-Originating-IP: [209.124.87.14]
This line tells me the IP address of the person who sent me this email.

Received: from 209.124.87.14  (HELO org.pickepair.com) (209.124.87.14)
  by mta189.mail.in.yahoo.com with SMTP; Wed, 12 Jun 2013 20:36:53 +0530
Again, this line tells us the IP address of the person who sent this mail, and it contains an SMTP command (HELO, the name the sending host announced itself with) which you will learn about in the next lesson.

MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"

MIME-Version: 1.0
This line tells me the version of MIME that the software the attacker used to send me the
message conforms to.

Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"
This line tells me the type of content the email used.
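The header above can be taken apart programmatically. The script below is an added example written for this post (not code from the original article); it parses the quoted header with Python's standard email module, pulls the connecting IP out of the Received line, and runs a few consistency checks between the fields a sender controls (From, Return-Path, the HELO name) and the field the receiving server wrote. The caveat it encodes is the one that matters when tracing: From, Return-Path and HELO are all chosen by the sender and can say anything, so the IP to look up is the one recorded by your own provider's server in the topmost Received line. SAMPLE_HEADER is the post's header re-typed as a constructed string, and the function names (parse_header_block, first_trusted_hop, sender_checks) are hypothetical names chosen here.

```python
"""Parse a raw email header block, find the hop recorded by the receiving
server, and check the sender-controlled fields against it.

Added example for this post; not code from the original article.
"""
import re
from email.parser import HeaderParser

# Constructed sample: the header quoted in the post, with the Received
# continuation line folded with leading whitespace as RFC 5322 requires.
SAMPLE_HEADER = """\
X-Apparently-To: divya_football@yahoo.co.in via 203.104.17.163; Wed, 12 Jun 2013 20:36:53 +0530
Return-Path: <dt_biz@terenciri.com>
X-YahooFilteredBulk: 209.124.87.14
X-Originating-IP: [209.124.87.14]
Received: from 209.124.87.14  (HELO org.pickepair.com) (209.124.87.14)
  by mta189.mail.in.yahoo.com with SMTP; Wed, 12 Jun 2013 20:36:53 +0530
From: John <DT_Biz@terenciri.com>
Subject: Stop paying for CDs.
To: divya_football@yahoo.co.in
Date: Wed, 12 Jun 2013 11:06:53 EDT
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"
"""

# "from <host> (HELO <name>) ... by <server>": the shape used by the Yahoo
# MTA in the sample; other MTAs vary, so this is a best-effort pattern.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_header_block(raw):
    """Return a Message object from a bare header block (no body)."""
    return HeaderParser().parsestr(raw, headersonly=True)


def received_hops(msg):
    """Received headers top to bottom; the topmost one was added last, by
    the server closest to the recipient."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        ips = IPV4_RE.findall(flat)
        hops.append({"from": m.group("from"), "helo": m.group("helo"),
                     "by": m.group("by"), "ip": ips[0] if ips else None})
    return hops


def first_trusted_hop(msg, my_domain_suffix):
    """The topmost Received line written by a server under my own provider's
    domain is the only hop I can trust: everything below it was supplied by
    the sender and could have been forged."""
    for hop in received_hops(msg):
        if hop["by"].lower().endswith(my_domain_suffix.lower()):
            return hop
    return None


def _domain(addr_field):
    """'John <DT_Biz@terenciri.com>' -> 'terenciri.com'."""
    return addr_field.split("@")[-1].rstrip(">").strip().lower()


def sender_checks(msg, my_domain_suffix="yahoo.com"):
    """Compare sender-controlled fields with each other and with the
    connecting IP recorded by the receiving server. Returns None when no
    trusted hop is present (then nothing in the header can be relied on)."""
    hop = first_trusted_hop(msg, my_domain_suffix)
    if hop is None:
        return None
    from_domain = _domain(msg["From"])
    helo = (hop["helo"] or "").lower()
    originating = (msg.get("X-Originating-IP") or "").strip("[] ")
    return {
        "connecting_ip": hop["ip"],
        "originating_ip_matches": originating == hop["ip"],
        # rough check: a HELO name under the From domain is what a legitimate
        # sending server usually presents; a mismatch is a red flag, not proof
        "helo_matches_from_domain": helo.endswith(from_domain),
        "return_path_matches_from": from_domain == _domain(msg["Return-Path"]),
    }


if __name__ == "__main__":
    for key, val in sender_checks(parse_header_block(SAMPLE_HEADER)).items():
        print(f"{key}: {val}")
```

For the post's header the connecting IP is 209.124.87.14, the X-Originating-IP agrees with it, Return-Path and From share a domain, but the HELO name org.pickepair.com has nothing to do with terenciri.com, which is typical of bulk mail sent through an unrelated host.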
The header can be viewed by going to Actions in Yahoo Mail; in Gmail it is found under the message's options. If you use some other website then the best way is to find out using Google. Now, once you have got the IP address, what can you do?

The answer is very simple: you can just do a whois lookup for that IP address.
Whois is a directory service that records who has been allocated an IP address block (or a domain) and how to contact them. When I did a whois lookup for the above IP address it revealed the following information:

Whois IP 209.124.87.14

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=209.124.87.14?showDetails=true&showARIN=false&ext=netref2
#


# start

NetRange:       209.124.64.0 - 209.124.95.255
CIDR:           209.124.64.0/19
OriginAS:       
NetName:        DRAGON-BLK-1
NetHandle:      NET-209-124-64-0-1
Parent:         NET-209-0-0-0-0
NetType:        Direct Allocation
Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:        1999-04-20
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-209-124-64-0-1

OrgName:        Dragon Networks, Inc.
OrgId:          DRAGON-8
Address:        93, Moor Lane
City:           Wilmslow
StateProv:      Cheshire
PostalCode:     SK9 6BR
Country:        GB
RegDate:        2002-05-19
Updated:        2012-06-21
Ref:            http://whois.arin.net/rest/org/DRAGON-8

OrgAbuseHandle: ABUSE1150-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1 404.300.9889 
OrgAbuseEmail:  email@dragonnetwurx.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE1150-ARIN

OrgNOCHandle: CTS4-ARIN
OrgNOCName:   Smith, Charles T
OrgNOCPhone:  +1 404-949-7884 
OrgNOCEmail:  email@dragonnetwurx.com
OrgNOCRef:    http://whois.arin.net/rest/poc/CTS4-ARIN

OrgTechHandle: ABUSE1150-ARIN
OrgTechName:   Abuse
OrgTechPhone:  +1 404.300.9889 
OrgTechEmail:  email@dragonnetwurx.com
OrgTechRef:    http://whois.arin.net/rest/poc/ABUSE1150-ARIN

# end


# start

NetRange:       209.124.87.0 - 209.124.87.15
CIDR:           209.124.87.0/28
OriginAS:       AS22653
NetName:        NET-209-124-87-0-1
NetHandle:      NET-209-124-87-0-1
Parent:         NET-209-124-64-0-1
NetType:        Reassigned
RegDate:        2013-04-26
Updated:        2013-04-26
Ref:            http://whois.arin.net/rest/net/NET-209-124-87-0-1

OrgName:        J. Eaton
OrgId:          JE-98
Address:        PO Box 3109 # 22016
City:           Houston
StateProv:      TX
PostalCode:     77253-3109
Country:        US
RegDate:        2013-04-26
Updated:        2013-04-26
Ref:            http://whois.arin.net/rest/org/JE-98

OrgAbuseHandle: ADMIN4210-ARIN
OrgAbuseName:   Administrator
OrgAbusePhone:  +1-760-683-4974 
OrgAbuseEmail:  email@gmail.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/ADMIN4210-ARIN

OrgTechHandle: ADMIN4210-ARIN
OrgTechName:   Administrator
OrgTechPhone:  +1-760-683-4974 
OrgTechEmail:  email@gmail.com
OrgTechRef:    http://whois.arin.net/rest/poc/ADMIN4210-ARIN

# end



#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html 
#
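ARIN prints one record per "# start" / "# end" block, and the output above contains two: the /19 direct allocation and the /28 reassignment inside it. For an abuse report the reassignment is the one that matters, because it names whoever was actually handed the address. The script below is an added example for this post (not the post's or ARIN's code); it parses this block format and picks the most specific network containing the IP, using Python's standard ipaddress module. WHOIS_SAMPLE is a constructed, trimmed copy of the output quoted above, and the function names (parse_arin, most_specific_net, abuse_contact) are hypothetical names chosen here.

```python
"""Parse ARIN whois output into records and select the most specific
allocation covering an IP, together with its abuse contact.

Added example for this post; not the post's own code.
"""
import ipaddress

# Constructed sample: a trimmed copy of the ARIN output quoted in the post.
WHOIS_SAMPLE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

# start

NetRange:       209.124.64.0 - 209.124.95.255
CIDR:           209.124.64.0/19
OriginAS:       
NetName:        DRAGON-BLK-1
NetType:        Direct Allocation
OrgName:        Dragon Networks, Inc.
Country:        GB
OrgAbuseEmail:  email@dragonnetwurx.com
Ref:            http://whois.arin.net/rest/net/NET-209-124-64-0-1

# end


# start

NetRange:       209.124.87.0 - 209.124.87.15
CIDR:           209.124.87.0/28
OriginAS:       AS22653
NetName:        NET-209-124-87-0-1
NetType:        Reassigned
OrgName:        J. Eaton
Country:        US
OrgAbuseEmail:  email@gmail.com
Ref:            http://whois.arin.net/rest/net/NET-209-124-87-0-1

# end
"""


def parse_arin(text):
    """Split the output on '# start' / '# end' markers and turn each block
    into a dict of 'Key: value' pairs. Comment lines and text outside a
    block are ignored; a repeated key keeps the last value seen."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "# start":
            current = {}
            continue
        if stripped == "# end":
            if current is not None:
                records.append(current)
            current = None
            continue
        if current is None or not stripped or stripped.startswith("#"):
            continue
        # partition on the first colon only, so URLs in 'Ref:' stay intact
        key, _, value = stripped.partition(":")
        current[key.strip()] = value.strip()
    return records


def most_specific_net(records, ip):
    """Return the record whose CIDR contains ip and has the longest prefix,
    i.e. the reassignment rather than the parent allocation."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in records:
        cidr = rec.get("CIDR")
        if not cidr:
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    return best[1] if best else None


def abuse_contact(records, ip):
    """The fields you need to file an abuse report for ip, or None if no
    record in the output covers it."""
    rec = most_specific_net(records, ip)
    if rec is None:
        return None
    return {"net": rec["CIDR"], "org": rec.get("OrgName"),
            "abuse": rec.get("OrgAbuseEmail"), "asn": rec.get("OriginAS") or None}


if __name__ == "__main__":
    print(abuse_contact(parse_arin(WHOIS_SAMPLE), "209.124.87.14"))
```

Run against the trimmed output, the lookup for 209.124.87.14 lands on the /28 reassigned to J. Eaton (AS22653) rather than the parent Dragon Networks block, which is where an abuse complaint about this message should go.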
