SMTP (Simple Mail Transfer Protocol): Port 25
POP (Post Office Protocol): Port 110
Whenever you click the Send button in your browser, the mail first reaches the source mail server; from there it goes to one or more interim mail servers, then to the destination mail server, and at last to the destination inbox. So as you can see it is not a complicated process, and it can be described by the following diagram:
|Sender Outbox-----> Source Mail Server-----> Interim Mail Servers-----> Destination Mail Server------> Destination Inbox|
Emails do not travel alone: each one carries an email header with it. This email header reveals the path the email took to reach its destination.
Tracing Time:
Here I will take a real-life example of an email that was sent to me. The email header is:
From John Wed Jun 12 20:36:53 2013
X-Apparently-To: divya_football@yahoo.co.in via 203.104.17.163; Wed, 12 Jun 2013 20:36:53 +0530
Return-Path: <dt_biz@terenciri.com>
X-YahooFilteredBulk: 209.124.87.14
X-Originating-IP: [209.124.87.14]
Received: from 209.124.87.14 (HELO org.pickepair.com) (209.124.87.14)
by mta189.mail.in.yahoo.com with SMTP; Wed, 12 Jun 2013 20:36:53 +0530
From: John <DT_Biz@terenciri.com>
Subject:Stop paying for CDs.
To: divya_football@yahoo.co.in
Date: Wed, 12 Jun 2013 11:06:53 EDT
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"
Before tracing, the first thing is to divide the header into groups of 3-4 lines; then I will explain each line to you.
So let's begin:
Date: Wed, 12 Jun 2013 11:06:53 EDT
From: John <DT_Biz@terenciri.com>
To: divya_football@yahoo.co.in
Subject:Stop paying for CDs.
Date: Wed, 12 Jun 2013 11:06:53 EDT
This line tells us the date on which the mail was sent to me.
From: John <DT_Biz@terenciri.com>
This line tells me the email address of the person who sent the mail.
To: divya_football@yahoo.co.in
This line tells us to whom the mail was sent; in this case it is my email.
Subject:Stop paying for CDs.
This line tells us the subject of the message.
X-Apparently-To: divya_football@yahoo.co.in via 203.104.17.163; Wed, 12 Jun 2013 20:36:53 +0530
Return-Path: <dt_biz@terenciri.com>
X-YahooFilteredBulk: 209.124.87.14
X-Apparently-To: divya_football@yahoo.co.in via 203.104.17.163; Wed, 12 Jun 2013 20:36:53 +0530
This line tells me that the message was sent to my email via 203.104.17.163 on Wednesday, 12 June 2013.
Return-Path: <dt_biz@terenciri.com>
Again, this line tells me the email address of the person who sent me this mail.
X-YahooFilteredBulk: 209.124.87.14
This line tells me that the message was filtered by 209.124.87.14
X-Originating-IP: [209.124.87.14]
This line tells me the IP address of the person who sent me this email.
Received: from 209.124.87.14 (HELO org.pickepair.com) (209.124.87.14)
by mta189.mail.in.yahoo.com with SMTP; Wed, 12 Jun 2013 20:36:53 +0530
Again this line tells us the IP address of the person who sent this mail, and it contains some SMTP commands which you will learn about in the next lesson.
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"
MIME-Version: 1.0
This line tells me the software that the attacker used to send me the message.
Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"
This line tells me the type of text the email used.
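The walkthrough above reads the header by eye; the following script does the same job programmatically and is an added example, not code from the original post. It embeds the header quoted above as its sample input (the mbox "From John ..." line and the body are omitted, and the folded Received: line is indented as RFC 5322 requires), splits each Received: line into its from/HELO/by/with/date parts, puts the hops into chronological order, and adds two checks a practitioner wants: whether the client IP recorded by the receiving MTA (here mta189.mail.in.yahoo.com, the one hop that our own server stamped) agrees with X-Originating-IP, and how many seconds passed between the sender-supplied Date: and that first trusted timestamp. Only the Python standard library is used.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# The header from the post, embedded as sample input (body omitted; the
# continuation line of Received: is indented so the parser unfolds it).
SAMPLE_HEADER = """\
X-Apparently-To: divya_football@yahoo.co.in via 203.104.17.163; Wed, 12 Jun 2013 20:36:53 +0530
Return-Path: <dt_biz@terenciri.com>
X-YahooFilteredBulk: 209.124.87.14
X-Originating-IP: [209.124.87.14]
Received: from 209.124.87.14 (HELO org.pickepair.com) (209.124.87.14)
 by mta189.mail.in.yahoo.com with SMTP; Wed, 12 Jun 2013 20:36:53 +0530
From: John <DT_Biz@terenciri.com>
Subject: Stop paying for CDs.
To: divya_football@yahoo.co.in
Date: Wed, 12 Jun 2013 11:06:53 EDT
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"

"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_received(value):
    """Split one Received: value into its from/HELO/IP/by/with/date parts."""
    value = " ".join(value.split())            # unfold continuation lines
    clauses, _, stamp = value.partition(";")   # the timestamp follows the ';'

    def grab(pattern):
        m = re.search(pattern, clauses, re.IGNORECASE)
        return m.group(1) if m else None

    ips = IPV4_RE.findall(clauses)
    return {
        "from": grab(r"\bfrom\s+([^\s()]+)"),   # name the client gave for itself
        "helo": grab(r"\bHELO\s+([^\s()]+)"),   # SMTP greeting name (client-chosen)
        "ip": ips[0] if ips else None,          # address seen by the receiving MTA
        "by": grab(r"\bby\s+([^\s()]+)"),       # the MTA that wrote this line
        "with": grab(r"\bwith\s+([^\s()]+)"),   # protocol used for the hop
        "date": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
    }


def trace(header_text):
    """Reconstruct the delivery path and run two consistency checks."""
    msg = message_from_string(header_text)
    # Every MTA prepends its own Received: line, so the header lists the newest
    # hop first; reversing yields the chronological path sender -> recipient.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received") or [])]
    originating = (msg.get("X-Originating-IP") or "").strip("[] ") or None
    sent = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    first_seen = hops[0]["date"] if hops else None
    transit = int((first_seen - sent).total_seconds()) if sent and first_seen else None
    return {
        "from": msg.get("From"),
        "return_path": msg.get("Return-Path"),
        "originating_ip": originating,
        "hops": hops,
        # seconds between the sender-supplied Date: and the first MTA timestamp
        "transit_seconds": transit,
        # does the client IP our own MTA recorded agree with X-Originating-IP?
        "consistent": bool(hops) and hops[0]["ip"] == originating,
    }


if __name__ == "__main__":
    result = trace(SAMPLE_HEADER)
    for hop in result["hops"]:
        print(f"{hop['from']} (HELO {hop['helo']}) -> {hop['by']} with {hop['with']} at {hop['date']}")
    print("originating IP:", result["originating_ip"], "| consistent:", result["consistent"])
    print("transit seconds:", result["transit_seconds"])
```

On this header the two timestamps agree to the second once both are converted to UTC (11:06:53 EDT and 20:36:53 +0530 are the same instant), and the hop IP matches X-Originating-IP. The from, HELO, From:, Return-Path: and Date: values are all written by the sending side, so when a header has several Received: lines the trustworthy ones are those stamped by servers you control, and this function keeps them in order so you can read inward from your own MTA.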
The header can be viewed by going to Actions in Yahoo Mail; in Gmail it is found under Settings. If you use some other website, the best way is to find it using Google. Now that you have the IP address, what can you do?
The answer is very simple: you can just do a whois lookup for that IP address.
Whois is a tool that has information about all the hosts. When I did a whois lookup for the above IP address it revealed the following information:
Whois IP 209.124.87.14
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=209.124.87.14?showDetails=true&showARIN=false&ext=netref2
#
# start
NetRange: 209.124.64.0 - 209.124.95.255
CIDR: 209.124.64.0/19
OriginAS:
NetName: DRAGON-BLK-1
NetHandle: NET-209-124-64-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1999-04-20
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-209-124-64-0-1
OrgName: Dragon Networks, Inc.
OrgId: DRAGON-8
Address: 93, Moor Lane
City: Wilmslow
StateProv: Cheshire
PostalCode: SK9 6BR
Country: GB
RegDate: 2002-05-19
Updated: 2012-06-21
Ref: http://whois.arin.net/rest/org/DRAGON-8
OrgAbuseHandle: ABUSE1150-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1 404.300.9889
OrgAbuseEmail: @dragonnetwurx.com
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE1150-ARIN
OrgNOCHandle: CTS4-ARIN
OrgNOCName: Smith, Charles T
OrgNOCPhone: +1 404-949-7884
OrgNOCEmail: @dragonnetwurx.com
OrgNOCRef: http://whois.arin.net/rest/poc/CTS4-ARIN
OrgTechHandle: ABUSE1150-ARIN
OrgTechName: Abuse
OrgTechPhone: +1 404.300.9889
OrgTechEmail: @dragonnetwurx.com
OrgTechRef: http://whois.arin.net/rest/poc/ABUSE1150-ARIN
# end
# start
NetRange: 209.124.87.0 - 209.124.87.15
CIDR: 209.124.87.0/28
OriginAS: AS22653
NetName: NET-209-124-87-0-1
NetHandle: NET-209-124-87-0-1
Parent: NET-209-124-64-0-1
NetType: Reassigned
RegDate: 2013-04-26
Updated: 2013-04-26
Ref: http://whois.arin.net/rest/net/NET-209-124-87-0-1
OrgName: J. Eaton
OrgId: JE-98
Address: PO Box 3109 # 22016
City: Houston
StateProv: TX
PostalCode: 77253-3109
Country: US
RegDate: 2013-04-26
Updated: 2013-04-26
Ref: http://whois.arin.net/rest/org/JE-98
OrgAbuseHandle: ADMIN4210-ARIN
OrgAbuseName: Administrator
OrgAbusePhone: +1-760-683-4974
OrgAbuseEmail: @gmail.com
OrgAbuseRef: http://whois.arin.net/rest/poc/ADMIN4210-ARIN
OrgTechHandle: ADMIN4210-ARIN
OrgTechName: Administrator
OrgTechPhone: +1-760-683-4974
OrgTechEmail: @gmail.com
OrgTechRef: http://whois.arin.net/rest/poc/ADMIN4210-ARIN
# end
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
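The whois answer above contains two "# start ... # end" records, a /19 allocation and a /28 reassigned out of it, and the useful facts for an abuse report are buried in the more specific one. The script below is an added example (not part of the original post) that parses such ARIN output offline: it picks the longest-prefix record containing the IP, follows the Parent handle to build an escalation list of abuse contacts, and reports how many days before the mail was received the block was registered. The sample input is trimmed from the output quoted above to the fields the code uses, and the redacted e-mail addresses are left out; a live query would come from the whois command or the ARIN REST URL shown in the output, which this example does not perform.

```python
import ipaddress
from datetime import date

# Trimmed from the ARIN whois answer quoted above: only the fields used here
# are kept, and the contact e-mail addresses (redacted in the post) are dropped.
SAMPLE_WHOIS = """\
# start
NetRange:       209.124.64.0 - 209.124.95.255
CIDR:           209.124.64.0/19
NetName:        DRAGON-BLK-1
NetHandle:      NET-209-124-64-0-1
Parent:         NET-209-0-0-0-0
NetType:        Direct Allocation
RegDate:        1999-04-20
OrgName:        Dragon Networks, Inc.
OrgAbuseHandle: ABUSE1150-ARIN
OrgAbusePhone:  +1 404.300.9889
# end
# start
NetRange:       209.124.87.0 - 209.124.87.15
CIDR:           209.124.87.0/28
OriginAS:       AS22653
NetName:        NET-209-124-87-0-1
NetHandle:      NET-209-124-87-0-1
Parent:         NET-209-124-64-0-1
NetType:        Reassigned
RegDate:        2013-04-26
OrgName:        J. Eaton
OrgAbuseHandle: ADMIN4210-ARIN
OrgAbusePhone:  +1-760-683-4974
# end
"""


def parse_whois_blocks(text):
    """Turn each '# start' ... '# end' section into a dict (first value of a repeated key wins)."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "# start":
            current = {}
        elif line == "# end":
            if current:
                blocks.append(current)
            current = None
        elif current is not None and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            current.setdefault(key.strip(), value.strip())
    return blocks


def most_specific_block(blocks, ip):
    """Return (network, block) for the longest-prefix CIDR containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for block in blocks:
        for cidr in block.get("CIDR", "").split(","):   # ARIN may list several CIDRs
            cidr = cidr.strip()
            if not cidr:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, block)
    return best


def abuse_chain(blocks, ip):
    """Abuse contacts from the most specific block upward, following Parent handles."""
    by_handle = {b["NetHandle"]: b for b in blocks if "NetHandle" in b}
    found = most_specific_block(blocks, ip)
    chain, block = [], found[1] if found else None
    while block is not None:
        chain.append((block.get("OrgName"), block.get("OrgAbuseHandle"), block.get("OrgAbusePhone")))
        block = by_handle.get(block.get("Parent"))   # stops when the parent is not in the answer
    return chain


def days_since_registration(block, seen_on_iso):
    """Days between the block's RegDate and the date the mail was received (ISO strings)."""
    return (date.fromisoformat(seen_on_iso) - date.fromisoformat(block["RegDate"])).days


if __name__ == "__main__":
    blocks = parse_whois_blocks(SAMPLE_WHOIS)
    net, block = most_specific_block(blocks, "209.124.87.14")
    print(f"{net} ({block['NetType']}) held by {block['OrgName']}, "
          f"registered {days_since_registration(block, '2013-06-12')} days before the mail")
    for org, handle, phone in abuse_chain(blocks, "209.124.87.14"):
        print(f"  abuse contact: {org} / {handle} / {phone}")
```

Here the /28 was reassigned 47 days before the mail arrived, a freshly registered block being a common pattern for bulk senders, and the abuse chain gives the holder first and the /19 allocation's contact as the escalation point if the first report goes unanswered.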