
E-MaiL HeadeR
How To Read Email Headers And Find Internet Hosts
Author:- PranaY ([email protected])
Nick:- P
Description:-
This article is written for educational purpose.
Process:-
Now some of you may think that headers are
too simple or boring to waste time on. However,
a few weeks ago I asked if anyone could
tell me exactly what email tricks I was playing
in the process of mailing out the Digests.
But not one person replied with a complete
answer -- or even 75% of the answer -- or
even suspected that for months almost all
of them have doubled as protests.
The targets: ISPs offering download sites
for email bomber programs.
Conclusion: it is time to talk headers!
In this Guide we will learn:
* what is an email header
* why email headers are fun
* how to see full email headers
* what all that stuff in your email headers means
* how to get the names of Internet host computers
  from your email headers
* the foundation for understanding the forging
  of email and Usenet posts, catching the people
  who forge headers, and the theory behind
  those email bomber programs that can bring
  an entire Internet Service Provider (ISP)
  to its knees
This is a Guide you can make at least some
use of without getting a shell account or
installing some form of Unix on your home
computer. All you need is to be able to send
and receive email, and you are in business.
However, if you do have a shell account,
you can do much more with deciphering headers.
Viva Unix!
Headers may sound like a boring topic. Heck,
the Eudora email program named the button
you click to read full headers "blah
blah blah." But all those guys who tell
you headers are boring are either ignorant
-- or else afraid you'll open a wonderful
chest full of hacker insights. Yes, every
email header you check out has the potential
to unearth a treasure hidden in some back
alley of the Internet.
Now headers may seem simple enough to be
a topic for one of our Beginners' Series
Guides. But when I went to look up the topic
of headers in my library of manuals, I was
shocked to find that most of them don't even
cover the topic. The two I found that did
cover headers said almost nothing about them.
Even the relevant RFC 822 is pretty vague.
If any of you super-vigilant readers looking
for flame bait happen to know of any literature
that *does* cover headers in detail, please
include that information in your tirades!
*********************************************
Technical tip: Information relevant to headers
may be extracted from Requests for Comments
(RFCs) 822 (best), as well as 1042, 1123,
1521 and
1891 (not a complete list). To read them,
take your Web browser to http://altavista.digital.com
and search for "RFC 822" etc.
*********************************************
Lacking much help from manuals, and finding
that RFC 822 didn't answer all my questions,
the main way I researched this article was
to send email back and forth among some of
my accounts, trying out many variations in
order to see what kinds of headers they generated.
Hey, that's how real hackers are supposed
to figure out stuff when RTFM (read the fine
manual) or RTFRFC (read the fine RFC) doesn't
tell us as much as we want to know. Right?
One last thing. People have pointed out to
me that every time I put an email address
or domain name in a Guide to (mostly) Harmless
Hacking, a zillion newbies launch botched
hacking attacks against these. All email
addresses and domain names below have been
fubarred.
************************************************
Newbie note: The verb "to fubar"
means to obscure email addresses and Internet
host addresses by changing them. Ancient
tradition holds that it is best to do so
by substituting "foobar" or "fubar"
for part of the address.
************************************************
What are email headers?
If you are new to hacking, the headers you
are used to seeing may be incomplete. Chances
are that when you get email it looks something
like this:
From: Cool Guy
Date: Fri, 1 March 2006
To: [email protected]
But if you know the right command, suddenly,
with this same email message, we are looking
at tons and tons of stuff:
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
    for [email protected] id OAA07210; Fri, 1 March 2006
Received: from ifi.foobar.no by o200.fooway.net via ESMTP
    (950413.SGI.8.6.12/951211.SGI) for id OAA18967; Fri, 1 March 2006
Received: from gyllir.ifi.foobar.no ([email protected] [129.xxx.64.230])
    by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id for ; Fri, 1 March 2006
From: Vegbar Fubar
Received: from localhost (Vegbarha@localhost)
    by gyllir.ifi.foobar.no ; Fri, 1 March 2006
Date: Fri, 1 March 2006
Message-Id: <[email protected]>
To: [email protected]
Hey, have you ever wondered why all that
stuff is there and what it means? We'll return
to this example later in this tutorial. But
first we must consider the burning question
of the day:
Why are email headers fun?
Why bother with those "fucking"
headers? They are boring, right? Wrong!
1) Ever hear a wannabe hacker complaining
he or she doesn't have the addresses of any
good computers to explore? Have you ever
used one of those IP scanner programs that
find valid Internet Protocol addresses of
Internet hosts for you? Well, you can find
gazillions of valid addresses without the
crutch of one of these programs simply by
reading the headers of emails.
2) Ever wonder who really mailed that "Make
Money Fast" spam? Or who is that klutz
who email bombed you? The first step to learning
how to spot email forgeries and spot the
culprit is to be able to read headers.
3) Want to learn how to convincingly forge
email? Do you aspire to write automatic spam
or email bomber programs? (I disapprove of
spammer and email bomb programs, but let's
be honest about the kinds of knowledge their
creators must draw upon.) The first step
is to understand headers.
4) Want to attack someone's computer? Find
out where best to attack from the headers
of their email. I disapprove of this use,
too. But I'm dedicated to telling you the
truth about hacking, so like it or not, here
it is.
How can you see full email headers?
So you look at the headers of your email
and it doesn't appear to have any good stuff
whatsoever. Want to see all the hidden stuff?
The way you do this depends on what email
program you are using.
The most popular email program today is Eudora.
To see full headers in Eudora, just click
the "blah, blah, blah" button on
the far left end of the tool bar.
The Netscape web browser includes an email
reader. To see full headers, click on Options,
then click the "Show All Headers"
item.
Sorry, I haven't looked into how to do that
with Internet Explorer. Oh, no, I can see
the flames coming, how dare I not learn the
ins and outs of IE mail! But, seriously,
IE is a dangerously insecure Web browser
because it is actually a Windows shell. So
no matter how often Microsoft patches its
security flaws, chances are you will be hurt
by it one of these days. Just say "no"
to IE.
Another popular email program is Pegasus.
Maybe there is an easy way to see full headers
in Pegasus, but I haven't found it. The hard
way to see full headers in Pegasus -- or
IE -- or any email program -- is to open
your mail folders with Wordpad. It is included
in the Windows 95 operating system and is
the best Windows editing program I have found
for handling documents with lots of embedded
control characters and other oddities.
The Compuserve 3.01 email program automatically
shows full headers. Bravo, Compuserve!
What does all that stuff in your email headers mean?
We'll start by taking a look at a mildly
interesting full header. Then we'll examine
two headers that reveal some interesting
shenanigans. Finally we will look at a forged
header.
OK, let us return to that fairly ordinary
full header we looked at above. We will decipher
it piece by piece. First we look at the simple
version:
From: Cool Guy
Date: Fri, 1 March 2006
To: [email protected]
The information within any header consists
of a series of fields separated from each
other by a "newline" character.
Each field consists of two parts: a field
name, which includes no spaces and is terminated
by a colon; and the contents of the field.
In this case the only fields that show are
"From:", "Date:", and "To:".
In every header there are two classes of
fields: the "envelope," which contains
only the sender and recipient fields; and
everything else, which is information specific
to the handling of the message. In this case
the only field that shows which gives information
on the handling of the message is the Date
field.
When we expand to a full header, we are able
to see all the fields of the header. We will
now go through this information line by line.
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for [email protected] id OAA07210; Fri, 1 March 2006
This line tells us that I downloaded this
email from the POP server at a computer named
o200.fooway.net. This was done on behalf
of my account with email address of [email protected].
The (950413.SGI.8.6.12/951211.SGI) part identifies
the software name and version running that
POP server.
********************************************
Newbie note: POP stands for Post Office Protocol.
Your POP server is the computer that holds
your email until you want to read it. Usually
the email program on your home computer
or shell account computer will connect to
port 110 on your POP server to get your email.
A similar, but more general protocol is IMAP,
for Interactive Mail Access Protocol. Trust
me, you will be a big hit at parties if you
can hold forth on the differences between
POP and IMAP, you big hunk of a hacker, you!
(Hint: for more info, RTFRFCs.)
********************************************
Now we examine the second line of the header:
Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for id OAA18967; Fri, 1 March 2006
Well, gee, I didn't promise that this header
would be *totally* ordinary. This line tells
us that a computer named ifi.foobar.no passed
this email to the POP server on o200.fooway.net
for someone with the email address of [email protected].
This is because I am piping all email to
[email protected] into the account [email protected].
Under Unix this is done by setting up a file
in your home directory named ".forward"
with the address to which you want your email
sent. Now there is a lot more behind this,
but I'm not telling you. Heh, heh. Can any
of you evil geniuses out there figure out
the whole story?
"ESMTP" stands for "extended
simple mail transfer protocol." The
"950413.SGI.8.6.12/951211.SGI"
designates the program that is handling my
email.
Now for the next line in the header:
Received: from gyllir.ifi.foobar.no ([email protected] [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id for ; Fri, 1 March 2006
This line tells us that the computer ifi.foobar.no
got this email message from the computer
gyllir.ifi.foobar.no. These two computers
appear to be on the same LAN. In fact, note
something interesting. The computer name
gyllir.ifi.foobar.no has a number after it,
129.xxx.64.230. This is the numerical representation
of its name. (I substituted ".xxx."
for three numbers in order to fubar the IP
address.) But the computer ifi.foobar.no
didn't have a number after its name. How
come?
Now if you are working with Windows 95 or
a Mac you probably can't figure out this
little mystery. But trust me, hacking is
all about noticing these little mysteries
and probing them (until you find something
to break, muhahaha -- only kidding, OK?)
But since I am trying to be a real hacker,
I go to my trusty Unix shell account and
give the command:
>nslookup ifi.foobar.no
Server: Fubarino.com
Address: 198.6.71.10
Non-authoritative answer:
Name: ifi.foobar.no
Address: 129.xxx.64.2
Notice the different numerical IP addresses
between ifi.foobar.no and gyllir.ifi.foobar.no.
Hmmm, I begin to think that the domain ifi.foobar.no
may be a pretty big deal. Probing around
with dig and traceroute leads me to discover
lots more computers in that domain. Probing
with nslookup in the mode "set type=any"
tells me yet more.
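To turn the line-by-line reading above into something you can run, here is an added example (not from the original guide) in Python: it unfolds a raw header block into fields the way RFC 822 folding works, then walks the Received: lines oldest-first, pulling out the host the sender claimed, the IP address the receiving server wrote in square brackets, and the receiving host. The sample header is constructed, modelled on the fubarred one above, with placeholder names and documentation-range IPs.

```python
import re

# Constructed sample modelled on the fubarred header above (added example, not the
# author's code): hosts, addresses and queue ids are placeholders, IPs are from the
# 192.0.2.0/24 documentation range.
RAW_HEADERS = """\
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
    for user@fooway.net id OAA07210; Fri, 1 March 2006
Received: from ifi.foobar.no by o200.fooway.net via ESMTP
    (950413.SGI.8.6.12/951211.SGI) for user@foobar.no id OAA18967; Fri, 1 March 2006
Received: from gyllir.ifi.foobar.no (vegbar@gyllir.ifi.foobar.no [192.0.2.230])
    by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id OAA00001; Fri, 1 March 2006
From: Vegbar Fubar <vegbar@ifi.foobar.no>
Received: from localhost (vegbar@localhost)
    by gyllir.ifi.foobar.no ; Fri, 1 March 2006
Date: Fri, 1 March 2006
To: user@foobar.no
"""

def unfold(raw):
    """(name, value) pairs; RFC 822 continuation lines (leading whitespace)
    are joined back onto their field. A blank line ends the header block."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)")
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(fields):
    """Path oldest-first as (claimed sender host, IP recorded by the receiver
    or None, receiving host). Relays prepend Received:, so the top line is newest."""
    hops = []
    for name, value in fields:
        m = HOP.search(value) if name.lower() == "received" else None
        if m:  # a bare "Received: by ..." (the POP pickup) names no sender host
            ip = IP.search(m.group(2) or "")
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    hops.reverse()
    return hops
```

The bracketed IP is written by the receiving server, so it is worth more than the host name the sender claimed; the hops below the first relay you trust were added by machines you do not control and are the part a forger can make up.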