Email Tracing

COEN 152 / 252Computer Forensics

Thomas Schwarz, S.J. 2006

Email Investigations: Overview

Email has become a primary means of communication.

Email can easily be forged. Email can be abused

Spam Aid in committing a crime … Threatening email, …

Email Investigations: Overview Email evidence:

Is in the email itself Header Contents

In logs: Left behind as the email travels from sender to

recipient. Law enforcement uses subpoenas to follow the

trace. System admins have some logs under their control.

Notice: All fakemailing that you will be learning can be easily traced.

Email Fundamentals Email travels from originating computer to the

receiving computer through email servers. All email servers add to the header. Use important internet services to interpret

and verify data in a header.

Email Fundamentals

Typical path of an email message:

ClientMail Server

Mail Server

Mail Server

Client

Internet Basics

IP Address – IPv4 IP Address – IPv6 IP Address Types Hostnames & DNS Email Routing Resources

Internet Basics:IP Address – IPv4 Dominant standard for addressing 32 bit address space

4 bytes 232 or 4.3B addresses Typical representation is 4 octets

Ranges from 0.0.0.0 to 255.255.255.255 E.g. – 209.191.122.70

Integer representation is 3,518,986,822 Almost a 30 year old standard >90% of all IPv4 addresses allocated

Internet Basics:IP Address – IPv6 Next Generation of Internet addressing 128 bit address space

16 bytes 2128 or 3.4×1038 340 trillion trillion trillion 340,000,000,000,000,000,000,000,000,000,000 000,000

Represented as 8 hexadecimal numbers Ranges from 0:0:0:0:0:0:0:0 to

FFFF:FFFF:FFFF:FFFF: FFFF:FFFF:FFFF:FFFF Examples (with shorthand notation)

2001:db8:1f70::999:de8:7648:6e8 FF3E:40:2001:dead:beef:cafe:1234:5678

10+ years of deployment, but still maturing

Internet Basics:IP Address Types Public / Private

Some addresses are public or externally visible Others are private or internal to an organization RFC 3330 defines these ranges and their purpose The most commonly seen “private” addresses

10.0.0.0 – 10.255.255.255 172.16.0.0 – 172.31.255.255 192.168.0.0 – 192.168.255.255

Private addresses are unroutable externally Proxies

Anonymizers, Satellites, International and Regional

Internet Basics:IP Address Types (cont) Static / Dynamic addresses

Some IP addresses are statically assigned to a single computer

Typically infrastructure and/or servers Some are shared by multiple computers using

NAT or DHCP within a local organization Many organizations use Network Address

Translation (NAT) NAT boxes – single externally visible IP address Incoming packet examined and routed

according to the source address and port number

Forwarded to an internal, private IP address

Internet Basics:Hostnames & DNS DNS is the Domain Name System Translates between human friendly

host/domain names (e.g. www.yahoo.com) and machine friendly IP addresses

Forward DNS Lookup “dig www.yahoo.com” or “nslookup

www.yahoo.com” www.yahoo.com 209.191.122.70

Reverse DNS Lookup “dig –x 209.191.122.70” or “nslookup

209.191.122.70” 209.191.122.70 www.yahoo.com

Internet Basics:Hostnames & DNS

DNS Overview Conceptually a cached hierarchy of

host/domain name assignments and IP addresses

Each node is a name server Requests originate local to the user and

escalate “up” only as far as necessary, then “down” as soon as possible – tree traversal

DNS Root servers are at the “top”

Internet Basics:Hostnames & DNS DNS Overview (continued)

Searches start with the “local host” file Missing or stale entries escalate up Local name server is the first stop, then

usually the local ISP’s up through to the Root Name Servers as necessary

Once an authoritative, responsible name server is found, the search is downward focused until the specific machine name/address is found.

Internet Basics:Hostnames & DNS DNS Overview (continued)

Complete escalation is usually not required, as caching is extensively used

The local “host file” file can be altered Can be used to block pop-ups and bad websites

E.g., Spybot uses this as a preventative technique Malware can use this “feature” as well

Local name servers can/could be injected with malicious data

See the “Hillary for Senate” case

Internet Basics:Resources

Internet Assigned Numbers Authority Responsible for the global coordination

of the DNS Root, IP addressing, and other Internet protocol resources

Managed resources include Port Numbers Autonomous Systems Numbers Top Level Domains (TLDs)

www.iana.org

Internet Basics:Resources (cont) Regional Internet Registries

Five regions APNIC – Asia and the Pacific region ARIN – North America (the first registry, legacy entries) LACNIC – Latin American and Caribbean RIPE – Europe AfriNIC – Africa

Regionally allocates IP addresses to orgs Each provides IP address “whois”

services i.e. who is responsible for an IP address

Internet Basics:Resources (cont) IP address top level allocations and registry

assignments www.iana.org/assignments/ipv4-address-space

whois Regional Internet registries definitive source DNSStuff - http://www.dnsstuff.com

alternative whois provides owner, location, contact info

Geolocation Maxmind - www.maxmind.com

Internet Basics:Resources (cont)

Hostname lookups dig, replacing nslookup “dig www.scu.edu” “dig –x 129.210.2.1” (reverse lookup)

“traceroute” (tracert) Great for verifying general location and

possible affiliations Web versions are available from around

the world

Email Fundamentals: Important Services Domain Name System (DNS) translates between

domain names and IP address. MX records (http://en.wikipedia.org/wiki/MX_record) in

the DNS database specify the host’s or domains mail exchanger

Can have multiple MX records, with priority attached:

Email to user@scu.edu will then be sent to user@cse.scu.edu.

If that site is down, then it will be sent to user@mailhost.soe.ucsc.edu.

The mailer at both sites needs also be set up to accept the messages.

MX 10 cse

MX 100 mailhost.soe.uscs.edu

Email Protocols:

A mail server stores incoming mail and distributes it to the appropriate mail box.

Behavior afterwards depends on type of protocol.

Accordingly, investigation needs to be done at server or at the workstation.

Email Protocols: Email program such as Outlook or

Groupwise are a client application. Needs to interact with an email

server: Post Office Protocol (POP) Internet Message Access Protocol (IMAP) Microsoft’s Mail API (MAPI)

Web-based email uses a web-page as an interface with an email server.

Email Protocols:

Post Office Service

Protocol Characteristics

Stores only incoming messages.

POP Investigation must be at the workstation.

Stores all messages

IMAPMS’ MAPILotus Notes

Copies of incoming and outgoing messages might be stored on the workstation or on the server or on both.

Web-based send and receive.

HTTP Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation. Easy to spoof identity.

Email Protocols: SMTP Neither IMAP or POP are involved

relaying messages between servers. Simple Mail Transfer Protocol: SMTP

Easy. Has several additions. Can be spoofed:

By using an unsecured or undersecured email server.

By setting up your own smtp server.

Email Protocols: SMTPHow to spoof emailtelnet endor.engr.scu.edu 25220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005

14:58:49 - 0800

helo 129.210.16.8250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu

[129.210.19.198], pleased to meet you

mail from: jholliday@engr.scu.edu250 2.1.0 jholliday@engr.scu.edu... Sender ok

rcpt to: tschwarz@scu.edu250 2.1.5 tschwarz@scu.edu... Recipient ok

data354 Enter mail, end with "." on a line by itself

This is a spoofed message.. 250 2.0.0 jBSMwnTd023057 Message accepted for delivery

quit 221 2.0.0 endor.engr.scu.edu closing connection

Email Protocols: SMTPReturn-path: <jholliday@engr.scu.edu>Received: from MGW2.scu.edu [129.210.251.18]by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by MGW2.scu.edu(Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066443608@MGW2.scu.edu> for <tjschwarz@scu.edu>;Wed, 28 Dec 2005 15:00:29 -0800X-Modus-BlackList: 129.210.16.1=OK;jholliday@engr.scu.edu=OKX-Modus-Trusted: 129.210.16.1=NOReceived: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34])by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057for tjschwarz@scu.edu; Wed, 28 Dec 2005 15:00:54 -0800Date: Wed, 28 Dec 2005 14:58:49 -0800From: JoAnne Holliday <jholliday@engr.scu.edu>Message-Id: <200512282300.jBSMwnTd023057@endor.engr.scu.edu>

this is a spoofed message.

This looks very convincing.

Only hint: received line gives the name of my machine.

If I were to use a machine without a fixed IP, then you can determine the DHCP address from the DHCP logs.

Email Protocols: SMTPHow to spoof email Endor will only relay messages from machines

that have properly authenticated themselves within the last five minutes.

Subject lines etc. are part of the data segment. However, any misspelling will put them into the body of the message.

Email Protocols: SMTPHow to spoof emailtelnet endor.engr.scu.edu 25220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 15:36:13 -0800mail from: plocatelli@scu.edu250 2.1.0 plocatelli@scu.edu... Sender okrcpt to: tschwarz@scu.edu250 2.1.5 tschwarz@scu.edu... Recipient okdata354 Enter mail, end with "." on a line by itselfDate: 23 Dec 05 11:22:33From: plocatelli@scu.eduTo: tschwarz@scu.eduSubject: Congrats

You are hrby appointed the next president of Santa Clara University, effectively

immediately.

Best, Paul.250 2.0.0 jBSNaDlu023813 Message accepted for deliveryquit

Email Protocols: SMTPHow to spoof email

Email Protocols: SMTPHow to spoof email

Unix Use sendmail %usr/lib/sendmail –t –f

HolyFather@vatican.va < test_message

Email Protocols: SMTP

Things are even easier with Windows XP.

Turn on the SMTP service that each WinXP machine runs. Create a file that follows the SMTP protocol. Place the file in Inetpub/mailroot/Pickup

Email Protocols: SMTP

To: tschwarz@engr.scu.eduFrom: HolyFather@vatican.va

This is a spoofed message.

From HolyFather@vatican.va Tue Dec 23 17:25:50 2003Return-Path: <HolyFather@vatican.va>Received: from Xavier (dhcp-19-226.engr.scu.edu [129.210.19.226])by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244for <tschwarz@engr.scu.edu>; Tue, 23 Dec 2003 17:25:50 -0800Received: from mail pickup service by Xavier with Microsoft SMTPSVC;Tue, 23 Dec 2003 17:25:33 -0800To: tschwarz@engr.scu.eduFrom: HolyFather@vatican.vaMessage-ID: <XAVIERZRTHEQXHcJcKJ00000001@Xavier>X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9BC]Date: 23 Dec 2003 17:25:33 -0800X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) onserver4.engr.scu.eduX-Spam-Level:X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=noversion=2.60-rc3

This is a spoofed message.

Email Protocols: SMTP

SMTP Headers: Each mail-server adds to headers. Additions are being made at the top

of the list. Therefore, read the header from the

bottom.

To read headers, you usually have to enable them in your mail client.

SMTP HeadersTo enable headers: Eudora:

Use the Blah Blah Blah button Hotmail:

Options Preferences Message Headers. Juno:

Options Show Headers MS Outlook:

Select message and go to options. Yahoo!:

Mail Options General Preferences Show all headers. Groupwise:

Message itself is “attached” to each email. You need to look at it.

SMTP Headers Headers consists of header fields

Originator fields from, sender, reply-to

Destination address fields To, cc, bcc

Identification Fields Message-ID-field is optional, but extremely important

for tracing emails through email server logs. Informational Fields

Subject, comments, keywords Resent Fields

Resent fields are strictly speaking optional, but luckily, most servers add them.

Resent-date, resent-from, resent-sender, resent-to, resent-cc, resent-bcc, resent-msg-id

SMTP Headers

Trace Fields Core of email tracing. Regulated in RFC2821. When a SMTP server receives a

message for delivery or forwarding, it MUST insert trace information at the beginning of the header.

SMTP Headers The FROM field, which must be supplied in an

SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection.

The ID field may contain an "@" as suggested in RFC 822, but this is not required.

The FOR field MAY contain a list of <path> entries when multiple RCPT commands have been given.

A server making a final delivery inserts a return-path line.

SMTP Header Spotting spoofed messages

Contents usually gives a hint. Each SMTP server application adds a different

set of headers or structures them in a different way.

A good investigator knows these formats. Use internet services in order to verify header

data. However, some companies can outsource email or

use internal IP addresses. Look for breaks / discrepancies in the

“Received” lines.

SMTP Header

Investigation of spoofed messages Verify all IP addresses

Keeping in mind that some addresses might be internal addresses.

Make a time-line of events. Change times to universal standard time. Look for strange behavior. Keep clock drift in mind.

Additonal Info: http://www.uic.edu/depts/accc/newsletter/adn29/headers.html

Server Logs

E-mail logs usually identify email messages by: Account received IP address from which they were sent. Time and date (beware of clock drift) IP addresses

Server LogsDec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: from=evil@evil.com,

size=147, class=0, nrcpts=1, msgid=<200601010225.k012OV1i030597@endor.engr.scu.edu>, proto=SMTP, daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211]

Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865

Dec 31 18:26:15 endor spamd[28512]: spamd: setuid to tschwarz succeeded Dec 31 18:26:15 endor spamd[28512]: spamd: processing message

<200601010225.k012OV1i030597@endor.engr.scu.edu> for tschwarz:1875 Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for

tschwarz:1875 in 0.2 seconds, 525 bytes. Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 -

MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42865,mid=<200601010225.k012OV1i030597@endor.engr.scu.edu>,autolearn=no

Dec 31 18:26:15 endor spamd[21352]: prefork: child states: II Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597:

to=tschwarz@engr.scu.edu, delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent

Sample log entry at endor.

Server Logs Many servers keep copies of emails. Most servers purge logs.

Law-enforcement: Vast majority of companies are very cooperative. Don’t wait for the subpoena, instead give system

administrator a heads-up of a coming subpoena. Company:

Local sys-ad needs early warning. Getting logs at other places can be dicey.

Unix Sendmail Configuration file /etc/sendmail.cf

and /etc/syslog.conf Gives location of various logs and their

rules. maillog (often at /var/log/maillog)

Logs SMTP communications Logs POP3 events

You can always use: locate *.log to find log files.

Techniques

Investigating email for forgery Evidentiary material is

Directly in header Indirectly in formatting headers Timestamps

Header Trace Resource http://www.ip-adress.com/

trace_email/

Techniques Header Investigation

Lookup all host names and IP addresses Check for inconsistencies Be aware of

internal IP addresses web hosting company

Generate Timeline Be aware of

clock drift, delays, time zone differences