boz4: SIMPLISTIC EMAIL TRACING
Don't you ever run into that occasional user that pisses you off so bad you just want to strangle the bastard? Well now through this special blizzard of oz offer you might be able to. Most people think email tracing is a complicated procedure only an admin can perform correctly, not the case if you can use a web browser you can trace email.
So here's the gig. All email sent and recieved has a header. The header has the i.p.'s of all the smtp servers which sent, relayed, and recieved a message. So here's an actual mail header sent from and recieved by actual people using netscape navigator with "show all header information" turned on slightly reformatted and broken down in easy to read form.
Received:
from mail.webchoice.net (webchoice.net.6.240.24.in-addr.arpa [24.240.6.14] (may be forged)) by services.computerland.net (8.8.7/8.8.7) with ESMTP id MAA2667933 for <kbooth@computerland.net>; Wed, 26 Jan 2000 12:33:29 -0600 (CST)
<< mail.webchoice.net aka 24.240.6.14 is the sending mail server the may be forged line was inserted automatically since it is possible to forge the sending server. services.computerland.net is the receiving mail server running extended simple mail transfer protocol (ESMTP) ver. 8.8.7 plus the esmtp id, which isn't of much use to you unless your a sys admin on that mail server, and then the address it was implemented for, which would be the pop account - kbooth. >>
Received:
from logan (unverified [208.18.8.3]) by mail.webchoice.net (Rockliffe SMTPRA 3.2.0) with SMTP id <B0000471457@mail.webchoice.net> for <kbooth@computerland.net>; Wed, 26 Jan 2000 12:36:45 -0600
<< the webchoice mail server got the request to nab this message off the server from "logan" @ 208.18.8.3 which would be the place the pop3 server was logged into from. there's another smtp id we don't need and the date. >>
Message-ID:
<388F3F12.7DB2@webchoice.net>
<< only useful to the admin of the smtp server >>
X-Mailer:
Mozilla 3.04 (Win95; I)
MIME-Version:
1.0
<< the o/s and mail client used to mail >>
Reply To:
logan@webchoice.net
I snipped the last 5 entries or so since thier pretty useless for tracing purposes really. So the bulk of the information we need is in the first header. First things first, we need to identify the server the mail was sent from. Which is webchoice.net, next we need to know the user name which is anything before the @ in the reply to address. Which would be logan. So it looks like the mail was sent from a user named "logan" through the webchoice.net smtp server. But what was logan's point of origin? Check out the second recieve header - from logan at 208.18.8.3 by webchoice. That ip isn't even close the webchoice smtp server's. So "logan" wasn't getting his internet service from the webchoice dial-up server. A quick scan on 208.18.8.3 will tell you that that ip has a firewall, which means someone has a reason for hiding behind it and that would have to be a business of some sort possibly a corporation. So that's all great but we need more information.
At this point it would be in our best interest to make a WHOIS query. What is a whois query? Every domain on the net has to be registered through internic, internic by law is required to make those records public information searchable through a database. There are a ton of whois servers out there and so i'm just gonna name a few that I have had good luck with.
www.arin.net - American Registy for Internet #'s really excellent. 5 star service.
www.apnic.net - good for getting info on asian pacific servers.
www.aunic.net - good for getting info on australian servers.
www.nic.mil - all you ever wanted to know about military servers-beware monitoring.
www.nic.gov - secrets of the government revealed.
www.ripe.net - good for european servers.
samspade.org/t/ - more than just whois excellent set of tools.
So I plug in 24.240.6.14 to the whois server windows and hit go:
High Speed Access Corp (NETBLK-HSACORP-2BLK) HSACORP-2BLK 24.240.0.0 - 24.240.127.255
HSA Corporation (NETBLK-HSA-COLUMBIA1) HSA-COLUMBIA1 24.240.6.0 - 24.240.6.255
Interesting, webchoice's t-whatever block is served to them by HSA Corporation. Useful, you could take superscan and work up the whole ip block and the cross reference webchoice to the ip's and query that ip but i think we can do better. Skip over to samspade.org/t/ and plugin webchoice.net to the address digger and check the whois box. Put webchoice.net in the box and stand back cuz' its about to get messy.
Registrant:
Capital International Holdings (WEBCHOICE3-DOM)
7777 Bonhomme Ave. Suite 1715
St. Louis, MO 63105
US
Domain Name: WEBCHOICE.NET
Administrative Contact:
Meier, Mary (MM10406) mmcap@AOL.COM
314 726 0099 (FAX) 314 726 4880
Technical Contact, Zone Contact:
Ruthenberg, Mark (MR15519) noc@WEBCHOICE.NET
573-875-0396 (FAX) 573-875-3007
Billing Contact:
Meier, Mary (MM10406) mmcap@AOL.COM
314 726 0099 (FAX) 314 726 4880
Record last updated on 19-Jan-2000.
Record created on 16-Dec-1997.
Database last updated on 26-Jan-2000 14:15:01 EST.
Domain servers in listed order:
DNS1.WEBCHOICE.NET 24.240.6.9
DNS2.WEBCHOICE.NET 24.240.7.9
That's more like it. These are the people that registered the webchoice domain. A look at www.webchoice.net will tell you the home office is in columbia, mo so we want to find which one of these contact #'s is columbia based. Well the 314 area-code is St. Louis so we'll search on the 573.875.3007 #. Over to www.phoneloser.org/pi.html for an area code and prefix search and KABLAM. We now have a contact name and number to social engineer details about the account. Using the number on the homepage is always an option but the numbers here are upper administration if we can't weasal any info about logan out of Mark Ruthenburg we can just as easily call up the home office in St. Louis and talk to our new friend Mary. The conversation would go a little something like this.
Hello this is Mark can I help you?
Yea, this is (name of admin) for computerland internet services and we received a message from your mail server using an account called "logan" and would like to contact the owner of the message concerning it's content. Could you tell me the name on the account?
Well, Im sorry to hear that one of our users is misusing thier account, Ill get that information for you just one minute << one minute later >> Yea that account is registered to Chad Logan and he didn't leave a phone #.
Thank you very much, SUCKAH, I mean Mark. Have a fantastic day.
It really is that easy usually. Back over the phoneloser's pi page with a person search for columbia,mo and here's mr. chad logan who due to the fact he didn't sign up to have his # unlisted has made his address and phone # public record. So now you know without a question the owner of the account's full name, address, and telephone number. Now if we could just figure out where he works at. A quick call the Columbia Utility office pretending to be chad wanting to check his current billing address and work information will tell us his place of employment. Lucky for us Mr. Logan has a job at mbs books who has a website www.mbsbooks.com by taking the info from a search on arin.net for 208.18.8.3 and mbsbooks.com you can see that mbsbooks domain server is server via sprintlink as is the 208.* ip address. So it looks the firewall at mbs gave up the identity of the user at the terminal the mail was sent from. KABLAM. Another piece of the puzzle now we know the sender where the sender works where the sender was at when the message was sent the date and time. You still want more information? Well let's say this Chad Logan clown is an underground kingpin and you cant take him on alone. Call up his work and make up something halfway beleivable and more than likely they'll tell you his SS# over the phone. Then you will own the chadster. Every service he is subscribed to, every loan, every traffic ticket, every credit card transaction can be exploited to it's full extent. I dont have enough room here to cover all that but in future issues watch for it.
So now you know the basic fundamentals of tracing down an email message. There are a few services which are going to be tough to trace through like hotmail, flashemail, and yahoo. It can be done, but it will require a little advanced social engineering and some mad technique since they specifically safeguard against things like that. The only real problem in tracing email, like tracing anything it doesn't do you any good to trace something to the source if the source isn't the place the person is at or they are using a hacked account and dialing in anonymously, since most isp's aren't gonna cough it up for ANI2 these people are invisible. If thier thinking ahead anyway they wont dialup from home to send a message they dont want traced. So a word to the wise be careful where you send your mail it's really not that hard to pinpoint exactly where it came from.
