Post by lilhack on Mar 13, 2007 17:53:55 GMT -5
For tracing purposes, the most interesting lines are the From: line (line
9) and the Received: lines (lines 2 through 7). The From: line can be
faked, as we will see below, and so is generally not trustworthy, but still
is worth pursuing. (We will look at tracing via the Received: lines in the
next example.)
We could send e-mail to the sender at this point, but it is worth first
finding out more about wl.com: information gathered elsewhere may give us a
way to approach the sender a bit more subtly.
There are two tools we can use on the Internet to get information about
domain names, people, and organizations. The first is the whois service. If
we issue the whois command with the argument wl.com, it gives us the
following information.
% whois wl.com
Warner Lambert / Parke-Davis (WL-DOM)
2800 Plymouth Road
Ann Arbor, MI 48106
Domain Name: WL.COM
Administrative Contact, Technical Contact, Zone Contact:
Leibowitz, Allen K. (AL184) leibowa@WL.COM
(313) 998-3314
Record last updated on 29-Apr-93.
Domain servers in listed order:
ENVOY.WL.COM 162.48.254.3
MERIT.EDU 35.1.1.42
The other tool is nslookup. We issue the command to nslookup asking for a
Start of Authority (SOA) record for the domain wl.com.
% nslookup
Default Server: sol.TIS.COM
Address: 192.33.112.100
> set query=soa
> wl.com.
Server: sol.TIS.COM
Address: 192.33.112.100
Non-authoritative answer:
wl.com origin = envoy.wl.com
mail addr = root.wl.com
serial=22, refresh=10800, retry=600, expire=86400, min=86400
Authoritative answers can be found from:
ENVOY.WL.COM inet address = 162.48.254.3
MERIT.EDU inet address = 35.1.1.42
> exit
In this case, using nslookup doesn't help: the mail address returned for the
zone contact is a generic one ("root") and so is less useful than the
information returned by whois.
At this point, with a phone number, organization, and address, one can
proceed to contact the organization or individual involved. It might also
be worthwhile to gather more data, as if we assumed that the From: line was
faked.
Example 2: Intentional Cover-up
In this example, the mail address of the sender of the mail is suspected
(or known) to have been falsified.
1 Return-Path: little.joe@bonanza.org
2 Received: from decuac.DEC.COM by TIS.COM (4.1/SUN-5.64)
3 id AA18164; Mon, 14 Jun 93 15:59:28 EDT
4 Received: from TIS.COM by decuac.DEC.COM (5.65/Ultrix-fma)
5 id AA04687; Mon, 14 Jun 93 15:58:25 -0400 XXX
6 Received: from envoy.wl.com by TIS.COM (4.1/SUN-5.64)
7 id AA17274; Mon, 14 Jun 93 15:51:58 EDT
8 From: Little Joe <little.joe@bonanza.org>
9 Date: Mon, 14 Jun 93 15:22:23 GMT
10 Message-Id: <9306141922.AA82912@bonanza.org>
11 To: Fred Avolio <avolio@TIS.COM>
12 Subject: bogus test #1
13
14 test #1
15 real time is Mon Jun 14 15:56:51 EDT 1993
16
17 -- Mr. Cartwright
Lines 1 and 8 indicate that the mail is from a user little.joe, real name
Little Joe at domain bonanza.org. Using nslookup we determine that no such
domain as bonanza.org exists.
% nslookup
Default Server: sol.TIS.COM
Address: 192.33.112.100
> set query=any
> bonanza.org.
Server: sol.TIS.COM
Address: 192.33.112.100
*** sol.TIS.COM can't find bonanza.org.: Non-existent domain
> exit
%
We assume this is a faked From: line and look to the Received: lines.
Received: lines are added, one on top of another, as e-mail passes from one
host to another. Unfortunately, they are not required, and, while most
hosts do, some hosts don't bother to add them. Think of Received: lines as
postmarks, but postmarks that are added at each post office along the way,
from mailing to delivery.
What we see is that according to the first (bottom) Received: line on lines
6 and 7, the mail originally came from envoy.wl.com into host tis.com at
15:51:58 EDT on Monday, June 14, 1993. Less than 7 minutes later it was
transferred from tis.com to decuac.dec.com (lines 4 and 5). And finally,
tis.com received it (again) from decuac.dec.com (lines 2 and 3) which took
it for local delivery.
Notice, also, that the Date: line might have been faked: the Received: lines
indicate a different time. (Note that all of these header lines can be
"faked." It is the analyst's job to look at them all together, decide which
make the most sense or seem to be correct, and then go forward,
investigating with that data, until proven wrong.)
The next step is to check the log files on the other machines. To do this we
must find out whom to contact at envoy.wl.com and decuac.dec.com. Again, we
use whois for this.
% whois decuac.dec.com
Digital Equipment Corporation (DEC-DOM)
Western Research Laboratory
250 University Avenue
Palo Alto, CA 94301-1616
Domain Name: DEC.COM
Administrative Contact:
Reid, Brian K. (BKR) reid@PA.DEC.COM
(415) 688-1307
Technical Contact:
Vixie, Paul (PV15) paul@VIX.COM
(415) 858-2736
Zone Contact:
Treese, Win (WT48) treese@CRL.DEC.COM
(617) 621-6615
Record last updated on 07-Jul-92.
Domain servers in listed order:
GATEKEEPER.DEC.COM 16.1.0.2
CRL.DEC.COM 192.58.206.2
DECUAC.DEC.COM 192.5.214.1
Through mail to Brian Reid (the administrative contact), we learned that
the specific contact for decuac.dec.com is Rick Murphy, murphy@cop.dec.com.
We now check wl.com.
% whois emory.wl.com
No match for "EMORY.WL.COM".
% whois wl.com
Warner Lambert / Parke-Davis (WL-DOM)
2800 Plymouth Road
Ann Arbor, MI 48106
Domain Name: WL.COM
Administrative Contact, Technical Contact, Zone Contact:
Leibowitz, Allen K. (AL184) leibowa@WL.COM
(313) 998-3314
Record last updated on 29-Apr-93.
Domain servers in listed order:
ENVOY.WL.COM 162.48.254.3
MERIT.EDU 35.1.1.42
We know the contact information for our own site (tis.com), so now we have
all the mail addresses we need to investigate further.
The next step is to check the log files on the other machines. We sent the
following message:
From: Frederick M Avolio <avolio@tis.com>
X-Organization: Trusted Information Systems, Inc.
X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363
To: murphy@cop.dec.com, Allen Leibowitz <leibowa@wl.com>,
dave@tis.com
Subject: Pls check mail logs and user stats from "last"
Date: Mon, 14 Jun 93 16:55:35 -0400
Sender: avolio@tis.com
I received the following mail that passed through your machines.
Would you check the mail logs on decuac.dec.com for any data
related to this file?
Looking at this, it would seem that someone connected to
tis.com's sendmail process from envoy.wl.com at 15:51:58 EDT. It
would be helpful if you could check the system to see who was
logged in on that machine at that time. If you have any further
data that would help us more closely pinpoint the sender, it
would be appreciated.
On tis.com, if you could check your mail logs and send me any/all
relevant data also, it would be appreciated.
Thx
Fred
------- Forwarded Message
Return-Path: little.joe@bonanza.org
Received: from decuac.DEC.COM by TIS.COM (4.1/SUN-5.64)
id AA18164; Mon, 14 Jun 93 15:59:28 EDT
Received: from TIS.COM by decuac.DEC.COM (5.65/Ultrix-fma)
id AA04687; Mon, 14 Jun 93 15:58:25 -0400 XXX
Received: from envoy.wl.com by TIS.COM (4.1/SUN-5.64)
id AA17274; Mon, 14 Jun 93 15:51:58 EDT
From: Little Joe <little.joe@bonanza.org>
Date: Mon, 14 Jun 93 15:22:23 GMT
Message-Id: <9306141922.AA82912@bonanza.org>
To: Fred Avolio <avolio@TIS.COM>
Subject: bogus test #1
[ Body of message deleted -- Avolio ]
------- End of Forwarded Message
We received back the following messages.
Message from wl.com:
From: Allen Leibowitz <leibowa@wl.com>
To: Frederick M Avolio <avolio@TIS.COM>
Cc: murphy@cop.dec.com, dave@TIS.COM
Subject: Re: Pls check mail logs and user stats from "last"
Date: Mon, 14 Jun 93 17:04:03 -0400
Nothing in our mail log.
This user was logged on:
smith ttyp3 itchy.research.a Mon Jun 14 15:47 - 16:42 (00:54)
Login name: smith                       In real life: John Smith
Directory: /usr/users/smith             Shell: /bin/csh
On since Jun 14 16:59:08 on ttyp3 from itchy.research.a
Message from decuac.dec.com:
To: Frederick M Avolio <avolio@TIS.COM>
Cc: Allen Leibowitz <leibowa@wl.com>, dave@TIS.COM
Subject: Re: Pls check mail logs and user stats from "last"
In-Reply-To: Your message of "Mon, 14 Jun 93 16:55:35 EDT."
<9306142055.AA21666@TIS.COM>
Date: Mon, 14 Jun 93 19:50:04 -0400
From: "Rick Murphy" <murphy@burfle.cop.dec.com>
Relevant entries from the decuac.dec.com logs:
Jun 14 15:58:26 localhost 4687 sendmail: AA04687:
from=<little.joe@bonanza.org>, size=357, class=0,
received from TIS.COM (192.33.112.100)
Jun 14 15:58:29 localhost 4689 sendmail: AA04687:
to=<@decuac.dec.com:avolio@tis.com>, delay=00:00:04,
stat=Sent (tcp tis.com)
It appears that this originated from tis.com.
--Rick
Data from tis.com:
Jun 14 15:59:22 sol sendmail[17274]: AA17274:
from=little.joe@bonanza.org, size=263, class=0
Jun 14 15:59:29 sol sendmail[18164]: AA18164:
from=<little.joe@bonanza.org>, size=462, class=0
In looking at this data, the user John Smith on the wl.com system would
appear to be the sender. While not all situations will be this
straightforward, walking through the mail logs and headers can often get
you close to at least a list of probable suspects.
Compare the log information from decuac.dec.com and tis.com. The data saved
is different between the two sites. Each site can decide what, if anything,
is logged, and to what level. There is still useful information to be
gleaned from a minimal log. For example, the tis.com logs don't tell us the
machine name from which the mail was received or to whom it was going, but
it does give size information and the message identifier (the names
beginning with "AA" in the log files examples). This information could be
used to follow particular pieces of mail through different systems. (We
must keep in mind, that because of the addition of Received: lines, the
size grows by 100 or so characters, each time a message passes through a
mail gateway.)
Example 3: Other Examples
Of course, not all cases are straightforward. Received: lines can also be
faked. In this example lines 4 and 5 are faked.
1 Return-Path: badguy@bad.place
2 Received: from bad.place (acme.com) by TIS.COM (4.1/SUN-5.64)
3 id AA28388; Tue, 15 Jun 93 10:41:21 EDT
4 Received: by crl.dec.com;
id AA01046; Tue, 15 Jun 93 10:38:33 -0400
5 Received: by quabbin.crl.dec.com;
id AA15488; Tue, 15 Jun 1993 10:33:19 -0400
6 Date: Tue, 15 Jun 93 10:39:51 EDT
7 Message-Id: <9306151440.AA28300@xxx.yyy>
8 From: Bad Guy <badguy@bad.place>
9 To: Fred Avolio <avolio@TIS.COM>
10 Subject: test 4
11
12 test 4
One cannot readily tell that they are faked by looking at them. Notice,
they just indicate when and who received the mail (what time by what
systems). They do not tell who it was received from. This is not a mistake.
Some systems do not report both pieces of information.
In this case, we contact system managers at crl.dec.com and ask them for
information pertaining to messages with the identifier AA01046 and AA15488
on their respective machines. We will find that these don't lead us
anywhere, but the final Received: line, when the message entered tis.com
from acme.com might prove useful. We could check with the managers of the
system at acme.com (as we did in example 2) and follow the trail that way.
Notice, line 2 indicates that when a connection was made for mail, the
remote system said it was bad.place but when our system did a reverse
lookup on it on the Internet (kind of like "Caller ID"), the Domain Name
System said that it was acme.com.
Example 4: An Analysis of Real Falsified Mail
We at TIS received, on a machine under our management, an example of
falsified or spoofed mail in which someone had made it look as if it came
from a government VIP. This mail did not constitute a threat, nor was it
probably meant to be taken seriously by the recipients. We include this as
a real-life example of a mail message that was received and that needed to
be traced. Analysis was done for demonstration purposes only. We do not
recommend this type of analysis on all forged e-mail of a non-threatening
nature, since the time spent does not justify the benefits gleaned (none).
We received this mail "by accident." The sender intended to mail it to a
group of addresses on a mailing list, but an error condition caused it to
be routed to us, unbeknownst to the sender.
1. The spoofed message as originally sent (complete with typographical
errors) is:
Received: from VIPLAC.GOV (a.b.c.d.e) by
x.b.c.d.e with SMTP id AA00559
(5.65c/IDA-1.4.4 for nnnnnn@x.b.c.d.e);
Thu, 10 Jun 1993 17:02:17 -0400
Date: Thu, 10 Jun 1993 17:02:17 -0400
From: billyboy@viplace.gov
Message-Id: <199306102102.AA00559@x.b.c.d.e>
Apparently-To: nnnnnn@x.b.c.d.e
This is an important message blah blah blah...
Please note the first line. A machine, x.b.c.d.e, received this from
another host. The other host claimed to be VIPLAC.GOV, which was almost a
real host name but was intentionally misspelled. Someone, probably on
x.b.c.d.e, decided to play a joke. That someone was probably logged on
a.b.c.d.e (see the hostname in parentheses).
This person probably did the following:
- Connected to the network mail socket on x.b.c.d.e via TELNET.
- Identified itself as VIPLAC.GOV. The mail software took that and
then showed, in parentheses, what it thought the hostname was:
a.b.c.d.e.
- Told the mail server that it had mail for mailing list nnnnnn on
that host and that it was from billyboy@viplace.gov.
- The person then typed in the text of the message. He or she didn't
do a great job since they didn't include the (normal but not required)
Subject: line nor did this person include a To: header line (the mail
program adds an Apparently-To: line when no To: line exists).
2. An error condition was encountered on x.b.c.d.e. The error message,
"Options MUST PRECEDE persons", is of no real interest, except that it
caused the message to bounce.
...
From: Mail Delivery Subsystem <MAILER-DAEMON@x.b.c.d.e>
Message-Id: <199306102102.AA00609@x.b.c.d.e>
To: billyboy
Cc: Postmaster@x.b.c.d.e
Subject: Returned mail: unknown mailer error 5
----- Transcript of session follows -----
mail: Options MUST PRECEDE persons
554 nnnnnn@x.b.c.d.e... unknown mailer error 5
----- Unsent message follows -----
...
When it "bounces" with an error it sends it back to the sender. As far as
it can tell the sender is billyboy@viplace.gov. So, it sent it to
Viplace.gov for that user. Errors are sent from MAILER-DAEMON as indicated
on the above From: line.
3. Viplace.gov doesn't have such a user and bounced the mail back to
the sender: MAILER-DAEMON@x.b.c.d.e.
...
From: MAILER-DAEMON@viplace.gov (Mail Delivery Subsystem)
Subject: Returned mail: User unknown
Message-Id: <9306102105.AA01806@viplace.gov>
To: MAILER-DAEMON@x.b.c.d.e
----- Transcript of session follows -----
550 <billyboy@viplace.gov>... User unknown
----- Recipients of this delivery -----
Bounced, cannot deliver:
<billyboy@viplace.gov>
----- Unsent message follows -----
...
Finally, the same strange error on the Navy machine caused mail from our
MAILER-DAEMON to their MAILER-DAEMON to bounce back to us and so it got to
the system manager on the Viplace.gov machine (which is how we got it).
The entire message as received here follows:
From MAILER-DAEMON@x.b.c.d.e Thu Jun 10 17:06:51 1993
Received: by viplace.gov (5.65/fma/mjr-120691);
id AA01824; Thu, 10 Jun 93 17:06:49 -0400
Received: from x.b.c.d.e/131.158.51.20 via smap
Received: by x.b.c.d.e id AA00630
(5.65c/IDA-1.4.4 for <MAILER-DAEMON@viplace.gov>);
Thu, 10 Jun 1993 17:05:09 -0400
Date: Thu, 10 Jun 1993 17:05:09 -0400
From: Mail Delivery Subsystem <MAILER-DAEMON@x.b.c.d.e>
Message-Id: <199306102105.AA00630@x.b.c.d.e>
To: MAILER-DAEMON
Cc: Postmaster@x.b.c.d.e
Subject: Returned mail: unknown mailer error 5
Status: R
----- Transcript of session follows -----
mail: Options MUST PRECEDE persons
554 root... unknown mailer error 5
----- Unsent message follows -----
Received: from viplace.gov by x.b.c.d.e
with SMTP id AA00628
(5.65c/IDA-1.4.4 for <MAILER-DAEMON@x.b.c.d.e>);
Thu, 10 Jun 1993 17:05:09 -0400
Received: by viplace.gov (5.65/fma/mjr-120691);
id AA01806; Thu, 10 Jun 93 17:05:49 -0400
Date: Thu, 10 Jun 93 17:05:49 -0400
From: MAILER-DAEMON@viplace.gov (Mail Delivery Subsystem)
Subject: Returned mail: User unknown
Message-Id: <9306102105.AA01806@viplace.gov>
To: MAILER-DAEMON@x.b.c.d.e
----- Transcript of session follows -----
550 <billyboy@viplace.gov>... User unknown
----- Recipients of this delivery -----
Bounced, cannot deliver:
<billyboy@viplace.gov>
----- Unsent message follows -----
Received: by viplace.gov (5.65/fma/mjr-120691);
id AA01804; Thu, 10 Jun 93 17:05:49 -0400
Received: from x.b.c.d.e/131.158.51.20 via smap
Received: from VIPLAC.GOV (a.b.c.d.e)
by x.b.c.d.e id AA00609
(5.65c/IDA-1.4.4 for <billyboy@viplace.gov>);
Thu, 10 Jun 1993 17:02:17 -0400
Date: Thu, 10 Jun 1993 17:02:17 -0400
From: Mail Delivery Subsystem <MAILER-DAEMON@x.b.c.d.e>
Message-Id: <199306102102.AA00609@x.b.c.d.e>
To: billyboy
Cc: Postmaster@x.b.c.d.e
Subject: Returned mail: unknown mailer error 5
----- Transcript of session follows -----
mail: Options MUST PRECEDE persons
554 nnnnnn@x.b.c.d.e... unknown mailer error 5
----- Unsent message follows -----
Received: from VIPLAC.GOV (a.b.c.d.e)
by x.b.c.d.e with SMTP id AA00559
(5.65c/IDA-1.4.4 for nnnnnn@x.b.c.d.e);
Thu, 10 Jun 1993 17:02:17 -0400
Date: Thu, 10 Jun 1993 17:02:17 -0400
From: billyboy@viplace.gov
Message-Id: <199306102102.AA00559@x.b.c.d.e>
Apparently-To: nnnnnn@x.b.c.d.e
This is an important message blah blah blah...
Summary of Steps in Tracing Electronic Mail
1. Check From: line or Sender: line for mail address.
2. Check Received: lines to see if they match or help the analysis of
the sender.
3. Use whois or nslookup to get information about the computers or
domains used and to get personal contact information.
4. Get mail log and user log information from the relevant computers
through contact with the system managers or other representatives of
the organizations that own the computers.
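As an added illustration of the header reading done in Examples 2 and 3 above (this is example code written for this page, not part of the original post or of any TIS tool), the following Python script parses the Received: lines of a message bottom-up and flags the three things the post teaches you to look for: a hop that records only the receiving host and no sender, a hop whose announced name differs from what the receiver's reverse lookup returned, and a Date: header far off the first postmark. The two sample messages are constructed from the headers quoted in the post (the trailing "XXX" marker on Example 2's line 5 is dropped). The 30-minute threshold on the Date: check and the From:-domain comparison are heuristics of this example, not rules from the post; DNS is not consulted, so the bonanza.org check the post does with nslookup is approximated offline by comparing the From: domain with the hosts that appear in the Received: chain.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed samples: the headers of the post's Example 3 (two "by ...;" hops that
# record no sender) and Example 2 (non-existent From: domain, Date: hours off).
EXAMPLE3 = """\
Return-Path: badguy@bad.place
Received: from bad.place (acme.com) by TIS.COM (4.1/SUN-5.64)
    id AA28388; Tue, 15 Jun 93 10:41:21 EDT
Received: by crl.dec.com;
    id AA01046; Tue, 15 Jun 93 10:38:33 -0400
Received: by quabbin.crl.dec.com;
    id AA15488; Tue, 15 Jun 1993 10:33:19 -0400
Date: Tue, 15 Jun 93 10:39:51 EDT
Message-Id: <9306151440.AA28300@xxx.yyy>
From: Bad Guy <badguy@bad.place>
To: Fred Avolio <avolio@TIS.COM>
Subject: test 4

test 4
"""

EXAMPLE2 = """\
Return-Path: little.joe@bonanza.org
Received: from decuac.DEC.COM by TIS.COM (4.1/SUN-5.64)
    id AA18164; Mon, 14 Jun 93 15:59:28 EDT
Received: from TIS.COM by decuac.DEC.COM (5.65/Ultrix-fma)
    id AA04687; Mon, 14 Jun 93 15:58:25 -0400
Received: from envoy.wl.com by TIS.COM (4.1/SUN-5.64)
    id AA17274; Mon, 14 Jun 93 15:51:58 EDT
From: Little Joe <little.joe@bonanza.org>
Date: Mon, 14 Jun 93 15:22:23 GMT
Message-Id: <9306141922.AA82912@bonanza.org>
To: Fred Avolio <avolio@TIS.COM>
Subject: bogus test #1

test #1
"""

# "from <announced name> (<what reverse lookup said>)", "by <receiver>", "id <queue id>"
RE_FROM = re.compile(r"^from\s+([^\s;()]+)(?:\s+\(([^)]*)\))?", re.I)
RE_BY = re.compile(r"\bby\s+([^\s;()]+)", re.I)
RE_ID = re.compile(r"\bid\s+([^\s;()]+)", re.I)
DATE_SLACK = timedelta(minutes=30)  # heuristic of this example, not from the post


def parse_received(value):
    """One Received: value (possibly folded over several lines) -> its postmark fields."""
    text = " ".join(value.split())            # unfold continuation lines
    clause, _, stamp = text.rpartition(";")   # the timestamp follows the last ';'
    m_from, m_by, m_id = RE_FROM.match(clause), RE_BY.search(clause), RE_ID.search(clause)
    try:
        when = parsedate_to_datetime(stamp.strip())
    except (ValueError, TypeError):           # e.g. "via smap" hops carry no date
        when = None
    if when is not None and when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)  # assume UTC when no zone was given
    return {"helo": m_from.group(1) if m_from else None,
            "rdns": m_from.group(2) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "id": m_id.group(1) if m_id else None,
            "time": when}


def trace(raw):
    """Return the hop chain (earliest hop first) and a list of things an analyst should question."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    findings = []
    for i, hop in enumerate(hops, 1):
        if hop["helo"] is None:
            findings.append(f"hop {i} ({hop['by']}, id {hop['id']}): no sender recorded, only the receiving host")
        elif hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            findings.append(f"hop {i}: announced itself as {hop['helo']} but reverse lookup gave {hop['rdns']}")
    timed = [h for h in hops if h["time"] is not None]
    for prev, cur in zip(timed, timed[1:]):   # postmarks should never run backwards
        if cur["time"] < prev["time"]:
            findings.append(f"{cur['by']} stamped the message earlier than {prev['by']} did")
    gap = None
    if msg.get("Date") and timed:
        gap = timed[0]["time"] - parsedate_to_datetime(msg["Date"])
        if abs(gap) > DATE_SLACK:
            findings.append(f"Date: header is {abs(gap)} off the first Received: stamp")
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    names = {n.lower() for h in hops for n in (h["helo"], h["rdns"], h["by"]) if n}
    if domain and not any(n.endswith(domain) for n in names):
        findings.append(f"From: domain {domain} appears in none of the Received: hosts")
    return {"hops": hops, "findings": findings, "date_gap": gap}


if __name__ == "__main__":
    for label, raw in (("Example 3", EXAMPLE3), ("Example 2", EXAMPLE2)):
        report = trace(raw)
        print(label)
        for i, h in enumerate(report["hops"], 1):
            print(f"  hop {i}: {h['helo'] or '?'} -> {h['by']} id {h['id']} at {h['time']}")
        for f in report["findings"]:
            print("  !", f)
```

Reading the output the way the post does: Example 3's first two hops come back as "no sender recorded", which is exactly why they cannot be verified against anyone's logs, while its last hop shows the bad.place/acme.com disagreement; Example 2 comes back clean on the chain itself but with the Date: header 4.5 hours adrift and a From: domain no relay ever saw, which is what sends the analyst to the log files.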
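The post's comparison of the decuac.dec.com and tis.com logs in Example 2, as an added example that is not from the original post: this Python script parses both sites' sendmail log formats, merges the from= and to= records of each queue id, and follows one message along the hop list read off its Received: lines (queue ids AA17274, AA04687, AA18164), reporting how much the message grew at each hop. The log lines are constructed from those quoted in the post; the PATH list and the field names in the returned records are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the sendmail log lines the post quotes, keyed by the host whose
# log they came from. The two sites log in different formats and to different depths.
LOGS = {
    "tis.com": [
        "Jun 14 15:59:22 sol sendmail[17274]: AA17274: from=little.joe@bonanza.org, size=263, class=0",
        "Jun 14 15:59:29 sol sendmail[18164]: AA18164: from=<little.joe@bonanza.org>, size=462, class=0",
    ],
    "decuac.dec.com": [
        "Jun 14 15:58:26 localhost 4687 sendmail: AA04687: from=<little.joe@bonanza.org>, "
        "size=357, class=0, received from TIS.COM (192.33.112.100)",
        "Jun 14 15:58:29 localhost 4689 sendmail: AA04687: to=<@decuac.dec.com:avolio@tis.com>, "
        "delay=00:00:04, stat=Sent (tcp tis.com)",
    ],
}

# The message's path through the relays, earliest hop first, as read off the
# Received: lines of Example 2: (host whose log to consult, queue id in that log).
PATH = [("tis.com", "AA17274"), ("decuac.dec.com", "AA04687"), ("tis.com", "AA18164")]

# Accepts both "host sendmail[pid]: QID:" and "host pid sendmail: QID:" syslog shapes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?:\d+ )?sendmail(?:\[\d+\])?: "
    r"(?P<qid>[A-Z]+\d+): (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]+)")          # key=<value> or key=value
RELAY_RE = re.compile(r"received from (\S+) \(([^)]+)\)")  # only decuac logs this


def parse_line(line):
    """One syslog line -> dict of its fields, or None if it is not a sendmail queue record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "qid": m["qid"]}
    for key, val in FIELD_RE.findall(m["rest"]):
        rec[key] = val.strip().strip("<>")
    relay = RELAY_RE.search(m["rest"])
    if relay:
        rec["relay"], rec["relay_ip"] = relay.groups()
    return rec


def index_logs(logs):
    """host -> queue id -> merged record (the from= and to= lines of one queue id combine)."""
    index = defaultdict(dict)
    for host, lines in logs.items():
        for line in lines:
            rec = parse_line(line)
            if rec:
                index[host].setdefault(rec["qid"], {}).update(rec)
    return index


def follow(index, path):
    """Pull each hop's log record and compute how many bytes the message grew between hops."""
    trail, prev_size = [], None
    for host, qid in path:
        rec = index.get(host, {}).get(qid)
        if rec is None:   # the site kept no record under that id: note it and carry on
            trail.append({"host": host, "qid": qid, "found": False})
            continue
        size = int(rec["size"]) if "size" in rec else None
        growth = None if size is None or prev_size is None else size - prev_size
        trail.append({"host": host, "qid": qid, "found": True, "from": rec.get("from"),
                      "size": size, "growth": growth, "relay": rec.get("relay"),
                      "to": rec.get("to"), "stat": rec.get("stat")})
        if size is not None:
            prev_size = size
    return trail


if __name__ == "__main__":
    for hop in follow(index_logs(LOGS), PATH):
        if not hop["found"]:
            print(f"{hop['host']} {hop['qid']}: no log record")
            continue
        print(f"{hop['host']} {hop['qid']}: from={hop['from']} size={hop['size']} "
              f"growth={hop['growth']} relay={hop['relay']} stat={hop['stat']}")
```

The sizes come out 263, 357 and 462 bytes: a growth of 94 and then 105 bytes per relay, which is the "100 or so characters" of added Received: lines the post mentions, and the reason a size alone is enough to match queue ids across sites that log different fields.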