How IT Works: E-mail Headers
R'ykandar Korra'ti
As a network administrator, you've just seen fifty copies of the same e-mail virus sent to your users. How do you know which machine is infected? Is it someone inside your own company or someone external you can block?
Often, you can isolate it to a single machine by analyzing the one portion of the header your own e-mail server provides. Figure 1 shows a real-life example (all real names have been changed).
Figure 1 Analyzing E-mail
Received: from microsoft.net ([69.66.109.194])
by lodestone.microsoft.net with ESMTP
id HAA19424
for <sample@microsoft.net>; Fri, 5 Mar
2004 07:30:22 -0800
From: firstname.lastname@sample.state.ia.us
Message-Id:
<200403051530.HAA19424@lodestone.microsoft.net>
To: sample@microsoft.net
Subject: Re: Your bill
Date: Fri, 5 Mar 2004 09:36:35 -0600
X-Priority: 3
X-MSMail-Priority: Normal
The important data is in the Received: line. Each time a server receives an SMTP message, it is supposed to add a new Received: line at the beginning of the header block. The topmost line will have been added by your server.
My e-mail server added the topmost line in this example; since there are no other Received: lines further below it, it is probably safe to assume that it was delivered directly to my system by an embedded mini-SMTP engine running on an infected machine. Had there been more than one Received: line, the first one might have been a relaying mail server. As servers are not as likely to be infected as clients, you may want to skip down to the second entry.
The Received: line provides information in this format:
Received: from <info supplied by sender—untrustworthy>
(<info provided by our server—trustworthy>)
by <our server> with <protocol>
<message ID> {for <email address>}; <date>
Your concern should lie with the information provided by your server; that's the data in parentheses following the "from" information supplied by the sender. The sender-provided information will almost always be invalid in virus and spam mail, so you can just ignore it.
In this example, the information added by my server consisted only of the IP address of the machine handing me the message—69.66.109.194. That's the least amount of information you'll get. There may also be a machine name before the IP address, but still within the parentheses. If present, it is also trustworthy information and saves you the next step.
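The parsing rule just described (sender-supplied "from" name is untrustworthy, the parenthesised part and the "by" host are written by our server, and the hostname before the IP is present only sometimes) is easy to get wrong by eye across fifty messages. The following is an added example, not code from the article or from any mail product: it unfolds each Received: line, separates the claimed name from the server-verified hostname and IP, and tallies the verified IPs across a batch. The three sample messages are constructed; the first reuses the Figure 1 header, the others use documentation-range addresses (198.51.100.7, 203.0.113.9) and example.com/example.org names. The regular expression assumes the common "from X (Y) by Z" layout; servers that write the verified part differently would need the pattern adjusted.

```python
import re
from collections import Counter
from email import message_from_string

# "from <claimed> (<verified>) by <our server>": the claimed part is typed by
# the sender's SMTP client and cannot be trusted; the parenthesised part and
# the "by" host are written by the receiving server.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?P<verified>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def split_verified(verified):
    """Split the server-written parenthesised part into (hostname, ip).
    It is usually just '[ip]' or 'hostname [ip]'; the hostname, when present,
    is our server's own reverse-DNS result and can be trusted."""
    hostname = ip = None
    for token in verified.split():
        m = IP_RE.fullmatch(token)
        if m:
            ip = m.group(1)
        elif hostname is None:
            hostname = token
    return hostname, ip


def parse_received(value):
    """Parse one Received: header value (folded or not) into its parts."""
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    info = {"claimed": None, "hostname": None, "ip": None, "by": None}
    if m:
        hostname, ip = split_verified(m.group("verified") or "")
        info.update(claimed=m.group("claimed"), hostname=hostname,
                    ip=ip, by=m.group("by"))
    return info


def received_chain(raw_message):
    """All Received: lines, topmost first; index 0 is the one our server added."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in (msg.get_all("Received") or [])]


def tally_sources(messages, hop=0):
    """Count the server-verified IP at the chosen hop across a batch.
    hop=0 is the machine that spoke to our server; hop=1 is the entry below it,
    worth checking when the first hop is a relaying mail server."""
    counter = Counter()
    for raw in messages:
        chain = received_chain(raw)
        if len(chain) > hop and chain[hop]["ip"]:
            counter[chain[hop]["ip"]] += 1
    return counter


# Constructed samples. MSG_A is the Figure 1 header; MSG_B claims a different
# name but comes from the same verified IP; MSG_C arrived through a relay.
MSG_A = (
    "Received: from microsoft.net ([69.66.109.194])\n"
    " by lodestone.microsoft.net with ESMTP\n"
    " id HAA19424\n"
    " for <sample@microsoft.net>; Fri, 5 Mar 2004 07:30:22 -0800\n"
    "From: firstname.lastname@sample.state.ia.us\n"
    "To: sample@microsoft.net\n"
    "Subject: Re: Your bill\n\n(body omitted)\n"
)
MSG_B = (
    "Received: from mail.example.com ([69.66.109.194])\n"
    " by lodestone.microsoft.net with ESMTP id HAA19431\n"
    " for <sample@microsoft.net>; Fri, 5 Mar 2004 07:41:02 -0800\n"
    "From: someone.else@example.com\n"
    "To: sample@microsoft.net\n"
    "Subject: Re: Your bill\n\n(body omitted)\n"
)
MSG_C = (
    "Received: from mx.example.org (mx.example.org [198.51.100.7])\n"
    " by lodestone.microsoft.net with ESMTP id HAA19502\n"
    " for <sample@microsoft.net>; Fri, 5 Mar 2004 08:02:17 -0800\n"
    "Received: from home-pc ([203.0.113.9])\n"
    " by mx.example.org with SMTP id 7f3a\n"
    " for <sample@microsoft.net>; Fri, 5 Mar 2004 08:02:10 -0800\n"
    "From: another.user@example.org\n"
    "To: sample@microsoft.net\n"
    "Subject: Re: Your bill\n\n(body omitted)\n"
)
SAMPLE_MESSAGES = [MSG_A, MSG_B, MSG_C]

if __name__ == "__main__":
    print(tally_sources(SAMPLE_MESSAGES).most_common())
    print(received_chain(MSG_C))
```

Running it shows that two of the three messages, despite different claimed names and From: lines, came from 69.66.109.194, and that for the relayed message the first hop is the relay's verified hostname while the second hop carries the client's IP.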
Two tools are needed to discover and verify the name of this machine and the owner of its domain: nslookup (host, on some operating systems) and whois. Both nslookup and host provide DNS lookups against hostnames or IP addresses:
C:\>nslookup 69.66.109.194
194.109.66.69.in-addr.arpa domain name pointer
dwtt-00-0194.dsl.cascadiatelecom.net.
I now know the sender is in the domain cascadiatelecom.net. I've already learned that Cascadia Telecom supports reverse-DNS lookups, although not all network providers do. For those that don't, you must apply the whois tool.
To oversimplify a bit, whois provides information about domains rather than individual hosts. This tool is generally used to identify the owner of a particular domain, as shown in Figure 2. Whois can also be used to identify the owner of an IP address, or range of IP addresses, when you don't know the name of the domain. A network of top-level whois servers exists for this purpose: whois.apnic.net (Asia-Pacific), whois.arin.net (Americas), and whois.ripe.net (Europe), each covering a different geographical region. As a rule of thumb, query the server for your own geographical area first; if that fails, keep going until you find one that works. I already know my example is in North America, but if I didn't, that's where I'd start (see Figure 3).
Figure 2 The Domain Owner
Domain Name: MICROSOFT.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: https://domainhelp.tucows.com
Name Server: NS3.MSFT.NET
Name Server: NS1.MSFT.NET
Name Server: NS2.MSFT.NET
Name Server: NS5.MSFT.NET
Name Server: NS4.MSFT.NET
Updated Date: 23-jun-2004
Creation Date: 02-may-1991
Expiration Date: 03-may-2014
Figure 3 The IP Address Owner
OrgName: Cascadia Telecom
NetRange: 69.66.0.0 - 69.66.255.255
CIDR: 69.66.0.0/16
NetName: CASCADIA-TELECOM
NameServer: AR.CASCADIATELECOM.NET
NameServer: HE.CASCADIATELECOM.NET
OrgTechName: Cascadia Telecom NOC
OrgTechPhone: +1-877-555-1212
OrgTechEmail: noc@cascadiatelecom.net
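The "try your own region's server first, then keep going" rule above, together with the check that the returned block actually covers the address you asked about, can be scripted. The following is an added example, not code from the article: it speaks the whois protocol (a query line over TCP port 43, as the real tool does), parses the key: value reply, converts CIDR and NetRange entries into networks with the standard ipaddress module, and walks the regional servers in order until one claims the address. The ARIN-style sample reply is constructed from the Figure 3 values; the second sample uses the inetnum/netname keys that RIPE and APNIC replies carry, which the article does not show and is an assumption here, and a documentation-range block (192.0.2.0/24). The query function is injectable so the fall-through logic can be exercised without network access.

```python
import ipaddress
import socket

# Regional registry whois servers named in the article; try your own
# region first, then the others.
WHOIS_SERVERS = {
    "americas": "whois.arin.net",
    "europe": "whois.ripe.net",
    "asia-pacific": "whois.apnic.net",
}


def whois_query(server, query, timeout=10):
    """Raw whois: connect to port 43, send one line, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (keys such as
    NameServer repeat); '#' and '%' lines are registry comments."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("#", "%")):
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def networks_from(fields):
    """Turn CIDR: entries (ARIN) and NetRange:/inetnum: ranges (ARIN, RIPE,
    APNIC) into ip_network objects."""
    nets = []
    for cidr in fields.get("CIDR", []):
        for part in cidr.split(","):
            nets.append(ipaddress.ip_network(part.strip(), strict=False))
    for rng in fields.get("NetRange", []) + fields.get("inetnum", []):
        lo, _, hi = rng.partition("-")
        if hi:
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
    return nets


def owner_of(ip, text):
    """Return (owner name, network) if the whois reply covers ip, else None.
    A reply that does not cover the address means "ask the next registry"."""
    fields = parse_whois(text)
    addr = ipaddress.ip_address(ip)
    for net in networks_from(fields):
        if addr in net:
            name = (fields.get("OrgName") or fields.get("org-name")
                    or fields.get("netname") or ["?"])[0]
            return name, net
    return None


def lookup_ip(ip, home="americas", query=whois_query):
    """Ask the home registry first, then the others, until one claims the
    address; returns (server, owner, network) or None."""
    order = [home] + [r for r in WHOIS_SERVERS if r != home]
    for region in order:
        server = WHOIS_SERVERS[region]
        hit = owner_of(ip, query(server, ip))
        if hit:
            return server, hit[0], str(hit[1])
    return None


# Constructed reply in ARIN's format, using the Figure 3 values.
SAMPLE_ARIN_REPLY = """\
# Constructed ARIN-style reply
OrgName:        Cascadia Telecom
NetRange:       69.66.0.0 - 69.66.255.255
CIDR:           69.66.0.0/16
NetName:        CASCADIA-TELECOM
NameServer:     AR.CASCADIATELECOM.NET
NameServer:     HE.CASCADIATELECOM.NET
OrgTechName:    Cascadia Telecom NOC
OrgTechPhone:   +1-877-555-1212
OrgTechEmail:   noc@cascadiatelecom.net
"""

# Constructed reply in RIPE/APNIC style for a block that does not cover
# the Figure 1 address, so a lookup falls through to the next registry.
SAMPLE_RIPE_REPLY = """\
% Constructed RIPE-style reply
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Constructed documentation block
"""

if __name__ == "__main__":
    print(owner_of("69.66.109.194", SAMPLE_ARIN_REPLY))
    print(lookup_ip("69.66.109.194"))  # live query; needs network access
```

With the constructed replies, querying with "europe" as the home region gets no coverage from the RIPE-style reply and moves on to ARIN, which returns Cascadia Telecom and 69.66.0.0/16, the same answer Figure 3 shows.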
With any batch of virus mail received, you'll see a cacophony of sender-provided misinformation. But with a little analysis, you'll often find most of it actually came from one or two infected (and easily blocked and disinfected) machines.
R'ykandar Korra'ti, a glass sculptor, lives in Seattle with her partner Anna, and is postmaster for a small co-op ISP. Having shipped many e-mail products, she retired from Microsoft in 1999 to focus on her art career.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.