X-Originating-IP with two IPs ?!?


Posted: Wed Jul 16, 2014 3:01 am

Hello!

A mail header shows two IPs after X-Originating-IP. What does this mean?

Mail-Header:
---snipp---
X-CM-HeaderCharset: UTF-8
X-Originating-IP: [95.141.27.41, 176.34.63.150] <-- What does this mean?
Date: Tue, 8 Apr 2014 15:29:04 +0800
---snipp---

regards

K.W.  

wechselberger
Member

Re: X-Originating-IP with two IPs ?!?

Posted: Wed Jul 16, 2014 7:15 pm

I don't really know for sure, but my guess would be that someone at 95.141.27.41 used a mail client to send mail from a server at 176.34.63.150.  

Passmark
Senior Member

Re: X-Originating-IP with two IPs ?!?

Posted: Thu Jul 17, 2014 4:09 am

I'm not 100% either, but recently during testing I had two IP addresses turn up elsewhere in the headers. One was the internal IP assigned to my device, the other was the external IP address.  

HexDrugsRockNRoll
Member

Re: X-Originating-IP with two IPs ?!?

Posted: Sat Jul 19, 2014 1:09 am

wechselberger wrote:
> A mail header shows two IPs after X-Originating-IP. What does this mean?


Whatever the MTA (or MUA or firewall or application proxy or ...) that created it means. (It needn't come from an MTA: it could theoretically have come from the mail client or any other point of network transmission that the message passed through. MTAs that don't recognize that particular header will probably just pass it on.)

RFC 822 (which is now obsolete) allowed 'extension fields', following the format of 'X-...' in mail messages. The current specification RFC 2822 does not do so, and RFC 6648 / BCP 178 deprecates the use of 'X-...' type headers. Thus, it's nonstandard today.

As far as RFC 822 goes, extension fields may have been registered, but as it now is obsolete, I suspect any such registrations may have become obsolete as well. You may want to check with the registrar mentioned in RFC 822 (SRI International) for any records.


Apart from that, as it is a nonstandard header, you can't trust it to mean anything in general. If you are able to identify the source of it, you might be able to attach a meaning to it.

You could start by examining any X-Mailer: or similar headers -- do those programs add this kind of header? And what semantics do they associate with it, i.e. what assertions can safely be made on the basis of that particular header?

The reason BCP 178 deprecates the use of extension fields is that they usually cause more problems than they solve. Which is more or less what you have discovered.

Added: In highly configurable and scriptable mail environments, the contents of extension fields could also be misconfigurations. For example, if Exchange allows the mail admin to add this field to outgoing messages, it could be that the mail admin added information useful for his own environment, but which may not make sense elsewhere. In such cases, you clearly need to find that mail admin to interpret the header...  

athulin
Senior Member

Re: X-Originating-IP with two IPs ?!?

Posted: Thu Jul 31, 2014 8:35 am

Assuming you are not dealing with a forged header, you may be able to identify the application that generated the X header entry using entries that surround it. You can then use the documentation from that application to determine how it is using X-Originating-IP. Even then, you will still want the server logs from the servers in the mail chain so you can provide supporting information showing where and when the mail traversed what server.

InfoSecCow
Newbie
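As an added example (not code from the thread or any of its posters), the Python below does the triage the replies describe: it pulls the addresses out of the bracketed X-Originating-IP value quoted in the question, flags each as private or public (the internal/external pattern HexDrugsRockNRoll saw), lists the other X- fields that may identify the software that wrote them, and orders the Received chain oldest hop first for comparison against server logs. The Received hops, hostnames and X-Mailer value in the sample are constructed; only the X-Originating-IP line comes from the original post.

```python
"""Pull X-Originating-IP and its neighbouring headers out of a raw message.
Added example, not from the thread. Hostnames, Received hops and the X-Mailer
value are constructed; the X-Originating-IP line is the one from the question."""
import email
import email.policy
import ipaddress
import re

SAMPLE_HEADERS = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by inbox.example.net with ESMTP; Tue, 8 Apr 2014 15:29:10 +0800
Received: from [10.0.0.5] (unknown [176.34.63.150])
    by mx.example.org with ESMTPA; Tue, 8 Apr 2014 15:29:05 +0800
X-Mailer: ExampleMailer 1.0
X-CM-HeaderCharset: UTF-8
X-Originating-IP: [95.141.27.41, 176.34.63.150]
Date: Tue, 8 Apr 2014 15:29:04 +0800
Subject: test

"""

IP_TOKEN = re.compile(r"[0-9a-fA-F:.]+")

def parse_originating_ips(value):
    """Return the valid IP addresses in an X-Originating-IP value: the bracketed
    list from the question ("[a, b]"), one bracketed address, or bare addresses."""
    ips = []
    for token in IP_TOKEN.findall(value):
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:  # punctuation or non-address text, skip it
            continue
    return ips

def describe(headers_text):
    """Originating IPs with a private/public flag, the other X- fields that may
    identify the software that wrote them, and the Received chain oldest first."""
    msg = email.message_from_string(headers_text, policy=email.policy.default)
    originating = [{"ip": str(ip), "private": ip.is_private}
                   for raw in msg.get_all("X-Originating-IP", [])
                   for ip in parse_originating_ips(str(raw))]
    extension_fields = {name: str(val) for name, val in msg.items()
                        if name.lower().startswith("x-")
                        and name.lower() != "x-originating-ip"}
    # Each hop prepends its Received line, so reverse to follow transit order.
    received = [" ".join(str(r).split())
                for r in reversed(msg.get_all("Received", []))]
    return {"originating": originating, "extension_fields": extension_fields,
            "received": received}
```

Run `describe(SAMPLE_HEADERS)` on a real header block pasted into `SAMPLE_HEADERS`; the extension_fields output is where an X-Mailer or vendor-specific field would point you at the documentation athulin and InfoSecCow suggest consulting.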