Checkmate Zine  

debaser_
(@debaser_)
Active Member

I found this on securityfocus forum. It looks to be fairly well put together from what I've read. I think it may be worth checking out.

http://www.niiconsulting.com/checkmate/

Posted : 01/03/2006 1:34 am
keydet89
(@keydet89)
Community Legend

Hhhmmm…no new articles or editions since I blogged about it…

Harlan

Posted : 01/03/2006 2:44 am
youcefb9
(@youcefb9)
Junior Member

The email tracing article is not accurate. The author claims that the email originated from the Gateway (because this is the first box that shows an IP address), but in fact the email was bounced to the gateway from a possibly internal mail server (thus the localhost).

Indeed the internal mail server looks to be properly hardened not to emit any tracing information that could help in network mapping (like showing the internal - non routable - IP addresses used in the corporate).

Posted : 01/03/2006 3:39 am
debaser_
(@debaser_)
Active Member

The email tracing article is not accurate. The author claims that the email originated from the Gateway (because this is the first box that shows an IP address), but in fact the email was bounced to the gateway from a possibly internal mail server (thus the localhost).

Indeed the internal mail server looks to be properly hardened not to emit any tracing information that could help in network mapping (like showing the internal - non routable - IP addresses used in the corporate).

I guess I should have read them all before posting. I just skimmed through them and it seemed worth a shot. Sorry.

Posted : 01/03/2006 7:40 am
keydet89
(@keydet89)
Community Legend

Don't be sorry…it's good that you pointed it out, for two reasons. One is that you wouldn't want someone quoting that as gospel. The other is that now someone like youcefb9 has a chance to do a better job…

Harlan

Posted : 01/03/2006 5:01 pm
cinux
(@cinux)
New Member

Hi everybody,
Thanks for the feedback. You are indeed right in pointing out that the IP is not the real IP of the sender but the IP of the mail gateway, i.e. gateway1.verisign.com [65.205.251.51], which is running a sendmail program v8.12.8. It has been mentioned in the conclusion that most often while tracing, the investigator would be able to reach the first hop of the email's journey, which could be a corporate mail server, an open proxy or a dial-up port of an ISP. Still, I would make appropriate changes so that the concept is not misunderstood! In any case, an update to the article is in the line where we discuss about anonymous networks, open proxy servers and the email headers in detail.
We are ready with the next issue of Checkmate which should be out in a few days. Any critical feedback/suggestion is keenly awaited.
"Checkmate" is an initiative by NII to spread awareness about the domain of Computer Forensics. If you would like to contribute to the magazine in any way, you are most welcome.
Thanks again for your support and time.
Chetan Gupta
Forensic Analyst, NII Consulting

Posted : 08/03/2006 2:16 pm
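
The point raised in this thread, that the first relay showing an IP address is not necessarily where the message originated, can be checked by reading the Received headers oldest first. The Python sketch below is an added example (not from any poster or from the Checkmate article); the sample headers, the .example host names and the documentation-range addresses standing in for routable ones are all constructed.

```python
import email
import ipaddress
import re

# Constructed sample, newest hop first as a mail client shows it. The oldest
# Received line says the gateway took the message from localhost.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbox.recipient.example with ESMTP; Wed, 1 Mar 2006 10:00:05 +0000
Received: from gateway.sender.example (gateway.sender.example [203.0.113.25])
\tby mx.recipient.example with ESMTP; Wed, 1 Mar 2006 10:00:03 +0000
Received: from localhost (localhost [127.0.0.1])
\tby gateway.sender.example (8.12.8/8.12.8) with ESMTP; Wed, 1 Mar 2006 10:00:01 +0000
From: someone@sender.example

body
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FROM_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f.:]+)\]\)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def scope(ip_text):
    """Classify the address a relay recorded for the host that handed it the mail."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "internal"
    return "routable"

def trace_hops(raw):
    """Return hops oldest first; each relay prepends its Received line, so reverse."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        src, by = FROM_RE.search(flat), BY_RE.search(flat)
        ip = src.group(2) if src else None
        hops.append({"from": src.group(1) if src else None, "ip": ip,
                     "scope": scope(ip) if ip else "unknown",
                     "by": by.group(1) if by else None})
    return hops

def first_routable(hops):
    """Index and hop of the earliest relay that exposes a routable address."""
    return next(((i, h) for i, h in enumerate(hops) if h["scope"] == "routable"), (None, None))

if __name__ == "__main__":
    print(first_routable(trace_hops(SAMPLE)))
```

A non-zero index from `first_routable` means at least one earlier hop (here the loopback hand-off to the gateway) precedes the first routable address, so that address identifies a relay rather than the sender.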