
SPAM & 419 Fraud

22 Posts
5 Users
0 Reactions
1,715 Views
(@craiginusa)
Active Member
Joined: 20 years ago
Posts: 13
 

Anyway, back on track… On the subject of establishing whether an end IP number in the extended header chain is a proxy, other than pinging the IP on port 8080, and waiting for the reply, is there any other method people use?

Andy

Andy,
Inbound mail from ISPs comes in as POP3 mail on TCP port 110.

I'm not sure where port 8080 comes in except to say that some people run http over port 8080 rather than port 80. Ping does not accept a port number as a parameter.

When you ping a host, you can ping either by ip address or domain name.

Probably a more useful command under these circumstances is 'tracert'.
This will trace the ip/domain name back to its origin. That is usually where the trail runs cold. If the destination is an ISP, then almost certainly the originator of the email is using NAT (Network Address Translation) which converts his/her internal IP addresses to Public facing addresses owned by the ISP.

e.g. tracert 200.223.238.2

tracert is the Windows command, use traceroute on Unix.

You can also try 'arin' - www.arin.net and ask it to search for the IP address. This at least will tell you who owns it. In this case the 200.223.238.2 address ultimately traces back to Sao Paulo as does the 200.221.11.147 address.

owner: Comite Gestor da Internet no Brasil
ownerid: BR-CGIN-LACNIC
responsible: Frederico A C Neves
address: Av. das Nações Unidas, 11541, 7° andar
address: 04578-000 - São Paulo - SP

This probably doesn't help you too much though.


 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
Topic starter  

Harlan and Craig, you are both right… Craig, I got the same trace as you.

But what I was trying to establish is this – if someone is using a web based email client such as Yahoo or Hotmail, or in the example spammer scenario ‘zipmail’ (also web based) to commit a crime, then how do we tell if they have used a proxy server to access their web mail accounts and send the offending email? If a suspect sends an email from this web page through a proxy, then the IP number in the final ‘received from’ field will reflect the proxy server's IP. And depending on how anonymous or remote the proxy is will dictate how possible or impossible it is to get access to their logs – to identify an offender's true IP. With most anonymous proxies, it’s simply not possible… The pop3 scenario is not applicable in this case.

Harlan identifies that a proxy could be some kind of ‘zombie’ having been possibly compromised through vulnerabilities. In this set of circumstances it simply isn’t worth pursuing.

Or simply a regular proxy using some other port (81, 3128, 1080, and even 80 are favourites). The nmap solution seems the best.

Plus it is possible to daisy-chain proxies through IE, making tracking even more difficult.

The reason I posted the original example is because I often get requests to track email, some of which have IPs that are obviously not from the purported location. In my example Nigeria and Brazil. My conclusion is that the sender has utilised a proxy server to access his web mail and send the spam.

Andy


(@craiginusa)
Active Member
Joined: 20 years ago
Posts: 13
 

Andy,
Curiously, email spoofing is possible on 200.221.11.147, as port 25 is open and accepting input; this is very unusual.

Last login: Sun Apr 24 23:51:51 on ttyp1
Welcome to Darwin!
craig:~ craigcameron$ telnet 200.223.238.2 25
Trying 200.223.238.2…
telnet: connect to address 200.223.238.2: Connection refused
telnet: Unable to connect to remote host
craig:~ craigcameron$ telnet 200.221.11.147 25
Trying 200.221.11.147…
Connected to smtp.zipmail.com.br.
Escape character is '^]'.
220 www.zipmail.com.br ESMTP Service (5.5.060) ready

With port 25 open, it is possible to send email which would appear to originate from any email address you choose.

Also strange (obviously), if there is a firewall in front of this server (one would assume there is) it is allowing telnet through! If I was a hacker I would…..


(@craiginusa)
Active Member
Joined: 20 years ago
Posts: 13
 

Correction…..
the domain is common to both servers. One server doesn't accept telnet, the other does.

That would imply that the server accepting telnet is outside the firewall, assuming there is one. One could also assume that since this server is 'in the wild' with no security, it has been compromised to the high 'kahunas'. Therefore anything is possible!


 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
Topic starter  

Craig

With port 25 open, it is possible to send email which would appear to originate from any email address you choose.

Is that correct? I know it's a simple matter to spoof the email address but the originating IP is another matter. I thought spoofing extended header IP information (although possible) was difficult - as they say 'non-trivial'. An email sent even through an insecure smtp server (telnet & port 25) uses TCP packets and not UDP - therefore a 'connection' is required for the process to complete (the syn-ack 'handshake' described briefly by Harlan). So even if you access an open smtp port on an insecure server, any emails sent will have your IP number in the extended header.

Andy

P.S. have you seen the animation 'warriors of the web'? It's a brilliant animation explaining the way TCP/IP works. If I can find a link I will post it (I know it's a little off topic - but one of the best training aids I've ever seen).


(@craiginusa)
Active Member
Joined: 20 years ago
Posts: 13
 

Like I say, dealing with an insecure server, anything is possible!


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

if someone is using a web based email client such as Yahoo or Hotmail, or in the example spammer scenario ‘zipmail’ (also web based) to commit a crime, then how do we tell if they have used a proxy server to access their web mail accounts and send the offending email. If a suspect sends an email from this web page through a proxy, then the IP number in the final ‘received from’ field will reflect the proxy servers IP.

Well, this won't work for Yahoo or GMail. Yahoo uses an entry called "X-Originator" or something similar.

An email I received from an MSN user has the "X-Originating-IP" entry in the header.

I have yet to verify it, but I was told this morning that GMail is under fire from anti-spam folks for *not* providing this kind of information.

But you're right…if the user is using a browser to access the web-based mail site via a proxy, the "X-Originating-IP" *may* be the IP address of the proxy. You will want to verify this by doing some of your own testing, though.

Harlan identifies that a proxy could be some kind of ‘zombie’ having been possibly compromised through vulnerabilities. In this set of circumstances it simply isn’t worth pursuing.

Is there any particular reason why not?

My conclusion is that the sender has utilised a proxy server to access his web mail and send the spam.

Andy, you'll have to excuse me…I've read back through the entire thread several times, even through your "gob" post…and for the life of me, I just can't seem to find anything that would support that conclusion.

Sure, I can see that the person signed the email as someone from Nigeria, and the email seems to have originated from Brazil…but that's not definitive proof that a proxy was used. There are too many assumptions at play here. For example, perpetrators of the "419" or Nigerian scams have been arrested in the UK and other countries:

http://www.africamasterweb.com/AdSense/Nigerian4YrsHongKong419.html
http://www.stuff.co.nz/stuff/manawatustandard/0,2106,3239875a6407,00.html

There are other cases, as well, that are easily tracked via Google. My point is that you don't actually have to be in Nigeria to perpetrate the Nigerian/419 scam. Just b/c the email illustrates such a scam and seems to have originated in Brazil, it doesn't definitively prove that a proxy was used.

If you've got some other information that hasn't been presented here, I'd be more than happy to see it and be proven wrong on this.

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com


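Two points in the thread can be made concrete together: Andy's observation that the receiving mail server records the TCP peer address in its Received line regardless of what the sender claims, and Harlan's note that webmail providers may add an X-Originating-IP header that reflects the browser's address (which may itself be a proxy). The following Python is an added example, not code from the thread: it walks the Received chain in transit order and reports the best available originating address. The message is constructed for the example, using RFC 5737 documentation addresses and example hostnames, not any server discussed above.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread). MTAs prepend their own
# Received line, so the top line is the last hop and the bottom one the first.
SAMPLE_MESSAGE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby inbox.example.org with ESMTP; Sun, 24 Apr 2005 23:51:51 -0300\n"
    "Received: from www.zipmail.example (unknown [198.51.100.7])\n"
    "\tby mx.example.net with SMTP; Sun, 24 Apr 2005 23:50:02 -0300\n"
    "X-Originating-IP: [203.0.113.45]\n"
    "From: Someone <forged@example.com>\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# "from <helo> (<rdns> [<ip>]) by <server>": the helo name is whatever the
# client claimed; the bracketed IP is what the receiving server saw on the TCP
# connection, which is why it survives a forged From: or MAIL FROM.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_hops(raw):
    """Return the Received hops in transit order, earliest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # non-standard Received line; skip rather than guess
        ip = IP_RE.search(m.group("info"))
        hops.append({"helo": m.group("helo"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def originating_ip(raw):
    """Prefer the webmail-supplied X-Originating-IP (the browser's peer address,
    possibly a proxy); otherwise fall back to the peer address recorded by the
    first receiving MTA. Either way this is only the last visible hop."""
    msg = message_from_string(raw)
    xo = msg.get("X-Originating-IP")
    if xo:
        ip = IP_RE.search(xo)
        if ip:
            return ip.group(1)
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else None
```

The address this returns is the starting point for the whois or trace lookups discussed earlier in the thread, not proof of where the person sat.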
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Andy,

What's the problem, dude? Snotty rebuke? I'm asking how you came to the conclusion that a proxy was used…after all, you'd said:

"My conclusion is that the sender has utilised a proxy server to access his web mail and send the spam."

To me, this sounds like a…well, you know…a conclusion, not a question. I'm interested in learning what I'm missing here, that's all.

I'm trying to further the discussion in this thread, exploring this issue of tracing email…nothing more.

I'm sorry if you've taken any of my questions as snotty or grating.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com


 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
Topic starter  

Is there any particular reason why not?

I was agreeing with you, perhaps it was too subtle.

In any case the fact of the matter is… if I knew the definitive answer to the question I initially posted (how can we tell if a proxy server has been used with a web mail email?), then I would not have posted it in the first place. Infosec is not my forte, but I am a quick learner, and by asking questions and listening to answers I tend to increase my knowledge and better myself.

I was hoping for guidance and hopefully enlightenment, not a snotty rebuke. Sorry Harlan, but it’s just the way I perceive your posts – you come across a little caustic at times.

There is another saying (not one of my mum's this time); it goes something like this: “the most stupid question is the one never asked”. I do not wish to be frightened of posting questions or opening topics only to be flamed; it's not what I’m here for.

Perhaps my EQ is higher than my IQ.

Andy


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Andy,

You said:
"My conclusion is that the sender has utilised a proxy server to access his web mail and send the spam."

I've asked how you came to that conclusion several times now…none of which you've answered. Instead you've said that I'm snotty and caustic, and that you don't want to be afraid of posting. I'm not trying to flame you…I'm simply trying to engage you in discussion.

I would sincerely and honestly like to know how you reached your conclusion.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com


Page 2 / 3