

   SIMPLISTIC EMAIL TRACING



   Don't you ever run into that occasional user that pisses you off so bad you just
   want to strangle the bastard?  Well now, through this special Blizzard of Oz offer,
   you might be able to.  Most people think email tracing is a complicated procedure
   only an admin can perform correctly.  Not the case: if you can use a web browser,
   you can trace email.


   So here's the gig.  All email sent and received has a header.  The header has the
   IPs of all the SMTP servers which sent, relayed, and received a message.  So
   here's an actual mail header, sent from and received by actual people using Netscape
   Navigator with "show all header information" turned on, slightly reformatted and broken
   down into easy-to-read form.


  
Received: 
          from mail.webchoice.net (webchoice.net.6.240.24.in-addr.arpa [24.240.6.14] (may be
          forged)) by services.computerland.net (8.8.7/8.8.7) with ESMTP id MAA2667933 for
         <kbooth@computerland.net>; Wed, 26 Jan 2000 12:33:29 -0600 (CST)
           
             << mail.webchoice.net aka 24.240.6.14 is the sending mail server.  The "may be
                forged" note was inserted automatically, since it is possible to forge the
                sending server.  services.computerland.net is the receiving mail server
                running Extended Simple Mail Transfer Protocol (ESMTP) ver. 8.8.7, plus
                the ESMTP id, which isn't of much use to you unless you're a sys admin on
                that mail server, and then the address it was delivered for, which would
                be the POP account - kbooth. >>


Received: 
         from logan (unverified [208.18.8.3]) by mail.webchoice.net (Rockliffe SMTPRA 3.2.0) with
         SMTP id <B0000471457@mail.webchoice.net> for <kbooth@computerland.net>; Wed, 26
         Jan 2000 12:36:45 -0600
                 
             <<  The webchoice mail server got this message from "logan" @ 208.18.8.3, which
                 would be the place the POP3 server was logged into from.  There's another
                 SMTP id we don't need, and the date. >>


Message-ID: 
         <388F3F12.7DB2@webchoice.net>

            << only useful to the admin of the smtp server >>

            
X-Mailer: 
          Mozilla 3.04 (Win95; I)

             << the OS and mail client used to send the message >>


MIME-Version: 
          1.0


Reply To:

         logan@webchoice.net



      I snipped the last 5 entries or so since they're pretty useless for tracing purposes really.
      So the bulk of the information we need is in the first header.  First things first, we
      need to identify the server the mail was sent from, which is webchoice.net.  Next we
      need to know the user name, which is anything before the @ in the Reply To address, which
      would be logan.  So it looks like the mail was sent from a user named "logan" through
      the webchoice.net SMTP server.  But what was logan's point of origin?  Check out the
      second Received header - from logan at 208.18.8.3 by webchoice.  That IP isn't even
      close to the webchoice SMTP server's.  So "logan" wasn't getting his internet service from
      the webchoice dial-up server.  A quick scan on 208.18.8.3 will tell you that that IP
      has a firewall, which means someone has a reason for hiding behind it, and that would
      have to be a business of some sort, possibly a corporation.  So that's all great, but we
      need more information.
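      Here is an added example, not part of the original article, that does the header reading
      above in code: a small Python script that unfolds the Received headers, parses each hop
      (the host the message claimed to come from, the IP the server actually saw in brackets,
      the server that wrote the line, its timestamp, and whether it flagged the hop as
      "unverified" or "may be forged") and walks back to the earliest hop that carries a real
      IP.  The header text inside the script is a constructed re-typing of the header shown
      above; the Reply-To line is spelled the way the standard writes it.

```python
import re
from email.parser import HeaderParser

# Constructed sample: a re-typed copy of the header shown in the article, with
# the folding whitespace (leading space on continuation lines) that mail
# clients normally hide.  Reply-To is spelled the standard way here.
SAMPLE_HEADER = """\
Received: from mail.webchoice.net (webchoice.net.6.240.24.in-addr.arpa [24.240.6.14] (may be
 forged)) by services.computerland.net (8.8.7/8.8.7) with ESMTP id MAA2667933 for
 <kbooth@computerland.net>; Wed, 26 Jan 2000 12:33:29 -0600 (CST)
Received: from logan (unverified [208.18.8.3]) by mail.webchoice.net (Rockliffe SMTPRA 3.2.0) with
 SMTP id <B0000471457@mail.webchoice.net> for <kbooth@computerland.net>; Wed, 26
 Jan 2000 12:36:45 -0600
Message-ID: <388F3F12.7DB2@webchoice.net>
X-Mailer: Mozilla 3.04 (Win95; I)
MIME-Version: 1.0
Reply-To: logan@webchoice.net

"""

IPV4_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def parse_received(value):
    """Pull the parts a tracer cares about out of one Received header value."""
    text = re.sub(r'\s+', ' ', value).strip()          # undo header folding
    m_from = re.match(r'from\s+(\S+)', text)
    m_by = re.search(r'\bby\s+(\S+)', text)
    m_ip = IPV4_RE.search(text)
    # Everything after the last ';' is the receiving server's timestamp.
    date = text.rsplit(';', 1)[1].strip() if ';' in text else ''
    return {
        'from': m_from.group(1) if m_from else None,   # name the client announced
        'ip': m_ip.group(1) if m_ip else None,         # address the server actually saw
        'by': m_by.group(1) if m_by else None,         # server that wrote this line
        'forged_warning': 'may be forged' in text,     # reverse DNS did not match
        'unverified': 'unverified' in text,            # server did not check the name
        'date': date,
    }


def hop_chain(raw_header):
    """Return the hops in sender-to-recipient order.

    Each server prepends its own Received line, so the top line is the newest.
    Only the hop written by your own server (last in the returned list) is
    known to be genuine; anything earlier could have been supplied by the sender.
    """
    msg = HeaderParser().parsestr(raw_header)
    received = msg.get_all('Received') or []
    return [parse_received(v) for v in reversed(received)]


def origin(hops):
    """Earliest hop that carries a literal IP address, i.e. the best available
    guess at where the message was injected into the mail system."""
    for hop in hops:
        if hop['ip']:
            return hop
    return None


if __name__ == '__main__':
    chain = hop_chain(SAMPLE_HEADER)
    for n, hop in enumerate(chain, 1):
        flags = [f for f in ('forged_warning', 'unverified') if hop[f]]
        print(f"hop {n}: {hop['from']} [{hop['ip']}] -> {hop['by']}  {hop['date']}  {flags}")
    first = origin(chain)
    print(f"earliest addressable hop: {first['from']} at {first['ip']}")
```

      Run it on a saved raw message and read the hop list bottom up: the last hop was written by
      your own server and is the only one you can trust outright, and the "unverified" and
      "may be forged" flags mark exactly the points where the server could not confirm what the
      other side claimed.  The bracketed IP is still the address the server really talked to,
      which is why the earliest hop with a bracketed IP is the one worth looking up.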


      At this point it would be in our best interest to make a WHOIS query.  What is a whois
      query?  Every domain on the net has to be registered through InterNIC, and InterNIC by law
      is required to make those records public information, searchable through a database.
      There are a ton of whois servers out there, so I'm just gonna name a few that I have
      had good luck with.


      www.arin.net - American Registry for Internet Numbers.  Really excellent, 5 star service.
      www.apnic.net - good for getting info on Asian-Pacific servers.
      www.aunic.net - good for getting info on Australian servers.
      www.nic.mil - all you ever wanted to know about military servers - beware monitoring.
      www.nic.gov - secrets of the government revealed.
      www.ripe.net - good for European servers.
      samspade.org/t/ - more than just whois, an excellent set of tools.

      So I plug 24.240.6.14 into the whois search box and hit go:


      High Speed Access Corp (NETBLK-HSACORP-2BLK) HSACORP-2BLK   24.240.0.0 - 24.240.127.255
      HSA Corporation (NETBLK-HSA-COLUMBIA1) HSA-COLUMBIA1        24.240.6.0 - 24.240.6.255


      Interesting, webchoice's T-whatever block is served to them by HSA Corporation.
      Useful: you could take SuperScan and work up the whole IP block, then cross-reference
      webchoice to the IPs and query that IP, but I think we can do better.
      Skip over to samspade.org/t/, plug webchoice.net into the address digger and
      check the whois box.  Put webchoice.net in the box and stand back, cuz' it's about
      to get messy.
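      An added example, not from the article, of doing the block lookup reasoning above in code.
      It parses the two ARIN result lines (re-typed here as a constructed sample), turns each
      start - end range into CIDR prefixes with the standard library, and picks the smallest
      allocation that contains an address.  The smallest block is the one that matters: the big
      block belongs to the provider, the nested one to whichever customer it was sub-allocated to.

```python
import ipaddress
import re

# Constructed sample: the two ARIN result lines from the article, re-typed
# with single spaces between the fields.
ARIN_OUTPUT = """\
High Speed Access Corp (NETBLK-HSACORP-2BLK) HSACORP-2BLK 24.240.0.0 - 24.240.127.255
HSA Corporation (NETBLK-HSA-COLUMBIA1) HSA-COLUMBIA1 24.240.6.0 - 24.240.6.255
"""

# org name, (handle), short name, start - end
LINE_RE = re.compile(
    r'^(?P<org>.+?)\s+\((?P<handle>[^)]+)\)\s+\S+\s+'
    r'(?P<start>\d+(?:\.\d+){3})\s*-\s*(?P<end>\d+(?:\.\d+){3})\s*$'
)


def parse_netblocks(text):
    """Parse ARIN-style 'org (HANDLE) NAME start - end' lines into dicts."""
    blocks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue          # skip blank or unrecognised lines
        start = ipaddress.ip_address(m['start'])
        end = ipaddress.ip_address(m['end'])
        blocks.append({
            'org': m['org'],
            'handle': m['handle'],
            'start': start,
            'end': end,
            # the range expressed as CIDR prefixes, e.g. 24.240.0.0/17
            'networks': list(ipaddress.summarize_address_range(start, end)),
        })
    return blocks


def most_specific_block(blocks, ip):
    """Smallest allocation containing ip, or None if no block covers it.

    Registries nest allocations: a provider holds a large block and hands
    pieces of it to customers, so the smallest matching block names the
    organisation that actually uses the address.
    """
    addr = ipaddress.ip_address(ip)
    matches = [b for b in blocks if b['start'] <= addr <= b['end']]
    if not matches:
        return None
    return min(matches, key=lambda b: int(b['end']) - int(b['start']))


if __name__ == '__main__':
    blocks = parse_netblocks(ARIN_OUTPUT)
    for b in blocks:
        print(f"{b['org']:25} {b['handle']:25} {[str(n) for n in b['networks']]}")
    for ip in ('24.240.6.14', '24.240.9.1', '208.18.8.3'):
        hit = most_specific_block(blocks, ip)
        print(ip, '->', hit['org'] if hit else 'not in any listed block')
```

      For 24.240.6.14 the script lands on the HSA-COLUMBIA1 /24 rather than the provider's /17,
      and for an address outside both ranges (like the 208.18.8.3 hop) it returns nothing,
      which is your cue to run a separate query for that block.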


   Registrant:
   Capital International Holdings (WEBCHOICE3-DOM)
   7777 Bonhomme Ave. Suite 1715
   St. Louis, MO 63105
   US

   Domain Name: WEBCHOICE.NET

   Administrative Contact:
      Meier, Mary  (MM10406)  mmcap@AOL.COM
      314 726 0099 (FAX) 314 726 4880
   Technical Contact, Zone Contact:
      Ruthenberg, Mark  (MR15519)  noc@WEBCHOICE.NET
      573-875-0396 (FAX) 573-875-3007
   Billing Contact:
      Meier, Mary  (MM10406)  mmcap@AOL.COM
      314 726 0099 (FAX) 314 726 4880

   Record last updated on 19-Jan-2000.
   Record created on 16-Dec-1997.
   Database last updated on 26-Jan-2000 14:15:01 EST.

   Domain servers in listed order:

   DNS1.WEBCHOICE.NET           24.240.6.9
   DNS2.WEBCHOICE.NET           24.240.7.9


    That's more like it.  These are the people that registered the webchoice domain.  A look
    at www.webchoice.net will tell you the home office is in Columbia, MO, so we want to find
    which one of these contact numbers is Columbia based.  Well, the 314 area code is St. Louis,
    so we'll search on the 573.875.3007 number.  Over to www.phoneloser.org/pi.html for an area
    code and prefix search and KABLAM.  We now have a contact name and number to social engineer
    details about the account.  Using the number on the homepage is always an option, but the
    numbers here are upper administration: if we can't weasel any info about logan out of Mark
    Ruthenberg we can just as easily call up the home office in St. Louis and talk to our new
    friend Mary.  The conversation would go a little something like this.


   Hello, this is Mark, can I help you?

   Yeah, this is (name of admin) for computerland internet services and we received a message
   from your mail server using an account called "logan" and would like to contact the owner
   of the message concerning its content.  Could you tell me the name on the account?

   Well, I'm sorry to hear that one of our users is misusing their account, I'll get that
   information for you, just one minute << one minute later >> Yeah, that account is
   registered to Chad Logan and he didn't leave a phone #.

   Thank you very much, SUCKAH, I mean Mark.  Have a fantastic day.


    It really is that easy, usually.  Back over to the phoneloser's PI page with a person search
    for Columbia, MO and here's Mr. Chad Logan, who, due to the fact he didn't sign up to have
    his number unlisted, has made his address and phone number public record.  So now you know
    without a question the owner of the account's full name, address, and telephone number.  Now
    if we could just figure out where he works.  A quick call to the Columbia Utility office
    pretending to be Chad wanting to check his current billing address and work information
    will tell us his place of employment.  Lucky for us Mr. Logan has a job at MBS Books,
    who has a website, www.mbsbooks.com.  By taking the info from a search on arin.net for
    208.18.8.3 and mbsbooks.com you can see that the mbsbooks domain server is served via
    Sprintlink, as is the 208.* IP address.  So it looks like the firewall at MBS gave up the
    identity of the user at the terminal the mail was sent from.  KABLAM.  Another piece of the
    puzzle: now we know the sender, where the sender works, where the sender was when the
    message was sent, and the date and time.  You still want more information?  Well, let's say
    this Chad Logan clown is an underground kingpin and you can't take him on alone.  Call up his
    work and make up something halfway believable and more than likely they'll tell you
    his SS# over the phone.  Then you will own the chadster.  Every service he is subscribed
    to, every loan, every traffic ticket, every credit card transaction can be exploited to
    its full extent.  I don't have enough room here to cover all that, but in future issues
    watch for it.


    So now you know the basic fundamentals of tracing down an email message.  There are a few
    services which are going to be tough to trace through, like Hotmail, Flashemail, and Yahoo.
    It can be done, but it will require a little advanced social engineering and some mad
    technique, since they specifically safeguard against things like that.  The only real problem
    in tracing email is that, like tracing anything, it doesn't do you any good to trace something
    to the source if the source isn't the place the person is at, or they are using a hacked
    account and dialing in anonymously; since most ISPs aren't gonna cough it up for ANI2, these
    people are invisible.  If they're thinking ahead anyway they won't dial up from home to send a
    message they don't want traced.  So a word to the wise: be careful where you send your mail,
    it's really not that hard to pinpoint exactly where it came from.


     