Wednesday, November 15, 2006

E-mail investigation

This is article is intended for some of my class mates to do their Computer Forensics Investigation


The sender: Lines and subject line

The original email was sent by uklotterygames12@mail.ru who gives his real name as uk lottery and the email was addressed to same address which it was originated from. Together with the Reply-To: line, address is aimed at directing all bouncing messages and angry replies to same address. And the original email was composed at 12:56:07 on Tuesday, march 2006. The message id has been given to identify it. The message was sent from a program called mPOP Web-Mail (version 2.19) and at the time of this message was originated the uklotterygames12@mail.ru use IP address 81.199.40.20 which is assigned to RIPE Network Coordination Centre, Amsterdam (Netherlands). Next, the Subject: contain information which should not be existed “pound; 2,500,000 (GBP)!!” which is also a trap from spammer to attract legitimate customer to attract and show it was real.

The Received: Lines

The oldest received line indicates the email handoff from 81.199.40.20 to win.mail.ru; this handoff happens at the same time when it was send from uklotterygames12@mail.ru computer. Next handoff from win.mail.ru to f7.mail.ru; message was originated from a local computer in same date and time that it was originated. Next received line: host name f7.mail.ru with IP address 194.67.57.37 sends it to mx4.mail.ru is running POP mail version (mPOP.Fallback_MX). The receiving host assigned the ID number to the message.

The final header indicates the message was received by xxxxxun.com from a server named mx4.mail.ru on 21 March which is 8 hours before the universal clock time. It also shows the host mx4.mail.ru has IP address of 194.67.57.1. Using who is we know that this IP address is registered to the RIPE NCC, Amsterdam. From here it shows the email was forged from this local machine xxxxxx@xxxxxun.com and if the mail is valid then the same IP address should be appeared as originated in the first header. The first header is always added to the top of the message and check anyone own the address as it’s mentioned. The first invalid header means that it must be spoofed mail.

Email body: Lines

When we analyzed further into this mail no genuine website address is motioned in it. The receiver has no guarantee and unable to check the validity of it by going to their website and checking whether his her mail address was listed on their site by giving credentials if so necessary and if available. Together in the content body to file clients claim the spammer or hacker mentioned a non-existing or faked Yahoo! Mail account. If the receiver send a reply or click it may take all the necessary information by its hidden values.

5 Comments:

At 11:28 AM, Blogger M said...

Our beloved Micro$oft is not that keen on following RFCs either. This gives rise to a lot of invalid everything in emails going through their softwares. Since forensics may assume that atleast the servers were goody goody entities, I thought of expressing my 2 laari worth after the headache of integrating a couple of such email systems.

 
At 8:18 PM, Anonymous Anonymous said...

E-mail investigation is nothing much related to investigating people from outer space. despite the fact this really help me a lot mate. Thanks for your work..

 
At 9:11 AM, Anonymous Anonymous said...

How do i know whether this is correct without source e-mail. It would be more completed if you give a link to visit the actual mail you investigated.

But anyway this article is nice and thanks for your work

 
At 6:42 PM, Anonymous Anonymous said...

Hello. Facebook takes a [url=http://casino2013.webs.com/]blackjack[/url] venture on 888 casino apportion: Facebook is expanding its efforts to institute real-money gaming to millions of British users after announcing a wrestle with with the online gambling found search for 888 Holdings.And Bye.

 
At 11:55 PM, Anonymous Anonymous said...

Hello. Facebook takes a [url=http://www.onlinebaccarat.gd]casino[/url] lash on 888 casino transport: Facebook is expanding its efforts to institute real-money gaming to millions of British users after announcing a carry out with the online gambling companions 888 Holdings.And Bye.

 

Post a Comment

<< Home



The AnalyXer © 2007 | Contact | About Me