Wednesday, November 15, 2006

E-mail investigation

This article is intended for some of my classmates doing their Computer Forensics investigation.


The sender lines and the Subject: line

The original e-mail was sent by uklotterygames12@mail.ru, who gives his real name as "uk lottery", and it was addressed to the same address it originated from. Together with the Reply-To: line, this directs all bounced messages and angry replies back to that same address. The original e-mail was composed at 12:56:07 on Tuesday, March 2006. The message has been given a Message-ID to identify it. It was sent from a program called mPOP Web-Mail (version 2.19), and at the time the message originated, uklotterygames12@mail.ru was using the IP address 81.199.40.20, which is assigned to the RIPE Network Coordination Centre, Amsterdam (Netherlands). Next, the Subject: line contains text that should not be there, “pound; 2,500,000 (GBP)!!”, which is also a lure used by the spammer to attract recipients and make the message look genuine.

The Received: Lines

The oldest Received: line shows the hand-off of the e-mail from 81.199.40.20 to win.mail.ru; this hand-off happens at the same time the message was sent from the uklotterygames12@mail.ru computer. The next hand-off is from win.mail.ru to f7.mail.ru; the message originated from a local computer on the same date and at the same time it was composed. The next Received: line shows the host f7.mail.ru, with IP address 194.67.57.37, handing the message to mx4.mail.ru, which is running the POP mail software (mPOP.Fallback_MX). The receiving host assigned its own ID number to the message.

The final header indicates that the message was received by xxxxxun.com from a server named mx4.mail.ru on 21 March, in a time zone 8 hours behind Universal Time. It also shows that the host mx4.mail.ru has the IP address 194.67.57.1. Using whois, we find that this IP address is registered to the RIPE NCC, Amsterdam. From this it appears the e-mail was forged from the local machine xxxxxx@xxxxxun.com; if the mail were valid, the same IP address should appear as the originating address in the first header. The first header is always added at the top of the message, and one should check whether anyone owns the address as stated. The first invalid header means the mail must be spoofed.
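As an added example (not code from the original post or from any mail software the article names), the following Python script performs the header walk described in the sender-line and Received:-line sections above: it lists the Received: hops oldest-first, pulls out the hand-off hosts, IP addresses and timestamps of each hop, collects the From:, Reply-To:, To:, Message-ID and X-Mailer fields, and raises simple warnings (From: equal to To:, Reply-To: pointing back at the sender, a web-mail first hop, and timestamps that run backwards between hops). The sample message embedded in it is constructed from the hosts, addresses and IPs the article quotes; the queue ids, Message-ID and exact second-level timestamps are placeholders. The whois lookups are left to the investigator; the script only collects the IPs to look up.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not the original from the article). Host names,
# IP addresses, sender address and mailer name are the ones the article
# quotes; queue ids, the Message-ID and the second-level timestamps are
# placeholders made up so that the sample parses. Newest hop is on top.
SAMPLE = b"""Received: from mx4.mail.ru ([194.67.57.1]) by xxxxxun.com
\twith ESMTP id QUEUEID-PLACEHOLDER-4; Tue, 21 Mar 2006 04:57:30 -0800
Received: from f7.mail.ru ([194.67.57.37]) by mx4.mail.ru (mPOP.Fallback_MX)
\tid QUEUEID-PLACEHOLDER-3; Tue, 21 Mar 2006 12:56:10 +0000
Received: from win.mail.ru by f7.mail.ru id QUEUEID-PLACEHOLDER-2;
\tTue, 21 Mar 2006 12:56:08 +0000
Received: from [81.199.40.20] by win.mail.ru with HTTP;
\tTue, 21 Mar 2006 12:56:07 +0000
Date: Tue, 21 Mar 2006 12:56:07 +0000
From: "uk lottery" <uklotterygames12@mail.ru>
Reply-To: uklotterygames12@mail.ru
To: uklotterygames12@mail.ru
Subject: 2,500,000 (GBP)!!
Message-ID: <MESSAGE-ID-PLACEHOLDER@mail.ru>
X-Mailer: mPOP Web-Mail 2.19

Lottery notification body (placeholder text).
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"\bfrom\s+(\[?[\w.\-]+\]?)", re.I)
BY_RE = re.compile(r"\bby\s+([\w.\-]+)", re.I)


def parse_hops(raw: bytes) -> list:
    """Return the Received: hops oldest-first, one dict per hop.

    Headers are prepended by each relay, so the last Received: line in the
    message is the first hand-off; reversing the list restores delivery order.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(value)).strip()
        if ";" in text:
            body, _, stamp = text.rpartition(";")  # timestamp follows the last ';'
        else:
            body, stamp = text, ""
        try:
            when = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
        except (ValueError, TypeError):
            when = None  # unparseable date: keep the hop, drop the time
        from_m, by_m, ip_m = FROM_RE.search(body), BY_RE.search(body), IP_RE.search(body)
        hops.append({
            "from": from_m.group(1).strip("[]") if from_m else None,
            "from_ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
            "time": when,
            "raw": text,
        })
    return hops


def analyze(raw: bytes) -> dict:
    """Collect the header facts the investigation looks at, plus consistency warnings."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = parse_hops(raw)
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    recipient = parseaddr(str(msg.get("To", "")))[1]

    warnings = []
    if sender and sender == recipient:
        warnings.append("From: and To: are the same address; the real recipients are hidden (Bcc or forged headers)")
    if reply_to and reply_to == sender:
        warnings.append("Reply-To: sends every reply and bounce back to the sender address")
    if hops and "with http" in hops[0]["raw"].lower():
        warnings.append("first hop was a web-mail submission; its IP is the client that logged in, not a mail server")
    # Hop timestamps should never decrease along the delivery path (compare only tz-aware ones).
    stamped = [h["time"] for h in hops if h["time"] is not None and h["time"].tzinfo is not None]
    for earlier, later in zip(stamped, stamped[1:]):
        if later < earlier:
            warnings.append("Received: timestamps run backwards between hops; a header may be forged")
            break

    return {
        "sender": sender,
        "reply_to": reply_to,
        "recipient": recipient,
        "mailer": str(msg.get("X-Mailer", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "final_relay": (hops[-1]["from"], hops[-1]["from_ip"]) if hops else None,
        "delivered_to": hops[-1]["by"] if hops else None,
        "ips_for_whois": sorted({h["from_ip"] for h in hops if h["from_ip"]}),
        "hops": hops,
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE)
    for hop in report["hops"]:
        print(f"{hop['time']}  {hop['from']} ({hop['from_ip']}) -> {hop['by']}")
    print("origin IP:", report["origin_ip"], "| final relay:", report["final_relay"])
    print("look up with whois:", ", ".join(report["ips_for_whois"]))
    for w in report["warnings"]:
        print("WARNING:", w)
```

Run it against a saved message by replacing SAMPLE with the raw bytes of the file; the hop list comes out in delivery order, so the first entry is the originating hand-off and the last is the relay that delivered to the local server, which are the two IPs the article feeds to whois.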

The e-mail body lines

Analysing the mail further, no genuine website address is mentioned in it. The receiver has no guarantee and no way to check its validity by going to the organisation's website and checking whether his or her e-mail address is listed there, giving credentials if necessary and where available. In the body, for clients to file their claim, the spammer or hacker gives a non-existent or fake Yahoo! Mail account. If the receiver replies or clicks, it may capture all the necessary information through hidden values.



The AnalyXer © 2007