Tuesday, April 26, 2005

How E-mail Headers Work

As an IT professional, you've just seen fifty copies of the same e-mail virus sent to you. How do you know which machine is infected? Is it someone inside your own company, or someone external you can block?
Often, you can isolate it to a single machine by analyzing the one portion of the header your own e-mail server provides. Figure 1 shows a real-life example (all real names have been changed).

Figure 1 Analyzing E-mail

Received: from techtreaser.net ([10.10.8.112])
        by lodestone.techtreaser.net with ESMTP
        id HAA19820
        for ; Fri, 5 Mar 2005 04:40:22 -0500
From: firstname.lastname@techteam.state.in
Message-Id: <200504051530.haa19820@lodestone.techtreaser.net>
To: sample@techtreaser.net
Subject: Re: Your Applicatiom
Date: Fri, 4 April 2005 09:36:35 -0600
X-Priority: 3
X-MSMail-Priority: Normal

The important data is in the Received: line. Each time a server receives an SMTP message, it is supposed to add a new Received: line at the beginning of the header block. The topmost line will have been added by your server.

My e-mail server added the topmost line in this example; since there are no other Received: lines further below it, it is probably safe to assume that it was delivered directly to my system by an embedded mini-SMTP engine running on an infected machine. Had there been more than one Received: line, the first one might have been a relaying mail server. As servers are not as likely to be infected as clients, you may want to skip down to the second entry.

Your concern should lie with the information provided by your server: the data in parentheses following the "from" information supplied by the sender. The sender-provided information will almost always be invalid in virus and spam mail, so you can simply ignore it.
In this example, the information added by my server consisted only of the IP address of the machine handing me the message—10.10.8.112. That's the least amount of information you'll get. There may also be a machine name before the IP address, but still within the parentheses. If present, it is also trustworthy information and saves you the next step.
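A small parser for the Received: analysis above, added here as an example (not code from the original post). It splits each Received: line into the sender-claimed name (to be ignored), the server-observed IP address and optional reverse-DNS name inside the parentheses, applies the one-hop versus second-entry heuristic, and answers the "inside my company or external?" question by assuming in-house machines use RFC 1918 addresses; both header samples are constructed, modelled on Figure 1.

```python
import re
import ipaddress
from email import message_from_string

# Constructed samples modelled on Figure 1 (names and addresses invented; the blank
# addressee after "for" is kept). SINGLE_HOP is the figure's case; TWO_HOP adds a relay.
SINGLE_HOP = """Received: from techtreaser.net ([10.10.8.112])
\tby lodestone.techtreaser.net with ESMTP id HAA19820
\tfor ; Fri, 5 Mar 2005 04:40:22 -0500
"""
TWO_HOP = """Received: from mail.partner.example ([203.0.113.5])
\tby lodestone.techtreaser.net with ESMTP id HAA19821; Fri, 5 Mar 2005 04:41:02 -0500
Received: from pc-42 (pc-42.partner.example [192.168.4.7])
\tby mail.partner.example with SMTP id ABC123; Fri, 5 Mar 2005 04:40:40 -0500
"""

# "from <claimed> (<comment>)": <claimed> is the sender's own (untrusted) story; the comment is what the receiving server saw.
FROM_RE = re.compile(r"\bfrom\s+(?P<claimed>\S+)\s*\((?P<comment>[^)]*)\)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)
# Assumption: the company's own machines live in RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_received(raw_message):
    """One dict per Received: line, topmost (added last, by our own server) first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        value = re.sub(r"\r?\n[ \t]+", " ", str(value))  # unfold continuation lines
        m = FROM_RE.search(value)
        if not m:
            continue
        comment, by_m = m.group("comment"), BY_RE.search(value)
        ip_m = IP_RE.search(comment)
        hops.append({
            "claimed": m.group("claimed"),                            # sender-supplied
            "ip": ip_m.group("ip") if ip_m else None,                 # server-observed
            "rdns": (comment[:ip_m.start()] if ip_m else comment).strip() or None,
            "by": by_m.group("by") if by_m else None,
        })
    return hops

def likely_source(hops):
    """Article's heuristic: one Received: line means the origin delivered straight to
    us; with several, the topmost hop is probably a relay, so use the second one."""
    return hops[min(1, len(hops) - 1)] if hops else None

def is_internal(ip):
    """True when the observed address is in RFC 1918 space (assumed to be in-house)."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)
```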

Two tools are needed to discover and verify the name of this machine and the owner of its domain: nslookup (host, on some operating systems) and whois. Both nslookup and host provide DNS lookups against hostnames or IP addresses. Figure 2 shows an example of nslookup:

Figure 2 Use of nslookup

c:\> nslookup 10.10.8.112
Server:   Name of your mail server
Address:  IP Address

Name:     Name of sender's mail server
Address:  IP Address