How To Read Email Headers And Find Internet Hosts
Now some of you may think that headers are too simple or boring to waste time on. However, a few weeks ago I asked the 3000+ readers of the Happy Hacker list if anyone could tell me exactly what email tricks I was playing in the process of mailing out the Digests. But not one person replied with a complete answer -- or even 75% of the answer -- or even suspected that for months almost all Happy Hacker mailings have doubled as protests. The targets: ISPs offering download sites for email bomber programs. Conclusion: it is time to talk headers!

In this Guide we will learn:

what is a header
why headers are fun
how to see full headers
what all that stuff in your headers means
how to get the names of Internet host computers from your headers
the foundation for understanding the forging of email and Usenet posts, catching the people who forge headers, and the theory behind those email bomber programs that can bring an entire Internet Service Provider (ISP) to its knees

This is a Guide you can make at least some use of without getting a shell account or installing some form of Unix on your home computer. All you need is to be able to send and receive email, and you are in business. However, if you do have a shell account, you can do much more with deciphering headers. Viva Unix!


Headers may sound like a boring topic. Heck, the Eudora email program named the button you click to read full headers "blah blah blah." But all those guys who tell you headers are boring are either ignorant -- or else afraid you'll open a wonderful chest full of hacker insights. Yes, every email header you check out has the potential to unearth a treasure hidden in some back alley of the Internet.

Now headers may seem simple enough to be a topic for one of our Beginners' Series Guides. But when I went to look up the topic of headers in my library of manuals, I was shocked to find that most of them don't even cover the topic. The two I found that did cover headers said almost nothing about them. Even the relevant RFC 822 is pretty vague. If any of you supervigilant readers looking for flame bait happen to know of any literature that *does* cover headers in detail, please include that information in your tirades!

Lacking much help from manuals, and finding that RFC 822 didn't answer all my questions, the main way I researched this article was to send email back and forth among some of my accounts, trying out many variations in order to see what kinds of headers they generated. Hey, that's how real hackers are supposed to figure out stuff when RTFM (read the fine manual) or RTFRFC (read the fine RFC) doesn't tell us as much as we want to know. Right?

One last thing. People have pointed out to me that every time I put an email address or domain name in a Guide to (mostly) Harmless Hacking, a zillion newbies launch botched hacking attacks against these. All email addresses and domain names below have been fubarred.

Newbie note: The verb "to fubar" means to obscure email addresses and Internet host addresses by changing them. Ancient tradition holds that it is best to do so by substituting "foobar" or "fubar" for part of the address.
WHAT ARE HEADERS?

If you are new to hacking, the headers you are used to seeing may be incomplete. Chances are that when you get email it looks something like this:

From: Cool Guy<coolguy@ifi.foobar.no>
Date: Fri, 1 March 2002
To: hacker@techbroker.com

But if you know the right command, suddenly, with this same email message, we are looking at tons and tons of stuff:

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for techbr@fooway.net id OAA07210; Fri, 1 March 2002
Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for <hacker@techbroker.com> id OAA18967; Fri, 1 March 2002
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id <UAA24351@ifi.foobar.no> for <hacker@techbroker.com> ; Fri, 1 March 2002
From: Vegbar Fubar <fooha@ifi.foobar.no>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 1 March 2002
Date: Fri, 1 March 2002
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
To: hacker@techbroker.com
Hey, have you ever wondered why all that stuff is there and what it means? We'll return to this example later in this tutorial. But first we must consider the burning question of the day:

WHY ARE HEADERS FUN?
Why bother with those "fucking" headers? They are boring, right? Wrong!

1) Ever hear a wannabe hacker complaining he or she doesn't have the addresses of any good computers to explore? Have you ever used one of those IP scanner programs that find valid Internet Protocol addresses of Internet hosts for you? Well, you can find gazillions of valid addresses without the crutch of one of these programs simply by reading the headers of emails.

2) Ever wonder who really mailed that "Make Money Fast" spam? Or who is that klutz who email bombed you? The first step to learning how to spot email forgeries and spot the culprit is to be able to read headers.

3) Want to learn how to convincingly forge email? Do you aspire to write automatic spam or email bomber programs? (I disapprove of spammer and email bomb programs, but let's be honest about the kinds of knowledge their creators must draw upon.) The first step is to understand headers.

4) Want to attack someone's computer? Find out where best to attack from the headers of their email. I disapprove of this use, too. But I'm dedicated to telling you the truth about hacking, so like it or not, here it is.


HOW CAN YOU SEE FULL HEADERS?

So you look at the headers of your email and it doesn't appear to have any good stuff whatsoever. Want to see all the hidden stuff? The way you do this depends on what email program you are using.

The most popular email program today is Eudora. To see full headers in Eudora, just click the "blah, blah, blah" button on the far left end of the tool bar.

The Netscape web browser includes an email reader. To see full headers, click on Options, then click the "Show All Headers" item.

Sorry, I haven't looked into how to do that with Internet Explorer. Oh, no, I can see the flames coming, how dare I not learn the ins and outs of IE mail! But, seriously, IE is a dangerously insecure Web browser because it is actually a Windows shell. So no matter how often Microsoft patches its security flaws, chances are you will be hurt by it one of these days. Just say "no" to IE.

Another popular email program is Pegasus. Maybe there is an easy way to see full headers in Pegasus, but I haven't found it. The hard way to see full headers in Pegasus -- or IE -- or any email program -- is to open your mail folders with Wordpad. It is included in the Windows 95 operating system and is the best Windows editing program I have found for handling documents with lots of embedded control characters and other oddities.

The Compuserve 3.01 email program automatically shows full headers. Bravo, Compuserve!
WHAT DOES ALL THAT STUFF IN YOUR HEADERS MEAN?

We'll start by taking a look at a mildly interesting full header. Then we'll examine two headers that reveal some interesting shenanigans. Finally we will look at a forged header.

OK, let us return to that fairly ordinary full header we looked at above. We will decipher it piece by piece. First we look at the simple version:

From: Cool Guy<coolguy@ifi.foobar.no>
Date: Fri, 1 March 2002
To: hacker@techbroker.com

The information within any header consists of a series of fields separated from each other by a "newline" character. Each field consists of two parts: a field name, which includes no spaces and is terminated by a colon; and the contents of the field. In this case the only fields that show are "From:," "Date:," and "To:".

In every header there are two classes of fields: the "envelope," which contains only the sender and recipient fields; and everything else, which is information specific to the handling of the message. In this case the only field that shows which gives information on the handling of the message is the Date field.

When we expand to a full header, we are able to see all the fields of the header. We will now go through this information line by line.
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for techbr@fooway.net id OAA07210; Fri, 1 March 2002

This line tells us that I downloaded this email from the POP server at a computer named o200.fooway.net. This was done on behalf of my account with the email address techbr@fooway.net. The (950413.SGI.8.6.12/951211.SGI) part identifies the software name and version running that POP server.

Newbie note: POP stands for Post Office Protocol. Your POP server is the computer that holds your email until you want to read it. Usually the email program on your home computer or shell account computer will connect to port 110 on your POP server to get your email. A similar, but more general protocol is IMAP, for Interactive Mail Access Protocol. Trust me, you will be a big hit at parties if you can hold forth on the differences between POP and IMAP, you big hunk of a hacker, you! (Hint: for more info, RTFRFCs.)
Now we examine the second line of the header:

Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for <hacker@techbroker.com> id OAA18967; Fri, 1 March 2002

Well, gee, I didn't promise that this header would be *totally* ordinary. This line tells us that a computer named ifi.foobar.no passed this email to the POP server on o200.fooway.net for someone with the email address of hacker@techbroker.com. This is because I am piping all email to hacker@techbroker.com into the account techbr@fooway.net. Under Unix this is done by setting up a file in your home directory named ".forward" with the address to which you want your email sent. Now there is a lot more behind this, but I'm not telling you. Heh, heh. Can any of you evil geniuses out there figure out the whole story?

"ESMTP" stands for "extended simple mail transfer protocol." The "950413.SGI.8.6.12/951211.SGI" designates the program that is handling my email.

Now for the next line in the header:

Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id <UAA24351@ifi.foobar.no> for <hacker@techbroker.com> ; Fri, 1 March 2002
This line tells us that the computer ifi.foobar.no got this email message from the computer gyllir.ifi.foobar.no. These two computers appear to be on the same LAN. In fact, note something interesting. The computer name gyllir.ifi.foobar.no has a number after it, 129.xxx.64.230. This is the numerical representation of its name. (I substituted ".xxx." for three numbers in order to fubar the IP address.) But the computer ifi.foobar.no didn't have a number after its name. How come?

Now if you are working with Windows 95 or a Mac you probably can't figure out this little mystery. But trust me, hacking is all about noticing these little mysteries and probing them (until you find something to break, muhahaha -- only kidding, OK?)

But since I am trying to be a real hacker, I go to my trusty Unix shell account and give the command:

>nslookup ifi.foobar.no
Server: Fubarino.com
Address: 198.6.71.10

Non-authoritative answer:
Name: ifi.foobar.no
Address: 129.xxx.64.2

Notice the different numerical IP addresses between ifi.foobar.no and gyllir.ifi.foobar.no. Hmmm, I begin to think that the domain ifi.foobar.no may be a pretty big deal. Probing around with dig and traceroute leads me to discover lots more computers in that domain. Probing with nslookup in the mode "set type=any" tells me yet more.
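The field structure described above (name, colon, contents, with continuation lines folded under a leading tab or space) and the Received: lines we just walked through can be handled by a small parser. The following Python is an added example, not code from the Guide or from any mail program it mentions. It takes the Guide's own full header (re-folded the way an MTA writes it) as constructed input, unfolds it, splits every field, then reads the Received: lines bottom-up to list the hosts the message passed through. It also records what the receiving machine observed in parentheses after "from" (reverse-lookup name and bracketed IP) so that a hop whose claimed name disagrees with what the receiver saw can be flagged; a second constructed sample using hypothetical example.com/example.net hosts and the documentation address 203.0.113.5 shows that check firing.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the full header quoted in the Guide above, folded the way
# an MTA writes it (continuation lines start with a tab or space, per RFC 822).
SAMPLE_HEADER = """\
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
\tfor techbr@fooway.net id OAA07210; Fri, 1 March 2002
Received: from ifi.foobar.no by o200.fooway.net via ESMTP
\t(950413.SGI.8.6.12/951211.SGI) for <hacker@techbroker.com> id OAA18967;
\tFri, 1 March 2002
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230])
\tby ifi.foobar.no with ESMTP (8.6.11/ifi2.4)
\tid <UAA24351@ifi.foobar.no> for <hacker@techbroker.com> ; Fri, 1 March 2002
From: Vegbar Fubar <fooha@ifi.foobar.no>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 1 March 2002
Date: Fri, 1 March 2002
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
To: hacker@techbroker.com
"""

# Constructed sample with hypothetical hosts (documentation address 203.0.113.5):
# the relay claims to be mail.example.com, but the receiving MTA recorded a
# different name in parentheses, which is the first sign of a forged hop.
FORGED_SAMPLE = """\
Received: from mail.example.com (unknown-host.example.net [203.0.113.5])
\tby mx.example.org with ESMTP id ABC123; Fri, 1 March 2002
Received: from localhost (user@localhost) by mail.example.com; Fri, 1 March 2002
From: Someone <someone@example.com>
To: hacker@techbroker.com
"""

RECEIVED_CLAUSE = re.compile(r"\b(from|by|via|with|id|for)\s+(\S+)")
IP_IN_BRACKETS = re.compile(r"\[([0-9x.]+)\]")          # x allowed: the Guide fubars IPs
OBSERVED_NAME = re.compile(r"\bfrom\s+\S+\s+\((?:[^\s@()]+@)?([^\s\[\]()]+)")


def unfold(raw: str) -> List[str]:
    """Join continuation lines (leading tab/space) onto the field line they belong to."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return [ln for ln in lines if ln]


def parse_fields(raw: str) -> List[Tuple[str, str]]:
    """Split each unfolded line into (field name, contents) at the first colon.
    A list rather than a dict, because Received: appears once per hop."""
    fields = []
    for line in unfold(raw):
        name, sep, value = line.partition(":")
        if not sep or " " in name:          # field names contain no spaces
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name, value.strip()))
    return fields


def parse_received(value: str) -> Dict[str, str]:
    """Break one Received: field into its clauses; the date follows the ';'."""
    body, _, date = value.partition(";")
    hop = {"date": date.strip()}
    for clause, token in RECEIVED_CLAUSE.findall(body):
        hop.setdefault(clause, token.strip("<>"))
    if (m := IP_IN_BRACKETS.search(body)):
        hop["peer_ip"] = m.group(1)          # what the receiver saw on the wire
    if (m := OBSERVED_NAME.search(body)):
        hop["observed"] = m.group(1)         # receiver's lookup of that peer
    return hop


def received_chain(raw: str) -> List[Dict[str, str]]:
    """Each MTA prepends its Received: line, so reversing gives origin-first order."""
    hops = [parse_received(v) for n, v in parse_fields(raw) if n.lower() == "received"]
    hops.reverse()
    return hops


def hosts_in_header(raw: str) -> List[str]:
    """Every host named in the Received chain, origin first, without duplicates."""
    seen: List[str] = []
    for hop in received_chain(raw):
        for key in ("from", "by"):
            host = hop.get(key)
            if host and host not in seen:
                seen.append(host)
    return seen


def suspicious_hops(raw: str) -> List[Dict[str, str]]:
    """Hops where the sender's claimed name differs from what the receiver observed."""
    return [h for h in received_chain(raw)
            if "observed" in h and h["observed"].lower() != h["from"].lower()]


def describe(raw: str) -> List[str]:
    """One human-readable line per hop, origin first."""
    return [f"hop {n}: {h.get('from', '?')} -> {h.get('by', '?')}"
            f" ip={h.get('peer_ip', 'n/a')} id={h.get('id', 'n/a')}"
            for n, h in enumerate(received_chain(raw), 1)]


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_HEADER)))
    print("hosts:", hosts_in_header(SAMPLE_HEADER))
    print("flagged:", [h["from"] for h in suspicious_hops(FORGED_SAMPLE)])
```

Reading the chain bottom-up is the point of the exercise: the first Received: line you see at the top of a message is the one your own server wrote, and the one at the bottom is the closest thing to the origin. Only the parenthesised part after "from" is written by the receiving machine; everything else in that clause is what the sender asserted, which is why the mismatch check compares the two.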
Author: Tabish Ali Rizvi (tab_here@hotmail.com)
Nick: Neo

UNKNOWN COMPILATION
