
By Rahil Shah 100820131043

What is Email?
Email is one of the most commonly used and preferred modes of communication. It is used to transfer important business documents, share moments of joy and sorrow, forward meaningless junk to friends, play pranks, and even close cross-continental business deals, all within a matter of seconds.

Adverse effects on Email

Email cracking is a grave concern as dependence on email increases. Although the use of email keeps growing, awareness of its risks, threats and vulnerabilities remains poor. Security is the main concern nowadays.

Email Hacking
1. Tracing of Emails
2. Email Forging
3. Extended Simple Mail Transfer Protocol (ESMTP)
4. The Post Office Protocol (POP)
5. SPAM
6. Cracking Email Accounts
7. Securing Email

Email Hacking : Tracing of Email


Email communication is governed by two different protocols:
SMTP (Simple Mail Transfer Protocol, port 25)
POP (Post Office Protocol, port 110)

The SMTP protocol is used to send emails, while the POP protocol is used to receive them.

Travelling of an Email

Sender Outbox -> Source Mail Server -> Interim Mail Servers -> Destination Mail Server -> Destination Inbox

Email Headers
Email headers are the most essential part of email hacking. They are generated automatically and embedded into a message both when it is composed and as it is transferred between systems.

Together they record the exact path the email has taken.

A typical email header looks like this:

From: Media Temple user (mt.kb.user@gmail.com)
Subject: article: How to Trace a Email
Date: January 25, 2011 3:30:58 PM PDT
To: user@example.com
Return-Path: <mt.kb.user@gmail.com>
Envelope-To: user@example.com
Delivery-Date: Tue, 25 Jan 2011 15:31:01 -0700
Received: from po-out-1718.google.com ([72.14.252.155]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <mt.kb.user@gmail.com>) id 1KDoNH-0000f0-RL for user@example.com; Tue, 25 Jan 2011 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <user@example.com>; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.141.116.17 with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by 10.140.188.3 with HTTP; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; bh=+JqkmVt+sHDFIGX5jKp3oP18LQf10VQjAmZAKl1lspY=; b=F87jySDZnMayyitVxLdHcQNL073DytKRyrRh84GNsI24IRNakn0oOfrC2luliNvdea LGTk3adIrzt+N96GyMseWz8T9xE6O/sAI16db48q4Iqkd7uOiDvFsvS3CUQlNhybNw8m CH/o8eELTN0zbSbn5Trp0dkRYXhMX8FTAwrH0=
Domainkey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type; b=wkbBj0M8NCUlboI6idKooejg0sL2ms7fDPe1tHUkR9Ht0qr5lAJX4q9PMVJeyjWalH 36n4qGLtC2euBJY070bVra8IBB9FeDEW9C35BC1vuPT5XyucCm0hulbE86+uiUTXCkaB 6ykquzQGCer7xPAcMJqVfXDkHo3H61HM9oCQM=
Message-Id: <c8f49cec0807011530k11196ad4p7cb4b9420f2ae752@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_3927_12044027.1214951458678"
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
X-Spam-Level: ***

From:
This displays who the message is from; however, it can be easily forged and is the least reliable field.

Subject:
This is what the sender placed as a topic of the email content.

Date:
This shows the date and time the email message was composed.

To:
This shows to whom the message was addressed, but may not contain the recipient's address.

Return-Path:
The email address for return mail. This is the same as "Reply-To:".

Received:
These lines list every server/computer the message passed through on its way to you. Each server adds its own Received: line at the top, so the list is read from the bottom up to follow the message from the source mail server to the destination mail server.
For example,

Received: (from root@localhost) by lists.Stanford.EDU (8.12.10/8.12.10) id iAO9gXht000364 for movieleesout5741627; Tue, 28 Sept 2012 01:42:33 +0530 (IST)
Received: from smtp2.Stanford.EDU (smtp2.Stanford.EDU [171.67.16.125]) by lists.Stanford.EDU (8.12.10/8.12.10) with ESMTP id iAO9gVNK000358 for movielees@lists.stanford.edu; Tue, 28 Sept 2012 01:42:32 +0530 (IST)
Received: from CPQ20500143191.stanford.edu (whoopilaptop.Stanford.EDU [128.12.18.34]) by <smtp2.Stanford.EDU movielees@lists.stanford.edu>; Tue, 28 Sept 2012 01:42:31 +0530 (IST)

Message-ID:
A unique string assigned by the mail system when the message is first created. These can easily be forged.
For example, Message-ID: <Law11-OE7a01tpQrQp0000614e@hotmail.com>

Here, OE7a01tpQrQp0000614e is the reference number assigned by the originating mail system (hotmail.com).

Mime-Version:
Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of email. MIME defines mechanisms for sending other kinds of information in email: text in languages other than English using character encodings other than ASCII, and 8-bit binary content such as files containing images, sounds, movies, and computer programs. For example, MIME-Version: 1.0

Content-Type:
This header indicates the Internet media type of the message content, consisting of a type and a subtype, for example Content-Type: text/plain

X-Mailer:
It shows which email client was used to compose the message.
For example, X-Mailer: Microsoft Outlook Express 5.00.2600.0000

To trace an email, first look for the X-Originating-IP: header. If it is not present, use the last (bottom-most) Received: line of the header, which records the first hop and contains the sender's IP address. Only the Received: lines added by servers you trust are reliable: a sender can place forged ones beneath them. For example, Received: from CPQ20500143191.stanford.edu (whoopilaptop.Stanford.EDU [128.12.18.34]) by <smtp2.Stanford.EDU movielees@lists.stanford.edu>; Tue, 28 Sept 2012 01:42:31 +0530 (IST)
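The bottom-up reading of Received: lines and the X-Originating-IP rule described above, as an added Python example that is not part of the original slides: it unfolds the headers with the standard-library email parser, orders the hops from first to last, and returns the address the rule points to. The message is a constructed sample modelled on the Stanford chain; its queue ids, the simplified third hop and the 203.0.113.7 address used in the test are assumptions.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture), modelled on the Stanford chain in
# the slides; hostnames, queue ids and addresses are illustrative only.
RAW_MESSAGE = "\n".join([
    "Received: (from root@localhost) by lists.Stanford.EDU (8.12.10/8.12.10)"
    " id iAO9gXht000364 for movieleesout5741627; Tue, 28 Sep 2012 01:42:33 +0530 (IST)",
    "Received: from smtp2.Stanford.EDU (smtp2.Stanford.EDU [171.67.16.125])"
    " by lists.Stanford.EDU (8.12.10/8.12.10) with ESMTP id iAO9gVNK000358"
    " for movielees@lists.stanford.edu; Tue, 28 Sep 2012 01:42:32 +0530 (IST)",
    "Received: from CPQ20500143191.stanford.edu (whoopilaptop.Stanford.EDU [128.12.18.34])"
    " by smtp2.Stanford.EDU with ESMTP id iAO9gTxx000351"
    " for movielees@lists.stanford.edu; Tue, 28 Sep 2012 01:42:31 +0530 (IST)",
    "From: someone@example.com",
    "To: movielees@lists.stanford.edu",
    "Subject: constructed sample",
    "",
    "body",
])

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)  # host that handed the mail over
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)     # server that wrote this line

def parse_hops(raw):
    """Return Received: hops in transit order: first hop (nearest the sender) to last."""
    received = message_from_string(raw).get_all("Received", [])
    hops = []
    for value in reversed(received):          # bottom-most header was written first
        flat = " ".join(value.split())         # unfold continuation lines
        frm, by = FROM_RE.search(flat), BY_RE.search(flat)
        bracketed = re.search(r"\[(" + IPV4_RE.pattern + r")\]", flat)
        hops.append({"from": frm.group(1) if frm else None,  # None: injected locally
                     "by": by.group(1) if by else None,
                     "ip": bracketed.group(1) if bracketed else None})
    return hops

def origin_ip(raw):
    """Slides' rule: X-Originating-IP if present, else the IP in the first hop.
    Only hops recorded by servers you trust are reliable; a sender can forge
    Received: lines beneath them, so stop at your own server's line in practice."""
    m = IPV4_RE.search(message_from_string(raw).get("X-Originating-IP", ""))
    if m:
        return m.group(0)
    for hop in parse_hops(raw):
        if hop["ip"]:
            return hop["ip"]
    return None
```

Calling parse_hops(RAW_MESSAGE) yields the three hops with the whoopilaptop host first, and origin_ip(RAW_MESSAGE) returns 128.12.18.34, the address the slides point to.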

Typically, when tracing a source IP address on the internet, one should try to find out not only the ISP behind the source address but also geographical information (continent, country, city, etc.) about the attacker. Techniques:
1. Reverse DNS lookup
2. WHOIS
3. Visual tracing tools

Reverse DNS lookup

Every IP address on the internet has a corresponding hostname associated with it. This technique converts the suspect IP address into its corresponding hostname.

The utility available for reverse DNS lookup is nslookup, for example nslookup 128.12.18.34

WHOIS
WHOIS is a worldwide database maintained by the various domain registration companies, listing the domains registered through that company or in that country. One can retrieve information about a particular IP address or domain name. For example, a WHOIS query against whois.apnic.net

Visual tracing tools available are:

1. NeoTracePro
2. VisualRoute
3. eMailTrackerPro
4. Samspade

Awareness and understanding of email threats is essential nowadays, as the popularity of email is at its peak.

References
1. Email Hacking: Even You Can Hack, by Ankit Fadia
2. http://en.wikipedia.org/wiki/MIME
3. http://kb.mediatemple.net/questions/892/Understanding+an+email+header

THANK YOU!!
