How To Read Email Headers and Find Internet Hosts
- What is a header
- Why headers are fun
- How to see full headers
- What all that stuff in your headers means
- How to get the names of Internet host computers from your headers
Newbie note: The verb "to fubar" means to obscure email addresses and Internet host addresses by changing them. Ancient tradition holds that it is best to do so by substituting "foobar" or "fubar" for part of the address.

WHAT ARE HEADERS?

If you're new to hacking, the headers you are used to seeing may be incomplete. Chances are that when you get email it looks something like this:
From: Cool Guy <email@example.com>
Date: Fri, 1 March 2002
To: firstname.lastname@example.org

But if you know the right command, suddenly, with this same email message, we are looking at tons and tons of stuff:
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for email@example.com id OAA07210; Fri, 1 March 2002
Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for <firstname.lastname@example.org> id OAA18967; Fri, 1 March 2002
Received: from gyllir.ifi.foobar.no (email@example.com [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id <UAA24351@ifi.foobar.no> for <firstname.lastname@example.org> ; Fri, 1 March 2002
From: Vegbar Fubar <email@example.com>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 1 March 2002
Date: Fri, 1 March 2002
Message-Id: <firstname.lastname@example.org>
To: email@example.com

Hey, have you ever wondered why all that stuff is there and what it means? We'll return to this example later in this tutorial. But, first we must consider the burning question of the day:

WHY ARE HEADERS FUN?

Why bother with those freaking headers? They are boring, right? Wrong!
- Ever hear a wannabe hacker complaining he or she doesn't have the addresses of any good computers to explore? Have you ever used one of those IP scanner programs that find valid Internet Protocol addresses of Internet hosts for you? Well, you can find gazillions of valid addresses without the crutch of one of these programs simply by reading the headers of emails.
- Ever wonder who really mailed that "Make Money Fast" spam? Or, who's that klutz who email bombed you? The first step to learning how to spot email forgeries and spot the culprit is to be able to read headers.
- Want to learn how to convincingly forge email? Do you aspire to write automatic spam or email bomber programs? (I disapprove of spammer and email bomb programs, but let's be honest about the kinds of knowledge their creators must draw upon). The first step is to understand headers.
- Want to attack someone's computer? Find out where best to attack from the headers of their email. I disapprove of this use, too. But, I'm dedicated to telling you the truth about hacking, so like it or not, here it is.
From: Cool Guy <firstname.lastname@example.org>
Date: Fri, 1 March 2002
To: email@example.com

The information within any header consists of a series of fields separated from each other by a "newline" character. Each field consists of two parts: a field name, which includes no spaces and is terminated by a colon; and the contents of the field. In this case, the only fields that show are "From:", "Date:", and "To:".

In every header, there are two classes of fields: the "envelope," which contains only the sender and recipient fields; and everything else, which is information specific to the handling of the message. In this case, the only field that shows which gives information on the handling of the message is the Date field. When we expand to a full header, we're able to see all the fields of the header. We'll now go through this information line by line.
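Before walking the lines by hand, here is the same job done by machine: the field structure just described (name, colon, contents, with indented continuation lines belonging to the field above) and the chain of Received: lines that the rest of this tutorial reads one by one. This is an added example written for this page, not code from the original tutorial; the sample header is constructed from the fubarred one shown above, and the names parse_fields, delivery_path, chain_breaks and hosts_seen are my own. It lists the hops oldest-first and flags any hop whose "by" host is not what the next relay says it received from, which is the first thing to check when you suspect a forged header.

```python
import re
# Constructed sample: the fubarred header from this tutorial, stored the way a mail client keeps it, with two long fields folded onto tab-indented lines.
RAW_HEADER = """\
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
\tfor email@example.com id OAA07210; Fri, 1 March 2002
Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI)
\tfor <firstname.lastname@example.org> id OAA18967; Fri, 1 March 2002
Received: from gyllir.ifi.foobar.no (email@example.com [129.xxx.64.230]) by ifi.foobar.no
\twith ESMTP (8.6.11/ifi2.4) id <UAA24351@ifi.foobar.no> for <firstname.lastname@example.org> ; Fri, 1 March 2002
From: Vegbar Fubar <email@example.com>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 1 March 2002
Date: Fri, 1 March 2002
Message-Id: <firstname.lastname@example.org>
To: email@example.com
"""
HOP_RE = {  # the clauses a Received: field is built from (";" ends a clause)
    "from": re.compile(r"\bfrom\s+([^\s;]+)"),
    "ip": re.compile(r"\[([^\]]+)\]"),
    "by": re.compile(r"\bby\s+([^\s;]+)"),
    "with": re.compile(r"\bwith\s+([^\s;]+)"),
    "id": re.compile(r"\bid\s+([^\s;]+)"),
}
def parse_fields(raw):
    """Header block -> (name, value) pairs. A field is a name with no spaces, a colon, then its contents; a line starting with whitespace continues the previous field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:  # folded continuation line
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:  # the field name ends at the first colon
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def parse_received(value):
    """One Received: value -> relay ('from'), receiving host ('by'), bracketed address, protocol, queue id and timestamp (after the last ';')."""
    hop = {k: (m.group(1).strip("<>") if (m := rx.search(value)) else None) for k, rx in HOP_RE.items()}
    hop["date"] = value.rsplit(";", 1)[1].strip() if ";" in value else None
    return hop

def delivery_path(raw):
    """Hops oldest-first. Each relay prepends its own Received: line, so the bottom one is the first relay to touch the message and the top one is your own server, the only line you can vouch for."""
    return [parse_received(v) for n, v in parse_fields(raw) if n.lower() == "received"][::-1]

def chain_breaks(hops):
    """(position, by, next_from) wherever a hop's 'by' host differs from what the next hop claims it received from: a skipped relay or a line inserted by someone other than a relay."""
    return [(i, a["by"], b["from"]) for i, (a, b) in enumerate(zip(hops, hops[1:])) if b["from"] and a["by"] != b["from"]]

def hosts_seen(raw):
    """Every host name or bracketed address the Received: chain names, the raw material for nslookup."""
    return sorted({h[k] for h in delivery_path(raw) for k in ("from", "by", "ip") if h[k]})
```

On the tutorial's header the chain is unbroken (the last hop has no "from" because it is a local redelivery on o200.fooway.net, the .forward discussed below), so chain_breaks returns an empty list.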
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for firstname.lastname@example.org id OAA07210; Fri, 1 March 2002
This line tells us that I downloaded this email from the POP server at a computer named o200.fooway.net. This was done on behalf of my account with email address of email@example.com. The (950413.SGI.8.6.12/951211.SGI) part identifies the software name and version running that POP server.
Newbie note: POP stands for Post Office Protocol. Your POP server is the computer that holds your email until you want to read it. Usually, the email program on your home computer or shell account computer will connect to port 110 on your POP server to get your email.
A similar, but more general protocol is IMAP, for Interactive Mail Access Protocol. Trust me, you'll be a big hit at parties if you can hold forth on the differences between POP and IMAP, you big hunk of a hacker, you! (Hint: for more info, RTFRFCs.)

Now, we examine the second line of the header:
Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for <firstname.lastname@example.org> id OAA18967; Fri, 1 March 2002

Well, gee, I didn't promise that this header would be *totally* ordinary. This line tells us that a computer named ifi.foobar.no passed this email to the POP server on o200.fooway.net for someone with the email address of email@example.com. This is because I am piping all email to firstname.lastname@example.org into the account email@example.com.

Under Unix this is done by setting up a file in your home directory named ".forward" with the address to which you want your email sent. Now, there's a lot more behind this, but I'm not telling you. Heh, heh. Can any of you evil geniuses out there figure out the whole story?

"ESMTP" stands for "extended simple mail transfer protocol." The "950413.SGI.8.6.12/951211.SGI" designates the program that is handling my email.

Now, for the next line in the header:
Received: from gyllir.ifi.foobar.no (firstname.lastname@example.org [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id <UAA24351@ifi.foobar.no> for <email@example.com> ; Fri, 1 March 2002

This line tells us that the computer ifi.foobar.no got this email message from the computer gyllir.ifi.foobar.no. These two computers appear to be on the same LAN. In fact, note something interesting. The computer name gyllir.ifi.foobar.no has a number after it, 129.xxx.64.230. This is the numerical representation of its name. (I substituted ".xxx." for three numbers in order to fubar the IP address.) But, the computer ifi.foobar.no didn't have a number after its name. How come?

If you're working with Windows 95 or a Mac you probably can't figure out this little mystery. But trust me, hacking is all about noticing these little mysteries and probing them (until you find something to break, muhahaha -- only kidding, OK?). But, since I'm trying to be a real hacker, I go to my trusty Unix shell account and give the command:
>nslookup ifi.foobar.no
Server: Fubarino.com
Address: 220.127.116.11
Non-authoritative answer:
Name: ifi.foobar.no
Address: 129.xxx.64.2

Notice the different numerical IP addresses between ifi.foobar.no and gyllir.ifi.foobar.no. Hmmm, I begin to think that the domain ifi.foobar.no may be a pretty big deal. Probing around with dig and traceroute leads me to discover lots more computers in that domain. Probing with nslookup in the mode "set type=any" tells me yet more.

Thanks,
Ali Tabish