Now some of you may think that headers are too simple or boring to waste
time on. However, a few weeks ago I asked the 3000+ readers of the Happy
Hacker list if anyone could tell me exactly what email tricks I was playing
in the process of mailing out the Digests. But not one person replied with a
complete answer -- or even 75% of the answer -- or even suspected that for
months almost all Happy Hacker mailings have doubled as protests. The
targets: ISPs offering download sites for email bomber programs. Conclusion:
it is time to talk headers!
In this Guide we will learn:
· what is a header
· why headers are fun
· how to see full headers
· what all that stuff in your headers means
· how to get the names of Internet host computers from your headers
· the foundation for understanding the forging of email and Usenet posts,
catching the people who forge headers, and the theory behind those email
bomber programs that can bring an entire Internet Service Provider (ISP) to
its knees
This is a Guide you can make at least some use of without getting a shell
account or installing some form of Unix on your home computer. All you need
is to be able to send and receive email, and you are in business. However,
if you do have a shell account, you can do much more with deciphering
headers. Viva Unix!
Headers may sound like a boring topic. Heck, the Eudora email program named
the button you click to read full headers "blah blah blah." But all those
guys who tell you headers are boring are either ignorant -- or else afraid
you'll open a wonderful chest full of hacker insights. Yes, every email
header you check out has the potential to unearth a treasure hidden in some
back alley of the Internet.
Now headers may seem simple enough to be a topic for one of our Beginners'
Series Guides. But when I went to look up the topic of headers in my library
of manuals, I was shocked to find that most of them don't even cover the
topic. The two I found that did cover headers said almost nothing about
them. Even the relevant RFC 822 is pretty vague. If any of you
super-vigilant readers looking for flame bait happen to know of any
literature that *does* cover headers in detail, please include that
information in your tirades!
*********************************************
Technical tip: Information relevant to headers may be extracted from
Requests for Comments (RFCs) 822 (the message format, including the Received:
field; best), 821 (SMTP, the protocol whose servers add those Received: lines),
1123 (host requirements, which updates both), 1521 (MIME), 1869 (ESMTP) and
1891 (delivery status notifications) (not a complete list). To read them, take
your Web browser to http://altavista.digital.com and search for "RFC 822" etc.
*********************************************
Lacking much help from manuals, and finding that RFC 822 didn't answer all
my questions, the main way I researched this article was to send email back
and forth among some of my accounts, trying out many variations in order to
see what kinds of headers they generated. Hey, that's how real hackers are
supposed to figure out stuff when RTFM (read the fine manual) or RTFRFC
(read the fine RFC) doesn't tell us as much as we want to know. Right?
One last thing. People have pointed out to me that every time I put an email
address or domain name in a Guide to (mostly) Harmless Hacking, a zillion
newbies launch botched hacking attacks against these. All email addresses
and domain names below have been fubarred.
************************************************
Newbie note: The verb "to fubar" means to obscure email addresses and
Internet host addresses by changing them. Ancient tradition holds that it is
best to do so by substituting "foobar" or "fubar" for part of the address.
************************************************
WHAT ARE HEADERS?
If you are new to hacking, the headers you are used to seeing may be
incomplete. Chances are that when you get email it looks something like this:
From: Vegbar Fubar <fooha@ifi.foobar.no>
Date: Fri, 11 Apr 1997 18:09:53 GMT
To: hacker@techbroker.com
But if you know the right command, suddenly, with this same email message,
we are looking at tons and tons of stuff:
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400
Received: from ifi.foobar.no by o200.fooway.net via ESMTP
(950413.SGI.8.6.12/951211.SGI)
for <hacker@techbroker.com> id OAA18967; Fri, 11 Apr 1997 14:09:58 -0400
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no
[129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4)
id <UAA24351@ifi.foobar.no> for <hacker@techbroker.com> ; Fri, 11 Apr 1997
20:09:56 +0200
From: Vegbar Fubar <fooha@ifi.foobar.no>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri,
11 Apr 1997 18:09:53 GMT
Date: Fri, 11 Apr 1997 18:09:53 GMT
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
To: hacker@techbroker.com
Hey, have you ever wondered why all that stuff is there and what it means?
We'll return to this example later in this tutorial. But first we must
consider the burning question of the day:
WHY ARE HEADERS FUN?
Why bother with those "blah blah blah" headers? They are boring, right? Wrong!
1) Ever hear a wannabe hacker complaining he or she doesn't have the
addresses of any good computers to explore? Have you ever used one of those
IP scanner programs that find valid Internet Protocol addresses of Internet
hosts for you? Well, you can find gazillions of valid addresses without the
crutch of one of these programs simply by reading the headers of emails.
2) Ever wonder who really mailed that "Make Money Fast" spam? Or who is that
klutz who email bombed you? The first step to learning how to spot email
forgeries and spot the culprit is to be able to read headers.
3) Want to learn how to convincingly forge email? Do you aspire to write
automatic spam or email bomber programs? (I disapprove of spammer and email
bomb programs, but let's be honest about the kinds of knowledge their
creators must draw upon.) The first step is to understand headers.
4) Want to attack someone's computer? Find out where best to attack from the
headers of their email. I disapprove of this use, too. But I'm dedicated to
telling you the truth about hacking, so like it or not, here it is.
HOW CAN YOU SEE FULL HEADERS?
So you look at the headers of your email and it doesn't appear to have any good
stuff whatsoever. Want to see all the hidden stuff? The way you do this
depends on what email program you are using.
The most popular email program today is Eudora. To see full headers in
Eudora, just click the "blah, blah, blah" button on the far left end of the
tool bar.
The Netscape web browser includes an email reader. To see full headers,
click on Options, then click the "Show All Headers" item.
Sorry, I haven't looked into how to do that with Internet Explorer. Oh, no,
I can see the flames coming, how dare I not learn the ins and outs of IE
mail! But, seriously, IE is a dangerously insecure Web browser because it is
actually a Windows shell. So no matter how often Microsoft patches its
security flaws, chances are you will be hurt by it one of these days. Just
say "no" to IE.
Another popular email program is Pegasus. Maybe there is an easy way to see
full headers in Pegasus, but I haven't found it. The hard way to see full
headers in Pegasus -- or IE -- or any email program -- is to open your mail
folders with Wordpad. It is included in the Windows 95 operating system and
is the best Windows editing program I have found for handling documents with
lots of embedded control characters and other oddities.
The Compuserve 3.01 email program automatically shows full headers. Bravo,
Compuserve!
Pine is the most popular email program used with Unix shell accounts. Since
in order to be a real hacker you will sooner or later be using Unix, now may
be a great time to start using Pine.
*************************************************
Newbie note: Pine is a backronym. It has been glossed as "Pine Is Nearly Elm"
and, officially, "Program for Internet News & Email." It was written at the
University of Washington, starting in 1989, as a friendlier replacement for
Elm, Dave Taylor's mail reader from 1986 (which is still in use). Neither is
quite as old as the ARPAnet, the US Defense Advanced Research Projects Agency
computer network that eventually mutated into today's Internet, but both come
from the era when everyone read mail in a terminal.
*************************************************
If you have never used Pine before, you may find it isn't as easy to use as
those glitzy Windows email programs. But aside from its amazing powers,
there is a really good reason to learn to compose email in Pine: you get
practice using pico editor commands. If you want to be a real hacker, you
will be using the pico editor (or another editor that uses similar commands)
someday when you are writing programs in a Unix shell.
To bring up Pine, at the cursor in your Unix shell simply type in "pine."
In Pine, while viewing an email message, you may be able to see full headers
by simply hitting the "h" key. If this doesn't work, you will have to go
into the Setup menu to enable this command. To do this, go to the main menu
and give the command "s" for Setup. Then in the Setup menu choose "c" for
Config. On the second page of the Config menu you will see something like this:
PINE 3.91 SETUP CONFIGURATION Folder: INBOX 2 Messages
[ ] compose-rejects-unqualified-addrs
[ ] compose-sets-newsgroup-without-confirm
[ ] delete-skips-deleted
[ ] enable-aggregate-command-set
[ ] enable-alternate-editor-cmd
[ ] enable-alternate-editor-implicitly
[ ] enable-bounce-cmd
[ ] enable-flag-cmd
[X] enable-full-header-cmd
[ ] enable-incoming-folders
[ ] enable-jump-shortcut
[ ] enable-mail-check-cue
[ ] enable-suspend
[ ] enable-tab-completion
[ ] enable-unix-pipe-cmd
[ ] expanded-view-of-addressbooks
[ ] expanded-view-of-folders
[ ] expunge-without-confirm
[ ] include-attachments-in-reply
? Help E Exit Config P Prev - PrevPage
X [Set/Unset] N Next Spc NextPage W WhereIs
You first highlight the line that says "enable-full-header-cmd" and then
press the "x" key. Then give "e" to exit, saving the change. Once you have
done this, when you are reading your email you will be able to see full
headers by giving the "h" command.
Elm is another Unix email reading program. It actually gives slightly more
detailed headers than Pine, and automatically shows full headers.
WHAT DOES ALL THAT STUFF IN YOUR HEADERS MEAN?
We'll start by taking a look at a mildly interesting full header. Then we'll
examine two headers that reveal some interesting shenanigans. Finally we
will look at a forged header.
OK, let us return to that fairly ordinary full header we looked at above. We
will decipher it piece by piece. First we look at the simple version:
From: Vegbar Fubar <fooha@ifi.foobar.no>
Date: Fri, 11 Apr 1997 18:09:53 GMT
To: hacker@techbroker.com
The information within any header consists of a series of fields, one per
line; a long field may be "folded" onto continuation lines that begin with a
space or tab. Each field consists of two parts: a field name, which includes
no spaces and is terminated by a colon; and the contents of the field. In
this case the only fields that show are "From:," "Date:," and "To:".
Here is the first thing to get straight if you ever want to understand
forgery. The From: and To: lines are part of the message, and the sending
program writes whatever it likes into them. They are *not* the "envelope." The
envelope is the sender and recipient that the sending computer gave the
receiving computer in the SMTP commands (MAIL FROM and RCPT TO); it travels
outside the message and never appears in the header at all, except where a
server chooses to record the recipient as the "for <address>" part of its
Received: line. That is how a message can say "To: hacker@techbroker.com" and
land in a completely different mailbox, and why a From: line proves nothing
by itself. The Date: line, too, is written by the sending program.
When we expand to a full header, we are able to see all the fields of the
header. We will now go through this information line by line.
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for
techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400
Every mail server that handles a message stamps a Received: line onto the top
of the header, so the top line is the most recent hop and the bottom one the
oldest. This line was written by o200.fooway.net, the last server to touch
the message, when it processed it for final delivery to techbr@fooway.net. A
Received: line with a "by" but no "from" means the message did not arrive over
the network at that step; it was handled inside that machine (here, re-addressed
by a .forward file, as the next line will show). Downloading the mail later
over POP added nothing to the header; POP only hands over what is already in
the mailbox. The (950413.SGI.8.6.12/951211.SGI) part identifies the mail
transfer program and its configuration file: 8.6.12 is a sendmail version,
evidently the build Silicon Graphics (SGI) shipped with its IRIX operating
system. The "id OAA07210" is sendmail's queue identifier, which it also writes
into its log; that is how the sysadmin of o200 would find this message later.
********************************************
Newbie note: POP stands for Post Office Protocol. Your POP server is the
computer that holds your email until you want to read it. Usually the
email program on your home computer or shell account computer will connect
to port 110 on your POP server to get your email.
A similar, but more general protocol is IMAP, the Internet Message Access
Protocol (older documents call it the Interactive Mail Access Protocol). It
listens on port 143 and lets you leave the mail on the server. Trust me, you
will be a big hit at parties if you can hold forth on the differences between
POP and IMAP, you big hunk of a hacker, you! (Hint: for more info, RTFRFCs.)
********************************************
Now we examine the second line of the header:
Received: from ifi.foobar.no by o200.fooway.net via ESMTP
(950413.SGI.8.6.12/951211.SGI) for <hacker@techbroker.com> id OAA18967; Fri,
11 Apr 1997 14:09:58 -0400
Well, gee, I didn't promise that this header would be *totally* ordinary.
This line tells us that o200.fooway.net accepted this email from a computer
named ifi.foobar.no, and that the envelope recipient at that point was
hacker@techbroker.com. This is because I am piping all email to
hacker@techbroker.com into the account techbr@fooway.net. Under Unix this is
done by setting up a file in your home directory named ".forward" with the
address to which you want your email sent. Now there is a lot more behind
this, but I'm not telling you. Heh, heh. Can any of you evil geniuses out
there figure out the whole story?
"ESMTP" stands for "Extended Simple Mail Transfer Protocol," the version of
SMTP with negotiated extensions (RFC 1869). The
"950413.SGI.8.6.12/951211.SGI" again designates the sendmail build on
o200.fooway.net that is handling my email.
Now for the next line in the header:
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no
[129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id
<UAA24351@ifi.foobar.no> for <hacker@techbroker.com> ; Fri, 11 Apr 1997
20:09:56 +0200
This line tells us that the computer ifi.foobar.no got this email message
from the computer gyllir.ifi.foobar.no. These two computers appear to be on
the same LAN. In fact, note something interesting. The computer name
gyllir.ifi.foobar.no has a number after it, 129.xxx.64.230. This is its
numerical IP address, which the receiving server ifi.foobar.no saw on the
connection and recorded itself. (I substituted ".xxx." for three numbers in
order to fubar the IP address.) The "2234@" in front of it is the result of
sendmail's ident lookup (RFC 1413): the user ID that the sending host reported
for the connection. Keep the distinction in mind: the name right after "from"
is only what the sending machine announced about itself, while the part in
parentheses is what the receiving server could check. But in the previous
line the computer ifi.foobar.no didn't have a number after its name. How
come? Simply because the sendmail on o200.fooway.net wasn't configured to
record the connecting address, so for that hop we have only the name the
sender announced.
Now if you are working with Windows 95 or a Mac you probably can't figure
out this little mystery. But trust me, hacking is all about noticing these
little mysteries and probing them (until you find something to break,
muhahaha -- only kidding, OK?)
But since I am trying to be a real hacker, I go to my trusty Unix shell
account and give the command:
>nslookup ifi.foobar.no
Server: Fubarino.com
Address: 198.6.71.10
Non-authoritative answer:
Name: ifi.foobar.no
Address: 129.xxx.64.2
Notice the different numerical IP addresses between ifi.foobar.no and
gyllir.ifi.foobar.no. Hmmm, I begin to think that the domain ifi.foobar.no
may be a pretty big deal. Probing around with dig and traceroute leads me to
discover lots more computers in that domain. Probing with nslookup in the
mode "set type=any" tells me yet more.
Say, what does that ".no" mean, anyhow? A quick look at the country code list
of the International Organization for Standardization (ISO 3166) tells me "no"
stands for Norway. Aha, it looks like Norway is an arctic land of fjords,
mountains, reindeer, and lots and lots of Internet hosts. A quick search of
the mailing list for Happy Hacker reveals that some 5% of its almost 4,000
email addresses have the .no domain. So now we know that this land of the
midnight sun is also a hotbed of hackers! Who said headers are boring?
On to the next line, which has the name and email address of the sender:
From: Vegbar Fubar <fooha@ifi.foobar.no>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri,
11 Apr 1997 18:09:53 GMT
I'm going to do some guessing here. This line says the computer
gyllir.ifi.foobar.no got this email message from Vegbar Fubar on the
computer "localhost." Now "localhost" is the name every Unix computer gives
itself on its loopback interface, address 127.0.0.1.
While in a Unix shell, try the command "telnet localhost." You'll get a
login sequence that gets you right back into your own account.
So when I see that gyllir.ifi.foobar.no got the email message from
"localhost" I assume that means the sender of this email was logged into a
shell account on gyllir.ifi.foobar.no, and that this computer runs Unix. I
quickly test this hypothesis:
> telnet gyllir.ifi.foobar.no
Trying 129.xxx.64.230...
Connected to gyllir.ifi.foobar.no.
Escape character is '^]'.
IRIX System V.4 (gyllir.ifi.foobar.no)
Now IRIX is a Unix-type operating system for Silicon Graphics Inc. (SGI)
machines, so the guess was right: gyllir is an SGI box running Unix, and the
sender was logged into it. Careful, though, about one tempting inference. The
SGI-flavored sendmail version string in this header,
(950413.SGI.8.6.12/951211.SGI), belongs to o200.fooway.net, my own ISP's
server; ifi.foobar.no stamped its line with a plain sendmail "8.6.11/ifi2.4",
which says nothing about its hardware. It was the telnet banner from gyllir,
not the header, that told us about SGI. Still, we are looking at a network of
Norwegian computers that includes at least one SGI box. We could find out just
how many with patience, scanning of neighboring IP addresses, and use of the
Unix dig and nslookup commands.
Now you don't see SGI boxes just every day on the Internet. SGI computers
are optimized for graphics and scientific computing.
So I'm really tempted to learn more about this domain. Oftentimes an ISP
will have a Web page that is found by directing your browser to its domain
name. So I try out http://ifi.foobar.no. It doesn't work, so I try
http://www.ifi.foobar.no. I get the home page for the University of Oslo
Institutt for Informatikk. The Informatikk division has strengths in
computer science and image processing. No wonder people with ifi.foobar.no
addresses get to use SGI computers.
Next I check out www.foobar.no and learn the University of Oslo has some
39,000 students. No wonder we find so many Internet host computers under the
ifi.foobar.no domain!
But let's get back to this header. The next line is pretty simple, just the
date:
Date: Fri, 11 Apr 1997 18:09:53 GMT
But now comes the most fascinating line of all in the header, the message ID:
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
The message ID is the key to tracking down forged email. Not because the ID
itself can be trusted: whoever generates it can write anything there, and a
forger will. It is the key because a genuine ID matches an entry in the log of
the computer that generated it. That is why computer criminals go to a great
deal of effort to find Internet hosts that will send their email without
leaving a usable record behind the message ID.
The first part of this ID is the date and time. 199704111809 means 1997,
April 11, 18:09 (or 6:09 PM). Some message IDs also include the seconds.
Others may leave out the "19" from the year. The 13156 is typically the
process ID of the mail program that generated the ID. It identifies a process
on that machine, not a person; but matched against the log entry written at
that moment, it leads the sysadmin to the account that ran it. The
gyllir@ifi.foobar.no part names the computer, gyllir within the domain
ifi.foobar.no, that generated the ID, so that is where the log entry lives.
Where on this computer are those records? Now Unix has many variants, so I'm
not going to promise the records will be in a file of the same name on every
Unix box. But sendmail, for example, logs every message it handles through
syslog, usually into a file named something like /var/log/maillog or
/var/log/syslog, recording the queue ID, the message ID, the envelope sender
and recipients, and the host the message came from or went to. (The directory
/usr/spool/mqueue, or /var/spool/mqueue on newer systems, holds only mail
waiting to be delivered, not a permanent record.) How long those logs are kept
is up to the sysadmin: some archive them for months in case they need to find
out who has been abusing their email system, others let them rotate away
within a week. Unfortunately, an Internet host that keeps no mail logs is
creating a potential haven for email criminals.
Now we will leave the University of Oslo and move on to a header that
hides a surprise.
Received: from NIH2WAAF (mail6.foo1.csi.com [149.xxx.183.75]) by
Fubarino.com (8.8.3/8.6.9) with ESMTP id XAA20854 for
<galfina@Fubarino.com>; Sun, 27 Apr 1997 23:07:01 GMT
Received: from CISPPP - 199.xxx.193.176 by csi.com with Microsoft SMTPSVC;
Sun, 27 Apr 1997 22:53:36 -0400
Message-Id: <2.2.16.19970428082132.2cdf544e@fubar.com>
X-Sender: cmeinel@fubar.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: galfina@Fubarino.com
From: "Carolyn P. Meinel" <cmeinel@techbroker.com>
Subject: Sample header
Date: 27 Apr 1997 22:53:37 -0400
Let's look at the first line:
Received: from NIH2WAAF (mail6.foo1.csi.com [149.xxx.183.75]) by
Fubarino.com (8.8.3/8.6.9) with ESMTP id XAA20854 for
<galfina@Fubarino.com>; Sun, 27 Apr 1997 23:07:01 GMT
This first line tells us that it was received by the email account
"galfina@Fubarino.com". That's the "for <galfina@Fubarino.com>" part. The
Internet host computer that sent the email to galfina was mail6.foo1.csi.com
[149.xxx.183.75]. This computer name is given first in a form easily (ha,
hah!) read by humans followed by the version of its name that a computer can
more easily translate into the 0's and 1's that computers understand.
"Galfina" is my user name. I chose it in order to irritate G.A.L.F. (Gray
Areas Liberation Front).
"Fubarino.com (8.8.3/8.6.9)" is the name of the computer that received the
email for my galfina account. But notice it is a very partial computer name.
All we get is a domain name and not the name of the computer from which I
download my email. We can guess that Fubarino.com is not the full name
because Fubarino is a big enough ISP to have several computers on a LAN to
serve all its users.
**************************************************
Evil genius tip: Want to find out the names of some of the computers on your
ISP's LAN? Commands that can dredge some of them up include the Unix
commands traceroute, dig, and who.
For example, I explored the Fubarino.com LAN and found free.Fubarino.com
(from the command "dig Fubarino.com"), and then dialin.Fubarino.com and
milnet.Fubarino.com (from "who", given while logged into my galfina account).
Then, using the numerical addresses the dig command gave for these
Fubarino.com computers, I was able, by checking nearby numbers, to find a
whole bunch more names of Fubarino.com computers.
**************************************************
The number after Fubarino.com is not a numerical IP address. It is the
designation of the version of the mail program it runs. We can guess from
these numbers 8.8.3/8.6.9 that it refers to the Sendmail program. But just
to make sure, we try the command "telnet Fubarino.com 25." This gives us the
answer:
220 Fubarino.com ESMTP Sendmail 8.8.3/8.6.9 ready at Mon, 28 Apr 1997
09:55:58 GMT
So from this we know Fubarino.com is running the Sendmail program.
**************************************************
Evil genius tip: Sendmail is notorious for flaws that you can use to gain
root access to a computer. So even though Fubarino.com is using a version of
sendmail that has been fixed from its most recently publicized security
holes, if you are patient a new exploit will almost certainly come out
within the next few months. The cure for this problem may possibly be to run
qmail, which so far hasn't had embarrassing problems.
**************************************************
OK, now let's look at the next "received" line in that header:
Received: from CISPPP - 199.xxx.193.176 by csi.com with Microsoft SMTPSVC;
Sun, 27 Apr 1997 22:53:36 -0400
CISPPP stands for Compuserve Information Services point to point protocol
(PPP) connection. This means that the mail was sent from a PPP connection I
set up through Compuserve. We also see that Compuserve uses the Microsoft
SMTPSVC mail program.
However, we see from the rest of the header that the sender (me) didn't use
the standard Compuserve mail interface:
Message-Id: <2.2.16.19970428082132.2cdf544e@fubaretta.com>
The number 2.2.16. was inserted by Eudora, and means I am using Eudora Pro
2.2, 16-bit version. The 19970428082132 is the time my PC's clock showed when
I sent the email, in order of year (1997), month (04), day (28) and time
(08:21:32). Notice that it does not agree with the Date: field or with the
servers' Received: stamps, which both put the message at about 22:53 Eastern
time on April 27. That alone tells you this message ID was manufactured on my
machine, not by any server.
The portion "2cdf544e@fubaretta.com" looks like the most important part, but
it is the part to be most suspicious of. Eudora built it from a token it
generated itself and the host name of the POP account I typed into its
settings. No computer at fubaretta.com ever saw this message; the Received:
lines show it went from my Compuserve PPP connection to csi.com and from there
straight to Fubarino.com.
Did you notice this message ID points at fubaretta.com rather than at
Compuserve? This is because Eudora uses the POP server I specified to build
the ID. Since Compuserve does not yet offer POP servers, I can only use Eudora
to send email over a Compuserve connection but not to receive Compuserve
email. So, heck, I can specify an arbitrary POP server when I send email over
Compuserve from Eudora. I picked the Fubaretta ISP. So there!
If I were to have done something bad with that email such as spamming,
extortion or email bombing, the sysadmin at fubaretta.com would look up that
message ID and find nothing at all. The real trail to my Compuserve account is
in the Received: line written by csi.com, which recorded the dial-up address
199.xxx.193.176 and the time, together with Compuserve's own records of who
was using that address then. The message ID only points the investigator at
the wrong ISP.
So when you read this part of the header you might think that the computer
where I pick up my email is with the Fubaretta.com ISP. But all this really
means is that I told Eudora I had a mail account at Fubaretta. If I had put a
different host name there, I would have generated a different message ID.
Did I need to have an account at Fubaretta? No. Nothing ever contacted
Fubaretta, and the mail server I sent through did not ask for a password. In
fact, I don't have an account at Fubaretta.
The rest of the header is information provided by Eudora:
X-Sender: cmeinel@fubar.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
The "X-Mailer" information tells you I was using the 16 bit version of
Windows Eudora Pro Version 2.2. Some people have asked me why I don't use
the 32 bit version (which runs on Win 95) instead of the 16 bit version.
Answer: better error handling! That's the same reason I don't normally use
Pegasus. Also, Eudora lets me get away with stuph:)
MIME (Multipurpose Internet Mail Extensions) is a standard for carrying
non-ASCII text and attachments through email, which was designed for plain
seven-bit ASCII. Those of you who got lots of garbage when I sent out GTMHH
and Digest can blame it on one MIME encoding, quoted-printable. If your email
program doesn't decode quoted-printable, you get things like "=92" (the
hexadecimal value of a byte that isn't plain ASCII) instead of the character
I tried to send. But this time I turned off the quoted-printable feature in
Eudora. So this time I hope I sent all you guys plain, friendly ASCII. Please
email me if what you got was still messed up, OK?
The "charset" parameter, here "us-ascii", tells us which character set this
email uses. Mail that originates outside the US often declares ISO-8859-1
(Latin-1) instead, as the Digest header further down does.
Now let's look at a slightly more exciting header. In fact, this is a
genuine muhahaha header. Remember that war I declared on Web sites that
provide downloads of email bombing programs? You know, those Windows 95 for
lusers programs that run from a few mouse clicks? Here's a header that
reveals my tiny contribution toward making life unpleasant for the ISPs that
distribute these programs. It's from the Happy Hacker Digest, April 12,
1997, from a copy that reached a test email address I had on the list:
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)for
techbr@fooway.net id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400
Date: Mon, 14 Apr 1997 12:05:22 -0400
Received: from mocha.icefubarnet.com by o200.fooway.net via ESMTP
(950413.SGI.8.6.12/951211.SGI) for <pettit@techbroker.com> id MAA06380; Mon,
14 Apr 1997 12:05:20 -0400
Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211]) by
mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP id AAP3428;
Mon, 14 Apr 1997 08:51:02 -0700
Message-Id: <2.2.16.19970414100122.4387d20a@mail.fooway.net>
X-Sender: techbr@mail.fooway.net (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: (Recipient list suppressed)
From: "Carolyn P. Meinel" <cmeinel@techbroker.com>
Subject: Happy Hacker Digest April 12, 1997
Now let's examine the first field:
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)for
techbr@fooway.net id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400
Date: Mon, 14 Apr 1997 12:05:22 -0400
We already looked at this computer o200.fooway.net above. But, heck, let's
probe a little more deeply. Since I suspect this is a POP server, I'm going
to telnet to port 110, which is normally the POP server port.
> telnet o200.fooway.net 110
Trying 207.xxx.192.57...
Connected to o200.fooway.net.
Escape character is '^]'.
+OK QUALCOMM Pop server derived from UCB (version 2.1.4-R3) at mail starting.
Now we know more about Fooway Technology's POP server. If you have ever run
one of those hacker "strobe" type programs that tell you what programs are
running on each port of a computer, there is really no big deal to it. They
just automate the process that we are doing here by hand. But in my humble
opinion you will learn much more by strobing ports by hand the same way I am
doing here.
Now we could do lots more strobing, but I'm getting bored. So we check out
the second field in this header:
Date: Mon, 14 Apr 1997 12:05:22 -0400
That -0400 is the time zone of the computer that wrote the stamp: its local
clock is four hours behind UTC (Greenwich time), which is US Eastern Daylight
Time. Every timestamp in a header carries its own offset, so to compare stamps
written by different servers you convert each one to UTC. Let's see the
next field in the header:
Received: from mocha.icefubarnet.com by o200.fooway.net via ESMTP
(950413.SGI.8.6.12/951211.SGI) for <hacker@techbroker.com> id MAA06380; Mon,
14 Apr 1997 12:05:20 -0400
Hmmm, why is mocha.icefubarnet.com in the header? If this header isn't
forged, it means this mail server was handling the Happy Hacker Digest
mailing. So where is mocha.icefubarnet.com located? A quick use of the whois
command tells us:
> whois icefubarnet.com
ICEFUBARNET INTERNET, INC (ICEFUBARNET-DOM)
2178 Fooway
North Bar, Oregon 97xxx
USA
So mocha is in Oregon, on Pacific Daylight Time, seven hours behind UTC, which
is why its own stamp (a couple of lines down) ends in -0700 while fooway's
ends in -0400. The offsets say nothing about each other; both are relative to
UTC. Do the conversion and the story holds together: mocha stamped the message
at 08:51:02 -0700, which is 15:51:02 UTC, and o200.fooway.net received it from
mocha at 12:05:20 -0400, which is 16:05:20 UTC, about fourteen minutes later.
A Received: line whose UTC time comes before that of the line beneath it (the
earlier hop) is a sign of a badly set clock, or of a line somebody typed in.
Next field on the header tells us:
Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211]) by
mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP id AAP3428;
Mon, 14 Apr 1997 08:51:02 -0700
This tells us that the Happy Hacker Digest was delivered to the mail server
(SMTP stands for Simple Mail Transfer Protocol) at mocha.icefubarnet.com by
Compuserve. But, and this is very important to observe, once again I did not
use the Compuserve mail system. This merely represents a PPP session I set
up with Compuserve. How can you tell? Playing with nslookup shows that the
numerical representation of my Compuserve connection isn't an Internet host.
But you can't learn much more easily because Compuserve has great security
-- one reason I use it. But take my word for it, this is another way to see
a Compuserve PPP session in a header.
Now we get to the biggie, the message ID:
Message-Id: <2.2.16.19970414100122.4387d20a@mail.fooway.net>
Whoa, how come that ID is at the computer mail.fooway.net? It's pretty
simple. In Eudora I specified my POP server as mail.fooway.net, and Eudora
builds the message ID from whatever host name sits in that setting. But if
you were to do a little strobing, you would discover that while fooway.net has
a POP server, it doesn't have an SMTP or ESMTP server. You can get mail from
Fooway, but you can't mail stuff out from Fooway. And nothing was sent to
mail.fooway.net here at all: Eudora Pro 2.2 simply wrote that name into the
message ID and handed the message to the SMTP server I had named,
mocha.icefubarnet.com.
On the message ID, the "2.2.16" was inserted by Eudora. That signifies it is
the 2.2 version for a 16 bit operating system. The 19970414100122 is again my
PC's clock when I hit send, and 4387d20a is a token Eudora made up itself.
The remaining fields of the header were all inserted by Eudora:
X-Sender: techbr@mail.fooway.net (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: (Recipient list suppressed)
From: "Carolyn P. Meinel" <cmeinel@techbroker.com>
Subject: Happy Hacker Digest April 12, 1997
Notice Eudora does let us know that techbr@mail.fooway.net is unverified as
sender; Eudora marks X-Sender that way when it has not yet logged into that
POP account during the session. And in fact, mail.fooway.net definitely is
not the sender. This is a very important fact. The message ID of an email, and
the X-Sender line, are written by the sending program and name whatever host
it was told about; neither is a record of the computer that actually sent the
mail out. Only the Received: lines written by servers you trust are that.
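To put the header-reading rules of this Guide into practice, here is an added example (not code from the original Guide, from Eudora or from sendmail) that walks the Received: chain of a header the way we just did by hand. It unfolds each line, pulls out the announced name, the address the server recorded in brackets, the receiving server, the queue id and the timestamp, converts every stamp to UTC so that -0400 and -0700 offsets can be compared directly, decodes both message-ID shapes seen in this Guide (sendmail's date.pid@host and Eudora's version.date.token@host), and reports whether the message-ID's host ever appears as a relay in the chain. The sample header is the fubarred Digest header above, so its host names and IP addresses are placeholders, not live systems. It goes one step beyond the text: it also flags any Received: line stamped earlier than the hop beneath it, the fingerprint of a badly set clock or a forged line.

```python
"""Walk a header's Received: chain and sanity-check it. Added example for this
Guide (not code from the original); SAMPLE_HEADER is built from the fubarred
Digest header above, so its host names and addresses are placeholders."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Optional

SAMPLE_HEADER = """\
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for
    techbr@fooway.net id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400
Date: Mon, 14 Apr 1997 12:05:22 -0400
Received: from mocha.icefubarnet.com by o200.fooway.net via ESMTP
    (950413.SGI.8.6.12/951211.SGI) for <hacker@techbroker.com> id MAA06380; Mon,
    14 Apr 1997 12:05:20 -0400
Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211]) by
    mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP id AAP3428;
    Mon, 14 Apr 1997 08:51:02 -0700
Message-Id: <2.2.16.19970414100122.4387d20a@mail.fooway.net>
X-Sender: techbr@mail.fooway.net (Unverified)

"""


@dataclass
class Hop:
    helo: Optional[str]      # name the sender announced after "from"
    rdns: Optional[str]      # name the receiving server looked up itself
    ip: Optional[str]        # address the receiving server saw, in brackets
    by: Optional[str]        # the server that wrote this line
    proto: Optional[str]     # SMTP / ESMTP
    queue_id: Optional[str]  # the "id ..." that also appears in that server's log
    for_addr: Optional[str]  # envelope recipient at this hop, if recorded
    stamp_utc: datetime


def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received(value: str) -> Hop:
    """Parse one Received: value after unfolding. The 'from' name is the
    sender's claim; 'by', the bracketed IP and the stamp are the server's."""
    v = re.sub(r"\s+", " ", value).strip()
    clause, _, when = v.rpartition(";")
    peer = re.search(r"\(([\w.-]+)\s+\[([^\]]+)\]\)", clause)
    return Hop(
        helo=_grab(r"^from\s+(\S+)", clause),
        rdns=peer.group(1) if peer else None,
        ip=peer.group(2) if peer else None,
        by=_grab(r"\bby\s+(\S+)", clause),
        proto=_grab(r"\b(?:with|via)\s+(\S+)", clause),
        queue_id=_grab(r"\bid\s+([^\s;]+)", clause),
        for_addr=_grab(r"\bfor\s+<?([^\s<>;]+)>?", clause),
        # every stamp carries its own UTC offset (-0400, -0700, GMT); normalise
        stamp_utc=parsedate_to_datetime(when.strip()).astimezone(timezone.utc),
    )


def parse_chain(raw_header: str) -> list:
    """Hops oldest-first. Servers prepend, so the top Received: is the newest."""
    msg = message_from_string(raw_header)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def chronology_problems(hops: list, tolerance_s: int = 300) -> list:
    """Indices of hops stamped earlier than the hop before them by more than
    tolerance_s seconds: a badly set clock, or a line somebody typed in."""
    return [i for i in range(1, len(hops))
            if (hops[i].stamp_utc - hops[i - 1].stamp_utc).total_seconds() < -tolerance_s]


def decode_message_id(msgid: str) -> dict:
    """The two ID shapes seen in this Guide. Both are made by the sender's
    software; no server downstream checks anything in them."""
    local, _, host = msgid.strip().strip("<>").rpartition("@")
    m = re.match(r"^(\d+\.\d+\.\d+)\.(\d{14})\.([0-9a-f]+)$", local)
    if m:  # Eudora: <version>.<YYYYMMDDHHMMSS>.<token>@<POP account host>
        return {"kind": "eudora", "version": m.group(1), "token": m.group(3),
                "timestamp": datetime.strptime(m.group(2), "%Y%m%d%H%M%S"), "host": host}
    m = re.match(r"^(\d{12})\.(\d+)(?:\.(\S+))?$", local)
    if m:  # sendmail-style: <YYYYMMDDHHMM>.<process id>[.<extra>]@<host>
        return {"kind": "sendmail", "pid": int(m.group(2)), "host": host,
                "timestamp": datetime.strptime(m.group(1), "%Y%m%d%H%M")}
    return {"kind": "unknown", "host": host}


def msgid_host_seen_in_chain(msgid: str, hops: list) -> bool:
    """True only if the Message-ID's host actually appears as a relay."""
    seen = {h for hop in hops for h in (hop.helo, hop.rdns, hop.by) if h}
    return decode_message_id(msgid)["host"] in seen


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_HEADER)
    for hop in chain:
        print(f"{hop.stamp_utc:%H:%M:%S} UTC  {hop.helo or '(local)':30} -> {hop.by}")
    mid = "<2.2.16.19970414100122.4387d20a@mail.fooway.net>"
    print("out of order:", chronology_problems(chain), "| msgid host relayed it:",
          msgid_host_seen_in_chain(mid, chain))
```

Run it and the three hops come out in transit order, 15:51:02, 16:05:20 and 16:05:25 UTC, with no chronology complaint, while mail.fooway.net turns out not to be any of the machines that handled the message. Feed it a header whose bottom Received: line carries a later UTC time than the one above it and chronology_problems points at the offending hop.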
So how was I able to use Icefubarnet Internet's mail server to send out the
Happy Hacker Digest? Because that server was what is called an "open relay":
it accepted mail from any computer on the Internet for delivery to any
address, not just mail from its own customers or mail addressed to its own
users. Eudora will happily use any such server you name. You may be
surprised to discover that there are uncountable Internet mail servers that
you may easily commandeer this way to send out your email -- if you have the
right program -- or if you know how to telnet to port 25 (where the SMTP or
ESMTP server listens) and give the commands to send email yourself. The cure,
which more and more ISPs are applying, is to configure the mail server to
relay only for its own users and for addresses in its own domains.
Why did I use Icefubarnet? Because at the time it was hosting an ftp site
that was being used to download email bomber programs
(http://www.icefubarnet.com/~astorm/uy4beta1.zip). Last time I checked the
owner of the account from which he was offering this ugly stuff was unhappy
because Icefubarnet Internet had made him take it down.
But -- back to how to commandeer mail servers while sending your message IDs
elsewhere. In Eudora, just specify your victim mail server under the hosts
section of the options menu (under tools). Then specify the computer to
which you want to send your message ID under "POP Server."
But if you try any of this monkey business with Pegasus, it gives a nasty
error message accusing you of trying to forge email.
Of course you can always commandeer mail servers by writing your own program
to talk to port 25. But that will be covered in the upcoming GTMHH on
shell programming.
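Here, as an added example that is not from the original Guide and not the code of any real mail server, is a toy Python model of the server side of that port-25 conversation. It answers the same handful of commands you would type after "telnet host 25" (HELO, MAIL FROM, RCPT TO, DATA, QUIT) under two policies: open_relay=True, which takes a RCPT TO for any domain from any client, as mocha.icefubarnet.com evidently did, and a restricted policy that accepts only recipients in its own domains or clients from its own networks and answers everything else with 550 Relaying denied. All host names, mail addresses and the client IP are constructed placeholders (the documentation address ranges 192.0.2.0/24 and 203.0.113.0/24).

```python
"""Toy SMTP server side, to show why an open relay can be commandeered.
Added example, not code from this Guide or from any real mail server; every
host name, address and client IP below is a constructed placeholder."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    hostname: str
    local_domains: set                                # domains we deliver for
    trusted_nets: list = field(default_factory=list)  # our own dial-up pool etc.
    open_relay: bool = False                          # True: relay for the whole Internet

    def may_relay(self, client_ip: str, rcpt: str) -> bool:
        """Local recipients are always fine; anything else only from our own
        networks, unless the server is (unwisely) an open relay."""
        domain = rcpt.rpartition("@")[2].lower()
        if domain in self.local_domains or self.open_relay:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(n) for n in self.trusted_nets)


def smtp_session(policy: RelayPolicy, client_ip: str, client_lines: list) -> list:
    """Run the handful of commands one types after 'telnet host 25'.
    Returns [(client_line, server_reply), ...], starting with the banner."""
    transcript = [("", f"220 {policy.hostname} ESMTP ready")]
    sender, rcpts, in_data, body = None, [], False, []
    for line in client_lines:
        if in_data:
            if line != ".":
                body.append(line)          # message text gets no reply
                continue
            in_data = False
            reply = f"250 Ok: queued {len(body)} lines for {len(rcpts)} recipient(s)"
        else:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply = f"250 {policy.hostname} Hello {arg} [{client_ip}]"
            elif verb == "MAIL":
                sender = arg.partition(":")[2].strip("<> ")
                reply = "250 Sender ok"    # no server verifies this address
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip("<> ")
                if sender is None:
                    reply = "503 Need MAIL command"
                elif policy.may_relay(client_ip, addr):
                    rcpts.append(addr)
                    reply = "250 Recipient ok"
                else:
                    reply = f"550 5.7.1 <{addr}>... Relaying denied"
            elif verb == "DATA":
                in_data = bool(rcpts)
                reply = ('354 Enter mail, end with "." on a line by itself'
                         if rcpts else "503 Need RCPT (recipient)")
            elif verb == "QUIT":
                reply = f"221 {policy.hostname} closing connection"
            else:
                reply = "500 Command unrecognized"
        transcript.append((line, reply))
    return transcript


# A stranger on a dial-up address asks a third party's server to carry mail
# for a fourth party's domain: the situation the Digest header above shows.
FOREIGN_CLIENT = "203.0.113.45"    # constructed; think "a CompuServe PPP address"
RELAY_ATTEMPT = [
    "HELO cmeinel",
    "MAIL FROM:<sender@example.org>",
    "RCPT TO:<victim@example.com>",
    "DATA",
    "Subject: relayed through somebody else's server",
    "",
    "hello",
    ".",
    "QUIT",
]
OPEN = RelayPolicy("mocha.example.net", {"example.net"}, open_relay=True)
CLOSED = RelayPolicy("mocha.example.net", {"example.net"}, trusted_nets=["192.0.2.0/24"])


def relay_accepted(policy: RelayPolicy) -> bool:
    """Did the foreign RCPT TO in RELAY_ATTEMPT get a 250 from this policy?"""
    for sent, got in smtp_session(policy, FOREIGN_CLIENT, RELAY_ATTEMPT):
        if sent.startswith("RCPT"):
            return got.startswith("250")
    return False


if __name__ == "__main__":
    for name, pol in (("open relay", OPEN), ("relay restricted", CLOSED)):
        print(f"--- {name}: relay accepted = {relay_accepted(pol)} ---")
        for sent, got in smtp_session(pol, FOREIGN_CLIENT, RELAY_ATTEMPT):
            print(f"C: {sent}\nS: {got}" if sent else f"S: {got}")
```

Two things in the transcript are worth noticing. The MAIL FROM line gets "250 Sender ok" under either policy, because no server in 1997 (and very few today) checks that address at all; that is why a forged From: costs nothing. The only place the server can say no is RCPT TO, and the only thing it can base the decision on is the connecting IP address and the recipient's domain, which is exactly what the restricted policy does. Note also that the restricted server keeps answering "500 Command unrecognized" to the message text that follows the refused DATA, just as a real one would if you kept typing.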
*********************************************
Newbie note: Shell programming? What the heck izzat? It means writing a
program that uses a sequence of commands available to you in your Unix
shell. If you want to be a real hacker, you *must* learn Unix! If you are
serious about continuing to study these GTMHHs, you *must* either get a
shell account or install some form of Unix on your home computer. You may
find places where you can sign up for shell accounts through
http://www.celestin.com/pocia/. Or email haxorshell@techbroker.com for
information on how to sign up with a shell account that is friendly to
hackers and that you may securely telnet into from your local ISP PPP dialup.
*********************************************