GUIDE TO (mostly) HARMLESS HACKING
Vol 3 Number 4
How to Read Email Headers and Find Internet Hosts
Warning: flamebait enclosed!
OK, OK, you 31337 haxors win. I'm finally releasing the next
in our series of Guides oriented toward the intermediate hacker.
Now some of you may think that headers are too simple or boring
to waste time on. However, a few weeks ago I asked the 3000+
readers of the Happy Hacker list if anyone could tell me exactly
what email tricks I was playing in the process of mailing out
the Digests. But not one person replied with a complete answer
-- or even 75% of the answer -- or even suspected that for months
almost all Happy Hacker mailings have doubled as protests. The
targets: ISPs offering download sites for email bomber programs.
Conclusion: it is time to talk headers!
In this Guide we will learn:
· what is a header
· why headers are fun
· how to see full headers
· what all that stuff in your headers means
· how to get the names of Internet host computers from
your headers
· the foundation for understanding the forging of email
and Usenet posts, catching the people who forge headers, and
the theory behind those email bomber programs that can bring
an entire Internet Service Provider (ISP) to its knees.
This is a Guide you can make at least some use of without
getting a shell account or installing some form of Unix on your
home computer. All you need is to be able to send and receive
email, and you are in business. However, if you do have a shell
account, you can do much more with deciphering headers. Viva
Unix!
Headers may sound like a boring topic. Heck, the Eudora email
program named the button you click to read full headers "blah
blah blah." But all those guys who tell you headers are
boring are either ignorant -- or else afraid you'll open a wonderful
chest full of hacker insights. Yes, every email header you check
out has the potential to unearth a treasure hidden in some back
alley of the Internet.
Now headers may seem simple enough to be a topic for one of
our Beginners' Series Guides. But when I went to look up the
topic of headers in my library of manuals, I was shocked to find
that most of them don't even cover the topic. The two I found
that did cover headers said almost nothing about them. Even the
relevant RFC 822 is pretty vague. If any of you super-vigilant
readers looking for flame bait happen to know of any literature
that *does* cover headers in detail, please include that information
in your tirades!
*********************************************
Technical tip: Information relevant to headers may be extracted
from Requests for Comments (RFCs) 822 (best), as well as 1042,
1123, 1521 and 1891 (not a complete list). To read them, take
your Web browser to http://altavista.digital.com and search for
"RFC 822" etc.
*********************************************
Lacking much help from manuals, and finding that RFC 822 didn't
answer all my questions, the main way I researched this article
was to send email back and forth among some of my accounts, trying
out many variations in order to see what kinds of headers they
generated. Hey, that's how real hackers are supposed to figure
out stuff when RTFM (read the fine manual) or RTFRFC (read the
fine RFC) doesn't tell us as much as we want to know. Right? One
last thing. People have pointed out to me that every time I put
an email address or domain name in a Guide to (mostly) Harmless
Hacking, a zillion newbies launch botched hacking attacks against
these. All email addresses and domain names below have been fubarred.
************************************************
Newbie note: The verb "to fubar" means to obscure email
addresses and Internet host addresses by changing them. Ancient
tradition holds that it is best to do so by substituting "foobar"
or "fubar" for part of the address.
************************************************
WHAT ARE HEADERS?
If you are new to hacking, the headers you are used to seeing
may be incomplete. Chances are that when you get email it looks
something like this:
From: Vegbar Fubar <fooha@ifi.foobar.no>
Date: Fri, 11 Apr 1997 18:09:53 GMT
To: cmeinel@techbroker.com
But if you know the right command, suddenly, with this same
email message, we are looking at tons and tons of stuff:
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06
-0400
Received: from ifi.foobar.no by o200.fooway.net via ESMTP
(950413.SGI.8.6.12/951211.SGI) for <>
id OAA18967; Fri, 11 Apr 1997 14:09:58 -0400
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no
[129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4)
id <UAA24351@ifi.foobar.no> for <>
; Fri, 11 Apr 1997 20:09:56 +0200
From: Vegbar Fubar <fooha@ifi.foobar.no>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no
; Fri, 11 Apr 1997 18:09:53 GMT
Date: Fri, 11 Apr 1997 18:09:53 GMT
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
To: cmeinel@techbroker.com
Hey, have you ever wondered why all that stuff is there and
what it means? We'll return to this example later in this tutorial.
But first we must consider the burning question of the day:
WHY ARE HEADERS FUN?
Why bother with those "blah blah blah" headers?
They are boring, right? Wrong! 1) Ever hear a wannabe hacker
complaining he or she doesn't have the addresses of any good
computers to explore? Have you ever used one of those IP scanner
programs that find valid Internet Protocol addresses of Internet
hosts for you? Well, you can find gazillions of valid addresses
without the crutch of one of these programs simply by reading
the headers of emails.
2) Ever wonder who really mailed that "Make Money Fast"
spam? Or who is that klutz who email bombed you? The first step
to learning how to spot email forgeries and spot the culprit
is to be able to read headers.
3) Want to learn how to convincingly forge email? Do you aspire
to write automatic spam or email bomber programs? (I disapprove
of spammer and email bomb programs, but let's be honest about
the kinds of knowledge their creators must draw upon.) The first
step is to understand headers.
4) Want to attack someone's computer? Find out where best to
attack from the headers of their email. I disapprove of this
use, too. But I'm dedicated to telling you the truth about hacking,
so like it or not, here it is.
HOW CAN YOU SEE FULL HEADERS?
So you look at the headers of your email and it doesn't appear
to have any good stuff whatsoever. Want to see all the hidden stuff?
The way you do this depends on what email program you are using.
The most popular email program today is Eudora. To see full headers
in Eudora, just click the "blah, blah, blah" button
on the far left end of the tool bar.
The Netscape web browser includes an email reader. To see
full headers, click on Options, then click the "Show All
Headers" item. Sorry, I haven't looked into how to do that
with Internet Explorer. Oh, no, I can see the flames coming,
how dare I not learn the ins and outs of IE mail! But, seriously,
IE is a dangerously insecure Web browser because it is actually
a Windows shell. So no matter how often Microsoft patches its
security flaws, chances are you will be hurt by it one of these
days. Just say "no" to IE.
Another popular email program is Pegasus. Maybe there is an
easy way to see full headers in Pegasus, but I haven't found
it. The hard way to see full headers in Pegasus -- or IE -- or
any email program -- is to open your mail folders with Wordpad.
It is included in the Windows 95 operating system and is the
best Windows editing program I have found for handling documents
with lots of embedded control characters and other oddities.
The Compuserve 3.01 email program automatically shows full
headers. Bravo, Compuserve!
Pine is the most popular email program used with Unix shell
accounts. Since in order to be a real hacker you will sooner
or later be using Unix, now may be a great time to start using
Pine.
*************************************************
Newbie note: Pine stands for Pine Is No longer Elm, a tribute
to the really, truly ancient Elm email program (which is still
in use). Both Pine and Elm date back to ARPAnet, the US Defense
Advanced Research Projects Agency computer network that eventually
mutated into today's Internet.
*************************************************
If you have never used Pine before, you may find it isn't
as easy to use as those glitzy Windows email programs. But aside
from its amazing powers, there is a really good reason to learn
to compose email in Pine: you get practice using pico editor
commands. If you want to be a real hacker, you will be using
the pico editor (or another editor that uses similar commands)
someday when you are writing programs in a Unix shell.
To bring up Pine, at the cursor in your Unix shell simply
type in "pine." In Pine, while viewing an email message,
you may be able to see full headers by simply hitting the "h"
key. If this doesn't work, you will have to go into the Setup
menu to enable this command. To do this, go to the main menu
and give the command "s" for Setup. Then in the Setup
menu choose "c" for Config. On the second page of the
Config menu you will see something like this:
PINE 3.91 SETUP CONFIGURATION Folder: INBOX 2 Messages
[ ] compose-rejects-unqualified-addrs
[ ] compose-sets-newsgroup-without-confirm
[ ] delete-skips-deleted
[ ] enable-aggregate-command-set
[ ] enable-alternate-editor-cmd
[ ] enable-alternate-editor-implicitly
[ ] enable-bounce-cmd
[ ] enable-flag-cmd
[X] enable-full-header-cmd
[ ] enable-incoming-folders
[ ] enable-jump-shortcut
[ ] enable-mail-check-cue
[ ] enable-suspend
[ ] enable-tab-completion
[ ] enable-unix-pipe-cmd
[ ] expanded-view-of-addressbooks
[ ] expanded-view-of-folders
[ ] expunge-without-confirm
[ ] include-attachments-in-reply
? Help E Exit Config P Prev - PrevPage
X [Set/Unset] N Next Spc NextPage W WhereIs
You first highlight the line that says "enable-full-header-cmd"
and then press the "x" key. Then give "e"
to exit, saving the change. Once you have done this, when you
are reading your email you will be able to see full headers by
giving the "h" command.
Elm is another Unix email reading program. It actually gives
slightly more detailed headers than Pine, and automatically shows
full headers.
WHAT DOES ALL THAT STUFF IN YOUR HEADERS MEAN?
We'll start by taking a look at a mildly interesting full
header. Then we'll examine two headers that reveal some interesting
shenanigans. Finally we will look at a forged header.
OK, let us return to that fairly ordinary full header we looked
at above. We will decipher it piece by piece. First we look at
the simple version:
From: Vegbar Fubar <fooha@ifi.foobar.no>
Date: Fri, 11 Apr 1997 18:09:53 GMT
To: cmeinel@techbroker.com
The information within any header consists of a series of
fields separated from each other by a "newline" character.
Each field consists of two parts: a field name, which includes
no spaces and is terminated by a colon; and the contents of the
field. In this case the only fields that show are "From:,"
"Date:," and "To:".
In every header there are two classes of fields: the "envelope,"
which contains only the sender and recipient fields; and everything
else, which is information specific to the handling of the message.
In this case the only field that shows which gives information
on the handling of the message is the Date field.
When we expand to a full header, we are able to see all the
fields of the header. We will now go through this information
line by line.
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for
techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400
This line tells us that I downloaded this email from the POP
server at a computer named o200.fooway.net. This was done on
behalf of my account with email address of techbr@fooway.net.
The (950413.SGI.8.6.12/951211.SGI) part identifies the software
name and version running that POP server.
********************************************
Newbie note: POP stands for Post Office Protocol. Your POP server
is the computer that holds your email until you want to read
it. Usually the email program on your home computer or shell
account computer will connect to port 110 on your POP server
to get your email. A similar, but more general protocol is IMAP,
for Interactive Mail Access Protocol. Trust me, you will be a
big hit at parties if you can hold forth on the differences between
POP and IMAP, you big hunk of a hacker, you! (Hint: for more
info, RTFRFCs.)
********************************************
Now we examine the second line of the header:
Received: from ifi.foobar.no by o200.fooway.net via ESMTP
(950413.SGI.8.6.12/951211.SGI) for <>
id OAA18967; Fri, 11 Apr 1997 14:09:58 -0400
Well, gee, I didn't promise that this header would be *totally*
ordinary. This line tells us that a computer named ifi.foobar.no
passed this email to the POP server on o200.fooway.net for someone
with the email address of . This is because
I am piping all email to into the account
techbr@fooway.net. Under Unix this is done by setting up a file
in your home directory named ".forward" with the address
to which you want your email sent. Now there is a lot more behind
this, but I'm not telling you. Heh, heh. Can any of you evil
geniuses out there figure out the whole story?
"ESMTP" stands for "extended simple mail transfer
protocol." The "950413.SGI.8.6.12/951211.SGI"
designates the program that is handling my email.
Now for the next line in the header:
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no
[129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4)
id <UAA24351@ifi.foobar.no> for <>
; Fri, 11 Apr 1997 20:09:56 +0200
This line tells us that the computer ifi.foobar.no got this
email message from the computer gyllir.ifi.foobar.no. These two
computers appear to be on the same LAN. In fact, note something
interesting. The computer name gyllir.ifi.foobar.no has a number
after it, 129.xxx.64.230. This is the numerical representation
of its name. (I substituted ".xxx." for three numbers
in order to fubar the IP address.) But the computer ifi.foobar.no
didn't have a number after its name. How come?
Now if you are working with Windows 95 or a Mac you probably
can't figure out this little mystery. But trust me, hacking is
all about noticing these little mysteries and probing them (until
you find something to break, muhahaha -- only kidding, OK?)
But since I am trying to be a real hacker, I go to my trusty
Unix shell account and give the command:
> nslookup ifi.foobar.no
Server: Fubarino.com
Address: 198.6.71.10
Non-authoritative answer:
Name: ifi.foobar.no
Address: 129.xxx.64.2
Notice the different numerical IP addresses between ifi.foobar.no
and gyllir.ifi.foobar.no. Hmmm, I begin to think that the domain
ifi.foobar.no may be a pretty big deal. Probing around with dig
and traceroute leads me to discover lots more computers in that
domain. Probing with nslookup in the mode "set type=any"
tells me yet more. Say, what does that ".no" mean,
anyhow? A quick look at the International Standards Organization
(ISO) records of country abbreviations, I see "no"
stands for Norway. Aha, it looks like Norway is an arctic land
of fjords, mountains, reindeer, and lots and lots of Internet
hosts. A quick search of the mailing list for Happy Hacker reveals
that some 5% of its almost 4,000 email addresses have the .no
domain. So now we know that this land of the midnight sun is
also a hotbed of hackers! Who said headers are boring?
On to the next line, which has the name and email address
of the sender:
From: Vegbar Fubar <fooha@ifi.foobar.no>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no
; Fri, 11 Apr 1997 18:09:53 GMT
I'm going to do some guessing here. This line says the computer
gyllir.ifi.foobar.no got this email message from Vegbar Fubar
on the computer "localhost." Now "localhost"
is what a Unix computer calls itself. While in a Unix shell,
try the command "telnet localhost." You'll get a login
sequence that gets you right back into your own account. So when
I see that gyllir.ifi.foobar.no got the email message from "localhost"
I assume that means the sender of this email was logged into
a shell account on gyllir.ifi.foobar.no, and that this computer
runs Unix. I quickly test this hypothesis:
> telnet gyllir.ifi.foobar.no
Trying 129.xxx.64.230...
Connected to gyllir.ifi.foobar.no.
Escape character is '^]'.
IRIX System V.4 (gyllir.ifi.foobar.no)
Now Irix is a Unix-type operating system for Silicon Graphics
Inc. (SGI) machines. This fits with the name of the POP server
software on ifi.foobar.no in the header of (950413.SGI.8.6.12/951211.SGI).
So, wow, we are looking at a large network of Norwegian computers
that includes SGI boxes. We could find out just how many SGI
boxes with patience, scanning of neighboring IP addresses, and
use of the Unix dig and nslookup commands. Now you don't see
SGI boxes just every day on the Internet. SGI computers are optimized
for graphics and scientific computing. So I'm really tempted
to learn more about this domain. Oftentimes an ISP will have
a Web page that is found by directing your browser to its domain
name. So I try out http://ifi.foobar.no. It doesn't work, so
I try http://www.ifi.foobar.no. I get the home page for the University
of Oslo Institutt for Informatikk. The Informatikk division has
strengths in computer science and image processing. No wonder
people with ifi.foobar.no get to use SGI computers.
Next I check out www.foobar.no and learn the University of
Oslo has some 39,000 students. No wonder we find so many Internet
host computers under the ifi.foobar.no domain!
But let's get back to this header. The next line is pretty
simple, just the date:
Date: Fri, 11 Apr 1997 18:09:53 GMT
But now comes the most fascinating line of all in the header,
the message ID:
Message-Id: 199704111809.13156.gyllir@ifi.foobar.no
The message ID is the key to tracking down forged email. Avoiding
the creation of a valid message ID is the key to using email
for criminal purposes. Computer criminals go to a great deal
of effort to find Internet hosts on which to forge email that
will leave no trace of their activities through these message
IDs.
The first part of this ID is the date and time. 199704111809
means 1997, April 11, 18:08 (or 6:08 PM). Some message IDs also
include the time in seconds. Others may leave out the "19"
from the year. The 13156 is a number identifying who wrote the
email, and gyllir@ifi.foobar.no refers to the computer, gyllir
within the domain ifi.foobar.no, on which this record is stored.
Where on this computer are the records of the identities of
senders of email stored? Now Unix has many variants, so I'm not
going to promise these records will be in a file of the same
name in every Unix box. But often they will be in either the
syslog files or /usr/spool/mqueue. Some sysadmins will archive
the message IDs in case they need to find out who may have been
abusing their email system. But the default setting for some
systems, for example those using sendmail, is to not archive.
Unfortunately, an Internet host that doesn't archive these message
IDs is creating a potential haven for email criminals.
Now we will leave the University of Norway and move on to
a header that hides a surprise.
Received: from NIH2WAAF (mail6.foo1.csi.com [149.xxx.183.75])
by Fubarino.com (8.8.3/8.6.9) with ESMTP id XAA20854 for
<galfina@Fubarino.com>; Sun, 27 Apr 1997 23:07:01 GMT
Received: from CISPPP - 199.xxx.193.176 by csi.com with Microsoft
SMTPSVC; Sun, 27 Apr 1997 22:53:36 -0400
Message-Id: <2.2.16.19970428082132.2cdf544e@fubar.com>
X-Sender: cmeinel@fubar.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: galfina@Fubarino.com
From: "Carolyn P. Meinel" <>
Subject: Sample header
Date: 27 Apr 1997 22:53:37 -0400
Let's look at the first line:
Received: from NIH2WAAF (mail6.foo1.csi.com [149.xxx.183.75])
by Fubarino.com (8.8.3/8.6.9) with ESMTP id XAA20854 for <galfina@Fubarino.com>;
Sun, 27 Apr 1997 23:07:01 GMT
This first line tells us that it was received by the email
account "galfina@Fubarino.com". That's the "for
<galfina@Fubarino.com>" part. The Internet host computer
that sent the email to galfina was mail6.foo1.csi.com [149.xxx.183.75].
This computer name is given first in a form easily (ha, hah!)
read by humans followed by the version of its name that a computer
can more easily translate into the 0's and 1's that computers
understand. "Galfina" is my user name. I chose it in
order to irritate G.A.L.F. (Gray Areas Liberation Front).
"Fubarino.com (8.8.3/8.6.9)" is the name of the
computer that received the email for my galfina account. But
notice it is a very partial computer name. All we get is a domain
name and not the name of the computer from which I download my
email. We can guess that Fubarino.com is not the full name because
Fubarino is a big enough ISP to have several computers on a LAN
to serve all its users.
**************************************************
Evil genius tip: Want to find out the names of some of the computers
on your ISP's LAN? Commands that can dredge some of them up include
the Unix commands traceroute, dig, and who. For example, I explored
the Fubarino.com LAN and found free.Fubarino.com (from command
"dig Fubarino.com"); and then dialin.Fubarino.com and
milnet.Fubarino.com (from "who" given while logged
in my galfina account) Then using the numerical addresses given
from the dig command with these names of Fubarino.com computers
I then was able, by checking nearby numbers, to find a whole
bunch more names of Fubarino.com computers.
**************************************************
The number after Fubarino.com is not a numerical IP address.
It is the designation of the version of the mail program it runs.
We can guess from these numbers 8.8.3/8.6.9 that it refers to
the Sendmail program. But just to make sure, we try the command
"telnet Fubarino.com 25." This gives us the answer:
220 Fubarino.com ESMTP Sendmail 8.8.3/8.6.9 ready at Mon,
28 Apr 1997 09:55:58 GMT
So from this we know Fubarino.com is running the Sendmail
program.
**************************************************
Evil genius tip: Sendmail is notorious for flaws that you can
use to gain root access to a computer. So even though Fubarino.com
is using a version of sendmail that has been fixed from its most
recently publicized security holes, if you are patient a new
exploit will almost certainly come out within the next few months.
The cure for this problem may possibly be to run qmail, which
so far hasn't had embarrassing problems.
**************************************************
OK, now let's look at the next "received" line in
that header:
Received: from CISPPP - 199.xxx.193.176 by csi.com with Microsoft
SMTPSVC; Sun, 27 Apr 1997 22:53:36 -0400
CISPPP stands for a Compuserve Information Services Point-to-Point
Protocol (PPP) connection. This means that the mail was
sent from a PPP connection I set up through Compuserve. We also
see that Compuserve uses the Microsoft SMTPSVC mail program.
However, we see from the rest of the header that the sender (me)
didn't use the standard Compuserve mail interface:
Message-Id: 2.2.16.19970428082132.2cdf544e@fubaretta.com
The number 2.2.16. was inserted by Eudora, and means I am
using Eudora Pro 2.2, 16-bit version. The 19970428082132 means
the time I sent the email, in order of year (1997), month (04),
day (28) and time (08:31:32). The portion of the message ID "2cdf544e@fubaretta.com"
is the most important part. That is provided by the Internet
host where a record of my use of fubaretta's mail server has
been stored.
Did you notice this message ID was not stored with Compuserve,
but rather with fubaretta.com? This is, first of all, because
the message ID is created with the POP server that I specified
with Eudora. Since Compuserve does not yet offer POP servers,
I can only use Eudora to send email over a Compuserve connection
but not to receive Compuserve email. So, heck, I can specify
an arbitrary POP server when I send email over Compuserve from
Eudora. I picked the Fubaretta ISP. So there!
If I were to have done something bad with that email,
such as spamming, extortion or email bombing, the sysadmin at
fubaretta.com would look up that message ID and find information
tying that email to my Compuserve account. That assumes, of course,
that fubaretta.com is archiving message IDs.
So when you read this part of the header you might think that
the computer where I pick up my email is with the Fubaretta.com
ISP. But all this really means is that I specified to Eudora
that I was using a mail account at Fubar. But if I had put a
different account name there, then I would have generated a different
message ID. Did I need to have an account at Fubaretta? No. The
mail server did not ask for a password. In fact, I don't have
an account at Fubaretta. The rest of the header is information
provided by Eudora:
X-Sender: cmeinel@fubar.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
The "X-Mailer" information tells you I was using
the 16 bit version of Windows Eudora Pro Version 2.2. Some people
have asked me why I don't use the 32 bit version (which runs
on Win 95) instead of the 16 bit version. Answer: better error
handling! That's the same reason I don't normally use Pegasus.
Also, Eudora lets me get away with stuph:) Mime (Multipurpose
Internet Mail Extensions) is a protocol to view email. Those of
you who got lots of garbage when I sent out GTMHH and Digest
can blame it on Mime. If your email program doesn't use Mime,
you get lots of stuff like "=92" instead of what I
tried to send. But this time I turned off the "quoted-printable"
feature in Eudora. So this time I hope I sent all you guys plain,
friendly ASCII. Please email me if what you got was still messed
up, OK? The character set "us-ascii" tells us what
character set this email will use. Some email uses ISO ascii
instead, generally if it originates outside the US.
Now let's look at a slightly more exciting header. In fact,
this is a genuine muhahaha header. Remember that war I declared
on Web sites that provide downloads of email bombing programs?
You know, those Windows 95 for lusers programs that run from
a few mouse clicks? Here's a header that reveals my tiny contribution
toward making life unpleasant for the ISPs that distribute these
programs. It's from the Happy Hacker Digest, April 12, 1997,
from a copy that reached a test email address I had on the list:
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for
techbr@fooway.net id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400
Date: Mon, 14 Apr 1997 12:05:22 -0400
Received: from mocha.icefubarnet.com by o200.fooway.net via ESMTP
(950413.SGI.8.6.12/951211.SGI) for <pettit@techbroker.com>
id MAA06380; Mon, 14 Apr 1997 12:05:20 -0400
Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211])
by mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP
id AAP3428; Mon, 14 Apr 1997 08:51:02 -0700
Message-Id: <2.2.16.19970414100122.4387d20a@mail.fooway.net>
X-Sender: techbr@mail.fooway.net (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: (Recipient list suppressed)
From: "Carolyn P. Meinel" <>
Subject: Happy Hacker Digest April 12, 1997
Now let's examine the first field:
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for
techbr@fooway.net id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400
Date: Mon, 14 Apr 1997 12:05:22 -0400
We already looked at this computer o200.fooway.net above.
But, heck, let's probe a little more deeply. Since I suspect
this is a POP server, I'm going to telnet to port 110, which
is normally the POP server port.
> telnet o200.fooway.net 110
Trying 207.xxx.192.57...
Connected to o200.fooway.net.
Escape character is '^]'.
+OK QUALCOMM Pop server derived from UCB (version 2.1.4-R3) at
mail starting.
Now we know more about Fooway Technology's POP server. If
you have ever run one of those hacker "strobe" type
programs that tell you what programs are running on each port
of a computer, there is really no big deal to it. They just automate
the process that we are doing here by hand. But in my humble
opinion you will learn much more by strobing ports by hand the
same way I am doing here. Now we could do lots more strobing,
but I'm getting bored. So we check out the second field in this
header:
Date: Mon, 14 Apr 1997 12:05:22 -0400
That -0400 is a time correction. But to what is it correcting?
Let's see the next field in the header:
Received: from mocha.icefubarnet.com by o200.fooway.net via
ESMTP (950413.SGI.8.6.12/951211.SGI) for <>
id MAA06380; Mon, 14 Apr 1997 12:05:20 -0400
Hmmm, why is mocha.icefubarnet.com in the header? If this
header isn't forged, it means this mail server was handling the
Happy Hacker Digest mailing. So where is mocha.icefubarnet.com
located? A quick use of the whois command tells us:
> whois icefubarnet.com
ICEFUBARNET INTERNET, INC (ICEFUBARNET-DOM)
2178 Fooway
North Bar, Oregon 97xxx
USA
Now this is located four time zones earlier than the computer
o200.fooway.net. So this explains the time correction notation
of -0400.
Next field on the header tells us:
Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211])
by mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP
id AAP3428; Mon, 14 Apr 1997 08:51:02 -0700
This tells us that the Happy Hacker Digest was delivered to
the mail server (SMTP stands for Simple Mail Transfer Protocol)
at mocha.icefubarnet.com by Compuserve. But, and this is very
important to observe, once again I did not use the Compuserve
mail system. This merely represents a PPP session I set up with
Compuserve. How can you tell? Playing with nslookup shows that
the numerical representation of my Compuserve connection isn't
an Internet host. But you can't learn much more easily because
Compuserve has great security -- one reason I use it. But take
my word for it, this is another way to see a Compuserve PPP session
in a header.
Now we get to the biggie, the message ID:
Message-Id: 2.2.16.19970414100122.4387d20a@mail.fooway.net
Whoa, how come that ID is at the computer mail.fooway.net?
It's pretty simple. In Eudora I specified my POP server as mail.fooway.net.
But if you were to do a little strobing, you would discover that
while fooway.net has a POP server, it doesn't have an SMTP or
ESMTP server. You can get mail from Fooway, but you can't mail
stuff out from Fooway. But the marvelous workings of the Internet
combined with the naivete of the Eudora Pro 2.2 program sent
my message ID off to mail.fooway.net anyhow.
On the message ID, the "2.2.16" was inserted by
Eudora. That signifies it is the 2.2 version for a 16 bit operating
system. The remaining fields of the header were all inserted
by Eudora:
X-Sender: techbr@mail.fooway.net (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: (Recipient list suppressed)
From: "Carolyn P. Meinel" <>
Subject: Happy Hacker Digest April 12, 1997
Notice Eudora does let us know that techbr@mail.fooway.net
is unverified as sender. And in fact, it definitely is not the
sender. This is a very important fact. The message ID of an email
is not necessarily stored with the computer that sent it out.
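As an added example (not code from the original Guide), here is a small Python script that does by program what the text does by hand on the Received lines, the Message-Id and the X-Sender field: it unfolds the Received headers, lists the relay hops origin-first with each timestamp's zone offset normalised to UTC, decodes a Eudora-style Message-Id, and reports the hand-off and Message-Id-host mismatches the text points out. The header is the fubarred Digest header quoted above, refolded as a mail reader would store it; the field layouts the regular expressions expect are my assumptions drawn from the header shapes on this page.

```python
import re
from datetime import datetime, timezone
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed sample: the fubarred Happy Hacker Digest header quoted in the
# text, folded the way a mail reader stores it (continuation lines = tab).
SAMPLE_HEADER = """\
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for
\ttechbr@fooway.net id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400
Date: Mon, 14 Apr 1997 12:05:22 -0400
Received: from mocha.icefubarnet.com by o200.fooway.net via ESMTP
\t(950413.SGI.8.6.12/951211.SGI) for <pettit@techbroker.com>
\tid MAA06380; Mon, 14 Apr 1997 12:05:20 -0400
Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211])
\tby mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP
\tid AAP3428; Mon, 14 Apr 1997 08:51:02 -0700
Message-Id: <2.2.16.19970414100122.4387d20a@mail.fooway.net>
X-Sender: techbr@mail.fooway.net (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
To: (Recipient list suppressed)
Subject: Happy Hacker Digest April 12, 1997

"""

# Assumed shape of one Received clause: [from HOST [(INFO)]] by HOST REST; DATE
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?\s+)?"
    r"by\s+(?P<by>\S+)(?P<rest>.*?);\s*(?P<date>.+)$")
# Assumed Eudora Message-Id shape: <major.minor.bits.YYYYMMDDHHMMSS.hex@host>
EUDORA_MID_RE = re.compile(
    r"^<?(?P<version>\d+\.\d+\.\d+)\.(?P<stamp>\d{14})\."
    r"(?P<unique>[0-9a-fA-F]+)@(?P<host>[^>\s]+)>?$")


def parse_received(value):
    """Split one Received header into its relay-hop fields."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.match(flat)
    if not m:
        raise ValueError("unparseable Received header: " + flat)
    rest = m.group("rest")
    proto = re.search(r"\b(?:with|via)\s+(\S+)", rest)
    ident = re.search(r"\bid\s+(\S+)", rest)
    stamp = parsedate_to_datetime(m.group("date"))
    return {
        "from": m.group("from"),            # None when the MTA queued it locally
        "from_info": m.group("from_info"),  # reverse-DNS name and [IP] if logged
        "by": m.group("by"),
        "protocol": proto.group(1) if proto else None,
        "id": ident.group(1) if ident else None,
        "utc": stamp.astimezone(timezone.utc),  # -0400 / -0700 brought to UTC
    }


def parse_message_id(value):
    """Pull version, timestamp and host out of a Eudora-style Message-Id;
    for any other shape only the host after the '@' is recovered."""
    m = EUDORA_MID_RE.match(value.strip())
    if not m:
        host = value.strip().strip("<>").rpartition("@")[2] or None
        return {"version": None, "timestamp": None, "unique": None, "host": host}
    return {"version": m.group("version"),
            "timestamp": datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S"),
            "unique": m.group("unique"), "host": m.group("host")}


def analyze_header(raw):
    """Rebuild the relay chain origin-first and flag what the text teaches
    to look for: hand-off mismatches, clock skew between hops, a Message-Id
    host that is not the first relay, and an unverified X-Sender."""
    msg = HeaderParser().parsestr(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # the bottom Received line is the earliest hop
    delays, findings = [], []
    for prev, cur in zip(hops, hops[1:]):
        secs = (cur["utc"] - prev["utc"]).total_seconds()
        delays.append(secs)
        if secs < 0:
            findings.append("%s stamped %.0fs before the hop that fed it"
                            % (cur["by"], -secs))
        if cur["from"] and cur["from"].lower() != prev["by"].lower():
            findings.append("%s says it got the mail from %s, but the previous "
                            "hop was handled by %s" % (cur["by"], cur["from"], prev["by"]))
    mid = parse_message_id(msg.get("Message-Id", ""))
    if hops and mid["host"] and mid["host"].lower() != hops[0]["by"].lower():
        findings.append("Message-Id host %s differs from first relay %s"
                        % (mid["host"], hops[0]["by"]))
    if "(unverified)" in msg.get("X-Sender", "").lower():
        findings.append("X-Sender is marked Unverified by the mail client")
    return {"hops": hops, "delays": delays, "message_id": mid, "findings": findings}


if __name__ == "__main__":
    report = analyze_header(SAMPLE_HEADER)
    for hop in report["hops"]:
        print(hop["utc"].isoformat(), hop["from"], "->", hop["by"], hop["id"])
    for finding in report["findings"]:
        print("!", finding)
```

On the sample the two findings are exactly the two the text draws out of this header: the Message-Id sits at mail.fooway.net while the first relay was mocha.icefubarnet.com, and Eudora marked the X-Sender as unverified.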
So how was I able to use Icefubarnet Internet's mail server
to send out the Happy Hacker Digest? Fortunately Eudora's naivete
makes it easy for me to use any mail server that has an open
SMTP or ESMTP port. You may be surprised to discover that there
are uncountable Internet mail servers that you may easily commandeer
to send out your email -- if you have the right program -- or
if you know how to telnet to port 25 (which runs using the SMTP
or ESMTP protocols) and give the commands to send email yourself.
Why did I use Icefubarnet? Because at the time it was hosting
an ftp site that was being used to download email bomber programs
(http://www.icefubarnet.com/~astorm/uy4beta1.zip). Last time
I checked the owner of the account from which he was offering
this ugly stuff was unhappy because Icefubarnet Internet had
made him take it down.
But -- back to how to commandeer mail servers while sending
your message IDs elsewhere. In Eudora, just specify your victim
mail server under the hosts section of the options menu (under
tools). Then specify the computer to which you want to send your
message ID under "POP Server." But if you try any of
this monkey business with Pegasus, it gives a nasty error message
accusing you of trying to forge email. Of course you can always
commandeer mail servers by writing your own program to do it.
But that will be covered in the upcoming GTMHH
on shell programming.
*********************************************
Newbie note: Shell programming? What the heck izzat? It means
writing a program that uses a sequence of commands available
to you in your Unix shell. If you want to be a real hacker, you
*must* learn Unix! If you are serious about continuing to study
these GTMHHs, you *must* either get a shell account or install
some form of Unix on your home computer. You may find places
where you can sign up for shell accounts through http://www.celestin.com/pocia/.
Or email haxorshell@techbroker.com for information on how to
sign up with a shell account that is friendly to hackers and
that you may securely telnet into from your local ISP PPP dialup.
*********************************************
Happy Hacking, and be good!
_________________________________________________________
Want to see back issues of Guide to (mostly) Harmless Hacking?
See either
http://www.cs.utexas.edu/users/matt/hh.html (the official Happy
Hacker archive site)
http://www.geocities.com/TimesSquare/Arcade/4594
http://www.silitoad.org
http://base.kinetik.org
http://www.anet-chi.com/~dsweir
http://www.tacd.com/zines/gtmhh/
http://ra.nilenet.com/~mjl/hacks/codez.htm
http://www.ilf.net/brotherhood/index2.html
http://www.magnum44.com/orion/entry.htm
http://www.geocities.com/NapaValley/1613/main.html
Want to share some kewl stuph with the Happy Hacker list? Correct
mistakes? To send me confidential email (please, no discussions
of illegal activities) use and be sure to state in your message
that you want me to keep this confidential. If you wish your
message posted anonymously, please say so! Direct flames to
dev/null@techbroker.com.
Happy hacking! © 1997 Carolyn P. Meinel. You may forward
or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site
as long as you leave this notice at the end.