Yahoo has been my primary mail account for years. Today I have finally buckled down and set up an additional mail address on my ISP's server, and set up Outlook and my shiny new iPhone with this new mail account. Of course everything was easy, except the Telstra part.
Now over to the Blackboard to do the "Email Tutorial". Back soon.
Task 1 : What information about a user's email, the origin of the message and the path it took can you glean from an email message?
This task seemed simple on the surface but needed a bit of reading to complete.
http://www.visualware.com/resources/tutorials/email.html
http://www.sendmail.org/dkim/technicalOverview.html
These are the two sources that quickly and clearly explained the syntax used in the headers, but I also read wiki entries and other pages that gave partial information. The email header convention is like HTML headers: they are slightly different between versions and systems. Header content depends on the application used to create the message (plus deliberate spoofing) and the mail server systems passed through.
For this task I sent myself a message from Yahoo to my new Bigpond address. Then in Outlook, right click on the message in the Inbox. Select Options from the menu, Internet headers.
Return-Path:
Received: from nskntingx07p.mx.bigpond.com ([66.163.178.121])
by nskntmtas06p.mx.bigpond.com with ESMTP
id <20090406003140.hnm57.nskntmtas06p.mx.bigpond.com@nskntingx07p.mx.bigpond.com>
for
Received: from web34206.mail.mud.yahoo.com ([66.163.178.121])
by nskntingx07p.mx.bigpond.com with SMTP
id <20090406003139.dbli17747.nskntingx07p.mx.bigpond.com@web34206.mail.mud.yahoo.com>
for
Received: (qmail 12471 invoked by uid 60001); 6 Apr 2009 00:31:37 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1238977897; bh=WQQeqrN9VMa1DV024/4J/HQCl+gGBcPoUDZpkwg1pWU=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=oG+o3CAFfXV46okSpfreGb4h5MBk66iEnxaUhq335YMRcginKddhSlqhbRW/zd64i7e3lG7LXnqKBpto/L02Giqr0PNkkwCKuojpjurvX4LaScaUj/sDGJBWiMzKF3f9K3lc59T0VgO2OXDN1PwQBqZAm0AeBKNyLIFMl6wliTs=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=UsmafdJMrygFdl54dqTYkZvoY4it/VtZW2cXeSsoH9G+AKuI1NBQp3w6bDaINdmU8XscZUs0HX2CT+8L5Tm7tgOj8117JSUFqJ6eTiPmotHA2S9vtyKrIqGcRQr4wKOk598RH81KMNHd/ZsFF8W5/Zj+vvd9HM4Cx+3MBA/9J4E=;
Message-ID: <292351.8925.qm@web34206.mail.mud.yahoo.com>
X-YMail-OSG: InYFs7gVM1l78.2oqOmdVfJXaTNoqcZEI0ysXA4dWbNx7d9z6wlFfSur3GlUkLjfQdJK7ueh3fyLfpziELrSjiHNUXZPKSRB51YXeb_qYPx7OCWhNMSVYZpfBRpBdPg7NgLGilc7hzjnVXF3cwRZKZ56EydeC2uuMRRYoaXaovVXNQW7urEhDR2NXKfgWv4yGt5H9IWh81tq7pLHbxyQMc8fi.Wz.VM.RDK1r0BsYZDkmQVFT5C9uoonvKpg.hSuAcdQFoCDJfrh5Qfj.MlRw.DZQIXODQQO.WzY9k0.evYKPIsKiqXP78e51SMNQDJNIRINQBcp4lNMcNIyO75soZhhPNGreLVmKo7Rpa90h2Y-
Received: from [121.218.223.76] by web34206.mail.mud.yahoo.com via HTTP; Sun, 05 Apr 2009 17:31:37 PDT
X-Mailer: YahooMailWebService/0.7.289.1
Date: Sun, 5 Apr 2009 17:31:37 -0700 (PDT)
From: Jason Radich
Subject: test
To: jason_radich@bigpond.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1432617849-1238977897=:8925"
X-RPD-ScanID: Class unknown; VirusThreatLevel unknown, RefID str=0001.0A150202.49D94D6C.0015,ss=1,fgs=0
From top to bottom this header text contains:
- Return-Path: reply address. Can be spoofed.
- Received: As messages move through mail servers, each server adds a new Received header line to the beginning of the headers list. Each of these lines contains tokens, being: (from), (by), (id), (for) and (;)
So the first received line can be broken down thus:
from nskntingx07p.mx.bigpond.com ([66.163.178.121])
by nskntmtas06p.mx.bigpond.com with ESMTP
id <20090406003140.hnm57.nskntmtas06p.mx.bigpond.com@nskntingx07p.mx.bigpond.com>
for; Mon, 6 Apr 2009 00:31:40 +0000
- DKIM-Signature : DomainKeys Identified Mail is a domain-level authentication method for email using public key cryptography.
- X-Mailer : sender's mailer software, in this case Yahoo web mail.
- Date
- From
- Subject
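As an added example (not part of the original post), here is a short Python parser for the Received tokens described above. It lists the hops oldest first and copes with a line like the qmail one that carries no from/by tokens. The sample header is constructed with documentation hostnames and addresses, and the names parse_received and hops are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample shaped like the header above (documentation hosts and IPs).
SAMPLE = """\
Received: from mx-in.isp.example ([198.51.100.7])
 by store.isp.example with ESMTP id <20090406003140.aaa@mx-in.isp.example>
 for <user@isp.example>; Mon, 6 Apr 2009 00:31:40 +0000
Received: from web1.mail.example ([198.51.100.7])
 by mx-in.isp.example with SMTP id <20090406003139.bbb@web1.mail.example>
 for <user@isp.example>; Mon, 6 Apr 2009 00:31:39 +0000
Received: (qmail 12471 invoked by uid 60001); 6 Apr 2009 00:31:37 -0000
Received: from [203.0.113.76] by web1.mail.example via HTTP;
 Sun, 05 Apr 2009 17:31:37 PDT
Subject: test

body
"""

def parse_received(value):
    """Split one Received value into its tokens; absent tokens are None."""
    value = " ".join(value.split())               # unfold continuation lines
    tokens, sep, stamp = value.rpartition(";")    # timestamp follows the last ';'
    if not sep:                                   # line carries no timestamp
        tokens, stamp = value, ""
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", tokens)
    # Drop (comments) so "(qmail ... invoked by uid ...)" is not read as a 'by' token.
    bare = re.sub(r"\([^()]*\)", " ", tokens)

    def tok(pattern):
        m = re.search(pattern, bare)
        return m.group(1) if m else None

    return {
        "from": tok(r"\bfrom\s+\[?([^\s\]]+)"),
        "ip": ip.group(1) if ip else None,
        "by": tok(r"\bby\s+(\S+)"),
        "with": tok(r"\b(?:with|via)\s+(\S+)"),
        "id": tok(r"\bid\s+<?([^>\s]+)"),
        "for": tok(r"\bfor\s+<?([^>\s]+)"),
        "date": stamp.strip() or None,
    }

def hops(raw_message):
    """Return hops oldest first: each server prepends its line, so reverse."""
    received = message_from_string(raw_message).get_all("Received") or []
    return [parse_received(v) for v in reversed(received)]

if __name__ == "__main__":
    for n, hop in enumerate(hops(SAMPLE), 1):
        print(n, hop["from"], "->", hop["by"], hop["with"], hop["date"])
```

Only the Received lines added by servers you trust (here, the receiving ISP's) are reliable; anything below them was supplied by the sending side and can be forged.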
In summary, the information we can glean from this email's header regarding the user's email, the origin of the message and the path it took is as follows.
The email was written by Jason Radich using Yahoo mail web application. Using Network Tools to check the DNS against the IP address, the origin is confirmed as Yahoo. The message has three Received lines, but only seems to have gone through two mail servers, Yahoo and Bigpond. The first Received line I think is internal at Yahoo, as it doesn't have a full set of Tokens.
Probably went into overkill on this question having been away from my blog for nearly a month, but it seemed to require more investigation than the simplicity of the question implied. Very interesting to look at this metadata.