How IT Works
E-mail Headers
R'ykandar Korra'ti
As a network administrator, you've just seen fifty copies of the same e-mail virus sent to your users. How do you know which machine is infected? Is it someone inside your own company or someone external you can block?
Often, you can isolate it to a single machine by analyzing the one portion of the header your own e-mail server provides. Figure 1 shows a real-life example (all real names have been changed).
Figure 1 Analyzing E-mail
Received: from microsoft.net ([69.66.109.194])
by lodestone.microsoft.net with ESMTP
id HAA19424
for <sample@microsoft.net>; Fri, 5 Mar
2004 07:30:22 -0800
From: firstname.lastname@sample.state.ia.us
Message-Id:
<200403051530.HAA19424@lodestone.microsoft.net>
To: sample@microsoft.net
Subject: Re: Your bill
Date: Fri, 5 Mar 2004 09:36:35 -0600
X-Priority: 3
X-MSMail-Priority: Normal
The important data is in the Received: line. Each time a server receives an SMTP message, it is supposed to add a new Received: line at the beginning of the header block. The topmost line will have been added by your server.
My e-mail server added the topmost line in this example; since there are no other Received: lines further below it, it is probably safe to assume that it was delivered directly to my system by an embedded mini-SMTP engine running on an infected machine. Had there been more than one Received: line, the first one might have been a relaying mail server. As servers are not as likely to be infected as clients, you may want to skip down to the second entry.
The Received: line provides information in this format:
Received: from <info supplied by sender—untrustworthy>
(<info provided by our server—trustworthy>)
by <our server> with <protocol>
<message ID> {for <email address>}; <date>
Your concern should lie with the information provided by your server; that's the data in parentheses following the "from" information supplied by the sender. The sender-provided information will almost always be invalid in virus and spam mail, so you can just ignore it.
In this example, the information added by my server consisted only of the IP address of the machine handing me the message—69.66.109.194. That's the least amount of information you'll get. There may also be a machine name before the IP address, but still within the parentheses. If present, it is also trustworthy information and saves you the next step.
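The analysis described above, as an added Python example that is not code from the article or from TechNet: it pulls the server-recorded IP out of the parenthesised part of each Received: line, ignores the sender-supplied name after "from", applies the single-hop/second-hop rule of thumb, and tallies a batch of messages by real source. The sample headers are constructed; the first reuses Figure 1 and the rest use RFC 5737 documentation addresses and invented host names.

```python
import re
from collections import Counter
from email import message_from_string

# The parenthesised part of a Received: line is written by the receiving
# server: an optional reverse-DNS name plus, in square brackets, the IP it
# saw the connection come from. The name right after "from" is whatever the
# sender announced in HELO/EHLO; it is captured only so it can be ignored.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s*"                 # sender-supplied, untrustworthy
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"           # optional name our server resolved
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)"     # IP recorded by our server
    r".*?\bby\s+(?P<by>\S+)"                      # the server that added the line
)

EMPTY_HOP = {"claimed": None, "rdns": None, "ip": None, "by": None}


def received_chain(raw_message):
    """Return one dict per Received: line, topmost (most recent hop) first.
    A line without a bracketed IP (e.g. an internal delivery hop) is kept as
    an EMPTY_HOP so the hop count is not silently shortened."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold the header
        m = RECEIVED_RE.search(flat)
        hops.append(m.groupdict() if m else dict(EMPTY_HOP))
    return hops


def suspect_ip(raw_message):
    """The article's rule of thumb: with a single Received: line the
    connecting host delivered the message itself; with several, the topmost
    hop is likely a relaying mail server, so look at the second entry."""
    hops = received_chain(raw_message)
    if not hops:
        return None
    hop = hops[0] if len(hops) == 1 else hops[1]
    return hop["ip"]


def count_sources(raw_messages):
    """Tally suspect IPs across a batch; the forged From: and HELO names
    usually collapse to one or two real hosts."""
    return Counter(ip for ip in map(suspect_ip, raw_messages) if ip)


# Constructed sample header blocks. The first reuses Figure 1 from the
# article; the others use RFC 5737 documentation addresses and invented names.
SAMPLE_MESSAGES = [
    "Received: from microsoft.net ([69.66.109.194])\n"
    "\tby lodestone.microsoft.net with ESMTP\n"
    "\tid HAA19424\n"
    "\tfor <sample@microsoft.net>; Fri, 5 Mar 2004 07:30:22 -0800\n"
    "From: firstname.lastname@sample.state.ia.us\n"
    "Subject: Re: Your bill\n\n",
    # Same infected host, different forged HELO name; here our server also
    # recorded the reverse-DNS name inside the parentheses.
    "Received: from mail.example.org "
    "(dwtt-00-0194.dsl.cascadiatelecom.net [69.66.109.194])\n"
    "\tby lodestone.microsoft.net with ESMTP id HAA19431\n"
    "\tfor <sample@microsoft.net>; Fri, 5 Mar 2004 07:33:10 -0800\n"
    "From: accounts@example.net\nSubject: Your bill\n\n",
    # Relayed through another mail server: the top hop is the relay, the
    # second hop is the host that handed it to the relay.
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby lodestone.microsoft.net with ESMTP id HAA19500\n"
    "\tfor <sample@microsoft.net>; Fri, 5 Mar 2004 07:41:02 -0800\n"
    "Received: from pc.example (pc.example [198.51.100.7])\n"
    "\tby mx.example.net with SMTP id 12345\n"
    "\tfor <sample@microsoft.net>; Fri, 5 Mar 2004 07:40:55 -0800\n"
    "From: someone.else@example.org\nSubject: Re: Your bill\n\n",
    "Received: from localhost ([69.66.109.194])\n"
    "\tby lodestone.microsoft.net with ESMTP id HAA19512\n"
    "\tfor <sample@microsoft.net>; Fri, 5 Mar 2004 07:45:40 -0800\n"
    "From: billing@example.com\nSubject: Re: Your bill\n\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(suspect_ip(raw), received_chain(raw)[0]["claimed"])
    print(count_sources(SAMPLE_MESSAGES))
```

Four messages with four different claimed names reduce to two real sources, and the single relayed message is correctly attributed to the host behind the relay rather than to the relay itself.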
Two tools are needed to discover and verify the name of this machine and the owner of its domain: nslookup (host, on some operating systems) and whois. Both nslookup and host provide DNS lookups against hostnames or IP addresses:
C:\>nslookup 69.66.109.194
194.109.66.69.in-addr.arpa domain name pointer
dwtt-00-0194.dsl.cascadiatelecom.net.
I now know the sender is in the domain cascadiatelecom.net. I've already learned that Cascadia Telecom supports reverse-DNS lookups, although not all network providers do. For those that don't, you must apply the whois tool.
To oversimplify a bit, whois provides information about domains rather than individual hosts. This tool is generally used to identify the owner of a particular domain, as shown in Figure 2. Whois can also be used to identify the owner of an IP address, or range of IP addresses, when you don't know the name of the domain. A network of top-level whois servers exists for this purpose. These are whois.apnic.net (Asia-Pacific), whois.arin.net (Americas), and whois.ripe.net (Europe), covering different geographical regions. As a rule of thumb, test against the server for your geographical area first; if that fails, keep going until you find one that works. I already know my example is in North America, but if I didn't, that's where I'd start (see Figure 3).
Figure 2 The Domain Owner
Domain Name: MICROSOFT.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: http://domainhelp.tucows.com
Name Server: NS3.MSFT.NET
Name Server: NS1.MSFT.NET
Name Server: NS2.MSFT.NET
Name Server: NS5.MSFT.NET
Name Server: NS4.MSFT.NET
Updated Date: 23-jun-2004
Creation Date: 02-may-1991
Expiration Date: 03-may-2014
Figure 3 The IP Address Owner
OrgName: Cascadia Telecom
NetRange: 69.66.0.0 - 69.66.255.255
CIDR: 69.66.0.0/16
NetName: CASCADIA-TELECOM
NameServer: AR.CASCADIATELECOM.NET
NameServer: HE.CASCADIATELECOM.NET
OrgTechName: Cascadia Telecom NOC
OrgTechPhone: +1-877-555-1212
OrgTechEmail: noc@cascadiatelecom.net
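The "try your region's registry first, then the others" procedure, as an added Python example that is not code from the article or from TechNet: a minimal whois client that parses Key: value output, asks each regional registry in turn, and keeps the first answer whose CIDR or NetRange actually contains the address, which is the check that tells a real hit from a banner or an unrelated object. The whois_query function really talks to TCP port 43; the fake_query responses are constructed so the example runs offline (the ARIN one reuses Figure 3, the other two are invented), and the demo uses those.

```python
import ipaddress
import socket

# Regional registries named in the article. Put your own region first and
# fall through to the others, as the article suggests.
RIR_SERVERS = ["whois.arin.net", "whois.ripe.net", "whois.apnic.net"]


def whois_query(server, query, timeout=10):
    """Plain whois over TCP port 43: send the query, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict. Repeated keys (NameServer)
    become lists; '%' and '#' lines are skipped, since RIPE and APNIC
    prefix their banners and comments that way."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key not in record:
            record[key] = value
        elif isinstance(record[key], list):
            record[key].append(value)
        else:
            record[key] = [record[key], value]
    return record


def covers(record, ip):
    """True only if the record's CIDR (ARIN) or NetRange/inetnum range
    (ARIN, RIPE, APNIC) contains ip. A registry that does not hold the
    block answers with a banner or an unrelated object, and this is what
    separates a real hit from that noise."""
    addr = ipaddress.ip_address(ip)
    cidr = record.get("CIDR")
    if cidr:
        text = " ".join(cidr) if isinstance(cidr, list) else cidr
        return any(addr in ipaddress.ip_network(n, strict=False)
                   for n in text.replace(",", " ").split())
    rng = record.get("NetRange") or record.get("inetnum")
    if isinstance(rng, str) and "-" in rng:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-", 1))
        return lo.version == addr.version and lo <= addr <= hi
    return False


def find_owner(ip, query=whois_query, servers=RIR_SERVERS):
    """Ask each registry in turn; return (server, record) for the first
    answer whose block contains ip, or None if none of them has it."""
    for server in servers:
        try:
            record = parse_whois(query(server, ip))
        except OSError:            # unreachable server: move on to the next
            continue
        if covers(record, ip):
            return server, record
    return None


# Constructed responses standing in for the three registries. The ARIN
# text reuses Figure 3 from the article; the other two are invented.
FAKE_RESPONSES = {
    "whois.ripe.net": "% This is the RIPE Database query service.\n"
                      "% No entries found for the selected source(s).\n",
    "whois.arin.net": "OrgName:        Cascadia Telecom\n"
                      "NetRange:       69.66.0.0 - 69.66.255.255\n"
                      "CIDR:           69.66.0.0/16\n"
                      "NetName:        CASCADIA-TELECOM\n"
                      "NameServer:     AR.CASCADIATELECOM.NET\n"
                      "NameServer:     HE.CASCADIATELECOM.NET\n"
                      "OrgTechName:    Cascadia Telecom NOC\n"
                      "OrgTechPhone:   +1-877-555-1212\n"
                      "OrgTechEmail:   noc@cascadiatelecom.net\n",
    "whois.apnic.net": "% APNIC WHOIS (constructed)\n"
                       "inetnum:        203.0.113.0 - 203.0.113.255\n"
                       "netname:        EXAMPLE-NET\n",
}


def fake_query(server, query):
    """Offline stand-in for whois_query with the same signature."""
    return FAKE_RESPONSES[server]


if __name__ == "__main__":
    server, record = find_owner("69.66.109.194", query=fake_query)
    print(server, record["OrgName"], record["OrgTechEmail"])
```

Passing the query function in as a parameter is what lets the registry-walking logic be exercised without a network; swap fake_query for the default whois_query to run it for real.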
With any batch of virus mail received, you'll see a cacophony of sender-provided misinformation. But with a little analysis, you'll often find most of it actually came from one or two infected (and easily blocked and disinfected) machines.
R'ykandar Korra'ti, a glass sculptor, lives in Seattle with her partner Anna, and is postmaster for a small co-op ISP. Having shipped many e-mail products, she retired from Microsoft in 1999 to focus on her art career.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.