How IT Works: E-mail Headers

R'ykandar Korra'ti

As a network administrator, you've just seen fifty copies of the same e-mail virus sent to your users. How do you know which machine is infected? Is it someone inside your own company or someone external you can block?

Often, you can isolate it to a single machine by analyzing the one portion of the header your own e-mail server provides. Figure 1 shows a real-life example (all real names have been changed).

Figure 1 Analyzing E-mail

Received: from microsoft.net ([69.66.109.194])
        by lodestone.microsoft.net with ESMTP
        id HAA19424
        for <sample@microsoft.net>; Fri, 5 Mar 
        2004 07:30:22 -0800
From: firstname.lastname@sample.state.ia.us
Message-Id: 
  <200403051530.HAA19424@lodestone.microsoft.net>
To: sample@microsoft.net
Subject: Re: Your bill
Date: Fri, 5 Mar 2004 09:36:35 -0600
X-Priority: 3
X-MSMail-Priority: Normal

The important data is in the Received: line. Each time a server receives an SMTP message, it is supposed to add a new Received: line at the beginning of the header block. The topmost line will have been added by your server.

My e-mail server added the topmost line in this example; since there are no other Received: lines further below it, it is probably safe to assume that it was delivered directly to my system by an embedded mini-SMTP engine running on an infected machine. Had there been more than one Received: line, the first one might have been a relaying mail server. As servers are not as likely to be infected as clients, you may want to skip down to the second entry.

The Received: line provides information in this format:

Received: from <info supplied by sender—untrustworthy>
(<info provided by our server—trustworthy>) 
by <our server> with <protocol> 
<message ID> {for <email address>}; <date>

Your concern should lie with the information provided by your server; that's the data in parentheses following the "from" information supplied by the sender. The sender-provided information will almost always be invalid in virus and spam mail, so you can just ignore it.

In this example, the information added by my server consisted only of the IP address of the machine handing me the message—69.66.109.194. That's the least amount of information you'll get. There may also be a machine name before the IP address, but still within the parentheses. If present, it is also trustworthy information and saves you the next step.
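As an added example (not part of the original column), the following Python applies the Received: format above to raw header text: it unfolds continuation lines, splits each Received: line into the sender-claimed part and the server-supplied part in parentheses, pulls the IP address out of the server-supplied part of the topmost hop, and tallies that address over a batch of messages, which is how a single infected machine shows up behind many different forged "from" names. The batch is constructed for the example; the 192.0.2.x addresses and the example.net/example.org names are placeholders.

```python
import re
from collections import Counter

def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) onto the line above."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

# "from <claimed> (<verified>) by <server>": the claimed part comes from the
# sender; only the parenthesised part was added by the receiving server.
RECEIVED_RE = re.compile(
    r"^Received:\s*(?:from\s+(?P<claimed>\S+)\s*(?:\((?P<verified>[^)]*)\))?)?"
    r"\s*by\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(raw):
    """All Received: lines in header order; index 0 is the one our server added."""
    return [m.groupdict() for m in map(RECEIVED_RE.match, unfold_headers(raw)) if m]

def trusted_source_ip(raw):
    """IP from the parenthesised (server-supplied) part of the topmost hop, or None."""
    hops = received_hops(raw)
    verified = hops[0]["verified"] if hops else None
    m = IP_RE.search(verified) if verified else None
    return m.group(1) if m else None

def count_sources(messages):
    """Tally trusted source IPs across a batch of raw header blocks."""
    return Counter(ip for ip in map(trusted_source_ip, messages) if ip)

# Constructed samples: the article's header, plus two invented ones (192.0.2.x is
# documentation address space) whose sender-supplied "from" claims differ.
ARTICLE = """Received: from microsoft.net ([69.66.109.194])
        by lodestone.microsoft.net with ESMTP
        id HAA19424
        for <sample@microsoft.net>; Fri, 5 Mar 2004 07:30:22 -0800
From: firstname.lastname@sample.state.ia.us
Subject: Re: Your bill
"""
OTHERS = [
    "Received: from yahoo.com (dsl-7.example.net [192.0.2.7])\n\tby mx.example.org with ESMTP id A1; Fri, 5 Mar 2004 07:31:00 -0800\n",
    "Received: from aol.com ([192.0.2.7])\n\tby mx.example.org with ESMTP id A2; Fri, 5 Mar 2004 07:32:00 -0800\n",
]
BATCH = [ARTICLE] + OTHERS  # count_sources(BATCH) -> {'192.0.2.7': 2, '69.66.109.194': 1}
```

Where the server puts a hostname before the IP inside the parentheses, that name is kept in the `verified` field and saves the reverse-DNS step described next.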

Two tools are needed to discover and verify the name of this machine and the owner of its domain: nslookup (host, on some operating systems) and whois. Both nslookup and host provide DNS lookups against hostnames or IP addresses:

C:\>nslookup 69.66.109.194

194.109.66.69.in-addr.arpa domain name pointer 
dwtt-00-0194.dsl.cascadiatelecom.net.

I now know the sender is in the domain cascadiatelecom.net. I've already learned that Cascadia Telecom supports reverse-DNS lookups, although not all network providers do. For those that don't, you must apply the whois tool.

To oversimplify a bit, whois provides information about domains rather than individual hosts. This tool is generally used to identify the owner of a particular domain, as shown in Figure 2. Whois can also be used to identify the owner of an IP address, or range of IP addresses, when you don't know the name of the domain. A network of top-level whois servers exists for this purpose. These are whois.apnic.net (Asia-Pacific), whois.arin.net (Americas), and whois.ripe.net (Europe), each covering a different geographical region. As a rule of thumb, test against the server for your geographical area first; if that fails, keep going until you find one that works. I already know my example is in North America, but if I didn't, that's where I'd start (see Figure 3).

Figure 2 The Domain Owner

Domain Name: MICROSOFT.COM
   Registrar: TUCOWS INC.
   Whois Server: whois.opensrs.net
   Referral URL: https://domainhelp.tucows.com
   Name Server: NS3.MSFT.NET
   Name Server: NS1.MSFT.NET
   Name Server: NS2.MSFT.NET
   Name Server: NS5.MSFT.NET
   Name Server: NS4.MSFT.NET
   Updated Date: 23-jun-2004
   Creation Date: 02-may-1991
   Expiration Date: 03-may-2014

Figure 3 The IP Address Owner

OrgName:    Cascadia Telecom
NetRange:   69.66.0.0 - 69.66.255.255
CIDR:       69.66.0.0/16
NetName:    CASCADIA-TELECOM
NameServer: AR.CASCADIATELECOM.NET
NameServer: HE.CASCADIATELECOM.NET
OrgTechName:   Cascadia Telecom NOC
OrgTechPhone:  +1-877-555-1212
OrgTechEmail:  noc@cascadiatelecom.net

With any batch of virus mail received, you'll see a cacophony of sender-provided misinformation. But with a little analysis, you'll often find most of it actually came from one or two infected (and easily blocked and disinfected) machines.

R'ykandar Korra'ti, a glass sculptor, lives in Seattle with her partner Anna, and is postmaster for a small co-op ISP. Having shipped many e-mail products, she retired from Microsoft in 1999 to focus on her art career.

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.