.foobar.no may be a pretty big deal. Probing around with dig and traceroute leads me to discover lots more computers in that domain. Probing with nslookup in the mode "set type=any" tells me yet more. Say, what does that .no mean, anyhow? A quick look at the International Standards Organization (ISO) records of country abbreviations shows me that "no" stands for Norway. Aha, it looks like Norway is an arctic land of fjords, mountains, reindeer, and lots and lots of Internet hosts. A quick search of the mailing list for Happy Hacker reveals that some 5% of its almost 4,000 email addresses have the .no domain. So now we know that this land of the midnight sun is also a hotbed of hackers! Who said headers are boring?

On to the next line, which has the name and email address of the sender:

    From: Vegbar Fubar
    Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 11 Apr 1997 18:09:53 GMT

I'm going to do some guessing here. This line says the computer gyllir.ifi.foobar.no got this email message from Vegbar Fubar on the computer "localhost". Now "localhost" is what a Unix computer calls itself. While in a Unix shell, try the command "telnet localhost". You'll get a login sequence that gets you right back into your own account. So when I see that gyllir.ifi.foobar.no got the email message from "localhost", I assume that means the sender of this email was logged into a shell account on gyllir.ifi.foobar.no, and that this computer runs Unix. I quickly test this hypothesis:

    > telnet gyllir.ifi.foobar.no
    Trying 129.xxx.64.230.
    Connected to gyllir.ifi.foobar.no.
    Escape character is '^]'.
    IRIX System V.4 (gyllir.ifi.foobar.no)

Now Irix is a Unix-type operating system for Silicon Graphics Inc. (SGI) machines. This fits with the name of the POP server software on ifi.foobar.no in the header, (950413.SGI.8.6.12/951211.SGI). So, wow, we are looking at a large network of Norwegian computers that includes SGI boxes. We could find out just how many SGI boxes with patience, scanning of neighboring IP addresses, and use of the Unix dig and nslookup commands.

Now you don't see SGI boxes just every day on the Internet. SGI computers are optimized for graphics and scientific computing. So I'm really tempted to learn more about this domain. Oftentimes an ISP will have a Web page that is found by directing your browser to its domain name. So I try out http://ifi.foobar.no. It doesn't work, so I try http://www.ifi.foobar.no. I get the home page for the University of Oslo Institutt for Informatikk. The Informatikk division has strengths in computer science and image processing. No wonder people with ifi.foobar.no get to use SGI computers.

Next I check out www.foobar.no and learn the University of Oslo has some 39,000 students. No wonder we find so many Internet host computers under the ifi.foobar.no domain!

But let's get back to this header. The next line is pretty simple, just the date:

    Date: Fri, 11 Apr 1997 18:09:53 GMT

But now comes the most fascinating line of all in the header, the message ID:

    Message-Id:

The message ID is the key to tracking down forged email. Avoiding the creation of a valid message ID is the key to using email for criminal purposes. Computer criminals go to a great deal of effort to find Internet hosts on which to forge email that will leave no trace of their activities through these message IDs.

The first part of this ID is the date and time. 199704111809 means 1997, April 11, 18:08 (or 6:08 PM). Some message IDs also include the time in seconds. Others may leave out the "19" from the year. The 13156 is a number identifying who wrote the email, and gyllir@ifi.foobar.no refers to the computer, gyllir within the domain ifi.foobar.no, on which this record is stored.

Where on this computer are the records of the identities of senders of email stored? Now Unix has many variants, so I'm not going to promise these records will be in a file of the same name in every Unix box. But often they will be in either the syslog files or /usr/spool/mqueue. Some sysadmins will archive the message IDs in case they need to find out who may have been abusing their email system. But the default setting for some systems, for example those using sendmail, is to not archive. Unfortunately, an Internet host that doesn't archive these message IDs is creating a potential haven for email criminals.

Now we will leave the University of Norway and move on to a header that hides a surprise.

    Received: from NIH2WAAF (mail6.foo1.csi.com [149.xxx.183.75]) by Fubarino.com (8.8.3/8.6.9) with ESMTP id XAA20854 for ; Sun, 27 Apr 1997 23:07:01 GMT
    Received: from CISPPP - 199.xxx.193.176 by csi.com with Microsoft SMTPSVC; Sun, 27 Apr 1997 22:53:36 -0400
    Message-Id:
    X-Sender: cmeinel@fubar.com
    X-Mailer: Windows Eudora Pro Version 2.2 (16)
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"
    To: galfina@Fubarino.com
    From: "Carolyn P. Meinel"
    Subject: Sample header
    Date: 27 Apr 1997 22:53:37 -0400

Let's look at the first line:

    Received: from NIH2WAAF (mail6.foo1.csi.com [149.xxx.183.75]) by Fubarino.com (8.8.3/8.6.9) with ESMTP id XAA20854 for ; Sun, 27 Apr 1997 23:07:01 GMT

This first line tells us that it was received by the email account galfina@Fubarino.com. That's the "for" part. The Internet host computer that sent the email to galfina was mail6.foo1.csi.com [149.xxx.183.75]. This computer name is given first in a form easily (ha, hah!) read by humans, followed by the version of its name that a computer can more easily translate into the 0s and 1s that computers understand.

Galfina is my user name. I chose it in order to irritate G.A.L.F. (Gray Areas Liberation Front).

Fubarino.com (8.8.3/8.6.9) is the name of the computer that received the email for my galfina account. But notice it is a very partial computer name. All we get is a domain name and not the name of the computer from which I download my email. We can guess that Fubarino.com is not the full name because Fubarino is a big enough ISP to have several computers on a LAN to serve all its users
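A parser for the two Received-line shapes shown in the second header above (the sendmail "from A (name [ip]) by B" form and the Microsoft SMTPSVC "from A - ip by B" form), plus a decoder for the date-and-time prefix of a message ID that the text describes, as an added example that is not part of the original text. The sample header is constructed from the second header above; the recipient the text lost with its angle brackets is a placeholder, and the "xxx" octets are kept as the text gives them.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the second header in the text; the recipient,
# lost from the text with its angle brackets, is a placeholder.
SAMPLE = (
    "Received: from NIH2WAAF (mail6.foo1.csi.com [149.xxx.183.75]) by Fubarino.com"
    " (8.8.3/8.6.9) with ESMTP id XAA20854 for <galfina@Fubarino.com>;"
    "\n\tSun, 27 Apr 1997 23:07:01 GMT\n"          # folded continuation line
    "Received: from CISPPP - 199.xxx.193.176 by csi.com with Microsoft SMTPSVC;"
    " Sun, 27 Apr 1997 22:53:36 -0400\n")

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"   # name the sending host announced
    r"(?:\s+\((?P<rdns>[^)]*)\))?"         # sendmail form: "(name [ip])"
    r"(?:\s+-\s+(?P<ip>\S+))?"             # Microsoft SMTPSVC form: "- ip"
    r".*?\sby\s+(?P<by>\S+)"               # host that wrote this line
    r".*?;\s*(?P<date>.+?)\s*$", re.I | re.S)

def parse_received(line):
    """Return (announced name, ip or None, receiving host, datetime) or None."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    ip = m["ip"]
    if ip is None and m["rdns"]:           # sendmail puts the address in [brackets]
        bracket = re.search(r"\[([^\]]+)\]", m["rdns"])
        ip = bracket.group(1) if bracket else None
    return m["helo"], ip, m["by"], parsedate_to_datetime(m["date"])

def parse_header(raw):
    lines = re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()   # unfold continuations
    # Every host prepends its own line, so the bottom line is the first hop.
    return [h for h in map(parse_received, lines) if h][::-1]

def message_id_time(mid):
    """Decode the leading YYYYMMDDHHMM[SS] or YYMMDDHHMM stamp the text describes."""
    digits = re.match(r"<?(\d*)", mid.strip()).group(1)
    formats = {14: ["%Y%m%d%H%M%S"], 12: ["%Y%m%d%H%M", "%y%m%d%H%M%S"], 10: ["%y%m%d%H%M"]}
    for fmt in formats.get(len(digits), []):
        try:
            return datetime.strptime(digits, fmt)
        except ValueError:
            continue
    return None

def check_chain(hops, skew=timedelta(minutes=5)):
    """(host, earlier host, seconds) for each hop stamped before the one preceding it."""
    return [(cur[2], prev[2], int((prev[3] - cur[3]).total_seconds()))
            for prev, cur in zip(hops, hops[1:]) if cur[3] + skew < prev[3]]
```

On the sample, check_chain reports Fubarino.com's stamp as 13595 seconds (about 3 hours 46 minutes) before csi.com's, because 22:53 at -0400 is 02:53 GMT the next day; two servers disagreeing by that much in an otherwise legitimate message usually means a wrong clock or zone offset, so treat it as a lead to verify rather than proof of forgery.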

