IP forensics

Receiving a message from your friend joe.average@webmail.com is often evidence enough that it was Joe Average with an account at webmail.com who sent you the email. Unfortunately this may be untrue as sender's credentials can easily be faked on the Internet.


Exercise: send yourself a spoofed email from http://emkei.cz/

email spoofing


Sending a fake email is possible since the SMTP protocol (the technical standards that route email on the Internet) require a valid TO: address but do not really care about where the email is FROM. The sender's name and address can be easily faked. As explained in the video, the only way to find out who had really sent you the emaill address is to inspect the message's headers (in Gmail this is called 'Show Original' and is accessible under the 'More' drop-down menu to the top right-hand corner of the message).


Delivered-To: dmitri@vitaliev.info Received: by 10.220.151.69 with SMTP id b5csp114879vcw; Sun, 28 Oct 2012 20:05:50 -0700 (PDT) Received: by 10.14.216.193 with SMTP id g41mr47392166eep.37.1351479949985; Sun, 28 Oct 2012 20:05:49 -0700 (PDT) Return-Path: <joe.average@webmail.com> Received: from emkei.cz ([2a01:5e0:36:5001::20]) by mx.google.com with ESMTP id z46si13229132eeo.136.2012.10.28.20.05.49; Sun, 28 Oct 2012 20:05:49 -0700 (PDT) Received-SPF: neutral (google.com: 2a01:5e0:36:5001::20 is neither permitted nor denied by best guess record for domain of joe.average@webmail.com) client-ip=2a01:5e0:36:5001::20; Authentication-Results: mx.google.com; spf=neutral (google.com: 2a01:5e0:36:5001::20 is neither permitted nor denied by best guess record for domain of joe.average@webmail.com) smtp.mail=joe.average@webmail.com Received: by emkei.cz (Postfix, from userid 33) id 8423ED5A2D; Mon, 29 Oct 2012 04:05:48 +0100 (CET) To: dmitri@vitaliev.info Subject: long time no see From: "Joe Average" <joe.average@webmail.com> X-Priority: 3 (Normal) Importance: Normal Errors-To: joe.average@webmail.com Reply-To: joe.average@webmail.com Content-Type: text/plain; charset=utf-8 Message-Id: <20121029030548.8423ED5A2D@emkei.cz> Date: Mon, 29 Oct 2012 04:05:48 +0100 (CET)

Reading the message from the bottom up, look for telling signs of the real server where the message was sent from. You will see right away that this particular email is being sent from the @emkei.cz domain and not webmail.com

There are more sophisticated ways to spoof an email message, whereby the fake domain will not be disclosed. However, the headers will always contain the IP address of the server used to send the message from.

You will need to use the online IP validation and tracing tools mentioned above to verify who owns those addresses and whether the email sender is likely to be using one of those addresses. For example, if you friend is located in the Czech Republic and the sender's IP address is registered in Australia – it could be a hoax, or your friend could be on vacation.

IP Forensics

As discussed in Lesson 2, every user on the Internet and every website is identified by a unique IP address. This address is assigned to a user by their Internet Service Provider and may change as the user shifts from one Internet location to another. A website usually maintains the same IP address – and this is linked to its name and listed in the DNS records.

An IP address can usually be traced to a geographic location or to an Internet Service Provider that owns this particular address or subset of addresses.

Exercise:

  1. Go to http://hostip.info to view your current IP address and location.
  2. Type in the name of a website into the given search box to view this website's IP address and the location of the server it is hosted on.
  3. View the IP owner's information in the RIPE Internet Registry database https://apps.db.ripe.net/search/query.html.

You can also route the path taken on the Internet to reach a desired IP address (and therefore find its country of origin) from http://whatismyipaddress.com/traceroute-tool or http://www.yougetsignal.com/tools/visual-tracert/

Exercise: Install the Firefox web browser and the http://toolbar.netcraft.com/ toolbar to easily view a website's physical location.

Last modified on 27 May 2014, at 20:03