s. has become a primary means of communication. can easily be forged. can be abused

Transcription

1 s has become a primary means of communication. can easily be forged can be abused Spam Aid in committing a crime Threatening ,

2 Challenges to Authenticity Origin & Sender of the Party refutes the s, allege forgery IP Address of sender matches, still the party refute the s Sender accept the mail but challenge attachments coming from Proxy Server

3 tracing Study of Identifying the source system domain, IP Address Tracing the sender Date/time of sending Message / contents Locate the source of & its sender

4 Protocols: program such as outlook is a client application. Needs to interact with an server: Post Office Protocol (POP) Internet Message Access Protocol (IMAP) Simple Mail Transfer Protocol: SMTP

5 Protocols: Post Office Service Protocol Characteristics Stores only incoming messages. Stores all messages Web-based send and receive. POP IMAP MS MAPI Lotus Notes HTTP Investigation must be at the workstation. Copies of incoming and outgoing messages might be stored on the workstation or on the server or on both. Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation. Easy to spoof identity.

6 Client based s

7 Web based s

8 sending mail to

9 SMTP SMTP, SMTP. POP3 or IMAP4 Rediff Server Internet Gmail Server Naresh Ram SMTP SMTP POP3/IMAP C1 HCU HYD BITS Goa C2

10 HYD Lucknow Jaipur Delhi Rediff Mail SMTP Server 2 SMTP Server 3 Gmail HCU CBI Naresh Ram

11 Click On Click On This Down Arrow

12 Click on Show Original Window Showing Full Header Appears

13 X-Remote-IP: X-REDF-OSEN: Date: 6 Jul :09: Message-ID: < qmail@f4mail rediffmail.com> MIME-Version: 1.0 To: "cyber.nk@gmail.com" <cyber.nk@gmail.com> 3 Received: from unknown by rediffmail.com via HTTP; 06 Jul :09: X-Senderscore: D=0&S=0 Sender: naresh3151@rediffmail.com 1 Subject: =?utf-8?b?twfpbcbmb3igsgvhzgvyiefuywx5c2lz?= From: "Naresh Kumar" <naresh3151@rediffmail.com> Content-Type: multipart/alternative; boundary="=_bbc614545e533ca7186fc46b513e40f5" --=_bbc614545e533ca7186fc46b513e40f5 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="utf-8" Hi This mail is for testing purpose only. --=_bbc614545e533ca7186fc46b513e40f5 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset="utf-8" Hi<br><br>This mail is for testing purpose only.<br><br><br><br> --=_bbc614545e533ca7186fc46b513e40f

14 Delivered-To: 6 Received: by with SMTP id 7csp649857ivj; Tue, 5 Jul :09: (PDT) X-Received: by with SMTP id m24mr pfi ; Tue, 05 Jul :09: (PDT) Return-Path: <naresh3151@rediffmail.com> Received: from rediffmail.com (f4mail rediffmail.com. [ ]) 5 by mx.google.com with ESMTPS id 15si pfx for <cyber.nk@gmail.com> (version=tls1_2 cipher=aes128-gcm-sha256 bits=128/128); Tue, 05 Jul :09: (PDT) Received-SPF: pass (google.com: domain of naresh3151@rediffmail.com designates as permitted sender) client-ip= ; Authentication-Results: mx.google.com; spf=pass (google.com: domain of naresh3151@rediffmail.com designates as permitted sender) smtp.mailfrom=naresh3151@rediffmail.com Received: (qmail invoked by uid 510); 6 Jul :09: Comment: DomainKeys? See DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=redf; d=rediffmail.com; b=jowwdtsl1llu/9tohon/wlscr8zlpxrmyrmaekyhotuauoblwt9klutujtosvj4zcezid8yol5nwqzjilqotyas5aozk974gh3uj Wh5QPJoZsbx9+e8h6lAAJUwgpyOw85s+YEUVbXyaBsotwzUjxkYZWLEKWGTTBerxqZaaPPI= ; x-m-msg: asd54ad564ad7aa6sd5as6d5; a6da7d6asas6dasd77; 5dad65ad5sd;

15 In this example, we have sent an from to 1. Sender: This represent the name and address of the person who send the Received: from unknown by rediffmail.com via HTTP; 06 Jul :09: This is probably the most vital part of the header from investigation point of view. It represents us that - The was sent from a computer having IP address The was sent on 06 Jul :09:15 (GMT).

16 3. To: This represent the name and address of the receiver. Contd 4. Message-ID: Message ID can be broken into the following parts: : Represent the time stamp of the in yyyymmddhhmmss format : This number is the reference number that represents the corresponding which is unique.

17 Contd 5. Received: from rediffmail.com (f4mail rediffmail.com. [ ]) by mx.google.com with ESMTPS id 15si pfx for (version=tls1_2 cipher=aes128-gcm-sha256 bits=128/128); Tue, 05 Jul :09: (PDT) This represent that the was received by an SMTP server at Google Called mx.google.com from Rediffmail server at the given date and time that has the IP Address

18 6. Delivered-To: Contd This shows that the was delivered to the account You have noticed that time and date in the above examples have been mentioned as 06 Jul :09: It means that the time mentioned above i.e. 06:09:15 is in GMT which is 0000 hours. IST time is 05:30 hours ahead of GMT. To calculate time in IST, add 05:30 hours to make it IST.

19 What are we looking for? ? Verification of IP addresses: Regional Internet Registry APNIC (Asia Pacific Network Information Centre). ARIN (American Registry of Internet Numbers). LACNIC Latin American and Caribbean IP address Regional Registry. RIPE NCC (Réseau IP Européens Network Coordination Centre). Whois (whois.apnic.net) Numerous other websites. The best

20 Whois IP % [whois.apnic.net] % Whois data copyright terms % Information related to ' ' inetnum: netname: BHARTI-IN Descr: Bharti Airtel Limited descr: Transport Network Group descr: 234, Okhla Phase III country: IN admin-c: NA40-AP tech-c: NA40-AP status: ALLOCATED NON-PORTABLE mnt-by: MAINT-IN-BBIL mnt-irt: IRT-BHARTI-IN source: APNIC

21 Fake mails We have seen a general flow How do you identify fake mails

22

23 1. From: "Naresh Kumar" 2. Received: from emkei.cz ([2a01:5e0:36:5001::20]) by mx.google.com with ESMTP id uy1si wjb for Tue, 05 Jul :14: (PDT) 3. Delivered-To: 4. Message-Id: Wed, 6 Jul :18: (CEST) Server of Rediffmail is Missing Emkei Server Internet Gmail Server Naresh Ram

24 They are sent using Open relays Compromised systems Self owned servers Proxy Server Hijacked accounts

25 Proxy Gmail Internet Naresh Internet Internet Internet Ram Rediff

26 NeoTracePro Visual IP Trace Visual Route Tracker Pro tracer (from CDAC, India)