AOL EMail Headers.... Need Help Please.

  1. #1
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)

    AOL EMail Headers.... Need Help Please.

    Ok.... The situation:

    I am helping a friend try to determine the perpetrator of some fairly heavy duty harassment of her family's company. The harassment goes as far as emailing the payroll files of the company to every employee - that's why I call it "heavy duty".

    The suspicion was that it was a terminated employee but I am beginning to have second thoughts about that. The perpetrator has used different "free" email addresses from Yahoo, Hotmail and Netscape so the impression I had was that they weren't entirely stupid.

    I got my hands on a couple of email headers sent from the Netscape address which indicate that the AOL system was used, (Netscape = AOL). There is a header line that reads:-

    X-AOL-IP: XXX.XXX.XXX.XXX

    I have searched around and can find no definitive answer as to what this is. My guess is that it is the IP address that sent the mail originally but the questions I have are:-

    1. Does this mean that the original account is an AOL account, (Dial in to AOL - go to Netscape and send the message), or is this just any address on the net that the email was received from regardless of who the ISP is.
    2. Can this be forged easily or even with difficulty, (I don't mean use a proxy I mean forged)?

    The reason I need to know this is because one of the two addresses is in California and the other is in Jordan..... Yet the suspicion is that the perpetrator _has_ to be in Pennsylvania since some of the files being emailed are unavailable online and a scan of the website indicates a fairly well protected server.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Senior Member Info Tech Geek (Join Date: Jan 2003, Location: Vernon, CT, Posts: 828)
    1. Does this mean that the original account is an AOL account, (Dial in to AOL - go to Netscape and send the message), or is this just any address on the net that the email was received from regardless of who the ISP is.

    Most likely if the IP address is registered to AOL (ARIN REGISTRY) then the user is logged into AOL during the action. I think you should record the IP ADDRESS, DATES, and EXACT TIMES.. Forward these with your problem and copies of the headers to AOL under their TOS subject to boot the user off the ISP.

    Also, keep records for processing criminal action. Record every single e-mail coming in and out regarding this subject.

    2. Can this be forged easily or even with difficulty, (i don't mean use a proxy I mean forged)?

    You can forge a name or an account, but you cannot forge all the data in the header file. That is why it is required in all complaints.

  3. #3
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Info: Nope, they aren't registered to AOL..... They are registered to PacBell in the California instance and LINKdotNET, Amman, Jordan in the other case......

    Either way then, this is not your average pi$$ed off clerical worker managing the harassment of this company, is it?...... At the minimum they are using open proxies.... Funnily enough the Jordan address hosts an unrelated company's web site.... I'm tempted to scan it for an open proxy right now.......

  4. #4
    Senior Member Info Tech Geek (Join Date: Jan 2003, Location: Vernon, CT, Posts: 828)
    So, what you're saying is, this individual is using host boxes as their method of distributing the information, in the same way a spammer would?

    If I get this straight, you expect the individual to possibly be from PA, but you are confused because the distributed data is coming from different e-mail addresses and different countries' ISPs. Could it be that either the individual has access to these systems and he is using them as a method to cover his (ask me about it), or could he have other people sending out the data for him?

    I mean, I can offer as much assistance as I can. I just need to get a clear idea of what is going on. I have a decent background in investigations and forensics.

  5. #5
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    OK..... 12/1/03 was a great example 'cos the harasser screwed up and sent a wrong file, noticed the problem and resent the message again.

    Message 1 header:

    Received: from imo-d01.mx.aol.com ([205.188.157.33]) by theirdomain.com with Microsoft SMTPSVC(5.0.2195.4905);
    Mon, 1 Dec 2003 12:44:07 -0500
    Received: from xxxxxxxxxxxxxxxxxx@netscape.net
    by imo-d01.mx.aol.com (mail_out_v36_r1.1.) id t.101.b82077d (16238);
    Mon, 1 Dec 2003 12:44:02 -0500 (EST)
    Received: from netscape.net (mow-m09.webmail.aol.com [64.12.184.137]) by air-in03.mx.aol.com (v97.8) with ESMTP id MAILININ32-3f6e3fcb7de133; Mon, 01 Dec 2003 12:44:01 -0500
    Date: Mon, 01 Dec 2003 12:44:01 -0500
    From: xxxxxxxxxxxxxxxxxx@netscape.net
    To: xxxxxxxxxxxxxxxxxx etc.
    Subject: X's Manifesto
    MIME-Version: 1.0
    Message-ID: <28F210D4.22DD7F65.XXXXXXXX@netscape.net>
    X-Mailer: Atlas Mailer 2.0
    X-AOL-IP: XXX.XXX.XXX.XXX
    Content-Type: multipart/mixed; boundary=-------2914683c22ffd6cd2914683c22ffd6cd
    Content-Transfer-Encoding: 8bit
    Return-Path: xxxxxxxxxxxxxxxxxx@netscape.net
    X-OriginalArrivalTime: 01 Dec 2003 17:44:07.0789 (UTC) FILETIME=[B86331D0:01C3B832]

    The X-AOL-IP address is in California registered to PacBell.net.

    Message 2 Header:

    Received: from imo-d02.mx.aol.com ([205.188.157.34]) by Theirdomain.com with Microsoft SMTPSVC(5.0.2195.4905);
    Mon, 1 Dec 2003 13:18:47 -0500
    Received: from xxxxxxxxxxxxxxxxxx@netscape.net
    by imo-d02.mx.aol.com (mail_out_v36_r1.1.) id t.1b4.8cddc46 (16215);
    Mon, 1 Dec 2003 13:18:34 -0500 (EST)
    Received: from netscape.net (mow-m07.webmail.aol.com [64.12.184.135]) by air-in01.mx.aol.com (v97.8) with ESMTP id MAILININ13-3f573fcb85b83c9; Mon, 01 Dec 2003 13:17:28 -0500
    Date: Mon, 01 Dec 2003 13:18:33 -0500
    From: xxxxxxxxxxxxxxxxxx@netscape.net
    To: xxxxxxxxxxxxxxxxxx etc +1
    Subject: X's Manifesto Oops i did it again
    MIME-Version: 1.0
    Message-ID: <4FA691F0.1787A051.XXXXXXXX@netscape.net>
    X-Mailer: Atlas Mailer 2.0
    X-AOL-IP: XX.XX.XXX.XX
    Content-Type: multipart/mixed; boundary=-------4fc97c3817aa8a994fc97c3817aa8a99
    Content-Transfer-Encoding: 8bit
    Return-Path: xxxxxxxxxxxxxxxxxx@netscape.net
    X-OriginalArrivalTime: 01 Dec 2003 18:18:47.0429 (UTC) FILETIME=[8FF31350:01C3B837]

    The X-AOL-IP is in or near Amman, Jordan, registered to a domain other than AOL.

    Note that these two headers, while only being 30 minutes apart are identical for the most part.... Notable changes, (ignoring the fact that it may have been routed through AOL/Netscape differently), are the originating IP Address and the fact that on the second email he added one other person to the recipient list.

    I believe the same person sent both emails but it seems to me like they are switching proxies or something so that the originating IP is not trackable. I NMapped both addresses and they both have numerous ports open including proxied http and socks proxy so it is highly likely that these machines are either open proxies, open relays or, frankly, owned boxes.

    The knowledge and ability required to carry out this kind of deception means it is highly likely that no-one past or present in the company has the ability to carry this off alone.

    The thing I really need other people's feeling on at this point is:

    I'm dealing with someone who knows _exactly_ what they are doing aren't I? I'm not just misreading or misinterpreting something - this person knows how to hide. Am I right?

  6. #6
    Senior Member Info Tech Geek (Join Date: Jan 2003, Location: Vernon, CT, Posts: 828)
    Message 1:

    Received: from imo-d01.mx.aol.com ([205.188.157.33]) -AOL-
    Mon, 1 Dec 2003 12:44:07 -0500
    Received: from netscape.net (mow-m09.webmail.aol.com [64.12.184.137]) -AOL-

    Message 2:

    Received: from imo-d02.mx.aol.com ([205.188.157.34]) -AOL-
    Mon, 1 Dec 2003 13:18:47 -0500
    Received: from netscape.net (mow-m07.webmail.aol.com [64.12.184.135]) -AOL-

    NetRange: 205.188.0.0 - 205.188.255.255
    NetName: AOL-DTC

    NetRange: 64.12.0.0 - 64.12.255.255
    NetName: AOL-MTC

    They are being sent and routed via AOL.

  7. #7
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Info: Yeah, I got that. But you can log into AOLmail/Netscape/Compuserve etc, (they are all the same system as witnessed by the X-MAILER: Atlas Mailer 2.0 line which is AOL's backend mailer), from any IP address worldwide and send email, it will eventually go through AOL servers for final delivery.

    They just received two more emails today. The headers indicate originating addresses in Tucson and back in California. The Tucson IP has an Aerospace company web page and all.... Along with port 3128 open - Squid Proxy. The other one appears dead to NMap but it appears on a lot of open proxy lists according to Google.

    This confirms what I thought about the perpetrator, (or at least the person helping them). He/she is something of an anonymity "professional" and is taking great care, (3 different, untraceable email addresses and at least five IP addresses, four of which have all the characteristics of proxies, (appropriate ports are open)).
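As an added illustration (not code from the thread or from any poster), here is a small Python walk over a header modelled on Message 1 in post #5: it lists the Received hops oldest-first, pulls out X-AOL-IP, and checks an address against the AOL net ranges from the ARIN lookup in post #6. The mailbox and the X-AOL-IP value are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the "Message 1" header quoted in the thread;
# the mailbox and the X-AOL-IP (an RFC 5737 documentation address) are placeholders.
SAMPLE_HEADER = """\
Received: from imo-d01.mx.aol.com ([205.188.157.33]) by theirdomain.com with Microsoft SMTPSVC(5.0.2195.4905);
 Mon, 1 Dec 2003 12:44:07 -0500
Received: from redacted@netscape.net
 by imo-d01.mx.aol.com (mail_out_v36_r1.1.) id t.101.b82077d (16238);
 Mon, 1 Dec 2003 12:44:02 -0500 (EST)
Received: from netscape.net (mow-m09.webmail.aol.com [64.12.184.137]) by air-in03.mx.aol.com (v97.8) with ESMTP id MAILININ32-3f6e3fcb7de133; Mon, 01 Dec 2003 12:44:01 -0500
Date: Mon, 01 Dec 2003 12:44:01 -0500
From: redacted@netscape.net
X-Mailer: Atlas Mailer 2.0
X-AOL-IP: 192.0.2.10
Message-ID: <28F210D4.22DD7F65.XXXXXXXX@netscape.net>

(body omitted)
"""

# AOL net ranges as returned by the ARIN lookup quoted in post #6.
AOL_RANGES = [ipaddress.ip_network("205.188.0.0/16"),
              ipaddress.ip_network("64.12.0.0/16")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

def received_chain(raw):
    """Received hops oldest-first as (receiving server, bracketed sender IP or None).
    Only the hop stamped by the recipient's own server is fully trustworthy;
    each earlier hop is attested by the server that added it and may have been
    forged by whoever controlled the machine upstream of it."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        by = BY_RE.search(flat)
        ip = IP_RE.search(flat)
        hops.append((by.group(1) if by else None, ip.group(1) if ip else None))
    return hops

def webmail_origin(raw):
    """X-AOL-IP is the client address the webmail session came from, as seen by
    AOL's front end; it may be an open proxy rather than the sender's own machine."""
    return message_from_string(raw).get("X-AOL-IP")

def inside_aol(ip):
    """True when an address falls inside the AOL ranges above, i.e. it is AOL
    infrastructure rather than an external client or proxy."""
    return any(ipaddress.ip_address(ip) in net for net in AOL_RANGES)
```

Running the Message 2 header through the same functions shows what post #5 observes: the AOL hops and X-Mailer stay the same while only X-AOL-IP changes.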

  8. #8
    Senior Member (Join Date: Oct 2003, Posts: 234)
    Originally posted here by Info Tech Geek
    You can forge a name or an account, but you cannot forge all the data in the header file. That is why it is required in all complaints.
    I have tried forging E-Mails before on my own box, just to see if I was vulnerable (I have Microsoft IIS), and have been able to forge many things in the header, including but not limited to the Message-ID, Date, and Arrival Time. I have been able to produce an E-Mail that appears to be sent from M$ Outlook in every fashion, except for the fact that nearly all the header data has been forged. The Received... header is not so easily forged, though, since every server the message goes through will attach one. So, you can never really be sure if a certain field has been forged, but you can usually tell which servers it travelled through. I'm not sure if this works for other mail servers, however, so I may be way off base. Please correct me if I am.

  9. #9
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Republican: Thanks......

    I'm pretty firmly set in my thought that I'm right..... This person is pretty good at hiding themselves. What pisses me off is that I'm going to lose this one..... He's a moving target that I don't see until after he's gone..... Thus there is no way I'm going to hit him....

    I guess I'll pop him an email complimenting him on his skill to see if I can elicit a response..... Probably not..... He knows better I think.....

    Anyone else got any ideas on how to set a trap for a target that is never where he's supposed to be?

  10. #10
    Senior Member (Join Date: Jun 2003, Posts: 723)
    Your best bet, although it has a slim chance, is probably to bait the person and try and strike up a friendship (compliments, unimportant questions, build trust, stroke the ego... then very subtle questions). It could take some time and effort, but anything is possible. If it is a bitter employee then play along that you are pissed at the people also. Misery loves company and everyone has an ego.
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots
