I've spent the week looking at email headers and figuring out just how much information can be gleaned from them. To solicit an email from the target, a bounce email could be sent: that's where an email is sent to a known bad address on the target domain in order to receive an NDR. Depending on the system in question, the headers of an NDR will contain some useful juicy info; it depends on how much the admin has locked down the system, as it is possible to exclude the network topology. Or you can send to a known good address and hope for a reply. It is also possible to forge parts of the email header; I'll cover that in a separate post.
Below is a standard header from an email sent out by Microsoft regarding Security Bulletins. First let's look at the header before we dissect it.
Microsoft Mail Internet Headers Version 2.0
Received: from mail83.messagelabs.com ([195.245.231.83]) by InternalMailServer.adomain.co.uk with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 29 Aug 2007 21:34:25 +0100
X-VirusChecked: Checked
X-Env-Sender: Microsoft@newsletters.microsoft.com
X-Msg-Ref: server-10.tower-83.messagelabs.com!1188419662!42820977!1
X-StarScan-Version: 5.5.12.14.2; banners=-,-,adomain.co.uk
X-Originating-IP: [207.46.248.41]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG,
UPPERCASE_25_50
Received: (qmail 12350 invoked from network); 29 Aug 2007 20:34:22 -0000
Received: from delivery2.pens.microsoft.com (HELO delivery2.pens.microsoft.com) (207.46.248.41)
by server-10.tower-83.messagelabs.com with SMTP; 29 Aug 2007 20:34:22 -0000
Received: from TK2MSFTDDSQ16 ([10.40.249.23]) by delivery2.pens.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 29 Aug 2007 13:34:21 -0700
Thread-Topic: Microsoft Security Bulletin Minor Revisions
thread-index: Acfqe/rmKWoBBju4SVuJfVqKEPkgrg==
Reply-To: "Microsoft" <20_82825_tzyyvxkag0ov6+9tfqfqkq@newsletters.microsoft.com>
From: "Microsoft"
To:
Subject: Microsoft Security Bulletin Minor Revisions
Date: Wed, 29 Aug 2007 13:34:21 -0700
Message-ID: <5d9601c7ea7b$fae90480$17f9257a@phx.gbl>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
Return-Path: Microsoft@newsletters.microsoft.com
X-OriginalArrivalTime: 29 Aug 2007 20:34:21.0513 (UTC) FILETIME=[FAEE0B90:01C7EA7B]
Firstly, headers are often read from the bottom up. This way you can identify the path the message took to get to the destination.
1. Thread-Topic: Microsoft Security Bulletin Minor Revisions
2. thread-index: Acfqe/rmKWoBBju4SVuJfVqKEPkgrg==
3. Reply-To: "Microsoft" <20_82825_tzyyvxkag0ov6+9tfqfqkq@newsletters.microsoft.com>
4. From: "Microsoft"
5. To:
6. Subject: Microsoft Security Bulletin Minor Revisions
7. Date: Wed, 29 Aug 2007 13:34:21 -0700
8. Message-ID: <5d9601c7ea7b$fae90480$17f9257a@phx.gbl>
9. MIME-Version: 1.0
10. Content-Type: text/plain;
11. charset="iso-8859-1"
12. Content-Transfer-Encoding: 7bit
13. X-Mailer: Microsoft CDO for Windows 2000
14. Content-Class: urn:content-classes:message
15. Importance: normal
16. Priority: normal
17. X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
18. Return-Path: Microsoft@newsletters.microsoft.com
19. X-OriginalArrivalTime: 29 Aug 2007 20:34:21.0513 (UTC) FILETIME=[FAEE0B90:01C7EA7B]
I will pick out the interesting information that may be of use to an inquisitive person or an attacker.
Line 18 displays the email address of the sender.
Line 17 displays details of the software used to create the message.
Line 13 details software that the message passed through, in this case CDO for Windows 2000. It's important to note that CDOSYS.dll has had vulnerabilities that allow remote code execution. Also, it may indicate that this server is running Windows 2000.
Line 8 details the Message-ID. This ID is unique to the message and can be used to track the message with the Message Tracking service.
Lines 7, 6, 5, 4 and 3 detail the time the message was sent, the subject, where the reply will go and who the email was to. Also note that we have picked up a possible username (Microsoft) and sub-domain (newsletters.microsoft.com) here.
The next part of the header gives us some interesting information.
Received: from TK2MSFTDDSQ16 ([10.40.249.23]) by delivery2.pens.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 29 Aug 2007 13:34:21 -0700
This information seems to tell us that an internal mail server at Microsoft (TK2MSFTDDSQ16 ([10.40.249.23])) sends to what is probably a mail gateway (delivery2.pens.microsoft.com) with the IP address 207.46.248.41, running Microsoft SMTPSVC(6.0.3790.1830), which after some googling around appears to be Microsoft 2003 Advanced Edition SP 2. A useful site for finding information on a particular file and version (in this case SMTPSVC.dll) is www.fileproperties.com. I'm looking for other sites and methods to validate this also.
By Googling the internal server name TK2MSFTDDSQ16 and then amending it slightly to TK2MSFTDDSQ17 & TK2MSFTDDSQ18 you are able to discover other internal servers and IP addresses from headers sent to other people.
The next part of the header also gives us some interesting information.
1. X-VirusChecked: Checked
2. X-Env-Sender: Microsoft@newsletters.microsoft.com
3. X-Msg-Ref: server-10.tower-83.messagelabs.com!1188419662!42820977!1
4. X-StarScan-Version: 5.5.12.14.2; banners=-,-,adomain.co.uk
5. X-Originating-IP: [207.46.248.41]
6. X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG,
UPPERCASE_25_50
7. Received: (qmail 12350 invoked from network); 29 Aug 2007 20:34:22 -0000
8. Received: from delivery2.pens.microsoft.com (HELO delivery2.pens.microsoft.com) (207.46.248.41)
by server-10.tower-83.messagelabs.com with SMTP; 29 Aug 2007 20:34:22 -0000
Line 8 shows that delivery2.pens.microsoft.com sent the message to server-10.tower-83.messagelabs.com. This is not the target network, which is indicative of the use of a filtering service (MessageLabs, evident from the next lines also). We also see from the timestamp that the filtering service and the sender are in different time zones. Also, if encryption were in use we would expect to see ESMTP used as opposed to SMTP.
Line 7 shows that MessageLabs is using qmail, a popular SMTP server. According to Secunia, qmail has unpatched remote code execution vulnerabilities.
Line 6 displays the spam filter settings and how the sent message rated against those filter settings.
Line 4 details the scanning software in use and the version number (StarScan-Version: 5.5.12.14.2).
Line 1 tells us that the message was checked for viruses also by MessageLabs.
And lastly, the headers tell us about the recipient's network.
1. Microsoft Mail Internet Headers Version 2.0
2. Received: from mail83.messagelabs.com ([195.245.231.83]) by InternalMailServer.adomain.co.uk with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 29 Aug 2007 21:34:25 +0100
Line 2 tells us that MessageLabs' external server (mail83.messagelabs.com ([195.245.231.83])) sent the message to InternalMailServer.adomain.co.uk (an internal server name), which is running SMTPSVC(6.0.3790.3959), the version used in Exchange 2003.
What's also very useful to note here is that the AD domain name for this domain is adomain.co.uk, which is the root of the entire network that the sender must authenticate to in order to gain access to network resources.
From this I would assume the following mail routing environment.
Sender -> Internal Mail Server -> Mail Gateway -> Filtering Service for Recipient -> Recipient Mail Server -> Recipient
So to recap we have found the following:
- Network topologies and geographic information
- Mail client software in use
- Server versions and Service pack levels
- SMTP server versions
- Encryption levels
- Mail Filtering settings
- Software in use in the mail route
- Internal server names and IP Addressing schemes
- External server names and IP Addresses
- Root domain name
- Subdomains
- Possible usernames
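A defender can turn the bottom-up reading used throughout this post into a check of their own outbound mail. The Python below is an added example, not code from the original post: it parses the Received chain of a constructed sample built from the headers quoted above, walks it origin-first, draws the route the way the post does, and lists what each hop discloses (private addresses, unqualified internal hostnames, software builds, hops with no TLS indicated). It also handles the qmail-style and TLS-relay Received lines shown on the page; the findings wording and the sample's Subject line are my own.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the post's Received chain trimmed to its hops, folded as an MTA writes it.
SAMPLE = """\
Received: from mail83.messagelabs.com ([195.245.231.83]) by InternalMailServer.adomain.co.uk with Microsoft SMTPSVC(6.0.3790.3959);
 Wed, 29 Aug 2007 21:34:25 +0100
Received: (qmail 12350 invoked from network); 29 Aug 2007 20:34:22 -0000
Received: from delivery2.pens.microsoft.com (HELO delivery2.pens.microsoft.com) (207.46.248.41)
 by server-10.tower-83.messagelabs.com with SMTP; 29 Aug 2007 20:34:22 -0000
Received: from TK2MSFTDDSQ16 ([10.40.249.23]) by delivery2.pens.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
 Wed, 29 Aug 2007 13:34:21 -0700
Subject: header hygiene check

"""

OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = re.compile(rf"\b((?:{OCTET}\.){{3}}{OCTET})\b")   # only well-formed dotted quads
COMMENT = re.compile(r"(?:^|\s)\([^()]*\)")            # " (HELO x)" comments, not "SMTPSVC(6.0...)"

def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_received(value):  # one Received: clause -> from/ip/by/with/date plus what it discloses
    text = re.sub(r"\s+", " ", value).strip()                    # unfold continuation lines
    clause, _, date = text.rpartition(";") if ";" in text else (text, "", "")
    bare = COMMENT.sub("", clause)                               # keywords are parsed with comments removed
    hop = {"from": _field(r"\bfrom\s+(\S+)", bare), "by": _field(r"\bby\s+(\S+)", bare),
           "with": _field(r"\bwith\s+(.+)$", bare), "date": date.strip(),
           "ip": _field(IPV4.pattern, clause.split(" by ")[0]),  # client side of the hop only
           "tls": bool(re.search(r"\bTLS\b|ESMTPS", clause)), "findings": []}
    if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_private:
        hop["findings"].append(f"private address {hop['ip']} leaked")
    if hop["from"] and "." not in hop["from"]:
        hop["findings"].append(f"unqualified internal hostname {hop['from']} leaked")
    ver = re.search(r"\((\d+(?:\.\d+)+)\)", hop["with"] or "")
    if ver:
        hop["findings"].append(f"software build {ver.group(1)} disclosed")
    if hop["from"] and not hop["tls"]:
        hop["findings"].append("no TLS indicated on this hop")
    return hop

def audit(raw):  # walk the chain bottom-up (origin first), the way the post reads it
    return [parse_received(v) for v in reversed(message_from_string(raw).get_all("Received", []))]

def route(hops):  # the path as the post draws it: origin -> relay -> ... -> final server
    nodes = [h["from"] for h in hops[:1] if h["from"]] + [h["by"] for h in hops if h["by"]]
    return " -> ".join(nodes)
```

Running `route(audit(SAMPLE))` reproduces the post's chain (TK2MSFTDDSQ16 -> delivery2.pens.microsoft.com -> server-10.tower-83.messagelabs.com -> InternalMailServer.adomain.co.uk), and the first hop's findings are the private address, the bare internal hostname and the SMTPSVC build that the post picks out by hand.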
Other parts of a header to look out for which can provide useful info are:
X-WSS-ID is an acronym for Windows Server System ID:
X-WSS-ID: 657782L8189979-01-01
This indicates the sender sent this message from a Windows 2003 server.
Received: from 195.20.67.34 by mgw01.youmail.com over TLS secured channel with ESMTP (SMTP Relay);
We can see here that the email was encrypted with the TLS protocol and was relayed through a secure channel. Whereabouts in the header this appears will identify at which point the mail was encrypted.
It's also useful to note that "X-" headers are non-standard; they are only provided for information. Although this convention is often violated, any non-standard informative header should be given a name starting with "X-".
I am aware that there are parts of the header that may also provide useful information, so any comments would be welcome.