A few questions answered…

OK, some questions and answers that keep popping up in the blog…

Question: Can Internet Dongles be traced?
Answer: Yes, very easily if you have the equipment and know-how. However, there are some caveats. If you have an ex with a dongle that you want to trace, no, you can’t. However, if the ex has stolen your dongle (or you’re one of the idiots who think they can steal a dongle and get away with it), yes, you can. There are two identifiers in a dongle (the IMSI on the SIM and the IMEI of the modem, to use the standard names): one is programmable (the SIM can simply be swapped), the other is ‘hard coded’ into the hardware (i.e. it is not meant to change). If you know the programmable one and not the hardware one, you have to hope the thief has not had it reprogrammed. On the other hand, if you have the hard-coded one you can trace it. I won’t discuss the details here (or in private questions) as you have to sign paperwork to get that information in most countries, but the one thing I can tell you is that knowing both makes things a hundred times easier.

Question: Can you trace someone using a particular Internet dongle?
Answer: Yes

Question: Can you trace someone via your blog?
Answer: Yes, if they keep connecting to it… Depending on your knowledge and control it might take some coding. However, if the person is stupid or careless, they will leave fingerprints all over your blog… for example, someone who spends a lot of time in Florida (USA) is going to get a nasty surprise in 2012 if they don’t stop “checking up”, as they are going to find themselves in court this year on similar charges of gender discrimination as my ex. (Final warning: you know who you are. I might not be able to take you to court, but the European court will take the matter up themselves and I will just supply the evidence!)

Question: Can you see what people are searching for when they find your blog?
Answer: It’s simple: check the ‘Referer’ header (the misspelling is in the HTTP specification, so that is how it appears in logs and server configuration). It carries the URL of the page the visitor came from, and when that page is a search engine the URL includes the search terms. Bear in mind the header is supplied by the visitor’s browser: it can be missing, truncated or forged, so treat it as a lead rather than proof. For example:

98.203.109.165 TwDoP0W3HEMAAAOTCbcAAAAB - - [01/Jan/2012:18:11:59 -0500] "GET / HTTP/1.1" 200 75800 "http://www.bing.com/search?q=michelle+sullivan+malta+blog&form=MSNH14&qs=n&sk=&sc=1-28&x=107&y=13" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

The ‘q=michelle+sullivan+malta+blog’ shows the person searched for “michelle sullivan malta blog” using Bing as the search engine; the source address 98.203.109.165 geo-locates to Hollywood, Florida, and the user agent says MSIE 9.0 on Windows NT 6.1 (Windows 7) with WOW64, i.e. the 32-bit browser on 64-bit Windows. (Similar things can be seen with Google and with image searches, just the line format changes. Webalizer will decode most of them for you if you have trouble working it out.)

Question: If people have linked to your page, can you see where the original link was?
Answer: Yes, and the same thing works for spotting when someone embeds an image from your site in their own page (hot-linking), or links to you from Facebook. Again the ‘Referer’ header is the key field. For example, a link from Facebook (Facebook sends outbound clicks through its l.php redirector, which carries your URL in the ‘u’ parameter):

46.11.109.216 TwBOhEW3HEAAAArMSsQAAAAB - - [01/Jan/2012:07:16:04 -0500] "GET / HTTP/1.1" 200 75800 "http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.michellesullivan.org%2F&h=2AQElPj30AQHe6mHhKUmRDmzJE9YdYqc8FksLg6ql4Zxynw" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"

and an image used elsewhere linking back to the site (in this case my MySpace page):

70.127.86.50 TwEF00W3HEMAAAOTCt0AAAAB - - [01/Jan/2012:20:18:11 -0500] "GET /GalleryData/2009/July/12/thumbnails/DSC_4258.jpg HTTP/1.1" 200 4431 "http://www.myspace.com/michelle_i_sullivan" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
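Pulling these facts out of a log file by hand does not scale once you have a few thousand lines, so here is a small parser, added for this page and not part of the blog’s own tooling, that reads the combined-format lines quoted above (the extra token after the client address is assumed to be a mod_unique_id request ID), extracts the search terms from a Bing/Google/Yahoo referrer, unwraps Facebook’s l.php redirector, flags image requests whose referrer is on somebody else’s host, and decodes the Windows version from the user agent:

```python
"""Decode Apache access-log referrers: search terms, Facebook redirects and
image hot-linking.  Added example for this page, not the blog's own tooling;
the three log lines are the ones quoted above (the token after the client
address is assumed to be a mod_unique_id request ID)."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format with one extra field (the unique request ID) after
# the client address.  Adjust the pattern if your LogFormat differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<uid>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Search engines and the query parameter that carries the terms.
SEARCH_PARAMS = {"www.bing.com": "q", "www.google.com": "q", "search.yahoo.com": "p"}

# Windows NT kernel version -> marketing name, for reading User-Agent strings.
WINDOWS_NT = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
              "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}

# Hosts that are ours; a referrer on any other host is an external page.
MY_HOSTS = {"www.michellesullivan.org", "michellesullivan.org"}

# The log lines quoted in the post, with straight quotes so they parse.
LOG_LINES = [
    '98.203.109.165 TwDoP0W3HEMAAAOTCbcAAAAB - - [01/Jan/2012:18:11:59 -0500] '
    '"GET / HTTP/1.1" 200 75800 '
    '"http://www.bing.com/search?q=michelle+sullivan+malta+blog&form=MSNH14&qs=n&sk=&sc=1-28&x=107&y=13" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"',
    '46.11.109.216 TwBOhEW3HEAAAArMSsQAAAAB - - [01/Jan/2012:07:16:04 -0500] '
    '"GET / HTTP/1.1" 200 75800 '
    '"http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.michellesullivan.org%2F&h=2AQElPj30AQHe6mHhKUmRDmzJE9YdYqc8FksLg6ql4Zxynw" '
    '"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"',
    '70.127.86.50 TwEF00W3HEMAAAOTCt0AAAAB - - [01/Jan/2012:20:18:11 -0500] '
    '"GET /GalleryData/2009/July/12/thumbnails/DSC_4258.jpg HTTP/1.1" 200 4431 '
    '"http://www.myspace.com/michelle_i_sullivan" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"',
]


def parse_line(line):
    """Split one log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def search_terms(referer):
    """Search terms if the referrer is a known search engine's results page."""
    u = urlsplit(referer)
    param = SEARCH_PARAMS.get(u.netloc.lower())
    return parse_qs(u.query).get(param, [None])[0] if param else None


def facebook_target(referer):
    """Facebook routes outbound clicks through l.php; 'u' is the real link."""
    u = urlsplit(referer)
    if u.netloc.lower().endswith("facebook.com") and u.path == "/l.php":
        return parse_qs(u.query).get("u", [None])[0]
    return None


def hotlink_source(entry, my_hosts=MY_HOSTS):
    """If an image on this site was requested from a page on another host,
    return that page: the image is embedded or linked there."""
    if not entry["path"].lower().endswith((".jpg", ".jpeg", ".png", ".gif")):
        return None
    host = urlsplit(entry["referer"]).netloc.lower()
    return entry["referer"] if host and host not in my_hosts else None


def windows_flavour(agent):
    """Read the Windows version out of a User-Agent; WOW64/Win64 mean 64-bit."""
    m = re.search(r"Windows NT (\d+\.\d+)", agent)
    if not m:
        return None
    name = WINDOWS_NT.get(m.group(1), "Windows NT " + m.group(1))
    return name + " x64" if ("WOW64" in agent or "Win64" in agent) else name


def summarise(lines):
    """Annotate each parsable line with what its referrer and agent reveal."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        e["terms"] = search_terms(e["referer"])
        e["fb_target"] = facebook_target(e["referer"])
        e["hotlink"] = hotlink_source(e)
        e["windows"] = windows_flavour(e["agent"])
        out.append(e)
    return out


if __name__ == "__main__":
    for e in summarise(LOG_LINES):
        print(e["ip"], e["terms"], e["fb_target"], e["hotlink"], e["windows"])
```

Run it over a real access log with `summarise(open(path).read().splitlines())`; lines that do not match the pattern (a different LogFormat, or requests with no referrer field) are skipped rather than mis-parsed.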

 

Question: I see you have had trouble with a stalker, I think I have a stalker as well, can I use the information to prosecute?
Answer: Yes, but you will need help. If you needed to ask this question you are not someone like myself who has given ‘expert evidence’ in court on multiple occasions, so you will need someone to help you gather the evidence. Important: get advice from the local authorities on the matter as soon as possible if you need to, or think you might, go to court. The first thing you will need to do is turn on forensic logging; this is not as simple as enabling Apache’s mod_log_forensic (the ForensicLog directive, which records the complete request headers), but it is a start. You will also need to dump packet headers from the offenders at the network level and record those packets in a format that is considered tamper-evident (i.e. once recorded, any alteration can be detected; hashing each capture as it is written and keeping the hashes somewhere the machine itself cannot alter is the usual minimum). You will also need to be able to follow basic tracing (as described in other articles) as you probably don’t want to record everything that hits your website. Lastly you will need to obtain, or have someone obtain on your behalf, court orders to gain access to the remote connection provider’s access logs so that you can tie the evidence collected to the offender. Be prepared: such issues are long and involved, and in countries such as Malta, unless you know who to call you rarely get to speak to anyone who actually knows what you’re talking about. You should also note that unless a serious crime has been committed (such as “Criminal Libel”, “Racial Discrimination”, “Gender Discrimination” or “Child Pornography”) you will not get any help from most police forces of the world.
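The ‘tamper-evident’ requirement is the part most people get wrong: a plain capture file can be edited without trace. The following is an added example, not the author’s setup, of the minimum that makes a record of packet-header summaries tamper-evident: the capture is filtered to the offender’s address, each record is hashed together with the hash of the one before it, and the final hash is handed to someone outside the machine. The packet summaries and their field names are constructed for illustration.

```python
"""Tamper-evident capture log: every record is chained to the previous one
by SHA-256, so any edit, deletion or reordering after the fact changes every
hash that follows it.  Added example for this page, not the author's setup;
the packet summaries are constructed, not real captures, and the field
names are an assumption."""
import hashlib
import json

GENESIS = "0" * 64   # "previous hash" for the very first record


def _digest(prev_hash, body):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class EvidenceLog:
    """Append-only list of {seq, ts, record, prev, hash} entries."""

    def __init__(self):
        self.entries = []

    def append(self, record, ts):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "record": record}
        entry = dict(body, prev=prev, hash=_digest(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the last entry.  Hand this to a third party (a lawyer, a
        timestamping service, a signed printout): without an external anchor
        someone with write access could simply re-chain the whole log."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, expected_head=None):
    """None if the chain is intact, else the index of the first bad entry
    (len(entries) if every link checks out but the head does not match,
    i.e. records were removed from the end)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {"seq": e["seq"], "ts": e["ts"], "record": e["record"]}
        if e["seq"] != i or e["prev"] != prev or _digest(prev, body) != e["hash"]:
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def capture_offender(packets, offender_ip, log):
    """Record only the headers that involve the offender's address."""
    kept = 0
    for pkt in packets:
        if offender_ip in (pkt["src"], pkt["dst"]):
            log.append(pkt, pkt["ts"])
            kept += 1
    return kept


# Constructed packet-header summaries (RFC 5737 documentation addresses).
PACKETS = [
    {"ts": 1325443919.0, "src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "sport": 51234, "dport": 80, "flags": "S"},
    {"ts": 1325443919.1, "src": "203.0.113.44", "dst": "192.0.2.10", "proto": "tcp", "sport": 40001, "dport": 80, "flags": "S"},
    {"ts": 1325443919.2, "src": "192.0.2.10", "dst": "198.51.100.7", "proto": "tcp", "sport": 80, "dport": 51234, "flags": "SA"},
    {"ts": 1325443920.5, "src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "sport": 51234, "dport": 80, "flags": "PA"},
]


def demo():
    """Build the chain, then show what is and is not detected."""
    log = EvidenceLog()
    kept = capture_offender(PACKETS, "198.51.100.7", log)
    head = log.head()
    tampered = [dict(e) for e in log.entries]
    tampered[1]["record"] = dict(tampered[1]["record"], src="203.0.113.44")
    truncated = log.entries[:-1]
    return {
        "kept": kept,
        "intact": verify(log.entries, head),
        "edited_detected_at": verify(tampered, head),
        "truncation_without_anchor": verify(truncated),
        "truncation_with_anchor": verify(truncated, head),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The last two results from demo() are why the head hash has to leave the machine: chopping records off the end of the chain is invisible to the chain itself and only shows up against an externally held head. Real captures would come from tcpdump/pcap files; the same chaining applies to each file’s digest.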

Question: Will you help me trace my stalker?
Answer: I just did by posting this. However, if you want someone to be your detective, sorry, I don’t do that for others, as I don’t really have the time to waste on it myself; get yourself in touch with the Police and if they can’t/won’t help, hire a private investigator to help. Tip: I have used a private investigator myself over the last year to help me, as they double-checked my ‘evidence’ for forensic ‘soundness’ and at times I just didn’t have the time to do all the work myself. Tracing people is not simple or quick when it comes to getting all the evidence needed for a court case. It’s quick and simple if you just want to ‘know’ without having to ‘prove’ it (also in some cases like mine, when the tracing goes international, you either have to visit or get help from someone local, particularly when tracing devices such as dongles to a 50m radius.)

Question: My stalker is using proxies (including the “I’m hiding behind 7 proxies” bulls**t) can they be traced or can I stop them?
Answer: It is not as simple as yes or no, because it depends on each proxy and the intent of the person who set it up. Most proxies are accidentally left ‘open’ and there is no malicious intent; if that is the case it doesn’t matter if there are 100 proxies between the stalker and you, it’s simply a matter of looking for the ‘Via:’ header (the standard hop-by-hop header; some proxies use vendor variants such as ‘X-Sent-Via:’) and/or the ‘X-Forwarded-For:’ header in your forensic logs (the latter is a de facto standard). If found, all of the IP addresses along the chain (including the originator’s) are presented to you in a nice simple comma-separated list, leftmost first. The caveat: each proxy only appends to what it received, so anyone can put whatever they like at the front of that list before it reaches the first proxy, and a proxy set up with malicious intent can strip or rewrite it. The only address you can vouch for is the one that actually connected to your server; everything to the left of it is a lead to be confirmed against the proxy operators’ logs, not proof.
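The ‘anyone can put anything at the front of the list’ caveat is easier to see in code. This added example (not the blog’s code; the trusted proxy ranges and all addresses are documentation ranges chosen for illustration) walks the chain from the socket peer backwards, skipping hops that only proxies we trust could have added, and returns the first address we cannot vouch for; the full claimed chain is kept separately for the evidence file:

```python
"""Which address in an X-Forwarded-For chain can you actually vouch for?
Added example for this page, not the blog's code.  The trusted-proxy list
and all addresses are made-up documentation ranges (RFC 5737 / RFC 1918)."""
import ipaddress

# Proxies we run, or whose operators we trust to append honestly.  Assumption.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("203.0.113.5/32")]


def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_xff(value):
    """Split the header left-to-right; junk tokens ('unknown', garbage) become None."""
    hops = []
    for tok in value.split(","):
        try:
            hops.append(ipaddress.ip_address(tok.strip()))
        except ValueError:
            hops.append(None)
    return hops


def client_ip(remote_addr, xff):
    """Walk backwards from the TCP peer.  Hops added by trusted proxies are
    skipped; the first address we cannot vouch for is the best verifiable
    client address.  Anything to the left of it was written by that
    untrusted party and may be forged."""
    peer = ipaddress.ip_address(remote_addr)
    chain = (parse_xff(xff) if xff else []) + [peer]
    for ip in reversed(chain):
        if ip is None:
            return None          # unparsable hop inside the trusted region
        if not _trusted(ip):
            return str(ip)
    return str(chain[0])         # every hop trusted: leftmost is the origin


def claimed_chain(remote_addr, xff):
    """Every hop, leftmost = claimed originator, for the forensic record."""
    hops = [str(h) if h is not None else "?" for h in parse_xff(xff)] if xff else []
    return hops + [remote_addr]


if __name__ == "__main__":
    # Stalker connects directly and forges the header: the forged value is ignored.
    print(client_ip("198.51.100.7", "192.0.2.1"))
    # Through our own reverse proxy, then open proxies: only the nearest open
    # proxy is verifiable; the rest is what those proxies claimed.
    print(client_ip("203.0.113.5", "192.0.2.9, 198.51.100.7"),
          claimed_chain("203.0.113.5", "192.0.2.9, 198.51.100.7"))
```

Note that with a chain of open proxies that you do not control, client_ip() returns the last open proxy, not the stalker: the leftmost entry is where to take the court order next, not what you present as the answer.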

 

Tracing emails and people via them…

So this is a follow-up (as promised) to my previous article on tracing people. This one takes the different, and more requested, view of tracing emails and reading headers.

First we will take an example email from one of my inboxes…

Return-path: <katie@sorbs.net>
Received: from [192.168.1.100] (c121-71.i07-31.onvol.net [92.251.121.71])
	by nemesis.sorbs.net
	(iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net> for matthew@sorbs.net; Wed,
	23 Feb 2011 06:19:07 +1000 (EST)
Date: Tue, 22 Feb 2011 21:20:05 +0100
From: Katie Crothers <katie@sorbs.net>
To: matthew@sorbs.net
Message-id: <4D641A75.30405@sorbs.net>
MIME-version: 1.0
Content-type: text/plain; format=flowed; charset=ISO-8859-1
Content-transfer-encoding: 7bit
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.13)
	Gecko/20101207 Thunderbird/3.1.7
Original-recipient: rfc822;matthew@sorbs.net

Loved your blog, Matthew.

I wouldn't expect anything less from someone with Multiple Personality
Disorder.

Cheers for the laugh.

So, as we can see, a fairly abusive email (the sender knows I am no longer called ‘Matthew’, and knew that at the time of sending the email; they also knew that the address is one I keep for legacy only and rarely read), one that needs tracing to the source. This one is fairly simple, as unlike spam it doesn’t contain fake headers… OK, first a few things, starting with the most important rule:

  1. You can only trust the Received: headers generated by your own server (‘your’ meaning your ISP’s server or one you own). Everything below the last header written by a server you control was supplied by the sender and can be forged.
  2. Each server prepends its own Received: header, so in all modern servers they are read from the top down: the top line is the latest hop (your server), the bottom line the earliest and the least trustworthy.

So the headers:

Received: from [192.168.1.100] (c121-71.i07-31.onvol.net [92.251.121.71])
	by nemesis.sorbs.net
	(iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net> for matthew@sorbs.net; Wed,
	23 Feb 2011 06:19:07 +1000 (EST)

So in this case we have one Received: header, so for this example it’s simple: the message was handed directly to my server, either by a registered user or by someone trying to send unauthorised email. In this case I know that Katie Crothers was a registered user (as I am the server administrator), but let’s analyse the line a bit more and see what information we can glean.

The first part of the line, [192.168.1.100], is the name the client gave in its HELO/EHLO greeting when it connected; in this case it is the correctly formatted IP address of the sending machine on its own private LAN. This value is supplied by the client and is never verified by the server. The second part, (c121-71.i07-31.onvol.net [92.251.121.71]), is what the server itself observed and logged: 92.251.121.71 is the host that actually connected (in this case a home DSL/cable router doing NAT for the 192.168.1.x network) and c121-71.i07-31.onvol.net is the reverse-DNS (PTR) name the server looked up for that address, as published by the ISP. Using geo-location services we know the host is a Melita cable modem not far from the Naxxar Police station in Naxxar, Malta (geo-location of a residential address is only ever approximate; it is the ISP’s own records that pin it down).

The second part of the line, by nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar 3 2005)), identifies the receiving mail server and its software version, which is more for debugging than anything. Its importance for tracing is that it tells you which machine wrote this header, and therefore whether you can trust it.

The third part of the line, with ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net>, is more informative than it looks. The ‘with’ keyword is defined by RFC 3848: ESMTP means the client greeted with EHLO rather than HELO, the trailing S means the session was encrypted with STARTTLS, and the trailing A means the client authenticated with SMTP AUTH. That ‘A’ is the key fact here: an authenticated submission means the server’s logs record which account sent the message, so the sender is tied to a login and not just to an IP address. The id <0LH100J02CFQR7@nemesis.sorbs.net> is the message ID assigned by the server, which makes finding the corresponding lines in the server’s log files a lot easier.

The fourth part of the line, for matthew@sorbs.net, is the envelope recipient (the address given in the RCPT TO command) as the server saw it. Unlike the To: line further down in the headers, this cannot be faked, because it is what actually told the server where to deliver the message; the To: line is just text written by the sender for the benefit of the mail reader.

The rest of the headers are irrelevant for the purposes of this article and should be self-explanatory, with the exception of Original-recipient: rfc822;matthew@sorbs.net, which is a copy of the envelope recipient address that was used to route the email.

Ok on to something a little more realistic for tracing spam:

Return-path: <alison@isux.com>
Received: from catapilla.sorbs.net (catapilla.sorbs.net [113.52.8.151])
	by nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTP id <0LHA00840VAD00@nemesis.sorbs.net> for michelle@shellsshots.com;
	Mon, 28 Feb 2011 09:44:37 +1000 (EST)
Received: from vampire.isux.com (c190-211.i02-8.onvol.net [213.165.190.211])
	by catapilla.sorbs.net (Postfix) with ESMTP id 5F8B42E0D5 for
	<michelle@shellsshots.com>; Mon, 28 Feb 2011 10:44:35 +1100 (EST)
Received: by vampire.isux.com (Postfix) id E7FF3C23A; Mon,
	28 Feb 2011 10:48:53 +1100 (EST)
Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
	by vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;
	Mon, 28 Feb 2011 10:48:50 +1100 (EST)
Date: Mon, 28 Feb 2011 10:48:50 +1100 (EST)
From: alison@isux.com
Subject: RE: Your invoice from VIAGRA - #5187
To: alison@isux.com
Message-id: <20110227234852.B58F5B901@vampire.isux.com>
MIME-version: 1.0
Content-type: text/html; charset=ISO-8859-1
Content-transfer-encoding: 7bit
Delivered-to: alison@isux.com
Original-recipient: rfc822;alison@isux.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <
html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8"/>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="width: 896px">
<tr><td align="center" style="font: normal 11px Verdana, sans-serif; color: #333;">
<a href="http://usadoctorpills6.ru" style="text-decoration: none; color: #0099ff;"
>Click here!</td></tr>

<tr><td align="center">
<br/>
<a href="http://usadoctorpills6.ru"><img src="http://usadoctorpills6.ru/1.jpg" 
style="border-width: 0px"/></a></td></tr>
</table>
</body>
</html>

In this case we have more received headers:

Received: from catapilla.sorbs.net (catapilla.sorbs.net [113.52.8.151])
	by nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTP id <0LHA00840VAD00@nemesis.sorbs.net> for michelle@shellsshots.com;
	Mon, 28 Feb 2011 09:44:37 +1000 (EST)
Received: from vampire.isux.com (c190-211.i02-8.onvol.net [213.165.190.211])
	by catapilla.sorbs.net (Postfix) with ESMTP id 5F8B42E0D5 for
	<michelle@shellsshots.com>; Mon, 28 Feb 2011 10:44:35 +1100 (EST)
Received: by vampire.isux.com (Postfix) id E7FF3C23A; Mon,
	28 Feb 2011 10:48:53 +1100 (EST)
Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
	by vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;

In this case the headers are read from the top down. I own/manage the hosts nemesis.sorbs.net, catapilla.sorbs.net and vampire.isux.com, so reading the ‘by’ part of each Received line we know we can trust all of these headers (rule 1: every one of them was written by a server under my control). We also know that the headers are ordered latest first from the top down, which means the last server I own in the chain added the last header, and the ‘from’ part of that header names the first machine outside my control. (The ‘Received: by vampire.isux.com (Postfix) id E7FF3C23A’ line with no ‘from’ is not a network hop; it is Postfix re-queueing the message when it was forwarded from alison@isux.com to michelle@shellsshots.com, which is why the ‘for’ address changes between the two vampire headers.) The last header, then:

Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
	by vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;

The delivering host was 189.68.86.125, which identified itself (in its HELO) with the same name as its reverse DNS, 189-68-86-125.dsl.telesp.net.br (a Brazilian consumer DSL line). Again using geo-location services such as http://www.maxmind.com/ we know the host is located in Sertãozinho, Sao Paulo, Brazil. Two further details in the same header back up the conclusion that this is a compromised home machine rather than a mail server. It connected ‘with SMTP’ rather than ESMTP, i.e. it used a bare HELO, as simple spam-sending bots do. And the Message-id, <20110227234852.B58F5B901@vampire.isux.com>, is in Postfix’s own format (timestamp, queue ID, hostname) and carries the same queue ID B58F5B901 as the Received line, which means vampire.isux.com generated it because the incoming message had none. Note also that vampire’s timestamp (10:48:53 +1100) is about four minutes later than the hop that came after it (10:44:35 +1100 on catapilla), so vampire’s clock is roughly four minutes fast; worth knowing before you ask a Brazilian ISP which customer held 189.68.86.125 at a given minute.
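Both examples in this article come down to one procedure: read the Received: headers newest-first, keep going while the ‘by’ host is one of ours, skip our own relay-to-relay hops, and stop at the first ‘from’ that is not ours. The following is an added example that automates that walk over the two messages quoted above (it is not the author’s tooling; the trusted host and address sets are lifted from those headers and are an assumption for any other mail setup). It also decodes the RFC 3848 ‘with’ keyword so that the authenticated submission in the first message and the bare-HELO bot in the second stand out:

```python
"""Walk the Received: chain top-down and stop at the first hop that was not
written by a server we control.  Added example for this page, not the
author's tooling.  The sample messages are the headers quoted above (bodies
omitted); the trusted host and address sets come from those headers and are
an assumption for any other setup."""
import email
import re

# Servers whose Received: lines we trust ("by" side) and the addresses our
# own relays connect from, as logged by the next hop ("from" side).
TRUSTED_BY = {"nemesis.sorbs.net", "catapilla.sorbs.net", "vampire.isux.com"}
TRUSTED_FROM_IPS = {"113.52.8.151", "213.165.190.211"}

RE_FROM = re.compile(r"\bfrom (\S+)(?: \((\S+) \[([0-9a-fA-F.:]+)\]\))?")
RE_BY = re.compile(r"\bby (\S+)")
RE_WITH = re.compile(r"\bwith (\S+)")
RE_ID = re.compile(r"\bid (<[^>]+>|[A-Za-z0-9]+)")

ABUSIVE = """Return-path: <katie@sorbs.net>
Received: from [192.168.1.100] (c121-71.i07-31.onvol.net [92.251.121.71])
\tby nemesis.sorbs.net
\t(iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
\twith ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net> for matthew@sorbs.net; Wed,
\t23 Feb 2011 06:19:07 +1000 (EST)
From: Katie Crothers <katie@sorbs.net>
To: matthew@sorbs.net

(body omitted)
"""

SPAM = """Return-path: <alison@isux.com>
Received: from catapilla.sorbs.net (catapilla.sorbs.net [113.52.8.151])
\tby nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
\twith ESMTP id <0LHA00840VAD00@nemesis.sorbs.net> for michelle@shellsshots.com;
\tMon, 28 Feb 2011 09:44:37 +1000 (EST)
Received: from vampire.isux.com (c190-211.i02-8.onvol.net [213.165.190.211])
\tby catapilla.sorbs.net (Postfix) with ESMTP id 5F8B42E0D5 for
\t<michelle@shellsshots.com>; Mon, 28 Feb 2011 10:44:35 +1100 (EST)
Received: by vampire.isux.com (Postfix) id E7FF3C23A; Mon,
\t28 Feb 2011 10:48:53 +1100 (EST)
Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
\tby vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;
\tMon, 28 Feb 2011 10:48:50 +1100 (EST)
From: alison@isux.com
To: alison@isux.com

(body omitted)
"""


def parse_received(value):
    """Pull one Received: header apart (folding whitespace removed first)."""
    text = re.sub(r"\s+", " ", value).strip()
    m_from, m_by = RE_FROM.search(text), RE_BY.search(text)
    m_with, m_id = RE_WITH.search(text), RE_ID.search(text)
    return {
        "helo": m_from.group(1) if m_from else None,  # client-supplied, unverified
        "rdns": m_from.group(2) if m_from else None,  # reverse DNS the server looked up
        "ip": m_from.group(3) if m_from else None,    # address that really connected
        "by": m_by.group(1) if m_by else None,
        "with": m_with.group(1) if m_with else None,
        "id": m_id.group(1) if m_id else None,
    }


def describe_with(token):
    """RFC 3848 'with' keyword: SMTP = HELO, ESMTP = EHLO; a trailing S means
    TLS was used, a trailing A means the client authenticated."""
    ehlo = bool(token) and token.startswith("ESMTP")
    suffix = token[5:] if ehlo else ""
    return {"ehlo": ehlo, "tls": "S" in suffix, "auth": suffix.endswith("A")}


def trace_origin(raw_message):
    """First hop from outside our infrastructure, or None if the chain leaves
    our servers first (everything below that point could be forged)."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):      # newest hop first
        hop = parse_received(value)
        if hop["by"] not in TRUSTED_BY:
            return None                            # not written by us: stop
        if hop["ip"] is None:
            continue                               # local re-queue, no network hop
        if hop["ip"] in TRUSTED_FROM_IPS:
            continue                               # one of our relays to another
        hop.update(describe_with(hop["with"]))
        return hop
    return None


if __name__ == "__main__":
    for name, raw in (("abusive", ABUSIVE), ("spam", SPAM)):
        h = trace_origin(raw)
        print(name, h["ip"], h["rdns"], h["with"], "auth" if h["auth"] else "no-auth")
```

The ‘helo’ field is deliberately returned but never used for trust decisions: it is whatever the client said, and a spammer can greet as one of your own hostnames. Only the bracketed address logged by a server you control decides where the chain stops.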

I will be posting a follow up article to this at a later date with more technical information.  Feel free to subscribe to the RSS feed to get the updates.

Its Life Jim, but not as we know it…

So it has been a long time since I updated about me; recently it has all been about the stalker in my life, who is trying to get me to commit suicide, and she nearly succeeded in getting to me, but now I know how far she is going to go I can deal with it, and now she has been dealt with (with more to come, I’ve just got to wait for others to enact the punishment).. so now something about me and my life.

I was chatting with Nat earlier and I realised I hadn’t updated anything about being transgender in a long while… it occurred to me that for a long time I was trying to deny who I was, who I am… I am Matthew and I am Michelle, not one or the other, but both. Alison married Matthew and ended up with Michelle, she couldn’t handle that and I never understood why at the time. I tried to point out that I was the same person that she married, but she insisted that I was Matthew and am now not.

Over the last 18 months to 2 years I have stopped being just Michelle, and stopped trying to kill off Matthew and I have come to realise I am both.. I am Matthew and I am Michelle. Michelle is the real me and I am no longer trying to be Matthew, but Matthew is part of Michelle, always was and always will be…

Society today, and in years past, has taught us that we are either male or female… no middle ground.. and that is partly because society doesn’t understand who ‘we’ (the TG community) are. The church for many years rejected us, just like gay people (male and female), but the church has only been this way for the last 200 years. If we look at the bible, for example, there are many examples of gay people, and there are many examples of transgender people (inferred and direct reference); these people were not persecuted, these people were part of life. If we look back further to Roman times it is well known that Centurions married other Centurions.. it wasn’t a crime, it was part of life…

Now what is a crime according to the bible is ‘buggery’… Buggery being the act of having anal sex with your wife; this is where the confusion and bigotry seem to stem from. The thought process seems to go that gay people (male) participate in anal sex, therefore because buggery is a crime it makes them criminals. However, buggery is the practice of anal sex with your wife… in a gay relationship there is no wife, only 2 people who love each other (male-male, or female-female.)