Tracing emails and people via them…

So this is a follow-up (as promised) to my previous article on tracing people. This one takes the different, and more requested, view of tracing emails and reading their headers.

First we will take an example email from one of my inboxes…

Return-path: <katie@sorbs.net>
Received: from [192.168.1.100] (c121-71.i07-31.onvol.net [92.251.121.71])
	by nemesis.sorbs.net
	(iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net> for matthew@sorbs.net; Wed,
	23 Feb 2011 06:19:07 +1000 (EST)
Date: Tue, 22 Feb 2011 21:20:05 +0100
From: Katie Crothers <katie@sorbs.net>
To: matthew@sorbs.net
Message-id: <4D641A75.30405@sorbs.net>
MIME-version: 1.0
Content-type: text/plain; format=flowed; charset=ISO-8859-1
Content-transfer-encoding: 7bit
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.13)
	Gecko/20101207 Thunderbird/3.1.7
Original-recipient: rfc822;matthew@sorbs.net

Loved your blog, Matthew.

I wouldn't expect anything less from someone with Multiple Personality
Disorder.

Cheers for the laugh.

So, as we can see, a fairly abusive email (the sender knows I am no longer called 'Matthew', and knew that at the time of sending the email; they also knew that the address is one I keep for legacy only and rarely read), one that needs tracing to the source. This one is fairly simple: unlike spam, it doesn't contain fake headers. Ok, first a few things, starting with the most important rule:

  1. You can only trust the headers generated by your own servers (yours meaning your ISP's server or one you run yourself). Every Received: line below the first one that was not added by a server you control could have been written by the sender, so it is evidence at best, never proof.
  2. Received: headers are read from the top down: each server prepends its own line when it accepts the message, so the latest hop is at the top and the oldest at the bottom.

So the headers:

Received: from [192.168.1.100] (c121-71.i07-31.onvol.net [92.251.121.71])
	by nemesis.sorbs.net
	(iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net> for matthew@sorbs.net; Wed,
	23 Feb 2011 06:19:07 +1000 (EST)

So in this case we have one Received: header, which keeps the example simple: the message was handed directly to my server, either by a registered user or by someone trying to relay unauthorised mail through it. In this case I know that Katie Crothers was a registered user (as I am the server administrator), but let's analyse the line a bit more and see what information we can glean from it.

The first part of the line, [192.168.1.100], is the name the client gave in its HELO/EHLO command when it connected. It is entirely under the client's control and is not verified by the server; here it is the correctly formatted IP address of the sending machine on its own local network, which is what most desktop mail clients send. The second part, (c121-71.i07-31.onvol.net [92.251.121.71]), is what the server itself checked and logged. The IP address 92.251.121.71 is the host that actually made the TCP connection (in this case a home DSL/cable router doing NAT for the 192.168.1.100 machine behind it), and c121-71.i07-31.onvol.net is the reverse DNS (PTR) name the server looked up for that address, as published by the ISP. Using geo-location services we know the host is a Melita cable modem not far from the Naxxar police station in Naxxar, Malta. Bear in mind that geo-location databases place the ISP's equipment rather than the subscriber, so their precision varies from a few streets to a whole country depending on the provider.

The second part of the line, by nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar 3 2005)), identifies the receiving mail server and its software version. It is mainly there for debugging, but it is also what rule 1 hinges on: this is the host that wrote the line, and I control it.

The third part of the line, with ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net>, records how the message was received. ESMTP means the client greeted with EHLO rather than HELO, the S means the session was protected by TLS, and the A means the client authenticated with SMTP AUTH (RFC 3848 defines these keywords). That last letter is the most useful piece of the whole header: an authenticated submission means the sender had valid credentials for an account on my server, so the account, and not just the IP address, can be traced. The id <0LH100J02CFQR7@nemesis.sorbs.net> is the transaction ID the server assigned to this delivery; it is not the Message-id, but it is the value that appears in the server's own logs, which makes finding the matching log lines (including which account authenticated) a lot easier.

The fourth part of the line, for matthew@sorbs.net, is the destination address as the server saw it in the SMTP RCPT TO command (the envelope recipient). This cannot be faked, unlike the To: line further down, because it is what actually told the server where to deliver the message; the To: line is purely informational and only the mail reader looks at it.

The rest of the headers are irrelevant for the purposes of this article and should be self-explanatory, with the exception of Original-recipient: rfc822;matthew@sorbs.net, which is a copy of the envelope recipient that the server used to route the email.

Ok on to something a little more realistic for tracing spam:

Return-path: <alison@isux.com>
Received: from catapilla.sorbs.net (catapilla.sorbs.net [113.52.8.151])
	by nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTP id <0LHA00840VAD00@nemesis.sorbs.net> for michelle@shellsshots.com;
	Mon, 28 Feb 2011 09:44:37 +1000 (EST)
Received: from vampire.isux.com (c190-211.i02-8.onvol.net [213.165.190.211])
	by catapilla.sorbs.net (Postfix) with ESMTP id 5F8B42E0D5 for
	<michelle@shellsshots.com>; Mon, 28 Feb 2011 10:44:35 +1100 (EST)
Received: by vampire.isux.com (Postfix) id E7FF3C23A; Mon,
	28 Feb 2011 10:48:53 +1100 (EST)
Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
	by vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;
Mon, 28 Feb 2011 10:48:50 +1100 (EST)
Date: Mon, 28 Feb 2011 10:48:50 +1100 (EST)
From: alison@isux.com
Subject: RE: Your invoice from VIAGRA - #5187
To: alison@isux.com
Message-id: <20110227234852.B58F5B901@vampire.isux.com>
MIME-version: 1.0
Content-type: text/html; charset=ISO-8859-1
Content-transfer-encoding: 7bit
Delivered-to: alison@isux.com
Original-recipient: rfc822;alison@isux.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <
html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8"/>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="width: 896px">
<tr><td align="center" style="font: normal 11px Verdana, sans-serif; color: #333;">
<a href="http://usadoctorpills6.ru" style="text-decoration: none; color: #0099ff;"
>Click here!</td></tr>

<tr><td align="center">
<br/>
<a href="http://usadoctorpills6.ru"><img src="http://usadoctorpills6.ru/1.jpg" 
style="border-width: 0px"/></a></td></tr>
</table>
</body>
</html>

In this case we have more received headers:

Received: from catapilla.sorbs.net (catapilla.sorbs.net [113.52.8.151])
	by nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTP id <0LHA00840VAD00@nemesis.sorbs.net> for michelle@shellsshots.com;
	Mon, 28 Feb 2011 09:44:37 +1000 (EST)
Received: from vampire.isux.com (c190-211.i02-8.onvol.net [213.165.190.211])
	by catapilla.sorbs.net (Postfix) with ESMTP id 5F8B42E0D5 for
	<michelle@shellsshots.com>; Mon, 28 Feb 2011 10:44:35 +1100 (EST)
Received: by vampire.isux.com (Postfix) id E7FF3C23A; Mon,
	28 Feb 2011 10:48:53 +1100 (EST)
Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
	by vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;

In this case the headers are again read from the top down. I own/manage the hosts nemesis.sorbs.net, catapilla.sorbs.net and vampire.isux.com, so reading the 'by' part of each Received: line we know we can trust all four of these headers. We also know that the headers are ordered latest first, so the bottom one was added by the first of my servers to see the message, and that is the header that records the hand-off from the outside world:

Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
	by vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;

The delivering host was 189.68.86.125, which identified itself in its HELO as 189-68-86-125.dsl.telesp.net.br, the same as its reverse DNS name (a Brazilian DSL line). Note the other tell-tales in that line: the connection used plain SMTP (HELO, no TLS, no authentication), and the envelope recipient alison@isux.com is the same address as the From: and To: lines, which is typical of a spam bot stuffing the victim's own address into the message rather than a real mail server. Again using geo-location services such as http://www.maxmind.com/ we know the host is located in Sertãozinho, Sao Paulo, Brazil.
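The procedure applied to both messages above (walk the Received: lines top down, stop trusting at the first line not stamped by one of your own servers, and report the hop where your server accepted the message from the outside) as an added, runnable example. This is my code, not the author's: the two messages are constructed copies of the headers quoted above with their bodies omitted, the trusted host and address sets are taken from what those headers show, and the function names are mine.

```python
import email
import re

# Constructed copies of the two messages quoted above (headers only), with the
# line folding kept exactly as a mail server writes it.
ABUSE_MSG = """\
Return-path: <katie@sorbs.net>
Received: from [192.168.1.100] (c121-71.i07-31.onvol.net [92.251.121.71])
\tby nemesis.sorbs.net
\t(iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
\twith ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net> for matthew@sorbs.net; Wed,
\t23 Feb 2011 06:19:07 +1000 (EST)
From: Katie Crothers <katie@sorbs.net>
To: matthew@sorbs.net

"""
SPAM_MSG = """\
Return-path: <alison@isux.com>
Received: from catapilla.sorbs.net (catapilla.sorbs.net [113.52.8.151])
\tby nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
\twith ESMTP id <0LHA00840VAD00@nemesis.sorbs.net> for michelle@shellsshots.com;
\tMon, 28 Feb 2011 09:44:37 +1000 (EST)
Received: from vampire.isux.com (c190-211.i02-8.onvol.net [213.165.190.211])
\tby catapilla.sorbs.net (Postfix) with ESMTP id 5F8B42E0D5 for
\t<michelle@shellsshots.com>; Mon, 28 Feb 2011 10:44:35 +1100 (EST)
Received: by vampire.isux.com (Postfix) id E7FF3C23A; Mon,
\t28 Feb 2011 10:48:53 +1100 (EST)
Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
\tby vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;
\tMon, 28 Feb 2011 10:48:50 +1100 (EST)
From: alison@isux.com
To: alison@isux.com

"""

# Servers the investigator runs (rule 1) and their addresses as they appear in the
# 'from' clauses above; nemesis never appears as a sender, so its address is not needed.
TRUSTED_HOSTS = {"nemesis.sorbs.net", "catapilla.sorbs.net", "vampire.isux.com"}
TRUSTED_IPS = {"113.52.8.151", "213.165.190.211"}

# Received: clauses (RFC 5321 section 4.4) matched as whole words.  Heuristic: a
# comment such as "(Postfix, from userid 1000)" would be mis-read as a from clause.
CLAUSE_RE = re.compile(r"\b(from|by|via|with|id|for)\s+(.+?)(?=\s+(?:from|by|via|with|id|for)\s+|$)")


def parse_received(value):
    """Split one Received: value into what the receiving server recorded."""
    value = " ".join(value.split())              # unfold continuation lines
    body, sep, date = value.rpartition(";")      # the timestamp follows the last ';'
    if not sep:
        body, date = value, ""
    clauses = {}
    for m in CLAUSE_RE.finditer(body):
        clauses.setdefault(m.group(1), m.group(2))
    helo = rdns = ip = None
    if "from" in clauses:
        # "<helo-name> (<reverse-dns> [<ip>])": the name is the client's claim, the
        # parenthesised part is what the server verified itself.
        helo, _, verified = clauses["from"].partition(" ")
        m = re.search(r"\[([0-9a-fA-F.:]+)\]", verified)
        if m:
            ip = m.group(1)
            rdns = verified[:m.start()].strip(" (") or None
    with_ = clauses.get("with")
    return {
        "helo": helo, "rdns": rdns, "ip": ip,
        "by": clauses.get("by", "").split(" ")[0].lower() or None,
        "with": with_,
        # RFC 3848: a trailing A (ESMTPA, ESMTPSA, ...) means the client passed SMTP AUTH
        "authenticated": bool(with_) and with_.upper().endswith("A"),
        "id": clauses.get("id"),
        "for": (clauses.get("for") or "").strip("<>") or None,
        "date": date.strip() or None,
    }


def received_hops(raw_message):
    """Every Received: header of a message, parsed, newest (topmost) first."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def find_origin(raw_message, trusted_hosts=TRUSTED_HOSTS, trusted_ips=TRUSTED_IPS):
    """Walk the chain top-down and return the first hop in which one of our own
    servers accepted the message from an address we do not control.  None means no
    trustworthy external hand-off is visible (the message was injected locally, or
    the very first header was written by someone else's server)."""
    for hop in received_hops(raw_message):
        if hop["by"] not in trusted_hosts:
            return None          # rule 1: from here down the headers are hearsay
        if hop["ip"] is None or hop["ip"] in trusted_ips:
            continue             # local re-queue, or a hand-off between our own boxes
        return hop
    return None


if __name__ == "__main__":
    for name, raw in ("abusive mail", ABUSE_MSG), ("spam", SPAM_MSG):
        o = find_origin(raw)
        print(f"{name}: {o['ip']} ({o['rdns']}) HELO {o['helo']} via {o['with']}, "
              f"authenticated={o['authenticated']}, queue id {o['id']}")
```

The trusted address set matters as much as the trusted host list: the second hop of the spam was accepted by catapilla.sorbs.net from 213.165.190.211, whose reverse DNS is an onvol.net customer line and not vampire.isux.com, so without knowing that address belongs to one of your own servers the walk would stop one hop early and blame the wrong machine.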

I will be posting a follow up article to this at a later date with more technical information.  Feel free to subscribe to the RSS feed to get the updates.

Tracing/Tracking people on the Internet…

You know, it never ceases to amaze me how naive some people are. Some people think that doing something as simple as browsing a web page is anonymous, that they can use built-in features of things like Firefox to hide all information about themselves, and how little they know about the technical side of the Internet. That said, if you are just using Facebook and apply the usual 'safe' rules to your interaction, like refusing all application invites, you will stay fairly anonymous… and if you're really worried you'd use something like Tor to hide where you're coming from.

Of course, if you access something that the person you are trying to hide from actually controls, you can easily be found, tracked, traced and watched without them doing anything illegal. For example: I own this blog and administer the server, and I set the logging and access controls. From that alone, without any special equipment or tracking tools, I can locate and watch someone following my blog. I can see when they change IP addresses and in some cases even tell when they are accessing the blog from their partner's house/internet connection. With a little more information, like the logs of a secured login, I can even tell when they are using a smart phone, an internet dongle, a proxy server, a Tor exit or a boyfriend's computer to access it…

Even without this information it is sometimes possible to track the person down to a hotel, pub, cafe, or even their street (depending on how well the internet service at their location is set up; the better the setup, the easier it is). I have been asked a few times whether I can teach this to people. The simple answer is "yes I can", but it takes years to really teach it. (I might add that the same tracing can be applied to addresses found in email headers, which is how I learnt how to do it, and where I most often get asked to teach the skill.)

So very simply, to give an example..

A single log line from my blog…
114.77.xx.xx – – [15/May/2011:14:37:08 -0400] “GET /voodoolulu/banner-ad-75h.jpg HTTP/1.1” 200 30354

(xx.xx replaced to aid privacy as I don’t want to expose anyone)

So what can we learn? Well, immediately we can perform a "whois" lookup on the address, which returns…

inetnum: 114.76.0.0 – 114.77.255.255
netname: OPTUSINTERNET-AU
descr: OPTUS INTERNET – RETAIL
descr: INTERNET SERVICES
descr: 1 Lyonpark Road, Macquarie Park, NSW – 2113
country: AU
admin-c: OI3-AP
tech-c: OI3-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-AU-OPTUSINTERNET
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation’s account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20080514
source: APNIC


… now first thing: forget the "1 Lyonpark Road, Macquarie Park, NSW – 2113". That is the registered address of the range owner (Optus) and tells us nothing about the user in this case. As no more localised information is available from whois, trace the route to the address and we get…


traceroute to 114.77.xx.x (114.77.xx.xx), 64 hops max, 52 byte packets
1 * * *
2 212.56.128.1 (212.56.128.1) 10.116 ms 28.361 ms 9.733 ms
3 g200-south02.csr01.melita.com (212.56.129.100) 10.069 ms 13.749 ms 11.962 ms
4 151.5.142.1 (151.5.142.1) 29.503 ms 18.506 ms 26.223 ms
5 pavb-b01-ge2-0.70.wind.it (151.6.125.194) 18.882 ms 24.529 ms 18.001 ms
6 rmas-t02-gepa-b01-po01.wind.it (151.6.5.13) 39.284 ms 36.969 ms 35.689 ms
7 151.6.3.10 (151.6.3.10) 48.129 ms 49.374 ms 33.130 ms
8 so-7-0-3.mil19.ip4.tinet.net (77.67.66.5) 57.627 ms 46.685 ms 44.753 ms
9 xe-4-1-0.sjc12.ip4.tinet.net (89.149.186.205) 235.392 ms
xe-2-0-0.sjc12.ip4.tinet.net (89.149.183.85) 291.282 ms
xe-4-1-0.sjc12.ip4.tinet.net (89.149.186.205) 237.674 ms
10 singtel-gw.ip4.tinet.net (77.67.79.6) 217.624 ms 226.524 ms 220.423 ms
11 203.208.191.74 (203.208.191.74) 373.297 ms 374.333 ms 374.550 ms
12 sbr5-ge4-0.gw.optusnet.com.au (211.29.126.10) 393.471 ms 389.727 ms 386.396 ms
13 mas2-ge10-1-0-901.gw.optusnet.com.au (211.29.125.17) 406.025 ms 406.293 ms 394.495 ms
14 rdl2-ge5-0-0-904.gw.optusnet.com.au (211.29.125.137) 393.149 ms 391.939 ms 396.495 ms
15 fitzg3-ge3-0-1.cm.optusnet.com.au (198.142.192.118) 389.859 ms 402.673 ms 390.419 ms
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *


At this point either the host is offline or, more likely, the probes are being dropped by something near the end of the path (a home router or the ISP's edge). traceroute lets you change the probe type: the trace above used the default UDP probes to high ports, so rerun it with ICMP echo probes instead (traceroute -I on BSD and Linux; note the different packet size in the header line), which consumer routers usually answer, and we get…


traceroute to 114.77.xx.xx (114.77.xx.xx), 64 hops max, 72 byte packets
1 * * *
2 212.56.128.1 (212.56.128.1) 12.228 ms 9.862 ms 7.976 ms
3 g200-south02.csr01.melita.com (212.56.129.100) 8.878 ms 10.389 ms 9.747 ms
4 151.5.142.1 (151.5.142.1) 17.765 ms 17.769 ms 18.752 ms
5 pavb-b01-ge2-0.70.wind.it (151.6.125.194) 19.743 ms 18.830 ms 17.517 ms
6 rmas-t02-gepa-b01-po01.wind.it (151.6.5.13) 46.316 ms 37.276 ms 36.122 ms
7 151.6.3.162 (151.6.3.162) 37.250 ms 52.920 ms 35.174 ms
8 so-7-0-3.mil19.ip4.tinet.net (77.67.66.5) 50.062 ms 50.338 ms 43.967 ms
9 xe-2-0-0.sjc12.ip4.tinet.net (89.149.183.85) 223.130 ms 221.214 ms 220.005 ms
10 singtel-gw.ip4.tinet.net (77.67.79.6) 217.295 ms 222.547 ms 216.105 ms
11 203.208.191.74 (203.208.191.74) 380.631 ms 373.394 ms 370.138 ms
12 sbr5-ge4-0.gw.optusnet.com.au (211.29.126.10) 388.697 ms 388.686 ms 387.816 ms
13 mas2-ge10-1-0-901.gw.optusnet.com.au (211.29.125.17) 394.667 ms 395.060 ms 393.294 ms
14 rdl2-ge5-0-0-904.gw.optusnet.com.au (211.29.125.137) 392.353 ms 391.459 ms 390.155 ms
15 fitzg3-ge3-0-1.cm.optusnet.com.au (198.142.192.118) 389.976 ms 390.313 ms 387.935 ms
16 c114-77-xx-xx.fitzg3.qld.optusnet.com.au (114.77.xx.xx) 426.482 ms 400.787 ms 401.850 ms

So what has this told us… well, basically that the host is still online and the end point is reachable. The reverse DNS name of the last hop also tells us the state (qld is Queensland, Australia) and, with a little extra knowledge of how Optus names its kit (take your guess; if you can't spot it, then you'll never get it), that it is a customer hanging off the Fitzgerald routing point.

So, from nothing more than one log line, and even though I live in Malta and my blog is hosted in the USA, I now know the country, the region and a pretty close location of where the person browsed from…
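The whois and traceroute steps above, as an added example that is not part of the original post: it parses a whois answer for the range owner and country, then parses both traceroute runs to report whether each probe type reached the target and which hop answered last. The inputs are constructed, abridged copies of the output shown above with the same xx masking, and the function names are mine.

```python
import re

# Constructed, abridged copies of the whois answer and the two traceroute runs
# shown above (hops not needed for the comparison are omitted).
WHOIS_TEXT = """\
inetnum:        114.76.0.0 - 114.77.255.255
netname:        OPTUSINTERNET-AU
descr:          OPTUS INTERNET - RETAIL
descr:          1 Lyonpark Road, Macquarie Park, NSW - 2113
country:        AU
source:         APNIC
"""
UDP_TRACE = """\
traceroute to 114.77.xx.xx (114.77.xx.xx), 64 hops max, 52 byte packets
 1  * * *
 2  212.56.128.1 (212.56.128.1)  10.116 ms  28.361 ms  9.733 ms
 3  g200-south02.csr01.melita.com (212.56.129.100)  10.069 ms  13.749 ms  11.962 ms
 9  xe-4-1-0.sjc12.ip4.tinet.net (89.149.186.205)  235.392 ms
    xe-2-0-0.sjc12.ip4.tinet.net (89.149.183.85)  291.282 ms
    xe-4-1-0.sjc12.ip4.tinet.net (89.149.186.205)  237.674 ms
15  fitzg3-ge3-0-1.cm.optusnet.com.au (198.142.192.118)  389.859 ms  402.673 ms  390.419 ms
16  * * *
17  * * *
"""
ICMP_TRACE = """\
traceroute to 114.77.xx.xx (114.77.xx.xx), 64 hops max, 72 byte packets
 1  * * *
 2  212.56.128.1 (212.56.128.1)  12.228 ms  9.862 ms  7.976 ms
15  fitzg3-ge3-0-1.cm.optusnet.com.au (198.142.192.118)  389.976 ms  390.313 ms  387.935 ms
16  c114-77-xx-xx.fitzg3.qld.optusnet.com.au (114.77.xx.xx)  426.482 ms  400.787 ms  401.850 ms
"""

ENTRY_RE = re.compile(r"(\S+) \(([^)]+)\)")   # "name (address)" pairs on a hop line
HOP_RE = re.compile(r"^\s*(\d+)\s")           # numbered hop line; continuations have no number


def whois_fields(text):
    """Key/value view of a RIR whois answer; repeated keys such as descr: are joined."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep or line.startswith(("%", "#")):
            continue
        key, val = key.strip(), val.strip()
        fields[key] = f"{fields[key]} | {val}" if key in fields else val
    return fields


def parse_trace(text):
    """Return (target, hops): hops maps hop number -> list of (name, address) that
    answered, an empty list for '* * *'.  Several answers on one hop (hop 9 above)
    are kept; they normally mean per-packet load balancing, nothing sinister."""
    lines = text.strip().splitlines()
    target = ENTRY_RE.search(lines[0]).group(2)
    hops, current = {}, None
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if m:
            current = int(m.group(1))
            hops[current] = []
        hops[current].extend(ENTRY_RE.findall(line))
    return target, hops


def last_answer(hops):
    """(hop number, answers) of the last hop that replied, ignoring trailing '* * *'."""
    for n in sorted(hops, reverse=True):
        if hops[n]:
            return n, hops[n]
    return 0, []


def reached(text):
    """True when the last answering hop is the target itself."""
    target, hops = parse_trace(text)
    return any(addr == target for _, addr in last_answer(hops)[1])


def investigate(whois_text, traces):
    """What the post works out by hand: who owns the range, and how far each probe
    type got.  traces maps a label ('udp', 'icmp') to raw traceroute output."""
    w = whois_fields(whois_text)
    report = {"range": w.get("inetnum"), "netname": w.get("netname"), "country": w.get("country")}
    for label, text in traces.items():
        _, hops = parse_trace(text)
        n, answers = last_answer(hops)
        report[label] = {"reached": reached(text), "last_hop": n,
                         "last_name": answers[0][0] if answers else None}
    return report


if __name__ == "__main__":
    print(investigate(WHOIS_TEXT, {"udp": UDP_TRACE, "icmp": ICMP_TRACE}))
```

A trace that dies in a run of '* * *' after the ISP's aggregation router, but completes with a different probe type, is the signature of a filtered endpoint rather than an offline one; the comparison in investigate() makes that explicit instead of leaving it to eyeballing two screens of output.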

Now if you have access (as I do) to an accurate Geo-Location service (eg

Creating an EV Certificate Request in OpenSSL

Quick technical FAQ, as it has just taken me over 2 hours to find out how to do this…

When generating a CSR (Certificate Signing Request) for an EV (Extended Validation) certificate there are some required fields. These required fields are very well documented (probably too well), and the problem you will find is that trying to generate the EV request often fails with:

Subject Attribute businessCategory has no known NID, skipped
problems making Certificate Request
5478:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_mbstr.c:154:maxsize=2

The solution is to make OpenSSL aware of the object identifiers (OIDs) for the EV attributes it does not know by name. Some documentation will tell you that you can simply put the numeric OID in the subject string; on the OpenSSL build I was using it does not work. The working solution is to modify your openssl.cnf file (/usr/local/etc/openssl.cnf, /etc/ssl/openssl.cnf and /etc/openssl.cnf are common locations), or to point openssl req at a private copy of it with -config so the system file is left alone.

Under the section "new_oids" (create one if it doesn't exist, and make sure the default, unnamed section at the top of the file contains oid_section = new_oids, otherwise the section is never read) add the following:

# in the default section at the top of openssl.cnf:
oid_section = new_oids

[ new_oids ]

businessCategory=2.5.4.15
streetAddress=2.5.4.9
stateOrProvinceName=2.5.4.8
countryName=2.5.4.6
jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3

Only add the names your OpenSSL reports as having "no known NID". Current releases already know businessCategory, streetAddress and the country/state names, and since 1.0.2 the jurisdiction attributes as well (as jurisdictionC, jurisdictionST and jurisdictionL), and they may refuse to load a configuration that redefines an OID they already know.

Then you can use the following command to generate the CSR and a new key for the server:

openssl req -new -newkey rsa:2048 -keyout ev-key.pem -out ev-request.csr \
  -subj '/C=<2-letter country code>/ST=<state>/streetAddress=<business address>/O=My Company Ltd/CN=<webserver name, eg www.michellesullivan.org>/businessCategory=V1.0, Clause 5.(b)/jurisdictionOfIncorporationCountryName=<2-letter country code where My Company Ltd is registered>/serialNumber=<company incorporation number for My Company Ltd>'

Note: the subject contains spaces and parentheses, so surround it with single quotes (and replace the <…> placeholders with your own values). Always give -keyout, otherwise the freshly generated private key is written to standard output. The C= value must be a two-letter ISO 3166 country code; a longer value is what produces the "string too long … maxsize=2" error above, which is a separate problem from the missing OID. Also, EV certificates cannot be issued to wildcard CNs, so don't waste your time.

Facebook does it again…

When will Facebook ever learn…?! (and when will I learn!)

I have a Facebook account to keep in touch with old friends, and to showcase the photos I take at parties and events. I have over 500 people on my profile, of whom probably fewer than 100 are my friends; the rest are people I have taken pictures of, usually friends of friends. I have various settings on the account to restrict access to my wall and other information that I only want to share with friends, but have always been liberal with the settings as there isn't any information there that people can't find out about me with minimal research. My 'wall' has always been a bone of contention though, as I say things that are on my mind at a particular time (good or bad), and therefore I have always tried to keep that to friends only.

Someone I love used to be linked on my profile, and over the last few days I have been dismayed at how people will not respect my privacy and keep repeating things to that person. I decided to try to put an end to the "he said, she said" and spent a not insignificant amount of time working on the privacy settings Facebook provides, to lock down the profile so that my friends can see it, while the mutual friends (which include a couple of people that I have in my "true friends" list) and all the others that are 'just there for the photos' cannot see anything but the photos and basic information about me.

To do this lockdown procedure I found that Facebook provides a convenient interface under ‘Privacy Settings’ – ‘Customize’ which has 2 variable length fields. The first is who you show your information to, the second is whom you hide it from. The interface describes this as “…. can see this, except these …” where the first is something like “Friends only” or “Friends of Friends” and the second is a name of someone, or a group eg “No Access” or “Photos only” in my case.

Now here comes the punch line. It seems that if you add a group to the "hide from" field, Facebook completely ignores it, at least for the status. I haven't gone further into testing, as I'm sure others will, but now I know how the information I thought I had diligently protected on my profile was getting out to the masses I thought I had blocked.

If anyone wants to test this, it's simple:

  1. Create a group "No Access" and add one friend to it.
  2. Set all your settings to allow 'Friends only', except (ie hide from) 'No Access', and add a second friend to the "Hide from" field by name rather than via a group.
  3. Go back to the privacy page and click 'Preview my profile'. You should find only a small amount of information (if any); this is what complete strangers will see.
  4. In the top bar you'll see "Preview my profile as…", where you can put in the name of someone. First select a friend that is not in the 'No Access' group and view your profile; you should see everything that has been set to "Friends Only".
  5. Next go back and put in the name of the friend you added to the "No Access" group. The next page, horror of horrors, will show your status (and maybe other stuff).
  6. Finally put in the name of the other person you named in "Hide from", and you will find what you expect: they cannot see the information.

Message to Facebook staff: when will you ever get it right?

UPDATE: It seems that someone over at Facebook is on the ball. I posted this to a couple of forums where I know Facebook staff hang out, and it's fixed already.

The True Colours of HP Printers…

Well, I'm sure you'll remember my previous 2 articles (here and here) on HP printer cartridges, their deliberate regionalisation so that anyone who moves country has to throw away a perfectly good printer (even if it's only a few months old), and how very "not green" the whole practice is. After my original article, which "The Inquirer" picked up, HP Customer Care contacted me and indicated that the HP363 cartridges are the same as the HP02 cartridges, just localised for use in "Western Europe".

Yesterday after waiting for 6 weeks for the order, 2 packs of six HP-363 cartridges were made available to me for a not so small sum of