week 6-1 Chapter 9-Kim presentation.ppt

Email

• Email can open doors for attacks. Email can be used to:
  – Contact or solicit victims (Nigerian schemes)
  – Coax people into providing personal identifiers, or into visiting websites that ask for this information
  – Deliver messages containing malicious code

Email Headers

• Emails pass through a number of computers on the way from the sender to the recipient, and pick up data at each computer they pass through.
• Email headers can be forged. Only the lines added by servers you control (the topmost Received: lines, written by your own mail server) are trustworthy; everything below them arrived inside the message and could have been written by the sender.
• Headers are read from bottom to top: the bottom Received: line is the first hop, the top one is the last.
• The originating IP can lead back to a suspect.

Email Headers

• Anonymizers: a sender can log in through a proxy, or use an email service that hides the IP. The message will then appear to come from a different country, from inside the US, or with no originating IP at all.
• Headers are created by the email servers that process messages for delivery. Not every server adds detailed information to the header.
  – What gets added depends on the email protocol used. A protocol is a system of digital message rules for exchanging messages.
  – SMTP is the protocol for transmitting email across the Internet.

Email Tracing

• Other common protocols used for email:
  – Post Office Protocol (POP)
  – Internet Message Access Protocol (IMAP)
• These protocols are used for communication between the user's email program and the user's email server. The header information is generated by SMTP: each SMTP hop adds a Received: line, whereas fetching the message over POP or IMAP adds none.

[Figure: Example of common email transmission and use of protocols. Email users submit mail to email servers over SMTP, the servers relay it across the Internet over SMTP, and recipients retrieve it from their own server over POP or IMAP.]

• SMTP email header structure:
  – The fields are loosely organized in a layered, bottom-to-top sequence.
  – The first field is on the bottom; subsequent fields are added on top, in the order they are written.
• The first email server to receive the message via SMTP is the first to add information to the header.
• The second email server adds information next.
• Then the third email server adds information, and so on until the destination is reached.
• How many email servers a message passes through depends on the networks it passes through.
[Figure: Email User → (SMTP) → First Email Server → 2 → 3 … We send the email to the server via SMTP; the first email server receiving the message via SMTP creates detailed header information about this.]

Example of the header written by a single first server (the actual fields added will vary):

    Received: from jqs.seadog.org ([192.168.1.143]) by sgisrv1.seadog.org with Microsoft SMTPSVC(5.0.2195.5329); Wed, 23 Oct 2012 18:02:28 -0700
    Message-ID: <[email protected]>
    From: "John Q. Smith" [email protected]
    To: [email protected]
    Subject: Kittens for sale
    Date: Wed, 23 Oct 2012 17:56:38 -0700
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="---=_NextPart_000_001C_01C27ABD.890FD900"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Note that 192.168.1.143 is a private (RFC 1918) address: it identifies the sending machine only on the network behind sgisrv1.seadog.org and cannot be traced across the Internet. The lead in that case is the server's own logs, not a public lookup of the address.

Step 1: Find the Originating Email Address

    Microsoft Mail Internet Headers Version 2.0
    Received: from SEARCH.ORG ([64.162.18.2]) by sgisrv1.seadog.org with Microsoft SMTPSVC(5.0.2195.3779); Wed, 16 Oct 2012 09:03:22 -0700
    Received: from web12608.mail.yahoo.com ([216.136.173.231]) by SEARCH.ORG with SMTP (IOA-IPAD 2.54) id 3548400; Wed, 16 Oct 2012 09:08:38 -0800
    Message-ID: <[email protected]>
    Received: from [207.93.64.85] by web12608.mail.yahoo.com via HTTP; Wed, 16 Oct 2012 09:03:21 PDT
    Date: Wed, 16 Oct 2012 09:03:21 -0700 (PDT)
    From: John Doe <[email protected]>
    Subject: Fwd: Free kittens?
    To: [email protected]
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="0-1242707647-1034784201=:26523"
    Return-Path: [email protected]
    X-OriginalArrivalTime: 16 Oct 2012 16:03:22.0330 (UTC) FILETIME=[8D3C1BA0:01C2752D]

• The originating email address is on the line that begins with "From" (line 7 of the header as Outlook displays it, counting the "Microsoft Mail Internet Headers" banner as line 1). It is the address the message claims to come from, and it is the easiest field for a sender to forge.

Step 2: Find the Originating IP Address

• Start at the beginning line: the bottom Received: line (line 5 here), since each server inserts its own Received: line above the ones already present.
• The first Received line is read as follows: This message was received from a computer identified by the IP address 207.93.64.85 by a computer identified as web12608.mail.yahoo.com on Wednesday, October 16, 2012, at 09:03:21 PDT, according to the clock of the receiving computer.
• Each timestamp is the receiving server's own clock. Here SEARCH.ORG records 09:08:38 -0800 (17:08 UTC), five minutes after sgisrv1.seadog.org says it received the message from SEARCH.ORG (09:03:22 -0700, 16:03 UTC), so SEARCH.ORG's clock or time zone is off. Do not treat any single server's stamp as authoritative.
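The two steps above carried out in code against the headers on this page. This is an added example, not code from the slides: it uses only the Python standard library, reads the Received: lines bottom to top as the slides describe, and adds the two checks a practitioner runs before trusting a hop: whether the recorded IP is routable at all, and whether the hop timestamps (each from the receiving server's own clock) run backwards. The inputs are the "Kittens for sale" and "Free kittens?" headers above and the relay.mail.sohu.com header shown further down the page, trimmed to the fields used; addresses appear redacted on the page ("[email protected]") and are left as they appear. The regular expressions, the Hop record and the function names are my own.

```python
"""Trace a message back through its Received: lines (added example, not from the slides)."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Inputs: the header examples from this page, trimmed to the fields used here.
# Addresses are redacted on the page ("[email protected]") and left as they appear.
# Outlook's "Microsoft Mail Internet Headers Version 2.0" banner is omitted: it is
# not a header field, and the parser would treat it as the end of the headers.
KITTENS_FOR_SALE = """\
Received: from jqs.seadog.org ([192.168.1.143]) by sgisrv1.seadog.org with Microsoft SMTPSVC(5.0.2195.5329); Wed, 23 Oct 2012 18:02:28 -0700
From: "John Q. Smith" [email protected]
"""
FREE_KITTENS = """\
Received: from SEARCH.ORG ([64.162.18.2]) by sgisrv1.seadog.org with Microsoft SMTPSVC(5.0.2195.3779); Wed, 16 Oct 2012 09:03:22 -0700
Received: from web12608.mail.yahoo.com ([216.136.173.231]) by SEARCH.ORG with SMTP (IOA-IPAD 2.54) id 3548400; Wed, 16 Oct 2012 09:08:38 -0800
Received: from [207.93.64.85] by web12608.mail.yahoo.com via HTTP; Wed, 16 Oct 2012 09:03:21 PDT
From: John Doe <[email protected]>
"""
NEW_ORDER = """\
Received: by 10.142.49.14 with SMTP id w14cs214738wfw; Mon, 29 Nov 2010 04:37:49 -0800 (PST)
Received: by 10.100.208.11 with SMTP id f11mr4279224ang.93.1291034268320; Mon, 29 Nov 2010 04:37:48 -0800 (PST)
Received: from relay.mail.sohu.com ([61.135.132.136]) by mx.google.com with ESMTP id c30si13144727ana.21.2010.11.29.04.37.44; Mon, 29 Nov 2010 04:37:48 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 61.135.132.136 as permitted sender) client-ip=61.135.132.136;
Received: from siamdream777pc (unknown [210.72.13.21]) by relay.mail.sohu.com (Postfix) with ESMTPA id A1DBB3A5C76B for <[email protected]>; Mon, 29 Nov 2010 20:37:28 +0800 (CST)
From: "[email protected]"<[email protected]>
"""

# "from <client> by <server> ... with <protocol>"; the from clause is optional
# (Gmail's internal hops have none) and the date follows the last ';'.
HOP_RE = re.compile(r"^(?:from\s+(?P<frm>.+?)\s+)?by\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<proto>\S+))?")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")         # IP the receiving server saw
SPF_IP_RE = re.compile(r"client-ip=(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Hop:
    frm: Optional[str]        # "from" clause as written: HELO name plus comment, forgeable
    ip: Optional[str]         # client IP in [brackets], recorded by the receiving server
    by: str                   # server that wrote this line
    proto: Optional[str]      # e.g. ESMTPA = ESMTP with SMTP AUTH (RFC 3848)
    when: Optional[datetime]  # receiving server's own clock, normalised to UTC
    routable: bool            # False for private/loopback/etc.: not traceable on the Internet


def sender_address(raw: str) -> str:
    """Step 1: the From: line. It is the address the message claims to come from."""
    return message_from_string(raw).get("From", "")


def parse_hops(raw: str) -> List[Hop]:
    """Received: lines in the order the message actually travelled (earliest first)."""
    hops = []
    # get_all() returns the lines top to bottom; every server prepends its own
    # line, so the bottom one is the first hop. Reverse for chronological order.
    for line in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(str(line).split())           # unfold continuation lines
        head, sep, stamp = text.rpartition(";")
        if not sep:
            head, stamp = text, ""
        m = HOP_RE.match(head)
        if not m:
            continue                                  # not a from/by trace line
        ipm = IP_RE.search(m.group("frm") or "")
        ip = ipm.group(1) if ipm else None
        try:
            when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        except (TypeError, ValueError):               # unparsable or missing date
            when = None
        hops.append(Hop(m.group("frm"), ip, m.group("by"), m.group("proto"), when,
                        ip is not None and ipaddress.ip_address(ip).is_global))
    return hops


def originating_ip(hops: List[Hop]) -> Optional[str]:
    """Step 2: the client IP in the earliest Received: line. Trust it only as far
    as you trust the server that wrote that line; every line below your own
    server's Received: arrived inside the message and could be forged."""
    return next((h.ip for h in hops if h.ip), None)


def clock_anomalies(hops: List[Hop]) -> List[tuple]:
    """Each stamp is the receiving server's own clock, so a hop stamped earlier
    than the previous hop means a skewed clock or a fabricated line.
    Returns (server, seconds it runs backwards) for each such hop."""
    return [(cur.by, int((prev.when - cur.when).total_seconds()))
            for prev, cur in zip(hops, hops[1:])
            if prev.when and cur.when and cur.when < prev.when]


def spf_checked_ip(raw: str) -> Optional[str]:
    """The IP an SPF pass vouches for: the relay that handed the message to the
    checking server, which is normally not the machine that wrote it."""
    m = SPF_IP_RE.search(message_from_string(raw).get("Received-SPF", ""))
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, raw in (("Kittens for sale", KITTENS_FOR_SALE),
                      ("Free kittens?", FREE_KITTENS), ("New Order", NEW_ORDER)):
        hops = parse_hops(raw)
        print(f"== {name}  From: {sender_address(raw)}")
        for i, h in enumerate(hops):
            print(f"  hop {i}: {h.frm or '(none)'} -> {h.by}  with={h.proto}  "
                  f"at={h.when}  routable={h.routable}")
        print(f"  originating IP: {originating_ip(hops)}  SPF checked: {spf_checked_ip(raw)}"
              f"  clock anomalies: {clock_anomalies(hops)}")
```

On the "Free kittens?" header the chain comes out as web12608.mail.yahoo.com, then SEARCH.ORG, then sgisrv1.seadog.org, the originating IP is 207.93.64.85, and the clock check flags sgisrv1.seadog.org's stamp as 3916 seconds earlier than SEARCH.ORG's. On the single-hop "Kittens for sale" header the originating IP 192.168.1.143 is reported as not routable. On the sohu.com header the originating IP is 210.72.13.21, submitted with ESMTPA (an authenticated session, so the relay holds the account used), while the SPF pass vouches only for the relay 61.135.132.136.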
[Figure: the same chain drawn as hops. Email User (207.93.64.85) → 1st Server (web12608.mail.yahoo.com) → SEARCH.ORG → sgisrv1.seadog.org.]

A second example, a message relayed through sohu.com and received by Gmail:

    Delivered-To: [email protected]
    Received: by 10.142.49.14 with SMTP id w14cs214738wfw; Mon, 29 Nov 2010 04:37:49 -0800 (PST)
    Received: by 10.100.208.11 with SMTP id f11mr4279224ang.93.1291034268320; Mon, 29 Nov 2010 04:37:48 -0800 (PST)
    Return-Path: <[email protected]>
    Received: from relay.mail.sohu.com ([61.135.132.136]) by mx.google.com with ESMTP id c30si13144727ana.21.2010.11.29.04.37.44; Mon, 29 Nov 2010 04:37:48 -0800 (PST)
    Received-SPF: pass (google.com: domain of [email protected] designates 61.135.132.136 as permitted sender) client-ip=61.135.132.136;
    Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 61.135.132.136 as permitted sender) [email protected]
    Received: from siamdream777pc (unknown [210.72.13.21]) by relay.mail.sohu.com (Postfix) with ESMTPA id A1DBB3A5C76B for <[email protected]>; Mon, 29 Nov 2010 20:37:28 +0800 (CST)
    Reply-To: [email protected]
    From: "[email protected]"<[email protected]>
    To: "sgainer78"<[email protected]>
    Subject: Re: New Order
    Date: Mon, 29 Nov 2010 12:37:39 +0000
    Message-Id: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----=_NextPart_10112912212598700252415_000"
    X-Priority: 3
    X-Mailer: DreamMail 4.6.8.2
    X-SOHU-Antispam-Bayes: 0

• Read bottom to top: the message was submitted from a machine calling itself siamdream777pc at 210.72.13.21 (Postfix writes "unknown" when the client has no matching reverse DNS) to relay.mail.sohu.com with ESMTPA, that is, over an SMTP session that authenticated to an account, so the relay holds the account used. The relay handed it to mx.google.com, and the two "Received: by 10.x.x.x" lines are Gmail's internal hops on private addresses.
• The SPF pass (Received-SPF and Authentication-Results) vouches only for 61.135.132.136 being a permitted sender for the sohu.com domain. It says nothing about 210.72.13.21 or about who sits behind the account, so the originating IP still has to be read from the bottom Received: line.

Virus/Malware Expert

• Kim Grillo, Internet security specialist
  – Working for USPIS, FBI, HLS and other agencies
  – Currently with a private Internet security firm
  – Experience working with various forms of malicious code
  – Determines how the code works and who did it ...
  • Fall '16
