Q: How can the hacker hide his IP sending an email by Lotus Domino 5.0.7 SMTP? ( No Answer,   2 Comments )
Question  
Subject: How can the hacker hide his IP sending an email by Lotus Domino 5.0.7 SMTP?
Category: Computers > Security
Asked by: diegosala-ga
List Price: $5.00
Posted: 24 Jul 2002 12:27 PDT
Expires: 24 Jul 2002 13:59 PDT
Question ID: 44675
I received an email from a user in my company with a trojan in it.
Unfortunately I can't track him because the email's header doesn't
contain his IP and he obviously used a fake non-existent email
address.

I want to know: HOW DID HE SEND IT without his IP being tracked by the
company SMTP he used (that always logs my IP when I use it!)?


Header syntax is like this:
Received: from <ip address> by <SMTP ip address>



This is an example (the server names and ip are not those of my case)
of the normal situation:

Received: (from majordomo@localhost)
	by postal.sdsc.edu (8.11.6/8.11.6/server/38) id g42J7lH25129
	for contactsw-out; Thu, 2 May 2002 12:07:47 -0700 (PDT)
Received: from mail1.winona.msus.edu (mail1.winona.edu [199.17.131.28])
	by postal.sdsc.edu (8.11.6/8.11.6/server/38) with ESMTP id g42J7jn25124;
	Thu, 2 May 2002 12:07:46 -0700 (PDT)
Received: from jfrancioni ([10.4.10.7])
          by mail1.winona.msus.edu (Lotus Domino Release 5.0.7)
          with ESMTP id 2002050214062309:13360 ;
          Thu, 2 May 2002 14:06:23 -0500 


What happened in his message is that the third (last) "Received"
block, with his IP (10.4.10.7 in the example) didn't come up!
The last (first chronologically) SMTP server (mail1.winona.msus.edu in
the example) in my real case is a Lotus Domino Release 5.0.7 ESMTP too
and it is in Finland, so it's impossible that he had physical access
to that server.

I tried to install and use an SMTP daemon on my PC, but the company
SMTP (any of the chain) tracks my IP (the IP of my SMTP daemon) down.

I suppose he hacked that Lotus Domino 5.0.7 ESMTP not to put the
"Received" block.

With the answer I must be able to reproduce what the "hacker" could
have done to hide his IP.

Thanks

Request for Question Clarification by calebu2-ga on 24 Jul 2002 12:45 PDT
diego,

Was there anything unusual about the intermediate steps of the
process?

Eg. the second step in your example was :
Received: from mail1.winona.msus.edu (mail1.winona.edu
[199.17.131.28]) by postal.sdsc.edu (8.11.6/8.11.6/server/38) with
ESMTP id g42J7jn25124;

If the 199.17.131.28 or mail1.winona.edu part did not tie in with what
the original part of the header says, then they probably used a fake
mail server to send the email.

All that happens at each step of the email forwarding is that the next
server takes the original message and header, prepends its own server
information and routing information and forwards it along the chain.

So somebody could easily make up a fake header and get a fake mail
server to forward it - but where it should show up (if the mail
servers closest to you are working) is as a bad/phony IP address on
one of the "received from lines".

Let me know if that is the kind of suggestion you were looking for. If
not, I'll pass and let one of the super-gurus have their $0.02 on it.

Regards

calebu2-ga
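Added example (not code from the question, the answerer, or any Domino documentation): a Python script that unfolds a Received: chain, walks it in chronological order (bottom block first, since each server prepends its own line, as calebu2 explains), checks that each hop's "by" host "ties in" with the next hop's "from" host, and reports the earliest client address the chain actually records. The first sample is the header quoted in the question; the other two are constructed from it: one with the Domino server's block removed, which is the situation Diego describes, and one with a forged bottom hop naming a hypothetical relay "mailgw.example.net" that no real server ever received from. The hostnames and addresses in the forged sample are made up for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Sample 1: the "normal situation" header quoted in the question (three hops).
NORMAL_HEADER = """\
Received: (from majordomo@localhost)
    by postal.sdsc.edu (8.11.6/8.11.6/server/38) id g42J7lH25129
    for contactsw-out; Thu, 2 May 2002 12:07:47 -0700 (PDT)
Received: from mail1.winona.msus.edu (mail1.winona.edu
[199.17.131.28])
    by postal.sdsc.edu (8.11.6/8.11.6/server/38) with ESMTP id
g42J7jn25124;
    Thu, 2 May 2002 12:07:46 -0700 (PDT)
Received: from jfrancioni ([10.4.10.7])
    by mail1.winona.msus.edu (Lotus Domino Release 5.0.7)
    with ESMTP id 2002050214062309:13360 ;
    Thu, 2 May 2002 14:06:23 -0500
"""

# Sample 2 (constructed): the case from the question. The Domino server wrote no
# Received block for its client, so the chain starts one hop later.
TRUNCATED_HEADER = "\n".join(NORMAL_HEADER.splitlines()[:8]) + "\n"

# Sample 3 (constructed, hypothetical hosts): a forged bottom hop that claims a
# relay "mailgw.example.net" which the next real server never heard from.
FORGED_HEADER = TRUNCATED_HEADER + """\
Received: from victim-pc ([192.0.2.9])
    by mailgw.example.net with ESMTP id 000001;
    Thu, 2 May 2002 13:59:00 -0500
"""

FIELD_START = re.compile(r"^[!-9;-~]+:")  # RFC 822 field name followed by ':'
RECEIVED = re.compile(
    r"^\s*(?:\((?P<local>[^)]*)\)\s*)?"                     # "(from user@localhost)" local injection
    r"(?:from\s+(?P<helo>\S+)(?:\s*\((?P<fromcomment>[^)]*)\))?\s*)?"
    r"by\s+(?P<by>\S+)(?:\s*\((?P<software>[^)]*)\))?",
    re.IGNORECASE,
)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw: str) -> List[str]:
    """Join folded header lines. Any line that does not start a new field is a
    continuation; the question's sample was re-wrapped by the forum, so some
    continuation lines lack the leading whitespace RFC 822 requires."""
    fields: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if FIELD_START.match(line) or not fields:
            fields.append(line.strip())
        else:
            fields[-1] += " " + line.strip()
    return fields


def parse_received(raw: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per Received: field, top of header first."""
    hops: List[Dict[str, Optional[str]]] = []
    for field in unfold(raw):
        name, _, value = field.partition(":")
        if name.lower() != "received":
            continue
        m = RECEIVED.match(value)
        if not m:
            hops.append({"helo": None, "ip": None, "rdns": None, "by": None,
                         "software": None, "local": value.strip()})
            continue
        comment = m.group("fromcomment") or ""
        ip = IPV4.search(comment) or IPV4.search(m.group("helo") or "")
        hops.append({
            "helo": m.group("helo"),                       # name the client announced
            "ip": ip.group(1) if ip else None,             # address the server saw
            "rdns": IPV4.sub("", comment).strip() or None, # reverse lookup, if recorded
            "by": m.group("by"),
            "software": m.group("software"),
            "local": m.group("local"),
        })
    return hops


def analyse_chain(raw: str) -> Dict[str, object]:
    """Walk the hops oldest-first and report the earliest recorded origin plus
    any hop whose 'by' host is not what the next server says it received from."""
    chain = list(reversed(parse_received(raw)))
    if not chain:
        return {"hops": 0, "origin_ip": None, "handoff_mismatches": []}
    mismatches: List[str] = []
    for prev, nxt in zip(chain, chain[1:]):
        if nxt["helo"] is None and nxt["by"] == prev["by"]:
            continue  # local re-injection on the same host (the majordomo hop)
        if prev["by"] not in (nxt["helo"], nxt["rdns"]):
            mismatches.append(
                f"{prev['by']} claims to have relayed the message, but "
                f"{nxt['by']} recorded receiving it from {nxt['helo']} [{nxt['ip']}]")
    first = chain[0]
    ip = first["ip"]
    return {
        "hops": len(chain),
        "origin_from": first["helo"] or first["local"],
        "origin_ip": ip,
        "origin_ip_private": ipaddress.ip_address(ip).is_private if ip else None,
        "first_recorder": first["by"],
        "first_recorder_software": first["software"],
        "handoff_mismatches": mismatches,
    }


if __name__ == "__main__":
    for label, hdr in (("normal", NORMAL_HEADER), ("truncated", TRUNCATED_HEADER),
                       ("forged", FORGED_HEADER)):
        print(label, analyse_chain(hdr))
```

On the full sample the earliest hop is the Domino server recording 10.4.10.7 (a private address, so an internal client). On the truncated sample the chain bottoms out at postal.sdsc.edu recording 199.17.131.28, which is the Domino server itself: nothing in the header says who submitted to it, and no parser can recover that. On the forged sample the handoff check fires because the next genuine server recorded the message as coming from mail1.winona.msus.edu, not from the claimed relay; this is the "does not tie in" symptom calebu2 describes, and its absence in Diego's header is what rules a forged bottom hop out.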

Clarification of Question by diegosala-ga on 24 Jul 2002 13:31 PDT
> Was there anything unusual about the intermediate steps of
> the process?

It doesn't seem so.

> If the 199.17.131.28 or mail1.winona.edu part did not tie in
> with what the original part of the header says, then they probably
> used a fake mail server to send the email.

I don't understand what you mean.
In the real message the first two "Received" blocks are recorded by
two public (not fake) and TESTED WORKING company SMTPs. The third
block, where normally the SMTP you used records your IP, is
missing(!).
 
> So somebody could easily make up a fake header and get a fake mail
> server to forward it - but where it should show up (if the mail
> servers closest to you are working) is as a bad/phony IP address on
> one of the "received from lines".

The fact is that if he used a fake mail server, the last
(chronologically) smtp (or pop3?) server would have recorded the fake
mail server IP anyway. (Or not?)
I tried the fake mail server but I had my fake mail server (my PC) IP
tracked down on the first "Received" block.
 
> Let me know if that is the kind of suggestion you were looking for.

I'm searching for more conclusive advice. Thanks anyway for trying.

Diego
Answer  
There is no answer at this time.

Comments  
Subject: Re: How can the hacker hide his IP sending an email by Lotus Domino 5.0.7 SMTP?
From: remaker-ga on 24 Jul 2002 12:50 PDT
 
Lotus Domino uses a proprietary protocol (like Microsoft Exchange
does) for the connection from the Mail User Agent (MUA) to the server.

It is entirely possible to open a Lotus Domino session from anywhere
on the Internet, and the only IP address you will know is the first
SMTP hop (the Lotus server).  The Lotus system (as well as Exchange)
does not provide the address of the original server in the headers.

There are also some older SMTP servers that will not track the IP
address of the original sender, and spammers love those.  See
www.mail-abuse.org/tsi/ar-fix.html for details on Lotus spam
weaknesses and features.
Subject: Re: How can the hacker hide his IP sending an email by Lotus Domino 5.0.7 SMTP?
From: diegosala-ga on 24 Jul 2002 13:41 PDT
 
> Lotus Domino uses a proprietary protocol (like Microsoft Exchange
> does) for the connection from the Mail Use Agent (MUA) to the
server.

I think it has a proprietary protocol AND regular SMTP too.
In fact I used it by entering "telnet <ip> 25" at the command prompt.
 
> It is entirely possible to open a Lotus Domino session from anywhere
> on the Internet, and the only IP address you will know is the first
> SMTP hop (the Lotus server).  The Lotus system (as well as exchange)
> do not provide the address of the original server in the headers.

Do you mean the original person's PC IP or the original Lotus server
IP?
Does "Entirely possible" mean that it's a default setting or that it's
possible in some specific configurations?

Diego
