Ethical Hacking and The Hacker Culture

Nowadays most of us have heard the term Ethical Hacker, largely because ‘hacktivist’ groups like Anonymous have gained popularity in the media. But what exactly is Ethical Hacking? We have a general idea that it means hacking without any malicious intent, or more simply the kind of hacking the ‘good guys’ do. If we delve deeper, it means more than that: it represents a philosophy and morality popular among the hacker and hacktivist communities.

Definition

Formally, Ethical Hacking may be defined as the practice of systematically attempting to break into, or penetrate, a computer system in order to locate its weaknesses and vulnerabilities, by duplicating the actions of malicious black-hat hackers. Strictly speaking, that sentence defines Penetration Testing; ‘Ethical Hacking’ is a term coined by IBM and meant to cover a broader category than penetration testing alone. Ethical hackers carry out this testing at the request of, or while employed by, the owner of the computer system, with the owner’s authorisation and within an agreed scope, so that the owner can fix the weaknesses and make the system more secure. That authorisation is what separates ethical hacking from the black-hat activity it imitates.

Philosophy

Ethical hackers generally follow a set of moral values and a philosophy. They promote the sharing of knowledge and believe that all information should be free. They also believe that bureaucracies such as corporations are flawed systems, and they promote decentralization because it leads to a freer exchange of information. They say that hackers shouldn’t be judged by their age, race or qualifications, but only by their hacking skill. A common value of community and collaboration is also present among hackers.

I should emphasize that being an ethical hacker doesn’t necessarily mean having these qualities and following these moral values and philosophies. Hacker ethics are separate from simply being a hacker. But these ethics are very popular within the general hacking community, so they may be considered a trait of the community, if not of every individual hacker.

Before concluding I would like to share a short essay written by a hacker known by the pseudonym ‘The Mentor’ shortly after his arrest. It’s called ‘The Hacker Manifesto’, it was published in Phrack issue 7, and it is considered one of the cornerstones of hacker culture. You can find it here – http://www.phrack.org/issues/7/3.html

Email | Structure and How to Trace it

We have all, at some point in our lives, received spam telling us that we’ve won a million dollars. One day you may receive a threatening email or a plain phishing mail and want to find out who sent it and where it really came from. To do that you need to know the IP address of the mail server that sent the email. In this article I’m going to show you how to find it, after introducing you to the basics of the structure of an Internet Message or, simply, an email.

Email is one of the oldest modes of communication over a computer network (usually the Internet) and is still popular today. The email we are familiar with was already in use on the ARPANET in the early 1970s, its format was standardized in a series of RFCs in the years that followed, and it has been a core foundation of the Internet ever since. Nowadays we all use a fancy web interface or mobile app to send and read email, so we don’t have to worry about how it works. But that isn’t enough for a hacker, is it? If we don’t know the detailed intricacies of its mechanism, how can we exploit it or do something advanced with it? So, keep reading!

The Internet Message Format

The current email format is defined in RFC 5322. The format of multimedia email attachments is defined in RFC 2045 through RFC 2049 and is called Multipurpose Internet Mail Extensions, or simply MIME. You can read those RFCs for a fully detailed formal description of the structure and format of email, but it’s not necessary, as I will summarise it here. Nevertheless, if you are interested in learning more, you can check them out after reading this post.

At the most basic level, an email is a series of ASCII characters. It consists of lines of characters, each line ending with ASCII ‘CRLF’ (carriage return and line feed). The entire email can be divided into two parts, the header section and the body, separated by the first empty line. Let’s see an example email to get an idea of what we are talking about.

Delivered-To: john.doe@gmail.com
Received: by 10.200.55.226 with SMTP id e31csp1128773qtc;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
X-Received: by 10.107.131.213 with SMTP id n82mr2118112ioi.125.1476809419401;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Return-Path: 
Received: from o6.em.email.accounts.autodesk.com (o6.em.email.accounts.autodesk.com. [167.89.4.107])
        by mx.google.com with ESMTPS id g126si21395826ioa.252.2016.10.18.09.50.19
        for 
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+1621835-f4d2-john.doe=gmail.com@em.email.accounts.autodesk.com designates 167.89.4.107 as permitted sender) client-ip=167.89.4.107;
Authentication-Results: mx.google.com;
        dkim=pass header.i=@email.accounts.autodesk.com;
        dkim=pass header.i=@sendgrid.info;
        spf=pass (google.com: domain of bounces+1621835-f4d2-john.doe=gmail.com@em.email.accounts.autodesk.com designates 167.89.4.107 as permitted sender) smtp.mailfrom=bounces+1621835-f4d2-john.doe=gmail.com@em.email.accounts.autodesk.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=email.accounts.autodesk.com; h=mime-version:from:to:reply-to:subject:content-type:content-transfer-encoding; s=smtpapi; bh=yheKlMFCWTtON78IXgxVWyAUb78=; b=I8q38u7TFdqinW6Y02 AM+ifHWAvTihYfBs5GSZl8JDnuc1BlMffeS8KUkWyRJjLY+B0ch4uPXBvCHdCZ75 VGkMp0jmmQRyVzQ4hfvAeTYVJ0fDzB89cHKyTzLTpd/ak9D0OAcc+6TJFqCgURMH CSrAzDL/ejxBTOEgepL8Y3Feg=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.info; h=mime-version:from:to:reply-to:subject:content-type:content-transfer-encoding:x-feedback-id; s=smtpapi; bh=yheKlMFCWTtON78IXgxVWyAUb78=; b=YK6zoBmBYxE2GRUFIh Qze6EJGuxLw1UtO+NGfdmUgSmtNVLUt8p/N+CS9nPNONFESaVo2Ebk0iV8OBXqs0 EhPaOVOIiAcnSI/fwzd8A/dN+y3gqNquU3ysc9Gyk3kDcFSI8nj9yC4uhAs4fpMv AC/2kWdHjFjHBiTRYcL07C46M=
Received: by filter0958p1mdw1.sendgrid.net with SMTP id filter0958p1mdw1.2775.580652C7AF
        2016-10-18 16:50:15.915852162 +0000 UTC
Received: from ECPRID2AWEB004 (ec2-52-4-196-162.compute-1.amazonaws.com [52.4.196.162]) by ismtpd0006p1iad1.sendgrid.net (SG) with ESMTP id aIawJW2DTFi0CgbichcKJg for ; Tue, 18 Oct 2016 16:50:15.917 +0000 (UTC)
MIME-Version: 1.0
From: Autodesk 
To: john.doe@gmail.com
Reply-To: noreply@mail.accounts.autodesk.com
Date: 18 Oct 2016 16:50:15 +0000
Subject: Verify your Autodesk account
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
Message-ID: 
X-SG-EID: iimKsBOu00eJI3OJPONMulw6aZ/yjiemm1SqdEDLcTZBP1eHyN3Qr32i1Vdhd5J7BwflVrWhRCLr0j woo/OKUHaIA1bGmnv8Qd2DfN0OSocqGDQ8DK7afms0hcjbrNUG/S3Bsv7fJWCR15UEaoJ/qfJtpdgG gZSAdl3d07GxUEWB0KHMNBmsfHLUEhfyzWPfn5IBYcQ334wRxcWBQ/eu31XQd8fIXETIiBgrd19ic6 SiLuZKRyxs7mVzCv46+9G/
X-Feedback-ID: 1621835:SZNY+iwS6efjfOV9JjNuzvzTddPNBc3FolKu4zujGFA=:SZNY+iwS6efjfOV9JjNuzvzTddPNBc3FolKu4zujGFA=:SG
The part before the first empty line is the header of this email, and everything after it is the body. The body looks like incomprehensible garbage because this is a MIME message whose Content-Transfer-Encoding is base64: the ‘garbage’ is HTML data encoded in Base64. You can decode it with any Base64 decoder, online or with a local tool such as the base64 -d command, and get the HTML back. Anyway, we are going to focus on the header part, because all the critical information for tracing resides there; the body contains only the message.

We can see that the header section consists of header fields, each consisting of a field name and a field value separated by a colon ‘:’. A long field value may be ‘folded’: it continues on following lines that begin with whitespace, as the Received fields above do, and a parser joins those lines back together before interpreting the value. For example, a header field of this email is

Delivered-To: john.doe@gmail.com

Where ‘Delivered-To’ is the field name and ‘john.doe@gmail.com’ is the field value. Just to be clear, I replaced my original email ID with ‘john.doe@gmail.com’ here.

The header section can contain any number of fields in this format; there is no restriction, so different emails carry different sets of header fields. RFC 5322 itself makes only the Date and From fields mandatory, but RFC 5321 requires every SMTP server that relays a message to add a Received field to it, and those trace fields contain the information we need to trace the mail. You can read about the various email header fields here on Wikipedia.

Tracing an Email

Now that we know the basics of the Internet Message Format, it’s time to dive into the fun stuff: tracing the email. For that we need to concentrate on the trace fields, which, obviously, contain the information needed to trace it. RFC 5322 defines only Return-Path and Received as trace fields; the others listed below are related fields that record authentication results or automation and are read alongside them. The trace fields are:

  • Received
  • Return-Path
  • Authentication-Results
  • Received-SPF
  • Auto-Submitted
  • VBR-Info

Among these, the Received field is the most important and, for the hops added by servers you trust, the most reliable. When an SMTP server receives a message it inserts (prepends) this field at the top of the message, above every header already present. As most emails pass through several SMTP servers on the journey from sender to receiver, a message contains several Received fields, each inserted by a different server. In the example email the Received fields are:

Received: by 10.200.55.226 with SMTP id e31csp1128773qtc;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
X-Received: by 10.107.131.213 with SMTP id n82mr2118112ioi.125.1476809419401;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received: from o6.em.email.accounts.autodesk.com (o6.em.email.accounts.autodesk.com. [167.89.4.107])
        by mx.google.com with ESMTPS id g126si21395826ioa.252.2016.10.18.09.50.19
        for 
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received: by filter0958p1mdw1.sendgrid.net with SMTP id filter0958p1mdw1.2775.580652C7AF
        2016-10-18 16:50:15.915852162 +0000 UTC
Received: from ECPRID2AWEB004 (ec2-52-4-196-162.compute-1.amazonaws.com [52.4.196.162]) by ismtpd0006p1iad1.sendgrid.net (SG) with ESMTP id aIawJW2DTFi0CgbichcKJg for ; Tue, 18 Oct 2016 16:50:15.917 +0000 (UTC)

Because each SMTP server prepends its Received field when it receives the message, the topmost field is the newest. Reading them from top to bottom therefore walks the path backwards, from your mailbox towards the origin, and reading them from bottom to top gives the route in the order the email actually travelled. The value of a Received field generally contains the host name or IP address of the server that wrote it (after ‘by’) and the host name or IP address of the server it received the mail from (after ‘from’), followed by a timestamp after the final semicolon.

Another thing to note: I’ve also listed the X-Received header field. Any field whose name starts with ‘X-’ is a non-standard (extension) header and cannot be trusted in the same way as a standard one. Servers add such fields for their own purposes, and a server generally won’t trust X- headers inserted by any other server. In this case it was added by Google’s own infrastructure, so I’ve still included it because it shows an extra internal hop, keeping in mind that such fields are not reliable in general. So from the Received (and X-Received) fields of the example mail we can trace the route, and it looks like this:

  • ec2-52-4-196-162.compute-1.amazonaws.com [52.4.196.162]
  • ismtpd0006p1iad1.sendgrid.net
  • filter0958p1mdw1.sendgrid.net
  • o6.em.email.accounts.autodesk.com
  • mx.google.com
  • 10.107.131.213
  • 10.200.55.226

The email went through these servers in this order, so the host that originally submitted the email is the first one, and if that is the one you are after, you can focus on it. One caveat is essential, though: only the Received fields written by servers you trust (here Google’s, from mx.google.com upwards) can be taken at face value, because a sender can put any number of fake Received lines into a message before handing it over, and they will sit below the genuine ones. The first fact that was actually observed by your side is the connecting IP recorded by mx.google.com, 167.89.4.107; everything below that line was supplied by the sending side. In this example the lower hops are credible because the Received-SPF and Authentication-Results fields show that 167.89.4.107 is a permitted sender for the envelope domain and that both DKIM signatures verified, but in a phishing mail the lower hops may be pure fiction.
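Added worked example (my code, not part of the original post): a small Python 3 script, standard library only, that performs the manual steps described above on a constructed copy of the example message. It splits the header from the body and decodes the base64 HTML body, unfolds and parses every Received field, lists the route in travel order (ignoring X-Received), cross-checks the hop timestamps, and marks where the trusted hops end. The message is constructed from the Received lines quoted in this post; the From address and the body are made up, the Return-Path and authentication fields are omitted, and the rule that treats hosts under google.com and private (RFC 1918) addresses as the recipient’s own relays is an assumption to adjust for your own provider.

```python
"""Decode a raw message's body and walk its Received trace fields (added example)."""
import base64
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the Received lines are those quoted in the post; the
# From address and the body are made up for the example.
HEADERS = """\
Received: by 10.200.55.226 with SMTP id e31csp1128773qtc;
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received: from o6.em.email.accounts.autodesk.com (o6.em.email.accounts.autodesk.com. [167.89.4.107])
        by mx.google.com with ESMTPS id g126si21395826ioa.252.2016.10.18.09.50.19
        for <john.doe@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 18 Oct 2016 09:50:19 -0700 (PDT)
Received: by filter0958p1mdw1.sendgrid.net with SMTP id filter0958p1mdw1.2775.580652C7AF
        2016-10-18 16:50:15.915852162 +0000 UTC
Received: from ECPRID2AWEB004 (ec2-52-4-196-162.compute-1.amazonaws.com [52.4.196.162]) by ismtpd0006p1iad1.sendgrid.net (SG) with ESMTP id aIawJW2DTFi0CgbichcKJg for <john.doe@gmail.com>; Tue, 18 Oct 2016 16:50:15.917 +0000 (UTC)
MIME-Version: 1.0
From: Autodesk <noreply@example.invalid>
Date: 18 Oct 2016 16:50:15 +0000
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
"""
# One empty line separates header from body; the body is base64-encoded HTML.
RAW_MESSAGE = HEADERS + "\n" + base64.encodebytes(
    b"<html><body>Verify your account</body></html>").decode("ascii")
# 'from' clause: HELO name, then optionally (reverse-DNS name [ip]) as seen by the receiver
FROM_RE = re.compile(r"from\s+(\S+)(?:\s+\((?:(\S+?)\.?\s+)?\[(?:IPv6:)?([0-9a-fA-F.:]+)\])?", re.I)

def parse_received(value):
    """Pull from/rdns/ip/by/date out of one Received value (RFC 5321 syntax)."""
    value = " ".join(value.split())  # unfold: collapse the folding whitespace
    m = FROM_RE.match(value)
    by = re.search(r"\bby\s+(\S+)", value, re.I)
    hop = {"from": m and m.group(1), "rdns": m and m.group(2), "ip": m and m.group(3),
           "by": by and by.group(1), "date": None, "when": None, "trusted": False}
    if ";" in value:  # the timestamp follows the last semicolon
        hop["date"] = value.rsplit(";", 1)[1].strip()
        try:  # strip fractional seconds, which email.utils cannot parse
            hop["when"] = parsedate_to_datetime(re.sub(r"(\d\d:\d\d:\d\d)\.\d+", r"\1", hop["date"]))
        except (TypeError, ValueError):
            pass
    return hop

def _is_ours(host, trusted_domains):
    """Assumption: hops written by our provider's domain or by a private
    (RFC 1918) relay address are ours; adjust this for your own provider."""
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        h = host.lower().rstrip(".")
        return any(h == d or h.endswith("." + d) for d in trusted_domains)

def trace(raw, trusted_domains=("google.com",)):
    """Hops newest-first. Trust stops at the first hop not written by us:
    every line below it arrived with the message and may have been forged."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    ours = True
    for hop in hops:
        ours = ours and _is_ours(hop["by"], trusted_domains)
        hop["trusted"] = ours
    return hops

def first_verified_ip(hops):
    """Connecting IP recorded by the last trusted hop: observed by us, not claimed by the sender."""
    trusted = [h for h in hops if h["trusted"]]
    return trusted[-1]["ip"] if trusted else None

def route(hops):
    """Host names in the order the mail travelled (oldest hop first)."""
    path = []
    for hop in reversed(hops):
        for name in (hop["rdns"] or hop["from"], hop["by"]):
            if name and (not path or path[-1] != name):
                path.append(name)
    return path

def hop_delays(hops):
    """Seconds between consecutive dated hops, oldest first; negative or huge gaps betray forgery."""
    dated = [h["when"] for h in reversed(hops) if h["when"] is not None]
    return [int((b - a).total_seconds()) for a, b in zip(dated, dated[1:])]

def decode_body(raw):
    """Undo the Content-Transfer-Encoding and charset to recover the HTML."""
    msg = email.message_from_string(raw)
    return msg.get_payload(decode=True).decode(msg.get_content_charset() or "ascii")

if __name__ == "__main__":
    hops = trace(RAW_MESSAGE)
    for h in hops:
        print("trusted   " if h["trusted"] else "UNVERIFIED",
              f"from={h['rdns'] or h['from']} [{h['ip']}] by={h['by']} at {h['date']}")
    print("route:", " -> ".join(route(hops)))
    print("first verified IP:", first_verified_ip(hops), "delays:", hop_delays(hops))
    print("body:", decode_body(RAW_MESSAGE))
```

Run it as a script to see the four hops printed newest-first with their trust marking, the route in travel order, the first externally verified IP (167.89.4.107), the delays between dated hops (4 seconds from the SendGrid edge to mx.google.com, then 0) and the decoded body. For a real message, read the raw source into RAW_MESSAGE and pass your own provider’s domain to trace().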

Automating the Tracing of an Email

Although it’s good, or maybe essential, for a hacker to know how to trace an email manually, you don’t have to do it by hand every time. There are many tools on the Internet that automate this process: you just paste the email header into them and they trace its route. Search for ‘email header analyser’ on Google and you’ll find plenty of such tools. There’s one made by Google itself, you can get it here. Happy hacking!
