The Hunt
by phil on Aug.07, 2008, under Security
Last night I got a request from a friend for help dealing with someone sending harassing emails. He wanted to know how hard it would be to trace back someone’s IP to find out who they are. All I knew was that the person used a Hotmail address to send the email, so I asked for the email headers from the original email. Email headers are a part of every single email and are basically a log of how that email got from that person to you. Luckily Hotmail adds something special to the email headers: X-Originating-IP.
X-Originating-IP: The IP address of the computer on which the email originated.
When you use a web based email service like Hotmail, Yahoo! or Gmail, the service adds the X-Originating-IP header to the email. Most people think they can simply create a fake account on one of these web based email services and be completely anonymous. There are ways to make it anonymous, but I’ll get to those later.
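To make the header walk concrete, here is an added example (not code from the original post): it parses a constructed raw message with Python's standard `email` module, pulls out X-Originating-IP, lists the Received hops oldest-first, and keeps only the hops stamped by mail servers you control, since every line below those could have been written by the sender. The host names and addresses are assumptions drawn from the RFC 5737 documentation ranges, not real systems.

```python
"""Pull the originating IP out of raw email headers.

Added example; it is not code from the original post. It assumes the
message is available as a raw RFC 5322 string (the sample below is
constructed and uses RFC 5737 documentation addresses, not real hosts).
"""
import email
import ipaddress
import re

# Constructed sample headers, modelled on a webmail message that was
# relayed through one intermediate MX before reaching the recipient.
SAMPLE_RAW = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby mail.example.org with ESMTP id abc123;"
    " Thu, 7 Aug 2008 01:12:03 -0400\n"
    "Received: from webmail-out.example.com ([198.51.100.20])\n"
    "\tby mx.example.net with ESMTP; Thu, 7 Aug 2008 01:12:01 -0400\n"
    "X-Originating-IP: [203.0.113.45]\n"
    "From: someone@example.com\n"
    "To: victim@example.org\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)

# Dotted-quad IPv4 literal, not glued to other digits or dots.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# The "by <host>" clause names the server that wrote a Received line.
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def _unfold(value):
    """Collapse folded header continuation lines into one line."""
    return " ".join(value.split())


def originating_ip(raw):
    """Return the X-Originating-IP value (brackets stripped), or None."""
    msg = email.message_from_string(raw)
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    match = IPV4_RE.search(value)
    return match.group(1) if match else None


def received_hops(raw):
    """Received lines, oldest first, each as (by_host, [ips found])."""
    msg = email.message_from_string(raw)
    hops = []
    # Headers are prepended as the mail travels, so the bottom one is oldest.
    for line in reversed(msg.get_all("Received", [])):
        line = _unfold(line)
        by = BY_RE.search(line)
        hops.append((by.group(1).lower() if by else None, IPV4_RE.findall(line)))
    return hops


def trusted_hops(raw, my_hosts):
    """Keep only the Received lines stamped by hosts you control.

    Anything older in the chain arrived inside the message and could have
    been forged by the sender; only your own servers' stamps are reliable.
    """
    mine = {h.lower() for h in my_hosts}
    return [hop for hop in received_hops(raw) if hop[0] in mine]


def is_routable(ip):
    """False for private, loopback, link-local and documentation ranges.

    A non-routable X-Originating-IP means the webmail front end saw a NAT
    or internal address, so the public address must come from the Received
    chain instead. Note that ipaddress also treats the RFC 5737 blocks used
    in SAMPLE_RAW as non-global.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_global


if __name__ == "__main__":
    print("X-Originating-IP:", originating_ip(SAMPLE_RAW))
    for by, ips in received_hops(SAMPLE_RAW):
        print(f"received by {by}: {ips}")
    print("trusted:", trusted_hops(SAMPLE_RAW, ["mail.example.org"]))
```

Feed it the raw source of a message and the list of your own mail servers' host names; the trusted hops tell you which neighbouring server handed the mail over, and X-Originating-IP, when present and routable, is the address the webmail provider recorded for the sender's browser session.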
With email headers in hand I went to my favorite web resource: Domain Dossier at CentralOps.net. It gives me a wealth of information while keeping my IP out of the target’s logs, and it combines all the tools I would otherwise run by hand (nslookup, traceroute, whois, nmap, etc.) into one click.
It takes about 10 seconds to run through the whole search. After reading through the report I saw the person had a web server running on port 80 (Ubuntu, if you must know). So the first thing I did was fire up Firefox to see if they had a website. I was hoping they would be hosting their own personal website and that would be the end of this. When the site loaded I was greeted with the words “Holder Page”. No formatting, just those words. But having the server running gave me some hope. So I fired up my copy of Backtrack (I have a love-hate relationship with Backtrack, see my previous entry) and ran the tool Nikto.
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
It gave me a plethora of lovely information. Not much at first but I just let it run for an hour.
After waiting for the scan to finish I noticed something interesting. The web server had a folder sitting off of root called pics. I went back to Firefox, typed in our harasser’s IP and added /pics/ to the end. Since directory indexing was still enabled on the server (which should really be turned off, people) I was able to get a listing of all the pictures this person was “secretly” sharing with the rest of the world. I saved all the pictures to my hard drive and sent them off to my friend, who was able to identify the person sending the harassing emails and confront him with the evidence I put together for him.
How could all of this have been avoided?
It’s really simple to avoid this sort of thing, so I’m just going to give a quick list:
Use Tor. Tor, while slow, would have made it impossible to trace back.
Use the library or a school. While it would have given me the person’s school or approximate location, my searches would have ended there.
Don’t run your own web server on the same connection you’re sending harassing emails from. Doubly so if you’re going to store pictures on that server.
Use a web service that doesn’t log X-Originating-IP. I won’t tell you where you can find these, but Google is a good resource.
Don’t send harassing emails to people you know.
Update: According to my friend, once he brought some of the evidence I sent him to the person we suspected of sending the email, he confessed. Mission accomplished!
