Computer Security - Email header help

 
Old 11-14-2003, 11:31 PM   #1
Default Email header help


I have a header, I need to get as much information as possible from
it. It is from an email sent inter-office off an Exchange 6 server.
What I wanted was the intranet IPs, but it seems they aren't present.
I do think there is a SID...

The question is, is there any way I can convert all the code into
plain text? Certain parts are readable (the content plus the email
to/from address), but I want to know what all the remaining code
refers to.

I need to be able to prove the email was internal and try to track the
exact machine it came from.

One more note; the Exchange server has been rebuilt since this
happened.

Any ideas?


tpeters
Old 11-15-2003, 03:09 AM   #2
Colonel Flagg
 
Default Re: Email header help
In article <>,
says...
> I have a header, I need to get as much information as possible from
> it. It is from an email sent inter-office off an Exchange 6 server.
> What I wanted was the intranet IPs, but it seems they aren't present.
> I do think there is a SID...
>
> The question is, is there any way I can convert all the code into
> plain text? Certain parts are readable (the content plus the email
> to/from address), but I want to know what all the remaining code
> refers to.
>
> I need to be able to prove the email was internal and try to track the
> exact machine it came from.
>
> One more note; the Exchange server has been rebuilt since this
> happened.
>
> Any ideas?
>




I would tell you more, but you left out the header so I don't have
enough informa....


--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness™ as the new industry standard..."

"...I see stupid people."


Old 11-15-2003, 05:30 AM   #3
tpeters
 
Default Re: Email header help
Here you go...the part after the substring info and before the message
content is below.

I tried ASCII and Base64 encoding to figure it out, no luck.

Produced By Microsoft Exchange V6.0.6249.0

On Fri, 14 Nov 2003 22:09:01 -0500, Colonel Flagg
<> wrote:

>In article <>,
> says...
>> I have a header, I need to get as much information as possible from
>> it. It is from an email sent inter-office off an Exchange 6 server.
>> What I wanted was the intranet IPs, but it seems they aren't present.
>> I do think there is a SID...
>>
>> The question is, is there any way I can convert all the code into
>> plain text? Certain parts are readable (the content plus the email
>> to/from address), but I want to know what all the remaining code
>> refers to.
>>
>> I need to be able to prove the email was internal and try to track the
>> exact machine it came from.
>>
>> One more note; the Exchange server has been rebuilt since this
>> happened.
>>
>> Any ideas?
>>

>
>
>
>I would tell you more, but you left out the header so I don't have
>enough informa....




Old 11-15-2003, 05:57 AM   #4
Colonel Flagg
 
Default Re: Email header help
In article <>,
says...

> Here you go...the part after the substring info and before the message
> content is below.
>
> I tried ASCII and Base64 encoding to figure it out, no luck.



You sure that's the header and not the message body? The header should
be routing information tagged onto it as it was sent/received... course
that could be the way Exchange does it internally... beats me, I use a
real mail server...

How did you obtain this info? Are you viewing the actual message in
Outlook or from a log/spool? If you're viewing in Outlook, you should be
able to right click and view the properties, then the raw header..

~shrugs~



--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness™ as the new industry standard..."

"...I see stupid people."


Old 11-15-2003, 04:31 PM   #5
tpeters
 
Default Re: Email header help - pro_003.txt (0/1)
Exchange mail that does not leave the subdomain doesn't get headers
like mail that does; the to/from IPs and any stops in between aren't
included.

This data is from a raw extraction, the code behind the email if you
will. The entire extract includes substring data, data pertaining to
the visual aspect of the message, the message content itself and the
data I have included here. While there is to/from data, it only
includes the email addresses since both individuals reside on the same
domain.

I will attach the info as a txt file.

A little history behind all of this, I am a senior sys admin - not an
IT Security person. A friend, out of state, is involved in an issue
where enternal emails from his work address were sent, which were not
good content wise, while he was out of the country.

I did a little friendly consulting for him right after the situation
all blew up and advised his company employ an IT Security firm to do
an investigation and provide a report that would be useable in court.

They did - I am out of the picture.

Later, my friend contacts me again saying the emails do not have any
headers, servers have been reloaded, the situation looks bleak.

Well, pardon my French, but my ass they can't find anything. He
started sending the files and I started looking them over.

I have the whole thing down except for one section of data I can't
figure out. I have taken Exchange 2000 admin and design, neither
class covers this and Microsoft isn't forthcoming about what their
code is written in or pertains to.

Attached is the section of code I am working on.

Thanks,

T

On Sat, 15 Nov 2003 00:57:51 -0500, Colonel Flagg
<> wrote:

>In article <>,
> says...
>
>> Here you go...the part after the substring info and before the message
>> content is below.
>>
>> I tried ASCII and Base64 encoding to figure it out, no luck.

>
>
>You sure that's the header and not the message body? The header should
>be routing information tagged onto it as it was sent/received... course
>that could be the way Exchange does it internally... beats me, I use a
>real mail server...
>
>How did you obtain this info? Are you viewing the actual message in
>Outlook or from a log/spool? If you're viewing in Outlook, you should be
>able to right click and view the properties, then the raw header..
>
>~shrugs~




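Post #5's point that mail staying inside one Exchange organization carries no hop-by-hop routing headers can be checked on any exported message. The following is an added example, not code from the thread: the sample messages, host names and addresses are constructed, and treating RFC 1918 ranges as "internal" is an assumption.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: "internal" means RFC 1918 space; adjust to the site's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample: a message that was relayed over SMTP.
RELAYED = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby mail.example.com with ESMTP; Fri, 14 Nov 2003 21:58:03 -0500
Received: from ws042.corp.example.com ([10.1.4.42])
\tby mx.example.net with SMTP; Fri, 14 Nov 2003 21:58:01 -0500
From: a@example.com
To: b@example.com

body
"""
# Constructed sample: same-organization delivery, no transport headers at all.
LOCAL = "From: a@example.com\nTo: b@example.com\n\nbody\n"


def received_hops(raw):
    """Return (from-clause, ip-or-None) per Received header, oldest hop first."""
    hops = []
    # Each relay prepends its header, so the last one in the file is the oldest.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        match = IP_RE.search(text)
        try:
            ip = ipaddress.ip_address(match.group(1)) if match else None
        except ValueError:
            ip = None                           # bracketed text was not an IP
        hops.append((text.split(" by ")[0], ip))
    return hops


def assess(raw):
    """Classify what the headers alone can support about the message's path."""
    known = [ip for _, ip in received_hops(raw) if ip is not None]
    if not known:
        return "no-routing-data"    # headers neither prove nor disprove origin
    if all(any(ip in net for net in INTERNAL_NETS) for ip in known):
        return "internal-only"
    return "crossed-public-network"
```

Received lines below the first server you control are supplied by the sender and can be forged, so the oldest hop is a lead to corroborate against other evidence rather than proof of the originating machine.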