Email header help

Discussion in 'Computer Security' started by tpeters, Nov 14, 2003.

  1. tpeters

    tpeters Guest

    I have a header, I need to get as much information as possible from
    it. It is from an email sent inter-office off an Exchange 6 server.
    What I wanted was the intranet IPs, but it seems they aren't present.
    I do think there is a SID...

    The question is, is there any way I can convert all the code into
    plain text? Certain parts are readable (the content plus the email
    to/from address), but I want to know what all the remaining code
    refers to.

    I need to be able to prove the email was internal and try to track the
    exact machine it came from.

    One more note; the Exchange server has been rebuilt since this
    happened.

    Any ideas?
    tpeters, Nov 14, 2003
    #1

  2. In article <>,
    says...
    > I have a header, I need to get as much information as possible from
    > it. It is from an email sent inter-office off an Exchange 6 server.
    > What I wanted was the intranet IPs, but it seems they aren't present.
    > I do think there is a SID...
    >
    > The question is, is there any way I can convert all the code into
    > plain text? Certain parts are readable (the content plus the email
    > to/from address), but I want to know what all the remaining code
    > refers to.
    >
    > I need to be able to prove the email was internal and try to track the
    > exact machine it came from.
    >
    > One more note; the Exchange server has been rebuilt since this
    > happened.
    >
    > Any ideas?
    >




    I would tell you more, but you left out the header so I don't have
    enough informa....


    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Nov 15, 2003
    #2

  3. tpeters

    tpeters Guest

    Here you go...the part after the substring info and before the message
    content is below.

    I tried ASCII and Base64 encoding to figure it out, no luck.



    Produced By Microsoft Exchange V6.0.6249.0

    On Fri, 14 Nov 2003 22:09:01 -0500, Colonel Flagg
    <> wrote:

    >In article <>,
    > says...
    >> I have a header, I need to get as much information as possible from
    >> it. It is from an email sent inter-office off an Exchange 6 server.
    >> What I wanted was the intranet IPs, but it seems they aren't present.
    >> I do think there is a SID...
    >>
    >> The question is, is there any way I can convert all the code into
    >> plain text? Certain parts are readable (the content plus the email
    >> to/from address), but I want to know what all the remaining code
    >> refers to.
    >>
    >> I need to be able to prove the email was internal and try to track the
    >> exact machine it came from.
    >>
    >> One more note; the Exchange server has been rebuilt since this
    >> happened.
    >>
    >> Any ideas?
    >>

    >
    >
    >
    >I would tell you more, but you left out the header so I don't have
    >enough informa....
    tpeters, Nov 15, 2003
    #3
  4. In article <>,
    says...

    > Here you go...the part after the substring info and before the message
    > content is below.
    >
    > I tried ASCII and Base64 encoding to figure it out, no luck.
    >
    >
    >



    You sure that's the header and not the message body? The header should
    be routing information tagged onto it as it was sent/received... course
    that could be the way Exchange does it internally... beats me, I use a
    real mail server... :)

    How did you obtain this info? Are you viewing the actual message in
    Outlook or from a log/spool? If you're viewing in Outlook, you should be
    able to right click and view the properties, then the raw header..

    ~shrugs~



    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Nov 15, 2003
    #4
  5. tpeters

    tpeters Guest

    Re: Email header help - pro_003.txt (0/1)

    Exchange mail that does not leave the subdomain doesn't get headers
    like mail that does; the to/from IPs and any stops in between aren't
    included.

    This data is from a raw extraction, the code behind the email if you
    will. The entire extract includes substring data, data pertaining to
    the visual aspect of the message, the message content itself and the
    data I have included here. While there is to/from data, it only
    includes the email addresses since both individuals reside on the same
    domain.

    I will attach the info as a txt file.

    A little history behind all of this, I am a senior sys admin - not an
    IT Security person. A friend, out of state, is involved in an issue
    where enternal emails from his work address were sent, which were not
    good content wise, while he was out of the country.

    I did a little friendly consulting for him right after the situation
    all blew up and advised his company employ an IT Security firm to do
    an investigation and provide a report that would be useable in court.

    They did - I am out of the picture.

    Later, my friend contacts me again saying the emails do not have any
    headers, servers have been reloaded, the situation looks bleak.

    Well, pardon my French, but my ass they can't find anything. He
    started sending the files and I started looking them over.

    I have the whole thing down except for one section of data I can't
    figure out. I have taken Exchange 2000 admin and design, neither
    class covers this and Microsoft isn't forthcoming about what their
    code is written in or pertains to.

    Attached is the section of code I am working on.

    Thanks,

    T

    On Sat, 15 Nov 2003 00:57:51 -0500, Colonel Flagg
    <> wrote:

    >In article <>,
    > says...
    >
    >> Here you go...the part after the substring info and before the message
    >> content is below.
    >>
    >> I tried ASCII and Base64 encoding to figure it out, no luck.
    >>
    >>
    >>

    >
    >
    >You sure that's the header and not the message body? The header should
    >be routing information tagged onto it as it was sent/received... course
    >that could be the way Exchange does it internally... beats me, I use a
    >real mail server... :)
    >
    >How did you obtain this info? Are you viewing the actual message in
    >Outlook or from a log/spool? If you're viewing in Outlook, you should be
    >able to right click and view the properties, then the raw header..
    >
    >~shrugs~
    tpeters, Nov 15, 2003
    #5
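
The dump posted in #3 opened with the four bytes `LZFu`, which is the COMPTYPE marker of Exchange's compressed-RTF body format (MS-OXRTFCP, the PR_RTF_COMPRESSED property), so it holds the message body rather than routing headers, and ASCII or Base64 decoding will not open it. The decoder below is an added example, not code from anyone in this thread; `decompress_rtf`, `PREBUF` and `SAMPLE` are names chosen here, the sample stream is constructed, and the header CRC is not verified.

```python
import struct

# Initial dictionary content defined by MS-OXRTFCP (207 bytes).
PREBUF = (rb"{\rtf1\ansi\mac\deff0\deftab720{\fonttbl;}{\f0\fnil \froman \fswiss "
          rb"\fmodern \fscript \fdecor MS Sans SerifSymbolArialTimes New Roman"
          rb"Courier{\colortbl\red0\green0\blue0" + b"\r\n"
          + rb"\par \pard\plain\f0\fs20\b\i\u\tab\tx")
# Constructed sample stream (CRC field zeroed; it is not checked below).
SAMPLE = bytes.fromhex(
    "2d000000 2b000000 4c5a4675 00000000"   # COMPSIZE, RAWSIZE, 'LZFu', CRC
    "03000a0072637067313235"                # reads as ASCII 'rcpg125' in a dump
    "42320af32068656c090020 627705b06c647d0a800fa0")

def decompress_rtf(blob: bytes) -> bytes:
    """Decode a compressed-RTF value; returns the RTF bytes decoded so far."""
    if len(blob) < 16:
        raise ValueError("too short for a compressed-RTF header")
    comp_size, raw_size, comp_type, _crc = struct.unpack_from("<II4sI", blob)
    if comp_type == b"MELA":                # stored without compression
        return blob[16:16 + raw_size]
    if comp_type != b"LZFu":
        raise ValueError(f"unknown COMPTYPE {comp_type!r}")
    window = bytearray(4096)                # 4 KiB circular dictionary
    window[:len(PREBUF)] = PREBUF
    wpos, out, pos = len(PREBUF), bytearray(), 16
    end = min(len(blob), comp_size + 4)     # COMPSIZE excludes its own 4 bytes

    def emit(byte: int) -> None:            # every output byte also enters the window
        nonlocal wpos
        out.append(byte)
        window[wpos] = byte
        wpos = (wpos + 1) % 4096

    while pos < end:
        control, pos = blob[pos], pos + 1
        for bit in range(8):                # low bit first
            is_ref = control >> bit & 1
            if pos + (2 if is_ref else 1) > end:
                return bytes(out)           # truncated input: keep what decoded
            if is_ref:                      # 12-bit offset, 4-bit length
                ref, pos = int.from_bytes(blob[pos:pos + 2], "big"), pos + 2
                offset, length = ref >> 4, (ref & 0xF) + 2
                if offset == wpos:          # reference to write position = end
                    return bytes(out)
                for i in range(length):     # byte-wise: runs may overlap
                    emit(window[(offset + i) % 4096])
            else:                           # literal byte
                emit(blob[pos])
                pos += 1
    return bytes(out)
```

On a real extract, feed the function the bytes starting four bytes before `LZFu` and work from a binary copy of the property, since a dump pasted as text has usually lost bytes.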