Information Gathering Part 2: Email header analysis
Sup,
in the second part of my information gathering posts I want to say something about email header analysis and the information you can read out of a header, a.k.a. "how to get IPs via emails".
This is just a translation of my original German post on J0hnX3r.org.
1. How to see the information
To see the email header you have to install an email client like Thunderbird on your PC.
To see the extended email information in Thunderbird:
Select the email you want to analyze > View > Message Source
or
Select the email > Ctrl+U (Strg+U on a German keyboard)
Every email client shows the header in a different way,
but the client does not change anything in the header itself; it stays the same in every client you use.
2. How is such an email header built up?
Thanks to montaxx for the email he sent me; I'll use it here as the test object.
From - Thu Mar 11 20:06:14 2010
X-Account-Key: account2
X-UIDL: UID3-1267740838
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <[email protected]>
Envelope-to: [email protected]
Received: from fmmailgate03.web.de ([217.72.192.234])
by cn04.oleco.net with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1Npnhh-000IxY-FP
for [email protected]; Thu, 11 Mar 2010 20:05:53 +0100
Received: from smtp06.web.de (fmsmtp06.dlan.cinetic.de [172.20.5.172])
by fmmailgate03.web.de (Postfix) with ESMTP id 67A60143B1596
for <[email protected]>; Thu, 11 Mar 2010 20:05:09 +0100 (CET)
Received: from [12.345.67.89] (helo=[192.168.1.100])
by smtp06.web.de with asmtp (TLSv1:AES256-SHA:256)
(WEB.DE 4.110 #314)
id 1Npngy-0006RN-00
for [email protected]; Thu, 11 Mar 2010 20:05:08 +0100
Message-ID: <[email protected]>
Date: Thu, 11 Mar 2010 20:05:10 +0100
From: montaxx <[email protected]>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: [email protected]
Subject: Kostenlose =?ISO-8859-15?Q?Penisverl=E4ngerung?=
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
Sender: [email protected]
X-Sender: [email protected]
X-Provags-ID: V01U2FsdGVkX19CYzu4/AFWSFIJvYkOC/wqBg5tdVIQraa4qAVT
7yZOSya/AG1SQ1uObm45gu+bYIFd0bWqfL/BYvUztoDDbE4Kx7
b0jZs0Y4U=
X-Spam-Score: 0.2
X-Spam-Report: 0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in
headers
0.6 J_CHICKENPOX_12 BODY: 1alpha-pock-2alpha
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.0000]
2.0 RATWR10_MESSID Message-ID has ratware pattern (HEXHEX.HEXHEX@)
0.0 NO_RDNS2 Sending MTA has no reverse DNS

hi n0va von Thunderbird
3. How to understand the given information
From - Thu Mar 11 20:06:14 2010
date and time of receipt
X-UIDL: UID3-1267740838
UIDL stands for Unique IDentifier Listing; it lets the client avoid downloading emails it has already fetched.
Return-path: <[email protected]>
The address the sender gives as the one to answer to (it may differ from the sender's email address).
Envelope-to: [email protected]
recipient email address
Received: from fmmailgate03.web.de ([217.72.192.234])
by cn04.oleco.net with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1Npnhh-000IxY-FP
for [email protected]; Thu, 11 Mar 2010 20:05:53 +0100
Tells us that the recipient's mail server cn04.oleco.net received the mail from the sender's mail server fmmailgate03.web.de (IP address 217.72.192.234) on 11 March 2010 at 20:05:53.
+0100 is the timezone of the recipient server; ESMTP is the protocol extension with which the mail was transmitted.
Received: from smtp06.web.de (fmsmtp06.dlan.cinetic.de [172.20.5.172])
by fmmailgate03.web.de (Postfix) with ESMTP id 67A60143B1596
for <[email protected]>; Thu, 11 Mar 2010 20:05:09 +0100 (CET)
Here you can see the SMTP server and some more information.
Received: from [12.345.67.89] (helo=[192.168.1.100])
by smtp06.web.de with asmtp (TLSv1:AES256-SHA:256)
(WEB.DE 4.110 #314)
id 1Npngy-0006RN-00
for [email protected]; Thu, 11 Mar 2010 20:05:08 +0100
Where you see [12.345.67.89] is the IP address of the sender (censored here for privacy reasons). You can also see that the server uses ASMTP as the protocol.
By the way, you can see here my email address with the date of reception.
Message-ID: <[email protected]>
Date: Thu, 11 Mar 2010 20:05:10 +0100
The Message-ID is a kind of identification for emails, so every email can be told apart from every other one.
From: montaxx <[email protected]>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
Here you can see some interesting details about the sender, for example that he uses Thunderbird version 2.0.0.23 and that the operating system is Windows.
The digits after "Windows/" must be a date; I can say with high likelihood that the sender uses Windows 7.
Subject: Kostenlose =?ISO-8859-15?Q?Penisverl=E4ngerung?=
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
The "Subject:" line tells us the subject of the mail (obvious explanation is obvious).
Content-Type: tells us that the email content is plain text with the charset ISO-8859-15.
hi n0va von Thunderbird
The actual, visible part of the mail: the content.
On the interwebs you can find some tools that can help you with email header analysis, like the following:
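To make the reading of the Received chain above concrete, here is an added Python example (not part of the original post): it parses a constructed message modelled on the header layout shown, walks the hops in transit order (the bottom Received line is the first hop, because every mail server prepends its own line), separates the connecting address from a private LAN address that the client announced in HELO, measures the transit time between the hop timestamps, and decodes the MIME-encoded subject. All hostnames, addresses and ids in it are placeholders I made up (example.org / example.net, RFC 5737 documentation IPs), not the values from the post.

```python
import re
import ipaddress
from email import message_from_string
from email.header import decode_header
from email.utils import parsedate_to_datetime

# Constructed sample message modelled on the header layout discussed above.
# Hosts, addresses and ids are placeholders, not values from the original post.
RAW_MESSAGE = """\
Return-Path: <alice@example.org>
Received: from mailgate.example.org ([203.0.113.10])
 by mx.example.net with esmtp (Exim 4.69)
 id 1AbCdE-000123-Fg
 for bob@example.net; Thu, 11 Mar 2010 20:05:53 +0100
Received: from [198.51.100.7] (helo=[192.168.1.100])
 by mailgate.example.org with asmtp (TLSv1:AES256-SHA:256)
 id 1AbCdD-000456-Hi
 for bob@example.net; Thu, 11 Mar 2010 20:05:08 +0100
Message-ID: <4B993C86.1060700@example.org>
Date: Thu, 11 Mar 2010 20:05:10 +0100
From: Alice <alice@example.org>
To: bob@example.net
Subject: Termin =?ISO-8859-15?Q?best=E4tigen?=
Content-Type: text/plain; charset=ISO-8859-15

hallo bob
"""

# One Received line: "from <sender> by <receiver> [with <proto>] ... ; <date>"
RECEIVED_RE = re.compile(
    r"^from\s+(?P<from_clause>.+?)\s+by\s+(?P<by>\S+)"
    r"(?:\s+with\s+(?P<proto>\S+))?"
    r".*?;\s*(?P<date>.+)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# RFC 1918 ranges: an address from here cannot be the peer that connected
# over the internet; it was announced by the client itself (e.g. in HELO).
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    """True for RFC 1918 private addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_received(value):
    """Split one Received header into its from/by/protocol/IP/time parts."""
    flat = " ".join(value.split())          # undo header folding
    match = RECEIVED_RE.match(flat)
    if not match:
        return None
    from_clause = match.group("from_clause")
    return {
        "from": from_clause,
        "by": match.group("by"),
        "proto": match.group("proto"),
        # first address is the connecting peer; later ones come from HELO etc.
        "ips": IPV4_RE.findall(from_clause),
        "time": parsedate_to_datetime(match.group("date")),
    }


def hop_chain(raw):
    """Return the relay hops in transit order (origin first).

    Each MTA prepends its own Received line, so the header order is
    newest first; reversing it gives the path the mail actually took.
    """
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h is not None]


def origin_ip(hops):
    """Non-private address that handed the mail to the first relay, if any."""
    for ip in (hops[0]["ips"] if hops else []):
        if not is_lan(ip):
            return ip
    return None


def private_addresses(hops):
    """Private addresses leaked into the chain, e.g. via HELO."""
    return [ip for h in hops for ip in h["ips"] if is_lan(ip)]


def transit_seconds(hops):
    """Seconds between the first and the last relay timestamp."""
    if len(hops) < 2:
        return 0
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())


def decode_subject(raw):
    """Decode RFC 2047 encoded words such as =?ISO-8859-15?Q?...?= ."""
    subject = message_from_string(raw)["Subject"] or ""
    out = []
    for part, charset in decode_header(subject):
        if isinstance(part, bytes):
            part = part.decode(charset or "ascii", errors="replace")
        out.append(part)
    return "".join(out)


if __name__ == "__main__":
    chain = hop_chain(RAW_MESSAGE)
    for n, hop in enumerate(chain, 1):
        print(f"hop {n}: {hop['from']} -> {hop['by']} "
              f"via {hop['proto']} at {hop['time'].isoformat()}")
    print("origin IP:", origin_ip(chain))
    print("private addresses leaked:", private_addresses(chain))
    print("transit time:", transit_seconds(chain), "s")
    print("subject:", decode_subject(RAW_MESSAGE))
```

Only the bottom-most Received line is written by a server you do not control yourself, and every hop above it was added by a server that already had the mail; that is why the origin address is read from the last line, and why anything further down in a forged header cannot be trusted at all.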
http://www.mxtoolbox.com/Public/Tools/EmailHeaders.aspx
http://headertool.apelord.com/headers
Just paste the email header in and look at the result.
Further information:
http://th-h.de/faq/headerfaq.php
http://de.wikipedia.org/wiki/Header_%28E-Mail%29
4. What can I do with the gained information?
Attackers use the given information to map the (target) network and to understand it better.
Some websites use their own POP and SMTP servers, so the target's attack surface gets bigger.
Imagine the POP server is not updated or has a security flaw; then the owner may get some problems.
Or imagine:
Person A has a website + domain and uses whois protection, but a private mail address; the POP server was registered with the real name of Person A.
Attacker X wants to know the real name of Person A. He writes Person A an email with (for example) a question to prompt a reply.
Person A answers the mail and sends his own information without even noticing it.
Attacker X does a whois on Person A's POP server and gets the desired information.
FIN
Thank you for recommending our Email Header Analyzer Tool, it can be really helpful in parsing out the source of an email header and placing it in a more readable format.
We would also recommend our Email Header Guide, it shows you how to pull email headers for almost every email client out there. Check it out at: http://community.mxtoolbox.com/blog/2009/05/18/how-to-get-email-headers-a-guide-from-mxtoolbox/
Thanks again,
@MxToolBox
nice post. thanks.
Valuable info. Lucky me I found your site by accident, I bookmarked it.