Glenn Greenwald is currently in the midst of a running commentary regarding a WingNut-ish piece of email he received from someone claiming to be Col. Steve Boylan. Please read Glenn’s entry cited above for background.
What follows is my contribution to the issue, in response to Glenn's request for assistance in verifying the origin of the email.
UPDATE: klondike correctly pointed out the following:
Received: from 02exbhizn02.iraq.centcom.mil (02exbhizn02.iraq.centcom.mil [214.13.200.111]) by rich.salon.com (8.12.11/8.12.11) with ESMTP id l9SBFSff004148 for <ggreenwald@salon.com>; Sun, 28 Oct 2007 04:15:36 -0700
the receiving mail server doesn't take any of this sender information "on faith". When I say I received an email from 10.0.0.1 (my.domain.com), I pulled that IP address from a lower layer of the protocol (infinitely harder to fake) and then reverse-DNSed it to my.domain.com.
In the ensuing exchange of emails between Glenn and the REAL Colonel with whom he had previously corresponded, the REAL Colonel implied that he was not the writer of the email in question. This, in spite of the distinct similarities in the writing styles of the REAL Colonel and the apparent impostor, and the fact that the originating email address and the return address in this email are identical to those in the ones the REAL Colonel had previously (and subsequently) sent to Glenn. Glenn, lacking the technical wherewithal to prove anything one way or the other, then asked for help in finding where the truth lies.
Did the Colonel send the email in question, or has there been a security breach that we ought to be worried about?
What follows is my attempt to establish whether or not the email in question can be deemed to have originated from the REAL Colonel, or whether we should all now be worried sick about a possible compromise of Department of Defense email and other electronic infrastructure. Given that the fingerprints (headers) of this email match those of the other emails the REAL Colonel had sent before (and has sent since) this email in question, I will not attempt to establish similarities here. For that exercise, go read this.
A little primer on internet communication and IP addresses:
- Every computer on the internet communicates using the TCP/IP protocol suite.
- Every computer that communicates on the internet has an Internet Protocol address (IP address).
- An IP address (or a chunk/block of IP addresses) is assigned by the internet's regional registries to a specific entity. Your ISP has a block of addresses assigned to it, and from this bucket it gives you one (or more) whenever you connect to the internet.
- There are ranges of IP addresses that are not used on the public internet, because they have been specifically reserved by the internet administrative authorities for various purposes. One of those purposes is so that the addresses can be used internally by anyone who has a network (the private ranges of RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). These addresses are non-routable: if you assign one to your computer and try to talk on the internet, nobody will talk to you, because your traffic won't get "routed" to the rest of the internet.
- It is possible to have one public IP address but have multiple computers use that address when they go out to the internet. This is usually called network address translation (NAT) or proxying, among other technical terms.
- It is possible to forge an IP address so that your computer claims someone else's. For a two-way conversation like SMTP this is not a trivial undertaking, and if it should happen it is considered a serious breach of security. I will come back to this later.
Now, having given you a little crash-course in internet communication, let’s take our knowledge and go look at the email under discussion and determine how likely it is that our REAL Colonel sent it and, if he didn’t, how distressed and concerned we must be at the apparent breach of security at our DoD.
Here is the header/signature/fingerprint/DNA of the email in question:
Return-Path: steven.boylan@iraq.centcom.mil
Please pay no particular attention to the Return-Path above. It is one of the most easily and frequently forged parts of an email message: the sending system simply writes whatever it likes there. I will now proceed to excise all other parts of the headers that have no relevance to our purpose.
....
Received: from rich.salon.com (rich.salon.com [206.80.4.124]) by mailer.salon.com (8.13.6/8.13.6) with ESMTP id l9SBFgrP024411 for <ggreenwald@mailhost.salon.com>; Sun, 28 Oct 2007 04:15:43 -0700
Received: from 02exbhizn02.iraq.centcom.mil (02exbhizn02.iraq.centcom.mil [214.13.200.111]) by rich.salon.com (8.12.11/8.12.11) with ESMTP id l9SBFSff004148 for <ggreenwald@salon.com>; Sun, 28 Oct 2007 04:15:36 -0700
Here we see many things happening, three of which are of interest to us:
Salon’s email server (whose name is rich.salon.com) has an IP address of 206.80.4.124
Salon’s email server received a piece of email for ggreenwald@salon.com FROM a mail server (whose name is 02exbhizn02.iraq.centcom.mil) that has the IP address 214.13.200.111.
Salon email server delivered the received email to ggreenwald’s mailbox.
Let’s keep moving....
Received: from INTZEXEBHIZN01.iraq.centcom.mil ([10.70.20.11]) by 02exbhizn02.iraq.centcom.mil with Microsoft SMTPSVC(6.0.3790.3959);Sun, 28 Oct 2007 14:15:05 +0300
Received: from INTZEXEVSIZN02.iraq.centcom.mil ([10.70.20.16]) by INTZEXEBHIZN01.iraq.centcom.mil with Microsoft SMTPSVC(6.0.3790.3959);Sun, 28 Oct 2007 14:15:05 +0300
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: The growing link between the U.S. military and right-wing media and blogs
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Sun, 28 Oct 2007 14:15:05 +0300
From the lines above, we see some interesting facts. Each mail server adds its own Received line to the top of the header as the message passes through it, so we read them from the bottom up, earliest hop first:
On Sunday, October 28, 2007 at 14:15:05, an email message was created on a computer whose clock was set to the UTC+3 time zone. Iraq is in this time zone (note that the offset tells us how the machine's clock is configured, not where it physically sits).
The title of the email message was The growing link between the U.S. military and right-wing media and blogs
The email was then sent to an INTERNAL email server named INTZEXEVSIZN02.iraq.centcom.mil. This server has a private, non-routable IP address (10.70.20.16), so it is not reachable from the internet and must hand the message on rather than deliver it directly. The X-MimeOLE line tells us the message was produced by Microsoft Exchange Server 2003 (aka Microsoft Exchange V6.5).
That server then sent the email to another INTERNAL mail server named INTZEXEBHIZN01.iraq.centcom.mil, which has another non-routable IP, 10.70.20.11. The Received line says it accepted the message with Microsoft SMTPSVC(6.0.3790.3959); 6.0.3790 is the Windows Server 2003 build number, so this is the Windows Server 2003 SMTP service that Exchange 2003 uses for transport, not Exchange 2000.
NOTE: By the way, transferring mail between internal servers is NORMAL. In large organizations spread over multiple geographic locations, there are multiple email servers with no direct internet connection that take email from internal clients and hand it off to other internal servers. The reasons for doing this are many, and we won’t get into them here because they have no bearing on our discussion.
Lastly, INTZEXEBHIZN01.iraq.centcom.mil handed off the email (ostensibly after running it through anti-virus scanning, "Acceptable Use Policy" checks and other internal controls) to the server that can actually deliver email to the internet. This server is named 02exbhizn02.iraq.centcom.mil. THIS IS THE SERVER THAT HANDED OFF THE EMAIL TO SALON.COM’s SERVER ABOVE. It too accepted the message with Microsoft SMTPSVC(6.0.3790.3959), the same Windows Server 2003 SMTP service.
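To make the hop-by-hop reading above mechanical, here is an added example (mine, not part of the original post) that parses the Received lines quoted above using only Python's standard library. The four headers are embedded as copied from the message so it runs offline; the regular expression handles both the sendmail form `from <helo> (<rdns> [<ip>])` and the Microsoft SMTPSVC form `from <helo> ([<ip>])`. The point it drives home is klondike's: the name after `from` is whatever the connecting system said in HELO, while the bracketed address is the TCP peer address the receiving server itself observed, and the reverse-DNS name (when present) is controlled by whoever owns that address. The forged line used at the end is constructed for illustration; 93.184.216.34 is simply a public address that is not in the DoD range.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four Received: lines from the message under discussion, top-down as
# they appear in the header (each MTA prepends its own line, so the last
# one is the earliest hop).
RECEIVED_HEADERS = [
    "from rich.salon.com (rich.salon.com [206.80.4.124]) by mailer.salon.com "
    "(8.13.6/8.13.6) with ESMTP id l9SBFgrP024411 for <ggreenwald@mailhost.salon.com>; "
    "Sun, 28 Oct 2007 04:15:43 -0700",
    "from 02exbhizn02.iraq.centcom.mil (02exbhizn02.iraq.centcom.mil [214.13.200.111]) "
    "by rich.salon.com (8.12.11/8.12.11) with ESMTP id l9SBFSff004148 "
    "for <ggreenwald@salon.com>; Sun, 28 Oct 2007 04:15:36 -0700",
    "from INTZEXEBHIZN01.iraq.centcom.mil ([10.70.20.11]) by 02exbhizn02.iraq.centcom.mil "
    "with Microsoft SMTPSVC(6.0.3790.3959); Sun, 28 Oct 2007 14:15:05 +0300",
    "from INTZEXEVSIZN02.iraq.centcom.mil ([10.70.20.16]) by INTZEXEBHIZN01.iraq.centcom.mil "
    "with Microsoft SMTPSVC(6.0.3790.3959); Sun, 28 Oct 2007 14:15:05 +0300",
]

# sendmail writes "from <helo> (<rdns> [<ip>])"; Microsoft SMTPSVC writes
# "from <helo> ([<ip>])" with no reverse-DNS name, so <rdns> is optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


@dataclass
class Hop:
    helo: str            # name the client announced in HELO/EHLO: sender-controlled
    rdns: Optional[str]  # PTR name the receiver looked up for the peer: controlled by the IP's owner
    ip: str              # TCP peer address recorded by the receiving MTA: the hard-to-fake part
    by: str              # the MTA that wrote this Received: line
    private: bool        # RFC 1918 or otherwise non-routable address


def parse_received(header: str) -> Optional[Hop]:
    """Extract one hop from a Received: header; None if the line is not in a form we understand."""
    m = HOP_RE.search(header)
    if not m:
        return None
    ip = ipaddress.ip_address(m.group("ip"))
    return Hop(m.group("helo"), m.group("rdns"), str(ip), m.group("by"), ip.is_private)


def trace(headers: List[str]) -> Tuple[List[Hop], bool]:
    """Return the hops oldest-first, plus whether each hop's 'by' host is the next hop's 'from' host."""
    hops = [h for h in (parse_received(x) for x in headers) if h is not None]
    hops.reverse()
    linked = all(hops[i].by.lower() == hops[i + 1].helo.lower() for i in range(len(hops) - 1))
    return hops, linked


def internet_handoff(hops: List[Hop]) -> Optional[Hop]:
    """Oldest hop whose peer address is publicly routable: the box that actually spoke to the outside world."""
    for hop in hops:
        if not hop.private:
            return hop
    return None


def suspicious(hops: List[Hop]) -> List[str]:
    """A cheap tell forgers leave: on a public hop, the HELO name disagrees with reverse DNS."""
    notes = []
    for hop in hops:
        if not hop.private and hop.rdns and hop.rdns.lower() != hop.helo.lower():
            notes.append(f"{hop.ip}: HELO says {hop.helo} but reverse DNS says {hop.rdns}")
    return notes


if __name__ == "__main__":
    hops, linked = trace(RECEIVED_HEADERS)
    for hop in hops:
        print(f"{'internal' if hop.private else 'public  '} {hop.ip:16} {hop.helo} -> {hop.by}")
    print("chain unbroken:", linked)
    print("handed to the internet by:", internet_handoff(hops).helo)
    print("suspicious:", suspicious(hops) or "nothing")
```

Run as-is it lists the two 10.x internal hops, then 02exbhizn02 at 214.13.200.111 as the first public hop, and reports the chain unbroken (every "by" host is the next line's "from" host). Feed it a line where the HELO name claims 02exbhizn02 but the receiver recorded a different peer and reverse-DNS name, and `suspicious` flags it; a forger controls the HELO string, not what the receiving server saw on the wire.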
The last piece of information we extract from the header is as follows:
From: "Boylan, Steven COL MNF-I CMD GRP CG PAO" <steven.boylan@iraq.centcom.mil>To: <ggreenwald@salon.com>
I highlighted this to draw attention to the fact that this is meaningless. It is easily forged, so we can’t really rely on it to say "aha! He sent it!". But, we can use that information to prove something. Let's keep going for now.....
We have, so far, established the following:
A mail server claiming to be 02exbhizn02.iraq.centcom.mil received a piece of email addressed to ggreenwald@salon.com and dutifully handed it over to Salon.com’s email server for onward delivery to ggreenwald@salon.com.
- So, WhoIs 02exbhizn02.iraq.centcom.mil?
- And is it truly communicating on the "InterTube" with an IP address of 214.13.200.111?
- If so, is this its real IP?
- If so, can it truly be linked to Iraq.centcom.mil?
- Just in case we are lucky, is this server located in Iraq by any chance?
- And, to be doubly and incorrigibly optimistic, will it actually be able to receive emails addressed to a mailbox with the email address of steven.boylan@iraq.centcom.mil?
Let’s see...
To find out who owns the IP address 214.13.200.111, we go to one of the internet registries and ask. In our case, we asked ARIN (the American Registry for Internet Numbers). Here’s what they tell us:
OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 214.0.0.0 - 214.255.255.255
CIDR: 214.0.0.0/8
According to ARIN, the DoD is allocated a huge chunk of address space (notice the /8 in the CIDR line? That is 2^24, roughly 16.7 million, IP addresses).
The IP address of the server that delivered the email to Salon’s email server is within that range.
For anyone else to originate traffic from that address, they would have had to either compromise a machine inside DoD's own network or hijack DoD's routes on the public internet (a BGP hijack). Either would itself be a serious breach of security that jeopardizes national security.
So, we know that the IP belongs to DoD. But then, what if someone actually stole it and was masquerading as a DoD server? What if there really is no 02exbhizn02.iraq.centcom.mil and this was all the work of a malicious lunatic trying to get our good Colonel in trouble?
OK, let’s see who the REAL email servers for Iraq.centcom.mil (the domain from which the email originated) are.
Let’s ask, say, one of Cisco’s DNS servers.
C:\ >nslookup
Default Server: ns1.cisco.com
Address: 128.107.241.185
> set q=mx
> iraq.centcom.mil
Server: ns1.cisco.com
Address: 128.107.241.185
Non-authoritative answer:
iraq.centcom.mil MX preference = 20, mail exchanger = victexbhizn05.iraq.centcom.mil
iraq.centcom.mil MX preference = 30, mail exchanger = 02exnlbizn.iraq.centcom.mil
iraq.centcom.mil MX preference = 99, mail exchanger = victexbhizn06.iraq.centcom.mil
iraq.centcom.mil MX preference = 40, mail exchanger = 02exbhizn01.iraq.centcom.mil
iraq.centcom.mil MX preference = 99, mail exchanger = victexbhizn02.iraq.centcom.mil
iraq.centcom.mil MX preference = 40, mail exchanger = 02exbhizn02.iraq.centcom.mil
iraq.centcom.mil MX preference = 20, mail exchanger = victexbhizn01.iraq.centcom.mil
victexbhizn05.iraq.centcom.mil internet address = 214.13.138.213
02exnlbizn.iraq.centcom.mil internet address = 214.13.200.109
victexbhizn06.iraq.centcom.mil internet address = 214.38.138.214
02exbhizn01.iraq.centcom.mil internet address = 214.13.200.110
victexbhizn02.iraq.centcom.mil internet address = 214.13.138.181
02exbhizn02.iraq.centcom.mil internet address = 214.13.200.111
victexbhizn01.iraq.centcom.mil internet address = 214.13.138.180
Look at that! There is our friend, 02exbhizn02.iraq.centcom.mil in all its infamy, and its IP address just happens to be the same one we are looking for. It also happens to be one of the published mail exchangers (MX records) for the Iraq.centcom.mil domain. Coincidence? Maybe.
But it must be said that two different servers on two different networks cannot both be reachable at the same public IP address at the same time; the internet’s routing tables send traffic for that address to one place. The exceptions, a hijack of DoD's routes or an attacker sitting on the path between DoD and Salon, are exactly the kind of serious breach mentioned earlier.
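Putting the ARIN and DNS answers above together in code, as an added example that is not part of the original post: the nslookup output and the ARIN NetRange are embedded as a snapshot so it runs offline; in a live investigation you would replace the snapshot with fresh MX/A lookups and a whois query. It checks the three things the text argues: the peer address sits inside the DoD allocation, the HELO name is a published mail exchanger for the domain, and that name resolves to the very address the Received line recorded. One caveat the text glosses over: an organization's outbound relays are not required to be its MX hosts, so the MX hit is corroboration rather than a requirement; the decisive check is that the claimed name resolves to the observed peer and the peer's reverse DNS agrees. The forged case in the test is constructed (93.184.216.34 is just a public address outside the DoD range).

```python
import ipaddress
from typing import Dict, Optional

# Snapshot of the answers quoted above (nslookup against ns1.cisco.com and
# ARIN whois for 214.13.200.111), embedded so this runs offline.
MX_RECORDS: Dict[str, int] = {  # mail exchanger -> MX preference
    "victexbhizn05.iraq.centcom.mil": 20,
    "victexbhizn01.iraq.centcom.mil": 20,
    "02exnlbizn.iraq.centcom.mil": 30,
    "02exbhizn01.iraq.centcom.mil": 40,
    "02exbhizn02.iraq.centcom.mil": 40,
    "victexbhizn06.iraq.centcom.mil": 99,
    "victexbhizn02.iraq.centcom.mil": 99,
}
A_RECORDS: Dict[str, str] = {  # mail exchanger -> A record
    "victexbhizn05.iraq.centcom.mil": "214.13.138.213",
    "02exnlbizn.iraq.centcom.mil": "214.13.200.109",
    "victexbhizn06.iraq.centcom.mil": "214.38.138.214",
    "02exbhizn01.iraq.centcom.mil": "214.13.200.110",
    "victexbhizn02.iraq.centcom.mil": "214.13.138.181",
    "02exbhizn02.iraq.centcom.mil": "214.13.200.111",
    "victexbhizn01.iraq.centcom.mil": "214.13.138.180",
}
# ARIN NetRange 214.0.0.0 - 214.255.255.255, OrgName DoD Network Information Center.
ALLOCATIONS = {"DoD Network Information Center": ipaddress.ip_network("214.0.0.0/8")}


def owner_of(peer_ip: str, allocations=ALLOCATIONS) -> Optional[str]:
    """Which registry allocation (from our snapshot) the peer address falls in, if any."""
    ip = ipaddress.ip_address(peer_ip)
    for org, net in allocations.items():
        if ip in net:
            return org
    return None


def verify_sending_host(helo: str, rdns: Optional[str], peer_ip: str,
                        mx=MX_RECORDS, a=A_RECORDS, allocations=ALLOCATIONS) -> Dict[str, object]:
    """Cross-check what a Received line claims (HELO name, reverse DNS) against what was observed (peer IP)."""
    name = helo.lower()
    peer = str(ipaddress.ip_address(peer_ip))
    findings: Dict[str, object] = {
        "owner": owner_of(peer, allocations),              # who the peer address is allocated to
        "helo_is_published_mx": name in mx,                # supporting evidence only (outbound relays need not be MX)
        "helo_resolves_to_peer": a.get(name) == peer,      # the claimed name really lives at the observed address
        "rdns_matches_helo": rdns is not None and rdns.lower() == name,
    }
    findings["consistent"] = (
        findings["owner"] is not None
        and bool(findings["helo_resolves_to_peer"])
        and bool(findings["rdns_matches_helo"])
    )
    return findings


if __name__ == "__main__":
    # The hop recorded by rich.salon.com in the message under discussion.
    for key, value in verify_sending_host("02exbhizn02.iraq.centcom.mil",
                                          "02exbhizn02.iraq.centcom.mil",
                                          "214.13.200.111").items():
        print(f"{key:24} {value}")
```

For the hop Salon recorded, every check passes: the address is in the DoD /8, the HELO name is one of the published MX hosts, it resolves to 214.13.200.111, and Salon's reverse lookup returned the same name. A forged line that borrows the DoD hostname but arrives from some other address fails the resolution and reverse-DNS checks, which is exactly the discrepancy you would look for.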
Now that we have a live server, is it the REAL thing? Does it have a mailbox with an email address that matches the address of our REAL Colonel, and will this server receive email on behalf of our REAL Colonel?
Why don’t we ask the server?
telnet 02exbhizn02.iraq.centcom.mil 25
We are just asking to talk to the mail server.
220 02exbhizn02.iraq.centcom.mil This is a Department Of Defense Computer System. DoD computer systems may be monitored for all lawful purposes. Mon, 29 Oct 2007 11:43:29 +0300
Ooooohhhh, oodles of love. This is a DoD mail server, its clock is set to the UTC+3 time zone, and because it is dutifully monitored, perhaps they will one day tell us whether an impostor is besmirching one of their Colonels. Until then, let’s move on....
Helo
This is me, just introducing myself to the server after it greeted me.
250 02exbhizn02.iraq.centcom.mil Hello [my-IP-Address]
The server said "hi" back at me and displayed my public IP address. This is how computers on the internet know whom they are communicating with (see our internet primer above).
mail from:nothing-to-do@idleminds.something
"I want to send an email, and my email address is nothing-to-do@idleminds.something", I said. Remember what I said about how easy it is to forge this FROM address? There you go.
250 2.1.0 nothing-to-do@idleminds.something....Sender OK
The server says "go ahead". So, I went ahead.
rcpt to:qasdwutdshgfds.ewsdsdsd044@blahblah.net
550 5.7.1 Unable to relay for qasdwutdshgfds.ewsdsdsd044@blahblah.net
rcpt to:dkossleuth@iraq.centcom.mil
550 5.1.1 User unknown
rcpt to:steven.boylan@iraq.centcom.mil
250 2.1.5 steven.boylan@iraq.centcom.mil
Look at the sequence of commands above very closely. In the first exchange, we asked the server to take a message for a mailbox in the domain "blahblah.net". The server answered 550 5.7.1, which is SMTP for "Nice try. I don’t take email for domains I am not responsible for, at least not from an unauthenticated stranger". In plain terms, the server refused to act as an open relay for me. Exchange, like any sensibly configured mail server, denies relaying to unauthenticated clients by default.
In the next exchange, I said "OK, how about the mailbox dkossleuth@iraq.centcom.mil?"
The server answered 550 5.1.1 User unknown: it is responsible for the Iraq.centcom.mil domain, but there is no mailbox called dkossleuth in it. This answer matters for what comes next, because a server that accepted every recipient in its domain (a so-called catch-all) would tell us nothing about which mailboxes exist.
So, I asked it to accept email for our friend steven.boylan@iraq.centcom.mil, and it said "that I can do" (250 2.1.5). Because the server had just refused a made-up name, this 250 means the mailbox really exists.
Then, just to be thorough, I pretended that I am Steve Boylan, and then asked the server to let me send an email to Glenn Greenwald at salon dot com.
Here’s the exchange:
mail from:steven.boylan@iraq.centcom.mil
250 2.1.0 steven.boylan@iraq.centcom.mil....Sender OK
The server says "go ahead". So, I went ahead.
rcpt to:ggreenwald@salon.com
550 5.7.1 Unable to relay for ggreenwald@salon.com
Again, the server says "FU". Relay permission is decided by who the connecting client is (its IP address, or whether it has authenticated), not by the address it claims in MAIL FROM, so forging a local sender address buys an outsider nothing. The sender has to authenticate to the server in order to send email to anyone OUTSIDE.
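The manual telnet session above, scripted, as an added example that is not part of the original post. `probe` replays the author's sequence (MAIL FROM an outside address; RCPT TO an outside domain, a made-up local user and the target mailbox; then a forged local sender trying to relay) against anything with smtplib's `helo`/`mail`/`rcpt`/`rset` methods and turns the reply codes into findings. `ScriptedSmtp` is a constructed stand-in that replays the replies 02exbhizn02 gave, with switches to imitate an open relay and a catch-all server, so the block runs offline; `probe_live` points the same logic at a real server over the network, which you should only do against systems you are authorized to test. The 5.1.1 result is what gives the 250 for the Colonel's mailbox its weight: a catch-all server would have said 250 to dkossleuth too, so the mailbox is reported as confirmed only when a bogus user is refused.

```python
import smtplib
from typing import Dict, Tuple

Reply = Tuple[int, bytes]


class ScriptedSmtp:
    """Constructed stand-in for smtplib.SMTP that replays the replies 02exbhizn02 gave above.
    open_relay / catch_all let the same probe be exercised against misconfigured servers."""

    def __init__(self, domain="iraq.centcom.mil", mailboxes=("steven.boylan",),
                 open_relay=False, catch_all=False):
        self.domain = domain.lower()
        self.mailboxes = {m.lower() for m in mailboxes}
        self.open_relay = open_relay
        self.catch_all = catch_all

    def helo(self, name="") -> Reply:
        return 250, b"02exbhizn02.iraq.centcom.mil Hello [client]"

    def mail(self, sender: str) -> Reply:
        return 250, f"2.1.0 {sender}....Sender OK".encode()   # MAIL FROM is always accepted: it proves nothing

    def rcpt(self, recip: str) -> Reply:
        local, _, domain = recip.rpartition("@")
        if domain.lower() != self.domain:                      # not our domain: this is a relay request
            if self.open_relay:
                return 250, f"2.1.5 {recip}".encode()
            return 550, f"5.7.1 Unable to relay for {recip}".encode()
        if local.lower() not in self.mailboxes and not self.catch_all:
            return 550, b"5.1.1 User unknown"
        return 250, f"2.1.5 {recip}".encode()

    def rset(self) -> Reply:
        return 250, b"2.0.0 Resetting"


def probe(conn, domain: str, target_local: str, probe_sender: str,
          external_rcpt: str, bogus_local: str = "dkossleuth") -> Dict[str, bool]:
    """Replay the manual session; conn is smtplib.SMTP or anything with the same helo/mail/rcpt/rset."""
    target = f"{target_local}@{domain}"
    conn.helo()
    conn.mail(probe_sender)
    relay_code, _ = conn.rcpt(external_rcpt)               # outside domain: should be refused (5.7.1)
    bogus_code, _ = conn.rcpt(f"{bogus_local}@{domain}")   # made-up local user: should be 5.1.1
    target_code, _ = conn.rcpt(target)                     # the mailbox we actually care about
    conn.rset()                                            # a new MAIL FROM needs a fresh transaction
    conn.mail(target)                                      # forge the target as the sender
    forged_relay_code, _ = conn.rcpt(external_rcpt)        # does a local-looking sender buy relay rights?
    return {
        "open_relay": relay_code == 250,
        "validates_recipients": bogus_code == 550,
        # A 250 to the target only proves existence if the server refuses made-up users.
        "target_mailbox_confirmed": target_code == 250 and bogus_code == 550,
        "relays_for_forged_local_sender": forged_relay_code == 250,
    }


def probe_live(host: str, **kwargs) -> Dict[str, bool]:
    """Same probe over the network. Only run against servers you are authorized to test."""
    with smtplib.SMTP(host, 25, timeout=20) as conn:
        return probe(conn, **kwargs)


if __name__ == "__main__":
    result = probe(ScriptedSmtp(), "iraq.centcom.mil", "steven.boylan",
                   "nothing-to-do@idleminds.something", "qasdwutdshgfds.ewsdsdsd044@blahblah.net")
    for key, value in result.items():
        print(f"{key:32} {value}")
```

Against the scripted replies the probe reports no open relay, recipient validation on, the target mailbox confirmed, and no relay for a forged local sender, which is the author's reading of the session. Flip `catch_all=True` and the mailbox is no longer reported as confirmed even though the server says 250 to it, because it said 250 to the made-up user as well.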
My Conclusion:
- We established that the mail server that handed the hate mail to Glenn’s salon.com mailbox is a DoD server, at an IP address allocated to the DoD.
- This server’s name is in the Iraq.centcom.mil domain, its clock is set to Iraq’s time zone, and it is one of the published mail exchangers (MX hosts) for that domain.
- It has the same name and IP address as the server in the headers, and it answers with the same Microsoft SMTP service.
- It has a mailbox for steven.boylan@iraq.centcom.mil
- The server is NOT mis-configured, at least not in the way that it will permit external parties to send emails through it to another mailserver.
- We know that, even if you forged the FROM address, the server will still not let you relay email messages unless you are authenticated.
- What we do not know is whether or not someone internal to Centcom/DoD is impersonating the good Colonel and sending hate mails in his name.
- What we also do not know is whether or not some people with better skills than I have employed here have found a way to route emails through centcom/DoD’s servers without the requisite authentication.
- Perhaps, since the good Colonel indicated that he had been a victim of identity theft, someone had also been able to compromise his electronic identity and is now using it to misuse Centcom/DoD’s electronic resources.
- Whatever it may be, IF the good Colonel continues to deny that he sent the email in question, and IF we must believe him (him being a Colonel and all), then the Colonel is telling us that he (or his electronic access to DoD’s network) has been compromised. In which case, I think it will be prudent for the Colonel to proactively ask for a thorough investigation of this possibility.
The Colonel, I am sure, is an honorable person and has the best interest of our nation in mind in everything he does.
Or, maybe Glenn forged all of this, including all the headers of all the other emails he says the REAL Colonel had previously sent to him, and the ones he has subsequently sent thereafter.