Forensics
RE: message-id formatting Mar 30 2007 07:02AM
Glenn Dardick (gdardick dardick net)
All,

My apologies, I thought I had sent out the following to the list, but it
only went to Santiago.

It is a summary of what we found. Also, the famkruithof.net links were
very informative as well as Wiki entries on UUIDs and GUIDs

Regards,
Glenn

=================================================

Thanks Santiago (and Scott Talkovic, Chuck Swiger, and everyone else)

SUMMARY
-------
It's interesting. The examples of the mac.com webmail server-created
message-id's that you (Santiago) sent use a time based version 1 UUID,
whereas the Mac client-created message-id's use a random based version 4
UUID (http://www.famkruithof.net/guid-uuid-make.html).

This question originated because of two emails with suspect
message-id's. None of the messages were recorded in the mail logs of the
receiving email server, but were nonetheless in the user's IMAP email
account.

However, one of the two message-id's did appear previously in the
receiving email server's log files. All UUID's are supposed to be
unique.

It would appear that the message-id in the email headers for one of the
bogus emails was copied from a previous email and the second was either
user generated (http://www.famkruithof.net/uuid/uuidgen) or copied.
Since the emails do not show up in the receiving email server's logs, it
would further appear that they were placed by the user into the IMAP
inbox folder.

Glenn
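As an added example (not part of the original thread), a small Python checker that applies the distinction drawn in the summary: it pulls the UUID out of a Message-ID, reads the version and variant nibbles, unpacks the RFC 4122 timestamp, clock-sequence and node fields for version-1 values, and flags any UUID that occurs more than once in a set of headers. The sample ids are quoted from the thread with the archive's address obfuscation undone, except the last one, which is constructed; note that for these webmail ids the 60-bit timestamp field decodes to a date in 1582, so the version nibble, clock sequence and node carry the signal, not the decoded time.

```python
import re
import uuid
from collections import Counter
from datetime import datetime, timedelta, timezone

# UUID, optional suffix such as "-Webmail-10022", "@", domain; angle brackets optional.
UUID_MSGID_RE = re.compile(
    r"^<?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})(?:-[^@]*)?@([^>]+)>?$")
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # v1 clock origin, 100 ns ticks


def parse_message_id(msgid):
    """Return version/variant and, for version 1, timestamp/clock_seq/node; None if not a UUID."""
    m = UUID_MSGID_RE.match(msgid.strip())
    if not m:
        return None
    u = uuid.UUID(m.group(1))
    info = {"uuid": str(u).upper(), "domain": m.group(2).lower(),
            "version": u.version, "variant": u.variant}
    if u.variant == uuid.RFC_4122 and u.version == 1:
        info["clock_seq"] = u.clock_seq  # 14-bit counter, bumped on clock resets
        info["node"] = "%012X" % u.node  # 48-bit node id, normally the MAC address
        info["timestamp"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    return info


def triage(msgids, expected_versions=(1, 4)):
    """Flag reused UUIDs (copied ids) and ids outside the expected generator versions."""
    seen = Counter()
    findings = []
    for raw in msgids:
        info = parse_message_id(raw)
        if info is None:
            findings.append((raw, "not a UUID-shaped message-id"))
            continue
        seen[info["uuid"]] += 1
        if seen[info["uuid"]] > 1:
            findings.append((raw, "UUID already seen: possible copied message-id"))
        if info["version"] not in expected_versions:
            findings.append((raw, "unexpected UUID version %r" % info["version"]))
    return findings


# Sample input: ids quoted in the thread (one occurs twice there) plus a constructed non-UUID id.
SAMPLE_IDS = [
    "27945F5D-0111-1000-A5C1-5D2B1F2782EA-Webmail-10022@mac.com",
    "CFBAAF5C-0111-1000-B04E-7E750C8E852F-Webmail-10016@mac.com",
    "<5B2DCFA0-DE9E-4D2D-8E83-4F75AC6A6FB4@mac.com>",
    "CFBAAF5C-0111-1000-B04E-7E750C8E852F-Webmail-10016@mac.com",
    "<20070320.1234@example.invalid>",
]
```

Running `triage(SAMPLE_IDS)` reports the repeated CFBAAF5C id and the non-UUID id; passing `expected_versions=(1,)` additionally flags the client-generated version-4 id as coming from a different generator.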

-----Original Message-----
From: Santiago Barahona [mailto:sant-bar (at) dsv.su (dot) se]
Sent: Tuesday, March 20, 2007 4:26 AM
To: Glenn Dardick
Subject: Re: message-id formatting

Take a look:

These IDs are generated by the webmail servers,

27945F5D-0111-1000-A5C1-5D2B1F2782EA-Webmail-10022@mac.com
E08DEE5D-0111-1000-AEAD-1D90B73E1CC1-Webmail-10009@mac.com
E08DEE5D-0111-1000-AEB5-1D90B73E1CC1-Webmail-10009@mac.com
E08DEE5D-0111-1000-AEBC-1D90B73E1CC1-Webmail-10009@mac.com
E08DEE5D-0111-1000-AEB9-1D90B73E1CC1-Webmail-10009@mac.com
E08DEE5D-0111-1000-AEBF-1D90B73E1CC1-Webmail-10009@mac.com
E08DEE5D-0111-1000-AEC2-1D90B73E1CC1-Webmail-10009@mac.com
CFBAAF5C-0111-1000-B048-7E750C8E852F-Webmail-10016@mac.com
CFBAAF5C-0111-1000-B04B-7E750C8E852F-Webmail-10016@mac.com
CFBAAF5C-0111-1000-B04E-7E750C8E852F-Webmail-10016@mac.com
CFBAAF5C-0111-1000-B056-7E750C8E852F-Webmail-10016@mac.com
CFBAAF5C-0111-1000-B04E-7E750C8E852F-Webmail-10016@mac.com
F30B185C-0111-1000-B0C3-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B0E9-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B0EC-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B0EF-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B0F2-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B109-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B10E-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B118-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B11F-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B127-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B137-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B13F-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B143-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B145-2E7CE27455B3-Webmail-10020@mac.com
F30B185C-0111-1000-B14F-2E7CE27455B3-Webmail-10020@mac.com

These by the client:

5B2DCFA0-DE9E-4D2D-8E83-4F75AC6A6FB4@mac.com
6AA2C198-48A8-4C9D-9D76-5C2F58A9DB08@mac.com
B35E3779-C18D-4320-B171-6C7E4BBE5974@mac.com
B7780243-9BE2-4D22-969C-6E9C77776792@mac.com
C996B503-4286-414B-A1AF-369966A5918A@mac.com
EAE7F921-CE33-41AD-A40B-9A20D3313DBA@mac.com
74DA4FAE-F23A-4893-9C13-84A844B6321F@mac.com
EE0A30F3-A95B-4145-9BA9-1213B00A7759@mac.com
652A524B-7DFC-4BCD-A97D-6051907C0CF6@mac.com
7EE3F3BC-45A8-46EA-A48E-B2138BEAEC8F@mac.com
2AA5693C-0E45-4FB6-A99F-B4659A2AD6F6@mac.com

which seem to fit the description of RFC 2822 or RFC 2352?
This seems to follow the absolute date and time and content id hash,
don't you think?

regards

On 19 Mar 07, at 23:47, Glenn Dardick wrote:

I believe the second one may be spoofed - not the first.

Glenn

-----Original Message-----
From: Santiago Barahona [mailto:sant-bar (at) dsv.su (dot) se]
Sent: Monday, March 19, 2007 4:42 PM
To: Glenn Dardick
Cc: forensics (at) securityfocus (dot) com
Subject: Re: message-id formatting

It is weird... indeed they use alpha-numeric account names, but as
far as I know they are limited to 12 or 16 characters... (I'll check
it and come back to you with that)...

are you sure it is not a spoofed "mac.com"??

On 16 Mar 07, at 07:14, gdardick (at) dardick (dot) net wrote:

I am trying to find the format of mac.com message-ids. The following
are examples of message-id's received in emails from mac.com.

F39DF6D4-4C64-4C78-91E1-EB9EF83F492A@MAC.COM
11DF7440-1BAC-4E05-9A6D-5F13C3DA7A53@MAC.COM

Any ideas?
