27.1.08

Backtracking EMAIL Messages (read PS)


Backtracking EMAIL Messages

Many times when you get some funny(?) anonymous email all you wish is to strangle the
sender hidden behind some far away computer. No, I won't assist you in strangling anybody,
but I can at least help you trace his/her guilt back to him/her, and I'll leave the rest to your own judgment.

First let me ask you: how do you determine the sender of an email message?
By looking at the "From" header, right?
Unfortunately this is only half the truth. The "From" header is nothing more than the sender's address
on a postcard (postcard? what's that?). The sender's address can be forged just as easily.
If you don't know the sender, then the header is forged, as simple as that.

I know what you are thinking now.
"OK, now you have told me all this and I know the header is forged; it will be really hard to trace
back to the original sender, won't it?"

No, my friends, if you can type then it's the easiest and most addictive thing you can do.

For that you first have to understand how email messages are put together in order to backtrack an email message.
SMTP (Simple Mail Transfer Protocol) is a text-based protocol for transferring messages across the internet. A series of headers is placed in front of the data portion of the message.
By examining the headers you can easily backtrack a message to the source
network, sometimes even to the source host.

If you are using Yahoo or Rediffmail you can enable viewing of headers from the options menu.
I have shown how to do it for Yahoo in the image above.

The headers to be considered are as follows.

Return-Path:

X-Original-To:
Delivered-To:

Received: from
by mailhost.example.com (Postfix) with SMTP id
date and time
for

Received: from with ESMTP id

Message-ID:

From: "

Reply-To: "

To:

Subject:

date

X-Mailer:

X-Priority:

MIME-Version:

Content-Type:


According to the "From" header the message may be from "yahooawards@yahoo.com"
(in my case). If I just complain to abuse@yahoo.com, the reply will be "we don't have such a
service". So I will just try to find out the sender myself.

1. The header most useful in determining the original source of an email message is
the "Received" header.

2. If you look at the topmost Received header, it shows the message being received from host "X" with the IP address "Y" by my
server, mail.yahoo.com.

3. The most important point to consider is: at what point in the chain does the email system become suspicious?

4. My advice is to consider anything beyond your own email server to be an unreliable
source of information. Because this topmost header was generated by my email server,
it is reasonable for me to accept that it can be trusted.

5. The next Received header shows the remote email server accepting the message from
the host "X1". Here something is required from your side: you should at least be able to
determine whether an IP address is real. That's all; from here onwards only typing skills are needed.

6. So here we have something in our hands, like a thread to pull. As usual, Windows is somewhat lacking in network diagnostic tools; however, you can use the tools at to do
your own checking.
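To make the rule in steps 1 to 5 concrete, here is an added Python example (my own, not part of the original post) that unfolds the Received headers of a message, walks them top-down, and stops at the first header that was not written by your own server; the "from" side of the last trusted header is the remote host "X1" whose IP you then look up. The message, hostnames and addresses are constructed for the example, and the `my_server` name is whatever your own mail server calls itself in its Received header.

```python
import re
from email import message_from_string

# Constructed sample (not a real capture). Each server prepends its own
# Received header, so the chain reads newest hop first; the bottom header
# is closest to the sender and the easiest one to forge.
RAW_MESSAGE = """\
Received: from mta.someisp.example (mta.someisp.example [203.0.113.7])
\tby mail.yahoo.com (Postfix) with ESMTP id A1B2C3
\tfor <victim@yahoo.com>; Sun, 27 Jan 2008 10:00:00 +0000
Received: from dialup-42.someisp.example ([203.0.113.42])
\tby mta.someisp.example with SMTP id X9Y8Z7
Received: from totally.legit.example ([198.51.100.9])
\tby dialup-42.someisp.example with SMTP id FAKE01
From: "Yahoo Awards" <yahooawards@yahoo.com>
To: victim@yahoo.com
Subject: You have won
"""

# "from <host> (<comment>) by <host>": the comment usually carries the
# connecting IP in brackets; both the comment and the "by" part may be missing.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)(?:\s+\((?P<paren>[^)]*)\))?(?:\s+by\s+(?P<by>\S+))?",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_received(value):
    """{'from', 'ip', 'by'} for one Received header, or None if unparseable."""
    text = " ".join(value.split())  # unfold the continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    ip = IP_RE.search(m.group("paren") or m.group("host"))
    return {"from": m.group("host"), "ip": ip.group(0) if ip else None, "by": m.group("by")}


def trust_boundary(raw, my_server):
    """Walk the Received chain top-down while the 'by' host is my own server.
    The last such header is trusted because my server wrote it; its 'from'
    host and IP are the first relay outside my control, the X1 to look up in
    WHOIS. Everything below it could have been written by the sender."""
    boundary = None
    for value in message_from_string(raw).get_all("Received", []):
        hop = parse_received(value)
        if not hop or (hop["by"] or "").lower() != my_server.lower():
            break
        boundary = hop
    return boundary
```

For the sample message, `trust_boundary(RAW_MESSAGE, "mail.yahoo.com")` stops after the first header and hands you 203.0.113.7, while the "legit" host at the bottom of the chain is never trusted.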

The ARIN WHOIS database is the place where you should look for that IP address.
You can also enter "?" for additional hints on searching ARIN's WHOIS database if you are stuck, so I won't go into details here.

You can also verify the hostname of the remote server by using nslookup.

So, whois shows that "SOME ISP" owns that netblock, and nslookup confirms the address-to-hostname
mapping of the remote server "X1".
If you add "www" in front of the domain name portion and plug that into your web browser, you get "SOME ISP'S" website.

Wait, don't send any flame to that site.
There is nothing more embarrassing than accusing someone who is supposedly responsible for a problem and being wrong.
Here you should recheck the remote host's IP address using two different tools (whois and nslookup) to minimize the chance of making any mistake.

Just by looking at the web site you will deduce that they are an ISP.
Now if you copy the entire message including the headers into a new email message, send it to abuse@SOMEISP.com and explain the situation to them, they may do something
about it.

But even now you have not determined who the actual sender of the email message is?
Elementary!

All you gotta do is employ the FBI and they will be able to tell you all you want to know.

After finding "SOME ISP", my advice is to rely on their discretion and hope you have
stopped some spammer or hate mailer.

PS:
One of my friends told me that he tried the above and it didn't work for him.
Actually, I assumed that after failing at "ARIN" you would try at "APNIC", and that's what
you should do. Because to find some information on the "www" you have to be creative.
