Tuesday, July 22, 2008

Tracing an e-mail

Let's discuss, how to trace an email sender from the email header.

Viewing Email Header

Every e-mail comes with information attached to it that tells the recipient of its history. This information called a header. The below is the Full header of email .All this information comes with the email. The header contains the information essential to tracing an e-mail. The main components to look for in the header are the lines beginning with "From:" and "Received:" However, it might be instructive to look at what various different lines in the header mean.

Some e-mail programs, like Yahoo or Hotmail, have their full headers hidden by default In order to view the full header, you must specifically turn on that option. Some ways of doing this in different e-mail programs follow here:

Viewing full Header in Yahoo and Hotmail
Yahoo

Click Options -> Click Mail Preferences -> Click Show Headers -> Click "All" -> Click "Save"

Hotmail

Click Options -> Click Mail Display Headings (under "Additional Options") -> Click Message Headers -> Click "Full" ->Click "OK"

Viewing full Header in Email Clients like (Outlook and Eudora etc)
Outlook Express
If you use OE, you may not have much luck; it sometimes gives little more information than what you can see in the main window. But here's the application path anyway:

Click File/Properties/Details to find the header information.

Outlook
First, highlight the email in your Incoming window, right-click on it, and select Options. The window that comes up will have the headers at the bottom.

Eudora
Be sure the message is open, then Click the 'Blah, Blah, Blah' button from the Tool Bar, and the headers will appear.

Pegasus
Select Reader/Show All Headers/

Netscape Mail
Select Options/Headers/Show All Headers

Netscape Messenger 4.0 and 4.5
Select View/Headers/All

Full header in detail:

Message ID:

It is used to identify the system from which the the message has originated (I.e. from the system the sender has logged in). However, this is too easy to forge, and is consequently not reliable.

X-Headers:

X- headers are user defined headers. They are inserted by email client programs or applications that use email. Here from the X- headers inserted into the email by the email client it is clear that the sender has used Microsoft Outlook Express 6.00.2800.1106 to send this email.

X-Priority: 3

X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106

MIME-Version:

MIME stands for Multipurpose Internet Mail Extension. It tells the recipient what types of attachments are included in email. It is a format that allows people to send attachments that do not contain Standard English Words, but rather graphics, sounds, and e-mails written with other characters. The Mime-Version field merely confirms that the version of MIME used corresponds to the standard version (which is currently 1.0).

From:

Form is useless in tracing an e-mail. It consists of the email of the sender but this can be obviously be a fake. One can use any fake-mailer to fake the sender's name.

Content-Type:

This line tells the receiving e-mail client exactly what MIME type or types are included in the e-mail message. If the Content–Type is text/plain; charset="us-ascii" just tells us that the message contains a regular text message that uses English characters. ASCII is the American Standard Code for Information Interchange and is the system used to convert numbers to English characters.

Return-Path:

It is the address to which your return e-mail will be sent. Different e-mail programs use other variations of Return-Path:. These might include Return-Errors-To: or Reply-To etc.

Received:

This field is the key to find out the source of any e-mail. Like a regular letter, e-mails gets postmarked with information that tells where it has been. However, unlike a regular letter, an e-mail might get "postmarked" any number of times as it makes its way from its source through a number of mail transfer agents (MTAs). The MTAs are responsible for properly routing messages to their destination.

Let me strip-off the above email header to make the understanding easy. The header is splitted and the two received headers are given below.

Received Header 1:
204.127.198.35 - Tue, 25 Nov 2003 19:56:18 -0800
from rwcrmhc11.comcast.net ([204.127.198.35])
by mc7-f12.hotmail.com
with Microsoft SMTPSVC(5.0.2195.6713)

Received Header 2:
68.37.24.150 - Wed, 26 Nov 2003 03:44:57 +0000
from pavilion (pcp03530790pcs.mnhwkn01.nj.comcast.net[68.37.24.150])
by comcast.net (rwcrmhc11)
with SMTP
id <20031126034457013001nk6pe>

The MTAs are "stamped" on the e-mail's header so that the most recent MTA is listed on the top of the header and the first MTA through which the e-mail has passed in listed on the bottom of the header. In the above sample e-mail header, e-mail first passed through 68.37.24.150 (pcp03530790pcs.mnhwkn01.nj.comcast.net), and at last made its way through 204.127.198.35 (rwcrmhc11.comcast.net).

In the Received Header 2, the one marked as "pavilion" is either the domain name of the server from which the email has originated or the name of the computer from which the email has been sent. By doing a DNS query for "pavilion", it is confirmed that it is not a know host name hence, must be the name of the computer from which the mail has originated. "68.37.24.150" is the IP address from which the mail might have originated or it is the IP address of the ISP (Internet Service Provider) to which the user was logged on while sending the mail.

Trace who owns the IP address
Every computers hooked on to internet is assigned with an IP address. Individual users possess a dynamic IP address when they logged on to any ISP to access internet. These IP addresses are assigned by the ISP itself. Organization usually possess static/public IP address which is stored in a database of registries.

There are three major registries covering different parts of the world. They are

www.arin.net => American Registry of Internet Numbers (ARIN) : It assigns IP addresses for the Americas and for sub Saharan Africa.

www.apnic.net => Asia Pacific Network Information Centre (APNIC) : It covers Asia

www.ripe.net => Réseaux IP Européens (RIPE NCC) : It covers Europe

Thus, to find out which organization owns a particular IP address, you can make a "WHOIS" query in the database at any of these registries. You do this by typing the IP address into the "WHOIS" box that appears on each of these websites.

"Received Header" will have the IP address of the ISP in case the users has dialed up to the ISP while sending the email. But if the user has send the email from within the corporate then the corporate public/static IP address is logged.

By giving a "WHOIS" query for 68.37.24.150 at www.arin.net, the following result has been displayed:

Comcast Cable Communications, Inc. JUMPSTART-1 (NET-68-32-0-0-1)
68.32.0.0 - 68.63.255.255
Comcast Cable Communications, Inc. NJ-NORTH-14 (NET-68-37-16-0-1)
68.37.16.0 - 68.37.31.255

# ARIN WHOIS database, last updated 2004-02-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

From above queries it is found that the IP address (68.37.24.150) is owned "Comcast". By making further queries on "Comcast" it is found that it is the name of the ISP located in NJ, US - 08002. The result of further query is given below:

OrgName: Comcast Cable Communications, Inc.
OrgID: CMCS
Address: 3 Executive Campus
Address: 5th Floor
City: Cherry Hill
StateProv: NJ
PostalCode:08002
Country: US

NetRange: 68.32.0.0 - 68.63.255.255
CIDR: 68.32.0.0/11
NetName: JUMPSTART-1
NetHandle: NET-68-32-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: DNS01.JDC01.PA.COMCAST.NET
NameServer: DNS02.JDC01.PA.COMCAST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-11-29
Updated: 2003-11-05

TechHandle: IC161-ARIN
TechName: Comcast Cable Communications Inc
TechPhone: +1-856-317-7200
TechEmail: cips_ip-registration@cable.comcast.com

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail: abuse@comcast.net

OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200
OrgTechEmail: cips_ip-registration@cable.comcast.com

# ARIN WHOIS database, last updated 2004-02-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

Now since the IP address found belongs to an ISP, it is clear that the sender has dialed up to this ISP while sending the email. For further enquiry we can then request the ISP to provide us with details of the user who has dialed up to them at that given point of time (Wed, 26 Nov 2003 03:44:57 +0000). If the ISP cooperates, they will check their user and message logs to see who was logged into that particular IP address at that time and date. This will reveals the sender's telephone number from which he/she has dialed to the ISP. Now once we have the telephone number we can easily retrieve the name and address of the sender.

Now the above case is solved but there are also other cases where the IP address found on the email header may be owned by an organisation or a cyber cafe.

Cases1: THE IP ADDRESS OWNED BY AN ORGANISATION

But in case the IP address found belongs to an organisation then you have to request them to provide information about the user who has send the mail from within the organisation network. They must have user and message logs on their firewall / proxy and can trace each of their computers connected at the given point of time. By supplying the organisation with the e-mail header of the offending e-mail, they can check these logs and hopefully produce information of the user of that machine.

Cases2: THE IP ADDRESS OWNED BY A CYBER-CAFE

In case it is found that the sender has sent the email from a cyber-cafe then it becomes a difficult task to trace him/her. The user may not be a frequent visitor to that cyber-cafe. But let's assume that you receive such mails frequently from that particular cyber-cafe then you can install "key-loggers" in the computers at the cafe. These programs records user's keystrokes, thus creating a record of everything that was typed at a particular terminal. By reviewing the key-logger logs you may be able to trace the sender in this case.

Note: These methods would aid greatly in identifying an e-mail sender, they also would impinge on the rights of others using the computers to conduct their personal business. Such a conflict defines the ongoing struggle between the fight against terrorism over the Internet and the right to privacy, which will continue to evolve in the years ahead.

enjoy.....Sump

0 comments:

Visitors