    2Macs Web Design and Hosting Inc. with H-Sphere Web Hosting
Tracing Email
This has become our most popular page. We are glad we can help! There is one question we get quite often: "How can I find out who is sending me email from a certain AOL or Hotmail account?" Well, that is not what this page is about. This page is about how you can find out whether someone faked his email address and how you can find out from which account that mail really was sent. If the mail comes from a real, valid email account and you want to know who the person behind that account is, then you will most likely need to serve the internet provider hosting that account with a court order.

Sometimes people might send you information or hatemail from a fake address. This can be done quite easily simply by changing the "Sender" and "Return-to" fields to something different. You can do this, since these fields, i.e. your identity, are normally not checked by the mailserver when you send mail, but only when you receive mail.

Every email has a so-called header. The header is the part in which the route the email has taken is being described. Since the header is rather ugly, it is normally hidden by the email program. Every email program can display them, though (look into the "Options" or "Preferences" menu).

The mail we use below is a typical, but not very sophisticated, example of faked email. Fortunately for us, most people are not more sophisticated than this. You should, however, be aware that there are much more sophisticated ways to fake mail. A message sent to the newsgroup alt.security and archived on the web explains one possible way to deal with some of these cases. But for now - back to the "easy cases":

Received: from SpoolDir by IFKW-2 (Mercury 1.31); 13 May 98 15:51:47 GMT +01
Return-path: <kuno@seltsam.com>
Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP;
13 May 98 15:51:44 GMT +01
Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60]) by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for <luege-ti@ifkw.uni-muenchen.de>; Wed, 13 May 1998 15:49:09 +0200 (MET DST)
X-Sender: o-pabjen@130.237.155.254
Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 13 May 1998 15:49:06 +0200
To: luege-ti@ifkw.uni-muenchen.de
From: Kuno Seltsam <kuno@seltsam.com>
Subject: Important Information
X-PMFLAGS: 34078848 0

Let's go through it line by line:

Date: Wed, 13 May 1998 15:49:06 +0200
To: luege-ti@ifkw.uni-muenchen.de
From: Kuno Seltsam <kuno@seltsam.com>
Subject: Important Information

These lines should look quite familiar. They describe who claims to have sent the mail, to whom it was sent and when.

X-PMFLAGS: 34078848 0

This is a number which your email program (in this case Pegasus Mail) might add to the mail to keep track of it on your hard disk.

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

States that the message contains normal, plain text without any "fancy" letters like umlauts etc.

Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>

This line contains a tracking number, which the originating host has assigned to the message. The Message-Id is unique for each message and in this case contains the IP number of the originating host. If you for some reason doubt that the message really came from someone at "seltsam.com", you can now take this number and have it translated into something more meaningful. For this task you can, for example, use a simple Ping program, a small tool that sends IP packets to a host and resolves IP numbers into host names.

Using TJPing we found that the real name of the originating computer is:

Starting lookup on 130.237.155.60 - May 14, 1998 22:01:25
Official Name: L-Red-10.jmk.su.se
IP address: 130.237.155.60

This is actually the originating computer from which the message was sent. Not the mailserver. If the address is at a university, as in this case, this is not a great help, since many students use the same computers all day. The situation is very different within companies, though, since employees tend to have their own computers, which no one else uses. If the header doesn't show any further information, you might use this information by calling the company's system administration and asking "Say, who's sitting at Node 60?". Amazingly often you will get a reply. It is comparatively easy to find out which company you are dealing with. Just cut off the first label of the Official Name (L-Red-10.), add www and type it into your browser. You will see that www.jmk.su.se is the journalism department of the University of Stockholm.

X-Sender: o-pabjen@130.237.155.254

This line is solid gold! It tells you who was logged on to the mailserver when the message was sent. Not all email programs add this line, though. Eudora does, whereas Pegasus Mail doesn't.

So now we know that the user who sent us the mail is "o-pabjen". The IP number is that of the mailserver used (checking with TJPing, we learn it's called bang.jmk.su.se). Now you could actually reply to the message by sending a mail to o-pabjen@130.237.155.254 or o-pabjen@bang.jmk.su.se.

But maybe you want to know his real name. In this case you can try to "Finger" the account. Finger is a command which reveals basic information about the account holder. Due to the increased attention to privacy online, more and more servers have disabled it. It is always worth a try, though. Using WSfinger we learn the following:

Login name: o-pabjen In real life: Pabst Jens global

So now you have a name: Jens Pabst. "Global" could be part of the name or be some kind of code added by the system administration for internal purposes.

If you manage to obtain the information we have so far, then you don't actually have to look any further. You have what you want. "Kuno Seltsam <kuno@seltsam.com>" is really Jens Pabst <o-pabjen@bang.jmk.su.se>.

But let's go through the rest of the header anyway:

Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60]) by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for <luege-ti@ifkw.uni-muenchen.de>; Wed, 13 May 1998 15:49:09 +0200 (MET DST)

This line states which computer the mailserver has received the message from, when, and that the message is supposed to be delivered to luege-ti@ifkw.uni-muenchen.de.

Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP; 13 May 98 15:51:44 GMT +01

Similar to the last part of the header, this tells us from where the recipient's mailserver (ifkw-2.ifkw.uni-muenchen.de) has received the message. We know that this must be the recipient's mailserver, since it is the last server that receives anything.

Return-path: <kuno@seltsam.com>

Then follows the fake return path.

Received: from SpoolDir by IFKW-2 (Mercury 1.31); 13 May 98 15:51:47 GMT +01

And an internal note from the mailserver about where and how it distributed the message within its own system. We know that "SpoolDir" cannot be the recipient's mailserver, since it lacks an Internet address (i.e. something like server.somewhere.de).
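The walk through the header above can be automated. The following is an added example, not part of the original page: it unfolds the header shown above (embedded as constructed input), reads the Received: lines bottom-up as the page does, pulls the real account out of X-Sender and the originating IP out of Message-Id, and reports whether the claimed From: domain agrees with the server that actually submitted the mail. The reverse lookups are a table filled with the TJPing results from the page; a live check would call socket.gethostbyaddr instead.

```python
import re

# Header from this page, embedded as constructed input so the example runs offline;
# the folded "Received:" line is indented so standard header unfolding applies.
RAW_HEADER = """\
Received: from SpoolDir by IFKW-2 (Mercury 1.31); 13 May 98 15:51:47 GMT +01
Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP;
 13 May 98 15:51:44 GMT +01
Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60]) by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for <luege-ti@ifkw.uni-muenchen.de>; Wed, 13 May 1998 15:49:09 +0200 (MET DST)
X-Sender: o-pabjen@130.237.155.254
Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>
From: Kuno Seltsam <kuno@seltsam.com>
"""
# Reverse lookups the page obtained with TJPing; live use would call socket.gethostbyaddr(ip).
REVERSE_DNS = {"130.237.155.60": "L-Red-10.jmk.su.se", "130.237.155.254": "bang.jmk.su.se"}
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?;\s*(.+)$")

def unfold(raw):
    """(name, value) pairs; a line starting with whitespace continues the previous field."""
    fields = []
    for line in raw.splitlines():
        if line.startswith((" ", "\t")) and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def trace(raw):
    """Walk the header as the page does: the bottom Received: line is the first hop."""
    fields = unfold(raw)
    single = dict(fields)                      # last value wins; fine for single-valued headers
    hops = [m.groups() for n, v in fields if n == "received"
            for m in [RECEIVED_RE.match(v)] if m][::-1]   # (from, by, when), oldest first
    origin_ip = hops[0][0].strip("[]")
    claimed = re.search(r"@([\w.-]+)", single.get("from", ""))
    sender = re.match(r"([^@]+)@(\S+)", single.get("x-sender", ""))
    msgid_ip = re.search(r"@\[?([\d.]+)", single.get("message-id", ""))
    # The recipient's server is the last "by" host with an Internet name; a bare
    # "IFKW-2" is internal spool handling, as the page explains.
    return {
        "origin_ip": origin_ip,
        "origin_host": REVERSE_DNS.get(origin_ip, "unresolved"),
        "message_id_ip_matches": bool(msgid_ip) and msgid_ip.group(1) == origin_ip,
        "submitting_server": hops[0][1],
        "recipient_server": [by for _, by, _ in hops if "." in by][-1],
        "claimed_domain": claimed.group(1) if claimed else None,
        "real_account": sender.group(1) if sender else None,
        "real_server": REVERSE_DNS.get(sender.group(2), sender.group(2)) if sender else None,
        "from_consistent": bool(claimed) and hops[0][1].endswith(claimed.group(1)),
    }
```

For the page's header, trace(RAW_HEADER) reports the claimed domain seltsam.com against a submitting server bang.jmk.su.se (from_consistent is False) and the real account o-pabjen on that same server, which is exactly the conclusion the page reaches by hand.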

Brought to you in part by www.usus.org

Copyright © 2001-2008  2Macs Web Design and Hosting Inc.   All Rights Reserved