
Tracing E-mail

Sometimes people might send you information or hatemail from a fake address. This can be done quite easily, simply by changing the "Sender" and "Return-to" fields to something different. This works because these fields, i.e. your identity, are normally not checked by the mailserver when you send mail, but only when you receive mail.

Every email has a so-called header. The header is the part that describes the route the email has taken. Since the header is rather ugly, it is normally hidden by the email programme. Every email programme can display it, though (look in the "Options" or "Preferences" menu).

The mail we use below is a typical, but not particularly sophisticated, example of faked email. Fortunately for us journalists, most people are not more sophisticated than this. You should, however, be aware that there are much more sophisticated ways to fake mail. A message sent to the newsgroup alt.security and archived on the web explains one possible way to deal with some of these cases. But for now, back to the "easy cases":

Received: from SpoolDir by IFKW-2 (Mercury 1.31); 13 May 98 15:51:47 GMT +01
Return-path: <[email protected]>
Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP;
13 May 98 15:51:44 GMT +01
Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60]) by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for <[email protected]>; Wed, 13 May 1998 15:49:09 +0200 (MET DST)
X-Sender: [email protected]
Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 13 May 1998 15:49:06 +0200
To: [email protected]
From: Kuno Seltsam <[email protected]>
Subject: Important Information
X-PMFLAGS: 34078848 0

Let's go through it line by line:

Date: Wed, 13 May 1998 15:49:06 +0200
To: [email protected]
From: Kuno Seltsam
Subject: Important Information

These lines should look quite familiar. They describe who claims to have sent the mail, to whom it was sent and when.

X-PMFLAGS: 34078848 0

This is a number which your email programme (in this case Pegasus Mail) might add to the mail to keep track of it on your hard disk.

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

These lines state that the message contains normal, plain text without any "fancy" letters like umlauts etc.

Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>

This line contains a tracking number which the originating host has assigned to the message. The Message-Id is unique for each message and in this case contains the IP number of the originating host. If you for some reason doubt that the message really came from someone at "seltsam.com", you can now take this number and have it translated into something more meaningful. For this task you can, for example, use TJPing, a small programme that traces IP packets online and resolves IP numbers.

Using TJPing we found that the real name of the originating computer is:

Starting lookup on 130.237.155.60 - May 14, 1998 22:01:25
Official Name: L-Red-10.jmk.su.se
IP address: 130.237.155.60

This is actually the originating computer from which the message was sent, not the mailserver. If the address is at a university, as in this case, this is not a great help, since many students use the same computers all day. The situation is very different within companies, though, since employees tend to have their own computers, which no one else uses. If the header doesn't show any further information, you might use this information by calling the company's system administration and asking "Say, who's sitting at Node 60?". Amazingly often you will get a reply. It is comparatively easy to find out which company you are dealing with. Just cut off the first part of the Official Name (L-Red-10.), add www and type it into your browser. You will see that www.jmk.su.se is the journalism department of the University of Stockholm.

X-Sender: [email protected]

This line is solid gold! It tells you who was logged on to the mailserver when the message was sent. Not all email programmes add this line, though. Eudora does, whereas Pegasus Mail doesn't.

So now we know that the user who sent us the mail is "o-pabjen". The IP number is that of the mailserver used (checking with TJPing, we learn it's called bang.jmk.su.se). Now you could actually reply to the message by sending a mail to [email protected] or [email protected].

But maybe you want to know his real name. In this case you can try to "finger" the account. Finger is a command which reveals basic information about the account holder. Due to the increased attention to privacy online, more and more servers have disabled it. It is always worth a try, though. Using WSfinger we learn the following:

Login name: o-pabjen In real life: Pabst Jens global

So now you have a name: Jens Pabst. "Global" could be part of the name or be some kind of code added by the system administration for internal purposes.

If you manage to obtain the information we have so far, then you don't actually have to look any further. You have what you want. "Kuno Seltsam" is really Jens Pabst.

But let's go through the rest of the header anyway:

Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60]) by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for ; Wed, 13 May 1998 15:49:09 +0200 (MET DST)

These lines state from which computer the mailserver received the message, when, and that the message is supposed to be delivered to [email protected].

Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP; 13 May 98 15:51:44 GMT +01

Similar to the previous part of the header, this tells us from where the recipient's mailserver (ifkw-2.ifkw.uni-muenchen.de) received the message. We know that this must be the recipient's mailserver, since it is the last server that receives anything.

Return-path: <[email protected]>

Next comes the fake return path.

Received: from SpoolDir by IFKW-2 (Mercury 1.31); 13 May 98 15:51:47 GMT +01

And finally an internal message from the mailserver about where and how it distributed the message within its own system. We know that "SpoolDir" cannot be the recipient's mailserver, since it lacks an Internet address (i.e. something like server.somewhere.de).
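The walk through the header above can be done by a script. The following Python is an added example, not part of the original text: it reads the Received: lines in delivery order (each relay prepends its own line, so the list is reversed), pulls out the originating IP and each relay, and compares the domain claimed in From: with the first relay that actually accepted the mail. The sample header is the one from this page, with the redacted addresses replaced by made-up ones at the domains the page names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the article's header with its redacted addresses replaced
# by made-up ones at the domains the article names (seltsam.com, jmk.su.se,
# ifkw.uni-muenchen.de). Real headers are folded like the second Received: line.
RAW_HEADER = """\
Received: from SpoolDir by IFKW-2 (Mercury 1.31); 13 May 98 15:51:47 GMT +01
Return-path: <kuno@seltsam.com>
Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP;
 13 May 98 15:51:44 GMT +01
Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60]) by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for <someone@ifkw.uni-muenchen.de>; Wed, 13 May 1998 15:49:09 +0200 (MET DST)
X-Sender: o-pabjen@bang.jmk.su.se
Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>
From: Kuno Seltsam <kuno@seltsam.com>

(body)
"""
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\((.*?)\))?\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Received: hops oldest-first; each relay prepends its own line, so reverse."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        line = " ".join(value.split())            # unfold continuation lines
        m = HOP_RE.match(line)
        if not m:
            continue                              # unparseable hop: skip rather than guess
        ip = IP_RE.search(m.group(0))             # literal IP in the 'from' part, if any
        hops.append({"from": m.group(1), "by": m.group(3),
                     "ip": ip.group(1) if ip else None,
                     "date": line.rsplit(";", 1)[-1].strip()})
    return hops

def origin_check(raw):
    """Compare the From: claim with what the first relay actually recorded."""
    hops = received_hops(raw)
    if not hops:
        return {"error": "no Received: lines"}
    first = hops[0]                               # relay that took the mail from the sender's box
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    relay = first["by"].lower()
    return {"origin_ip": first["ip"], "first_relay": first["by"],
            "claimed_domain": claimed, "x_sender": msg.get("X-Sender"),
            "relay_matches_claim": relay == claimed or relay.endswith("." + claimed),
            # 'by' names without a dot are internal delivery, not Internet hosts
            "internal_hops": [h["by"] for h in hops if "." not in h["by"]]}
```

A mismatch between claimed_domain and first_relay is exactly the hint the article uses: the mail claims seltsam.com but was handed in at bang.jmk.su.se from 130.237.155.60, and the origin_ip is what you would then resolve with a tool like TJPing.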

 