READING & TRACING
E-MAILS

Listcrime is a one-stop shop for reliable, up-to-date information about cyber crime. We at Listcrime.com want to give home users and small businesses the advice they need to use the Internet safely. For the most part, references within this web page appear as links to the actual site that the information came from; customary referencing is used when citing non-WWW sources. A bibliography of any sources not linked appears at the end of this web page.

The speed and anonymity of cyber attacks make distinguishing among the actions of terrorists, criminals, and nation states difficult, a task which often occurs only after the fact, if at all. Closer to home, there are many situations where you would like to know who sent a particular email message: finding out who is sending those email love letters or spam, determining the sender of a blackmail message, or rooting out the source of a virus emailed to you. This web page will teach you how to use email headers to backtrack and find the original sender's IP address. Header information can be hard for the average computer user to read, but it is one of the only ways to truly trace the origin of an email. Keep one limit in mind throughout: the headers can tell you which machine handed the message to your mail provider and which organisation owns that address. Tying the address to a person takes the cooperation of that provider, or of law enforcement.

A good analogy for reading email headers is a flight ticket: it can tell you who booked it (who sent the email), the departure information (when the email was sent), the route (from where it was sent and how it arrived to you) and the arrival details (who the receiver is and when it was received). And just as you could book a flight ticket under a false identity, the sender of an email can partially fake these details, pretending that the email was sent from a different account (common practice for spammers and viruses). The part worth trusting is the stamp added by each airport the ticket actually passed through; for email those are the Received lines added by the mail servers that handled the message, and the ones added by your own provider's servers are the ones you can rely on.

There are basically three steps involved in tracking an email: find the originating IP address in the email header, look up the location and the owner of that IP address, then contact the originating Internet Service Provider with what you have found.

The hardest and most grueling step is Step #1, so let's begin there.

Let's go ahead and take a look at how you would do this. We will examine Outlook Express, Microsoft Outlook, Yahoo Mail, Hotmail, AOL and Gmail, since those are the most popular email clients.

Since email programs do not normally display these Headers, we must first learn how to display them. Depending on the program, this is done in a variety of ways.

OUTLOOK EXPRESS

Open the message, then select "Properties" from the "File" menu, or just press ALT+Enter. Next, select the "Details" tab; the full Internet headers are shown there.

MICROSOFT OUTLOOK

Here's how to view the headers in the Microsoft Office version of Outlook:

  • Open a message.

  • On the View menu, click Options.
    Note: If you do not see the Options command, make sure you click View on the toolbar in an open message window. The View menu on the standard Outlook toolbar does not have the Options command.

  • The Header information appears under the Delivery options in the Internet Headers box.

  • TIP: Right-click in the 'Internet Headers' field and click on 'Select All' in the popup menu (or type ctrl-A). Then right-click again and click on 'Copy' in the popup menu (or type ctrl-C). Finally, paste all the Internet Headers into your favorite text editor for full examination (such as 'Notepad', included with Windows).


YAHOO MAIL

On Yahoo Mail you just need to click "Full Headers" while viewing the message.

  1. Log into your Yahoo! Mail with your username and password.
  2. Click on Inbox or whichever folder you have stored your mail in.
  3. Open the mail.
  4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers:
    • Click on Options in the top-right corner.
    • In the Mail Options page, click on General Preferences.
    • Scroll down to Messages, where you have the Headers option.
    • Make sure that "Show all headers on incoming messages" is selected.
    • Click on the Save button.

Finding IP address in Hotmail

  1. Sign in to the Windows Live Hotmail website with your Windows Live ID.
  2. In the left pane, click Mail.
  3. In the folder list, click Inbox.
  4. Right-click the message in the message list, and then click View source.
  5. You should see the email headers now.

Finding IP address in AOL

  1. Log into your AOL mail with your username and password.
  2. Click on Inbox or whichever folder you have stored your mail in.
  3. Open the mail.
  4. Above the mail header, a drop-down box will be available with the "Actions" option selected.
  5. Select "View Message Source" and click the Go button. A separate window will open, displaying the entire contents of the message, including the full header information.

Now let's try Google's Gmail.

GOOGLE GMAIL

1. Log into your account and open the email in question.

2. Click on the down arrow to the right of the Reply link and choose Show Original from the list. The full message, headers first, opens in a new window.

How to display the full headers in various email programs:

How do I see an email header? It depends on your email client. Here is a comprehensive list of email client programs and methods to see the email headers.

Also try: FTC GetNetWise

Tracing an Internet E-mail

The most important header field for tracking purposes is the Received header field.

  • When an internet e-mail message is sent, the sender's mail program writes the From, To, Cc, Bcc and Subject lines and the body. All of these are under the sender's control and can say anything; the From line in particular proves nothing about who sent the message.

  • Mail software adds the rest of the header information as the message is processed.

  • For tracking purposes, we are most interested in the from and by tokens in the Received header field. In general, you are looking for a pattern similar to:

    Received: from BBB (dns-name [ip-address]) by AAA ...
    Received: from CCC (dns-name [ip-address]) by BBB ...
    Received: from DDD (dns-name [ip-address]) by CCC ...

    In other words, mail server AAA received the email from BBB and records what it knows about BBB, including the IP address BBB used to connect to AAA. This pattern repeats itself on each Received line. The ip-address in square brackets is the one the receiving server actually saw on the connection; the name right after from is what the sending server announced in its HELO greeting, and the dns-name is the reverse lookup of the address. A sender can announce anything in a HELO, so the bracketed address is the part to work from.

  • Every time an email moves through a new mail server, a new Received header line (and possibly other header lines, such as an X-Originating-IP line) is added to the beginning of the header list. This is similar to traveling on an airplane around the world and changing planes at several different cities.

  • This means that as you read the Received headers from top to bottom, you are gradually moving closer to the computer/person that sent you the email.

  • The catch is that only the Received lines written by servers you trust (your own provider's) are reliable. Everything below the last of those was delivered to your provider as part of the message, and a spammer can append bogus Received lines of his own that point at an innocent machine. The IP address worth believing is the one recorded in the from part of the lowest Received line that was written by your provider's server: that is the address the message really arrived from. Lines beneath it are evidence, not proof.

  • With experience, and/or by consulting various sources, you will learn more about Received lines and the ways that they can vary. But the basic principle is still to read them from top to bottom, and to understand that each computer which handled the message added one or more Received lines.

    ****SPECIAL CASE****

  • X-Originating-IP: If you are attempting to track down an email received from a Hotmail email account, look for the X-Originating-IP header field, which Hotmail uses to record the IP address of the computer that was logged into the web mailbox when the message was written. Since the Received lines of a webmail message show only Hotmail's own servers, this is the only place the author's address appears. Like any header that was already in the message when it reached your provider, it can be forged by anyone who is not really sending through Hotmail, so first check that the Received chain does in fact come from Hotmail's servers. The Yahoo example further down shows the same field as added by Yahoo's own mail server.

Reading an E-mail Header:

----- Message header follows -----

(1) Return-path: <badgirl@o167832.cc.nps.dog.org>
(2) Received: from o167832.cc.dot.gov by dhs.gov (4.1/SMI-4.1) id AAO868O; Thu, 7 Nov 96 17:51:49 PST
(3) Received: from localhost by o167832.fbi.gov (4.1/SMI-4.1) id AA16514; Thu, 7 Nov 96 17:50:53 PST
(4) Message-ID: <9611080150.AA16514@o167832.cc.usss.gov>
(5) Date: Thu, 7 Nov 1996 17:50:53 -0800 (PST)
(6) From: "M. Bottoms" <ambottom@o167832.cc.nps.dhs.gov>
(7) To: John Doe <john_doet@johndoe.com>
(8) Cc: Fake 3D <fake3d@mmc.com>, Jane Doe <zzxxms@ldsa.com>, Bob Bourn <oerion@aol.com>

    • Line (1), Return-path, is the envelope sender: the address the sending system gave in the SMTP transaction, which is where error messages (bounces and warnings) go. It is set by the sender's software, so it identifies who really sent the message only if that software was honest.

    • Lines (2) and (3) show the route the message took from sending to delivery. Each computer that receives the message adds a Received field naming the machine it got the message from, its own name, and a time stamp; this helps in tracking delivery problems. As a consistency check, the host after from on one line should be the host after by on the line below it; where it is not, as in this sample, either the names were altered for publication or one of the lines was not written by a real relay.

    • Line (4) is the Message-ID, a unique identifier for this specific message assigned by the first mail system to handle it. The ID is logged by each server along the route, so the message can be traced through the servers' logs if there is a need to track the mail.

    • Line (5) shows the date, time, and time zone when the message was sent, according to the sender's clock.

    • Line (6) gives the name and e-mail address of the message originator (the "sender") as typed by whoever composed it.

    • Line (7) shows the name and e-mail address of the primary recipient; the address may be for a:

      • mailing list,

      • system-wide alias,

      • a personal username.

    • Line (8) lists the names and e-mail addresses of the "courtesy copy" recipients of the message. There may be "Bcc:" recipients as well; these "blind carbon copy" recipients get copies of the message, but their names and addresses are not visible in the headers.

A second, real example, as shown by Yahoo Mail with Full Headers turned on. Southwest's mail server (mail04.southwest.com) connected to Yahoo's server mta336 from 63.169.44.144; that address appears both in the single Received line and in the X-Originating-IP line that Yahoo added:

From Southwest Airlines Tue Apr 8 01:43:12 2008
X-Apparently-To: sbullitt@yahoo.com via 68.142.198.133; Tue, 08 Apr 2008 01:43:12 -0700
X-Originating-IP: [63.169.44.144]
Return-Path: <bounced-lm-2575529063-49700@mail.southwest.com>
Authentication-Results: mta336.mail.mud.yahoo.com from=mail.southwest.com; domainkeys=neutral (no sig)
Received: from 63.169.44.144 (HELO mail04.southwest.com) (63.169.44.144) by mta336.mail.mud.yahoo.com with SMTP; Tue, 08 Apr 2008 01:43:12 -0700
Date: Tue, 8 Apr 2008 03:43:12 -0500
From: "Southwest Airlines" <SouthwestAirlines@mail.southwest.com>
To: sbullitt@yahoo.com
Reply-to: "Southwest Airlines" <SouthwestAirlines@mail.southwest.com>
Subject: Big Sale! With Sale Fares From...
Message-ID: <SWIM-lm-2575529063-49700@mail.southwest.com>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/html
Content-Length: 9288

Note the Authentication-Results line: Yahoo looked for a DomainKeys signature and found none ("neutral (no sig)"), so nothing here cryptographically ties the message to southwest.com. The connecting IP address is the only hard evidence, and a WHOIS lookup on it (Step #2) is how you confirm that it really belongs to Southwest's mailer.
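To make the top-down reading rule concrete, here is a small parser, added for this page and not code from the original article or from any mail provider, that walks the Received lines of a message and compares the naive answer (the bottom-most IP) with the defensible one (the IP recorded by the last Received line your own provider wrote). It is fed the Yahoo/Southwest header quoted above, minus the mbox "From " line, plus a second header constructed here in which a spammer has added Received lines blaming innocent.example.net; the host names and addresses in that second sample are invented. It also covers cases the page's examples do not show: folded (multi-line) Received headers, lines with no from clause, and a provider given as a domain suffix.

```python
"""Walk a message's Received: chain top-down and decide which connecting IP
address is worth believing.  Added example for this page, not code from the
original article or any mail provider.  YAHOO_SAMPLE is the Southwest/Yahoo
header quoted above (mbox 'From ' line left off); FORGED_SAMPLE is constructed."""
import re
from email import message_from_string

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

YAHOO_SAMPLE = """\
X-Apparently-To: sbullitt@yahoo.com via 68.142.198.133; Tue, 08 Apr 2008 01:43:12 -0700
X-Originating-IP: [63.169.44.144]
Return-Path: <bounced-lm-2575529063-49700@mail.southwest.com>
Received: from 63.169.44.144 (HELO mail04.southwest.com) (63.169.44.144)
 by mta336.mail.mud.yahoo.com with SMTP; Tue, 08 Apr 2008 01:43:12 -0700
Date: Tue, 8 Apr 2008 03:43:12 -0500
From: "Southwest Airlines" <SouthwestAirlines@mail.southwest.com>
To: sbullitt@yahoo.com
Subject: Big Sale! With Sale Fares From...

(body omitted)
"""

# Constructed (invented hosts/addresses): the real connection to Yahoo came from
# 198.51.100.7, but the sender's software added two Received: lines of its own
# that blame innocent.example.net.
FORGED_SAMPLE = """\
Received: from 198.51.100.7 (HELO mail04.southwest.com) (198.51.100.7)
 by mta336.mail.mud.yahoo.com with SMTP; Tue, 08 Apr 2008 01:43:12 -0700
Received: from innocent.example.net (innocent.example.net [192.0.2.10])
 by mail04.southwest.com (Postfix) with ESMTP id 4F2A1; Tue, 08 Apr 2008 03:43:10 -0500
Received: from localhost by innocent.example.net; Tue, 08 Apr 2008 03:43:09 -0500
From: "Southwest Airlines" <SouthwestAirlines@mail.southwest.com>
To: sbullitt@yahoo.com
Subject: Big Sale! (not really)

(body omitted)
"""


def in_domain(host, suffix):
    """True if host is suffix or lies under it; 'notyahoo.com' must not match 'yahoo.com'."""
    host, suffix = host.lower().rstrip("."), suffix.lower()
    return host == suffix or host.endswith("." + suffix)


def parse_received(raw_message):
    """One dict per Received: line, in header order (index 0 = most recent hop).
    'from' is the name the sending side announced, 'ip' the first IPv4 address in
    the from-clause (what the receiver saw on the wire), 'by' the server that
    wrote the line.  Lines with no from-clause get None for 'from' and 'ip'."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        value = " ".join(value.split())             # unfold continuation lines
        m_from = re.match(r"from\s+(\S+)", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        from_clause = value[: m_by.start()] if m_by else value
        m_ip = IPV4.search(from_clause) if m_from else None
        hops.append({
            "from": m_from.group(1).rstrip(";,)") if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1).rstrip(";,)") if m_by else None,
        })
    return hops


def naive_origin(hops):
    """What 'keep reading to the bottom' gives: the lowest hop that carries an IP."""
    for hop in reversed(hops):
        if hop["ip"]:
            return hop["ip"]
    return None


def trusted_origin(hops, my_domains):
    """IP recorded by the lowest Received: line written by one of my_domains' own
    servers.  Every line below it arrived inside the message and can say anything."""
    origin = None
    for hop in hops:                                # top of the header first
        if hop["by"] and any(in_domain(hop["by"], d) for d in my_domains):
            origin = hop["ip"] or origin            # internal hops may lack an IP
        else:
            break                                   # trust ends at the first outside relay
    return origin


if __name__ == "__main__":
    for label, sample in (("page example", YAHOO_SAMPLE), ("forged chain", FORGED_SAMPLE)):
        hops = parse_received(sample)
        for i, h in enumerate(hops):
            print(f"{label} hop {i}: from {h['from']} [{h['ip']}] by {h['by']}")
        print(f"  bottom-most IP: {naive_origin(hops)}   "
              f"last trusted IP: {trusted_origin(hops, ['yahoo.com'])}")
```

Run it and the forged chain reports 192.0.2.10 as the bottom-most address but 198.51.100.7 as the last trusted one; put your own provider's domain in place of yahoo.com and the same logic applies to any message you receive. The trust check is deliberately a suffix match on the by host rather than the from host: the by name is written by the server that received the message, while the from name is whatever the other side announced.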

Step #2 Tracking the location of an IP address

Once you have the originating IP address (for example, 72.204.154.191), let's find out where that is. You can do this by performing a location lookup on the IP address. Here are some popular ones:

SamSpade.org ,IP2Location
GeoBytes IP Locator
http://www.hostip.info
http://www.ip-adress.com
http://cqcounter.com
http://www.arin.net
data.com

GeoBytes gave me a big map of New Orleans, LA along with a bunch of other information about the location itself.

IP2Location gave me pretty much the same information, including the ISP (Cox Communications). In this case it was correct, since the sender of this email really does live in New Orleans. Do not expect that precision every time: these databases place an address by the registration records and routing data of the block it belongs to, so the answer is often the city where the ISP's equipment sits rather than the sender's home, and for a mobile or dial-up connection it can be a different state. Remember too that the address belongs to the last machine that handed the message to your provider; if that was an open relay or a webmail server (see Step #2b and the X-Originating-IP note above), you have located the relay, not the person.

If you want more information, you can do a WHOIS database search also. My favorite one is the ARIN WHOIS Database Search. This will give you the organisation that holds the address block (usually an ISP or hosting company), its registration details, and an abuse contact, which is the address you will need for Step #3. ARIN covers North America; a query there for an address managed by another regional registry refers you to that registry (RIPE for Europe, APNIC for Asia Pacific), both of which are listed further down this page.


TIP: Practice! Track down the emails received from friends and family. Since you know where they are really located, that will help you to analyze the Internet Headers. You will quickly gain experience and confidence in your ability to track down the computer/person that sent you an email message.

Step #2b Checking an IP address with traceroute

One quick sanity check on an IP address pulled from a header is the "traceroute" command, which on Windows is called tracert.

  1. Click "Start" at the bottom left, then click "Run".

  2. In the "Open" field, type cmd to bring up a command shell. A black window will appear; in it, type tracert <the IP address you want to trace>.

  3. Using the bogus IP address as an example, you would type tracert 48.240.68.107, then hit ENTER. Since this is a bogus IP, you will see a bunch of "Request timed out" replies, which means there is really no route to the host. Be careful with the opposite reading, though: a trace that gets most of the way and then times out for the last few hops usually means a firewall is dropping the probes, which is normal for mail servers and home connections and is not a sign that the address is fake. The WHOIS lookup from Step #2 is the better test of whether an address is assigned at all.

In the screenshot that this example was taken from, the top Received line shows an IP address of 209.191.69.38. This is a publicly published IP address of one of Yahoo's mail servers, and since it is public there was no need to blur it out. You can actually use this IP address to make a successful traceroute: repeat the same thing in the command shell, type tracert 209.191.69.38, and you will see the route from your computer to this particular Yahoo server.

The traceroute tool is handy when you want to trace the IP addresses of the mail servers that sent you email, and it helps you work out whom to report phishing scams to. In the example above there was no way to determine the real identity of the scammer's computer, but the recipient of the scam did report the email to the administrator of the mail server with the open relay (the one the scammer "hijacked" to send the bogus email). At least this will help them configure the mail server not to allow unauthorized relaying of spam in the future.

If you have identified the offending site and you want to find who their upstream provider is, use the "traceroute" tool. You need to give it the machine name to trace to, for example slime.spammer.com in the above example. If traceroute is accessible to you on your local system, simply invoke "traceroute slime.spammer.com". If not, there are many web->traceroute gateways; searching for "traceroute" in one of the internet search engines should find one. Either way, the output from traceroute will look something like this:  

traceroute to slime.spammer.com (127.126.32.23), 30 hops max, 40 byte packets
 1  siamese.legit.com (127.39.1.134)  206 ms  177 ms  198 ms
 2  persian.legit.com (127.39.1.129)  203 ms  191 ms  188 ms
 4  SR1.gotham-city.major.net (127.39.100.73)  174 ms  190 ms  208 ms
 5  core4.gomorrah.major.net (127.39.33.133)  180 ms  182 ms  159 ms
 6  retrolink-gw.gomorrah.major.net (127.157.77.25)  169 ms  185 ms  189 ms
 7  router1.retrolink.net (127.70.1.122)  469 ms  365 ms  239 ms
 8  spammer-gw.retrolink.net (127.70.1.122)  429 ms  242 ms  239 ms
 9  slime.spammer.com (127.70.3.98)  519 ms  275 ms  309 ms

This means that to get from your site (or the site hosting the web->traceroute gateway) to slime.spammer.com, data first passes through legit.com, then major.net, then retrolink.net, and finally to spammer.com. So if spammer.com is the guilty party then normally you would complain to retrolink.net. If you have reason to believe that retrolink.net is uncooperative then you could escalate by complaining to major.net. This should be done only after repeated attempts to persuade retrolink have been unsuccessful. Even sites with good spam control policies will occasionally get a spammer, so the mere fact that you have received one spam, or a handful of unrelated spams, is not by itself sufficient reason to escalate.
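A parser for this output, added here as an example (not from the page or from any traceroute implementation), that reduces the hop list to the sequence of networks crossed and picks the upstream and escalation contacts by the rule just described. It is run on the trace above and on a second, constructed trace with silent hops and a hop that has no reverse DNS; the hosts in that second trace are invented, the "last two labels" notion of a network is a simplification, and Windows tracert output, which uses a different column layout, is not handled.

```python
"""Parse Unix traceroute output and work out which network to complain to.
Added example for this page, not code from the original article or any
traceroute implementation.  PAGE_TRACE is the trace quoted above; SAMPLE_TRACE
is constructed (invented hosts) to show silent hops and hops without a name."""
import re

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
NAMED_HOP = re.compile(rf"^(\S+)\s+\(({IPV4})\)")
BARE_HOP = re.compile(rf"^({IPV4})\b")

PAGE_TRACE = """\
traceroute to slime.spammer.com (127.126.32.23), 30 hops max, 40 byte packets
 1  siamese.legit.com (127.39.1.134)  206 ms  177 ms  198 ms
 2  persian.legit.com (127.39.1.129)  203 ms  191 ms  188 ms
 4  SR1.gotham-city.major.net (127.39.100.73)  174 ms  190 ms  208 ms
 5  core4.gomorrah.major.net (127.39.33.133)  180 ms  182 ms  159 ms
 6  retrolink-gw.gomorrah.major.net (127.157.77.25)  169 ms  185 ms  189 ms
 7  router1.retrolink.net (127.70.1.122)  469 ms  365 ms  239 ms
 8  spammer-gw.retrolink.net (127.70.1.122)  429 ms  242 ms  239 ms
 9  slime.spammer.com (127.70.3.98)  519 ms  275 ms  309 ms
"""

# Constructed: hops 2 and 5 answer nothing, hop 3 has no reverse DNS entry.
SAMPLE_TRACE = """\
traceroute to www.example.org (203.0.113.5), 30 hops max, 60 byte packets
 1  gw.home.example (192.0.2.1)  1.2 ms  1.0 ms  0.9 ms
 2  * * *
 3  198.51.100.9 (198.51.100.9)  12 ms  11 ms  13 ms
 4  core1.transit.example (198.51.100.10)  20 ms  19 ms  21 ms
 5  * * *
 6  www.example.org (203.0.113.5)  30 ms  31 ms  29 ms
"""


def parse_traceroute(text):
    """One dict per hop line: number, host (None if unresolved or silent), ip."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                                # the "traceroute to ..." banner
        number, rest = int(m.group(1)), m.group(2).strip()
        host = ip = None
        named = NAMED_HOP.match(rest)
        bare = BARE_HOP.match(rest)
        if named:
            host, ip = named.group(1), named.group(2)
            if re.fullmatch(IPV4, host):            # "1.2.3.4 (1.2.3.4)": no PTR record
                host = None
        elif bare:
            ip = bare.group(1)
        hops.append({"hop": number, "host": host, "ip": ip})
    return hops


def network_of(host):
    """Crude registrable domain: the last two labels.  Fine for .com/.net/.org,
    wrong for country second-level domains such as example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def network_path(hops):
    """Distinct networks in the order the packets crossed them.  Silent hops and
    hops without a name carry no ownership information and are skipped."""
    path = []
    for hop in hops:
        if hop["host"]:
            net = network_of(hop["host"])
            if not path or path[-1] != net:
                path.append(net)
    return path


def who_to_complain_to(hops):
    """(upstream, escalation): the network just before the destination's, and the
    one before that; None where the path is too short to tell."""
    path = network_path(hops)
    upstream = path[-2] if len(path) >= 2 else None
    escalation = path[-3] if len(path) >= 3 else None
    return upstream, escalation


if __name__ == "__main__":
    for label, trace in (("page", PAGE_TRACE), ("constructed", SAMPLE_TRACE)):
        hops = parse_traceroute(trace)
        print(label, "->", " > ".join(network_path(hops)))
        print("   complain to %s, escalate to %s" % who_to_complain_to(hops))
```

On the page's trace this yields retrolink.net as the upstream and major.net as the escalation, exactly as the text reads it. Treat the answer as a starting point: the network before the destination is where the spammer buys connectivity, but the WHOIS record for the destination's address block (Step #2) is what confirms who actually holds it.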

Step #3 Contact the source ISP or host ISP, by formal letter or email, with the full headers, and ask them to act on that particular IP address.

You can find the email address to complain to by first seeing if the organization in question has a web page with a contact address. Generally you want the network abuse address if there is one (the WHOIS record from Step #2 usually lists it); if not, try to figure out what the closest choice is. An alternative is the complaint forwarding service at abuse.net. If none of these seem feasible, you can always try postmaster@<the provider's site>. Send the complete, unedited headers along with the message: the provider needs the time stamp, the time zone and the IP address from its own Received line to find the account in its logs. Be realistic about what you will get back. A provider can identify the subscriber behind an address at a given time, but it will normally act on that internally (warning or closing the account) rather than tell a private complainant who the customer is; releasing the name usually takes a request from law enforcement or a court order, so for anything serious the report goes to the police as well as to the ISP.

If the message contains anything illegal, report it to the CyberTipline® at www.cybertipline.com or call 1-800-843-5678. Illegal material includes threats to your life or safety, threats to others, pornographic images of children, and evidence of other crimes. NCMEC will refer the report to the appropriate law-enforcement agency.

Step #4 Trying to locate people on the Internet

Resources useful for locating people on the Internet fall into these categories:

  • White Pages, Yellow Pages and Public Records gateways
  • Directory searches and directory information, including area-code listings by number and address servers
  • Screening background checks
  • Research services and investigative information; Investigator's Tool Box (sources of information)
  • General search engines, a search engine for URLs, a search engine for search engines, and lists of search engines
  • Literature, biography and Britannica Online (premier web encyclopedia) gateways
  • Business guides: over 46,290 companies listed in over 208 categories; the European Business Directory; business and people search
  • City and travel information gateways
  • Campaign-finance search: individuals who have donated to congressional and presidential campaigns, party and PAC campaign movements
  • Hotmail email account website
  • Extensive directory of legal resources in the UK, including government agencies, law schools, legal associations, and law publishers
  • Finding people, places, business and things; a comprehensive people locator; searches for individuals, even those not on the Internet
  • Media search; business, people, and email directory searches
  • Bringing together former classmates from around the world
  • Refdesk.com search engine resources
  • Zip2: gateway to find a business and/or person, get direc

U.S. News Archives on the Web
NetSmartz411 is parents online resource
Fastest way to find people 
Find Free Articles

Domain Dossier Best whois search. Search engine to investigate a website URL or IP address. Includes trace route feature

Wayback Machine See how websites looked years ago.

"Who is" Search for .ORG Domains

"Who is" Search for .INFO Domains

"Who is" Search for .BIZ Domains

"Who is" Search for .US Domains

Asia Pacific "Who is" Search This is the APNIC whois search for domains registered in the Asia Pacific region. Once at this page, scroll down to the search function and click on it, and the search form will come up.

European "Who is" Search Operated by RIPE, this is the Regional Internet Registry for Europe and surrounding countries. Learn who a domain name is owned by when from one of these areas.

U.S. Government "Who is" Search Massive whois search for non-military U.S. government domains (e.g., fdic.gov). Also includes a user name look-up function.

U.S. Military Whois Operated by the Department of Defense, this provides registration information on U.S. military domain names and Internet addresses ending with ".mil".

WIPO Cases WIPO (World Intellectual Property Organization) arbitrates disputes over domain name ownership, often related to cyber-squatting. Cases heard are available in a search at this link. For a ringer, search on gepoints.com

DNS Stuff.com This site will be of interest for those investigating an email address or website. It offers a number of searches to glean information from.

DNS Reports Companion to DNS Stuff; offers additional searches.

Abuse.net Database of e-mail addresses to report spam and other abuse. You'll enter the domain name of the offending URL to get contact addresses for reporting abuse.

Instant Message Acronyms Have data from an instant message but don't understand the coded words and abbreviations? OMG!

File Extensions Lookup Found a file during the examination of a computer? Unsure what it does? Run the extension here to find out.

World Email Directory Enter a person's name or a company name to search for their e-mail address. Contains 18 million entries.

ARIN Lookup Need to determine the registrant or ISP behind a numeric Internet address? Check with the American Registry for Internet Numbers. Here's a sample numeric Internet address: 209.218.217.25

The ICQ White Pages Here's a source for locating e-people. The popular ICQ service directory.

Yahoo Membership Directory Search for registered Yahoo members by real name or Yahoo I.D.

http://800notes.com/

For more examples, view the source websites listed below.

Sources
Johnru.com
Yahoo.com
Google.com
Online tech tips.com
IP2location.com
Geobytes.com
arin.net
SamSpade.org
WHOIS


COPYRIGHT © LISTCRIME 2008 ALL RIGHTS RESERVED