Tuesday, December 4, 2007
Tracking down an email
Tracing an email back to its sender has long been one of the prime concerns of the authorities, and following a mail back to the sender's door is one of their most basic tasks. Not surprisingly, it is also the easiest. Although the amount of information available is very limited, it can still yield the IP address the sender was using at the time the mail was sent, and that is no small achievement.
This is accomplished by studying the email headers. If the IP belongs to a registered network, we can find the exact location of the sender, including the street address; but if it is a personal internet connection, we can only learn the name of the company the sender is connecting through, that is, the ISP (Internet Service Provider).
Now we get to the real thing. We consider an example email header and trace the mail back to the sender.
Here's a sample mail header; this one is the header of a mail from McAfee:
The X-Originating-IP is the IP of the mail server, that is, the SMTP server used in the process. These servers are the machines used to send mail across the Internet. In this case it is 220.127.116.11. The sending machine's IP can also be worked out from the mail header itself, by examining the Received fields, which in this case read:
Received: from 18.104.22.168 (HELO mcafee.com) (22.214.171.124) by mta125.mail.in.yahoo.com with SMTP; Sat, 25 Aug 2007 21:45:40 +0530
The sending IP here is thus the same as that of the first mail server used in the process, that is, 126.96.36.199.
But cases are not always this simple.
We consider another case, where multiple mail servers are used in the process.
Here we look at the Received fields and deduce what we set out to deduce: the IP of the sender at the time the message was sent. The X-Originating-IP is 188.8.131.52, which is the IP of the first mail server in the path. Then we come to the point.
The first Received field says that the message was obtained from 184.108.40.206, a.k.a. web8316.mail.in.yahoo.com; that is, the computer introduced itself to the mail server mta135.mail.in.yahoo.com as web8316.mail.in.yahoo.com.
The second one says that the message was obtained from 220.127.116.11 by web8316.mail.in.yahoo.com via HTTP; that is, the sender used a web browser to send the email.
Then, to find more information about the sender, we look up the obtained IP 18.104.22.168 with the nslookup command, which returns the following:
That is, the sender's ISP is Airtel broadband, he is located in India, in the state of Madhya Pradesh (deduced from the ABTS-MP), and the IP is a dynamic address, meaning that the next time the sender logs on to the ISP he will have a new IP.
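As an added example (my own code, not from the original post), here is a small Python script that automates the manual reading above: it walks the Received fields from the bottom up to reach the earliest hop, pulls the sending IP out of that hop, reads X-Originating-IP, and offers a reverse DNS lookup as the programmatic counterpart of the nslookup step. The message it parses is a constructed sample built on RFC 5737 documentation addresses and invented hostnames (webmail.example.net, mta.example.net), not the McAfee or Yahoo headers from the post. It goes slightly beyond the two cases above in that it also tolerates Received lines that have no "from" clause at all.

```python
import email
import re
import socket

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample message (RFC 5737 documentation addresses, invented
# hostnames). Modelled on the webmail path discussed above: the browser
# client talks HTTP to a webmail server, which hands the mail to an MTA.
SAMPLE_MESSAGE = """\
X-Originating-IP: [198.51.100.23]
Received: from 198.51.100.23 (HELO webmail.example.net) (198.51.100.23)
  by mta.example.net with SMTP; Sat, 25 Aug 2007 21:45:40 +0530
Received: from [203.0.113.77] by webmail.example.net via HTTP;
  Sat, 25 Aug 2007 21:45:39 +0530
From: sender@example.net
To: recipient@example.org
Subject: constructed sample

(body omitted)
"""


def _collapse(value):
    """Join folded continuation lines of a header into a single line."""
    return re.sub(r"\s+", " ", value).strip()


def parse_received_hops(raw_message):
    """Return the Received hops in transmission order (earliest hop first).

    Each hop is a dict with from_host, from_ip, by_host, via, with_ and
    stamp (the text after ';'). Anything absent from the line is None.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    # Every relay prepends its own Received line, so the top line is the last
    # hop and the bottom line the first; reverse to walk from sender onward.
    for value in reversed(msg.get_all("Received", [])):
        clause, _, stamp = _collapse(value).partition(";")
        from_m = re.search(r"\bfrom\s+(\S+)", clause, re.IGNORECASE)
        by_m = re.search(r"\bby\s+(\S+)", clause, re.IGNORECASE)
        via_m = re.search(r"\bvia\s+(\S+)", clause, re.IGNORECASE)
        with_m = re.search(r"\bwith\s+(\S+)", clause, re.IGNORECASE)
        # The sending side's address sits between 'from' and 'by': either the
        # bare/bracketed IP right after 'from' or the '(ip)' comment that
        # follows the HELO name the client announced.
        if from_m:
            end = by_m.start() if by_m and by_m.start() > from_m.start() else len(clause)
            ip_m = IPV4_RE.search(clause, from_m.start(), end)
        else:
            ip_m = None
        hops.append({
            "from_host": from_m.group(1) if from_m else None,
            "from_ip": ip_m.group(0) if ip_m else None,
            "by_host": by_m.group(1) if by_m else None,
            "via": via_m.group(1) if via_m else None,
            "with_": with_m.group(1) if with_m else None,
            "stamp": stamp.strip() or None,
        })
    return hops


def originating_ip(raw_message):
    """The sender's IP at send time: the 'from' address of the earliest hop that has one."""
    for hop in parse_received_hops(raw_message):
        if hop["from_ip"]:
            return hop["from_ip"]
    return None


def x_originating_ip(raw_message):
    """The X-Originating-IP header, if present, as a bare dotted quad."""
    value = email.message_from_string(raw_message).get("X-Originating-IP")
    ip_m = IPV4_RE.search(value) if value else None
    return ip_m.group(0) if ip_m else None


def reverse_lookup(ip):
    """PTR lookup, the programmatic counterpart of `nslookup <ip>`.

    Returns the host name, or None when it cannot be resolved (or offline).
    The host name is what carries the ISP/region hints such as the ABTS-MP
    label mentioned above.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def trace(raw_message):
    """Bundle the pieces the way a manual header read does."""
    return {
        "hops": parse_received_hops(raw_message),
        "x_originating_ip": x_originating_ip(raw_message),
        "originating_ip": originating_ip(raw_message),
    }


if __name__ == "__main__":
    result = trace(SAMPLE_MESSAGE)
    for n, hop in enumerate(result["hops"], 1):
        print(f"hop {n}: from {hop['from_host']} ({hop['from_ip']}) by {hop['by_host']} "
              f"via {hop['via'] or hop['with_']} at {hop['stamp']}")
    print("X-Originating-IP:", result["x_originating_ip"])
    print("sender IP at send time:", result["originating_ip"])
    print("reverse DNS:", reverse_lookup(result["originating_ip"]))
```

One caveat worth keeping in mind when reading the output: only the Received lines added by servers you trust (your own, and the relays you can verify) are reliable. The lines nearest the bottom were written by whoever handed the message in, and the HELO name is simply what the client claimed, so treat the earliest hop as a lead to be corroborated with the ISP rather than as proof on its own.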
In the next post I'll demonstrate how I traced a sender down to his college and got a phone number, so that I could talk to him! Keep checking. :)