Tuesday, December 4, 2007

Tracking down an email

Email tracing has been one of the prime considerations of the authorities. It has been the most basic task of the authorities, in the tracing of a mail, down to the door. And not surprisingly, it is also, the most easy thing to do. Though the amount of information is very limited, but still, this can provide the IP of the sender at the time of the mail sending, and that's no less than an important achievement.

This is accomplished by studying the email headers. If the IP is from a registered network, then we can know the exact location of the sender, along with the street address, but is it a personal internet connection, we can only know the name of the company, which the sender is sending from, that is the ISP(Internet Service Provider).

Now, we get to the real thing. We consider an example email header, from which, we trace the mail back to the sender.

Here's a sample mail header:

This one is the header of a mail from McAfee.
Example 1

From McAfee Fri Aug 24 04:11:46 2007
X-Apparently-To: xtreme_the_great1@yahoo.co.in via; Sat, 25 Aug 2007 21:45:41 +0530
X-Originating-IP: []
Authentication-Results: mta125.mail.in.yahoo.com from=mcafee.com; domainkeys=neutral (no sig)
Received: from (HELO mcafee.com) ( by mta125.mail.in.yahoo.com with SMTP; Sat, 25 Aug 2007 21:45:40 +0530
X-Mailer: UnityMail
X-Mailer-Version: 5.1.182
X-UnityID: <20070823224146.hxfcjbysebaaa3aumail4.xtreme_the_great1@yahoo.co.in@unity4.mcafee.com>
X-UnityUser: McAfee
Reply-to: "McAfee"
From:"McAfee" Add to Address BookAdd to Address Book
Subject: McAfee Security Brief 08.07: Microsoft Vulnerabilities
Date: Thu, 23 Aug 2007 15:41:46 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0963_01C7E5D6.C90B46F0"
Thread-Index: AcfmEXVgCOCwhz8cS5K6y62QtMC7QQ==
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Content-Length: 19546

The X-originating IP is the IP of the mail server, that is the smtp server used in the process. These servers, are the machines, that are used for sending mails in the Internet. In this case, it is The sending machine's IP can also be figured out from the mail header itself. We can figure it out by examining the Received fields, which in this case reads:

Received: from (HELO mcafee.com) ( by mta125.mail.in.yahoo.com with SMTP; Sat, 25 Aug 2007 21:45:40 +0530

The sending IP here is thus, the same as that of the first mail server used in the process. That is:

But, cases may not be like this.

We consider another case, where there are multiple mail servers used in the process.

Example 2

X-Apparently-To: xtreme_the_great1@yahoo.co.in via; Sun, 25 Mar 2007 18:02:32 +0530
X-Originating-IP: []
Authentication-Results: mta135.mail.in.yahoo.com from=yahoo.co.in; domainkeys=pass (ok)
Received: from (HELO web8316.mail.in.yahoo.com) ( by mta135.mail.in.yahoo.com with SMTP; Sun, 25 Mar 2007 18:02:32 +0530
Received: (qmail 84649 invoked by uid 60001); 25 Mar 2007 12:32:32 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.in; h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=0s8bAtp2vC7RFSCYSfLno7bSWfAP6ebccb/weUTLZiw/rWfNuCgFdZvZUc9iMyUkgYuxqjz7WX3LqbMS8L8Qpyg4sM+M+BR2YQt50I330raEEFk5kuAjjGCNOZBe8zFphRNtIeAsOFJ8keIEQ+0kzbPdJQ0xuon7g7mDTyJv0Tw=;
X-YMail-OSG: jC_yrKkVM1n7FtpNbkqEXJdYRgDvi3PDe0HUOmSPKTBwyHwm_1crZ.fBVw6xODaYBudsxpwFsOtmkF6_lYfGUTo.FBDkKgfTLsoHun6qK.irkJFE.QqhNsPs2JfHOpVQDVVdACQ4HUZ7A9SFDqR7KA6pTw--
Received: from [] by web8316.mail.in.yahoo.com via HTTP; Sun, 25 Mar 2007 13:32:31 BST
Date: Sun, 25 Mar 2007 13:32:31 +0100 (BST)
From:Send an Instant Message "sooraj elamana" Add to Address BookAdd to Address Book
Yahoo! DomainKeys has confirmed that this message was sent by yahoo.co.in. Learn more
Subject: Proxy Lists by Sooraj E
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-575879626-1174825951=:84636"
Content-Transfer-Encoding: 8bit
Message-ID: <34533.84636.qm@web8316.mail.in.yahoo.com>
Content-Length: 58637

Here, we see the Received fields, and deduce, what we are supposed to deduce.: The IP of the sender, at the time of sending the message. The X-Originating IP is, which is the IP of the first mail server in the path. Then we come to the point.

The first Received field says, that the message was obtained from a.k.a. web8316.mail.in.yahoo.com, that is, the computer introduced itself to the mail server mta135.mail.in.yahoo.com as web8316.mail.in.yahoo.com.

The second one says, that the message was obtained from by web8316.mail.in.yahoo.com via HTTP, that is, the sender used a web browser, to send the email.

Then, to find more information about the sender, we lookup the obtained IP with the nslookup command, which returns the following:

Name: ABTS-MP-dynamic-

That is the sender's ISP is Airtel broadband, and he is situated in India, in the state Madhya Pradesh (Deduced from the ABTS-MP) and the IP is a dynamic IP address, that is the next time the sender logs on to the ISP, he'll have a new IP.

In the next post, I'll demonstrate how I traced down a sender to his college, and got a phone number, so that I could talk to him! Keep checking. :)

No comments: