Email tracing has been one of the prime considerations of the authorities. It has been the most basic task of the authorities, in the tracing of a mail, down to the door. And not surprisingly, it is also, the most easy thing to do. Though the amount of information is very limited, but still, this can provide the IP of the sender at the time of the mail sending, and that's no less than an important achievement.
This is accomplished by studying the email headers. If the IP is from a registered network, then we can know the exact location of the sender, along with the street address, but is it a personal internet connection, we can only know the name of the company, which the sender is sending from, that is the ISP(Internet Service Provider).
Now, we get to the real thing. We consider an example email header, from which, we trace the mail back to the sender.
Here's a sample mail header:
This one is the header of a mail from McAfee.
Example 1
| From McAfee Fri Aug 24 04:11:46 2007 | |
| X-Apparently-To: | xtreme_the_great1@yahoo.co.in via 202.43.219.101; Sat, 25 Aug 2007 21:45:41 +0530 |
| X-Originating-IP: | [216.49.92.103] |
| Return-Path: | |
| Authentication-Results: | mta125.mail.in.yahoo.com from=mcafee.com; domainkeys=neutral (no sig) |
| Received: | from 216.49.92.103 (HELO mcafee.com) (216.49.92.103) by mta125.mail.in.yahoo.com with SMTP; Sat, 25 Aug 2007 21:45:40 +0530 |
| X-Mailer: | UnityMail |
| Errors-To: | |
| Originator: | |
| X-Mailer-Version: | 5.1.182 |
| X-UnityID: | <20070823224146.hxfcjbysebaaa3aumail4.xtreme_the_great1@yahoo.co.in@unity4.mcafee.com> |
| X-UnityUser: | McAfee |
| Reply-to: | "McAfee" |
| From: | "McAfee"  Add to Address Book |
| To: | "xtreme_the_great1@yahoo.co.in" |
| Subject: | McAfee Security Brief 08.07: Microsoft Vulnerabilities |
| Date: | Thu, 23 Aug 2007 15:41:46 -0700 |
| MIME-Version: | 1.0 |
| Content-Type: | multipart/alternative; boundary="----=_NextPart_000_0963_01C7E5D6.C90B46F0" |
| Thread-Index: | AcfmEXVgCOCwhz8cS5K6y62QtMC7QQ== |
| Content-Class: | urn:content-classes:message |
| X-MimeOLE: | Produced By Microsoft MimeOLE V6.00.2800.1807 |
| Content-Length: | 19546 |
The X-originating IP is the IP of the mail server, that is the smtp server used in the process. These servers, are the machines, that are used for sending mails in the Internet. In this case, it is 216.49.92.103. The sending machine's IP can also be figured out from the mail header itself. We can figure it out by examining the Received fields, which in this case reads:
Received: from 216.49.92.103 (HELO mcafee.com) (216.49.92.103) by mta125.mail.in.yahoo.com with SMTP; Sat, 25 Aug 2007 21:45:40 +0530
The sending IP here is thus, the same as that of the first mail server used in the process. That is: 216.49.92.103.
But, cases may not be like this.
We consider another case, where there are multiple mail servers used in the process.
Example 2
| X-Apparently-To: | xtreme_the_great1@yahoo.co.in via 202.43.219.149; Sun, 25 Mar 2007 18:02:32 +0530 |
| X-Originating-IP: | [202.43.219.31] |
| Return-Path: | |
| Authentication-Results: | mta135.mail.in.yahoo.com from=yahoo.co.in; domainkeys=pass (ok) |
| Received: | from 202.43.219.31 (HELO web8316.mail.in.yahoo.com) (202.43.219.31) by mta135.mail.in.yahoo.com with SMTP; Sun, 25 Mar 2007 18:02:32 +0530 |
| Received: | (qmail 84649 invoked by uid 60001); 25 Mar 2007 12:32:32 -0000 |
| DomainKey-Signature: | a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.in; h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=0s8bAtp2vC7RFSCYSfLno7bSWfAP6ebccb/weUTLZiw/rWfNuCgFdZvZUc9iMyUkgYuxqjz7WX3LqbMS8L8Qpyg4sM+M+BR2YQt50I330raEEFk5kuAjjGCNOZBe8zFphRNtIeAsOFJ8keIEQ+0kzbPdJQ0xuon7g7mDTyJv0Tw=; |
| X-YMail-OSG: | jC_yrKkVM1n7FtpNbkqEXJdYRgDvi3PDe0HUOmSPKTBwyHwm_1crZ.fBVw6xODaYBudsxpwFsOtmkF6_lYfGUTo.FBDkKgfTLsoHun6qK.irkJFE.QqhNsPs2JfHOpVQDVVdACQ4HUZ7A9SFDqR7KA6pTw-- |
| Received: | from [122.168.69.140] by web8316.mail.in.yahoo.com via HTTP; Sun, 25 Mar 2007 13:32:31 BST |
| Date: | Sun, 25 Mar 2007 13:32:31 +0100 (BST) |
| From: | Add to Address Book Yahoo! DomainKeys has confirmed that this message was sent by yahoo.co.in. Learn more |
| Subject: | Proxy Lists by Sooraj E |
| To: | xtreme_the_great1@yahoo.co.in |
| MIME-Version: | 1.0 |
| Content-Type: | multipart/alternative; boundary="0-575879626-1174825951=:84636" |
| Content-Transfer-Encoding: | 8bit |
| Message-ID: | <34533.84636.qm@web8316.mail.in.yahoo.com> |
| Content-Length: | 58637 |
Here, we see the Received fields, and deduce, what we are supposed to deduce.: The IP of the sender, at the time of sending the message. The X-Originating IP is 202.43.219.31, which is the IP of the first mail server in the path. Then we come to the point.
The first Received field says, that the message was obtained from 202.43.219.31 a.k.a. web8316.mail.in.yahoo.com, that is, the computer introduced itself to the mail server mta135.mail.in.yahoo.com as web8316.mail.in.yahoo.com.
The second one says, that the message was obtained from 122.168.69.140 by web8316.mail.in.yahoo.com via HTTP, that is, the sender used a web browser, to send the email.
Then, to find more information about the sender, we lookup the obtained IP 122.168.69.140 with the nslookup command, which returns the following:
Name: ABTS-MP-dynamic-140.69.168.122.airtelbroadband.in
Address: 122.168.69.140
That is the sender's ISP is Airtel broadband, and he is situated in India, in the state Madhya Pradesh (Deduced from the ABTS-MP) and the IP is a dynamic IP address, that is the next time the sender logs on to the ISP, he'll have a new IP.
In the next post, I'll demonstrate how I traced down a sender to his college, and got a phone number, so that I could talk to him! Keep checking. :)
No comments:
Post a Comment