How To Trace Fake or Anonymous E-mails
As most of my readers should know it's pretty east to fake an e-mail through an SMTP server. Either telnet to port 25 on a server and do the commands yourself or use a client like Outlook Express or Netscape Messenger and tell it any email address you want. There are also the times when you have to trace down the user of a real e-mail address that was sent using a free service like Yahoo or Hotmail. There are anonymous remailers out there that would make the methods of tracing I will outline in this text useless, but these steps may be handy in a lot of cases.
||As you can see from the graphics to the left I have configured Netscape to use a fake email address (Fig1), but the server preference uses my real info because I need to authenticate to my SMTP server (Fig2).|
With all these option setup I send myself an email. For this tutorial I will be using Microsoft Outlook as my receiving email client, but most clients should work if you read the help/man file and figure out how to view Internet headers. As you can see from Figure 3 the fake mail was sent without a hitch.
|Now to find out where the mail really came from lets go to
View->Options (or however you view headers in your client) and look at
the Internet headers.
From here we can see some header information that will be of use, I've pasted it below for easy viewing.
tux.irongeek.com ([18.104.22.168]) by
mail.irongeek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
Notice the line in blue, this indicated the real server that delivered the message was tux.irongeek.com but the line in red is the real interesting one. It now appears that the box the mail original came from was 22.214.171.124, this just so happens the be the IP of the box I typed the message on :). Now that you have this IP you can look up all sorts of useful info using our "What can you find out from an IP" tutorial and hopefully find out who really send it.
For the case of an email that was not faked, but sent from a free mail services lets look at the headers below.
Received: from web14407.mail.yahoo.com ([126.96.36.199]) by
ig.irongeek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
Notice that once again the IP of the box that sent the mail was revealed to us. Happy hunting guys.