How To Trace Fake or Anonymous E-mails

As most of my readers should know, it's pretty easy to fake an e-mail through an SMTP server: either telnet to port 25 on a server and type the commands yourself, or use a client like Outlook Express or Netscape Messenger and tell it any e-mail address you want as the From address. There are also times when you have to track down the user of a real e-mail address who sent mail through a free service like Yahoo or Hotmail. Anonymous remailers exist that would make the tracing methods outlined in this text useless, but these steps should be handy in a lot of cases.

Fig1:
As you can see from the figures, I have configured Netscape to use a fake e-mail address (Fig1), but the server preferences still use my real account information because I need to authenticate to my SMTP server (Fig2).

With these options set up I send myself an e-mail. For this tutorial I will be using Microsoft Outlook as my receiving e-mail client, but most clients should work if you read the help/man page and figure out how to view the Internet headers. As you can see from Figure 3, the fake mail was sent without a hitch.

Fig2:

Fig3:

Now, to find out where the mail really came from, go to View -> Options (or however you view headers in your client) and look at the Internet headers.

From here we can see header information that will be of use; I've pasted it below for easy viewing.

Received: from tux.irongeek.com ([123.123.30.130]) by mail.irongeek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id D0DN16JW; Sat, 2 Feb 2002 13:48:34 -0500
Received: from hell.org ([123.123.26.29])
    by tux.irongeek.com (8.11.6/8.11.6) with ESMTP id g12ItDT13201
    for <adrian@irongeek.com>; Sat, 2 Feb 2002 13:55:13 -0500
X-Authentication-Warning: tux.irongeek.com: mail owned process doing -bs
Message-ID: <3C5C3481.2ED1506F@hell.org>
Date: Sat, 02 Feb 2002 13:48:33 -0500
From: Satan <Satan@hell.org>
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: adrian@irongeek.com
Subject: Hi Boy
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Look at the two Received: lines. The first one tells us that the server that actually handed the message to mail.irongeek.com was tux.irongeek.com, but the second one is the really interesting one. It shows that the box the mail originally came from was 123.123.26.29, which just so happens to be the IP of the machine I typed the message on :). Each server the message passes through adds its own Received: line at the top, so the bottom-most one is the first hop. Keep in mind that the From: address, like the "hell.org" name the sending machine announced itself as, is just text the sender supplied; the IP in brackets is what the receiving server saw on the connection, and only the Received: lines added by servers you trust can be relied on, since a sender can pre-fill bogus ones beneath them. Now that you have this IP you can look up all sorts of useful info using our "What can you find out from an IP" tutorial and hopefully find out who really sent it.

Fig4:

For the case of an e-mail that was not faked but was sent from a free mail service, let's look at the headers below.

Received: from web14407.mail.yahoo.com ([216.136.174.77]) by ig.irongeek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id D0DN16AL; Sat, 2 Feb 2002 12:59:05 -0500
Message-ID: <20020202175904.15107.qmail@web14407.mail.yahoo.com>
Received: from [123.123.26.29] by web14407.mail.yahoo.com via HTTP; Sat, 02 Feb 2002 09:59:04 PST
Date: Sat, 2 Feb 2002 09:59:04 -0800 (PST)
From: <plato10101010@yahoo.com>
Subject: ya
To: adrian@irongeek.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Notice that once again the IP of the box that sent the mail was revealed to us, this time in the Received: line that Yahoo's web server added when the message was submitted over HTTP. Happy hunting guys.
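Reading the chain by hand is fine for one message; for a pile of them the same walk down the Received: lines is easy to script. The following is an added example (mine, not code from the original article): a Python script that parses the two header blocks shown above (embedded as constructed samples, with the folded continuation lines re-indented so a header parser accepts them), pulls the sending IP out of each Received: line, and reports the deepest hop whose stamp you can actually believe. The trust rule and the `trusted_relay_ips` parameter are my own assumption, not something the article spells out: a sender can pre-fill fake Received: lines beneath the genuine ones, so a hop is only believable when the relay that stamped it is one you trust (your own servers, or a provider such as the Yahoo webmail host in the second sample).

```python
"""Walk the Received: chain of an e-mail's headers to find the IP the message really came from.

Added example; the two header blocks are constructed from the samples in the article above
(continuation lines re-indented so a header parser accepts them).
"""
import re
from email.parser import HeaderParser

FORGED_FROM_HEADERS = """\
Received: from tux.irongeek.com ([123.123.30.130]) by mail.irongeek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id D0DN16JW; Sat, 2 Feb 2002 13:48:34 -0500
Received: from hell.org ([123.123.26.29])
    by tux.irongeek.com (8.11.6/8.11.6) with ESMTP id g12ItDT13201
    for <adrian@irongeek.com>; Sat, 2 Feb 2002 13:55:13 -0500
X-Authentication-Warning: tux.irongeek.com: mail owned process doing -bs
Message-ID: <3C5C3481.2ED1506F@hell.org>
Date: Sat, 02 Feb 2002 13:48:33 -0500
From: Satan <Satan@hell.org>
To: adrian@irongeek.com
Subject: Hi Boy
"""

WEBMAIL_HEADERS = """\
Received: from web14407.mail.yahoo.com ([216.136.174.77]) by ig.irongeek.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id D0DN16AL; Sat, 2 Feb 2002 12:59:05 -0500
Message-ID: <20020202175904.15107.qmail@web14407.mail.yahoo.com>
Received: from [123.123.26.29] by web14407.mail.yahoo.com via HTTP; Sat, 02 Feb 2002 09:59:04 PST
Date: Sat, 2 Feb 2002 09:59:04 -0800 (PST)
From: <plato10101010@yahoo.com>
Subject: ya
To: adrian@irongeek.com
"""

# "from <name> ([ip]) by <server>": the name is whatever the sending machine announced (or its
# reverse DNS); the bracketed IP is what the receiving server saw on the TCP connection.
FROM_RE = re.compile(r"^from\s+(?P<host>[^\s\[(]+)?", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s;(]+)", re.I)


def parse_received(value):
    """Split one Received: header into the sending host/IP and the server that stamped it."""
    value = " ".join(value.split())          # unfold continuation lines
    before_by = value.partition(" by ")[0]   # only the "from" part holds the peer address
    host = FROM_RE.match(value)
    ip = IPV4_RE.search(before_by)
    by = BY_RE.search(value)
    return {
        "from_host": host.group("host") if host and host.group("host") else None,
        "from_ip": ip.group(1) if ip else None,
        "by": by.group("by") if by else None,
    }


def received_chain(raw_headers):
    """Received: hops in header order: the top one was added last, by the server you read mail from."""
    msg = HeaderParser().parsestr(raw_headers)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def originating_ip(raw_headers, trusted_relay_ips):
    """Return (ip, hop_index) for the deepest hop whose stamp you can believe.

    Servers prepend their Received: line, so walk from the top down.  Hop 0 was written by the
    server you fetched the mail from, so its peer IP is reliable.  Hop i (i > 0) was really
    written by the machine hop i-1 received from; since a sender can pre-fill fake Received:
    lines, believe hop i only when that machine is a relay you trust (assumed trust rule).
    """
    hops = received_chain(raw_headers)
    if not hops:
        return None, None
    vouched = (hops[0]["from_ip"], 0)
    for i in range(1, len(hops)):
        if hops[i - 1]["from_ip"] not in trusted_relay_ips:
            break
        vouched = (hops[i]["from_ip"], i)
    return vouched


def header_from(raw_headers):
    """The From: line, for contrast: it is free text and proves nothing about the sender."""
    return HeaderParser().parsestr(raw_headers)["From"]


if __name__ == "__main__":
    for label, hdrs, trusted in (
        ("forged From:", FORGED_FROM_HEADERS, {"123.123.30.130"}),  # tux.irongeek.com, our own relay
        ("Yahoo webmail", WEBMAIL_HEADERS, {"216.136.174.77"}),      # trust Yahoo's stamp
    ):
        for i, hop in enumerate(received_chain(hdrs)):
            print(f"{label} hop {i}: from {hop['from_host']} [{hop['from_ip']}] by {hop['by']}")
        print(f"{label}: From: says {header_from(hdrs)!r}, origin {originating_ip(hdrs, trusted)}")
```

With tux.irongeek.com listed as a trusted relay the first sample resolves to 123.123.26.29, the machine the message was typed on; with an empty trust set the script stops at 123.123.30.130, because anything beneath the line your own server stamped could have been written by the sender. The same applies to the webmail sample: you only get 123.123.26.29 if you are willing to trust Yahoo's server to have stamped the HTTP submission honestly.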


Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast