Linksys Travel Router

On the Internet, nothing is without a trace. Things you posted on some website a few years ago may still be there in Google's cache, long after the original page has been taken down.

Today, I’m going to share how you can verify the origin of a suspicious e-mail.

Most e-mail clients filter out the technical portion of an e-mail header by default. It can easily be displayed by selecting an option from the menu bar, usually labeled "message source" or "message header". In Mozilla Thunderbird, click on an e-mail and press Ctrl+U to bring up the raw message content.

Received: from web50204.mail.yahoo.com ([206.190.38.45])
	by mx11.singnet.com.sg (8.13.8/8.13.6)
	with SMTP id kBH52QBv001595
	for <xxxxxxxx@singnet.com.sg>;
	Sun, 17 Dec 2006 13:02:38 +0800

Received: from [209.240.32.165]
	by web30311.mail.mud.yahoo.com via HTTP;
	Sat, 16 Dec 2006 21:02:17 PST

From: Alice <yyyyyyyyyyy@yahoo.com>
Subject: Re: Merry Xmas
To: Bob <xxxxxxxx@singnet.com.sg>

Bob,
Merry Christmas from down under!
			- Alice

In the example above, Bob receives an e-mail from Alice, who claims to be in Australia, but is she? The first thing Bob does is run a trace route from his console.

> tracert 209.240.32.165

Tracing route to transact.bm [209.240.32.165]
over a maximum of 30 hops.

The trace reveals immediately that the message Alice sent originated from Bermuda (the .bm ccTLD), over 10,000 miles away from Australia. Maybe someone else is impersonating Alice and has faked the sender address, then?

Using web-based tools to perform an IP WHOIS lookup, Bob learns that she had logged on to a Yahoo Web Mail server in the United States (206.190.38.45) to compose and send the e-mail. The e-mail was certainly handled by Yahoo, and unless Alice's Yahoo credentials had been stolen, there isn't any evidence of spoofing involved here.
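As an added example (not part of the original post), the Python script below automates the first step of Bob's check: it parses the Received chain of the sample message, lists the hops from the originating client up to Bob's mail server, pulls out the origin IP to feed into a trace route or WHOIS lookup, and checks that the hop timestamps move forward in time. The sample message is constructed from the headers shown above with the blank lines between the Received fields removed, which is how they appear in a real message.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample (not a captured message): the post's headers, minus the
# blank lines between Received fields, which would end the header block.
RAW_MESSAGE = """\
Received: from web50204.mail.yahoo.com ([206.190.38.45])
    by mx11.singnet.com.sg (8.13.8/8.13.6)
    with SMTP id kBH52QBv001595
    for <xxxxxxxx@singnet.com.sg>;
    Sun, 17 Dec 2006 13:02:38 +0800
Received: from [209.240.32.165]
    by web30311.mail.mud.yahoo.com via HTTP;
    Sat, 16 Dec 2006 21:02:17 PST
From: Alice <yyyyyyyyyyy@yahoo.com>

Merry Christmas from down under!
"""
# "from host ([ip])" or "from [ip]"; the host name is optional.
FROM_RE = re.compile(r"^from\s+(?:([^\s\[(]+)\s+)?\(?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
BY_RE = re.compile(r"\bby\s+(\S+)")

def received_chain(raw):
    """Parse every Received field, ordered oldest hop first (the origin)."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its own Received field, so the bottom-most one is
    # hop 1. Only the field added by your own server is guaranteed genuine.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold the continuation lines
        frm, by = FROM_RE.search(text), BY_RE.search(text)
        hops.append({
            "from_name": frm.group(1) if frm else None,
            "from_ip": frm.group(2) if frm else None,
            "by": by.group(1) if by else None,
            "time": parsedate_to_datetime(text.rsplit(";", 1)[-1].strip()),
        })
    return hops

def origin_ip(hops):
    """Client address of hop 1 and whether it is publicly routable (a private one means NAT)."""
    ip = hops[0]["from_ip"]
    return ip, ipaddress.ip_address(ip).is_global

def timeline_gaps(hops):
    """Seconds between consecutive hops; a negative gap is a red flag for a
    forged or mis-clocked Received line."""
    return [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(hops, hops[1:])]
```

For the sample message, `origin_ip` returns 209.240.32.165 as a public address, and the single gap between Yahoo's web server and Bob's mail exchanger is 21 seconds once both timestamps are converted to UTC.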

There are two possibilities at this point:

  1. Alice is lying and she's really in Bermuda; or
  2. Alice is behind a NAT in Australia and connected to a VPN based in Bermuda.

Assuming Bob knows Alice very well, Bob can find out whether the VPN service belongs to the company Alice works for. Under normal circumstances, Bob would use InterNIC WHOIS to look up the owner of the domain, but Bermuda doesn't have a WHOIS server. That's why it's good to know that the good government of Bermuda has its own NIC website. Scientia est potentia!

A little disclaimer: all the IP addresses listed in this post are random and public, meant to serve only as an example for educational purposes. It's nothing more than what one could gather from an e-mail header and a simple network trace, so don't get cocky.

And hey, taking Bob's e-mail trace as an example, you can also apply the same method to trace a blog comment!