Backtracking EMAIL Messages


Tracking email back to its source
('cause I hate spammers...)

Ask most people how they determine who sent them an email message and the response is almost universally, "By the From line." Unfortunately this is symptomatic of the current confusion among internet users as to where particular messages come from and who is spreading spam and viruses. The "From" header is little more than a courtesy to the person receiving the message. People spreading spam and viruses are rarely courteous. In short, if there is any question about where a particular email message came from, the safe bet is to assume the "From" header is forged.

So how do you determine where a message actually came from? You have to understand how email messages are put together in order to backtrack an email message. SMTP is a text-based protocol for transferring messages across the internet. A series of headers is placed in front of the data portion of the message. By examining the headers you can usually backtrack a message to the source network, and sometimes to the source host. A more detailed essay on reading email headers can be found .

If you are using Outlook or Outlook Express you can view the headers by right-clicking on the message and selecting Properties or Options.

Below are listed the headers of an actual spam message I received. I've changed my email address and the name of my server for obvious reasons. I've also double spaced the headers to make them more readable.


Return-Path: <s359dyxtt@yahoo.com>

X-Original-To: davar@example.com

Delivered-To: davar@example.com

Received: from 12-218-172-108.client.mchsi.com (12-218-172-108.client.mchsi.com [12.218.172.108])
by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7
for <davar@example.com>; Sun, 16 Nov 2003 09:50:37 -0800 (PST)

Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200

Message-ID: <n5-l067n7z$46-z$-n@eo2.32574>

From: "Maricela Paulson" <s359dyxtt@yahoo.com>

Reply-To: "Maricela Paulson" <s359dyxtt@yahoo.com>

To: davar@example.com

Subject: STOP-PAYING For Your PAY-PER-VIEW, Movie Channels, Mature Channels...isha

Date: Sun, 16 Nov 2003 19:42:31 +0200

X-Mailer: Internet Mail Service (5.5.2650.21)

X-Priority: 3

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"


According to the From header this message is from Maricela Paulson at s359dyxtt@yahoo.com. I could just fire off a message to abuse@yahoo.com, but that would be a waste of time. This message didn't come from Yahoo's email service.

The header most likely to be useful in determining the actual source of an email message is the Received header. According to the top-most Received header this message was received from the host 12-218-172-108.client.mchsi.com, with the IP address 12.218.172.108, by my server mailhost.example.com. An important item to consider is at what point in the chain the email system becomes untrusted. I consider anything beyond my own email server to be an unreliable source of information. Because this header was generated by my email server, it is reasonable for me to accept it at face value.

The next Received header (which is chronologically the first) shows the remote email server accepting the message from the host 0udjou with the IP 193.12.169.0. Those of you who know anything about IP will realize that this is not a valid host IP address. In addition, any hostname that ends in client.mchsi.com is unlikely to be an authorized email server. This has every sign of being a cracked client system.
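To make the top-down reading of the Received chain concrete, here is an added Python example (not part of the original post) that parses the headers quoted above, records each hop's HELO name, reverse DNS, IP and receiving server, and stops at the last hop written by a server whose name you trust. The trusted suffix example.com and the sample message are the page's placeholders, re-typed here as constructed input.

```python
import re
from email import message_from_string

# Constructed sample input: the spam headers quoted on the page, with the
# page's placeholder address davar@example.com and server mailhost.example.com.
RAW = """\
Return-Path: <s359dyxtt@yahoo.com>
Delivered-To: davar@example.com
Received: from 12-218-172-108.client.mchsi.com (12-218-172-108.client.mchsi.com [12.218.172.108])
\tby mailhost.example.com (Postfix) with SMTP id 1F9B8511C7
\tfor <davar@example.com>; Sun, 16 Nov 2003 09:50:37 -0800 (PST)
Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200
From: "Maricela Paulson" <s359dyxtt@yahoo.com>
To: davar@example.com
Subject: STOP-PAYING For Your PAY-PER-VIEW

(body omitted)
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"\(HELO\s+(\S+?)\)", re.I)
RDNS_RE = re.compile(r"\((\S+)\s+\[")  # "(name [ip])" as written by the receiving MTA


def parse_received(raw):
    """Return the hops top-down (newest first) as dicts: helo, rdns, ip, by."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received") or []:
        value = " ".join(value.split())  # unfold and normalise whitespace
        m = HOP_RE.search(value)
        if not m:
            continue  # not in the "from X by Y" form; skip rather than guess
        src = m.group("src")
        helo_m, ip_m, rdns_m = HELO_RE.search(src), IP_RE.search(src), RDNS_RE.search(src)
        if helo_m:
            helo = helo_m.group(1)
        else:
            helo = None if src.startswith("(") else src.split()[0]
        hops.append({"helo": helo, "rdns": rdns_m.group(1) if rdns_m else None,
                     "ip": ip_m.group(1) if ip_m else None, "by": m.group("by").lower()})
    return hops


def first_untrusted_hop(hops, trusted_suffix):
    """The hop where one of your own servers accepted the message from outside."""
    handoff = None
    for hop in hops:  # keep walking down while the receiving server is yours
        if hop["by"] == trusted_suffix or hop["by"].endswith("." + trusted_suffix):
            handoff = hop
        else:
            break  # everything below was written by machines you do not control
    return handoff
```

The hop returned is the one whose IP and reverse DNS you then verify with whois and nslookup; the hops below it (here the 0udjou / 193.12.169.0 line) are only as trustworthy as the machine that wrote them.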


Here is where we start digging. By default Windows is somewhat lacking in network diagnostic tools; however, you can use the tools at to do your own checking.

davar@nqh9k:[/home/davar] $whois 12.218.172.108

AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
Mediacom Communications Corp MEDIACOMCC-12-218-168-0-FLANDREAU-MN (NET-12-218-168-0-1)
12.218.168.0 - 12.218.175.255

# ARIN WHOIS database, last updated 2003-12-31 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

I can also verify the hostname of the remote server by using nslookup, although in this particular instance, my email server has already provided both the IP address and the hostname.

davar@nqh9k:[/home/davar] $nslookup 12.218.172.108

Server: localhost
Address: 127.0.0.1

Name: 12-218-172-108.client.mchsi.com
Address: 12.218.172.108

Ok, whois shows that Mediacom Communications owns that netblock and nslookup confirms the address-to-hostname mapping of the remote server, 12-218-172-108.client.mchsi.com. If I prefix www to the domain name portion and plug that into my web browser, http://www.mchsi.com, I get Mediacom's web site.

There are few things more embarrassing to me than firing off an angry message to someone who is supposedly responsible for a problem, and being wrong. By double-checking who owns the remote host's IP address using two different tools (whois and nslookup), I minimize the chance of making myself look like an idiot.

A quick glance at the web site and it appears they are an ISP. Now if I copy the entire message, including the headers, into a new email message and send it to abuse@mchsi.com with a short note explaining the situation, they may do something about it.

But what about Maricela Paulson? There really is no way to determine who sent a message; the best you can hope for is to find out what host sent it. Even in the case of a PGP-signed message there is no guarantee that one particular person actually pressed the send button. Obviously, determining the actual sender of an email message is much more involved than reading the From header. Hopefully this example may be of some use to other forum regulars.
