So you'd like to to find out just who is sending those email love letters, determine the sender of a blackmail message, or just root out the source of a virus emailed to you. There are indeed many such situations where you would like to know who sent a particular email message to you. This article will teach you how to use "Email Headers" to backtrack and find the original sender's IP address. Don't worry, it's not rocket science. If it were, SPAM would still only be canned meat and an amusing Monty Python skit!
Moreover, just as a postal envelope contains an address, a return address and the cancellation stamp of the post office of origin, an email message in these "Headers" carries with it a history of its journey to your email inbox. Because of this, it's possible to determine the original IP address of the sender.
Since email programs do not normally display these Headers, we must first learn how to display them. Depending on the program, this is done in a variety of ways. The following sequence details the way to do this using the Windows default email program, "Outlook Express".
First, select "Properties" from the "File" Menu, or just press ALT+Enter. Next, select the "Details" tab.
Here's how to view the Headers in the Microsoft Office version of Outlook:
Headers in MS Office See how to show email headers in Yahoo, HotMail, Gmail, and AOL web mail.
As you can see on these pictures, a Header consists of two sections separated by a colon ":". The first part is the Header's name. The second is the Header's data. In the case of postal mail, in principle, it is possible to write any kind of information (c/o, suite or apartment number, etc.) into the address information. Similarly email Headers can include any kind of information also. Usually however, an email Header will contain at least the following basic Header information:
In some cases, a number of these Headers may not be necessary.
To determine the address of origin, special attention must be paid to the 'Received:' Headers. These Headers are selected on our screenshot illustration. 'Received' Headers have the following format:
So, we have observed, it is from the 'Received' Header that we retrieve the IP address or domain name. Using this IP address, Active Whoisis able to look up additional information such as associated postal and email addresses. You can easily select and copy the IP address from the Outlook Internet Headers box by using CTRL-C to place it on the clipboard.
We are faced with an additional problem however. Email messages frequently contain more than one 'Received' Headers. How can we know which of these several Headers contains the originating IP address belonging to the sender? 'Received' Headers are appended to the front of the email message as it travels through the internet to your email inbox. The flow diagram below will show you how these 'Received' Headers are appended to the message as we travel backwards from the receiver to the sender:
There are other possible variations in email routing. Your Email Service Provider (or the provider of the sender) may use several 'pass-through' email servers and these servers can add several 'Received' Headers. Also, if you and the sender use the same server, the message will have only one 'Received' Header.
In this example, symbols such as %RNDDIGIT12 or %RNDLCCHAR15357 seem like instructions to a mass-mailer application to insert RaNDom CHARacters or DIGITS to confuse you as well as your anti-spam filter. In this case, the true sender IP could be in the first 'Received' Header, that is, the one that was inserted by your email service provider's email server, because most spammers send their messages directly to your mailbox without using any intermediate servers. In this case only one of the 'received' Headers can be the one we're looking for. Once we find it, we can conclude that all of the others are fake.
We may safely conclude that since there are often several 'Received' headers in an email message, servers deliver email using a 'chained' process. For that reason the sender indicated in the current 'Received' Header should always correspond directly to the server indicated in the previous Received' Header!
It is also useful to check the DNS of senders by using Active Whois. 'Received:' Headers with random domain names will never resolve to random IP addresses.
While viruses have not yet attained this level of deviousness, you can easily retrieve the IP address administrator email from Active Whois and quickly stem a new virus outbreak by warning the administrator that someone sent numerous viruses to you using his server.
Some additional facts in conclusion:
There is a useful Header: 'X-Mailer' that not only specifies the email program of the sender, but allows you to indicate what message was originally sent by the email bot, and whether this Header is currently missing from the message.
The email address of sender can be easily faked. The SMTP (Simple Mail Transfer Protocol) by which email is handled, allows this deception because it doesn't verify all Headers such as the 'From' Header that contains email address of sender.
Theory...
Email messages, as in the case of their non-electronic cousins, have "envelopes" of a sort. In the case of email the envelope is composed of a series of "Headers". These are just a series of lines of characters which precede the actual email message. Email programs such as Outlook do not normally display these Headers when displaying a message. From these Headers however, the email program is able to extract important information about the message, such as the message encoding method, the creation date, the message subject, the sender and receiver, etc.Moreover, just as a postal envelope contains an address, a return address and the cancellation stamp of the post office of origin, an email message in these "Headers" carries with it a history of its journey to your email inbox. Because of this, it's possible to determine the original IP address of the sender.
Since email programs do not normally display these Headers, we must first learn how to display them. Depending on the program, this is done in a variety of ways. The following sequence details the way to do this using the Windows default email program, "Outlook Express".
First, select "Properties" from the "File" Menu, or just press ALT+Enter. Next, select the "Details" tab.
| |
- Open a message.
- On the View menu, click Options.
Note:If you do not see the Options command, make sure you click View on the toolbar in an open message window. The View menu on the standard Outlook toolbar does not have the Options command. - The Header information appears under the Delivery options in the Internet Headers box.
Headers in MS Office
As you can see on these pictures, a Header consists of two sections separated by a colon ":". The first part is the Header's name. The second is the Header's data. In the case of postal mail, in principle, it is possible to write any kind of information (c/o, suite or apartment number, etc.) into the address information. Similarly email Headers can include any kind of information also. Usually however, an email Header will contain at least the following basic Header information:
| | |
To: | The name and email address of the recipient | To: "John Doe" <JohnDoe@hotmail.com> |
From: | The name and email address of the sender | From: "Alice Smith"<alice123@aol.com> |
Date: | Date the message was created | Date: 1 Nov 2004 22:49:20 -0000 |
Subject: | The subject of the message which follows the Headers | Subject: How are you? |
Return-Path: | The email address for responding to the message | Return-Path: <alice.smith@anydomain.com> |
Received: | Delivery stamp | Received: from [67.66.123.205] by web41013.mail.yahoo.com via HTTP; Sun, 25 Apr 2004 23:13:34 PDT |
To determine the address of origin, special attention must be paid to the 'Received:' Headers. These Headers are selected on our screenshot illustration. 'Received' Headers have the following format:
Sample:
Briefly this means that the server web41013.mail.yahoo.com received the message from the IP address 67.66.123.205 on the 25th of April 2004, at 11:13:34 pm PDT via the HTTP protocol (i.e. through the web). |
We are faced with an additional problem however. Email messages frequently contain more than one 'Received' Headers. How can we know which of these several Headers contains the originating IP address belonging to the sender? 'Received' Headers are appended to the front of the email message as it travels through the internet to your email inbox. The flow diagram below will show you how these 'Received' Headers are appended to the message as we travel backwards from the receiver to the sender:
The Recipient's mailbox receives his message from his POP3 or webmail server. No new 'Received' Header is added at this stage. | | |
The Recipient's email server (POP3, Yahoo, Hotmail, etc.) receives the email message from the original sender's server. (e.g. bay15.hotmail.msn.com)
| Received: from bay15.hotmail.com (HELO hotmail.com) (65.54.185.39) by mail2.aol.com with SMTP; 30 Sep 2004 02:27:02 -0000 | |
The sender's email server receives an email message from the sender's computer.
| Received: from 203.172.49.180 by bay15.hotmail.msn.com with HTTP; Thu, 30 Sep 2004 02:26:37 GMT | |
The Sender sends an email message to his own email server to begin its journey to the receiver. A common Headers strings is created. | From: "John Doe" <JohnDoe@hotmail.com> To: "Alice Smith"<alice123@aol.com> Subject: Nice meeting! Date: Thu, 30 Sep 2004 02:26:37 +0000 |
Practice... or tips for traps
Unfortunately there are those who for various reasons want to conceal their IP address from the message receiver. About 95% of Internet email is composed of spam, viruses and other types of illicit material. Most spammers use clever tricks to hide their true IP address. They can, for example, place fake 'Received' headers into the email headers. They might look something like the following: Received: from %RNDUCCHAR1524 (j236.128.26.76.%RNDLCCHAR15357.ti.yahoo.com 96.208.178.254) by mail08.t.yahoo.com (47.1.777akv719/%RNDDIGIT12.4.50) with SMTP id fwf54N4Wnto%RNDDIGIT15; Wed, 06 Oct 2004 09:22:39 +0500 |
We may safely conclude that since there are often several 'Received' headers in an email message, servers deliver email using a 'chained' process. For that reason the sender indicated in the current 'Received' Header should always correspond directly to the server indicated in the previous Received' Header!
It is also useful to check the DNS of senders by using Active Whois. 'Received:' Headers with random domain names will never resolve to random IP addresses.
While viruses have not yet attained this level of deviousness, you can easily retrieve the IP address administrator email from Active Whois and quickly stem a new virus outbreak by warning the administrator that someone sent numerous viruses to you using his server.
Some additional facts in conclusion:
There is a useful Header: 'X-Mailer' that not only specifies the email program of the sender, but allows you to indicate what message was originally sent by the email bot, and whether this Header is currently missing from the message.
The email address of sender can be easily faked. The SMTP (Simple Mail Transfer Protocol) by which email is handled, allows this deception because it doesn't verify all Headers such as the 'From' Header that contains email address of sender.
No comments:
Post a Comment