Here I discuss how to trace an email sender from the email header. I take my MSN account as an example. In some cases, you may want to know the origin of some e-mails:
-> When you are suspicious of a particular e-mail.
-> When a friend asks you about an e-mail you never sent. There are two possible explanations: (1) your computer has been hijacked by nasty viruses/worms and sent out e-mails without your knowledge; (2) somebody else used your e-mail address for the e-mails he/she sent. Whatever the case is, you want to know the truth.
-> Someone contacts you with a job offer, and before you proceed any further, you may need to know more about this person.
This short tutorial explains the basics of how the e-mail system works and how to use this knowledge to trace e-mails. Tracing an e-mail is not as hard as you might think. Let's see how it works.
Viewing Email Header
Every e-mail comes with information attached to it that tells the recipient its history. This information is called the header. The full header travels with every e-mail and contains the information essential to tracing it. The main components to look for in the header are the lines beginning with "From:" and "Received:". However, it is instructive to look at what the other lines in the header mean.
Some e-mail programs, like Yahoo or Hotmail, hide the full headers by default. In order to view the full header, you must specifically turn on that option. Some ways of doing this in different e-mail programs follow here:
Viewing full Header in Yahoo and Hotmail
Yahoo
Click Options -> Click Mail Preferences -> Click Show Headers -> Click "All" -> Click "Save"
Hotmail
Click Options -> Click Mail Display Headings (under "Additional Options") -> Click Message Headers -> Click "Full" -> Click "OK"
Viewing full Header in Email Clients (Outlook, Eudora, etc.)
Outlook Express: If you use OE, at least the version I have (5.5), you may not have much luck; it sometimes gives little more information than what you can see in the main window. But here's the application path anyway: Click File/Properties/Details to find the header information.

Outlook: First, highlight the email in your Incoming window, right-click on it, and select Options. The window that comes up will have the headers at the bottom.

Eudora: Be sure the message is open, then click the 'Blah, Blah, Blah' button on the Tool Bar, and the headers will appear.

Pegasus: Select Reader/Show All Headers/

Netscape Mail: Select Options/Headers/Show All Headers
Netscape Messenger 4.0 and 4.5: Select View/Headers/All

Now I will discuss the full header in detail:

Headers Created by Sending E-mail Client.
Sender e-mail client software may create some of these headers:
Date: Original sending date
From: Author(s) of the message
Sender: Actual submitter of the message
To: Primary destination
Cc: Secondary destination (Carbon Copy)
Bcc: Blind Carbon Copy. Same as Cc, but e-mail addresses listed here are not forwarded to each recipient.
Reply-To: Address to reply to. The default reply-to address is From (reply-to-author). However, you may specify a different address to reply to.
Message-Id: A unique identifier for each message. Message-Ids are provided by the sender e-mail client or the sender MTA. Often a message is a response to a previous message; that message's Message-Id is then the identifier used in the References and In-Reply-To headers.
Organization: Organization the sender is affiliated with.
Subject: Subject or summary of the message.
In-Reply-To: Message-Ids of the parent (previous) messages.
References: Message-Ids of other correspondences.
MIME-Version: Version of the Internet message body format standard in use. MIME stands for Multipurpose Internet Mail Extensions.
Content-Type: MIME type of the content used in the message body. Some common values are: text/plain, text/html, text/xml, text/enhanced, image/jpeg, image/gif, audio/basic, audio/au, video/mpeg, application/octet-stream, application/postscript, application/ms-word, application/ms-excel, application/rtf, multipart/mixed, multipart/alternative, multipart/parallel, multipart/related, message/rfc822, message/external-body.
Content-Transfer-Encoding: MIME encoding used to represent data in a message for transfer using a mail transport protocol. Common values include the following:
  7bit - Message contains 7-bit un-encoded US-ASCII data (Default).
  8bit - Message contains 8-bit un-encoded data.
  binary - Message contains an un-encoded octet stream.
  quoted-printable - Message contents transformed to 7-bit US-ASCII using the quoted-printable encoding algorithm.
  base64 - Message contents transformed to 7-bit US-ASCII using the Base64 encoding algorithm.
Disposition-Notification-To: Indicates that the sender wants a disposition notification when this message is received by its recipients.
Keyword: Rarely used.
Comments: Rarely used.
Resent-*: Headers with the prefix Resent- are for forwarded messages.
X-*: All headers that start with X- are additional features that have not yet made it into the standard.
X-Mailer: Information about the sender e-mail client software.
X-Priority: Priority of the message. Values: 1 (Highest), 2 (High), 3 (Normal), 4 (Low), 5 (Lowest). 3 (Normal) is the default if the field is omitted.
Headers Created by Mail Transfer Agent (MTA).
An MTA may create one or more of these headers:
Received: This is the most important header created by an MTA. The most used format for this field is:
  Received: from * by * with * id * for *; timestamp
  from *: sending host
  by *: receiving host
  with *: link/mail protocol
  id *: Message-Id generated or copied by the MTA
  for *: destination in the field To
Return-Path: It shows the return path of the message, i.e., the address that bounces will be sent to. The final MTA should insert a Return-Path header containing the envelope sender address when the e-mail arrives at its final destination. Most MTAs insert the sender address in Return-Path.
Apparently-To: Rarely inserted by an MTA, when there is no 'To:' recipient in the original message. Some mailing list hosts insert X-Apparently-To into the mails delivered to members of mailing lists.
Mailing-List: Mailing List ID or Name. Non-standard. Other mailing-list related headers may follow this header.
Delivered-To: Used mostly for loop detection by many mailing-list hosts and autoresponders.
Headers Created by Mail Delivery Agent (MDA).
Besides MTA headers above, some MDAs may have anti-spam or anti-virus features in their system. These systems may add some specific headers to an e-mail.
Let's trace e-mails
Below is a sample of an e-mail header.
MIME-Version: 1.0
Received: from rwcrmhc11.comcast.net ([204.127.198.35]) by mc7-f12.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 25 Nov 2003 19:56:18 -0800
Received: from pavilion (pcp03530790pcs.mnhwkn01.nj.comcast.net[68.37.24.150]) by comcast.net (rwcrmhc11) with SMTP id <20031126034457013001nk6pe>; Wed, 26 Nov 2003 03:44:57 +0000
X-Message-Info: JGTYoYF78jGkTvdOiviUvHyY85nt7iLD
Message-ID: <000801c3b3cf$a92237a0$96182544 @ mnhwkn01.nj.comcast.net>
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Disposition-Notification-To: "Leona" <leona6256 @ comcast.net>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Return-Path: leona6256 @ comcast.net
X-OriginalArrivalTime: 26 Nov 2003 03:56:18.0897 (UTC) FILETIME=[3F5AFC10:01C3B3D1]
Let me strip down the above email header to make it easier to understand. The header is split up and the two Received headers are given below.
Received Header 1: 204.127.198.35 - Tue, 25 Nov 2003 19:56:18 -0800 from rwcrmhc11.comcast.net ([204.127.198.35]) by mc7-f12.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713)
Received Header 2: 68.37.24.150 - Wed, 26 Nov 2003 03:44:57 +0000 from pavilion (pcp03530790pcs.mnhwkn01.nj.comcast.net[68.37.24.150]) by comcast.net (rwcrmhc11) with SMTP id <20031126034457013001nk6pe>
The MTAs are "stamped" on the e-mail's header so that the most recent MTA is listed at the top of the header and the first MTA through which the e-mail passed is listed at the bottom of the header. In the above sample e-mail header, the e-mail first passed through 68.37.24.150 (pcp03530790pcs.mnhwkn01.nj.comcast.net), and at last made its way through 204.127.198.35 (rwcrmhc11.comcast.net).
In Received Header 2, the name "pavilion" is either the domain name of the server from which the email originated or the name of the computer from which the email was sent. By doing a DNS query for "pavilion", it is confirmed that it is not a known host name; hence, it must be the name of the computer from which the mail originated. "68.37.24.150" is the IP address from which the mail might have originated, or it is the IP address of the ISP (Internet Service Provider) to which the user was logged on while sending the mail.
Note: Correct me if I am wrong, most of the time "HELO" is prefixed to the system name from which the mail has originated, but its accuracy is not reliable.
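The reading of the Received chain described above can be done mechanically. The following is an added example, not part of the original tutorial: it parses the two Received headers of the sample, lists the hops oldest first, and marks a "from" name that is not a dotted host name. The function names are chosen for this example, and it assumes every Received line ends with "; date".

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed input: the two Received headers of the sample above, refolded.
SAMPLE = """\
Received: from rwcrmhc11.comcast.net ([204.127.198.35])
 by mc7-f12.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713);
 Tue, 25 Nov 2003 19:56:18 -0800
Received: from pavilion (pcp03530790pcs.mnhwkn01.nj.comcast.net[68.37.24.150])
 by comcast.net (rwcrmhc11) with SMTP id <20031126034457013001nk6pe>;
 Wed, 26 Nov 2003 03:44:57 +0000
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\((.*?)\)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace_hops(raw_headers):
    """Return the relay hops oldest first (each MTA prepends its line)."""
    hops = []
    received = message_from_string(raw_headers).get_all("Received", [])
    for value in reversed(received):
        flat = " ".join(value.split())         # unfold continuation lines
        info, _, stamp = flat.rpartition(";")  # the date follows the last ';'
        m = HOP_RE.search(info)
        ip = IP_RE.search(m.group(2)) if m else None
        hops.append({
            "helo": m.group(1) if m else None,  # name the sender announced
            "ip": ip.group(1) if ip else None,  # address the receiver logged
            "by": m.group(3) if m else None,    # receiving host
            "time": parsedate_to_datetime(stamp.strip()),
            # A bare name such as "pavilion" is a machine name, not a DNS host.
            "helo_is_fqdn": bool(m) and "." in m.group(1),
        })
    return hops

def hop_delays(hops):
    """Seconds between consecutive hops; negative means clock skew or a forged line."""
    return [(b["time"] - a["time"]).total_seconds() for a, b in zip(hops, hops[1:])]

if __name__ == "__main__":
    hops = trace_hops(SAMPLE)
    for h in hops:
        print(h["time"].isoformat(), h["ip"], h["helo"], "->", h["by"])
    print("delays (s):", hop_delays(hops))
```

Comparing the timestamps in UTC also gives the exact time to quote when asking the owner of the IP address to check their logs.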

Trace who owns the IP address
Every computer connected to the Internet is assigned an IP address. Individual users receive a dynamic IP address when they log on to an ISP to access the Internet. These IP addresses are assigned by the ISP itself. Organizations usually possess static/public IP addresses, which are stored in the databases of the registries.
There are three major registries covering different parts of the world. They are
www.arin.net => American Registry of Internet Numbers (ARIN) : It assigns IP addresses for the Americas and for sub-Saharan Africa.
www.apnic.net => Asia Pacific Network Information Centre (APNIC) : It covers Asia
www.ripe.net => Réseaux IP Européens (RIPE NCC) : It covers Europe
Thus, to find out which organization owns a particular IP address, you can make a "WHOIS" query in the database at any of these registries. You do this by typing the IP address into the "WHOIS" box that appears on each of these websites.
The "Received" header will have the IP address of the ISP if the user dialed up to the ISP while sending the email. But if the user sent the email from within a corporate network, then the corporate public/static IP address is logged.
A "WHOIS" query for 68.37.24.150 at www.arin.net displays the following result:
Comcast Cable Communications, Inc. JUMPSTART-1 (NET-68-32-0-0-1) 68.32.0.0 - 68.63.255.255
Comcast Cable Communications, Inc. NJ-NORTH-14 (NET-68-37-16-0-1) 68.37.16.0 - 68.37.31.255
# ARIN WHOIS database, last updated 2004-02-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
From the above queries it is found that the IP address (68.37.24.150) is owned by "Comcast". By making further queries on "Comcast" it is found that it is the name of an ISP located in NJ, US - 08002. The result of the further query is given below:
OrgName: Comcast Cable Communications, Inc.
OrgID: CMCS
Address: 3 Executive Campus
Address: 5th Floor
City: Cherry Hill
StateProv: NJ
PostalCode: 08002
Country: US

NetRange: 68.32.0.0 - 68.63.255.255
CIDR: 68.32.0.0/11
NetName: JUMPSTART-1
NetHandle: NET-68-32-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: DNS01.JDC01.PA.COMCAST.NET
NameServer: DNS02.JDC01.PA.COMCAST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-11-29
Updated: 2003-11-05

TechHandle: IC161-ARIN
TechName: Comcast Cable Communications Inc
TechPhone: +1-856-317-7200
TechEmail: cips_ip-registration @ cable.comcast.com

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail: abuse @ comcast.net

OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200
OrgTechEmail: cips_ip-registration @ cable.comcast.com

# ARIN WHOIS database, last updated 2004-02-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
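The first ARIN result above lists two nested ranges for the same address. The following added example (not part of the original tutorial; the function names are chosen here) parses those two result lines, converts each range to CIDR notation, and picks the narrowest range that contains the traced IP address, which is the one that identifies the regional allocation.

```python
import ipaddress
import re

# Constructed input: the two result lines of the ARIN query above.
WHOIS_SUMMARY = """\
Comcast Cable Communications, Inc. JUMPSTART-1 (NET-68-32-0-0-1) 68.32.0.0 - 68.63.255.255
Comcast Cable Communications, Inc. NJ-NORTH-14 (NET-68-37-16-0-1) 68.37.16.0 - 68.37.31.255
"""

# NetName, (NetHandle), first address - last address
LINE_RE = re.compile(
    r"(\S+)\s+\((NET-[\d-]+)\)\s+(\d+\.\d+\.\d+\.\d+)\s+-\s+(\d+\.\d+\.\d+\.\d+)"
)

def parse_netblocks(text):
    """Turn each 'name (handle) first - last' line into a netblock record."""
    blocks = []
    for m in LINE_RE.finditer(text):
        first = ipaddress.ip_address(m.group(3))
        last = ipaddress.ip_address(m.group(4))
        blocks.append({
            "name": m.group(1),
            "handle": m.group(2),
            "first": first,
            "last": last,
            # A range may need more than one CIDR prefix to be covered exactly.
            "cidrs": list(ipaddress.summarize_address_range(first, last)),
        })
    return blocks

def most_specific(blocks, ip):
    """Return the smallest netblock containing ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    hits = [b for b in blocks if b["first"] <= addr <= b["last"]]
    return min(hits, key=lambda b: int(b["last"]) - int(b["first"]), default=None)

if __name__ == "__main__":
    best = most_specific(parse_netblocks(WHOIS_SUMMARY), "68.37.24.150")
    print(best["name"], best["handle"], [str(c) for c in best["cidrs"]])
```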
Now since the IP address found belongs to an ISP, it is clear that the sender dialed up to this ISP while sending the email. For further enquiry we can then request the ISP to provide us with details of the user who was dialed up to them at that given point of time (Wed, 26 Nov 2003 03:44:57 +0000). If the ISP cooperates, they will check their user and message logs to see who was logged into that particular IP address at that time and date. This will reveal the telephone number from which the sender dialed in to the ISP. Once we have the telephone number we can easily retrieve the name and address of the sender.
Now the above case is solved but there are also other cases where the IP address found on the email header may be owned by an organisation or a cyber cafe. Below I have discussed how you can trace the sender in both of these cases.
Case 1: THE IP ADDRESS OWNED BY AN ORGANISATION
If the IP address found belongs to an organisation, then you have to request them to provide information about the user who sent the mail from within the organisation's network. They must have user and message logs on their firewall / proxy and can trace each of their computers connected at the given point of time. By supplying the organisation with the e-mail header of the offending e-mail, they can check these logs and hopefully produce information about the user of that machine.
Case 2: THE IP ADDRESS OWNED BY A CYBER-CAFE
If it is found that the sender sent the email from a cyber-cafe, then it becomes a difficult task to trace him/her. The user may not be a frequent visitor to that cyber-cafe. But let's assume that you receive such mails frequently from that particular cyber-cafe; then you can install "key-loggers" on the computers at the cafe. These programs record the user's keystrokes, thus creating a record of everything that was typed at a particular terminal. By reviewing the key-logger logs you may be able to trace the sender in this case.