Tracking Source of Email


Basic Internet email uses protocols which do not validate the
originating source, so it is extremely easy to ‘spoof’. Anyone with a
small amount of technical knowledge, or possessing the right program,
can create and send an email that looks like it came from anywhere. You
could receive an email that looks like it is from your boss, your bank,
your friends, your family, even your congressman or the President, that
has been completely forged.


If you receive a forged email, harassing email, spam, etc. you can
track the origination IP address (an IP address is a unique number
assigned to each machine on a network) of the email by viewing the
complete headers of the email. Use your email client's help function
to determine how you can view the headers. In the example below we see
lots of information. The true origination IP address is usually found
in the last ‘Received’ line, the bottom-most one: each server that
handles the message adds its own Received line above the ones already
there, so the bottom line is the earliest hop. In this case it is
211.116.1.13.

Viewing Full Header - View message
Return-Path: <usenetbot+caf_xxxxx=fln8.com@gmail.com>
Received: from admin.virtupresence.com (root@localhost)
by fln8.com (8.11.6/8.11.6) with ESMTP id j5J4LJE02231
for <xxxxx@fln8.com>; Sun, 19 Jun 2005 00:21:19 -0400
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.207])
by admin.virtupresence.com (8.11.6/8.11.6) with ESMTP id j5J4LJo02227
for <xxxxx@fln8.com>; Sun, 19 Jun 2005 00:21:19 -0400
Received: by wproxy.gmail.com with SMTP id 67so260219wri
for <xxxxx@fln8.com>; Sat, 18 Jun 2005 21:24:02 -0700 (PDT)
Received: by 10.54.44.58 with SMTP id r58mr1874002wrr;
Sat, 18 Jun 2005 21:24:01 -0700 (PDT)
X-Forwarded-To: xxxxxx@fln8.com
X-Forwarded-For: xxxxxx@gmail.com xxxxxxh@fln8.com
X-Gmail-Received: 3b4bd820024fdcfe1c99f457354a4cd599bd5b53
Delivered-To: xxxxxx@gmail.com
Received: by 10.54.137.10 with SMTP id k10cs18002wrd;
Sat, 18 Jun 2005 21:24:01 -0700 (PDT)
Received: by 10.36.84.4 with SMTP id h4mr2347815nzb;
Sat, 18 Jun 2005 21:24:01 -0700 (PDT)
Received: from fln8.com ([216.194.68.129])
by mx.gmail.com with ESMTP id r1si697841nzd.2005.06.18.21.24.01;
Sat, 18 Jun 2005 21:24:01 -0700 (PDT)
Received-SPF: neutral (gmail.com: 216.194.68.129 is neither permitted nor denied by best guess record for domain of disregards@lipan.com)
Received: from admin.virtupresence.com (root@localhost)
by fln8.com (8.11.6/8.11.6) with ESMTP id j5J4LHU02223
for <xxxxxxx@fln8.com>; Sun, 19 Jun 2005 00:21:17 -0400
X-ClientAddr: 211.116.1.13
Received: from 211.116.1.13 ([211.116.1.13])
by admin.virtupresence.com (8.11.6/8.11.6) with SMTP id j5J4LFo02219
for <xxxxxxx@fln8.com>; Sun, 19 Jun 2005 00:21:16 -0400
Message-Id: <200506190421.j5J4LFo02219@admin.virtupresence.com>
From: <disregards@lipan.com>
To: <xxxxxxx@fln8.com>
Subject: =?utf-8?q??=
Date: Sun, 19 Jun 2005 12:23:23 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="2nHcKqYV87MheFLXwz0"

It is important to note that often the sender will try to cover up
their origination IP address by telling the email server that their
machine is some other machine. For example you would see:
Received: from myfakeaddress.com (10.1.5.1). The host name is whatever
the sending machine claimed when it connected; the IP address in the
brackets or parentheses is what the receiving server actually saw on
the connection, so pay attention to that address as it is the true IP
address.

Another important note is that if the IP address starts with 10. or
192.168. (private address ranges), look to the next ‘Received’ line up
for the origination information, as these addresses are used on
internal (LAN) networks and only indicate where the email originated
inside that network, not on the Internet (WAN).
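The procedure above (view the full headers, start at the bottom-most Received line, trust the bracketed address rather than the claimed name, and move up past internal addresses) is mechanical enough to script. The following Python is an added example, not code from the original post: it re-folds the post's own header dump as a constructed sample (continuation lines indented as a mail server writes them), adds a second constructed sample for the "myfakeaddress.com (10.1.5.1)" case, and walks the chain the way the post describes. The internal-range list is an assumption of this example (RFC 1918 plus loopback and link-local), as is the regular expression used to pick the recorded address out of each hop.

```python
import ipaddress
import re

# Constructed sample: the Received chain from the post's header dump, re-folded so that
# continuation lines start with whitespace as an MTA writes them. Other fields omitted.
PAGE_HEADERS = """Return-Path: <usenetbot+caf_xxxxx=fln8.com@gmail.com>
Received: from admin.virtupresence.com (root@localhost)
 by fln8.com (8.11.6/8.11.6) with ESMTP id j5J4LJE02231
 for <xxxxx@fln8.com>; Sun, 19 Jun 2005 00:21:19 -0400
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.207])
 by admin.virtupresence.com (8.11.6/8.11.6) with ESMTP id j5J4LJo02227
 for <xxxxx@fln8.com>; Sun, 19 Jun 2005 00:21:19 -0400
Received: by wproxy.gmail.com with SMTP id 67so260219wri
 for <xxxxx@fln8.com>; Sat, 18 Jun 2005 21:24:02 -0700 (PDT)
Received: by 10.54.44.58 with SMTP id r58mr1874002wrr;
 Sat, 18 Jun 2005 21:24:01 -0700 (PDT)
Received: by 10.54.137.10 with SMTP id k10cs18002wrd;
 Sat, 18 Jun 2005 21:24:01 -0700 (PDT)
Received: by 10.36.84.4 with SMTP id h4mr2347815nzb;
 Sat, 18 Jun 2005 21:24:01 -0700 (PDT)
Received: from fln8.com ([216.194.68.129])
 by mx.gmail.com with ESMTP id r1si697841nzd.2005.06.18.21.24.01;
 Sat, 18 Jun 2005 21:24:01 -0700 (PDT)
Received: from admin.virtupresence.com (root@localhost)
 by fln8.com (8.11.6/8.11.6) with ESMTP id j5J4LHU02223
 for <xxxxxxx@fln8.com>; Sun, 19 Jun 2005 00:21:17 -0400
X-ClientAddr: 211.116.1.13
Received: from 211.116.1.13 ([211.116.1.13])
 by admin.virtupresence.com (8.11.6/8.11.6) with SMTP id j5J4LFo02219
 for <xxxxxxx@fln8.com>; Sun, 19 Jun 2005 00:21:16 -0400
From: <disregards@lipan.com>
"""

# Constructed sample for the post's "fake name, private address" case: the bottom hop
# claims to be myfakeaddress.com but was recorded from 10.1.5.1, so the hop above it
# (a made-up relay at 203.0.113.45) is the real origin on the Internet.
SPOOFED_SAMPLE = """Received: from mx.example.org (mx.example.org [203.0.113.45])
 by mail.example.com (Postfix) with ESMTP id 4F2A1
 for <victim@example.com>; Mon, 20 Jun 2005 10:00:00 -0400
Received: from myfakeaddress.com (10.1.5.1)
 by mx.example.org with SMTP id 9C3B2
 for <victim@example.com>; Mon, 20 Jun 2005 09:59:58 -0400
From: <someone@example.net>
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The address the receiving server recorded, in [brackets] or, as in the post's example, (parens).
RECORDED_IP = re.compile(r"[\[(]\s*(" + IPV4 + r")\s*[\])]")
# Assumed "internal" ranges for the skip rule: RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def unfold_headers(raw):
    """Split a raw header block into (name, value) pairs, joining folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:          # continuation of the previous header
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def is_internal(ip):
    """True if the address is unusable as an Internet origin (private, loopback, or garbage)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw):
    """Received headers top to bottom as (claimed_host, recorded_ip, internal) triples.
    claimed_host is what the connecting machine said about itself; recorded_ip is what the
    receiving server saw on the connection. 'Received: by ...' lines carry no from-clause."""
    hops = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        m = re.match(r"from\s+(\S+)(.*?)(?:\s+by\s|$)", value, re.IGNORECASE)
        if not m:
            hops.append((None, None, True))
            continue
        ipm = RECORDED_IP.search(m.group(2))
        ip = ipm.group(1) if ipm else None
        hops.append((m.group(1), ip, ip is None or is_internal(ip)))
    return hops


def origin_ip(raw):
    """Walk the chain from the bottom (earliest hop) upward and return the first recorded
    address that is not an internal range, as the post's procedure does by hand."""
    for _claimed, ip, internal in reversed(received_hops(raw)):
        if not internal:
            return ip
    return None


if __name__ == "__main__":
    for label, raw in (("post sample", PAGE_HEADERS), ("spoofed name sample", SPOOFED_SAMPLE)):
        print(label, "->", origin_ip(raw))
```

Only the address the receiving server recorded is trusted; the name before it and any Received lines the sender typed into the message body before handing it over cannot be verified, which is why the walk starts at the bottom and stops at the first hop recorded by a server you have reason to trust.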

Now that you have found the IP address you will want to locate which
company ‘owns’ that particular IP address. You can do a ‘whois’ lookup
to find the owner. There are many sites that provide this type of
information. In North America the authority that keeps records of and
assigns IP addresses is ARIN, the American Registry for Internet Numbers.

I did a query using the IP address tool on computer-forensic-technician.com and found this information:

[Redirected to whois.apnic.net]
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      211.116.0.0 - 211.116.63.255
netname:      BORANET-NET-211-116
descr:        DACOM Corp.
descr:        Facility-based Telecommunication Service Provider
descr:        providing Internet leased-ine, on-line service, BLL etc.
country:      KR
admin-c:      DB50-AP
tech-c:       DB50-AP
mnt-by:       APNIC-HM
mnt-lower:    MNT-KRNIC-AP
changed:      hm-changed@apnic.net 20021202
status:       ALLOCATED PORTABLE
source:       APNIC

role:         DACOM BORANET
address:      DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku, Seoul
country:      KR
phone:        +82-2-2089-7755
fax-no:       +82-2-2089-0706
e-mail:       ipadm@nic.bora.net
e-mail:       abuse@bora.net
e-mail:       security@bora.net
admin-c:      EC115-AP
tech-c:       SIJ1-AP
nic-hdl:      DB50-AP
mnt-by:       MNT-KRNIC-AP
remarks:      IP address administrator group of NIC team, DACOM Corp.
remarks:      If related with spam, send mail to abuse@bora.net
remarks:      If related with security, send mail to security@bora.net
remarks:      Only for whois information correction, send mail to ipadm@nic.bora.net
changed:      jeonsi@bora.net 20041105
source:       APNIC

From this information I found the abuse address abuse@bora.net and
could send an email to that person to complain about the spam email I
received. If the email was threatening, harassing, or requested banking
information (phishing) you can contact your local law enforcement
agency and/or F.B.I. field office for assistance.
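Picking the abuse contact out of a whois response is the last step of the procedure, and registry output in this RPSL style (blank-line separated objects of "attribute: value" lines, with "%" comment lines) is easy to parse. The Python below is an added example, not code from the post or from any whois tool: it uses a trimmed copy of the APNIC response quoted above as a constructed sample, splits it into objects, and selects the abuse mailbox by the rules a practitioner would apply (an explicit abuse-mailbox attribute first, then an e-mail whose local part is "abuse", then any address named in a remark about spam or abuse). The selection rules and the helper names are this example's own assumptions.

```python
import re

# Constructed sample: the APNIC response quoted in the post, trimmed to the fields used here.
WHOIS_RESPONSE = """% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      211.116.0.0 - 211.116.63.255
netname:      BORANET-NET-211-116
descr:        DACOM Corp.
country:      KR
admin-c:      DB50-AP
tech-c:       DB50-AP
source:       APNIC

role:         DACOM BORANET
address:      DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku, Seoul
e-mail:       ipadm@nic.bora.net
e-mail:       abuse@bora.net
e-mail:       security@bora.net
nic-hdl:      DB50-AP
remarks:      If related with spam, send mail to abuse@bora.net
remarks:      If related with security, send mail to security@bora.net
source:       APNIC
"""

EMAIL = re.compile(r"[\w.+-]+@[\w.-]+")


def parse_whois(text):
    """Split RPSL-style whois output into objects (separated by blank lines). Each object is a
    dict mapping a lower-cased attribute name to the list of its values; '%' comments are dropped."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def netblock(objects):
    """The allocation the queried address falls in, as (inetnum range, netname, country)."""
    for obj in objects:
        if "inetnum" in obj:
            return (obj["inetnum"][0], obj.get("netname", [""])[0], obj.get("country", [""])[0])
    return None


def abuse_contacts(objects):
    """Candidate abuse addresses in order of preference, without duplicates: an explicit
    abuse-mailbox attribute, then e-mail values starting with 'abuse@', then any address
    named in a remark that mentions spam or abuse."""
    found = []
    for obj in objects:
        found += obj.get("abuse-mailbox", [])
        found += [a for a in obj.get("e-mail", []) if a.lower().startswith("abuse@")]
        for remark in obj.get("remarks", []):
            if re.search(r"\b(spam|abuse)\b", remark, re.IGNORECASE):
                found += EMAIL.findall(remark)
    unique = []
    for addr in found:
        if addr not in unique:
            unique.append(addr)
    return unique


if __name__ == "__main__":
    objs = parse_whois(WHOIS_RESPONSE)
    print("netblock:", netblock(objs))
    print("report abuse to:", abuse_contacts(objs))
```

The network query itself is left out so the example runs offline; the same parser applies to the output of a command-line whois client, since the registries return the same attribute-colon-value format.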


APA Citation:
Smith, Nathan. M. (2005). Tracking Source of Email.
Retrieved September 8, 2008, from http://www.computer-forensic-technician.com/wordpress/tracking-source-of-email/.


