E-Mail Tracks
A couple of years ago, an organization approached me with an interesting dilemma. One of their employees (let’s call him “Steve”) had taken a vehicle and run off. They were desperate to find him to help him out of the trouble that he had gotten himself into.
The next day, the police found the vehicle about 400 miles away where it had broken down. They believed that he was somewhere in the vicinity and were concentrating their search in that area. They looked for three days without any luck.
Then, this organization got lucky. The CEO received an e-mail from Steve, apologizing for all the trouble that he had caused. Steve had used a Hotmail account that he could access from anywhere to send the e-mail, and he indicated that he would be checking this e-mail account for the next couple of days if we wanted to “talk” with him.
It was at this point that I was called in. Everyone was sure in for a surprise!
The CEO asked me to take a look at the e-mail and see if there was a way I could determine where “Steve” was sending the e-mail from. I immediately went to work.
I was about 30 seconds into my investigation when the CEO came to me with a puzzled look. “Aren’t you going to read the e-mail? All I see is gibberish on the screen! How’s that going to help us?”
I responded, “This ‘gibberish’ is called an e-mail header and it is the equivalent to a GPS trail for the e-mail. It tells the computer, and me, every single system that it went through to get to your computer here. I can then cross-reference this information with registration information on the Internet. I should be able to tell you what city Steve is located in, the Internet provider for the place that he sent the e-mail from, and when he was at that location.”
Sure enough, it took me about two minutes to discover that Steve was nowhere near where he abandoned the car. Rather, he was more than 1,500 miles from that location, half a country away! I provided the information to the police and they got the address from the Internet provider. Within a couple of hours, a worker had positively identified Steve and the process of helping him could now begin.
All because Steve sent an e-mail.
The Importance of Headers
What I had done was really not that difficult. In fact, it is really common practice. The key to doing this is understanding the contents of an e-mail header.
The e-mail header provides all of the technical information that was required to get the message to your inbox. It is built up as the message travels through the Internet. By the time it gets to you, it is full of information that gives a pretty good history of the route the message took.
I’m not going to go through a comprehensive guide on how a header works and all the possible options that are available to the user, but I will point you to a couple of really good web pages. Reading Email Headers talks in more detail about deciphering the contents of an e-mail header, and Permanent Message Header Field Names is a great resource for everything that may be in an e-mail header.
The important headers to be looking at are:
- Received - This is probably the most useful header in the entire bunch. This tells you the system that received the e-mail and the system that sent the e-mail. There may be several of these headers, depending on the number of systems the e-mail needed to go through. It also has a number of subfields that help to provide specific information:
  - from - The name and/or the IP address of the system that sent the message during the transaction.
  - by - The name and/or the IP address of the system that received the message during the transaction.
  - for - This tells you who the e-mail is for. But, more importantly, it tells you the time that this transaction occurred. This helps you to confirm the path the e-mail took.
- From - This is the e-mail address that sent the message.
- Reply-To - This is the e-mail address that would receive the response if you hit Reply in your e-mail program.
One thing to note is that e-mail header Received information is generally in reverse chronological order. That means that the last transaction to occur is the first one in the header. This can be confusing because within the transaction itself, the from and by subfields are listed in chronological order of receiving the e-mail.
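As an added example (this is not code from the original post), here is a small Python script that parses the Received headers of a constructed sample message, puts the hops back into chronological order, pulls the IP address out of each from clause, and marks which hops were written by your own servers, since everything the sender's side added can be forged. It also reads the provider-added X-Originating-IP header that webmail services such as Hotmail inserted at the time. All host names and addresses in the sample are invented.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers, not the e-mail from the post; hosts are invented
# and the addresses come from documentation/private ranges.
RAW_MESSAGE = """\
Received: from mx1.example-corp.test (mx1.example-corp.test [192.0.2.10])
\tby mail.example-corp.test with ESMTP id 7f3a2;
\tWed, 13 Jun 2007 14:12:09 -0500
Received: from webmail-out.example-mail.test ([198.51.100.25])
\tby mx1.example-corp.test with ESMTP;
\tWed, 13 Jun 2007 14:11:58 -0500
Received: from [10.20.30.40] by webmail-out.example-mail.test with HTTP;
\tWed, 13 Jun 2007 14:11:40 -0500
X-Originating-IP: [203.0.113.77]
From: steve@example-mail.test
"""

HOP_RE = re.compile(r"^from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    """One Received header -> {from, by, ip, time}, or None if unparseable."""
    value = " ".join(value.split())           # unfold continuation lines
    head, _, stamp = value.rpartition(";")    # the time stamp follows the last ';'
    m = HOP_RE.match(head)
    if not m:
        return None
    ip = IP_RE.search(head[: m.start("by")])  # first IP in the 'from' part
    return {"from": m["from"], "by": m["by"], "ip": ip and ip.group(1),
            "time": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None}

def trace(raw, trusted_suffix):
    """Hops oldest-first (the header lists the newest first, so we reverse). A hop
    is verified only if 'by' is one of our own servers; earlier hops can be forged."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()
    for h in hops:
        h["verified"] = h["by"].endswith(trusted_suffix)
    return hops

def originating_ip(raw):  # provider-added header (Hotmail added it in 2007)
    value = message_from_string(raw).get("X-Originating-IP")
    return value.strip().strip("[]") if value else None

if __name__ == "__main__":  # print the chronological trail
    for hop in trace(RAW_MESSAGE, ".example-corp.test"):
        print(hop["verified"], hop["time"], hop["from"], "->", hop["by"], hop["ip"])
```

Only the hops flagged as verified were recorded by a server you control; the unverified ones, and any X-Originating-IP value, are claims made by someone else's systems and should be checked against the provider before acting on them.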
Useful Online Tools
What I would rather do is provide you with some quick tools that can help you track the e-mail to its origins quickly.
- Email Graphic Traceroute - A very useful and easy to use tool. Simply paste your header into the web page and it will generate a Google map mashup showing you exactly where the e-mail has gone.
- Geobytes Free Services - A huge list of useful free services that all rely on being able to associate an IP address to a physical location. These services include:
- DNS Report - A very comprehensive look at a specific domain name. Also provides an option to check an e-mail address.
- Network Tools - A lot of very useful IP and DNS tools including:
  - ping
  - lookup
  - trace route
  - whois
Conclusion
To track the average user’s e-mail is a relatively easy process. It can be very useful when you need to figure out where someone is located.
But, be cautioned. It is also relatively trivial for someone who understands how mail systems work to fake almost every header option. So be sure you know who you are tracking first unless you want to become the tracked!
10 Responses to “E-Mail Tracks”
Technology At Hand Says:
November 30th, 1999 at 12:00 am
E-Mail could be tracked using the Email Header. I tried to understand this thing and stopspam.org helps a lot also to understand how it can be done. You can also see some useful information regarding the anatomy of the email.
The Fieldhouse Says:
November 30th, 1999 at 12:00 am
up security week, I thought that I would just highlight some of the security related articles that I have written in the past so that you may stumble on something interesting that you may not have read before: FOSS for Security; Protect Your USB Drives NOW!; E-Mail Tracks; Security Is About Being Unattractive; I Think I Have A Virus: Now What?; Tech Blog of the Week: Schneier on Security; A More Secure Home WiFi Design; The Anatomy of a Virus; High End Router, Low End Hardware; Remotely Accessing Computers
JoeAtTrends Says:
June 13th, 2007 at 3:49 pm
I found the X-Originating-IP header element the most helpful in finding the true location of a hotmail email I sent myself. This appears to be added by hotmail itself before the mail is sent from its servers (found in Redmond, WA of course). I am not certain but I have found similar things in html headers too; I think X is used to prefix a custom header name that is added by the program in control of it at the time (AIM used this in the AIM Today window back when it had one, to send the user information and various program information to websites).
Could Hotmail be tricked though, by proxies? I know they aren’t always guaranteed to hide your ip, but if he took the time could he have gotten away?
John May Says:
June 13th, 2007 at 5:25 pm
In order to track “Steve” down to an ISP, wouldn’t you have to contact Hotmail and have them tell you the IP he logged into the Hotmail account from? Otherwise, all you would be able to do is tell that he used a Hotmail account and at what time.
Tim Fehlman Says:
June 13th, 2007 at 7:45 pm
John May,
One of the header fields contains the public IP address of the network gateway used by the system. This is traceable to an ISP and the time stamp provides a way for the ISP to determine an address.
Tim
Tim Fehlman Says:
June 13th, 2007 at 7:54 pm
JoeAtTrends,
It is definitely possible to trick a mail server into thinking that you are coming from somewhere else. Some ideas off the top of my head include:
1) Running through the tor network
2) Remotely controlling a system from a different location
3) Spoofing the headers
This is why this will only work on an average user. Any truly technical person worth their salt should be able to hide themselves when sending e-mail.
Tim
Butterfat Says:
June 14th, 2007 at 8:33 pm
Wow, did you use the “email graphic traceroute” to trace “Steve”? It’s just a toy.
ThomasT Says:
June 18th, 2007 at 2:13 pm
As Joe sort of points out, the story you relate has little to do with the (still interesting) details of standard mail headers and tracking through Received: headers.
The IP address of the machine (or its gateway) that Steve connected to Hotmail from was in a non-standard header (yes, X-headers are non-standard but permitted extended headers placed by mail clients or servers) that Hotmail inserts into the message, and that’s what allowed you to solve the puzzle, not the Received: headers, right? There is nothing in the mail standards that requires the Received: headers to give away the user’s IP address, and for many Web mail systems, it wouldn’t be there.
Neither AOL, Yahoo nor Gmail puts the sending user’s IP address into the headers, so a totally average user of those services would be essentially impossible to track down without the cooperation of the mail service (which almost certainly logs IPs, but doesn’t give them up easily).
Daily Cup of Tech » E-Mail Tracks Says:
July 4th, 2007 at 8:47 pm
[…] E-Mail Tracks Trackback Categories: System Administration, Support, Security Posted on Wednesday, June 13, 2007 by Tim Fehlman […]
How E-mail being track « DM2K Says:
January 8th, 2008 at 4:05 am
[…] track the location of the e-mail. Until I found out a post from Daily Cup of Tech that E-Mail could be tracked using the Email Header. I tried to understand this thing and stopspam.org helps a lot also to […]

