
E-mail Tracing & Tracking

The following is from the FAQ titled "Figuring Out Fake Email & Posts" (189KB) from the alt.spam USENET group which deals with tracking down spammers. It is only one section, titled "Tracing An Email Message," and is included here as an extension to the page on how to Find Email Addresses. Only the format has been altered.

To trace the email you have to look at the header. Most mail readers do not show the header because it contains information that is for computer to computer routing. The information you usually see from the header is the subject, date and the "From" / "Return" address. About the only thing in an email header that can't be faked is the "Received" portion referencing your computer (the last received).

You will need to take a look at the headers on the message as follows (Thanks to Michael, Piers and others) :

Claris E-Mailer - under Mail select Show Long Headers.

Eudora (before ver. 3) - Select Tools , Options... , then Fonts & Display then Show all headers.

Eudora (ver. 3.x, 4.x IBM or Macintosh) - Press the BLAH button on the incoming mail message.

HotMail - To expose the full message header, click "Options" on the Hotmail Navigation Bar on the left side of the page. On the Options page, click "Preferences." Scroll down to "Message Headers" and select "Full."

For Lotus Notes 4.6.x - From the menu bar, select Actions, then Delivery Information. Copy the information from the bottom box into your email report at the top of the spam.

For Lotus Notes R5 - From the menu bar, select Actions, then Tools, then Delivery Information. Copy the information from the bottom box into your email report at the top of the spam.

MS Outlook - Double click on the email in your inbox. This will bring the message into a window. Click on View - Options. You can also open a message then choose File....Properties....Details.

MS Outlook Express - Alt-Enter, or Alt-F then R.

MS Outlook Express - more detailed: to view, copy and send headers in Outlook Express:
  1. Press CTRL F3
  2. Press CTRL A
  3. Press CTRL C
  4. Press Alt F4. (At this point the message is already copied)
  5. Open a new message. Right click and paste or select Edit and paste.

Netscape 3 - In the Netscape Mail window, click View/Document Source.

Netscape 4.xx - Double click on the email in your inbox. Click on View - Headers - All.

PINE - You have to turn on the header option in setup, then just hit "h" to get headers.

Programs that do not comply with any Internet standards (like cc-Mail, Beyond Mail, VAX VMS) throw away the headers. You will not be able to get headers from these email messages.

Aussie tells us that in Pegasus to view the full headers for each message, use CTRL-H. This will show the full headers for the particular message, but will not add them to any reply or forward. You need to cut/paste the message into the reply/forward to send these headers.

Richard tells us with Nettamer, a MS DOS based email and USENET group reader you must save the message as an ASCII file, then the full header will be displayed when you open the saved file with your favorite ASCII editor.

At this point if you are "pushing the envelope" on your ability to figure out how to get that complaint to the correct person, I would suggest joining the Usenet group alt.spam or news.admin.net-abuse.email and post the message with a title like "Please help me decipher this header". Unfortunately there is no "single" place to complain to about spam (or Unsolicited Commercial Email). Complaints have to be directed to the correct ISP (Internet Service Provider) that the spam originated from. See the below section entitled "Reporting spam".

A URL to help you figure out how to look at the headers:

A little different description of headers:

There is spamming software that sends the email directly to your computer. This produces only one Received line in the email, which makes your life many times easier: the computer in that line that is not your own is the spamming computer.

Also, please look through the body of the message for email addresses to reply to. Complain to the postmasters of those sites also (see below for a list of complaint addresses).

Gregory tells us that assuming a reasonably standard and recent sendmail setup, a Received line that looks like:

Received: from host1 (host2 [ww.xx.yy.zz]) by host3
    (8.7.5/8.7.3) with SMTP id MAA04298; Thu, 18 Jul 1996 12:18:06 -0600

shows four pieces of useful information (reading from back to front, in order of decreasing reliability):

Looking below we see 6 Received lines. Received lines are like links in a chain: the message is passed from one computer to the next with no breaks in the chain. The Received lines indicate that it ended up at ddi.digital.net (my computer) from mail.bestnetpc.com. It was received at mail.bestnetpc.com from unknown (HELO paul-s.-aiello) ([205.160.183.123]). The last three lines suggest that it was received at in2.|bm.net from mh.tomsurl|.com and from reb50.rs41|1date.net. Since none of these computers appear in the first two Received lines, we can ignore these lines and every Received entry after them (this UCE had 4 or 5 more faked Received lines in it that were deleted for this example). We also know that these lines are faked because no domain name has a "|" character in it: domain names contain only letters, digits, hyphens and dots.

Do not get confused by the "Received: from unknown" portion. The word "unknown" can be *anything* and should be ignored; it is whatever the spammer put in the SMTP HELO command when they connected to the SMTP server.

  1. Received: from mail.bestnetpc.com (IDENT:qmailr@mail.bestnetpc.com [205.160.183.3]) by ddi.digital.net (8.9.1a/8.9.1) with SMTP id CAA10768 for gandalf@digital.net; Thu, 26 Nov 1998 02:55:11 -0500 (EST)
  2. Received: (qmail 25259 invoked from network); 26 Nov 1998 08:05:49 -0000
  3. Received: from unknown (HELO paul-s.-aiello) ([205.160.183.123]) by mail.bestnetpc.com with SMTP; 26 Nov 1998 08:05:49 -0000
  4. Received: (from uudp@lcl|lhost) by in2.|bm.net (8.6.9/8.6.9) id CFF569794 for suppressed; Thursday, November 26, 1998
  5. Received: from tomsurl|.com (mh.tomsurl|.com [100.257.57.69]) by m4.tomsurl|.com (8.6.12/8.6.12) with ESMTP id PAA21932 Thursday, November 26, 1998
  6. Received: from reb50.rs41|1date.net (root@reb50.rs41|1date.net [256.36.1.176]) by tomsurl|.com (8.6.12/8.6.12) with ESMTP id PBA023891 for suppressed;

So we complain to whoever owns unknown (HELO paul-s.-aiello) ([205.160.183.123]). Make sure that you do an nslookup (or use http://samspade.org/t/, put the address in the section "address digger", click on Whois IP block and Traceroute and click on "do stuff") on the IP addresses. I try to verify that 205.160.183.123 is paul-s.-aiello. Indeed paul-s.-aiello does not even exist, and 205.160.183.123 does not resolve to a name when I do an NSLookup. Next would be a traceroute. See further below for more in-depth tracking on resolving an IP.
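As an added illustration (not part of the FAQ), here is a small Python script that applies the walk-through above to those six Received lines: it keeps only the bracketed IP that the receiving server wrote itself, follows the chain newest-first from my own server (each older line must have been added "by" the host the newer line received from), stops where the chain breaks or where the receiver could not resolve the peer, and separately flags lines whose host names or IP octets cannot be real. The sample lines are copied from the list above; the function names are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample: the six Received lines from the message above, newest first.
SAMPLE = [
    "Received: from mail.bestnetpc.com (IDENT:qmailr@mail.bestnetpc.com [205.160.183.3]) by ddi.digital.net (8.9.1a/8.9.1) with SMTP id CAA10768 for gandalf@digital.net; Thu, 26 Nov 1998 02:55:11 -0500 (EST)",
    "Received: (qmail 25259 invoked from network); 26 Nov 1998 08:05:49 -0000",
    "Received: from unknown (HELO paul-s.-aiello) ([205.160.183.123]) by mail.bestnetpc.com with SMTP; 26 Nov 1998 08:05:49 -0000",
    "Received: (from uudp@lcl|lhost) by in2.|bm.net (8.6.9/8.6.9) id CFF569794 for suppressed; Thursday, November 26, 1998",
    "Received: from tomsurl|.com (mh.tomsurl|.com [100.257.57.69]) by m4.tomsurl|.com (8.6.12/8.6.12) with ESMTP id PAA21932 Thursday, November 26, 1998",
    "Received: from reb50.rs41|1date.net (root@reb50.rs41|1date.net [256.36.1.176]) by tomsurl|.com (8.6.12/8.6.12) with ESMTP id PBA023891 for suppressed;",
]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")    # bracketed IP: the part the receiving server wrote itself
BY_RE = re.compile(r"\bby\s+([^\s(;]+)")                 # the server that added this line
RDNS_RE = re.compile(r"\((?:\S+@)?([^\s()\[]+)\s+\[\d")  # name the receiving server resolved for that IP
HOST_OK = re.compile(r"[A-Za-z0-9.-]+")                  # the only characters a real host name can contain

def parse_received(line):
    """Split one Received: line into the three pieces the walk-through above relies on."""
    ip, by, rdns = IP_RE.search(line), BY_RE.search(line), RDNS_RE.search(line)
    return {"ip": ip and ip.group(1), "by": by and by.group(1), "rdns": rdns and rdns.group(1)}

def valid_ip(ip):
    """False for strings such as 256.36.1.176 that cannot be an IPv4 address."""
    try:
        return ip_address(ip).version == 4
    except ValueError:
        return False

def forged_lines(lines):
    """Indices of lines whose host names or IPs cannot be real (a '|' in a name, an octet above 255)."""
    bad = []
    for i, e in enumerate(map(parse_received, lines)):
        hosts_bad = any(h and not HOST_OK.fullmatch(h) for h in (e["by"], e["rdns"]))
        if hosts_bad or (e["ip"] and not valid_ip(e["ip"])):
            bad.append(i)
    return bad

def trace_origin(lines, my_host):
    """Walk the chain newest-first from my own server; return the last IP that can be trusted."""
    expected_by, origin = my_host, None
    for e in map(parse_received, lines):
        if e["by"] is None and e["ip"] is None:
            continue                  # local handoff, e.g. qmail's 'invoked from network'
        if e["by"] != expected_by or not valid_ip(e["ip"] or ""):
            break                     # chain broken or nonsense IP: this and older lines are forged
        origin = e["ip"]
        if e["rdns"] is None:
            break                     # 'unknown': receiver could not resolve the peer, trail ends here
        expected_by = e["rdns"]       # the next older line must have been added by this host
    return origin
```

Running `trace_origin(SAMPLE, "ddi.digital.net")` yields 205.160.183.123, the same host the text complains to, and `forged_lines(SAMPLE)` points at the last three lines.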

IP portion = 205.160.183.123

Traceroute 205.160.183.123 gives us:

Find route from: 0.0.0.0 to: 205.160.183.123 (205.160.183.123), Max 30 hops, 40 byte packets

Step  Host                               IP
      snip
  13  acsi-sw-gw.customer.alter.net.     (157.130.128.26): 235ms
  14  atlant-ga-2.espire.net.            (206.222.97.24): 272ms
  15  206.222.104.37                     (206.222.104.37): 279ms
  16  orland-fl-1-a5-0.espire.net.       (206.222.99.7): 362ms
  17  iag.net.orland-fl-1.espire.net.    (206.222.106.6): 195ms
  18  d1.s0.gw.dayb.fl.iag.net.          (207.30.70.38): 230ms
  19  s0.gw.bestnetpc.net.               (207.30.70.254): 231ms
  20  * * *
  21  205.160.183.123                    (205.160.183.123): 372ms

See the traceroute section below for how to interpret the "*" (and other codes) that are returned from a traceroute.

Note - if you see something like the following realize that the only portion you can trust is within the "([" and the "])". The spammer put in the (faked) portion "mail.zebra.net (209.12.13.2)" :

Received: from mail.zebra.net (209.12.13.2) ([209.12.69.42])

Kamiel tells us that you might also want to make sure that the IP is not hosted by an intermediary site. Check it out at:

http://www.arin.net

You should complain to abuse@ or postmaster@ at the domain formed by the last two or three words of the host name. I would complain to abuse@iag.net OR abuse@espire.net (but NOT both sites) since, after looking below at the list of complaint addresses in this FAQ, there are no alternate addresses for iag.net or espire.net. Unless it is a "major provider" (someone in the below complaint list) I usually complain to the upstream provider rather than risk complaining to the spammer and being ignored. If you go too far up the chain, however, it may take quite some time for the complaint to filter down to the correct person.

Louise tells us that you are entitled to make an 'alleged' accusation, but to avoid exposing yourself to a libel claim, prefix your statement with:

"Without prejudice: I suspect you are the culprit of such and such."

The constitutional and legal boundary of 'without prejudice' exempts politicians' opinions spoken publicly, and this prefix is often adopted by solicitors (England) or lawyers/attorneys (USA).

I use :

abuse@XXXXX - Without prejudice I submit to you this Unsolicited Commercial Email is from your user XXXX. UCE is unappreciated because it costs my provider (and ultimately myself) money to process just like an unsolicited FAX. Please look into this. Thank you.

BE SURE to verify the IP address. Windows '95 machines place the name of the machine as the "name" and place the real IP address after the name, meaning a spammer can give a legitimate "name" of someone else to get someone innocent in trouble. A spammer at cyberpromo changed their SMTP HELO so that it claimed to be from Compuserve. The Received line looked like the below, but a quick verification of the IP address 208.9.65.20 showed it was indeed from cyberpromo :

Received: from dub-img-4.compuserve.com (cyberpromo.com [208.9.65.20]) by karpes.stu.rpi.edu

The below email was passed to me through a "mule" (un1.satlink.com [200.9.212.3]). The spammer hijacked an open SMTP port (an open relay) to reroute email to me:

Received: from un1.satlink.com (un1.satlink.com [200.9.212.3]) by ddi.digital.net (8.9.1a/8.9.1) with ESMTP id GAA06372; Fri, 27 Nov 1998 06:53:20 -0500 (EST)

Received: from usa.net ([209.86.128.234]) by un1.satlink.com (Netscape Messaging Server 3.54) with SMTP id AAT2FEA; Fri, 27 Nov 1998 08:46:07 -0200

A NSLookup on 209.86.128.234 resolves to user38ld07a.dialup.mindspring.com, so after I complain to mindspring.com I also send the postmaster of the open SMTP port the following:

postmaster@XXXXX - Your SMTP mail server XXXXX was used as a mule to pass (and waste your system resources) this email on to me. You can stop your SMTP port from allowing rerouting of email back outside of your domain if you wish to. FYI only. Info on how to block your server, see:

http://maps.vix.com/tsi/

Test for server vulnerability:

http://www.abuse.net/relay.html

or

http://samspade.org/t/

There are some systems that "claim" to "cloak" email. It is not true. If you receive one that looks like the following:

Received: from relay4.ispam.net (root@[207.124.161.39]) by ddi.digital.net (8.8.5/8.8.5) with ESMTP id KAA28969 for gandalf@digital.net; Thu, 26 Jun 1997 10:41:46 -0400 (EDT)

Received: from --- CLOAKED! ---

or

Received: from cerberus.njsmu.com ([204.142.120.2]) by ddi.digital.net (8.8.5/8.8.5) with ESMTP id HAA06250 for gandalf@digital.net; Mon, 25 Jan 1999 07:11:18 -0500 (EST)

From: hostme39@aol.com

Received: from The.sender.of.this.untracable.email.used.MAILGOD.by.IMI

It is still broken down as follows:

- The route the email took originated from one of the systems above the line marked "cloaked" or the line "untraceable" (in fact this makes it even easier to trace). There is no magic to it. Complain to that provider. If you get no response from the site that spammed, you should ask your provider to no longer allow the above site [207.124.161.39] to connect to your system.

It has been kindly pointed out to me that there is a "feature" (read "bug") in the UNIX mail spool wherein the person emailing you a message can append a "message" (with the headers) to the end of their message. It makes the mail reader think you have 2 messages when the joker that sent the original message only sent one message (with a fake message appended). If the headers look *really* screwy, you might look at the message before the screwy message and consider if it may not be a "joke" message.

There are also IBM mainframes and misconfigured Sun Sendmail machines (SMI-8.6/SMI-SVR4) that do not include the machine that they received the SMTP traffic from. You have to route the message (with headers) back to the postmaster at that system and ask them to tell you what the IP of the machine is that hooked into their system for that message.

An example from a Microsoft Exchange server, where the "HELO" name is recorded as the "from" host (and is completely false):

Received: from dpi.dpi-conseil.fr (dpi.dpi-conseil.fr [195.115.136.1]) by ddi.digital.net (8.9.3/8.9.3) with ESMTP id KAA06614 for gandalf@ddi.digital.net; Thu, 26 Aug 1999 10:51:31 -0400 (EDT)

Received: from FIREWALL ([192.168.0.254]) by dpi.dpi-conseil.fr with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0) id QW11TJV1; Thu, 26 Aug 1999 16:44:38 +0200

It has also been pointed out that someone on your server can telnet back to the mail port and send you mail. This also makes the forgery virtually untraceable by you, but as always your admin should be able to catch the telnet back to the server. If they telnet to a foreign SMTP server and then use the "name" of a user on that system, it may appear to you that the message came from that user. Be very careful when making assumptions about where the email came from.

Note for AOL users when looking at headers:

If you get double headers at the end of a message (like the below) the spammer has tacked on an extra set of headers to confuse the issue. Ignore everything except the last set of headers. These are the *real* headers.

------------------ Headers --------------------------------
Return-Path: Gloria@me.net
Received: from rly-za05.mx.aol.com (rly-za05.mail.aol.com [172.31.36.101]) by air-za04.mail.aol.com (v51.16) with SMTP; Mon, 16 Nov 1998 19:16:02 1900
Received: from mailb.telia.com (mailb.telia.com [194.22.194.6]) by rly-za05.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0) with ESMTP id TAA05189; Mon, 16 Nov 1998 19:15:53 -0500 (EST)
From: Gloria@me.net
Received: from signal.dk ([194.255.7.40]) by mailb.telia.com (8.8.8/8.8.8) with SMTP id BAA14174; Tue, 17 Nov 1998 01:15:50 +0100 (CET)
Received: from 194.255.7.40 by signal.dk via SMTP (950413.SGI.8.6.12/940406.SGI.AUTO) id AAA28586; Tue, 17 Nov 1998 00:53:13 +0100
Message-Id: 199811162353.AAA28586@signal.dk
Date: Mon, 16 Nov 98 18:27:19 EST
To: Gloria@papa.fujisankei-g.com.jp
Subject: ATTENTION SMOKERS - QUIT SMOKING IN JUST 7 DAYS
Reply-To: Gloria@papa.fujisankei-g.com.jp

------------------- Headers --------------------------------
Return-Path: lifeplanner@zcities.com
Received: from rly-yd04.mx.aol.com (rly-yd04.mail.aol.com [172.18.150.4]) by air-yd02.mx.aol.com (v56.14) with SMTP; Mon, 11 Jan 1999 23:54:48 -0500
Received: from phone.net ([207.18.137.42]) by rly-yd04.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0) with SMTP id XAA01327; Mon, 11 Jan 1999 23:51:03 -0500 (EST)
From: lifeplanner@zcities.com
To: Someone@aol.com
Date: Tue, 15 Dec 1998 20:54:19 -0600
Message-ID: 13653344018870252@phone.net
Subject: Life insurance, do you have it?
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
