Tip & How-To about Computers & Internet

Backtracking EMAIL Messages

Tracking email back to its source, because I hate spammers...

Ask most people how they determine who sent them an email message and the response is almost universally, "By the From line." Unfortunately this is symptomatic of the current confusion among internet users as to where particular messages come from and who is spreading spam and viruses. The "From" header is little more than a courtesy to the person receiving the message. People spreading spam and viruses are rarely courteous. In short, if there is any question about where a particular email message came from, the safe bet is to assume the "From" header is forged.

So how do you determine where a message actually came from? To backtrack an email message you have to understand how email messages are put together. SMTP is a text-based protocol for transferring messages across the internet. A series of headers is placed in front of the message data, and from those headers you can usually backtrack a message to the source network, sometimes to the source host. A more detailed essay on reading email headers can be found.

If you are using Outlook or Outlook Express you can view the headers by right clicking on the message and selecting properties or options.

Below are listed the headers of an actual spam message I received. I've changed my email address and the name of my server for obvious reasons. I've also double spaced the headers to make them more readable.

Return-Path:

X-Original-To: davar@example.com

Delivered-To: davar@example.com

Received: from 12-218-172-108.client.mchsi.com
(12-218-172-108.client.mchsi.com [12.218.172.108])
by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7 for ; Sun, 16 Nov 2003 09:50:37 -0800 (PST)

Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200

Message-ID:

From: "Maricela Paulson"

Reply-To: "Maricela Paulson"

To: davar@example.com

Subject: STOP-PAYING For Your PAY-PER-VIEW, Movie Channels, Mature Channels...isha

Date: Sun, 16 Nov 2003 19:42:31 +0200

X-Mailer: Internet Mail Service (5.5.2650.21)

X-Priority: 3

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"

According to the From header this message is from Maricela Paulson at s359dyxxt@yahoo.com. I could just fire off a message to abuse@yahoo.com, but that would be a waste of time. This message didn't come from Yahoo's email service.

The header most likely to be useful in determining the actual source of an email message is the Received header. According to the top-most Received header this message was received from the host 12-218-172-108.client.mchsi.com with the IP address 12.218.172.108 by my server mailhost.example.com. An important item to consider is at what point in the chain the email system becomes untrusted. I consider anything beyond my own email server to be an unreliable source of information. Because this header was generated by my email server it is reasonable for me to accept it at face value.

The next Received header (which is chronologically the first) shows the remote email server accepting the message from the host 0udjou with the IP 193.12.169.0. Those of you who know anything about IP will realize that is not a valid host IP address. In addition, any hostname that ends in client.mchsi.com is unlikely to be an authorized email server. This has every sign of being a cracked client system.
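The hand analysis of the two Received headers above can be automated. The following is an added example, not part of the original tip: it reparses the tip's headers (reassembled as a constructed raw message, with the blank fields left out), walks the hops from the top down, trusts only the hop stamped by my own server, and applies the same sanity checks the tip makes by eye (an IP ending in .0, a HELO name that is not a hostname, a reverse-DNS name that looks like a broadband client).

```python
import re
from email import message_from_string

# Constructed sample: the Received and From headers quoted in the tip above,
# refolded as they would appear in a raw message (blank fields omitted).
SAMPLE = """\
Received: from 12-218-172-108.client.mchsi.com
 (12-218-172-108.client.mchsi.com [12.218.172.108])
 by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7;
 Sun, 16 Nov 2003 09:50:37 -0800 (PST)
Received: from (HELO 0udjou) [193.12.169.0]
 by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>;
 Sun, 16 Nov 2003 19:42:31 +0200
From: "Maricela Paulson" <s359dyxxt@yahoo.com>
To: davar@example.com
"""

def parse_hop(received):
    """Extract the claimed (HELO) name, reverse-DNS name, IP and receiving
    host from one Received: header; pieces that are absent come back None."""
    text = " ".join(received.split())  # unfold continuation lines
    m = re.search(r"\bfrom\s+(.*?)\s+by\s+(\S+)", text)
    if not m:
        return None
    sender, by = m.group(1), m.group(2)
    helo = re.search(r"\(HELO\s+([^\s)]+)\)", sender, re.I)
    rdns = re.search(r"\(([\w.-]+)\s+\[", sender)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", sender)
    return {"helo": helo.group(1) if helo else sender.split()[0],
            "rdns": rdns.group(1) if rdns else None,
            "ip": ip.group(1) if ip else None, "by": by}

def analyse(raw, my_server):
    """Walk Received: headers top-down (most recent hop first). Only the hop
    stamped by my_server is trusted; later hops are the remote side's claim."""
    findings = []
    for hdr in message_from_string(raw).get_all("Received", []):
        hop = parse_hop(hdr)
        if hop is None:
            continue
        hop["trusted"] = hop["by"].lower() == my_server.lower()
        checks = [
            (not hop["trusted"], "stamped by a remote server: unverified"),
            (bool(hop["ip"]) and hop["ip"].endswith(".0"), "IP ends in .0: not a host address"),
            ("." not in hop["helo"], "HELO name is not a fully qualified hostname"),
            (bool(hop["rdns"]) and ".client." in hop["rdns"], "rDNS looks like a client, not a mail server"),
        ]
        hop["notes"] = [note for bad, note in checks if bad]
        findings.append(hop)
    return findings
```

Running `analyse(SAMPLE, "mailhost.example.com")` marks the first hop trusted (with a note about the client-style reverse DNS) and the second hop untrusted with three warnings, which is exactly where the manual analysis above decides to start digging.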

Here's where we start digging. By default Windows is somewhat lacking in network diagnostic tools; however, you can use the tools at to do your own checking.

davar@nqh9k:[/home/davar] $whois 12.218.172.108

AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
Mediacom Communications Corp MEDIACOMCC-12-218-168-0-FLANDREAU-MN (NET-12-218-168-0-1)
12.218.168.0 - 12.218.175.255

# ARIN WHOIS database, last updated 2003-12-31 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

I can also verify the hostname of the remote server by using nslookup, although in this particular instance, my email server has already provided both the IP address and the hostname.

davar@nqh9k:[/home/davar] $nslookup 12.218.172.108

Server: localhost
Address: 127.0.0.1

Name: 12-218-172-108.client.mchsi.com
Address: 12.218.172.108

OK, whois shows that Mediacom Communications owns that netblock and nslookup confirms the address-to-hostname mapping of the remote server, 12-218-172-108.client.mchsi.com. If I prefix www to the domain name portion and plug that into my web browser, http://www.mchsi.com, I get Mediacom's web site.

There are few things more embarrassing to me than firing off an angry message to someone who is supposedly responsible for a problem, and being wrong. By double checking who owns the remote host's IP address using two different tools (whois and nslookup) I minimize the chance of making myself look like an idiot.

A quick glance at the web site and it appears they are an ISP. Now if I copy the entire message, including the headers, into a new email message and send it to abuse@mchsi.com with a short message explaining the situation, they may do something about it.

But what about Maricela Paulson? There really is no way to determine who sent a message; the best you can hope for is to find out what host sent it. Even in the case of a PGP-signed message there is no guarantee that one particular person actually pressed the send button. Obviously, determining the actual sender of an email message is much more involved than reading the From header. Hopefully this example may be of some use to other forum regulars.

Good luck!
