E-Mail Tracks

Posted: 13 Jun 2007 01:08 PM CDT

A couple of years ago, an organization approached me with an interesting dilemma. One of their employees (let’s call him “Steve”) had taken a vehicle and run off. They were desperate to find him to help him out of the trouble that he had gotten himself into.

The next day, the police found the vehicle about 400 miles away where it had broken down. They believed that he was somewhere in the vicinity and were concentrating their search in that area. They looked for three days without any luck.

Then, this organization got lucky. The CEO received an e-mail from Steve, apologizing for all the trouble that he had caused. The employee used a Hotmail account that he could access from anywhere to send the e-mail. Steve indicated that he was going to be checking this e-mail account for the next couple of days if we wanted to “talk” with him.

It was at this point that I was called in. Everyone was certainly in for a surprise!

The CEO asked me to take a look at the e-mail and see if there was a way I could determine where “Steve” was sending the e-mail from. I immediately went to work.

I was about 30 seconds into my investigation when the CEO came to me with a puzzled look. “Aren’t you going to read the e-mail? All I see is gibberish on the screen! How’s that going to help us?”

I responded, “This ‘gibberish’ is called an e-mail header and it is the equivalent of a GPS trail for the e-mail. It tells the computer, and me, every single system that it went through to get to your computer here. I can then cross-reference this information with registration information on the Internet. I should be able to tell you what city Steve is located in, the Internet provider for the place that he sent the e-mail from, and when he was at that location.”

Sure enough, it took me about two minutes to discover that Steve was nowhere near where he abandoned the car. Rather, he was more than 1,500 miles from that location, half a country away! I provided the information to the police and they got the address from the Internet provider. Within a couple of hours, a worker had positively identified Steve and the process of helping him could now begin.

All because Steve sent an e-mail.

The Importance of Headers

What I had done was really not that difficult. In fact, it is really common practice. The key to doing this is understanding the contents of an e-mail header.

The e-mail header provides all of the technical information that was required to get the message to your mail inbox. It is built up as the message travels through the Internet. By the time it gets to you, it is full of information goodness that gives a pretty good history of where the message has been.

I’m not going to go through a comprehensive guide on how a header works and all the possible options that are available to the user, but I will point you to a couple of really good web pages. Reading Email Headers talks in more detail about deciphering the contents of an e-mail header, and Permanent Message Header Field Names is a great resource for everything that may be in an e-mail header.

The important headers to be looking at are:

  • Received - This is probably the most useful header in the entire bunch. It tells you the system that received the e-mail and the system that sent it. There may be several of these headers, depending on the number of systems the e-mail needed to go through. It also has a number of subfields that help to provide specific information:
    • from - The name and/or the IP address of the system that sent the message during the transaction.
    • by - The name and/or the IP address of the system that received the message during the transaction.
    • for - This tells you who the e-mail is for. But, more importantly, it tells you the time that this transaction occurred. This helps you to confirm the path the e-mail took.
  • From - This is the e-mail address that sent the message.
  • Reply-To - This is the e-mail address that would receive the response if you hit Reply in your e-mail program.

One thing to note is that the Received headers are generally in reverse chronological order. That means that the last transaction to occur is the first one in the header, and the first system to handle the message is the last Received line. This can be confusing because, within a single Received line, the from and by subfields are listed in the order the transaction happened: the from system handed the message to the by system.
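As an added example (not code from the original post), here is a small Python script that does by hand what the graphic traceroute tools do: it pulls every Received header out of a message, reverses them into chronological order, extracts the from, by and for subfields and the date-time stamp that follows the final semicolon of each Received line, and reports which hop to feed to whois. It also flags private (RFC 1918) addresses, which no whois lookup can place, and marks which Received lines were stamped by the receiving organization's own servers, since those are the only ones whose contents that organization actually witnessed. The message, hostnames and addresses are constructed for illustration, and OWN_HOSTS is an assumed list of the receiving organization's mail servers.

```python
"""Trace an e-mail's path from its Received headers (added example, not from the post)."""
import email
import ipaddress
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, newest hop first, exactly as the receiving server stores it.
# Hostnames and addresses are documentation values, not real systems.
SAMPLE_MESSAGE = """\
Received: from mx1.example.com ([10.20.30.40])
    by inbox.example.com (internal relay) with ESMTP id 4A1
    for <ceo@example.com>; Wed, 13 Jun 2007 11:02:19 -0500
Received: from smtp-out.webmail.example.net (smtp-out.webmail.example.net [198.51.100.7])
    by mx1.example.com (Postfix) with ESMTP id 3B2
    for <ceo@example.com>; Wed, 13 Jun 2007 11:02:17 -0500
Received: from webmail-fe3.webmail.example.net ([203.0.113.45])
    by smtp-out.webmail.example.net with SMTP id 2C3
    for <ceo@example.com>; Wed, 13 Jun 2007 11:02:15 -0500
Received: from [192.0.2.88] by webmail-fe3.webmail.example.net with HTTP;
    Wed, 13 Jun 2007 11:01:59 -0500
From: "Steve" <steve@webmail.example.net>
Reply-To: <someone-else@example.org>
To: ceo@example.com
Subject: Sorry

Sorry for all the trouble.
"""

OWN_HOSTS = ("inbox.example.com", "mx1.example.com")   # assumed: our own servers

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+)>?", re.I)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    """RFC 1918, loopback and link-local addresses cannot be resolved via whois."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def parse_received(value):
    """Split one Received line into from / by / for / sender IP / timestamp."""
    flat = " ".join(value.split())             # unfold the continuation lines
    clause, _, stamp = flat.rpartition(";")    # the date-time follows the last ';'
    m_from, m_by, m_for = FROM_RE.search(clause), BY_RE.search(clause), FOR_RE.search(clause)
    # The sending system's address is written between the 'from' and 'by' tokens.
    from_part = clause[m_from.start():m_by.start()] if (m_from and m_by) else clause
    ip = IPV4_RE.search(from_part)
    return {
        "from": m_from.group(1).strip("[]") if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "for": m_for.group(1) if m_for else None,
        "ip": ip.group(1) if ip else None,
        "time": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
    }


def trace(raw_message, own_hosts):
    """Return the hops in chronological order (origin first) with trust flags."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()                              # stored newest-first; origin is last
    for i, hop in enumerate(hops):
        hop["hop"] = i + 1
        hop["internal_ip"] = bool(hop["ip"]) and is_internal(hop["ip"])
        hop["stamped_by_us"] = hop["by"] in own_hosts   # only these lines did we write
        prev = hops[i - 1]["time"] if i else None
        hop["delay_s"] = (hop["time"] - prev).total_seconds() if (prev and hop["time"]) else None
    return hops


def origin_ip(hops):
    """Earliest hop with a non-internal address: the one to look up in whois."""
    return next((h["ip"] for h in hops if h["ip"] and not h["internal_ip"]), None)


def last_verifiable_ip(hops, own_hosts):
    """Peer address recorded by our own server: the only hop we know is genuine."""
    ours = [h for h in hops if h["by"] in own_hosts]
    return ours[0]["ip"] if ours else None


def reply_to_differs(raw_message):
    """True when a reply would go somewhere other than the From address."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return bool(reply_to) and reply_to != sender


if __name__ == "__main__":
    hops = trace(SAMPLE_MESSAGE, OWN_HOSTS)
    for h in hops:
        status = "verified" if h["stamped_by_us"] else "claimed"
        print(f"hop {h['hop']}: {h['from']} ({h['ip']}) -> {h['by']} "
              f"at {h['time']} +{h['delay_s']}s [{status}]")
    print("origin candidate IP:", origin_ip(hops))
    print("last verifiable peer IP:", last_verifiable_ip(hops, OWN_HOSTS))
    print("Reply-To differs from From:", reply_to_differs(SAMPLE_MESSAGE))
```

The delay between consecutive hops is the practical check the post alludes to: a path whose timestamps run backwards or jump by hours is one whose older Received lines deserve suspicion, because every line below the one your own server stamped was supplied by the remote side. The same applies to the origin candidate: it is the address to hand to whois, but only the peer address your own server recorded is something you witnessed yourself.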

Useful Online Tools

What I would rather do is point you to some quick tools that can help you track an e-mail back to its origin.

  • Email Graphic Traceroute - A very useful and easy to use tool. Simply paste your header into the web page and it will generate a Google map mashup showing you exactly where the e-mail has gone.
  • Geobytes Free Services - A huge list of useful free services that all rely on being able to associate an IP address to a physical location. These services include:
  • DNS Report - A very comprehensive look at a specific domain name. Also provides an option to check an e-mail address.
  • Network Tools - A lot of very useful IP and DNS tools including:
    • ping
    • lookup
    • trace route
    • whois

Conclusion

To track the average user’s e-mail is a relatively easy process. It can be very useful when you need to figure out where someone is located.

But, be cautioned. It is also relatively trivial for someone who understands how mail systems work to fake almost every header option. So be sure you know who you are tracking first unless you want to become the tracked!



http://www.dailycupoftech.com/