Gentoo Forums
How to trace an e-mail?
Gentoo Forums Forum Index :: Networking & Security
Antimatter
Guru

Joined: 11 Aug 2003
Posts: 463

PostPosted: Thu Dec 23, 2004 7:43 am    Post subject: How to trace an e-mail?

I received an e-mail with nothing in the "To:" field, and that made me suspicious. Anyway, I opened the extended header and here's the quotation of it. What I want to trace is who this e-mail was all sent to, because I got suspicious that there's no address in the "To:" field nor the "BCC:" field, and I don't see a "CC:" field, and I'm trying to figure out how the hell it got e-mailed to me and who else it was e-mailed to. I'm just suspicious of it. Anyway, here's the header:

Quote:

Return-Path: <fake-email@hotmail.com>
Received: from draco.email.starband.net ([unix socket])
by draco (Cyrus v2.2.1-BETA) with LMTP; Sun, 19 Dec 2004 00:46:10 -0500
X-Sieve: CMU Sieve 2.2
Received: from hestia.email.starband.net ([10.78.249.31])
by draco.email.starband.net (8.12.11/8.12.11) with ESMTP id iBJ5kAcA021799
for <my-email@starband.net>; Sun, 19 Dec 2004 00:46:10 -0500
Received: from vms2.rit.edu (vms2.isc.rit.edu [129.21.3.9])
by hestia.email.starband.net (8.12.10/8.12.10) with ESMTP id iBJ5iBwG029499
for <my-email@starband.net>; Sun, 19 Dec 2004 00:44:11 -0500
Received: from ritvax.isc.rit.edu by ritvax.isc.rit.edu (PMDF V6.2-X26 #30843)
id <01LIKB2AJFGYNJT2B5@ritvax.isc.rit.edu> for my-email@starband.net
(ORCPT pjb8774@rit.edu); Sun, 19 Dec 2004 00:44:09 -0500 (EST)
Received: from CONVERSION-DAEMON.ritvax.isc.rit.edu by ritvax.isc.rit.edu
(PMDF V6.2-X26 #30843) id <01LIKB29IJ2ONG8E0U@ritvax.isc.rit.edu> for
pjb8774@ritvax.isc.rit.edu (ORCPT pjb8774@rit.edu); Sun,
19 Dec 2004 00:44:07 -0500 (EST)
Received: from hotmail.com (bay102-f20.bay102.hotmail.com [64.4.61.30])
by ritvax.isc.rit.edu (PMDF V6.2-X26 #30843)
with ESMTP id <01LIKB25P42SNJT4L8@ritvax.isc.rit.edu> for
pjb8774@ritvax.isc.rit.edu (ORCPT pjb8774@rit.edu); Sun,
19 Dec 2004 00:44:06 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat,
18 Dec 2004 21:44:01 -0800
Received: from 198.248.92.205 by by102fd.bay102.hotmail.msn.com with HTTP; Sun,
19 Dec 2004 05:42:56 +0000 (GMT)
Date: Sat, 18 Dec 2004 23:42:56 -0600
From: Katie Bame <fake-email@hotmail.com>
Subject: Holiday Greetings
X-Originating-IP: [198.248.92.205]
X-Sender: fake-email@hotmail.com
Bcc:
Message-id: <BAY102-F2098D886C063C8D3B18FACC5A10@phx.gbl>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_7RA9j8MNaNR9d9/cHHaoTw)"
X-Originating-Email: [fake-email@hotmail.com]
X-OriginalArrivalTime: 19 Dec 2004 05:44:01.0449 (UTC)
FILETIME=[BE06E990:01C4E58D]
X-Spam-Status: No, hits=0.9 tagged_above=0 required=5 fake-email@hotmail.com, (null)
X-Spam-Flag: NO
X-Spam-Level:
X-Spam-Report: FROM_ENDS_IN_NUMS
X-Virus-Scanned: clamd / ClamAV version 0.67-1, clamav-milter version 0.67a


To protect the person who the e-mail came from I've changed the originating address, but I would like to know the process of how to track it down and how to figure out the CC and others.

Thanks :) I'm just suspicious of the e-mail, that's all.
adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

PostPosted: Thu Dec 23, 2004 8:52 am    Post subject: Okay, let's trace the sucker.

Quote:
for <my-email@starband.net>; Sun, 19 Dec 2004 00:46:10 -0500

Did you fudge this?
If you want me to seriously look at these headers, then don't - you only make it more difficult.
So far, I'm assuming that this is an actual address you receive mail on.

Quote:
Received: from vms2.rit.edu (vms2.isc.rit.edu [129.21.3.9])
by hestia.email.starband.net (8.12.10/8.12.10) with ESMTP id iBJ5iBwG029499
for <my-email@starband.net>; Sun, 19 Dec 2004 00:44:11 -0500

Received: from ritvax.isc.rit.edu
by ritvax.isc.rit.edu (PMDF V6.2-X26 #30843) id <01LIKB2AJFGYNJT2B5@ritvax.isc.rit.edu>
for my-email@starband.net (ORCPT pjb8774@rit.edu); Sun, 19 Dec 2004 00:44:09 -0500 (EST)

Received: from CONVERSION-DAEMON.ritvax.isc.rit.edu
by ritvax.isc.rit.edu (PMDF V6.2-X26 #30843) id <01LIKB29IJ2ONG8E0U@ritvax.isc.rit.edu>
for pjb8774@ritvax.isc.rit.edu (ORCPT pjb8774@rit.edu); Sun, 19 Dec 2004 00:44:07 -0500 (EST)

Received: from hotmail.com (bay102-f20.bay102.hotmail.com [64.4.61.30])
by ritvax.isc.rit.edu (PMDF V6.2-X26 #30843) with ESMTP id <01LIKB25P42SNJT4L8@ritvax.isc.rit.edu>
for pjb8774@ritvax.isc.rit.edu (ORCPT pjb8774@rit.edu); Sun, 19 Dec 2004 00:44:06 -0500 (EST)

Received: from mail pickup service
by hotmail.com with Microsoft SMTPSVC; Sat, 18 Dec 2004 21:44:01 -0800

Received: from 198.248.92.205
by by102fd.bay102.hotmail.msn.com with HTTP; Sun, 19 Dec 2004 05:42:56 +0000 (GMT)

This is the full trace of the e-mail - in reverse order.
I separated each hop for clarity.

So the last foreign host to forward the mail to you was vms2.isc.rit.edu, and the originating mail server was hotmail (no surprises there!).
The very first trace step is the HTTP connection from which this hotmail was sent, in this case 198.248.92.205.

To be absolutely sure that this trace sequence is genuine, you have to dig up the reverse addresses for every host in between, with host or dig.
If there is already a hostname in the header for that host, then the mail server has done the reverse lookup for you - as a safety check of sorts.
The first hostname is the one given by the connecting mail server - which can obviously be faked.
The one between parentheses is the hostname the MTA got from a reverse lookup on the connecting IP address (between the [brackets]), neither of which can be faked.

Dig is much better than host, but part of the bind-tools package, so not in your standard distribution.

I'll do that for you here:
Code:
host vms2.rit.edu

gets 129.21.3.9 - that checks out.
The ritvax thing in between is an internal mail hub - it doesn't divulge any information like IP address, so not much you can do with that.
The next verifiable fact is the hotmail connection - so we do that:

Code:
host bay102-f20.bay102.hotmail.com

gets 64.4.61.30 - this checks out as well.

The last step of the path is the address from which the mail was actually sent - so we reverse-dig that:
Code:
dig -x 198.248.92.205

and we get tsa205.usd434.org.

If you now do a whois query on the domain, you see that it is registered by the Santa Fe Trail School - an educational or recreational institution of some sort.
But this alone tells you nothing - it is only the domain from which the mail was sent.
While this cannot be faked, it can easily be abused or hijacked in some way.

What you really need is the InterNIC netblock info for the IP address, which we also do with whois:
Code:
whois 198.248.92.205

and we get:
Code:
Kansas Research and Education Network KANREN-CBLK (NET-198-248-0-0-1)    198.248.0.0 - 198.248.255.255
Santa Fe Trail USD434 NET-198-248-92-0-22 (NET-198-248-92-0-1)           198.248.92.0 - 198.248.95.255

So it was indeed sent from a computer owned and operated by them.

Contact and abuse information is in the domain registration info from the whois output.

I hope this sheds some light on your situation.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
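As an added example (not code from this thread or from adaptr), the following Python script automates the walk adaptr describes: it unfolds the Received: headers, lists the hops oldest first, separates the name the connecting host announced from the reverse-lookup name and the bracketed IP, and forward-confirms the reverse name against the IP. The FORWARD_DNS table is a constructed stand-in for the host/dig lookups so the script runs offline; its values are the ones adaptr reports above.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample with the thread's hop structure (placeholder addresses kept);
# Received: lines are newest first, as in a real message.
SAMPLE = """\
Received: from vms2.rit.edu (vms2.isc.rit.edu [129.21.3.9])
 by hestia.email.starband.net (8.12.10/8.12.10) with ESMTP id iBJ5iBwG029499
Received: from hotmail.com (bay102-f20.bay102.hotmail.com [64.4.61.30])
 by ritvax.isc.rit.edu (PMDF V6.2-X26 #30843) with ESMTP
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC
Received: from 198.248.92.205 by by102fd.bay102.hotmail.msn.com with HTTP; Sun,
 19 Dec 2004 05:42:56 +0000 (GMT)
"""
# Stands in for `host`/`dig` so this runs offline; values mirror what the thread
# reports. Swap in socket.gethostbyname() for live forward lookups.
FORWARD_DNS = {"vms2.isc.rit.edu": "129.21.3.9",
               "bay102-f20.bay102.hotmail.com": "64.4.61.30"}
IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
HOP_RE = re.compile(r"^Received:\s+from\s+(.+?)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.M)

@dataclass
class Hop:
    claimed: str         # name the connecting host announced; forgeable
    rdns: Optional[str]  # name the MTA got by reverse lookup of the IP
    ip: Optional[str]    # connecting IP as recorded by the MTA
    by: str              # MTA that wrote this header

def parse_received(headers: str) -> list:
    """Return hops oldest first, so index 0 is the originating connection."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)   # join folded lines
    hops = []
    for claimed, paren, by in HOP_RE.findall(unfolded):
        rdns = ip = None
        if paren:                       # "(rdns-name [ip])" or "([ip])"
            ipm = re.search(r"\[(" + IP_RE + r")\]", paren)
            ip = ipm.group(1) if ipm else None
            names = [t for t in paren.split() if not t.startswith("[")]
            rdns = names[0] if names else None
        elif re.fullmatch(IP_RE, claimed):
            ip = claimed                # bare IP, e.g. the webmail HTTP client
        hops.append(Hop(claimed, rdns, ip, by))
    return hops[::-1]

def verify(hop: Hop, dns: dict = FORWARD_DNS) -> str:
    """Forward-confirm the reverse-lookup name against the recorded IP."""
    if not hop.rdns or not hop.ip:
        return "unverifiable"           # internal hub or no reverse name recorded
    return "ok" if dns.get(hop.rdns) == hop.ip else "MISMATCH"
```

A hop that comes back "unverifiable" (the ritvax hub, or the webmail pickup service) is exactly the kind adaptr says you cannot do much with; a "MISMATCH" means the name in the header does not belong to the IP that actually connected.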
Antimatter
Guru

Joined: 11 Aug 2003
Posts: 463

PostPosted: Fri Dec 24, 2004 12:16 am

Yeah, I fudged my private e-mail, which is at starband, and the e-mail address at hotmail, but that's it.

Thanks for the information :) As soon as I get back to my Linux PC I'll give this a shot and see what sort of information I can glean from it using your method, so I can learn it better for future use. I'm curious how this person covered up the "To:" field; there's nothing in there, all I see is a blank. So is there any chance of recovering that, or is that a dead end?

Thanks :)

justanothergentoofanatic
Guru

Joined: 29 Feb 2004
Posts: 337

PostPosted: Fri Dec 24, 2004 2:12 am

The To: field does not really do anything as far as the mail server is concerned. The actual recipient(s) were specified during the SMTP conversation in what is called the mail 'envelope.' All envelope information is lost once the message has been accepted for delivery by the mail server.

My mail server, courier, adds a Delivered-To header specifying the addressee during message processing. I don't know if other mail servers can also be configured to do this.

-Mike
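To make the envelope-versus-header distinction concrete, here is an added Python model of a receiving MTA (not courier's code, and not from this thread): the client names its recipients with RCPT TO, the To: header is never consulted, and once the message is accepted the only trace of the envelope recipient is the Delivered-To header the MTA chose to add. The session, its replies and the addresses are constructed.

```python
import re
# Constructed session: two envelope recipients, no To: header at all (only an
# empty Bcc:, as in the thread's message). Addresses are the thread's placeholders.
CLIENT = [
    "MAIL FROM:<fake-email@hotmail.com>",
    "RCPT TO:<my-email@starband.net>",
    "RCPT TO:<other-recipient@example.org>",
    "DATA",
    "From: Katie Bame <fake-email@hotmail.com>",
    "Subject: Holiday Greetings",
    "Bcc:",
    "",
    "Happy holidays!",
    ".",
]

def receive(client_lines):
    """Toy receiving MTA: answers each command, keeps the envelope only until the
    message is accepted, then stores one copy per envelope recipient with a
    Delivered-To header (as courier does). Returns (transcript, {rcpt: message})."""
    transcript, env, data, in_data = [], {"from": "", "rcpt": []}, [], False
    for line in client_lines:
        if in_data:                              # message text until a lone "."
            if line == ".":
                in_data = False
                transcript.append(("S", "250 OK: queued"))
            else:
                data.append(line[1:] if line.startswith("..") else line)
            continue
        transcript.append(("C", line))
        if m := re.match(r"MAIL FROM:<([^>]*)>", line, re.I):
            env["from"], reply = m.group(1), "250 OK"
        elif m := re.match(r"RCPT TO:<([^>]*)>", line, re.I):
            env["rcpt"].append(m.group(1))
            reply = "250 OK"
        elif line.upper() == "DATA":
            in_data, reply = True, "354 End data with <CR><LF>.<CR><LF>"
        else:
            reply = "500 Unknown command"
        transcript.append(("S", reply))
    text = "\n".join(data)
    # The envelope is discarded here; only the headers the MTA adds survive.
    stored = {r: f"Delivered-To: {r}\nReturn-Path: <{env['from']}>\n{text}"
              for r in env["rcpt"]}
    return transcript, stored

def header_recipients(message):
    """Addresses visible in To:/Cc: of a stored message; empty for this sample."""
    head = message.split("\n\n", 1)[0]
    return [a.strip() for a in re.findall(r"^(?:To|Cc):[ \t]*(.*)$", head, re.M | re.I)
            if a.strip()]
```

Each stored copy names only its own envelope recipient in Delivered-To, so the other RCPT TO address never becomes recoverable from the copy you received.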
Antimatter
Guru

Joined: 11 Aug 2003
Posts: 463

PostPosted: Fri Dec 24, 2004 4:04 am

Hmmm, because I remember seeing many e-mails in the past that had my name or some other name in the "To:" field, such as those cursed chain letters; they would have 20-30 people in the "To:" field. So you're telling me there's no way of figuring that out from the information here, that it's lost?

nobspangle
Veteran

Joined: 23 Mar 2004
Posts: 1318
Location: Manchester, UK

PostPosted: Fri Dec 24, 2004 7:53 am

I'm pretty sure hotmail doesn't generate to: headers, the reason being an attempt to cut down on viruses that scan text files to find email addresses. The to field in your email program will probably say undisclosed recipient.
adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

PostPosted: Fri Dec 24, 2004 9:16 am

Antimatter wrote:
Yeah, I fudged my private e-mail, which is at starband, and the e-mail address at hotmail, but that's it.

Thanks for the information :) As soon as I get back to my Linux PC I'll give this a shot and see what sort of information I can glean from it using your method, so I can learn it better for future use. I'm curious how this person covered up the "To:" field; there's nothing in there, all I see is a blank. So is there any chance of recovering that, or is that a dead end?

Thanks :)


One very important note I forgot to mention: all of the above is only true if all of the mail servers in between are telling the truth!

If even one of them has been hijacked then you obviously can't trust any of the information in the message.

This doesn't happen a lot, but it does happen.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen