Tracing an EmailTracing an Email

by Amin Pathanby Amin Pathan

The first step is to use an e-mail analysis tool like eMailTrackerPro, which will automatically analyze an e-mail and its headers and provide graphical results similar to the following:

Using eMailTrackerProUsing eMailTrackerPro

� If you do not have an actual e-mail, but If you do not have an actual e-mail, but only have an e-mail address, you can use only have an e-mail address, you can use the the eMailTrackereMailTracker tool in tool in VisualRouteVisualRoute to to track the user to their e-mail server. track the user to their e-mail server.

� An added benefit is that you are able to An added benefit is that you are able to see what SMTP software the mail server see what SMTP software the mail server is running (many times with version is running (many times with version information as well). information as well).

� In most cases, using an e-mail tracking In most cases, using an e-mail tracking tool like tool like eMailTrackerProeMailTrackerPro is your best is your best option. But, if you want to understand how option. But, if you want to understand how these tracking tools work, continue these tracking tools work, continue reading...reading...

e-mail Internet Headerse-mail Internet Headers

Every received e-mail has Every received e-mail has Internet Headers. Using Internet Headers. Using Microsoft Outlook as an Microsoft Outlook as an example (other mail example (other mail programs are very similar), programs are very similar), just follow these steps to just follow these steps to view the headers:view the headers:

�

� 1. Right-click on the mail message1. Right-click on the mail message that is still in your Outlookthat is still in your Outlook Inbox Inbox � 2. Select 'Options...' from the2. Select 'Options...' from the resulting popup menu resulting popup menu � 3. Examine the 'Internet Headers’3. Examine the 'Internet Headers’ in the resulting ‘Messagein the resulting ‘Message Options’ dialog boxOptions’ dialog box

When your full header is notWhen your full header is notvisible on your email:visible on your email:

� Some email programs like Some email programs like Hotmail or Yahoo have their Hotmail or Yahoo have their full headers hidden by default. full headers hidden by default.

� In order to view the full In order to view the full header, you must specifically header, you must specifically turn on that option. turn on that option.

YahooYahoo� 1. Click Options1. Click Options� 2. Click Mail Preferences2. Click Mail Preferences� 3. Click “Show Headers”3. Click “Show Headers”� 4. Click “All”4. Click “All”� 5. Click Save5. Click Save

HotmailHotmail� 1. Click Options1. Click Options� 2. Click Mail Display Headings (under2. Click Mail Display Headings (under “ “Additional Options”)Additional Options”)� 3. Click “Message Headers”3. Click “Message Headers”� 4. Click “Full”4. Click “Full”� 5. Click OK5. Click OK

ExampleExample

What you see when you view theWhat you see when you view themessage headers will be very message headers will be very

similar tosimilar tothe following:the following:

1: Received: from tes1a623.OneMail.com.sg 1: Received: from tes1a623.OneMail.com.sg ([203.127.89.129]) ([203.127.89.129])

by visualroute.com (8.11.6) id f9CIVSk24480; Fri, 12 by visualroute.com (8.11.6) id f9CIVSk24480; Fri, 12 Oct Oct

2001 12:31:29 -0600 (MDT)2001 12:31:29 -0600 (MDT) 2: Message- 2: Message- Id:<200110121831.f9CIVSk24480@s2.domain.com>Id:<200110121831.f9CIVSk24480@s2.domain.com> 3: Received: from drb.com (IIM1608 [203.127.89.138]) by 3: Received: from drb.com (IIM1608 [203.127.89.138]) by tes1a623.OneMail.com.sg with SMTP (Microsoft tes1a623.OneMail.com.sg with SMTP (Microsoft

ExchangeExchange Internet Mail Service Version 5.5.2448.0)Internet Mail Service Version 5.5.2448.0) 4: id 4XNK9ATR; Sat, 13 Oct 2001 01:19:10 +08004: id 4XNK9ATR; Sat, 13 Oct 2001 01:19:10 +0800 5: From: paylesslongdistance@somedomain.com5: From: paylesslongdistance@somedomain.com 6: To: <>6: To: <> 7: Subject: Long Distance - 4.9 cents per min - NO FEES!7: Subject: Long Distance - 4.9 cents per min - NO FEES! 8: Date: Fri, 12 Oct 2001 13:24:26 -04008: Date: Fri, 12 Oct 2001 13:24:26 -0400 9: X-Sender: paylesslongdistance@yahoo.com9: X-Sender: paylesslongdistance@yahoo.com 10: X-Mailer: QUALCOMM Windows Eudora Pro Version 10: X-Mailer: QUALCOMM Windows Eudora Pro Version

4.14.1 11: Content-Type: text/plain; charset="us-ascii"11: Content-Type: text/plain; charset="us-ascii" 12: X-Priority: 312: X-Priority: 3 13: X-MSMail-Priori ty: Normal13: X-MSMail-Priori ty: Normal 14: X-UIDL: 8`Y!!0GR!!"?H"!k:O!!14: X-UIDL: 8`Y!!0GR!!"?H"!k:O!! 15: Status: U15: Status: U

‘‘Received’ HeaderReceived’ Header The most important header The most important header

field for tracking purposes is field for tracking purposes is the Received header field, the Received header field, which usually has a syntax which usually has a syntax similar to:similar to:

Received:Received: from ? from ? by ? by ? via ? via ? with ?with ?

id ? id ? for ? for ?

date-timedate-time

Sender’s IP AddressSender’s IP Address

What is crucial for tracking, is to pay What is crucial for tracking, is to pay attention to the trail of IP-address in the attention to the trail of IP-address in the fromfrom tokens and not necessarily the tokens and not necessarily the host name provided to us in the host name provided to us in the byby tokens:tokens:

Received:Received:� fromfrom tes1a623.OneMail.com.sg ([ tes1a623.OneMail.com.sg ([203.127.89.129203.127.89.129])])� byby visualroute.com (8.11.6) visualroute.com (8.11.6) � idid f9CIVSk24480; f9CIVSk24480; � FriFri, 12 Oct 2001 12:31:29 -0600 (MDT), 12 Oct 2001 12:31:29 -0600 (MDT)

Track the IP AddressTrack the IP Address� Use Use eMailTrackerProeMailTrackerPro to track the IP to track the IP

Address! Track down the person! The Address! Track down the person! The resulting trace will look somewhat like resulting trace will look somewhat like the following generic trace: the following generic trace:

ConclusionConclusion

As a result, by using As a result, by using eMailTrackerProeMailTrackerPro and analyzing email message headers, and analyzing email message headers, you are fully capable of tracing that you are fully capable of tracing that mysterious email. You can now take mysterious email. You can now take action and rest easy.action and rest easy.

THE ENDTHE END