Claris E-Mailer - Under Mail, select Show Long Headers.
Eudora (before ver. 3) - Select Tools, Options..., then Fonts & Display, then Show all headers.
Eudora (ver. 3.x, 4.x IBM or Macintosh) - Press the BLAH button on the incoming mail message.
HotMail - To expose the full message header, click "Options" on the Hotmail Navigation Bar on the left side of the page. On the Options page, click "Preferences." Scroll down to "Message Headers" and select "Full."
Lotus Notes 4.6.x - From the menu bar, select Actions, then Delivery Information. Copy the information from the bottom box into your e-mail report at the top of the spam.
Lotus Notes R5 - From the menu bar, select Actions, then Tools, then Delivery Information. Copy the information from the bottom box into your e-mail report at the top of the spam.
MS Outlook - Double click on the email in your inbox. This will bring the message into a window. Click on View - Options. You can also open a message, then choose File... Properties... Details.
MS Outlook Express - Alt-Enter, or Alt-F then R.
MS Outlook Express (more detailed) - 1- Press CTRL F3. 4- Press Alt F4. (At this point the message is already copied.) 5- Open a new message. Right click and paste, or select Edit and paste.
Netscape 3 - In the Netscape Mail window, click View/Document Source.
Netscape 4.xx - Double click on the email in your inbox. Click on View - Headers - All.
PINE - You have to turn on the header option in setup, then just hit "h" to get headers.
Example of an individual I am currently tracking.
I sent the original e-mail to taunt him. It was MEANT to get him to respond! :)
From tmenterspection@excite.com Thu May 18 17:18:40 2000
Received: from [198.3.99.203] by hotmail.com (3.2) with ESMTP id MHotMailBAEDD262005DD82197E9C60363CBEFD80; Thu May 18 17:14:26 2000
Received: from almond.excite.com ([199.172.148.82]) by fortune.excite.com (InterMail vM.4.01.02.39 201-229-119-122) with ESMTP id <20000518231947.BRUR8079.fortune.excite.com@almond.excite.com> for online_predator_hunter@hotmail.com ; Thu, 18 May 2000 16:19:47 -0700
Message-ID: <1640881.958691987155.JavaMail.imail@almond.excite.com>
Date: Thu, 18 May 2000 16:19:44 -0700 (PDT)
From: tme tmenterspection@excite.com
To: online_predator_hunter@hotmail.com
Subject: well well well mon ami
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Excite Inbox
X-Sender-Ip: 63.16.10.245
>Gentlemen....I say that sarcastically mind you!
> > You have a computer security professional tracking you!
> I will enjoy the hunt...
> Hehehehe greetings, little buddy. one of my friends appears to be
having a problem with you. no need to worry, it's been taken care of.
and oh man has it been taken care of... being a lawyer, i checked out
the content on his computer - everything he has. of it, there was NO
porn. now i'm not sure what country or planet you're from, but nudity
is NOT porn. unlike you, i've been to many many many years of college
and school and have learned everything imaginable. any further problems
from you and i'll be having the last and final laugh. additional quote
from my dear friend:
"i've done nothing wrong, nothing bad, and endless good deeds. if you
think for one second that nudity is wrong, you are DEAD WRONG missy.
porno is not good and i do everything i can to stop it. but when narkers
like yourself try to put blame on the good guys, there is a heavy price
to pay.." have a DANG lovely day
] Jerry, ] Private Lawyers Assoc. of Calif. ]
Alive and working since 1963 p.s. enjoy the e-mails you may be receiving;
compliments of another great friend of mine...
and as you've said: Hehehehe
1. Where is this e-mail from? excite.com
Received: from almond.excite.com ([199.172.148.82]) by fortune.excite.com (InterMail vM.4.01.02.39 201-229-119-122) with ESMTP id <20000518231947.BRUR8079.fortune.excite.com@almond.excite.com> for online_predator_hunter@hotmail.com ; Thu, 18 May 2000 16:19:47 -0700
Message-ID: <1640881.958691987155.JavaMail.imail@almond.excite.com>
2. Who sent it?
tmenterspection@excite.com
3. Where did he send this from?
X-Mailer: Excite.com Inbox
X-Sender-Ip: 63.16.10.245
4. What time did he send this e-mail?
Date: Thu, 18 May 2000 16:19:44 -0700 (PDT)
What can I do now?
Examine #3: See X-Sender-Ip: 63.16.10.245
That magic number is his IP address, the one his Internet Service Provider assigned him when he sent that e-mail via the www.excite.com website.
For any questions, reference RFC 821 and RFC 822.
The sample headers are shown first; the portions being discussed are quoted again below the sample headers, each followed by its explanation.
Begin Lesson
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
    for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400
Received: from ifi.foobar.no by o200.fooway.net
    via ESMTP (950413.SGI.8.6.12/951211.SGI) for hacker@techbroker.com id
    OAA18967; Fri, 11 Apr 1997 14:09:58 -0400
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230])
    by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id UAA24351@ifi.foobar.no
    for hacker@techbroker.com ; Fri, 11 Apr 1997 20:09:56 +0200
From: Vegbar Fubar fooha@ifi.foobar.no
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no
    ; Fri, 11 Apr 1997 18:09:53 GMT
Date: Fri, 11 Apr 1997 18:09:53 GMT
Message-Id: 199704111809.13156.gyllir@ifi.foobar.no
To: hacker@techbroker.com
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
    for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400
This line tells us that I downloaded this email from the POP server at a computer named o200.fooway.net. This was done on behalf of my account with the email address techbr@fooway.net. The (950413.SGI.8.6.12/951211.SGI) part identifies the software name and version running that POP server.
Received: from ifi.foobar.no by o200.fooway.net
    via ESMTP (950413.SGI.8.6.12/951211.SGI) for hacker@techbroker.com id
    OAA18967; Fri, 11 Apr 1997 14:09:58 -0400
This line tells us that a computer named ifi.foobar.no passed this email to the POP server on o200.fooway.net for someone with the email address hacker@techbroker.com. This is because I am piping all email to hacker@techbroker.com into the account techbr@fooway.net. "ESMTP" stands for "extended simple mail transfer protocol." The "950413.SGI.8.6.12/951211.SGI" designates the program that is handling my email.
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230])
    by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id UAA24351@ifi.foobar.no
    for hacker@techbroker.com ; Fri, 11 Apr 1997 20:09:56 +0200
This line tells us that the computer ifi.foobar.no got this email message from the computer gyllir.ifi.foobar.no. These two computers appear to be on the same LAN. In fact, note something interesting: the computer name gyllir.ifi.foobar.no has a number after it, 129.xxx.64.230. This is its IP address, the numerical representation of its name.
From: Vegbar Fubar fooha@ifi.foobar.no
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no
    ; Fri, 11 Apr 1997 18:09:53 GMT
This line says the computer gyllir.ifi.foobar.no got this email message from Vegbar Fubar on the computer "localhost." Now "localhost" is what a Unix computer calls itself. So when I see that gyllir.ifi.foobar.no got the email message from "localhost," I assume that means the sender of this email was logged into a shell account on gyllir.ifi.foobar.no, and that this computer runs Unix.
Date: Fri, 11 Apr 1997 18:09:53 GMT
The date this e-mail was sent.
Message-Id: 199704111809.13156.gyllir@ifi.foobar.no
The message ID is the key to tracking down email. Avoiding the creation of a valid message ID is the key to using email for criminal purposes. Computer criminals go to a great deal of effort to find Internet hosts on which to forge email that will leave no trace of their activities through these message IDs. The first part of this ID is the date and time: 199704111809 means 1997, April 11, 18:09 (or 6:09 PM).
Some message IDs also include the time in seconds. Others may leave out the "19" from the year. The 13156 is a number identifying who wrote the email, and gyllir@ifi.foobar.no refers to the computer, gyllir within the domain ifi.foobar.no, on which this record is stored. Where on this computer are the records of the identities of senders of email stored? Unix has many variants, so I'm not going to promise these records will be in a file of the same name on every Unix box, but often they will be in either the syslog files or /usr/spool/mqueue. Some sysadmins will archive the message IDs in case they need to find out who may have been abusing their email system. But the default setting for some systems, for example those using sendmail, is not to archive. Unfortunately, an Internet host that doesn't archive these message IDs is creating a potential haven for email criminals.
This is how you "read" the headers of an e-mail. The advanced section deals with how to trace faked/spoofed e-mail.
E-mail Tracing Advanced
For any questions, reference RFC 821 and RFC 822.
Headers are the e-mail's footprints in the sand, and allow the message to be traced from its origin to its destination. Each computer that the mail passes through attaches identifying information in a Received line, such as where the mail came from, the machine's name, and the date and time the mail passed through it. There can be one Received line or there can be many; the newest one is always placed on top. Since newer headers are placed on top, the earliest 'Received' line (the one at the bottom) will usually show the message origin. Take a look at the sample header below:
Return-Path:
Received: from mail4.sample.net (mail4.sample.net [200.197.247.2]) by morse.concentric.net (8.8.7/(97/09/12 5.12)) id IAA10673; Tue, 4 Nov 1997 08:15:37 -0500 (EST) [1-800-745-2747 The Concentric Network]
Errors-To:
Received: from mai1.test.com (mai1.test.com [200.238.107.3]) by mail4.sample.net (8.8.5/8.8.5) with SMTP id IAA21240 for ; Tue, 4 Nov 1997 08:15:35 -0500 (EST)
Message-Id: <9711048786.AA878649490@mai1.test.com>
X-Mailer: ccMail Link to SMTP R6.00.02
Date: Tue, 04 Nov 97 07:18:09 -0600
From: "Administrator"
To:
Subject: NVAM
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
The earliest Received line (the bottom one) tells us that the mail was sent from (mail.test.com [200.238.107.3]) on Tue, 4 Nov 1997 08:15:35 -0500 (EST). We can check this line against forgeries by doing an NSLOOKUP on the IP address.
(On Microsoft operating systems, use Sam Spade to do the DNS lookup.)
From the UNIX shell you would type: nslookup 200.238.107.3
And get the following response (note: the domains and IP addresses used in this document are false, so you won't really get the following response):
Name: mail.test.com
Address: 200.238.107.3
The name should match what is in the parentheses. If it does not, then that header was forged.
The IP address (200.238.107.3) is very difficult to forge, and will point back to the originating domain, which is where the e-mail actually came from!
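As an added example (not code from the original lesson), here are the checks described in the lesson and in this advanced section carried out in Python: parse the Received: chain newest-first, confirm that the host each hop says it received "from" is the host that wrote the line below it, confirm the timestamps do not run backwards, compare the bracketed IP's reverse-DNS name with the claimed hostname the way the nslookup step does, and decode the date stamp at the front of the sendmail-style Message-Id. The sample header is the lesson's own, reproduced with the masked octet in 129.xxx.64.230 replaced by the documentation address 192.0.2.230 and angle brackets restored; the reverse-DNS table is a constructed stand-in so the script runs offline (in real use it would be socket.gethostbyaddr), and the function names are my own.

```python
"""Walk a message's Received: chain and run the lesson's sanity checks."""
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the lesson's header block, with the masked octet in
# 129.xxx.64.230 replaced by the documentation address 192.0.2.230 and
# angle brackets restored around the addresses.
SAMPLE = (
    "Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)\n"
    "\tfor techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400\n"
    "Received: from ifi.foobar.no by o200.fooway.net\n"
    "\tvia ESMTP (950413.SGI.8.6.12/951211.SGI) for hacker@techbroker.com id\n"
    "\tOAA18967; Fri, 11 Apr 1997 14:09:58 -0400\n"
    "Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [192.0.2.230])\n"
    "\tby ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id UAA24351@ifi.foobar.no\n"
    "\tfor hacker@techbroker.com ; Fri, 11 Apr 1997 20:09:56 +0200\n"
    "From: Vegbar Fubar <fooha@ifi.foobar.no>\n"
    "Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no\n"
    "\t; Fri, 11 Apr 1997 18:09:53 GMT\n"
    "Date: Fri, 11 Apr 1997 18:09:53 GMT\n"
    "Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>\n"
    "To: hacker@techbroker.com\n"
    "\n"
    "body\n"
)

# Constructed stand-in for nslookup / reverse DNS so the example runs offline.
# A real implementation would call socket.gethostbyaddr(ip)[0].
FAKE_PTR = {"192.0.2.230": "gyllir.ifi.foobar.no"}


def parse_received(value):
    """Pull the from/by/ip/id/timestamp fields out of one Received: value."""
    v = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
    m_from = re.search(r"\bfrom (\S+)", v)
    m_by = re.search(r"\bby (\S+)", v)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", v)
    m_id = re.search(r"\bid ([^\s;]+)", v)
    # RFC 822 puts the date after the last ';' of the clause list.
    when = parsedate_to_datetime(v.rsplit(";", 1)[1].strip()) if ";" in v else None
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "id": m_id.group(1) if m_id else None,
        "time": when,
    }


def received_chain(raw):
    """Received: lines newest-first, the order they appear in the header."""
    return [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]


def audit_chain(hops, resolve=FAKE_PTR.get):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for newer, older in zip(hops, hops[1:]):
        # The host a hop received 'from' should be the host that wrote the
        # next-older line ('by'); a gap suggests an inserted or forged line.
        if newer["from"] and older["by"] and newer["from"].lower() != older["by"].lower():
            findings.append(f"hop break: {newer['from']} != {older['by']}")
        # A hop should be stamped no earlier than the hop below it.
        if newer["time"] and older["time"] and newer["time"] < older["time"]:
            findings.append(f"time goes backwards at {newer['by']}")
    for hop in hops:
        # The nslookup check: the PTR name should agree with the claimed name.
        if hop["ip"] and hop["from"]:
            ptr = resolve(hop["ip"])
            if ptr is None or ptr.lower() != hop["from"].lower():
                findings.append(f"rDNS mismatch: {hop['ip']} -> {ptr}, header says {hop['from']}")
    return findings


def message_id_time(msgid):
    """Decode the YYYYMMDDHHMM prefix of a sendmail-style Message-Id."""
    m = re.match(r"<?(\d{12})\.", msgid.strip())
    return datetime.strptime(m.group(1), "%Y%m%d%H%M") if m else None


if __name__ == "__main__":
    hops = received_chain(SAMPLE)
    for h in hops:
        print(f"{h['from']!s:24} -> {h['by']!s:22} {h['ip'] or '':14} {h['time']}")
    print("findings:", audit_chain(hops) or "none")
    print("Message-Id stamped:", message_id_time("<199704111809.13156.gyllir@ifi.foobar.no>"))
```

Run as-is it prints the four hops from o200.fooway.net down to localhost, no findings, and a Message-Id stamp of 1997-04-11 18:09. Passing a resolver that returns a different name for 192.0.2.230 (or None) produces the "rDNS mismatch" finding, which is the forged-header case the nslookup step above is meant to catch.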