Backtracking Emails

Most of us believe that the email message sent to them is determined by "FROM" header,but it cannot be denied that most of the times it's forged(Learn How).

The question then arises how to determine where the email came from? You have to understand how email messages are put together in order to backtrack an email message. SMTP is a text based protocol for transferring messages across the internet. A series of headers are placed in front of the data portion of the message. By examining the headers you can usually backtrack a message to the source network, sometimes the source host.

If you are using Outlook or Outlook Express you can view the headers by right clicking on the message and selecting properties or options.If you are using Gmail you need to click on "show original"(click on down arrow next to reply while reading a mail).For Yahoo:In the full message view,"View Full Header" option is placed under the "Actions" tab.

Now Let's Start actual work.Let's Take an example

Delivered-To: example@gmail.com

Received: by 10.216.71.71 with SMTP id q49cs56051wed;

        Tue, 29 Mar 2011 02:16:36 -0700 (PDT)

Received: by 10.142.67.30 with SMTP id p30mr4726146wfa.112.1301390194796;

        Tue, 29 Mar 2011 02:16:34 -0700 (PDT)

Return-Path: 

Received: from mail3.example.com (mail3.example.com [202.3.77.190])

        by mx.google.com with ESMTP id n9si2646987wfa.133.2011.03.29.02.16.34;

        Tue, 29 Mar 2011 02:16:34 -0700 (PDT)

Received-SPF: pass (google.com: best guess record for domain of forum@example.com 

designates 202.3.77.190 as permitted sender) client-ip=202.3.77.190;

Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for 

domain of forum@example.com designates 202.3.77.190 as 

permitted sender) smtp.mail=forum@example.com

Received: from smtp.cc.example.com (smtp.cc.example.com [172.31.1.22])

        by mail3.example.com (Postfix) with ESMTP id 7F6B510000B5

        for ; Tue, 29 Mar 2011 14:46:32 +0530 (IST)

Received: from 172.24.33.93 (unknown [172.24.33.93])

        by smtp.cc.example.com (Postfix) with ESMTPA id 2710D100008E

        for ; Tue, 29 Mar 2011 14:46:32 +0530 (IST)

Date: Tue, 29 Mar 2011 14:46:12 +0530

To: example@gmail.com

From: FORUM 

Subject: Account Details

Message-ID: <2c941018bd2797b0ef9cefde6a865691@172.24.33.93>

X-Priority: 3

X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)

MIME-Version: 1.0

Content-Transfer-Encoding: 8bit

Content-Type: text/plain; charset="iso-8859-1"

X-Antivirus: avast! (VPS 110328-1, 28-03-2011), Outbound message

X-Antivirus-Status: Clean

Typically  any email service will label that it came from " FORUM " with email id " forum@example " as seen in the "From" header.

The header most likely to be useful in determining the actual source of an email message is the "Received" header. According to the top-most  “ Received :from” header in this message was received from the host “mail3.example.com” with the ip address of “202.3.77.190” by my server “mx.google.com”.  An important item to consider is at what point in the chain does the email system become untrusted? I consider anything beyond my own email server(here mx.google.com) to be an unreliable source of information. Because this header was generated by my email server it is reasonable for me to accept it at face value.

The next Received header (which is chronologically the first) shows the remote email server accepting the message from the host “unknown” with the ip “172.24.33.93”.So this mail was sent by the owner of this ip address. There are a lot of free online ip address trackers available. By checking out the ip address in detail we can easily determine its owner and hence the sender of this email.