Tuesday, March 29, 2011

Backtracking Emails

Most of us believe that the email message sent to them is determined by "FROM" header,but it cannot be denied that most of the times it's forged(Learn How).
The question then arises how to determine where the email came from? You have to understand how email messages are put together in order to backtrack an email message. SMTP is a text based protocol for transferring messages across the internet. A series of headers are placed in front of the data portion of the message. By examining the headers you can usually backtrack a message to the source network, sometimes the source host.
If you are using Outlook or Outlook Express you can view the headers by right clicking on the message and selecting properties or options.If you are using Gmail you need to click on "show original"(click on down arrow next to reply while reading a mail).For Yahoo:In the full message view,"View Full Header" option is placed under the "Actions" tab.
Now Let's Start actual work.Let's Take an example

Delivered-To: example@gmail.com
Received: by with SMTP id q49cs56051wed;
        Tue, 29 Mar 2011 02:16:36 -0700 (PDT)
Received: by with SMTP id p30mr4726146wfa.112.1301390194796;
        Tue, 29 Mar 2011 02:16:34 -0700 (PDT)
Received: from mail3.example.com (mail3.example.com [])
        by mx.google.com with ESMTP id n9si2646987wfa.133.2011.;
        Tue, 29 Mar 2011 02:16:34 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of forum@example.com 
designates as permitted sender) client-ip=;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for 
domain of forum@example.com designates as 
permitted sender) smtp.mail=forum@example.com
Received: from smtp.cc.example.com (smtp.cc.example.com [])
        by mail3.example.com (Postfix) with ESMTP id 7F6B510000B5
        for ; Tue, 29 Mar 2011 14:46:32 +0530 (IST)
Received: from (unknown [])
        by smtp.cc.example.com (Postfix) with ESMTPA id 2710D100008E
        for ; Tue, 29 Mar 2011 14:46:32 +0530 (IST)
Date: Tue, 29 Mar 2011 14:46:12 +0530
To: example@gmail.com
From: FORUM 
Subject: Account Details
Message-ID: <2c941018bd2797b0ef9cefde6a865691@>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1"
X-Antivirus: avast! (VPS 110328-1, 28-03-2011), Outbound message
X-Antivirus-Status: Clean

Typically  any email service will label that it came from " FORUM " with email id " forum@example " as seen in the "From" header.

The header most likely to be useful in determining the actual source of an email message is the "Received" header. According to the top-most  “ Received :from” header in this message was received from the host mail3.example.comwith the ip address of “ by my server “mx.google.com”.  An important item to consider is at what point in the chain does the email system become untrusted? I consider anything beyond my own email server(here mx.google.com) to be an unreliable source of information. Because this header was generated by my email server it is reasonable for me to accept it at face value.

The next Received header (which is chronologically the first) shows the remote email server accepting the message from the host “unknownwith the ip “”.So this mail was sent by the owner of this ip address. There are a lot of free online ip address trackers available. By checking out the ip address in detail we can easily determine its owner and hence the sender of this email.