How to Identify the REAL Source of an unsolicited E-mail
Who Sent It???:
The good news is that even if the e-mail address is forged, there are ways to identify the sender. Unless your Internet Service Provider's (ISP) mail server is badly misconfigured, it records the IP address of the host that connected to it to deliver the e-mail. There are tools you can use to find out who is responsible for that IP address, and that organization can usually identify which account was using the address at the time the e-mail was sent.
The first thing you need to do is open the "full message headers" for the e-mail you received. A tutorial on opening full message headers is beyond the scope of this document, but there is an excellent howto here.
If you can't find instructions on obtaining the headers in your e-mail software at that location, then you should probably consider getting a new e-mail program :) (I highly recommend Mozilla or Thunderbird for its advanced features, but that's just one geek's opinion).
When you open the headers, you will probably see something that looks similar to this:
Return-path: <ima.spammer@SpamDomain.com>
Received: from mailfarm01.MyISP.net (mailfarm01.MyISP.net [10.180.0.241])
by ims01.prv.MyISP.net
(iPlanet Messaging Server 5.1 HotFix 1 (built Jul 28 2002))
with ESMTP id <0HNM007IN8ER9X@ims01.prv.MyISP.net> for
goodguy@MyISP.net; Fri, 31 Oct 2003 11:44:51 -0900 (AKST)
Received: from SpamDomain.com (mx11.SpamDomain.com [1.2.3.4])
by mailfarm01.MyISP.net (8.12.10/8.12.10) with SMTP id h9V9iibs056183 for
<goodguy@MyISP.net>; Fri, 31 Oct 2003 11:44:48 -0900
Date: Fri, 31 Oct 2003 00:56:57 -0800
From: Sleazy Spammer <ima.spammer@SpamDomain.com>
Subject: Free!!! Spam to mailbox daily!
To: goodguy@MyISP.net
Reply-to: ima.spammer@SpamDomain.com
Message-id: <200310310944.h9V9iibs056183@mailfarm01.MyISP.net>
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 5.00.8223.2333
Content-type: Text/HTML
So what does the information in a "Received" line mean? Let's look at one in detail:
Received: from SpamDomain.com (mx11.SpamDomain.com [1.2.3.4])
by mailfarm01.MyISP.net (8.12.10/8.12.10) with SMTP id h9V9iibs056183 for
<goodguy@MyISP.net>; Fri, 31 Oct 2003 11:44:48 -0900
First, the line starts with "Received" to tell you that the following information is connection information. After "Received: from", the mail server writes the name the sending mail server used to announce itself (its HELO/EHLO greeting). That name is whatever the sending mail server program or its operator chose to send, so it can't be trusted: it is entirely under the control of whoever operates that server. However, the information inside the parentheses is how your ISP's mail server itself identified the sending server. The name in the parentheses is the result of the reverse DNS lookup your server did on the connecting address, and the address inside the square brackets ([1.2.3.4] in this case) is the IP address your server saw the connection come from. That address is the most reliable piece of information in the headers. If you don't know what an IP address is, you can think of it as being something like a phone number for every computer on the Internet. In general, it uniquely identifies each host on a network. There are a few exceptions (dynamically assigned addresses and private IP addresses), but the sender's ISP should always be able to identify the host from the address together with the date on the "Received" line, even when it uses dynamic IP addresses. If the address is a private IP address and the line is not a hop between servers inside your own ISP (see the tips below), the record is probably forged. The rest of the information, other than the date at the end of the record, can be ignored for now, as it is only useful to your ISP.
As we've already said, you can't trust the "Return-path", the "From" address or the "Reply-to" address. The "Received" lines are much harder to forge, and even when forged "Received" lines are present, some of the "Received" lines will always be legitimate. Every mail server that handles the message adds its own "Received" line at the top, above the ones already there, so the lines read from newest (top) to oldest (bottom). Forged "Received" lines, if any, will therefore be at the bottom: the sender can only write them into the message before handing it off, while your ISP's mail server always adds its own "Received" lines at the top. So, work your way down the "Received" lines until you find the one where your ISP's mail server received the message from a host outside your ISP; everything below that line was written by someone you can't trust.
This sounds much harder and more confusing than it really is. In the example above, the top "Received" line shows that a server called ims01.prv.MyISP.net received the e-mail from another server called mailfarm01.MyISP.net, at the IP address 10.180.0.241 (a private address, so this is a transfer inside the ISP's own network). Unfortunately, unless you work at your ISP (like I do), it's not always easy to tell if the connection was from outside your ISP's network or between servers on your ISP's network.
However, here are some tips that might indicate a transfer on your ISP's mail farm, or that the "Received" line you are looking at is not the one where the message entered your ISP:
- Both servers share a domain name, like MyISP.net, or perhaps .prv.MyISP.net
- Both servers are using private IP addresses
- You recognize the host names from looking at headers on legitimate e-mails.
- There are dial, cable or DSL host names above the "Received" line you are looking at:
  - Received: from 3.2.1.dial-host.someISP.net
  - Received: from cable192.bigISP.com
  - Received: from 36-24-36-adsl.example.org
- There is an IP address (or a host name that suggests an IP address) that does not match the reported host name (note: this could be an indication that the sending mail server was spoofing a host name rather than that the entire "Received" line is forged):
  - Received: from mx01.forgedISP.net (mx11.spam.com [4.8.3.17]) by mailserver.goodguy.com
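As an added worked example (not part of the original tutorial), here is a Python script that applies the procedure described above: it unfolds the headers, parses each "Received" line into the HELO name, the reverse DNS name, the bracketed IP address and the receiving server, walks the lines top-down, and stops at the first hop where a server in your ISP's domain received the message from a public address outside that domain. It also applies the tips from the list: shared domain names, private IP addresses, dial/cable/DSL-style host names, and a HELO name that does not match the reverse DNS name. The sample header block is the one from this page, re-folded the way a mail client shows it, plus one made-up bottom "Received" line that stands in for a hop forged by the sender; that extra line, the "MyISP.net" domain argument and the flag names are assumptions for illustration only.

```python
import ipaddress
import re

# Constructed sample input: the header block from this tutorial, re-folded as a
# mail client displays it, plus one extra bottom "Received" line (made up here)
# standing in for a forged hop the sender wrote into the message. Not real mail.
SAMPLE_HEADERS = """\
Return-path: <ima.spammer@SpamDomain.com>
Received: from mailfarm01.MyISP.net (mailfarm01.MyISP.net [10.180.0.241])
 by ims01.prv.MyISP.net
 (iPlanet Messaging Server 5.1 HotFix 1 (built Jul 28 2002))
 with ESMTP id <0HNM007IN8ER9X@ims01.prv.MyISP.net> for
 goodguy@MyISP.net; Fri, 31 Oct 2003 11:44:51 -0900 (AKST)
Received: from SpamDomain.com (mx11.SpamDomain.com [1.2.3.4])
 by mailfarm01.MyISP.net (8.12.10/8.12.10) with SMTP id h9V9iibs056183 for
 <goodguy@MyISP.net>; Fri, 31 Oct 2003 11:44:48 -0900
Received: from mx01.forgedISP.net (unknown [192.168.5.9])
 by SpamDomain.com with SMTP id fake001; Fri, 31 Oct 2003 00:50:00 -0800
Date: Fri, 31 Oct 2003 00:56:57 -0800
From: Sleazy Spammer <ima.spammer@SpamDomain.com>
To: goodguy@MyISP.net
"""

# "Received: from <HELO name> (<reverse DNS name> [<IP>]) by <receiving host> ..."
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# Host-name fragments typical of dial-up, cable and DSL customer addresses (assumed list).
ACCESS_HOST_RE = re.compile(r"dial|cable|dsl|ppp|dyn|pool", re.IGNORECASE)


def unfold_headers(raw):
    """Join folded continuation lines (those starting with whitespace) onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def domain_of(host):
    """Last two labels of a host name, lower-cased: mx11.SpamDomain.com -> spamdomain.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_private(ip_text):
    """True for private/loopback/link-local addresses, False for public, None if not an address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return ip.is_private or ip.is_loopback or ip.is_link_local


def parse_received(line):
    """Split one unfolded Received line into its parts; None if it is not one we can read."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    hop = m.groupdict()
    hop["date"] = line.rsplit(";", 1)[1].strip() if ";" in line else ""
    return hop


def analyze(raw, my_domain):
    """Walk the Received lines top-down and find the first hop from outside my_domain."""
    my_domain = my_domain.lower()
    hops = [h for h in (parse_received(l) for l in unfold_headers(raw)) if h]
    origin = None
    for hop in hops:
        flags = []
        ip_private = is_private(hop["ip"]) if hop["ip"] else None
        from_domain = domain_of(hop["rdns"] or hop["helo"])
        if hop["ip"] is None:
            flags.append("no-ip")
        elif ip_private:
            flags.append("private-ip")
        if not hop["rdns"] or hop["rdns"].lower() == "unknown":
            flags.append("no-reverse-dns")
        elif domain_of(hop["helo"]) != domain_of(hop["rdns"]):
            flags.append("helo-mismatch")  # announced name and reverse DNS disagree
        if ACCESS_HOST_RE.search(hop["helo"]) or (hop["rdns"] and ACCESS_HOST_RE.search(hop["rdns"])):
            flags.append("access-host")
        by_is_mine = domain_of(hop["by"]) == my_domain
        if origin is not None:
            hop["verdict"] = "below origin: not written by your ISP, cannot be trusted"
        elif by_is_mine and (ip_private or from_domain == my_domain):
            hop["verdict"] = "internal hop inside your ISP"
        elif by_is_mine and ip_private is False:
            hop["verdict"] = "origin: first connection from outside your ISP"
            origin = hop
        else:
            hop["verdict"] = "unrecognized"
        hop["flags"] = flags
    return {"hops": hops, "origin": origin}


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS, "MyISP.net")
    for i, hop in enumerate(result["hops"]):
        print(f"{i}: from {hop['helo']} [{hop['ip']}] by {hop['by']} -> {hop['verdict']} {hop['flags']}")
    print("Report this IP to its owner:", result["origin"]["ip"], "at", result["origin"]["date"])
```

Run it and it lists the three hops: the top one is an internal transfer (private 10.x address, both hosts in MyISP.net), the second is the origin at 1.2.3.4 with its timestamp, and the made-up bottom line is flagged as below the origin with a private address and no reverse DNS, exactly the forged-line pattern the tutorial warns about. The flags are hints, not proof, in the same spirit as the tips above; the one value you can act on is the IP and date of the origin hop.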
Next: What do I do next?