Tracking eMail

Apart from the "traceroute", "IP" and "dig" tools in Sam Spade and other applications, Network Solutions can give you definitive information on .com / .net / .org domains, and you'll usually find that http://www.nic.xx, where xx is the country code, gives some useful information. For example, the UK one is http://www.nic.uk/

It's worth reading the 'spam finding' help in Sam Spade as well. I've also put up some brief information on the bits available to you to use in Sam Spade.

OK, let's have a quick look at a piece of spam as an example of how to go about finding the owner.

Return-Path: <david-west@wanadoo.fr> 

Could be true, but let's not bank on it as this can be forged.

Received: from tele-punt-22.mail.demon.net 
([194.217.242.7]) by pedt.demon.co.uk 
with SMTP id <0pypQfAa9194AwNh@pedt.demon.co.uk> 
for <eMail address deleted> ; Fri, 14 Apr 2000 
19:11:38 +0100

OK, I got it from my mail server. Fine. Note that, if you traceroute to the IP address, it is correct and should be.

Received: from vicar.netnames.net ([209.207.204.249]) 
by punt-2.mail.demon.net id aa2123640; 
14 Apr 2000 18:05 GMT

We now start matching IP addresses against server names. vicar.netnames.net [who do my current eMail redirection] should match. A traceroute to that machine name goes to 209.207.204.249, so far so good. A traceroute to the IP address gives no reverse DNS, but tracing the machine name resolves to it. This first hop, from when your ISP got the eMail for you, should almost always be OK.

Received: from 
tamaris.wanadoo.fr (smtp-rt-12.wanadoo.fr [193.252.19.60] 
(may be forged)) by vicar.netnames.net (8.9.1/8.9.1) 
Fri, 14 Apr 2000 19:06:14 +0100 (BST)

Now the 'may be forged' bit means that the server is not reporting all the information correctly. It could be a forgery or a clueless ISP. A traceroute to 193.252.19.60 goes to the smtp-rt-12.wanadoo.fr machine, so OK so far. The note appears because the machine is identifying itself erroneously to the outside world as tamaris.wanadoo.fr, and the relay the eMail passed through has checked the IP address to see whether it matches the name the machine presented itself with.

Received: from andira.wanadoo.fr (193.252.19.152) 
by tamaris.wanadoo.fr; 14 Apr 2000 20:05:55 +0200

Now then, 193.252.19.152 is actually, when tracerouted, a machine called smtp-abo-3.wanadoo.fr, and it's starting to look a little dubious as outgoing SMTP eMail doesn't often go through two outgoing eMail servers. Checking the IP block owner, though, shows that the IP address is owned by wanadoo.fr, so we can assume, for the moment, either that they have an odd mail setup or that this is the first false pre-inserted header.

Received: from pyqn.nnggw.gwfy.com 
(193.250.246.247) by andira.wanadoo.fr; 
14 Apr 2000 20:05:55 +0200 

Right, the address pyqn.nnggw.gwfy.com doesn't exist. A check on the IP block shows it belongs to wanadoo.fr and the machine is actually Mix-Lille-106-2-247.abo.wanadoo.fr. Taking a quick look for gwfy.com brings up an owner in Croatia, but with a web site on a US server that is basically a pile of clickthroughs to get money. So we are still with wanadoo.fr, as that address is very likely a dialup.

Received: from mail.ihsjm.net (host.hdbix.net 
[865.874.994.859]) by pcok.msfffark_er.nu

That IP address cannot exist, as the numbers in a dotted quad address only go up to 255, so this is definitely a fake line, prewritten before the eMail was sent. The domains don't exist either.

<snip a pile of other fake lines with similarly absurd IP addresses and even more absurd machine names, including the rather delightful machine called qwertyuiop.asdfghjkl.com> - look at your keyboard to see what I mean.
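As an added illustration (my own Python script, not part of the original page), here is the Received: chain from the message above fed through a small checker that applies the tests walked through so far: every number in the quoted address must be 0-255, a '(may be forged)' note is flagged, the relay named in one line should be the sending host named in the next-newer line, and timestamps should not run backwards by more than a few minutes of clock skew. The header lines are the ones quoted above (folded lines joined, the recipient address left deleted); the five-minute skew allowance, the finding labels and the function names are my own choices.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Received: lines from the spam above, most recent hop first, as they appear
# in the message. Folded lines are joined; the recipient stays deleted.
RECEIVED = [
    "from tele-punt-22.mail.demon.net ([194.217.242.7]) by pedt.demon.co.uk "
    "with SMTP id <0pypQfAa9194AwNh@pedt.demon.co.uk> for <eMail address deleted> ; "
    "Fri, 14 Apr 2000 19:11:38 +0100",
    "from vicar.netnames.net ([209.207.204.249]) by punt-2.mail.demon.net "
    "id aa2123640; 14 Apr 2000 18:05 GMT",
    "from tamaris.wanadoo.fr (smtp-rt-12.wanadoo.fr [193.252.19.60] (may be forged)) "
    "by vicar.netnames.net (8.9.1/8.9.1) Fri, 14 Apr 2000 19:06:14 +0100 (BST)",
    "from andira.wanadoo.fr (193.252.19.152) by tamaris.wanadoo.fr; "
    "14 Apr 2000 20:05:55 +0200",
    "from pyqn.nnggw.gwfy.com (193.250.246.247) by andira.wanadoo.fr; "
    "14 Apr 2000 20:05:55 +0200",
    "from mail.ihsjm.net (host.hdbix.net [865.874.994.859]) by pcok.msfffark_er.nu",
]

# First dotted quad on the line; deliberately accepts numbers above 255 so
# that impossible addresses are caught by valid_ipv4() rather than ignored.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
DATE_RE = re.compile(
    r"(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s*)?"
    r"\d{1,2}\s+[A-Z][a-z]{2}\s+\d{4}\s+\d{1,2}:\d{2}(?::\d{2})?"
    r"(?:\s+(?:[+-]\d{4}|[A-Z]{2,3}))?"
)


def parse_hop(line):
    """Pull sending host, its address, receiving relay and timestamp
    out of one Received: header."""
    m_from = re.match(r"from\s+(\S+)", line)
    m_by = re.search(r"\bby\s+(\S+)", line)
    m_ip = IP_RE.search(line)
    m_date = DATE_RE.search(line)
    when = None
    if m_date:
        try:
            when = parsedate_to_datetime(m_date.group(0))
        except (TypeError, ValueError):
            when = None
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1).rstrip(";") if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "forged_flag": "may be forged" in line,
        "when": when,
    }


def valid_ipv4(ip):
    """True only if every one of the four numbers is 0..255."""
    return ip is not None and all(0 <= int(o) <= 255 for o in ip.split("."))


def analyse(received, skew=timedelta(minutes=5)):
    """Walk the chain newest-first and attach findings to each hop.
    'hard' findings mean the line cannot be genuine; 'soft' ones mean
    check it with traceroute / the IP block owner before trusting it."""
    hops = [parse_hop(line) for line in received]
    for i, hop in enumerate(hops):
        hard, soft = [], []
        if not valid_ipv4(hop["ip"]):
            hard.append("impossible or missing IP address")
        if hop["forged_flag"]:
            soft.append("relay says the presented name does not match the address")
        if hop["when"] is None:
            soft.append("no timestamp")
        if i > 0:
            newer = hops[i - 1]
            # The relay that received here must be the host that handed the
            # mail on in the next-newer line.
            if hop["by"] != newer["from"]:
                soft.append("relay %s does not match next hop's sender %s"
                            % (hop["by"], newer["from"]))
            # An older hop must not be stamped later than the hop that
            # received from it, beyond ordinary clock skew.
            if hop["when"] and newer["when"] and hop["when"] - newer["when"] > skew:
                soft.append("timestamp later than the hop that received from it")
        hop["hard"], hop["soft"] = hard, soft
    return hops


def injection_point(hops):
    """(ip, relay) of the last line before the first impossible one: the
    address that actually handed the mail into the genuine chain."""
    for i, hop in enumerate(hops):
        if hop["hard"]:
            if i == 0:
                return None
            return hops[i - 1]["ip"], hops[i - 1]["by"]
    return hops[-1]["ip"], hops[-1]["by"]


if __name__ == "__main__":
    hops = analyse(RECEIVED)
    for n, h in enumerate(hops):
        print(n, h["from"], h["ip"], "->", h["by"], h["hard"] or h["soft"] or "ok")
    print("injected from", injection_point(hops))
```

Run as it stands, it reports the demon.net hop as a soft name mismatch (tele-punt-22 against punt-2), which is exactly the sort of thing the traceroute check described above resolves, flags the wanadoo.fr 'may be forged' line as something to verify rather than reject, and stops at the 865.874.994.859 line, putting the injection point at 193.250.246.247 handing the message to andira.wanadoo.fr.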

Message-Id: <200004141954.KFO5256@pyqn.nnggw.gwfy.com>

This can easily be faked, and would a Croatian be dialling internationally to send a pile of spam? Very unlikely. A determined attempt to get someone else to take the blame, IMO.

Date: ven., 14 avr 2000 19:54:02 +0100 
X-UIDL: 870483510,914

Definitely possible to forge, but likely added at the time of injection as the times match the routing the eMail took.

From: "David" <bjifjc@tibl.ltuxj.xjvj.com>

Too easy to forge, and generally it will be from a free account or not exist at all - like this one doesn't, as xjvj.com does not exist.

Your are recieving this e-mail because you entered one 
of my webstites

No, I didn't; I've just shown you must be spamming.

To unsubscribe reply to this e-mail and you will be 
taken off of my mailing list

No way! All this will do is prove to you that my eMail address is live and I actually read the damned things.

Conclusion

All the IP addresses before the fake stuff point to wanadoo.fr, and I would suspect, in this case, that the spammer has used his own eMail address in the Return-Path: header. The address to complain to is abuse@wanadoo.fr in this case.

Some Notes

Always double-check the information you are getting from the headers to make sure you are eMailing the correct ISP. If in doubt, then ditch it.

Note that eMails that come via services such as hotmail or deja will have a header to tell you which client they were posting for - mine would come out as "posted for client (194.222.191.220)", which is easily checked as pedt.demon.co.uk

If you are lucky, you will find an X-Complaints-To: header but, as this can be forged if the ISP doesn't automatically add it, treat it with suspicion until you've looked at the headers.

Look at the date and time information provided by each part of the eMail relay, as usually this disappears when the fake headers start appearing.

If the trail shows cyberpromo.com as the host then just ditch it, as it is a well known spamhaus and a complaint could just put you on a list!

© Site copyright Pedt Scragg, 2000 - 2002 except as specified.