Trace the sender of an email using IP Address

Hi Readers, I will show you how to trace an email sender from the email header. Every email comes with information attached to it about its history. This information is called the header. A header will look somewhat similar to the below:

MIME-Version: 1.0
Received: from rwcrmhc11.comcast.net ([204.127.198.35]) by mc7-f12.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 25 Nov 2003 19:56:18 -0800
Received: from pavilion (pcp03530790pcs.mnhwkn01.nj.comcast.net[68.37.24.150]) by comcast.net (rwcrmhc11) with SMTP id <20031126034457013001nk6pe>; Wed, 26 Nov 2003 03:44:57 +0000
X-Message-Info: JGTYoYF78jGkTvdOiviUvHyY85nt7iLD
Message-ID: <000801c3b3cf$a92237a0$96182544@mnhwkn01.nj.comcast.net>
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Disposition-Notification-To: "Leona"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Return-Path: leona6256@comcast.net
X-OriginalArrivalTime: 26 Nov 2003 03:56:18.0897 (UTC) FILETIME=[3F5AFC10:01C3B3D1]



First, let me tell you how to view the full header of an email.

Gmail
1. Login to Gmail.
2. Open the message you'd like to view headers for.
3. Click the down arrow next to Reply, at the top-right of the message pane.
4. Select Show original. The full headers will appear in a new window.

Hotmail

1. Log in to your Hotmail account.
2. Click Options next to the tabs.
3. Select Mail from the left-side menu.
4. Click Mail Display Settings.
5. Under Message Headers, select Advanced.
6. Click OK.
The full headers for all of your messages will now be available. Return to your inbox, and open the message you'd like to view headers for.

Yahoo! Mail
1. Log in to your Yahoo! Mail account.
2. Open the message you'd like to view headers for.
3. Click Full Headers at the top of your message. The full headers will appear above the message text.

Now, I will explain what each field in the header means:

Message-ID:
It is used to identify the system from which the message originated (i.e. the system the sender logged in from). However, this is too easy to forge, and is consequently not reliable.


X- headers are user-defined headers. They are inserted by email client programs or applications that use email. Here, from the X- headers inserted into the email by the email client, it is clear that the sender used Microsoft Outlook Express 6.00.2800.1106 to send this email.

X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106

MIME-Version:
MIME stands for Multipurpose Internet Mail Extension. It tells the recipient what types of attachments are included in the email. It is a format that allows people to send attachments that do not contain standard English words, but rather graphics, sounds, and e-mails written with other characters. The MIME-Version field merely confirms that the version of MIME used corresponds to the standard version (which is currently 1.0).

From:
From is useless in tracing an e-mail. It consists of the sender's email address, but this can obviously be a fake. One can use any fake-mailer to fake the sender's name.

Content-Type:
This line tells the receiving e-mail client exactly what MIME type or types are included in the e-mail message. A Content-Type of text/plain; charset="us-ascii" just tells us that the message contains a regular text message that uses English characters. ASCII is the American Standard Code for Information Interchange and is the system used to convert numbers to English characters.

Return-Path:
It is the address to which your return e-mail will be sent. Different e-mail programs use other variations of Return-Path:, such as Return-Errors-To: or Reply-To:.

Received:

This field is the key to finding out the source of any e-mail. Like a regular letter, e-mails get postmarked with information that tells where they have been. However, unlike a regular letter, an e-mail might get "postmarked" any number of times as it makes its way from its source through a number of mail transfer agents (MTAs). The MTAs are responsible for properly routing messages to their destination.

The header is split up, and the two Received headers are given below.

Received Header 1: 204.127.198.35 - Tue, 25 Nov 2003 19:56:18 -0800
from rwcrmhc11.comcast.net ([204.127.198.35])
by mc7-f12.hotmail.com
with Microsoft SMTPSVC(5.0.2195.6713)


Received Header 2: 68.37.24.150 - Wed, 26 Nov 2003 03:44:57 +0000
from pavilion (pcp03530790pcs.mnhwkn01.nj.comcast.net[68.37.24.150])
by comcast.net (rwcrmhc11)
with SMTP
id <20031126034457013001nk6pe>



Note down the IP address in the last Received header; in this case it is 68.37.24.150. This is the IP address from which the email originated.
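The walk through the Received chain described above can be done with a few lines of Python. The script below is an added example (not part of the original post) that feeds the sample header from the top of this article into the standard library's email parser, splits every Received line into its from/by/with/id/date clauses, and reports two things: the origin IP that the bottom-most Received header claims, and the IP that a server under your own domain actually saw connecting to it. The second value matters because only the Received lines written by servers you control are trustworthy; anything below them arrived inside the message and could have been typed in by the sender. The `my_domain="hotmail.com"` default and the regex for the Received clauses are assumptions made for this example.

```python
import re
from email.parser import Parser

# Header block copied from the post above. A blank line ends the header
# section, exactly as it does in a real message file.
RAW_HEADERS = """\
MIME-Version: 1.0
Received: from rwcrmhc11.comcast.net ([204.127.198.35]) by mc7-f12.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 25 Nov 2003 19:56:18 -0800
Received: from pavilion (pcp03530790pcs.mnhwkn01.nj.comcast.net[68.37.24.150]) by comcast.net (rwcrmhc11) with SMTP id <20031126034457013001nk6pe>; Wed, 26 Nov 2003 03:44:57 +0000
X-Message-Info: JGTYoYF78jGkTvdOiviUvHyY85nt7iLD
Message-ID: <000801c3b3cf$a92237a0$96182544@mnhwkn01.nj.comcast.net>
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Disposition-Notification-To: "Leona"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Return-Path: leona6256@comcast.net
X-OriginalArrivalTime: 26 Nov 2003 03:56:18.0897 (UTC) FILETIME=[3F5AFC10:01C3B3D1]

"""

# Clauses of a Received header (RFC 5321 section 4.4); the pattern is an
# assumption that covers the common MTA layouts, not an exhaustive grammar:
#   [from <host>] by <host> [(<comment>)] [with <proto>] [id <id>] [for <rcpt>]; <date>
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<from>.+?)\s+)?by\s+(?P<by>\S+)"
    r"(?:\s+\((?P<by_comment>[^)]*)\))?"
    r"(?:\s+with\s+(?P<with>.+?))?"
    r"(?:\s+id\s+(?P<id>\S+))?"
    r"(?:\s+for\s+(?P<for>\S+))?"
    r"\s*;\s*(?P<date>.+)$"
)
BRACKETED_IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_ip(clause):
    """Prefer the address the receiving MTA recorded in [brackets] over any
    address that merely appears in the name the sending host announced."""
    if not clause:
        return None
    m = BRACKETED_IPV4_RE.search(clause)
    if m:
        return m.group(1)
    m = IPV4_RE.search(clause)
    return m.group(0) if m else None


def parse_received(value):
    """Unfold one Received header and split it into its clauses."""
    text = " ".join(value.split())  # folded continuation lines become one line
    hop = {"raw": text, "from": None, "by": None, "by_comment": None,
           "with": None, "id": None, "for": None, "date": None}
    m = RECEIVED_RE.match(text)
    if m:
        hop.update(m.groupdict())
    hop["ip"] = extract_ip(hop["from"])
    return hop


def trace_email(raw_headers, my_domain="hotmail.com"):
    """Walk the Received chain. Returns the hops in chronological order
    (origin first), the origin IP the chain claims, and the last IP that a
    server under my_domain actually saw connect to it."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    received = msg.get_all("Received") or []          # newest hop is listed first
    newest_first = [parse_received(v) for v in received]
    hops = list(reversed(newest_first))               # origin first

    # Only the Received line written by a server you control is trustworthy:
    # every line below it travelled inside the message and could be forged.
    last_verified_ip = None
    for hop in newest_first:
        by = (hop["by"] or "").lower()
        if by == my_domain or by.endswith("." + my_domain):
            last_verified_ip = hop["ip"]
            break

    return {
        "hops": hops,
        "claimed_origin_ip": hops[0]["ip"] if hops else None,
        "last_verified_ip": last_verified_ip,
        "x_mailer": msg.get("X-Mailer"),
        "message_id": msg.get("Message-ID"),
    }


if __name__ == "__main__":
    result = trace_email(RAW_HEADERS)
    for n, hop in enumerate(result["hops"], 1):
        print(f"hop {n}: {hop['ip']} -> {hop['by']} on {hop['date']}")
    print("claimed origin:", result["claimed_origin_ip"])
    print("last IP our own server saw:", result["last_verified_ip"])
```

For the sample header the claimed origin is 68.37.24.150 (the bottom Received line, written by comcast.net) while the hotmail.com server itself only saw 204.127.198.35, the Comcast relay, connect to it. When the two disagree with what the WHOIS lookup in the next section tells you about the lower hop, treat the lower hop as a claim, not a fact.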

Tracing the owner by the IP Address

Every computer hooked on to the internet is assigned an IP address. Individual users get a dynamic IP address when they log on to an ISP to access the internet. These IP addresses are assigned by the ISP itself. Organizations usually possess a static/public IP address, which is stored in a database of registries.

There are three major registries covering different parts of the world. They are

http://www.arin.net/ => American Registry for Internet Numbers (ARIN) : It assigns IP addresses for the Americas and for sub-Saharan Africa.

http://www.apnic.net/ => Asia Pacific Network Information Centre (APNIC) : It covers Asia

http://www.ripe.net/ => Réseaux IP Européens (RIPE NCC) : It covers Europe

Thus, to find out which organization owns a particular IP address, you can make a "WHOIS" query in the database at any of these registries. You do this by typing the IP address into the "WHOIS" box that appears on each of these websites.

The "Received" header will carry the IP address of the ISP if the user dialed up to the ISP while sending the email. But if the user sent the email from within a corporate network, then the corporate public/static IP address is logged.
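The WHOIS query described above can also be made directly over the WHOIS protocol (RFC 3912: one line sent to TCP port 43, free-form text back) instead of through the web form. The following is an added example, not code from the original post: a small client that asks ARIN first, follows an ARIN "ReferralServer:" line to APNIC or RIPE when the block belongs to another registry, pulls the owner, range and country out of the reply, and checks that the returned range really contains the address you asked about. The server hostnames are the standard WHOIS hosts of the three registries named above (the post only gives their web sites), the field names are the ones ARIN (CamelCase) and the RPSL-style registries (lowercase) use, and the canned replies are constructed for offline use on RFC 5737 documentation addresses, so they describe no real owner. Keep in mind, as the post says, that for a dial-up or otherwise dynamic address the answer names the ISP that holds the block, not the individual subscriber.

```python
import ipaddress
import socket

WHOIS_PORT = 43  # WHOIS protocol, RFC 3912


def whois_query(ip, server):
    """Send one WHOIS query over TCP/43 and return the registry's reply as text."""
    with socket.create_connection((server, WHOIS_PORT), timeout=15) as sock:
        sock.sendall((ip + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # registry closes the connection when done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict (first value wins); the '#' and '%'
    comment lines the registries emit are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%":
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields


def range_contains(net_range, ip):
    """Check that a registry 'a - b' range really covers the queried IP."""
    if "-" not in net_range:
        return None
    lo, _, hi = (part.strip() for part in net_range.partition("-"))
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)


def lookup(ip, query=whois_query, start="whois.arin.net", max_referrals=2):
    """Ask the starting registry and follow at most max_referrals
    'ReferralServer:' pointers to the registry that actually holds the block.
    ARIN answers with OrgName/NetRange/Country; APNIC and RIPE answer in
    RPSL style with netname/inetnum/country."""
    servers, server, fields = [], start, {}
    for _ in range(max_referrals + 1):
        fields = parse_whois(query(ip, server))
        servers.append(server)
        referral = fields.get("ReferralServer")
        if not referral:
            break
        server = referral.split("://", 1)[-1].split(":")[0]  # whois://host[:port]
    net_range = fields.get("NetRange") or fields.get("inetnum")
    return {
        "owner": fields.get("OrgName") or fields.get("netname") or fields.get("descr"),
        "range": net_range,
        "cidr": fields.get("CIDR"),
        "country": fields.get("Country") or fields.get("country"),
        "servers": servers,
        "range_contains_ip": range_contains(net_range, ip) if net_range else None,
    }


# Constructed replies for offline use. Real registry output is much longer;
# the addresses are RFC 5737 documentation ranges and the owners are made up.
CANNED_ARIN_REPLY = """\
#
# ARIN WHOIS data and services are subject to Terms of Use
#
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET-1
OrgName:        Example ISP Inc.
Country:        US
"""
CANNED_ARIN_REFERRAL = """\
NetRange:       203.0.113.0 - 203.0.113.255
NetName:        APNIC-EXAMPLE-BLK
ReferralServer: whois://whois.apnic.net
"""
CANNED_APNIC_REPLY = """\
% Information related to '203.0.113.0 - 203.0.113.255'
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-AP
descr:          Example Network Pty Ltd
country:        AU
"""


def canned_query(ip, server):
    """Stand-in for whois_query that serves the constructed replies above."""
    if server == "whois.apnic.net":
        return CANNED_APNIC_REPLY
    if server == "whois.arin.net":
        return CANNED_ARIN_REFERRAL if ip.startswith("203.0.113.") else CANNED_ARIN_REPLY
    raise ValueError(f"no canned reply for {server}")


if __name__ == "__main__":
    import sys
    # With an address on the command line the script goes to the network;
    # without one it runs against the canned replies.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.44"
    print(lookup(target, query=whois_query if len(sys.argv) > 1 else canned_query))
```

The `query` parameter exists so the registry reply can be swapped for a canned one; the same hook is the place to add caching or rate limiting if you look up many addresses, since the registries throttle bulk queries.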

1 comment:

muthu said...

Hi,
Thanks for the information. I found some websites' IP addresses through this site www.ip-details.com. But this article gives the way to find the IP address from Gmail.