How to Trace E-Mails

Newark, OH (Zone 5b)

Kim Komando's show and newsletter are such great fun. Today's newsletter tells how to trace e-mails, something I know many here have pondered.

Here's her site: http://www.komando.com/
Her columns are posted there, but this one's not up yet.

MY WEEKLY COLUMN: Uncovering E-mail Origins is Child's Play
by Kim Komando

So, you sent an e-mail to the CEO. You remember--it's the one where you suggested he do something anatomically impossible. You changed the From: line to a clever alias or you used a free Yahoo! or Hotmail account. Aren't you something!

You weren't clever enough, though. Even though you sent that e-mail from home, you're going to be tracked down.

What happened? Your computer is still identifiable, even though you changed your e-mail address. All computers on the Internet have an Internet Protocol address. It's all in the e-mail's header. This information is suppressed, so most people never see it. But it can be shown, and it contains the route taken by an e-mail. That route includes the originator's IP number.

There have been well-publicized examples. People who sent viruses have been tracked down through headers. And they were relatively sophisticated computer users. So let's take a look at headers. All e-mail programs have the ability to show this information. To do that:

In Microsoft Outlook, double click the e-mail. Then click View>>Options. In Outlook Express, click the e-mail. Then click File>>Properties and select the Details tab.

For Eudora, double click the message. Then click the Blah Blah button. In Netscape, click the message to open it. Then click View>>Message Source to display the header.

The first thing you'll notice is that the information shown doesn't make much sense. It looks like stuff that only an engineer could love. But the tracking information is relatively easy to decipher.

The key is the sections beginning with the word "Received:". There will be at least two. If the message goes through several computers, there could be four or five "Received:" sections. A little knowledge will bring an investigator right back to the e-mail originator.

Following is some hypothetical header information. The IP numbers here are made up; they aren't assigned to anyone. The rest is made up, too. This information is just illustrative.

Received: from mail.heavenonly.com (mail.heavenonly.com [123.312.54.12]) by mail.bigcompany.com (8.8.5/8.7.2) with ESMTP id EAA12345 for joesmith@bigcompany.com; Tue, 9 Sep 2002 13:10:30 -0700 (MST)
Received: from joe.sunshine.com (joe.sunshine.com [124.213.45.11]) by mail.heavenonly.com (8.8.5) id 123A56; Tue, 9 Sep 2002 13:07:17 -0700 (MST)

The "Received:" sections in headers read from bottom to top. So the bottom one is from you, the originator. You have disguised your address as joe.sunshine.com. That Received: section shows that the e-mail went to your ISP's mail server, mail.heavenonly.com.

The second (top) "Received:" section shows that Big Company's server received the e-mail from mail.heavenonly.com, and it was addressed to joesmith@bigcompany.com. Joe, of course, is the CEO.

Even though you disguised your identifier in the bottom "Received:" section, you can still be identified. The IP number--124.213.45.11--is tied to your computer. A subpoena probably will pry that information from the ISP. In all likelihood, your ISP will not go to court to protect your privacy.
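As an added example (not part of the column or of this forum post), here is a small Python script that unfolds a raw header, picks out each "Received:" line and lists the hops in the bottom-to-top order the column describes, flagging any hop whose bracketed address is not a valid IPv4 address. The sample header is constructed from the column's hypothetical one, and the function names `unfold_headers` and `received_hops` are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample, built from the column's hypothetical header above
# (hostnames and IP numbers are made up, as the column says).
RAW_HEADERS = """\
Received: from mail.heavenonly.com (mail.heavenonly.com
 [123.312.54.12]) by mail.bigcompany.com (8.8.5/8.7.2) with ESMTP id EAA12345 for joesmith@bigcompany.com; Tue, 9 Sep 2002 13:10:30 -0700 (MST)
Received: from joe.sunshine.com (joe.sunshine.com
 [124.213.45.11]) by mail.heavenonly.com (8.8.5) id 123A56; Tue, 9 Sep 2002 13:07:17 -0700 (MST)
Subject: hello
"""

# "from <name the sender announced> (<name the receiver saw> [<ip>]) by <receiver>"
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"
    r"(?:\s*\((?P<seen>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s(]+)"
)

def unfold_headers(raw):
    """Join folded continuation lines (those starting with whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    """Return the hops in transit order (originator first), i.e. bottom-to-top of the header.

    Only the Received: line added by a server you control (here the top one, mail.bigcompany.com)
    is known to be genuine; lines below it arrived with the message and could have been forged,
    so a malformed address is flagged rather than trusted.
    """
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m = HOP_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        try:
            ip_address(ip)
            valid = True
        except ValueError:
            valid = False
        hops.append({"claimed": m.group("claimed"), "seen": m.group("seen"),
                     "ip": ip, "ip_valid": valid, "by": m.group("by")})
    return list(reversed(hops))

if __name__ == "__main__":
    for n, hop in enumerate(received_hops(RAW_HEADERS), 1):
        flag = "" if hop["ip_valid"] else "  (not a valid IPv4 address)"
        print(f"hop {n}: {hop['claimed']} [{hop['ip']}] -> {hop['by']}{flag}")
```

Run as-is it prints the two hops of the sample, with the first (originator) hop carrying 124.213.45.11, the number the column says a subpoena to the ISP would resolve.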

There are a number of places on the Internet where IP numbers can be traced. I traced the numbers in the above example through InterNic:

http://www.internic.net/whois.html

In the hypothetical case above, the IP number would actually be assigned to the Internet service provider. The ISP uses it to identify the individual customer's computer. It is possible to hide that number, but most people don't know how or don't bother. They're too busy with their clever message.

There will be other information in the header. That stuff won't make much sense to you, either. But it doesn't matter; the information used to trace e-mails is in the "Received:" sections.

So here's the bottom line: If you're going to make disparaging remarks about the boss, do it quietly around the water cooler.

Don't put them in writing. And don't e-mail them to the boss. You may not be as clever as you think.

This thread has 9 replies. This forum is accessible only to subscribing members of Dave's Garden.