Email Tracing: Open Mail Relays
By Joseph Seanor



Spammer havens! Email, it seems, is something everyone uses more every day. At the same time, people keep looking for ways to make money on the Internet, and so we enter the world of spammers. Spammers: even the name leaves a strange taste in your mouth when you say it, but they are a fact of life. Spam is becoming the largest share of the email sent each day, and there seems to be no stopping it. How is this done? How can these spammers appear to come from all over the Internet, from countries near and far? In this article I would like to introduce one aspect of that world that will come into play in any of your email tracing cases: Open Mail Relays.

Let me give you the basic path that any email takes. The email leaves your computer, is handed to a mail server, and is then delivered to the recipient.

Of course, a number of mail servers are normally involved in delivering an email, but the basic path is from your computer to a mail server and on to the final recipient. A properly configured mail server should accept mail only for the domains it is responsible for, or from its own users, and should refuse to carry anyone else's mail on to other servers. This restriction protects the server from abuse and misuse. An Open Mail Relay is a mail server that lacks it: it lets anyone connect and send email through it to any other server, which is why it is also called a third-party relay. On top of that, an Open Mail Relay will take whatever you put in as your origin; the sender address is never verified. This means that you could put in Arnold@arnoldforgovernor.com, send the message through an Open Mail Relay, and it would land in your boss's mailbox appearing to come from that address. This shows once again the truth of something I have always said about the Internet: "You can be whoever you want to be on the Internet." Spammers love Open Mail Relays because they can send any type of email, pretending to be anyone they want, to as many people as they want.
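The difference between a properly configured server and an Open Mail Relay is easiest to see in the SMTP conversation itself. The following is an added example, not code from the original article: a small simulated SMTP server with a relay policy, and the third-party relay probe that an open relay tester sends to it. Everything runs in-process with no network; the hostnames, addresses and IP numbers are constructed for illustration. It also shows the trail a relay leaves behind, in its log and in the Received: header it stamps on the message, even though the sender address was taken on trust.

```python
# Added example, not from the original article: a simulated SMTP server with a
# relay policy, and the third-party relay probe an open-relay tester sends to
# it. Everything is in-process; no network is used. The hostnames, addresses
# and IP numbers are constructed for illustration.
import re


class SimulatedSmtpServer:
    """Minimal SMTP server logic: HELO/EHLO, MAIL, RCPT, DATA, QUIT.

    local_domains: the domains this server is responsible for.
    open_relay:    if True, RCPT TO is accepted for any domain (the
                   misconfiguration the article describes).
    client_ip:     the address the server sees the client connecting from;
                   it goes into the Received: header and the log no matter
                   what origin the client claims.
    """

    def __init__(self, hostname, local_domains, open_relay=False,
                 client_ip="203.0.113.7"):
        self.hostname = hostname
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.client_ip = client_ip
        self.banner = f"220 {hostname} ESMTP"
        self.queued = []        # (sender, recipients, Received header) accepted for delivery
        self.log = []           # what an administrator would find in the logs
        self.helo = None
        self.sender = None
        self.rcpts = []
        self.in_data = False

    def send(self, line):
        """Feed one client line; return the server reply, or None for body lines."""
        if self.in_data:
            if line != ".":
                return None                      # message body, no reply
            self.in_data = False
            received = (f"Received: from {self.helo} ([{self.client_ip}]) "
                        f"by {self.hostname} with SMTP")
            self.queued.append((self.sender, list(self.rcpts), received))
            self.log.append(f"{self.client_ip} from=<{self.sender}> "
                            f"to={self.rcpts} queued")
            self.sender, self.rcpts = None, []
            return "250 OK: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {self.hostname}"
        if verb == "MAIL":
            m = re.match(r"FROM:\s*<([^>]*)>", arg, re.I)
            if not m:
                return "501 Syntax error in MAIL command"
            self.sender, self.rcpts = m.group(1), []   # taken on trust, never verified
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command"
            m = re.match(r"TO:\s*<([^>]*)>", arg, re.I)
            if not m:
                return "501 Syntax error in RCPT command"
            addr = m.group(1)
            domain = addr.rpartition("@")[2].lower()
            if self.open_relay or domain in self.local_domains:
                self.rcpts.append(addr)
                return "250 OK"
            # A correctly configured server refuses to relay for third parties.
            self.log.append(f"{self.client_ip} from=<{self.sender}> "
                            f"to=<{addr}> relay denied")
            return f"554 5.7.1 <{addr}>: Relay access denied"
        if verb == "DATA":
            if not self.rcpts:
                return "503 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"


def probe_relay(server, test_from="relaytest@probe.example.org",
                test_to="victim@elsewhere.example.com"):
    """Try to hand the server a message where neither the sender nor the
    recipient belongs to it. Returns (is_open, transcript)."""
    transcript = [("S", server.banner)]

    def say(line):
        reply = server.send(line)
        transcript.append(("C", line))
        if reply is not None:
            transcript.append(("S", reply))
        return reply

    say("HELO probe.example.org")
    say(f"MAIL FROM:<{test_from}>")
    if not say(f"RCPT TO:<{test_to}>").startswith("250"):
        say("QUIT")
        return False, transcript          # relay refused: not an open relay
    if not say("DATA").startswith("354"):
        say("QUIT")
        return False, transcript
    for body_line in ("Subject: open relay probe", "", "relay test", "."):
        reply = say(body_line)
    say("QUIT")
    return reply.startswith("250"), transcript


if __name__ == "__main__":
    for name, srv in (("closed", SimulatedSmtpServer("mail.example.net", {"example.net"})),
                      ("open", SimulatedSmtpServer("relay.example.cn", {"example.cn"}, open_relay=True))):
        is_open, transcript = probe_relay(srv)
        print(f"--- {name} server: open relay = {is_open}")
        for who, text in transcript:
            print(f"{who}: {text}")
```

The probe is the same test the relay-checking websites perform: a sender and a recipient that are both foreign to the server. A closed server answers the RCPT TO with a 554 and nothing is queued; the open relay queues the message, records the connecting IP in its log and in the Received: header, and delivers it with whatever sender address the client supplied.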

In an email tracing case, you might hear of a client getting emails from a suspect that seem to come from all around the world, such as China or Hong Kong, even though the suspect is known to be in the United States. The likely reason is that the sender used an Open Mail Relay in another country to send the email. One thing to note is that you do not need to be a hacker or a computer science major to do this; in fact, there are a number of email programs you can buy that will do it for you. To make matters worse, there are a few websites that will do it for you as well, for as little as $10 a month. Remember, if your client is getting emails from one suspect, yet the emails appear to come from all over the world, it is highly likely that the suspect is using Open Mail Relays to send them.

To find out whether a mail server is an Open Mail Relay, there are a number of websites you can use. Here are two of the ones I like to use:

http://www.ordb.org/

This website is the Open Relay Database. From here you can look up the name of a mail server and see whether it is listed as an Open Mail Relay. If the server is not listed, you have the option of having the site test it, and a report will be mailed to you.

Another source of information about Open Mail Relays is:

http://www.openrelaycheck.com

This website is similar to the Open Relay Database in that it provides a listing of servers that have been found to be open, that is, servers that allow anyone to send email as anyone they want to anyone in the world. As of this writing it lists 11,120 Open Mail Relays around the world, and this number will increase as more and more mail servers are put onto the Internet.

To check whether the email you are tracing came through an Open Mail Relay, follow these steps:

1) Locate the names of the mail servers in the headers of the email and choose at least one to start with. Each server adds its own Received: line, so the line added by your client's own mail server is the one you can trust, and the server it says it received the message from is a good first candidate.
2) Go to http://www.ordb.org
3) Click on the link that says “Database lookups”
4) Enter the mail server name into the box and click Submit
5) The website will return a report saying whether the server is listed in their database.
6) If the mail server is not listed in their database, you have the option of having the system test the server to see if it is an Open Mail Relay. This is a legitimate check and does not violate any laws.
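Step 1 is the part that trips people up, because a message carries one Received: line per server that handled it and they are stacked newest first. The following is an added example, not code from the original article: it pulls the server names and connecting IP addresses out of the Received: headers, in the order the message travelled, to give you the list of names to look up. The message is constructed for illustration; its hostnames, IP numbers and addresses are not real.

```python
# Added example, not from the original article: extract the mail servers that
# handled a message from its Received: headers, in the order the message
# travelled, so you know which server names to look up. The message below is
# constructed for illustration; its hostnames, IP numbers and addresses are not real.
import email
import re

# Constructed sample: the From: line claims one identity, while the path shows
# the message entering the mail system at a relay in another country.
SAMPLE_MESSAGE = """\
Received: from relay.example.cn (relay.example.cn [198.51.100.23])
\tby mx.client-company.example (Postfix) with ESMTP id 7F3A2
\tfor <boss@client-company.example>; Tue, 04 Mar 2003 09:12:41 -0500
Received: from arnoldforgovernor.com (unknown [203.0.113.7])
\tby relay.example.cn (8.11.6/8.11.6) with SMTP id h24E9sX01234
\tfor <boss@client-company.example>; Tue, 04 Mar 2003 22:09:55 +0800
From: Arnold <Arnold@arnoldforgovernor.com>
To: boss@client-company.example
Subject: Test
Message-ID: <constructed@example.invalid>

Hello.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"           # name the client gave in HELO (its claim)
    r"(?:\s+\((?P<paren>[^)]*)\))?"   # what the server actually saw: rDNS and [IP]
    r"\s+by\s+(?P<by>\S+)",           # the server that wrote this header
    re.IGNORECASE)


def received_hops(raw_message):
    """Return one dict per hop in transmission order (first hop first).

    Each server prepends its own Received: line, so the top one is the last
    hop (your client's own server) and the bottom one is the first. Only the
    lines written by servers you trust are reliable; a sender can insert
    fake Received: lines below them.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())           # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = re.search(r"\[([0-9.]+)\]", m.group("paren") or "")
        hops.append({
            "from": m.group("helo"),              # what the connecting host claimed
            "ip": ip.group(1) if ip else None,    # what the receiving server saw
            "by": m.group("by"),
        })
    return hops


def servers_to_check(raw_message):
    """Hostnames of the servers that relayed the message, first hop first.
    These are the names to look up in an open relay database."""
    return [hop["by"] for hop in received_hops(raw_message)]


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("look up:", servers_to_check(SAMPLE_MESSAGE))
```

In the sample, the first hop shows a client that announced itself as arnoldforgovernor.com but connected from 203.0.113.7 to relay.example.cn; that relay is the server to look up, and the bracketed IP is what you would ask its operator to match against their logs.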

From this information you will know whether the email you are looking at was sent through an Open Mail Relay. If it was, do not assume that a hacker sent it, or that only a hacker could do this. As pointed out earlier in this article, there are a number of programs and websites that use Open Mail Relays, and the person does not need to do anything special to access these servers.

In addition, Open Mail Relays keep logs of connections: which IP addresses or computers connected to the server and sent email through it. Bear in mind that these logs can roll over (be archived or deleted) rather quickly, so the sooner you contact the company that runs the mail server, the better your chance of obtaining them. The Received: line the relay stamped on the message usually records the connecting IP address as well, which gives you something to match against those logs. This information can lead to your suspect or to the next link in the chain of your trace.

There are many aspects to an email trace, and this one piece, Open Mail Relays, is a vital piece to allow you to get the complete view of the path that an email took and will also provide you additional insight into your case. In the next issue, I will discuss more information about headers in emails and how to view these headers and understand what is occurring.

Joseph Seanor works for CIBIR Corp and provides Digital Intelligence to his clients and investigators alike. His website can be found at: http://www.cibir.net, or http://www.mailsleuth.net. Mr. Seanor also teaches classes to investigators and others on internet investigations, email tracing, and computer forensics.