EMAIL TRACKING QUESTIONS AND ANSWERS


From:  LMChewy777@aol.com
Date:  Tue Sep 24, 2002  4:29 am
Subject:  E-mail Trace

Here is Information to use Headers to trace Fake E-mail addresses.

Tracing An Email Address FAQ
http://www.investigateanyoneonline.com/tracemail.shtml

Tracing Email
These links support our "Tracing Email" classes.
Contact Temple Security for additional information.
http://www.templesecurity.com/trace.htm

Regards, Loui



From: "bradfordcole" <bradcole@diogenesllc.com>
Date:  Tue Sep 17, 2002  7:25am
Subject:  Re: Internet Tracking


Hi Scott & Group,

A good resource for basic and technical info re: e-mail tracking is:

http://www.diogenesllc.com/articlesinfopdfformat.html

Look under the section for INTERNET RESOURCE ARTICLES. You will need
a PDF viewer to read the articles.

Hope this helps you.

Best wishes,

Brad Cole



From:  Joann Miller <joann@intellaire.com>
Date:  Mon Sep 16, 2002  9:48 pm
Subject:  Re: [PIHOTLINKS] Internet Tracking


Email headers can be tricky and misleading..... Since there are others
in this group that may need to dissect email headers I am replying both
to the group and directly to Scott in order to assist all.

Before anything else.... Let me apologize for the length, but I wanted
to give a detailed example.... Besides in real life I tend to be wordy
:)

I used the original message that Scott sent to the PIHotlinks
group. I first turned on full headers so that all of the detail was
available. (The message with full headers is at the end of this
message.)

I start by reviewing the full headers and working my way back through
the received lines. The first thing to realize is that some of the
information can be changed easily by the sender, like the from line and
the date/time stamp. Other pieces can be changed depending on the
sender's expertise and their access to the mail servers. For example,
the From line can easily be changed by a user, so its validity should
always be suspect. It is harder to modify the received lines as that is
the path the message took once it is sent. However someone with enough
expertise can modify the first received line as it leaves their machine
on its journey across the internet. Another problem is that people can
dial from one location into another machine and then have mail sent out
from somewhere else. Using Scott's email, here is some of the
conflicting information on where Scott might have been when he sent this
email.

I usually look at the first received line first. In the message below
the line that we are interested in dissecting is:

Received: from tweety (gw.iaccess.com) [64.221.226.129] by
mailbreak.com [216.207.225.173] with SMTP (MDaemon.PRO.PRO.v5.0.1.R) for
<PIHOTLINKS@yahoogroups.com>; Mon, 16 Sep 2002 11:36:52 -0400

This is the first received line as the mail message starts its journey
to get to me. The next thing I do is to verify that the IP and the domain
name match. If they don't then the sender has some expertise and was
able to change some of the information. In this case I'm looking at
gw.iaccess.com and 64.221.226.129. The easiest thing to do is to do a
nslookup on the IP address. For this example I used a program called
IP-Atlas as it also gives me location information for that machine. In
this case it tells me that 64.221.226.129 is gw.iaccess.com and is
located in San Jose, California. So both the IP and machine name match.

The next thing I do is to match the time offset in the date field with
this information to see if that makes sense. The user can easily
change this date field but most forget to.... The problem here is that
CA is usually -8 offset unless it is daylight savings, then it is -7. So
something is wrong here as the time stamp is -6. So to see what the
problem might be I went to http://www.iaccess.com/. That web site says
that it is in Salt Lake, Utah. Makes a little more sense as Utah is -7
unless in daylight savings, which is -6. If I look at iaccess.com with
IP-Atlas it gives me the IP of 65.215.129.214 and a location of
Bluffdale, Utah. This matches the message id as the message ID is
bluffdale.iaccess.com.

All email is assigned a message ID by the mail server. So in this case
I could check with iaccess.com and ask them to look at
008a01c25d96$9bd74850$2e01010a@b... With the log
files that are kept they could tell me who logged in and sent that
message. However most companies won't assist you unless you have a
legal right to know. Can we say subpoena? :)

Another clue is the reference line
5.1.0.14.2.20020910181819.00b435c0@p... This throws in a
wrinkle into things. This is telling us that the message was in
reference to this message... The body of the message doesn't show a
chain of messages so this is a little strange. What probably happened
is that Scott took an existing message from PIHotlinks that was in his
mailer. Hit reply and then deleted the message to type this new
message. I checked the other PIHotlinks messages and this reference is
from the message sent by Russ Koogler <russpi@s...> concerning
Foreign Criminal Records. This just goes to show all of you that you
probably don't just want to hit reply and then erase the body as the
headers will keep things from the original message. It is always best
to start with a clean compose screen. On the other hand this may give a
clue as to who the sender is getting correspondence from.

My guess is that Scott lives near Bluffdale, Utah, which is where the
company headquarters are. My guess is that the company has multiple
servers, one of which is a mail server in San Jose, CA. Other things I
know from the headers: He uses a free mail service at mailbreak.com.
He uses Outlook Express 6.0 as his mailer. Scott also uses scottmmorris
as his Yahoo profile. I did a quick check and unfortunately there isn't
any information available through the profile :(

Since I'm guessing Utah... I then searched for address and phone
numbers. Found 5 for Utah. 2 have a different middle initial. 3 list
just Scott Morris. So I would then get out a map to see how far the
following locations are from Bluffdale.
North Salt Lake, UT 84054-2041
Orem, UT 84058-5311
Provo, UT 84606-2711
I can do the same exercise for CA. However there are a lot more to try. I
might also just try calling iaccess to see if there is a Scott Morris
working there and to get his extension or work number. Just out of
curiosity Scott.... how close am I?

There are also a variety of reverse email lookups that are available and
you might get lucky there. And I agree with Lea Shields in her reply.
Use a variety of search engines as they all have different information
and are indexed differently. Don't forget to be creative and try
different combinations of the name.

However all emails aren't as straightforward as this one. In this
example Scott uses his name in his email identity. That isn't usually
the case. The only way to determine a match between email and person is
to subpoena the required information from the company that runs the mail
server utilizing the mail ID.

Some of the tools I mentioned you can find on a training page I maintain
at http://www.joann.net/training/. Let me know if I can be of any
additional assistance.

Joann Miller
http://www.intellaire.com/
joann@i...


-------- Original Message --------
Received: from n2.grp.scd.yahoo.com (n2.grp.scd.yahoo.com [66.218.66.75])by
mail.intellaire.net (Postfix) with SMTP id 9D9098CE4for
<joann@i...>; Mon, 16 Sep 2002 16:28:45 -0400 (EDT)
X-eGroups-Return: sentto-477611-4953-1032208123-joann=intellaire.com@r...
Received: from [66.218.67.197] by n2.grp.scd.yahoo.com with NNFMP; 16 Sep 2002
20:28:44 -0000
Received: (qmail 45947 invoked from network); 16 Sep 2002 20:28:42 -0000
Received: from unknown (66.218.66.217)by m4.grp.scd.yahoo.com with QMQP; 16 Sep 2002
20:28:42 -0000
Received: from unknown (HELO n10.grp.scd.yahoo.com) (66.218.66.65)by
mta2.grp.scd.yahoo.com with SMTP; 16 Sep 2002 20:28:42 -0000
X-eGroups-Return: scottmmorris@m...
Received: from [66.218.67.175] by n10.grp.scd.yahoo.com with NNFMP; 16 Sep 2002
20:28:42 -0000
X-Sender: scottmmorris@m...
X-Apparently-To: PIHOTLINKS@yahoogroups.com
Received: (EGP: mail-8_1_1_3); 16 Sep 2002 15:39:42 -0000
Received: (qmail 82756 invoked from network); 16 Sep 2002 15:39:41 -0000
Received: from unknown (66.218.66.216)by m10.grp.scd.yahoo.com with QMQP; 16 Sep 2002
15:39:41 -0000
Received: from unknown (HELO MailBreak.Com) (216.207.225.170)by
mta1.grp.scd.yahoo.com with SMTP; 16 Sep 2002 15:39:41 -0000
Received: from tweety (gw.iaccess.com) [64.221.226.129]by mailbreak.com
[216.207.225.173]with SMTP (MDaemon.PRO.PRO.v5.0.1.R)for
<PIHOTLINKS@yahoogroups.com>; Mon, 16 Sep 2002 11:36:52 -0400
Message-ID: <008a01c25d96$9bd74850$2e01010a@b...>
To: <PIHOTLINKS@yahoogroups.com>
References: <5.1.0.14.2.20020910181819.00b435c0@p...>
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-MDRemoteIP: 64.221.226.129
X-Return-Path: scottmmorris@m...
X-MDaemon-Deliver-To: PIHOTLINKS@yahoogroups.com
From: "Scott M. Morris" <scottmmorris@m...>
X-Yahoo-Profile: scottmmorris
X-eGroups-Approved-By: pinais2001 <PINAIS@a...> via web; 16 Sep 2002 20:28:40 -0000
MIME-Version: 1.0
Mailing-List: list PIHOTLINKS@yahoogroups.com; contact PIHOTLINKS-owner@yahoogroups.com
Delivered-To: mailing list PIHOTLINKS@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:PIHOTLINKS-unsubscribe@yahoogroups.com>
Date: Mon, 16 Sep 2002 09:34:55 -0600
Subject: [PIHOTLINKS] Internet Tracking
Reply-To: PIHOTLINKS@yahoogroups.com
Content-Type: text/html; charset=US-ASCII
Content-Transfer-Encoding: 7bit
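A scripted version of the checks Joann walks through above, added here as an example and not part of her post: it pulls the first-hop Received line out of the quoted headers, compares the hostname the receiving server recorded against an offline stand-in for the reverse-DNS answer, and tests the Date header's UTC offset against the candidate regions. PTR_TABLE and REGION_OFFSETS are assumptions standing in for live nslookup / IP-Atlas lookups.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample built from the headers quoted above: the two Received
# lines around the first hop plus the Date header (whitespace normalised).
SAMPLE = """Received: from unknown (HELO MailBreak.Com) (216.207.225.170) by mta1.grp.scd.yahoo.com with SMTP; 16 Sep 2002 15:39:41 -0000
Received: from tweety (gw.iaccess.com) [64.221.226.129] by mailbreak.com [216.207.225.173] with SMTP (MDaemon.PRO.PRO.v5.0.1.R) for <PIHOTLINKS@yahoogroups.com>; Mon, 16 Sep 2002 11:36:52 -0400
Date: Mon, 16 Sep 2002 09:34:55 -0600
"""

# Offline stand-in for a reverse-DNS lookup (assumption: the answer the post
# got from IP-Atlas). A live check would call socket.gethostbyaddr(ip).
PTR_TABLE = {"64.221.226.129": "gw.iaccess.com"}
# Hypothetical daylight-time UTC offsets for the two candidate regions in the post.
REGION_OFFSETS = {"California": -7, "Utah": -6}

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
FROM_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]+)\))?")

def originating_hop(raw):
    """Return (helo_name, recorded_hostname, ip) from the earliest Received line."""
    received = message_from_string(raw).get_all("Received") or []
    first = received[-1]  # each relay prepends its line, so the last one is the first hop
    m = FROM_RE.match(first)
    helo, hostname = m.group(1), (m.group(2) or m.group(1))
    return helo, hostname, IP_RE.search(first).group(1)

def ptr_matches(hostname, ip, ptr=PTR_TABLE):
    """Does the name the receiving server recorded agree with reverse DNS for the IP?"""
    return ptr.get(ip, "").lower() == hostname.lower()

def date_offset_hours(raw):
    """UTC offset (hours) of the sender-supplied Date header, e.g. -6.0 for -0600."""
    dt = parsedate_to_datetime(message_from_string(raw)["Date"])
    return dt.utcoffset().total_seconds() / 3600

def regions_consistent_with(offset, regions=REGION_OFFSETS):
    """Regions whose clock offset agrees with the Date header (the post's sanity check)."""
    return sorted(r for r, off in regions.items() if off == offset)

def analyze(raw):
    """Summarise the first hop and whether the sender's Date offset fits each region."""
    helo, hostname, ip = originating_hop(raw)
    offset = date_offset_hours(raw)
    return {"helo": helo, "hostname": hostname, "ip": ip,
            "ptr_ok": ptr_matches(hostname, ip),
            "date_offset": offset, "regions": regions_consistent_with(offset)}
```

On the quoted message this reports a first hop of tweety / gw.iaccess.com / 64.221.226.129 with a matching PTR, and a Date offset of -6 that fits Utah but not California, which is exactly the discrepancy the post works through.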


From:  lshields224@aol.com
Date:  Mon Sep 16, 2002  6:13 pm
Subject:  Re: [PIHOTLINKS] Internet Tracking

If you have tracked them to a particular geographical area then I would do a
court search for the person in that town. Does the subject have an unusual
last name? If so do an internet search on the last name. I prefer
www.surfwax.com for this type of search because this search engine returns
better results on names than standard search engines. There are several
things that you can do from here. Have you done any searches on usenet to
see if the person has posted? I can do several things with internet searches
but there are a few questions that need to be answered before I can direct
you further. If you would like I can do a search for you if you give me the
subject name. No charge, just professional courtesy. Skip tracing is my
area of expertise and I have a lot of contacts that can check information for
me; I just need the name. Email me at lshields224@aol.com.

Lea Shields
lshields224@aol.com


Is anyone here familiar with tracking people on the Internet? I have
the IP addresses from their email headers. I have tracked them to a particular
geographical location. Would anyone know what the next steps would be?
I apologize if this isn't the right list to ask this on. If this is the
case, I would love to be directed to the best place to ask this. Thank you.

Scott Morris