Mailsleuth Email Tracing Is 50% Off For NAIS Members!


Date:  Tue Sep 24, 2002  4:29 am
Subject:  E-mail Trace

Here is Information to use Headers to trace Fake E-mail addresses.

Tracing An Email Address FAQ

Tracing Email
These links support our "Tracing Email" classes.
Contact Temple Security for additional information.

Regards, Loui

From: "bradfordcole" <>
Tue Sep 17, 2002 7:25am
Re: Internet Tracking


Hi Scott & Group,

A good resource for basic and technical info re: e-mail tracking is:

Look under the section for INTERNET RESOURCE ARTICLES. You will need
a PDF viewer to read the articles.

Hope this helps you.

Best wishes,

Brad Cole


From:  Joann Miller <>
Date:  Mon Sep 16, 2002  9:48 pm
Subject:  Re: [PIHOTLINKS] Internet Tracking

Email headers can be tricky and misleading..... Since there are others
in this group that may need to dissect email headers I am replying both
to the group and directly to Scott in order to assist all.

Before anything else.... Let me apologize for the length, but I wanted
to give a detailed example.... Besides in real life I tend to be wordy

I used the message original message that Scott sent to the PIHotlinks
group. I first turned on full headers so that all of the detail was
available. (The message with full headers is at the end of this

I start by reviewing the full headers and working my way back through
the received lines. The first thing to realize is that some of the
information can be changed easily by the sender, like the from line and
the date/time stamp. Other pieces can be changed depending on the
sender's expertise and their access to the mail servers. For example,
the From line can easily be changed by a user, so its validity should
always be suspect. It is harder to modify the received lines as that is
the path the message took once it is sent. However, someone with enough
expertise can modify the first received line as it leaves their machine
on its journey across the internet. Another problem is that people can
dial from one location into another machine and then have mail sent out
from somewhere else. Using Scott's email, here is some of the
conflicting information on where Scott might have been when he sent this

I usually look at the first received line first. In the message below
the line that we are interested in dissecting is:

Received: from tweety ( []by []with SMTP (MDaemon.PRO.PRO.v5.0.1.R)for
<>; Mon, 16 Sep 2002 11:36:52 -0400

This is the first received line as the mail message starts its journey
to get to me. The next thing I do is to verify that the IP and the domain
name match. If they don't, then the sender has some expertise and was
able to change some of the information. In this case I'm looking at and The easiest thing to do is to do an
nslookup on the IP address. For this example I used a program called
IP-Atlas as it also gives me location information for that machine. In
this case it tells me that is and is
located in San Jose, California. So both the IP and machine name match.

The next thing I do is to match the time offset in the date field with
this information to see if that makes sense. The user can easily
change this date field, but most forget to.... The problem here is that
CA is usually -8 offset unless it is daylight savings, then it is -7. So
something is wrong here as the time stamp is -6. So to see what the
problem might be I went to That web site says
that it is in Salt Lake, Utah. Makes a little more sense as Utah is -7
unless in daylight savings, which is -6. If I look at with
IP-Atlas it gives me the IP of and a location of
Bluffdale, Utah. This matches the message id as the message ID is

All email is assigned a message ID by the mail server. So in this case
I could check with and ask them to look at
008a01c25d96$9bd74850$2e01010a@b... With the log
files that are kept they could tell me who logged in and sent that
message. However most companies won't assist you unless you have a
legal right to know. Can we say subpoena? :)

Another clue is the reference line. This throws a
wrinkle into things. This is telling us that the message was in
reference to this message... The body of the message doesn't show a
chain of messages, so this is a little strange. What probably happened
is that Scott took an existing message from PIHotlinks that was in his
mailer. Hit reply and then deleted the message to type this new
message. I checked the other PIHotlinks messages and this reference is
from the message sent by Russ Koogler <russpi@s...> concerning
Foreign Criminal Records. This just goes to show all of you that you
probably don't just want to hit reply and then erase the body as the
headers will keep things from the original message. It is always best
to start with a clean compose screen. On the other hand this may give a
clue as to who the sender is getting correspondence from.

My guess is that Scott lives near Bluffdale, Utah, which is where the
company headquarters are. My guess is that the company has multiple
servers one of which is a mail server in San Jose CA. Other things I
know from the headers. He uses a free mail service at
He uses Outlook Express 6.0 as his mailer. Scott also uses scottmmorris
as his Yahoo profile. I did a quick check and unfortunately there isn't
any information available through the profile :(

Since I'm guessing Utah... I then searched for address and phone
numbers. Found 5 for Utah. 2 have a different middle initial. 3 list
just Scott Morris. So I would then get out a map to see how far the
following locations are from Bluffdale.
North Salt Lake, UT 84054-2041
Orem, UT 84058-5311
Provo, UT 84606-2711
I can do the same exercise for CA. However, there are a lot more to try. I
might also just try calling iaccess to see if there is a Scott Morris
working there and to get his extension or work number. Just out of
curiosity, Scott.... how close am I?

There are also a variety of reverse email lookups that are available and
you might get lucky there. And I agree with Lea Shields in her reply.
Use a variety of search engines as they all have different information
and are indexed differently. Don't forget to be creative and try
different combinations of the name.

However all emails aren't as straightforward as this one. In this
example Scott uses his name in his email identity. That isn't usually
the case. The only way to determine a match between email and person is
to subpoena the required information from the company that runs the mail
server utilizing the mail ID.

Some of the tools I mentioned you can find on a training page I maintain
at Let me know if I can be of any
additional assistance.

Joann Miller


-------- Original Message --------
Received: from ( [])by (Postfix) with SMTP id 9D9098CE4for
<joann@i...>; Mon, 16 Sep 2002 16:28:45 -0400 (EDT)
Received: from [] by with NNFMP; 16 Sep 2002
20:28:44 -0000
Received: (qmail 45947 invoked from network); 16 Sep 2002 20:28:42 -0000
Received: from unknown ( with QMQP; 16 Sep 2002
20:28:42 -0000
Received: from unknown (HELO ( with SMTP; 16 Sep 2002 20:28:42 -0000
X-eGroups-Return: scottmmorris@m...
Received: from [] by with NNFMP; 16 Sep 2002
20:28:42 -0000
X-Sender: scottmmorris@m...
Received: (EGP: mail-8_1_1_3); 16 Sep 2002 15:39:42 -0000
Received: (qmail 82756 invoked from network); 16 Sep 2002 15:39:41 -0000
Received: from unknown ( with QMQP; 16 Sep 2002
15:39:41 -0000
Received: from unknown (HELO MailBreak.Com) ( with SMTP; 16 Sep 2002 15:39:41 -0000
Received: from tweety ( []by
[]with SMTP (MDaemon.PRO.PRO.v5.0.1.R)for
<>; Mon, 16 Sep 2002 11:36:52 -0400
Message-ID: <008a01c25d96$9bd74850$2e01010a@b...>
To: <>
References: <>
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Return-Path: scottmmorris@m...
From: "Scott M. Morris" <scottmmorris@m...>
X-Yahoo-Profile: scottmmorris
X-eGroups-Approved-By: pinais2001 <PINAIS@a...> via web; 16 Sep 2002 20:28:40 -0000
MIME-Version: 1.0
Mailing-List: list; contact
Delivered-To: mailing list
Precedence: bulk
List-Unsubscribe: <>
Date: Mon, 16 Sep 2002 09:34:55 -0600
Subject: [PIHOTLINKS] Internet Tracking
Content-Type: text/html; charset=US-ASCII
Content-Transfer-Encoding: 7bit
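The checks Joann walks through above (read the Received lines bottom-up, pull the first hop's HELO name, reverse-DNS name and IP, and compare the sender's Date offset with the first relay's timestamp) as an added Python example. This is not code from the list or from any tool mentioned in the thread; the header sample is constructed with documentation-range IPs and example.* hosts, and the IP/name confirmation is left to a manual nslookup because the script runs offline.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (documentation-range IPs, example.* hosts) shaped like
# the list message's headers; it is not a copy of them.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [203.0.113.9]) by inbox.example.com (Postfix) with SMTP id 1234; Mon, 16 Sep 2002 16:28:45 -0400 (EDT)
Received: from tweety (tweety.example.net [198.51.100.23]) by mx.example.org with SMTP; Mon, 16 Sep 2002 11:36:52 -0400
Date: Mon, 16 Sep 2002 09:34:55 -0600
From: sender@example.net
Subject: constructed test message
"""

# Matches the "from HELO (rdns [ip])" form written by Postfix/MDaemon-style MTAs.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)", re.I)

def _stamp(text):
    """Parse the date after the last ';', dropping a trailing '(EDT)' comment."""
    tail = re.sub(r"\s*\([^)]*\)\s*$", "", text.rsplit(";", 1)[-1]).strip()
    return parsedate_to_datetime(tail)

def parse_hops(raw):
    """Return Received hops oldest-first: the bottom header is the first hop."""
    hops = []
    for line in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(line)
        helo, rdns, ip = m.groups() if m else (None, None, None)
        hops.append({"helo": helo, "rdns": rdns, "ip": ip, "time": _stamp(line)})
    return hops

def audit(raw):
    """Cross-check the sender's Date header against the first Received hop."""
    first = parse_hops(raw)[0]
    sent = parsedate_to_datetime(message_from_string(raw)["Date"])
    flags = []
    if sent.strftime("%z") != first["time"].strftime("%z"):
        flags.append("date-offset-differs-from-first-hop")  # sender's clock zone != relay's zone
    if first["helo"] != first["rdns"]:
        flags.append("helo-differs-from-rdns")  # confirm the IP/name pair with nslookup
    return {"first_hop_ip": first["ip"], "date_offset": sent.strftime("%z"),
            "first_hop_offset": first["time"].strftime("%z"),
            "skew_seconds": int((first["time"] - sent).total_seconds()), "flags": flags}
```

Both flags fire on the sample, mirroring the -0600 versus -0400 discrepancy and the bare "tweety" HELO name that prompted the nslookup in the analysis above.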

Date:  Mon Sep 16, 2002  6:13 pm
Subject:  Re: [PIHOTLINKS] Internet Tracking

If you have tracked them to a particular geographical area, then I would do a
court search for the person in that town. Does the subject have an unusual
last name? If so, do an internet search on the last name. I prefer for this type of search because this search engine returns
better results on names than standard search engines. There are several
things that you can do from here. Have you done any searches on usenet to
see if the person has posted? I can do several things with internet searches,
but there are a few questions that need to be answered before I can direct
you further. If you would like, I can do a search for you if you give me the
subject name. No charge, just professional courtesy. Skip tracing is my
area of expertise and I have a lot of contacts that can check information for
me; I just need the name. Email me at

Lea Shields

Is anyone here familiar with tracking people on the Internet? I have
the IP addresses from their email headers. I have tracked them to a particular
geographical location. Would anyone know what the next steps would be? I
apologize if this isn't the right list to ask this on. If this is the
I would love to be directed to the best place to ask this. Thank you.

Scott Morris