Someone sent me an email, and I truly need to trace it back to whoever sent it. This is an individual who has been stealing passwords, account information, etc… from UBID members, and they need to be stopped. They sent me an email, and I really need to find out who they are, somehow. So, is this possible?
It may be possible, depending on the headers included with the email, and whether or not you can access them. You can probably at least trace the individual back to an ISP and work from there.
If you can view the detailed headers of the email message, you should see something like:
Received: from mailserver.hisisp.com ([1.1.1.1]) by mailserver.yourisp.com ([2.2.2.2]) with SMTP id RAA25161 for <you@yourisp.com>; Tue Oct 8 2002 19:19:30 -400 (EDT)
…if there were mail relays in between, there may be more than one “Received:” line, e.g.:
Received: from relay.otherisp.com ([3.3.3.3]) by mailserver.yourisp.com ([2.2.2.2]) with SMTP id RAA25161 for <you@yourisp.com>; Tue Oct 8 2002 19:19:30 -400 (EDT)
Received: from mailserver.hisisp.com ([1.1.1.1]) by relay.otherisp.com ([3.3.3.3]) with SMTP id RAA25161 for <you@yourisp.com>; Tue Oct 8 2002 19:17:45 -400 (EDT)
…the last “Received:” line listed will be as far back as you can trace the mail message, and in theory should be the machine that originated the message.
Yes.
E-mail contains “headers” which show the path the e-mail takes as it is passed from one computer to the next. The header display is normally toggled off in most e-mail programs but you should be able to switch it on. Copy and paste just the headers here (the body of the message isn’t as important) and we can at least tell you which ISP it came from.
How do I go about seeing the “headers” in AOL mail?
Never mind, is this what you need?
Return-Path: <customerservice@ubld.com>
Received: from rly-xd02.mx.aol.com (rly-xd02.mail.aol.com [172.20.105.167]) by air-xd01.mail.aol.com (v89.10) with ESMTP id MAILINXD11-1007165659; Mon, 07 Oct 2002 16:56:58 -0400
Received: from web102.bizmail.yahoo.com (web102.bizmail.yahoo.com [216.136.172.122]) by rly-xd02.mx.aol.com (v89.10) with ESMTP id MAILRELAYINXD26-1007165636; Mon, 07 Oct 2002 16:56:36 2000
Message-ID: <20021007205635.71773.qmail@web102.bizmail.yahoo.com>
Received: from [62.231.66.127] by web102.bizmail.yahoo.com via HTTP; Mon, 07 Oct 2002 13:56:35 PDT
Date: Mon, 7 Oct 2002 13:56:35 -0700 (PDT)
From: “uBid Inc.” <customerservice@ubld.com>
Subject: Security Check
To: lumkinsc98@aol.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-2015247683-1034024195=:71165"
By the way, I got the above by clicking on “details” in the header.
I once got an email from Bill Gates, who was developing an email tracing program. He was offering $5000 to anyone who forwarded to everyone they know, which I of course did. I never got a check, though, so it may not be available yet. Probably needs more testing.
I got this from a whois search on the IP. Email abuse to abuse@rdsnet.ro
WHOIS Query Result for 62.231.66.127:
inetnum 62.231.66.0 - 62.231.66.255
Origin RDSNET
descr Romania Data Systems
descr Bucharest Branch
country RO
Admin. Contact AS1385-RIPE
Tech. Contact RDS-RIPE
status ASSIGNED PA
remarks INFRA-AW
Notify as-admin@rdsnet.ro
mnt-by AS8708-MNT
changed tim@rdsnet.ro 20020809
source RIPE
route 62.231.64.0/18
descr RDSNET
Origin AS8708
mnt-by AS8708-MNT
changed tim@rdsnet.ro 20011123
source RIPE
role Romania Data Systems NOC
address 71-75 Dr. Staicovici
address Bucharest / ROMANIA
phone +40 21 30 10 888
fax-no +40 21 30 10 892
e-mail tech@rdsnet.ro
Admin. Contact AS1385-RIPE
Tech. Contact BS747-RIPE
NIC Handle RDS-RIPE
remarks ---------------------------------
remarks abuse reports: abuse@rdsnet.ro
remarks NOC Phone 24x7: +40 21 30 10 888
remarks NOC E-mail: support@rdsnet.ro
remarks ---------------------------------
Notify tech@rdsnet.ro
mnt-by AS8708-MNT
changed tim@rdsnet.ro 20010507
source RIPE
person Andrei Stirbu
address Romania Data Systems
address Str. Sf. Vineri nr. 25
address Bl. 105C sector 3
address Bucharest, Romania
phone +40 21 301 0888
fax-no +40 21 301 0851
e-mail andii@rdsnet.ro
NIC Handle AS1385-RIPE
Notify as-admin@rdsnet.ro
mnt-by AS8708-MNT
changed danacorb@rnc.ro 19990212
changed ciprian@rnc.ro 19990805
changed root@s2.rnc.ro 20000218
changed andii@rdsnet.ro 20000220
source RIPE
I doubt your target is actually posting from Rumania. I’d guess that that server is hosting an open relay. It doesn’t show up in the Open Relay Database at this time, though … Anyway, if that’s the case, your trail is at a dead-end. (Unless it’s possible that your guy really is in Rumania, in which case you should contact Interpol. Or something.)
Why do you think this person has been “stealing” passwords … dealing with cases like this daily - it is just a nerd form of territorial pissings … stay out of my chat room or I will hack you etc. (AKA nuke ya)
If you are worried about people cracking your passwords make a good alphanumeric password
i.e.
n33ks923m
mw933nd7
ba5344j3j
etc.
never put real names in and never end a password with the number 1
i.e.
fred1
happy1
gordon1
just too easy to break.
Because they stole mine, and hundreds of other UBID users, that’s why.
How is this person stealing passwords and stuff and why did he e-mail you?
It's easy to forge headers too. It's probably just a spam scam email.
I would argue that 62.231.66.127 must be more than an open relay – it is actively involved in the forgery. If it were simply an open relay, there would be another “Received:” line which looks like this:
Received: from <some other site> by 62.231.66.127 …
So either 62.231.66.127 is a relay which conceals sources prior to it (which means it’s a haven for abuse and should be reported) or it’s the guy’s computer which originated the mail. I’d put money on the latter.
Brent, here’s how you read these headers. Here they are in a simplified form (note that they’re chronologically backwards):
(1) Received: from machine2.aol.com by machine1.aol.com
(2) Received: from mailserver.yahoo.com by machine2.aol.com
(3) Received: from 62.231.66.127 by mailserver.yahoo.com
This boils down to machine1.aol.com making the following claim:
“I, machine1.aol.com, received this message from machine2.aol.com.
machine2.aol.com claims to have received this message from mailserver.yahoo.com, but I have not verified that. If you trust machine2.aol.com, you can treat this as a verifiable fact.
Further, machine2.aol.com claims that mailserver.yahoo.com claims to have gotten the message from 62.231.66.127. If you trust both machine2.aol.com and mailserver.yahoo.com, then you can treat this as a verifiable fact.”
So you can see that going further down in the headers involves deciding which servers you trust. It’s probably safe to say that machines handling mail for aol.com and yahoo.com are trustworthy enough to accurately record the sources of the messages they handle. Which leaves you suspecting 62.231.66.127 (see NotMrKnowItAll’s info).
This seems pretty straightforward: the originating computer is the bad one. Note, however, that the trace could look something like this:
(1) Received: from machine2.aol.com by machine1.aol.com
(2) Received: from mailserver.yahoo.com by machine2.aol.com
(3) Received: from 62.231.66.127 by mailserver.yahoo.com
(4) Received: from machine1.microsoft.com from 62.231.66.127
(5) Received: from machine2.microsoft.com from machine1.microsoft.com
Note that in this case, you can’t trust the lines that claim to come from x.microsoft.com, because the untrustworthy machine (62.231.66.127) could have just fabricated those out of thin air. Once you trace back to a machine you don’t trust, nothing past that point can be trusted.
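As an added example (not code from anyone in this thread), here is a small Python script that applies the trust-chain rule from the two explanations above: walk the Received: lines top-down, accept a hop only while the server that recorded it is one you trust, and treat everything after the first untrusted hop as unverifiable. The trusted domain list and the sample headers (constructed to mirror the simplified chain above, including the two forged microsoft.com lines) are assumptions, not the thread's real headers.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the simplified chain in the thread. Received:
# lines are listed most-recent first, so the origin is the furthest-down line
# that a trusted server wrote; the two microsoft.com lines are the forged tail.
SAMPLE_HEADERS = """\
Received: from machine2.aol.com (machine2.aol.com [10.0.0.2]) by machine1.aol.com with ESMTP id X1; Mon, 07 Oct 2002 16:56:58 -0400
Received: from mailserver.yahoo.com (mailserver.yahoo.com [10.0.0.3]) by machine2.aol.com with ESMTP id X2; Mon, 07 Oct 2002 16:56:36 -0400
Received: from [62.231.66.127] by mailserver.yahoo.com via HTTP; Mon, 07 Oct 2002 13:56:35 PDT
Received: from machine1.microsoft.com by 62.231.66.127 with SMTP; Mon, 07 Oct 2002 13:50:00 PDT
Received: from machine2.microsoft.com by machine1.microsoft.com with SMTP; Mon, 07 Oct 2002 13:49:00 PDT
"""

# Assumption: domains whose mail servers you believe record sources honestly.
TRUSTED_DOMAINS = ("aol.com", "yahoo.com")

# Captures the "from" host (bare, bracketed IP, or followed by a comment) and the "by" host.
RECEIVED_RE = re.compile(r"^Received:\s+from\s+\[?([^\s\]\(]+)\]?.*?\bby\s+([^\s;\(]+)", re.I)


def is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def parse_received(headers: str) -> List[Tuple[str, str]]:
    """Return (from_host, by_host) pairs in header order (most recent first)."""
    # Unfold RFC 822 continuation lines first; real headers wrap, the sample does not.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops = []
    for line in unfolded.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def trace_origin(headers: str, trusted=TRUSTED_DOMAINS):
    """Return (origin, verified_hops, unverifiable_hops).

    A hop is only as believable as the 'by' server that wrote it, so the walk
    stops at the first hop recorded by an untrusted host: that host could have
    fabricated every line below it."""
    hops = parse_received(headers)
    verified, origin = [], None
    for i, (frm, by) in enumerate(hops):
        if not is_trusted(by, trusted):
            return origin, verified, hops[i:]
        verified.append((frm, by))
        origin = frm  # furthest-back source a trusted server vouches for
    return origin, verified, []


if __name__ == "__main__":
    src, ok, bad = trace_origin(SAMPLE_HEADERS)
    print("origin:", src, "| verified hops:", len(ok), "| unverifiable:", [f for f, _ in bad])
```

On the sample this stops at the hop "by 62.231.66.127", reports that IP as the origin, and flags both microsoft.com lines as unverifiable, which is exactly the reasoning the last two posts describe.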