![[P]](/web/20051013055303im_/http://www.kuro5hin.org/images/print3.gif)
|
Finding the location, identity, or affiliation of email senders (Internet)
By shinyobject
Fri Sep 30th, 2005 at 12:11:03 PM EST
|
|
|
Thanks to wireless networks, internet cafes, and web mail, it is now common to send email from just about anywhere. So, where was that friend, coworker, or stalker when she sent that message last night, and what else can we learn about her? Using simple techniques and a few well known, but often-overlooked email headers and internet tools, it's often easy to find out.
Likewise, the email you send may also include your location and
school or employer, even if sent from a personal account.
Do you or should you care?
|
|
|
|
|
|
|
|
Why care?
In general, you probably don't or shouldn't care where people are when they send mail. But other times it might be nice to know. What if you received a message like this one:
From: Bill
Subject: I've taken the cash and left town
See you never! Ha ha!
Well, you'll probably never get one like that, but maybe there's one of these in your inbox:
From: Jeff
Subject: Still stuck in Chicago
These meetings are taking forever. I'll need to stay all week.
Obviously that one is from Chicago, right?
But who is your "Secret Satan"?
From: Secret Satan
Subject: It is time
Guess who!
How about this next person, is she really an Apple insider?
From: Alice
Subject: Details on the new Wi-Fi iPod
Are you interested?
And is this next anonymous source real?
From: Informant
Subject: The new iPod causes hurricanes
Apple is staging a massive cover-up! Warn your readers!
Although most of us don't operate a hot rumor site, we may nevertheless
like to know what is hiding in the email we send and
receive, and whether it matters to us.
These fake messages are a little contrived, but they help us
to consider the situations in which a little information can
reveal a lot about a sender, using one of a few simple techniques.
Okay, okay, I care. Where are these people?
First you need to find the full message headers. If you don't know how to do this, just search for "<mail client> message headers".
(e.g.
outlook message headers
or
yahoo message headers)
The headers should look something like this:
Received: from 66.163.179.137 (HELO web35513.example.com) (66.163.179.137)
by mta160.example.com with SMTP; Sun, 25 Sep 2005 05:52:35 -0700
Received: (qmail 98625 invoked by uid 60001); 25 Sep 2005 12:52:34 -0000
Received: from [216.99.217.141] by web32706.example.com via HTTP; Sun, 25 Sep 2005 05:52:34 PDT
Message-ID: <2005091234232423@example.com>
Date: Sun, 25 Sep 2005 05:52:34 -0700 (PDT)
From: Bill <sender@example.com>
Subject: I've taken the cash and left town
To: Ted <you@example.com>
Now find the line furthest from the top that starts with "Received:", as shown in bold below.
Received: from 66.163.179.137 (HELO web35513.example.com) (66.163.179.137)
by mta160.example.com with SMTP; Sun, 25 Sep 2005 05:52:35 -0700
Received: (qmail 98625 invoked by uid 60001); 25 Sep 2005 12:52:34 -0000
Received: from [216.99.217.141] by web32706.example.com via HTTP; Sun, 25 Sep 2005 05:52:34 PDT
Message-ID: <2005091234232423@example.com>
Date: Sun, 25 Sep 2005 05:52:34 -0700 (PDT)
From: Bill <sender@example.com>
Subject: I've taken the cash and left town
To: Ted <you@example.com>
The "received" header usually has a "from" section and a "by" section:
Received: from [216.99.217.141] by web32706.example.com via HTTP; Sun, 25 Sep 2005 05:52:34 PDT
The "from" shows which machine is sending the message, and the "by" shows which machine is accepting it. In this case, the "from" machine most likely belongs to the sender, while the "by" machine belongs to their ISP. If you can't find a "from", then this technique won't work.
Next you need to find the IP address in the "from" part. This will be a series of four numbers separated by periods.
Received: from [216.99.217.141] by web32706.example.com via HTTP; Sun, 25 Sep 2005 05:52:34 PDT
Sometimes there might be other information on the "received" line, but the "from" IP address should still be easy to spot.
Received: from mobile (c-67-176-46-122.hsd1.co.comcast.net[67.176.46.122])
by comcast.net (sccrmhc12) with SMTP
id <2005023423523rfw34>; Wed, 21 Sep 2005 20:12:33 +0000
Email generated by viruses and spammers will typically include false headers
and other misleading information. Dissecting those headers is much more
complex and is covered in
greater
detail elsewhere. However, for most normal personal mail, the simple
technique described above is sufficient to find the originating IP address.
The following examples demonstrate several different ways in which
this IP address can be used to surmise the sender's location, identity,
or affiliation.
A reverse DNS lookup will find the host name associated with the IP address. This will typically reveal who the user's ISP or employer is. There are many websites that offer free reverse DNS lookup. Continuing with the example, we see that the IP address "216.99.217.141" has the host name "216-99-217-141.dsl.aracnet.com". This tells you that the sender has DSL internet access from aracnet.com.
But you really wanted to find the user's location, not whether they use DSL. Luckily for you, there are also websites that will try to determine the geographic location of an IP address. This site shows that "216.99.217.141" is located in Portland, Oregon. So thanks to Bill's IP address, we have a pretty good idea of where he went with the money. These tools are not perfect, so it is sometimes helpful
to get a second opinion.
Of course Portland is a pretty big place. It would be nice to narrow things down a little further. This is not as easy, but sometimes it is possible. Perhaps you know some of Bill's friends in Portland. If you received email from them in the past, then you might have the IP addresses of their computers. Maybe you find this message that Steve sent last week:
Received: from [216.99.217.141] by web32706.example.com via HTTP; Wed, 28 Sep 2005 03:54:11 PDT
From: Steve <steve@example.com>
Subject: things
To: Ted <you@example.com>
It was sent from the same IP address (216.99.217.141) as Bill's message! Bill most likely used Steve's computer to send the message. Now you know where to look for Bill.
Most home computers have temporary IP addresses, but with "always on" internet access, such as DSL and cable, "temporary" IP addresses can last for weeks or months. This is why the message that Bill sent using Steve's computer is likely to include the same IP address as the message that Steve sent using his computer last week.
Even when you can't discover exactly which computer was used to send the message, just knowing the city or even country could be enlightening. Let's move on to the second example email and take a look at the appropriate "received" header.
Received: from [81.66.12.180] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Jeff <jeff@example.com>
Subject: Still stuck in Chicago
These meetings are taking forever. I'll need to stay all week.
A geographic lookup on "81.66.12.180" shows that this message was most likely sent from Paris, France! No wonder Jeff is going to stay all week.
Can IP location help unmask the Secret Satan?
Received: from [81.66.66.66] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Secret Satan <secret@example.com>
Subject: It is time
Guess who!
The "anonymous" Secret Satan is likely someone you know, so search the
headers of your old mail for his IP address, "81.66.66.66". You may find a
message like this:
Received: from [81.66.66.66] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:11:52 PDT
From: Chris <chris@example.com>
Subject: Let's meet at noon
See you then
As in the first example, this shows that Chris is sharing a
computer or internet connection with Secret Satan. They aren't necessarily
the same person, but it's a good lead, and Secret Satan is a lot
less anonymous.
Sometimes you may be more interested in the information returned by the reverse DNS lookup. This could be the case with the third example message.
Received: from [17.255.100.112] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Alice <alice@example.com>
Subject: Details on the new Wi-Fi iPod
Are you interested?
Is Alice in a position to know anything about a new Apple product? A reverse DNS lookup on "17.255.100.112" returns "A17-255-100-112.apple.com". The message appears to have been sent from inside of Apple! This can happen even if Alice used a public webmail system and not Apple's email.
How about the other iPod email?
Received: from [207.46.125.17] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Informant <informant@example.com>
Subject: The new iPod causes hurricanes
Apple is staging a massive cover-up! Warn your readers!
A reverse DNS lookup on "207.46.125.17" returns "tide17.microsoft.com". I'm suspicious. But what if this "informant" was a little less obvious and instead sent the email using his home computer?
Received: from [24.16.89.112] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Informant <informant@example.com>
Subject: The new iPod causes hurricanes
Apple is staging a massive cover-up! Warn your readers!
A geographic lookup says that "24.16.89.112" is in Bellevue, Washington, just down the street from Microsoft, so I would still suspect a connection.
Does this technique always work?
No. Some email providers do not include the sender's IP address in the email headers. Even if they do, the sender may be accessing the internet though an anonymizer, such as Tor. It is also possible to confuse the process of finding the correct "received" header by including fake "received" headers. This tactic is very common among spammers, but very rare in normal email. Even when you do get the sender's IP address, the geographic lookup can sometimes return the wrong location.
It is also possible that you will bump into an internal host or IP address that is part of a private network. In these cases you will need to examine the "received" headers closer to the top of the message. However, you will generally only see this in corporate email, in which case the organizational affiliation is already obvious and the geographic location would correspond to the corporat email servers, not the user.
And Finally...
Does your email include this information? To find out, simply send an email to yourself, and then follow the above process to see if it includes your IP address and location. If your message does not appear to have any "received" headers, then you are looking at a local copy in your outbox. You need to check the message returned by your mail server; it may be necessary to "check mail" before this appears.
Please post whether your email includes your IP address, and if so, how accurate the location information is. Of course email has been like this forever, but originally the IP address belonged to some server at your school or workplace, and so it didn't reveal much that wasn't already obvious from your email address. Thanks to webmail and laptops, email can now travel with you, but it may reveal more than you realize.
I'm would like to hear what others think about this. How many of you knew that this information may be included in your email, and do you care? How many of you have used this trick to discover the location of a sender?
|
|
|
![]](/web/20051013055303im_/http://www.kuro5hin.org/images/header/rt_edge3.gif){kind=small}
![[XML]](/web/20051013055303im_/http://www.kuro5hin.org/images/rssblue.gif){kind=small}
