Smart Computing
Protect Yourself
July 2000 • Vol.8 Issue 7
Page(s) 64-65 in print issue

Backtracking E-mail
How To Hunt Spammers
Electronic mail (e-mail) is one of the many good things in life that lends itself well to misuse. E-mail has greatly enhanced the way we do business, as well as simplified and sped up personal communications. You can now send someone a picture or a letter, and the person can literally get it in seconds instead of days if you had sent the picture or letter via regular mail. And just as your traditional mailbox becomes stuffed full of unwanted junk mail, your e-mail inbox suffers from the same digital fate.

E-mail is a nearly anonymous, faceless form of communication that direct-mail marketers and those just trying to cause a little mischief can easily misuse. But what can you do if the e-mail becomes more than just a nuisance and crosses over to threatening? How can you determine who sent you a piece of e-mail and prove it? It isn't easy, but you can do it. You can backtrack an e-mail message, but it requires getting knee-deep in the workings of the Internet and some of the e-mail servers.



The Internet & IP.

For better or worse, everything that happens on the Internet is tracked, logged, and analyzed. Somewhere, a system is recording all your activities, from when you log on to your ISP (Internet service provider) to how many e-mail messages you send. This is a feature of the underlying transmission protocol in use on the Internet.

The Internet uses a protocol (a way of exchanging data) called TCP/IP (Transmission Control Protocol/Internet Protocol; a language governing communication among all computers on the Internet). Every computer and device that attaches to the Internet must have a unique IP (Internet Protocol; the address of a computer on a TCP/IP network) address. Just as commercial Web sites have a unique IP address, you have one for the duration of your Internet time. (Your ISP assigns you this address.) This is where the logging begins.



Follow The Trail.

Let's follow the IP trail left by a typical online user to see what information is available to the would-be digital detective. Normally, if you were trying to track down an online stalker, you would be going about this in the reverse order presented here. However, we felt it was easier to explain by starting at the dial-up stage instead of at the other end.

Because your ISP bills are based on your monthly connect time, its system tracks a large amount of data each time you call. Its system can tell you not only your user name but also what time you called, when you logged off, the amount of data you sent or received, and which phone line you called in on. This is true of a mom-and-pop ISP or a large corporate service such as AOL (America Online). This is the first link in the online chain.

If you send any e-mail, it first has to go to your ISP's SMTP (Simple Mail Transfer Protocol; a communications protocol that directs e-mail exchange on TCP/IP networks) server. This is an outbound-only mail server that takes user e-mail, inspects the destination address, locates the destination on the Internet, and then sends it on its way. Again, this is all carefully logged with a time and date stamp, file size, e-mail package ID, sending computer name (yes, your computer's name with your ISP), destination, and result (error, OK, etc.). This information provides a link from a message to a specific user session on a specific Internet service.

So now, the e-mail is on its way to your mailbox. When it arrives, it may or may not have traveled a direct path from the sender's SMTP mail server to your POP3 (Post Office Protocol 3; a format for storing and retrieving e-mail messages used by mail servers and clients) inbound mail server. If the e-mail followed a direct path, the sending SMTP server added its machine name, IP address, date and time stamp, and other pertinent information to the header (a section of an e-mail, ordinarily at the beginning of the message, that routes it to its destination and often identifies the sender) of the e-mail packet. If the message bounced through a couple of systems, all those mail systems added their local information to the e-mail's header. (Things can get messy if your mail goes through more than a couple of mail servers.)

You're probably wondering where all this header information is because 99% of us never see it. It is hidden in the message and not displayed to you unless you specifically ask your mail client for it. To view this information in Microsoft Outlook 98, for example, open the e-mail, click the View menu, and select Message Options. In the Internet Headers section, you will find the routing and other hidden processing information. Other e-mail programs have similar viewing options.

So we can now find out where an e-mail came from, at what time the user sent it, and who (what user name) sent it. From the ISP, we can find out who that user is and directly associate an e-mail with that person. That's good, but really tracking the message to a user requires the involvement of your local authorities and possibly a court order to get access to the user logs. Most of the time, if you forward the e-mail to the system that sent it, along with a note asking that something be done about the sender, the ISP will police itself before actual legal action needs to take place. So far, so good, right? Well, for normal e-mail, that is usually enough.



Spammer Tricks.

If everything was that easy, none of us would have to deal with megabytes of junk e-mail from addresses that only a Martian could pronounce. What these professional bulk mailers do is use other mail servers as a relay point for their mail. The unwitting relay servers are simply doing their job, to the detriment of innocent users. If an e-mail server is not configured to disallow relay mail, a spammer (a person who sends unsolicited bulk e-mail) can send his or her batch of mail to an SMTP server not on his or her ISP's network and then out to the intended targets. The relay server is a dumping-off point that looks like a legitimate host, with the original source almost completely hidden.
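The header walk described above, and the way a relay hop shows up in it, as an added example that is not part of the original article: the script parses the Received: lines of a constructed message, puts them into transit order, and checks that each hop links to the next, so the address the relay recorded for the sending dial-up machine is the first entry. All host names, addresses and ids are made up.

```python
"""Walk an e-mail's Received: headers to recover its hop-by-hop path.

Added example, not from the original article. Each server that handles a
message prepends its own Received: line, so the bottom line is the first
hop (the machine that handed the mail over) and the top line is the last.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: hosts, addresses and ids are made up. The message
# was handed to an intermediate (relay) server before reaching the recipient.
RAW_MESSAGE = """\
Received: from relay.example-relay.net (relay.example-relay.net [198.51.100.7])
    by mx.recipient-isp.example (Postfix) with ESMTP id 4F2A1B
    for <victim@recipient-isp.example>; Sat, 01 Jul 2000 10:15:03 -0500
Received: from dialup-42.sender-isp.example (dialup-42.sender-isp.example [203.0.113.42])
    by relay.example-relay.net with SMTP id QAA12345;
    Sat, 01 Jul 2000 10:14:51 -0500
From: someone@free-webmail.example
To: victim@recipient-isp.example
Subject: constructed sample

body text
"""

# Matches the common "from HELO (reverse-dns [ip]) ... by SERVER" form.
_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)

def parse_hops(raw):
    """Return the hops in transit order (origin first) as dicts."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = _HOP_RE.search(value)
        if not m:
            continue  # unparseable line: skip rather than guess
        _, _, stamp = value.rpartition(";")  # the date follows the last ';'
        hops.append({"from": m.group("helo"), "ip": m.group("ip"),
                     "by": m.group("by"),
                     "time": parsedate_to_datetime(stamp.strip())})
    return hops

def chain_is_consistent(hops):
    """Each server that received hop N should be the one handing off hop N+1."""
    return all(a["by"] == b["from"] for a, b in zip(hops, hops[1:]))
```

With the sample, `parse_hops(RAW_MESSAGE)[0]["ip"]` is the dial-up address the relay logged, which is the value you would quote when reporting the message to the originating ISP's abuse contact.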



Hotmail & Other Web-Based Mail Systems.

We can see from above that anyone can easily trace an e-mail back to its source. You can even track mail coming from Web-based e-mail services such as Hotmail back to the creator. What does hinder the tracking of messages from these services is that there is no user-identity verification when a user creates the e-mail account. You can put in any name, address, sex, and age for your e-mail account.

It takes some work, but even with these Web-based mail systems, you can still track a message back to its originator. These systems log what IP address accessed the system (the e-mail writer) and at what date and time. Using this information, you can still go back to the ISP and find out what user name logged on at that time. It's a painful process, but one that you can do.



Proving Authorship.

So we have seen how we can follow the path an e-mail takes through the digital domain . . . providing someone actually wrote the message. Here's the bad part: Just because the message came from a particular computer does not mean the main user of that computer wrote the message. We call the person the "main user" because in many homes and offices, more than one person has access to the computer, and we humans are generally lazy and save our dial-up passwords. This lets anyone walk up, go online, and send e-mail. And you can't prove which person sent the message.

However, more often than not, you can handle harassing e-mails by simply forwarding them to the "abuse" account of the originating domain. Many times the Web master handles complaints. In larger systems, though, an abuse team will handle your concerns. Before getting too crazy and calling the police and FBI, send copies of the e-mails to the domain they came from and see what it can do for you. Most of the time, that is all it takes to stop the harassment. If it doesn't, contact your ISP and ask for its help filtering the e-mail. As a last resort, you may have to get the authorities involved to shut down an offensive spammer.

by Keith Schultz




Anonymous Surfing


If you want to protect your privacy while surfing or e-mailing on the Web, there are a couple of resources available to you, some of which are free. One such site is Anonymizer.com (http://www.anonymizer.com). When you surf through the Anonymizer.com system, it blocks your online information from potentially prying digital eyes. Things such as your IP (Internet Protocol) address and e-mail address, browser type and version, cookie data, and other personal data are kept behind its proxy server's walls, letting you escape logging and profiling by other Web sites.

Anonymizer.com offers a free service, as well as a premium account for $5 per month. The paid accounts receive priority Web access and URL (universal resource locator) encryption. URL encryption helps prevent proxy systems from detecting your destination Web address. The site also offers anonymous dial-up access, as well as e-mail. In addition, business users can take advantage of Anonymizer.com's network licensing so multiple users can use the system at the same time.

An all-free service is silentbrowser.com (http://www.silentbrowser.com). Even though it isn't quite as comprehensive as Anonymizer.com, silentbrowser.com provides a solid level of privacy protection without requiring you to fork over your cash. The-Cloak.com (http://www.the-cloak.com) goes one step farther with free anonymous surfing by not only encrypting the data from your browser to its system but also offering remote cookies support. This means any cookies left by Web sites you visit are on The-Cloak.com's system, not on your system.

You can surf anonymously to protect your privacy, but be aware that even these services may keep usage logs, if for nothing other than to determine whether any illegal activity is taking place through their systems. The-Cloak.com, for example, keeps log files for a few days to make sure a spammer didn't use its system in a spamming raid.






Copyright © 2009 Sandhills Publishing Company U.S.A. All rights reserved.