Have you ever read an email? I bet you were about to say "yes!", but I assure you that you most likely have not.
What you've read is just what the sender wanted you to see. Emails are not delivered to your computer screen by some magical force; the process involves various transformations applied to the message while it is en route. The real thing looks different, and it contains details that indicate how the message travelled across the globe before it reached you.
I will reveal some of the details about how it works, and explain how this can be used to track anonymous messages. While the story itself is in plain English, there are some technical quirks that I'll include for the geeks in the audience; feel free to skip those and look at the pictures instead.
Email is based on several communication protocols, such as POP3 (to retrieve messages) and SMTP (to send them). These protocols are quite straightforward; once you familiarize yourself with them you learn that:
- an email traverses multiple nodes on a network before it reaches you
- various headers are added to it at each step of the way
- the server trusts whatever the sender says
The last bit is particularly interesting: when I connect to an SMTP server to send a message, I have to specify the recipient and the subject of the email, and say who I am. I can write whatever I want in the "from" field. Even though my name is Alex, nothing prevents me from saying that I am Jane, and that my address is email@example.com instead of firstname.lastname@example.org.
Who would design such a protocol? Doesn't it open a lot of possibilities for abuse?
Those are reasonable questions. Life was simple back in the old days; protocols were not designed with security in mind. The ancient Geeks were doing things simply because they could, and it was good™... until evil and greedy people began to exploit this and ruined the experience for all of us. But I digress.
Today, a properly configured SMTP server will not relay messages for a random person in the street, so spoofing identities (i.e. sending something as if it came from someone else) is not as trivial as it used to be.
One day I received such an email. It happened during the exam period at the university; this is what it looked like:
The context is that a number of students copied someone else's work, which I recognized thanks to a paragraph in the text. I wanted to find the original author, and that's when the anonymous messages began pouring in. The mailing list provides a historical record.
What did I do next? Having read the POP3 specification, I knew that there's more in that email than the untrained eye can see. So I took a look at its headers: the extra lines prepended to the message whenever it passes from one node to another.
Here's how to do that. It is very simple, so fire up telnet right away and connect to the POP3 server of your email provider. The example below illustrates how that works when there's no encryption involved.
You can see that it is quite straightforward. The commands are easy to understand and you can read your email this way. The nice side effect is that when girls ask you about your favourite email client, you can say "telnet", and they'll be impressed by your 1337 skills!
Here's a real example of such a session:
+OK 5 messages (242688 octets)
+OK 8090 octets
Received: from [22.214.171.124] (port=29199 helo=n7.bullet.sp1.yahoo.com)
by mx36.mail.ru with esmtp
for email@example.com; Thu, 05 Jul 2007 09:00:11 +0400
Received-SPF: none (mx36.mail.ru: 126.96.36.199 is neither permitted nor denied by domain of returns.bulk.yahoo.com) client-ip=188.8.131.52; envelope-from=direct.mruxezldoqwtsmrxgeydsojvg4wtknrxguwtmmzs-omniflez=mail.ru
Received: from [184.108.40.206] by n7.bullet.sp1.yahoo.com with NNFMP; 05 Jul 2007 05:01:17 -0000
Received: from [220.127.116.11] by t3.bullet.sp1.yahoo.com with NNFMP; 05 Jul 2007 05:01:17 -0000
Date: 04 Jul 2007 22:35:57 -0700
Received: from [127.0.0.1] by dmserver2.ycrm.sp1.yahoo.com with NNFMP; 05 Jul 2007 05:35:57 -0000
From: "Yahoo! Photos" <firstname.lastname@example.org>
Subject: Yahoo! Photos is closing -- Action Required
Content-Type: text/plain; charset="iso-8859-1"
Dear Yahoo! Photos user,
For some time now, we've
[blablabla, a lot of text here]
+OK POP3 server at mail.ru signing off
You should have noticed a few things:
- the password is sent to the server in plain text
- when I retrieve the message, the server first sends me some mumbo-jumbo (the headers)
- followed by an empty line, which marks the beginning of the actual message (it is called the body - that's what normal people see)
- the end of the message is marked with a line containing a single dot. "What if my body contains a line with a single dot in it?" - this is left as an exercise to the reader
The other thing you need to know is that the message usually contains the IP address of the original sender. Each server on the way adds its own Received header on top of the message, so the bottom-most Received header was written by the first server that handled the message, and it records the address the sender connected from.
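As an added example (not code from the original post), here is what a POP3 client has to do with the RETR response shown above before it can look at the headers, and how to walk the Received chain from the bottom up. The server response is constructed by hand from the session above; the two body lines that start with a dot are added to exercise the byte-stuffing rule (the answer to the exercise), which the transcript above does not show. The address classification and the "only trust the headers your own provider added" caveat are my additions.

```python
"""Read a POP3 RETR response the way a client has to (RFC 1939, section 3)
and walk the Received: chain of the message from the bottom up.

Added example, not code from the original post.  RETR_RESPONSE is
constructed from the session shown in the article; the two body lines
beginning with '.' are added to exercise byte-stuffing.
"""
import email
import ipaddress
import re
from email.message import Message

# Constructed RETR response.  A conforming server ends a multi-line
# response with a line holding a single '.', and any message line that
# itself starts with '.' is sent with an extra '.' in front of it.
RETR_RESPONSE = (
    "+OK 8090 octets\r\n"
    "Received: from [22.214.171.124] (port=29199 helo=n7.bullet.sp1.yahoo.com)\r\n"
    "\tby mx36.mail.ru with esmtp\r\n"
    "\tfor email@example.com; Thu, 05 Jul 2007 09:00:11 +0400\r\n"
    "Received: from [184.108.40.206] by n7.bullet.sp1.yahoo.com with NNFMP;"
    " 05 Jul 2007 05:01:17 -0000\r\n"
    "Received: from [220.127.116.11] by t3.bullet.sp1.yahoo.com with NNFMP;"
    " 05 Jul 2007 05:01:17 -0000\r\n"
    "Received: from [127.0.0.1] by dmserver2.ycrm.sp1.yahoo.com with NNFMP;"
    " 05 Jul 2007 05:35:57 -0000\r\n"
    'From: "Yahoo! Photos" <firstname.lastname@example.org>\r\n'
    "Subject: Yahoo! Photos is closing -- Action Required\r\n"
    "\r\n"
    "Dear Yahoo! Photos user,\r\n"
    "..\r\n"          # on the wire: the real body line is a lone '.'
    "..sig\r\n"       # on the wire: the real body line is '.sig'
    "Regards\r\n"
    ".\r\n"           # terminator, not part of the message
)


def unstuff_retr(response: str) -> str:
    """Strip the +OK status line and the '.' terminator from a RETR
    response and undo byte-stuffing, returning the raw message text."""
    status, *lines = response.split("\r\n")
    if not status.startswith("+OK"):
        raise ValueError(f"server refused RETR: {status}")
    message = []
    for line in lines:
        if line == ".":                      # end of the multi-line response
            return "\r\n".join(message) + "\r\n"
        message.append(line[1:] if line.startswith(".") else line)
    raise ValueError("response ended without a '.' terminator")


def parse_retr(response: str) -> Message:
    """Parse a RETR response into an email.message.Message."""
    return email.message_from_string(unstuff_retr(response))


# Address of the previous hop as written in a Received: header,
# with or without the surrounding square brackets.
FROM_IP_RE = re.compile(r"\bfrom\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_chain(msg: Message) -> list:
    """Return the hops oldest-first.  Each server prepends its own
    Received: header, so the LAST one in the message is the first hop,
    the only place the sending client's address can appear."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        header = " ".join(raw.split())       # unfold continuation lines
        match = FROM_IP_RE.search(header)
        ip = match.group(1) if match else None
        kind = None
        if ip:
            addr = ipaddress.ip_address(ip)
            kind = ("loopback" if addr.is_loopback
                    else "private" if addr.is_private
                    else "public")
        hops.append({"from_ip": ip, "kind": kind, "header": header})
    return hops


def origin(msg: Message):
    """Best guess at the sender's address, plus a caveat.  Only headers
    added by servers you trust are reliable: a sender can put fake
    Received: lines at the bottom of its own message, so in a real
    investigation start from the header your own provider added and
    work downwards only as far as the servers you recognise."""
    hops = received_chain(msg)
    if not hops:
        return None, "no Received headers at all"
    first = hops[0]
    if first["kind"] != "public":
        return first["from_ip"], (
            "first hop is a %s address: the message was probably "
            "generated on the provider's own systems (webmail, a "
            "notification service), so it does not point at a client"
            % first["kind"])
    return first["from_ip"], "first hop, as recorded by: " + first["header"]


if __name__ == "__main__":
    m = parse_retr(RETR_RESPONSE)
    for hop in received_chain(m):
        print(hop["from_ip"], hop["kind"])
    print(origin(m))
```

Against a live server the same unstuffing applies to the response of TOP n 0, which returns only the headers of message n and is the cheaper way to pull the Received chain without downloading every message.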
I then used a WHOIS server to find out more details about this address. Run "whois railean.net" or "whois 127.0.0.1" (replace the localhost address with the IP you're interested in) from a command line, or use one of the web-based whois services any search engine will point you to. You can learn things such as:
- which country the IP address is registered in
- which Internet provider it belongs to
- which person to contact if you notice any abuse from this address
Here's an actual example (I somewhat changed the email addresses to protect the innocent) of a query for an IP address from Sri Lanka:
inetnum: 18.104.22.168 - 22.214.171.124
descr: ADSL SECTION-IP &BB
descr: ADSL - SRI LANKA TELECOM
status: ASSIGNED NON-PORTABLE
changed: email@example.com 20050202
person: Asela Eranda
address: Internet Division
address: 7th floor
address: OTS Building
address: Sri Lanka Telecom
address: Lotus Road
remarks: Please send all IP abuse complaints to firstname.lastname@example.org
changed: email@example.com 20090331
changed: firstname.lastname@example.org 20090507
Running the same query on the address from the anonymous message is how I figured out it belonged to someone from Moldova, the same city as the one I live in, and that the company responsible for the IP address is Moldtelecom.
However, that doesn't answer the question "who the hell is this person?", does it? I needed to harvest more information, so I applied some social engineering.
I responded to the students' mailing list in a way that encouraged the sender to write more messages of this kind. After collecting some additional samples, I saw that they all originated from the same address. This part was important, because otherwise I would have been forced to extrapolate from a single data point, and that's not a good thing.
To map the IP address to a person, I relied on my uber-archive; it contains almost every message I have sent or received since I got an email account. Being able to search the entire message (that is, the headers and the body, not just the body) is the key ingredient.
After a few moments, the search results were displayed.
There were several emails that came from that IP address: the anonymous ones, and two other people, who consistently used the same IP since the beginning of the semester. Most of the messages (and all of the recent ones) came from one person.
That person was the mysterious sender. It's easy when you know how, right? Yes, but not quite. This was easy because the sender didn't take even basic measures to conceal their location.
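The pivot described above, as an added example that is not the author's code or archive: index a mail archive by the address in the bottom-most Received header, pull out everyone who has written from the anonymous sender's IP, and rank them by how often and how recently they did so. ARCHIVE is a handful of constructed messages standing in for the "uber-archive"; the senders, dates and IPs (RFC 5737 documentation ranges) are made up, and "anonymous@example.com" stands for the anonymous sender.

```python
"""Pivot through an email archive on the first-hop address: find every
message whose bottom-most Received: header carries the target IP and
see who else has been writing from there.

Added example, not the author's code.  ARCHIVE is constructed; every
name, address and IP in it is made up.
"""
import email
import re
from collections import defaultdict
from email.message import Message
from email.utils import parsedate_to_datetime

FIRST_HOP_RE = re.compile(r"\bfrom\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def _msg(sender, date, *hops):
    """Build a raw message.  hops are (from_ip, by_server) oldest-first
    and are stacked newest-first, as real servers prepend Received:."""
    received = "".join(
        f"Received: from [{ip}] by {server}; {date}\r\n"
        for ip, server in reversed(hops))
    return (f"{received}From: {sender}\r\nDate: {date}\r\n"
            f"Subject: test\r\n\r\nhello\r\n")


ARCHIVE = [
    # the anonymous messages, which arrived through the list server
    _msg("anonymous@example.com", "Wed, 20 May 2009 10:00:00 +0000",
         ("203.0.113.7", "smtp.example.com"), ("192.0.2.10", "lists.example.edu")),
    _msg("anonymous@example.com", "Thu, 21 May 2009 09:30:00 +0000",
         ("203.0.113.7", "smtp.example.com"), ("192.0.2.10", "lists.example.edu")),
    # two people who have mailed from the same address all semester
    _msg("alice@example.org", "Tue, 10 Feb 2009 08:00:00 +0000",
         ("203.0.113.7", "smtp.example.org")),
    _msg("alice@example.org", "Mon, 18 May 2009 22:15:00 +0000",
         ("203.0.113.7", "smtp.example.org")),
    _msg("bob@example.org", "Thu, 12 Feb 2009 11:45:00 +0000",
         ("203.0.113.7", "smtp.example.org")),
    # unrelated traffic from elsewhere
    _msg("carol@example.org", "Tue, 19 May 2009 13:00:00 +0000",
         ("198.51.100.9", "smtp.example.org")),
]


def first_hop_ip(msg: Message):
    """Address in the bottom-most Received: header (the first hop),
    or None if there is none or it carries no IP literal."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = FIRST_HOP_RE.search(" ".join(received[-1].split()))
    return match.group(1) if match else None


def index_by_first_hop(archive):
    """{first_hop_ip: {sender: [dates]}} over the whole archive.  The
    From: header is the self-declared identity the post warns about;
    the grouping is only as trustworthy as the archive's own Received:
    headers, which is why the IP, not the From:, is the key."""
    index = defaultdict(lambda: defaultdict(list))
    for raw in archive:
        msg = email.message_from_string(raw)
        ip = first_hop_ip(msg)
        if ip:
            index[ip][msg["From"]].append(parsedate_to_datetime(msg["Date"]))
    return index


def candidates(archive, target_ip, anonymous_sender):
    """Non-anonymous senders seen behind target_ip, best candidate first:
    most messages, then most recent.  A shared address (NAT, a dorm, a
    campus proxy) legitimately carries several people, which is why
    more than one sample is needed before drawing a conclusion."""
    seen = dict(index_by_first_hop(archive).get(target_ip, {}))
    seen.pop(anonymous_sender, None)
    return sorted(seen.items(),
                  key=lambda item: (len(item[1]), max(item[1])),
                  reverse=True)


if __name__ == "__main__":
    for sender, dates in candidates(ARCHIVE, "203.0.113.7", "anonymous@example.com"):
        print(sender, len(dates), "messages, latest", max(dates).date())
```

With a real archive the same index is built once over an mbox or Maildir and then queried for any IP of interest; the ranking is a lead, not proof, and the shared-address caveat in the docstring is the reason the post waited for several samples.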
Comment from: Anonymous [Visitor]
Well, you didn't blur the name enough, because a person who has the list can cross-reference it.
That is an important observation, but for a different reason: blurred pictures can be deblurred.
Such filters use a function that transforms the pixels of an image, and one can reverse the process and get pretty decent results by applying an inverse transformation.
If you want to hide something - cover it with a black rectangle; Interpol caught a pedophile who "protected" his face using a similar method.
If you’re interested in this kind of forensics, check out Fourandsix.
This one is “just blurred” because it doesn’t contain any secret information, the identity of the sender is hidden because it is not relevant in this context, not because I wanted it protected. In fact, there’s a much easier way to find the person - see who responded to message 157 on the fafomatic mailing list (which is public).
Comment from: Lucifer [Visitor]
Is the original IP: 126.96.36.199 ???
No, this is the IP of the last SMTP server in the chain. You should read it from the bottom up.
In this specific case, the IP of origin is set to 127.0.0.1
Received: from [127.0.0.1] by dmserver2.ycrm.sp1.yahoo.com with NNFMP; 05 Jul 2007 05:35:57 -0000
The email in question is sent by a Yahoo service, so the email could have been generated on the server itself, hence you see 127.0.0.1.
If it were sent by a real person, the person’s IP should be there.
Note that different email services have different behaviours, some may not reveal the IP of the original sender.
Comment from: Toxic [Visitor]
Great article! A detective story, I must admit. Very useful and cool. ;)
Comment from: Rich [Visitor]
You are from Moldova. Perfect. I am trying to figure out if a girl I am dating is scamming me. I am in the USA. If her email is labeled "...from mobile mail.ru", does that mean she is sending from her mobile network, or would her phone say that on email even if on WiFi? I noticed that sometimes, when I know she is home, there is no "mobile mail.ru" stamp on the bottom of her email. Does that just mean she is on her laptop and not on her iPhone 4 or 5? Can I tell from her email if she is on her home WiFi or out at night screwing someone else and just pretending to send me a goodnight email from home?
Hi Rich, if you end up thinking about ways to formally determine whether something is true or false in a relationship - that’s a red flag right there.
But if we take that aside and focus on the technical matter itself, here’s what I think about this situation. I don’t use the mail.ru service so I am not familiar with those labels you mention.
However, just like I wrote in the article, if the source IP address is present in the headers of the email - you’ll see her home WiFi address, regardless of the device (laptop, phone, etc) she used to send the message.
If you see some other IP address, it could mean that she is not at home. Or it could mean that she’s sending it from another WiFi network available from her home (some Internet providers here provide free access and you can catch the signal without getting out of your house), or from her 3G data plan.
In other words, there are multiple ways to interpret the data, so the best bet is to just ask a direct question and get a direct answer. Perhaps you can just ask for a video call on Skype and see the environment.
p.s. it also helps not to assume that she is screwing someone else.