Tracing Electronic Mail

Frederick M. Avolio

<avolio@tis.com>

Trusted Information Systems, Inc.

Glenwood, MD

Introduction

Just as methods can be employed to trace postal mail (p-mail) back to the sender, there are methods that can be employed for tracing electronic mail (e-mail). Just as the methods for p-mail do not work in 100% of the situations, neither are there guaranteed methods for tracing e-mail.

The purpose of this paper is to present steps that can be used to trace e-mail. We will use sample e-mail messages as the subjects of our analysis. All of the messages used are real messages that someone at another company sent from his machine behind an Internet firewall to an electronic mailbox behind TIS’ firewall.

Friends at Digital Equipment Corporation and Warner-Lambert assisted in this test and we use their mail with their permission.

Example 1: No Intentional Cover-up

We will first examine an e-mail message received from someone who has sent the mail without trying to protect his own e-mail address, name, or location.

The text of the message follows. The line numbers have been added to facilitate commenting below.

1 Return-Path: smith@wl.com

2 Received: from envoy.wl.com by TIS.COM (4.1/SUN-5.64)

3 id AA18270; Mon, 14 Jun 93 16:00:35 EDT

4 Received: by envoy.wl.com (5.65/allen-042593);

5 id AA14285; Mon, 14 Jun 1993 15:59:01 -0400

6 Received: by skynet.research.aa.wl.com (5.65/al042593);

7 id AA24870; Mon, 14 Jun 1993 15:58:17 -0400

8 Message-Id: <9306141958.AA24870@skynet.research.aa.wl.com>

9 From: John Smith <smith@wl.com>

10 X-Organization: Warner-Lambert / Parke-Davis Research

11 To: avolio@TIS.COM

12 Subject: #1 away

13 Date: Mon, 14 Jun 93 15:58:17 -0400

14 X-Mts: smtp

15

16 This is a test message.

17

For tracing purposes, the most interesting lines are the From: line (line 9) and the Received: lines (lines 2 through 7). The From: line can be faked, as we will see below, and so is generally not trustworthy, but still is worth pursuing. (We will look at tracing via the Received: lines in the next example.)

We could simply send e-mail to the sender at this point. It is usually better, though, to find out more about wl.com first, since information gathered elsewhere may suggest a way to approach the sender a bit more subtly.

There are two tools we can use on the Internet to get information about domain names, people, and organizations. The first is the whois service. If we issue the whois command with the argument wl.com, it returns the following.

 

% whois wl.com

Warner Lambert / Parke-Davis (WL-DOM)

2800 Plymouth Road

Ann Arbor, MI 48106

Domain Name: WL.COM

Administrative Contact, Technical Contact, Zone Contact: Leibowitz, Allen K. (AL184) leibowa@WL.COM

(313) 998-3314

Record last updated on 29-Apr-93.

Domain servers in listed order:

ENVOY.WL.COM 162.48.254.3

MERIT.EDU 35.1.1.42

The other tool is nslookup. We issue the command to nslookup asking for a Start of Authority (SOA) record for the domain wl.com.

% nslookup

Default Server: sol.TIS.COM

Address: 192.33.112.100

> set query=soa

> wl.com.

Server: sol.TIS.COM

Address: 192.33.112.100

Non-authoritative answer:

wl.com origin = envoy.wl.com

mail addr = root.wl.com

serial=22, refresh=10800, retry=600, expire=86400, min=86400

Authoritative answers can be found from:

ENVOY.WL.COM inet address = 162.48.254.3

MERIT.EDU inet address = 35.1.1.42

> exit

In this case, nslookup adds little. The SOA record confirms that envoy.wl.com is the primary name server for the domain, but the contact mail address it returns is a generic one (root@wl.com), so it is less useful than the named contact and telephone number that whois gave us.

At this point, with a phone number, organization, and address, one can proceed to contact the organization or individual involved. It might also be worthwhile to gather more data, as if we assumed that the From: line was faked.

 

Example 2: Intentional Cover-up

In this example, the mail address of the sender of the mail is suspected (or known) to have been falsified.

1 Return-Path: little.joe@bonanza.org

2 Received: from decuac.DEC.COM by TIS.COM (4.1/SUN-5.64)

3 id AA18164; Mon, 14 Jun 93 15:59:28 EDT

4 Received: from TIS.COM by decuac.DEC.COM (5.65/Ultrix-fma)

5 id AA04687; Mon, 14 Jun 93 15:58:25 -0400 XXX

6 Received: from envoy.wl.com by TIS.COM (4.1/SUN-5.64)

7 id AA17274; Mon, 14 Jun 93 15:51:58 EDT

8 From: Little Joe <little.joe@bonanza.org>

9 Date: Mon, 14 Jun 93 15:22:23 GMT

10 Message-Id: <9306141922.AA82912@bonanza.org>

11 To: Fred Avolio <avolio@TIS.COM>

12 Subject: bogus test #1

13

14 test #1

15 real time is Mon Jun 14 15:56:51 EDT 1993

16

17 -- Mr. Cartwright

Lines 1 and 8 indicate that the mail is from a user little.joe, real name Little Joe at domain bonanza.org. Using nslookup we determine that no such domain as bonanza.org exists.

% nslookup

Default Server: sol.TIS.COM

Address: 192.33.112.100

> set query=any

> bonanza.org.

Server: sol.TIS.COM

Address: 192.33.112.100

*** sol.TIS.COM can't find bonanza.org.: Non-existent domain

> exit

%

We assume this is a faked From: line and look to the Received: lines. Received: lines are added, one on top of another, as e-mail passes from one host to another. Unfortunately, they are not required, and, while most hosts do, some hosts don’t bother to add them. Think of Received: lines as postmarks, but postmarks that are added at each post office along the way, from mailing to delivery.

Reading from the bottom up, the first Received: line (lines 6 and 7) shows the mail entering host tis.com from envoy.wl.com at 15:51:58 EDT on Monday, June 14, 1993. Less than seven minutes later it was transferred from tis.com to decuac.dec.com (lines 4 and 5), and finally tis.com received it again from decuac.dec.com (lines 2 and 3) and delivered it locally. No bonanza.org machine appears anywhere on the path; the message first appeared on the Internet at envoy.wl.com, and the loop out through decuac.dec.com is why the same message carries two tis.com queue identifiers (AA17274 and AA18164).

Notice also that the Date: line (line 9) appears to have been faked: it claims 15:22:23 GMT, which is 11:22:23 EDT, about four and a half hours before the first Received: line shows the message entering tis.com. (Note that all of these header lines can be "faked." It is the analyst's job to look at them all together, decide what makes the most sense or seems to be correct, and then go forward, investigating with that data, until proven wrong.)

The next step is to check the log files on the other machines. To do this we must find out whom to contact at envoy.wl.com and decuac.dec.com. Again, we use whois for this.

% whois decuac.dec.com

Digital Equipment Corporation (DEC-DOM)

Western Research Laboratory

250 University Avenue

Palo Alto, CA 94301-1616

 

Domain Name: DEC.COM

 

Administrative Contact:

Reid, Brian K. (BKR) reid@PA.DEC.COM

(415) 688-1307

Technical Contact:

Vixie, Paul (PV15) paul@VIX.COM

(415) 858-2736

Zone Contact:

Treese, Win (WT48) treese@CRL.DEC.COM

(617) 621-6615

 

Record last updated on 07-Jul-92.

 

Domain servers in listed order:

 

GATEKEEPER.DEC.COM 16.1.0.2

CRL.DEC.COM 192.58.206.2

DECUAC.DEC.COM 192.5.214.1

Through mail to Brian Reid (the administrative contact), we learned that the specific contact for decuac.dec.com is Rick Murphy, murphy@cop.dec.com. We now check wl.com.

% whois emory.wl.com

No match for "EMORY.WL.COM".

% whois wl.com

Warner Lambert / Parke-Davis (WL-DOM)

2800 Plymouth Road

Ann Arbor, MI 48106

 

Domain Name: WL.COM

Administrative Contact, Technical Contact, Zone Contact:

Leibowitz, Allen K. (AL184) leibowa@WL.COM

(313) 998-3314

 

Record last updated on 29-Apr-93.

 

Domain servers in listed order:

 

ENVOY.WL.COM 162.48.254.3

MERIT.EDU 35.1.1.42

We know the contact information for our own site (tis.com), so now we have all the mail addresses we need to investigate further.

The next step is to check the log files on the other machines. We sent the following message:

From: Frederick M Avolio <avolio@tis.com>

X-Organization: Trusted Information Systems, Inc.

X-Phone: +1 301 854 6889, +1 410 442 1673, FAX: +1 301 854 5363

To: murphy@cop.dec.com, Allen Leibowitz <leibowa@wl.com>, dave@tis.com

Subject: Pls check mail logs and user stats from "last"

Date: Mon, 14 Jun 93 16:55:35 -0400

Sender: avolio@tis.com

 

I received the following mail that passed through your machines. Would you check the mail logs on decuac.dec.com for any data related to this file?

 

Looking at this, it would seem that someone connected to tis.com's sendmail process from envoy.wl.com at 15:51:58 EDT. It would be helpful if you could check the system to see who was logged in on that machine at that time. If you have any further data that would help us more closely pinpoint the sender, it would be appreciated.

 

On tis.com, if you could check your mail logs and send me any/all relevant data also, it would be appreciated.

 

Thx

Fred

------- Forwarded Message

Return-Path: little.joe@bonanza.org

Received: from decuac.DEC.COM by TIS.COM (4.1/SUN-5.64)

id AA18164; Mon, 14 Jun 93 15:59:28 EDT

Received: from TIS.COM by decuac.DEC.COM (5.65/Ultrix-fma)

id AA04687; Mon, 14 Jun 93 15:58:25 -0400 XXX

Received: from envoy.wl.com by TIS.COM (4.1/SUN-5.64)

id AA17274; Mon, 14 Jun 93 15:51:58 EDT

From: Little Joe <little.joe@bonanza.org>

Date: Mon, 14 Jun 93 15:22:23 GMT

Message-Id: <9306141922.AA82912@bonanza.org>

To: Fred Avolio <avolio@TIS.COM>

Subject: bogus test #1

 

[ Body of message deleted -- Avolio ]

 

------- End of Forwarded Message

 

We received back the following messages.

Message from wl.com:

From: Allen Leibowitz <leibowa@wl.com>

To: Frederick M Avolio <avolio@TIS.COM>

Cc: murphy@cop.dec.com, dave@TIS.COM

Subject: Re: Pls check mail logs and user stats from "last"

Date: Mon, 14 Jun 93 17:04:03 -0400

 

Nothing in our mail log.

 

This user was logged on:

smith ttyp3 itchy.research.a Mon Jun 14 15:47 - 16:42 (00:54)

Login name: smith In real life: John Smith

Directory: /usr/users/smith Shell: /bin/csh

On since Jun 14 16:59:08 on ttyp3 from itchy.research.a

 

Message from decuac.dec.com:

To: Frederick M Avolio <avolio@TIS.COM>

Cc: Allen Leibowitz <leibowa@wl.com>, dave@TIS.COM

Subject: Re: Pls check mail logs and user stats from "last"

In-Reply-To: Your message of "Mon, 14 Jun 93 16:55:35 EDT."

<9306142055.AA21666@TIS.COM>

Date: Mon, 14 Jun 93 19:50:04 -0400

From: "Rick Murphy" <murphy@burfle.cop.dec.com>

 

Relevant entries from the decuac.dec.com logs:

 

Jun 14 15:58:26 localhost 4687 sendmail: AA04687:

from=<little.joe@bonanza.org>, size=357, class=0,

received from TIS.COM (192.33.112.100)

Jun 14 15:58:29 localhost 4689 sendmail: AA04687:

to=<@decuac.dec.com:avolio@tis.com>, delay=00:00:04,

stat=Sent (tcp tis.com)

 

It appears that this originated from tis.com.

 

--Rick

Data from tis.com:

Jun 14 15:59:22 sol sendmail[17274]: AA17274:

from=little.joe@bonanza.org, size=263, class=0

Jun 14 15:59:29 sol sendmail[18164]: AA18164:

from=<little.joe@bonanza.org>, size=462, class=0

In looking at this data, the user John Smith on the wl.com system would appear to be the sender. While not all situations will be this straightforward, walking through the mail logs and headers can often get you close to at least a list of probable suspects.

Compare the log information from decuac.dec.com and tis.com: the data saved differs between the two sites. Each site decides what, if anything, is logged, and at what level of detail. There is still useful information to be gleaned from a minimal log. For example, the tis.com logs do not record the machine from which the mail was received or to whom it was going, but they do give the message size and the queue identifier (the names beginning with "AA" in the log examples, which also appear in the Received: lines as "id AA..."). Those identifiers can be used to follow a particular piece of mail through different systems. (Keep in mind that, because each mail gateway adds a Received: line, the size grows by 100 or so characters per hop; here 263 bytes on entry to tis.com became 357 at decuac.dec.com and 462 on the way back.)
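As an added illustration (not code from the original paper), the following Python script does the cross-site bookkeeping this paragraph describes. It takes the Received: lines of the Example 2 message, pulls the receiving host and queue identifier out of each, and looks them up in the log extracts the two sites returned. The header lines and log entries are retyped from the paper; the year, and the dictionary saying which site each log came from, are assumptions, since syslog entries carry neither (the syslog host field reads "localhost" and "sol", not the names the relays use in headers). Each row pairs a relay's own Received: stamp with its own log entry and reports the lag between them, and the script also computes the size growth from hop to hop, which comes out at 94 and 105 bytes, in line with the "100 or so characters" per gateway noted above. One thing the join makes visible is that tis.com logged AA17274 at 15:59:22, more than seven minutes after the 15:51:58 stamp in its Received: line, whereas the other two hops were logged within a second of their stamps; a discrepancy like that is exactly what to ask the system manager about.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample input, retyped from the paper: the Received: lines of the
# Example 2 message and the sendmail log entries the two sites sent back.
# Real syslog entries are one line each; the paper wrapped them for printing.
HEADERS = """\
Received: from decuac.DEC.COM by TIS.COM (4.1/SUN-5.64)
\tid AA18164; Mon, 14 Jun 93 15:59:28 EDT
Received: from TIS.COM by decuac.DEC.COM (5.65/Ultrix-fma)
\tid AA04687; Mon, 14 Jun 93 15:58:25 -0400
Received: from envoy.wl.com by TIS.COM (4.1/SUN-5.64)
\tid AA17274; Mon, 14 Jun 93 15:51:58 EDT

"""
# Keyed by the site each extract came from (an assumption we supply by hand),
# because the syslog host field need not match the name used in mail headers.
LOGS = {
    "decuac.dec.com": """\
Jun 14 15:58:26 localhost 4687 sendmail: AA04687: from=<little.joe@bonanza.org>, size=357, class=0, received from TIS.COM (192.33.112.100)
Jun 14 15:58:29 localhost 4689 sendmail: AA04687: to=<@decuac.dec.com:avolio@tis.com>, delay=00:00:04, stat=Sent (tcp tis.com)
""",
    "tis.com": """\
Jun 14 15:59:22 sol sendmail[17274]: AA17274: from=little.joe@bonanza.org, size=263, class=0
Jun 14 15:59:29 sol sendmail[18164]: AA18164: from=<little.joe@bonanza.org>, size=462, class=0
""",
}
YEAR = 1993   # syslog stamps carry no year; taken from the headers (assumption)

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ .*?sendmail\S*: (?P<qid>\w+): (?P<rest>.*)$")
HOP_RE = re.compile(r"\bby\s+(?P<by>[^\s;()]+).*?\bid\s+(?P<qid>[^\s;]+);\s*(?P<stamp>.+)$")


def parse_log(text):
    """Index a sendmail syslog extract as {queue id: [record, ...]}."""
    by_qid = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=YEAR)}
        for item in m.group("rest").split(", "):
            if item.startswith("received from "):       # the relay that handed it over
                rec["relay"] = item[len("received from "):]
            else:
                key, _, val = item.partition("=")
                rec[key] = val.strip("<>")
        by_qid.setdefault(m.group("qid"), []).append(rec)
    return by_qid


def correlate(raw_headers, logs):
    """Walk the Received: chain oldest first and attach each relay's own log records.

    Returns (rows, growth): one row per hop, and the byte growth between
    successive hops whose size was found in the logs."""
    indexed = {site: parse_log(text) for site, text in logs.items()}
    rows = []
    for value in reversed(message_from_string(raw_headers).get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))        # undo header folding
        if not m:
            continue
        site, qid = m.group("by").lower(), m.group("qid")
        # A relay's Received: stamp and its syslog share one clock and one zone,
        # so compare them as printed local time rather than converting to UTC.
        hdr_time = parsedate_to_datetime(m.group("stamp")).replace(tzinfo=None)
        row = {"site": site, "qid": qid, "header_time": hdr_time,
               "size": None, "from": None, "relay": None, "log_lag": None, "stat": None}
        for rec in indexed.get(site, {}).get(qid, []):
            if "from" in rec:                               # arrival record
                row.update(size=int(rec["size"]), log_lag=rec["ts"] - hdr_time)
                row["from"], row["relay"] = rec["from"], rec.get("relay")
            if "stat" in rec:                               # delivery record
                row["stat"] = rec["stat"]
        rows.append(row)
    sizes = [r["size"] for r in rows if r["size"] is not None]
    return rows, [b - a for a, b in zip(sizes, sizes[1:])]


if __name__ == "__main__":
    rows, growth = correlate(HEADERS, LOGS)
    for r in rows:
        print(f"{r['site']:16} {r['qid']} header {r['header_time']:%H:%M:%S} "
              f"log lag {r['log_lag']} size {r['size']} from={r['from']} relay={r['relay']}")
    print("growth per hop (bytes):", growth)
```

The regular expressions match the sendmail log and header formats shown in this paper; other mailers and later sendmail versions word both differently, and the log parser would need its patterns adjusted for them.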

Example 3: Other Examples

Of course, not all cases are straightforward. Received: lines can also be faked. In this example lines 4 and 5 are faked.

1 Return-Path: badguy@bad.place

2 Received: from bad.place (acme.com) by TIS.COM (4.1/SUN-5.64)

3 id AA28388; Tue, 15 Jun 93 10:41:21 EDT

4 Received: by crl.dec.com;

id AA01046; Tue, 15 Jun 93 10:38:33 -0400

5 Received: by quabbin.crl.dec.com;

id AA15488; Tue, 15 Jun 1993 10:33:19 -0400

6 Date: Tue, 15 Jun 93 10:39:51 EDT

7 Message-Id: <9306151440.AA28300@xxx.yyy>

8 From: Bad Guy <badguy@bad.place>

9 To: Fred Avolio <avolio@TIS.COM>

10 Subject: test 4

11

12 test 4

One cannot readily tell that they are faked just by looking at them. Notice that they record only when and by whom the mail was received (what time, on what system), not whom it was received from. That omission is not itself a sign of forgery: some mail systems do not record the sending host at all (compare lines 4 through 7 of Example 1).

In this case, we contact the system managers at crl.dec.com and ask them for information about messages with the identifiers AA01046 and AA15488 on their respective machines. We will find that these lead nowhere, since those machines never handled the message. But the final Received: line (lines 2 and 3), added when the message entered tis.com, might prove useful. Notice that line 2 indicates that when the connection was made, the remote system announced itself as bad.place, but when our system did a reverse lookup on the connecting address (rather like "Caller ID"), the Domain Name System said that it was acme.com. The name in parentheses is the one our own system determined, and so the one to trust; we could check with the managers of the system at acme.com (as we did in Example 2) and follow the trail from there.
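The checks on Received: lines described in this paper, both the bottom-up reading of the chain in Example 2 and the comparison of the claimed name with the reverse lookup in this example, can be automated. The Python script below is an added example, not code from the paper, and uses only the standard library. It parses the header blocks of Example 2 and Example 3 (retyped here as sample data, with the bodies and a few headers dropped), walks the Received: lines oldest first, and reports the things an analyst would otherwise check by eye: whether the domain in the From: line ever appears among the hosts the relays themselves recorded, whether any relay wrote down a claimed name that disagrees with its reverse lookup, whether any relay omitted the sending host altogether, whether the timestamps run backwards, and whether the Date: header is far from the first relay stamp. The one-hour tolerance is an assumption, and the regular expression matches the sendmail wording shown in this paper; other mailers phrase their Received: lines differently.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample input: the header blocks of Example 2 and Example 3 from
# this paper, retyped here with the uninteresting headers and bodies dropped.
EXAMPLE_2 = """\
Return-Path: little.joe@bonanza.org
Received: from decuac.DEC.COM by TIS.COM (4.1/SUN-5.64)
\tid AA18164; Mon, 14 Jun 93 15:59:28 EDT
Received: from TIS.COM by decuac.DEC.COM (5.65/Ultrix-fma)
\tid AA04687; Mon, 14 Jun 93 15:58:25 -0400
Received: from envoy.wl.com by TIS.COM (4.1/SUN-5.64)
\tid AA17274; Mon, 14 Jun 93 15:51:58 EDT
From: Little Joe <little.joe@bonanza.org>
Date: Mon, 14 Jun 93 15:22:23 GMT

test #1
"""

EXAMPLE_3 = """\
Return-Path: badguy@bad.place
Received: from bad.place (acme.com) by TIS.COM (4.1/SUN-5.64)
\tid AA28388; Tue, 15 Jun 93 10:41:21 EDT
Received: by crl.dec.com;
\tid AA01046; Tue, 15 Jun 93 10:38:33 -0400
Received: by quabbin.crl.dec.com;
\tid AA15488; Tue, 15 Jun 1993 10:33:19 -0400
Date: Tue, 15 Jun 93 10:39:51 EDT
From: Bad Guy <badguy@bad.place>

test 4
"""

# "from <claimed name> (<name from reverse lookup>) by <receiving host>"; the
# whole "from ..." part is optional, as lines 4 and 5 of Example 3 show.
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<helo>[^\s;()]+)(?:\s+\((?P<rdns>[^)]*)\))?\s+)?"
    r"by\s+(?P<by>[^\s;()]+)", re.IGNORECASE)


def parse_stamp(text):
    try:
        return parsedate_to_datetime(text)
    except (ValueError, TypeError):     # older Pythons raise TypeError on junk
        return None


def parse_received(value):
    """Split one Received: header into claimed peer, verified peer, receiver, id, time."""
    flat = " ".join(value.split())          # undo header folding
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    qid = re.search(r"\bid\s+([^\s;]+)", flat)
    when = parse_stamp(flat.rsplit(";", 1)[1]) if ";" in flat else None
    return {"from": m.group("helo"), "rdns": m.group("rdns"), "by": m.group("by"),
            "id": qid.group(1) if qid else None, "when": when}


def trace(raw, tolerance=timedelta(hours=1)):
    """Return (hops, findings): hops oldest first, findings as plain strings."""
    msg = message_from_string(raw)
    # Each relay prepends its line, so reversing puts the first hop first.
    hops = [h for h in map(parse_received, reversed(msg.get_all("Received", []))) if h]
    findings = []

    # Names the relays themselves wrote down: the receiving host and, where the
    # receiver did a reverse lookup, the peer's real name.  The HELO name is the
    # peer's own claim and is deliberately left out of this set.
    vouched = {h["by"].lower() for h in hops} | {h["rdns"].lower() for h in hops if h["rdns"]}
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain and not any(n == domain or n.endswith("." + domain) for n in vouched):
        findings.append(f"From: domain {domain} never appears among the relays")

    for h in hops:
        if h["from"] is None:
            findings.append(f"{h['by']} (id {h['id']}) did not record who handed it the message")
        elif h["rdns"] and h["from"].lower() != h["rdns"].lower():
            findings.append(f"{h['by']}: peer claimed to be {h['from']} but reverse lookup gave {h['rdns']}")

    stamps = [h["when"] for h in hops if h["when"] is not None and h["when"].tzinfo]
    if any(later < earlier - tolerance for earlier, later in zip(stamps, stamps[1:])):
        findings.append("Received: timestamps run backwards by more than the tolerance")
    date = parse_stamp(msg.get("Date", ""))
    if date is not None and date.tzinfo and stamps:
        gap = stamps[0] - date
        if abs(gap) > tolerance:
            findings.append(f"Date: header is {gap} away from the first relay stamp")
    return hops, findings


if __name__ == "__main__":
    for name, raw in (("Example 2", EXAMPLE_2), ("Example 3", EXAMPLE_3)):
        hops, findings = trace(raw)
        print(name, "->", " -> ".join(f"{h['from'] or '?'}>{h['by']}" for h in hops))
        for f in findings:
            print("   ", f)
```

Run against Example 2 it reports that bonanza.org never appears among the relays and that the Date: header sits four and a half hours before the first relay stamp; against Example 3 it reports that bad.place is absent from the relays, that quabbin.crl.dec.com and crl.dec.com recorded no sending host, and that tis.com's reverse lookup (acme.com) disagrees with the name the peer claimed (bad.place). A finding is a reason to ask questions, not proof: the tolerance absorbs ordinary clock skew, and a relay that omits the sending host may simply be an older mailer.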

Example 4: An Analysis of Real Falsified Mail

We at TIS received, on a machine under our management, an example of falsified or spoofed mail in which someone had made it look as if it came from a government VIP. This mail did not constitute a threat, nor was it probably meant to be taken seriously by the recipients. We include this as a real-life example of a mail message that was received and that needed to be traced. Analysis was done for demonstration purposes only. We do not recommend this type of analysis on all forged e-mail of a non-threatening nature, since the time spent does not justify the benefits gleaned (none).

We received this mail "by accident." The sender intended to mail it to a group of addresses on a mailing list, but an error condition caused it to be routed to us, unbeknownst to the sender.

1. The spoofed message as originally sent (complete with typographical errors) is:

Received: from VIPLAC.GOV (a.b.c.d.e) by

x.b.c.d.e with SMTP id AA00559

(5.65c/IDA-1.4.4 for nnnnnn@x.b.c.d.e);

Thu, 10 Jun 1993 17:02:17 -0400

Date: Thu, 10 Jun 1993 17:02:17 -0400

From: billyboy@viplace.gov

Message-Id: <199306102102.AA00559@x.b.c.d.e>

Apparently-To: nnnnnn@x.b.c.d.e

 

This is an important message blah blah blah...

Please note the first line. A machine, x.b.c.d.e, received this from another host. The other host claimed to be VIPLAC.GOV, which is almost a real host name but was intentionally misspelled. Someone, probably on x.b.c.d.e, decided to play a joke. That someone was probably logged on a.b.c.d.e (see the hostname in parentheses, which the receiving system determined for itself).

This person probably did the following:

· Connected to the SMTP port (TCP port 25) on x.b.c.d.e with TELNET.

· Identified itself as VIPLAC.GOV in the HELO command. The mail software recorded that claim and then showed, in parentheses, what it had determined the connecting host's name to be: a.b.c.d.e.

· Told the mail server (with the MAIL FROM and RCPT TO commands) that it had mail for mailing list nnnnnn on that host and that it was from billyboy@viplace.gov.

· Typed in the text of the message. The job was not a thorough one: the person included neither the (customary but not required) Subject: line nor a To: header line; the mail program adds an Apparently-To: line when no To: line exists.
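The session reconstructed above can be replayed in a model. The Python code below is an added example, not the paper's own: it is the receiving side of a bare-bones SMTP exchange (HELO, MAIL FROM, RCPT TO, DATA, QUIT) with no network involved. The client lines are the steps above written out as the commands a person would type; the reverse-lookup table standing in for gethostbyaddr(), the documentation address 192.0.2.5, the fixed timestamp and the queue identifier are assumptions chosen to reproduce the paper's first header. What it makes concrete is which fields come from the sender and which from the server: the HELO name, the envelope sender and the message text are whatever the peer chose to send, while the name in parentheses, the timestamp, the queue identifier and the Apparently-To: line are written by the receiving host and are the parts worth trusting.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Assumed reverse-lookup table standing in for gethostbyaddr(); 192.0.2.0/24 is
# reserved for documentation.  The connecting address resolves to a.b.c.d.e,
# which is what the paper's Received: line shows in parentheses.
REVERSE_DNS = {"192.0.2.5": "a.b.c.d.e"}

# What the joker typed at the mail port of x.b.c.d.e, written out from the
# paper's reconstruction.  HELO, MAIL FROM, RCPT TO and the text are the only
# things the peer controls; the server fills in everything else itself.
SESSION = [
    "HELO VIPLAC.GOV",
    "MAIL FROM:<billyboy@viplace.gov>",
    "RCPT TO:<nnnnnn@x.b.c.d.e>",
    "DATA",
    "This is an important message blah blah blah...",
    ".",
    "QUIT",
]

FIXED_NOW = datetime(1993, 6, 10, 17, 2, 17, tzinfo=timezone(timedelta(hours=-4)))


def receive_smtp(peer_ip, client_lines, my_name="x.b.c.d.e", qid="AA00559", now=FIXED_NOW):
    """Server side of a bare-bones SMTP session; nothing touches the network.

    Returns (replies, message): the reply lines the server sent, and the text
    it would queue, headed by the Received: line the server wrote itself
    (None if no message was completed)."""
    rdns = REVERSE_DNS.get(peer_ip, f"[{peer_ip}]")   # shown in parentheses, like sendmail
    replies = [f"220 {my_name} SMTP ready"]
    helo, mail_from, rcpts, body = None, None, [], None
    lines = iter(client_lines)
    for line in lines:
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "HELO":
            helo = arg                                   # the peer's claim, recorded verbatim
            replies.append(f"250 {my_name} Hello {helo} ({rdns})")
        elif verb == "MAIL" and arg.upper().startswith("FROM:"):
            mail_from = arg[5:].strip().strip("<>")
            replies.append("250 Sender ok")
        elif verb == "RCPT" and arg.upper().startswith("TO:") and mail_from is not None:
            rcpts.append(arg[3:].strip().strip("<>"))
            replies.append("250 Recipient ok")
        elif verb == "DATA" and rcpts:
            replies.append('354 Enter mail, end with "." on a line by itself')
            body = []
            for text in lines:                            # consumes up to the lone "."
                if text == ".":
                    break
                body.append(text[1:] if text.startswith("..") else text)   # dot-unstuffing
            replies.append(f"250 {qid} Message accepted for delivery")
        elif verb == "QUIT":
            replies.append(f"221 {my_name} closing connection")
            break
        elif verb in ("MAIL", "RCPT", "DATA"):
            replies.append("503 Bad sequence of commands")
        else:
            replies.append("500 Command unrecognized")
    if body is None:
        return replies, None

    stamp = format_datetime(now)
    # Separate any header lines the sender typed from the text that follows them.
    idx = 0
    while idx < len(body) and body[idx] and ":" in body[idx].split(" ", 1)[0]:
        idx += 1
    typed_headers, text = body[:idx], body[idx:]
    if text and text[0] == "":
        text = text[1:]
    present = {h.split(":", 1)[0].lower() for h in typed_headers}
    # Everything in 'headers' is written by the receiving host, not by the sender.
    headers = [f"Received: from {helo or 'unknown'} ({rdns}) by {my_name} "
               f"with SMTP id {qid} for {rcpts[0]}; {stamp}"]
    if "date" not in present:
        headers.append(f"Date: {stamp}")
    if "from" not in present:
        headers.append(f"From: {mail_from}")
    if "to" not in present:                  # sendmail's behaviour when no To: was supplied
        headers.append(f"Apparently-To: {rcpts[0]}")
    return replies, "\n".join(headers + typed_headers + [""] + text) + "\n"


if __name__ == "__main__":
    replies, message = receive_smtp("192.0.2.5", SESSION)
    print("\n".join(replies))
    print("\n" + message)
```

The model enforces only the command ordering (MAIL before RCPT, RCPT before DATA) and does nothing to verify the HELO name or the envelope sender, which is exactly the situation the paper describes: a 1993 SMTP server accepted both on faith, and the only thing the joker could not control was what the server itself looked up and wrote down.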

2. An error condition was encountered on x.b.c.d.e. The error message, "Options MUST PRECEDE persons", is of no real interest, except that it caused the message to bounce.

...

From: Mail Delivery Subsystem <MAILER-DAEMON@x.b.c.d.e>

Message-Id: <199306102102.AA00609@x.b.c.d.e>

To: billyboy

Cc: Postmaster@x.b.c.d.e

Subject: Returned mail: unknown mailer error 5

 

----- Transcript of session follows -----

mail: Options MUST PRECEDE persons

554 nnnnnn@x.b.c.d.e... unknown mailer error 5

 

----- Unsent message follows -----

...

When a message "bounces" with an error, the mail system returns it to the sender. As far as x.b.c.d.e could tell, the sender was billyboy@viplace.gov, so it sent the error report to viplace.gov for that user. Error reports are sent from MAILER-DAEMON, as the From: line above shows.

3. Viplace.gov doesn’t have such a user and bounced the mail back to the sender: MAILER-DAEMON@x.b.c.d.e.

...

From: MAILER-DAEMON@viplace.gov (Mail Delivery Subsystem)

Subject: Returned mail: User unknown

Message-Id: <9306102105.AA01806@viplace.gov>

To: MAILER-DAEMON@x.b.c.d.e

 

----- Transcript of session follows -----

550 <billyboy@viplace.gov>... User unknown

 

----- Recipients of this delivery -----

Bounced, cannot deliver:

<billyboy@viplace.gov>

 

----- Unsent message follows -----

...

Finally, the same strange error on x.b.c.d.e (the Navy machine) caused the report from our MAILER-DAEMON to their MAILER-DAEMON to bounce in its turn, back to viplace.gov, where it reached the system manager (which is how we got it).

The entire message as received here follows:

From MAILER-DAEMON@x.b.c.d.e Thu Jun 10 17:06:51 1993

Received: by viplace.gov (5.65/fma/mjr-120691);

id AA01824; Thu, 10 Jun 93 17:06:49 -0400

Received: from x.b.c.d.e/131.158.51.20 via smap

Received: by x.b.c.d.e id AA00630

(5.65c/IDA-1.4.4 for <MAILER-DAEMON@viplace.gov>);

Thu, 10 Jun 1993 17:05:09 -0400

Date: Thu, 10 Jun 1993 17:05:09 -0400

From: Mail Delivery Subsystem <MAILER-DAEMON@x.b.c.d.e>

Message-Id: <199306102105.AA00630@x.b.c.d.e>

To: MAILER-DAEMON

Cc: Postmaster@x.b.c.d.e

Subject: Returned mail: unknown mailer error 5

Status: R

----- Transcript of session follows -----

mail: Options MUST PRECEDE persons

554 root... unknown mailer error 5

----- Unsent message follows -----

Received: from viplace.gov by x.b.c.d.e

with SMTP id AA00628

(5.65c/IDA-1.4.4 for <MAILER-DAEMON@x.b.c.d.e>);

Thu, 10 Jun 1993 17:05:09 -0400

Received: by viplace.gov (5.65/fma/mjr-120691);

id AA01806; Thu, 10 Jun 93 17:05:49 -0400

Date: Thu, 10 Jun 93 17:05:49 -0400

From: MAILER-DAEMON@viplace.gov (Mail Delivery Subsystem)

Subject: Returned mail: User unknown

Message-Id: <9306102105.AA01806@viplace.gov>

To: MAILER-DAEMON@x.b.c.d.e

 

----- Transcript of session follows -----

550 <billyboy@viplace.gov>... User unknown

 

----- Recipients of this delivery -----

Bounced, cannot deliver:

<billyboy@viplace.gov>

 

----- Unsent message follows -----

Received: by viplace.gov (5.65/fma/mjr-120691);

id AA01804; Thu, 10 Jun 93 17:05:49 -0400

Received: from x.b.c.d.e/131.158.51.20 via smap

Received: from VIPLAC.GOV (a.b.c.d.e)

by x.b.c.d.e id AA00609

(5.65c/IDA-1.4.4 for <billyboy@viplace.gov>);

Thu, 10 Jun 1993 17:02:17 -0400

Date: Thu, 10 Jun 1993 17:02:17 -0400

From: Mail Delivery Subsystem <MAILER-DAEMON@x.b.c.d.e>

Message-Id: <199306102102.AA00609@x.b.c.d.e>

To: billyboy

Cc: Postmaster@x.b.c.d.e

Subject: Returned mail: unknown mailer error 5

 

----- Transcript of session follows -----

mail: Options MUST PRECEDE persons

554 nnnnnn@x.b.c.d.e... unknown mailer error 5

 

----- Unsent message follows -----

Received: from VIPLAC.GOV (a.b.c.d.e)

by x.b.c.d.e with SMTP id AA00559

(5.65c/IDA-1.4.4 for nnnnnn@x.b.c.d.e);

Thu, 10 Jun 1993 17:02:17 -0400

Date: Thu, 10 Jun 1993 17:02:17 -0400

From: billyboy@viplace.gov

Message-Id: <199306102102.AA00559@x.b.c.d.e>

Apparently-To: nnnnnn@x.b.c.d.e

 

This is an important message blah blah blah...

 

Summary of Steps in Tracing Electronic Mail

1. Check From: line or Sender: line for mail address.

2. Check Received: lines, reading from the bottom (oldest) up, to see whether they match or help the analysis of the sender.

3. Use whois or nslookup to get information about the computers or domains used and to get personal contact information.

4. Get mail log and user log information from the relevant computers through contact with the system managers or other representatives of the organizations that own the computers.