You've Got Email...to Trace!
We all get email, way too much of it. And sometimes it can come from anonymous sources, or from people claiming to hold important positions in a company, government or agency.
But how do you really know where an email came from?
The sender's address shown in the From: line can be faked trivially. Try it yourself. Go into the settings of your favourite email program (Outlook, Outlook Express, or a web-based service such as Hotmail or Gmail). Somewhere in the account configuration it asks what email address you want shown as the sender. Type in george@whitehouse.gov or osama@cave.com and that is the address that will appear on the recipient's screen when you send a message.
It's a ruse that only goes so far: if they hit "reply" you'll never get their answer, whether you're really in a cave or the White House or not. But the point is, on the internet what you see is often not what you get.
Alternatively, anyone can create a "real" front by setting up a genuine email account that then forwards (bounces) replies to a main, hidden mailbox. For example, one of my public addresses, juliansher@canada.com, does that for me. But someone else could have set up that account, pretended to be me and received replies to that address.
So every journalist should be wary of email origins ... and know how to trace them.
Of course, as a matter of policy, never quote from an email purporting to be from an important source or person without confirming, by phone or another direct contact, that the person is who they say they are.
But there are also ways you can do some basic investigation beforehand.
READ THE NUMBERS
Computers are designed to simplify things for us so they keep a lot of things hidden from view.
For example, we humans think the website for CNN is www.CNN.com, but those words, called domain names, are a convenience: the Domain Name System translates them into numbers so we can find our way around the web without having to punch in the numbers ourselves. CNN's real web address, called its IP or Internet Protocol address, is 64.236.24.28. Try typing those numbers into your browser and you'll get CNN's home page. (This shortcut does not always work: the number behind a name can change, and many sites may share one number.)
Each computer connected to the Internet needs such a unique identification. Think of it as the street address of your house. It is usually shown as four numbers separated by dots, like CNN's "64.236.24.28".
Similarly, every time you connect to the internet to send an email, whether at work, at home or in a web café, your computer uses an IP address. (Often, many computers in the same office or internet café share a single public IP address, so the number identifies the place, not the individual machine.)
So the task in tracing an email is first, to find the originating IP address and second, if possible, to figure out where that address is located.
READ THE HEADERS
To do that, you have to probe behind the simple face of an email. Most mail programs, to keep things smooth and easy, hide the technical data that travels with every message. You usually see only the From:, To: and maybe the CC: lines.
But if you are unsure of an email's authenticity, you can get a lot of information by looking at what is called the "header": a record, added to by each mail server the message passed through, of where that email traveled on its way to you.
Every email program allows you to view the headers. You just have to find out the steps to take.
For example, in most recent versions of Outlook:
*Open up the email
*Click on View
*Click on Options
*In the bottom box, labeled "Message Header" you should see a lot of text with plenty of numbers that look like technical gibberish. Highlight, copy and paste that text in a Word document or another format you use.
In Outlook Express, it is slightly different:
* Open the e-mail message
* Click the File menu
* Click Properties
* Click the Details tab
* Click Message Source button
* Highlight, copy and paste that text
*Or, you can use the keyboard shortcut CTRL+F3 to open the Message Source window and copy the text from there.
(For those of you who use corporate email programs such as Groupwise, there are more detailed steps on my web page at www.journalismnet.com/people/trace.htm)
Okay. Assuming you've completed the steps above, you should see what amounts to a travel diary showing the steps that email took as it bounced across the internet to your inbox. For example, I recently received an email from someone saying he was with the US Department of Justice. The message header looked something like this:
X-Gmail-Received: 0ac5ff953e33e7c61391d4994b8031f57180a017
Delivered-To: sher.julian@gmail.com
Received: by 10.64.179.14 with SMTP id b14cs1173qbf;
Thu, 27 Oct 2005 13:01:52 -0700 (PDT)
Received: by 10.64.193.7 with SMTP id q7mr1977781qbf;
Thu, 27 Oct 2005 13:01:52 -0700 (PDT)
Return-Path: <John.Smith@usdoj.gov>
Received: from wdcsun3.usdoj.gov (wdcsun3.usdoj.gov [149.101.1.103])
by mx.gmail.com with ESMTP id q16si364711qbq.2005.10.27.13.01.51;
Thu, 27 Oct 2005 13:01:52 -0700 (PDT)
But how can I be sure the person really did send the message from Washington's Department of Justice?
RUN THE NUMBERS
Once you have the full message header, you want to find the starting point of the email. Reading message headers can be daunting. Some mail services help by adding a line that says:
X-Originating-IP
This records the IP address of the computer the sender was using when the message was submitted (some webmail services add it).
If there is no such line, look for the lines that begin
Received:
These show the route the email took to reach you. Each mail server that handles a message adds a Received: line at the top, so the chain reads newest to oldest: the top line was written by your own provider, and the bottom line is the first hop, closest to the sender. In the example above, the bottom Received: line is the one that matters. The name right after "from" is what the sending computer announced about itself; the part in parentheses and square brackets is what Gmail's server actually observed when that computer connected to it, including its IP number:
149.101.1.103
Only the Received: lines written by your own provider can be trusted. A sender can type fake Received: lines into a message before handing it over, and those would appear below the genuine ones, so work downward from the top and stop at the first line your provider did not write.
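The header-reading step above, as an added example that is not code from the original article: a short Python script that unfolds the Received: lines, walks them newest to oldest, stops at the first line not written by your own provider, and reports the public IP recorded there along with whether the sender's announced name matches what reverse DNS found. The first sample header is the one shown above; the second is constructed to show a forged lower hop, where the sender actually connects from 63.164.145.198 (the Kinko's address mentioned later on this page) and the names mx.example.org, mail.usdoj.gov and the id strings are made up. The whois step that follows still needs a live lookup and is not automated here.

```python
"""Walk an e-mail's Received: chain to find where it entered your provider.

Added example for this article, not code from the original page; standard
library only. SAMPLE_HEADER is the header shown in the article. FORGED_HEADER
is constructed: the sender connected from 63.164.145.198 (the Kinko's address
quoted later in the article) and typed a fake Received: line claiming a hop
through usdoj.gov; mx.example.org and mail.usdoj.gov are hypothetical names.
"""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from email.policy import default
from typing import List, Optional

SAMPLE_HEADER = """\
X-Gmail-Received: 0ac5ff953e33e7c61391d4994b8031f57180a017
Delivered-To: sher.julian@gmail.com
Received: by 10.64.179.14 with SMTP id b14cs1173qbf;
        Thu, 27 Oct 2005 13:01:52 -0700 (PDT)
Received: by 10.64.193.7 with SMTP id q7mr1977781qbf;
        Thu, 27 Oct 2005 13:01:52 -0700 (PDT)
Return-Path: <John.Smith@usdoj.gov>
Received: from wdcsun3.usdoj.gov (wdcsun3.usdoj.gov [149.101.1.103])
        by mx.gmail.com with ESMTP id q16si364711qbq.2005.10.27.13.01.51;
        Thu, 27 Oct 2005 13:01:52 -0700 (PDT)
"""

# Constructed forgery: the top line is genuine (written by mx.example.org);
# the bottom line was typed in by the sender to point the finger at usdoj.gov.
FORGED_HEADER = """\
Received: from mail.usdoj.gov (unknown [63.164.145.198])
        by mx.example.org with ESMTP id constructed1; Thu, 27 Oct 2005 13:01:52 -0700 (PDT)
Received: from wdcsun3.usdoj.gov (wdcsun3.usdoj.gov [149.101.1.103])
        by mail.usdoj.gov with SMTP id constructed0; Thu, 27 Oct 2005 13:01:50 -0700 (PDT)
"""

FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

@dataclass
class Hop:
    claimed: Optional[str]   # name the sending host announced (HELO/EHLO)
    rdns: Optional[str]      # reverse-DNS name the receiving server looked up
    ip: Optional[ipaddress.IPv4Address]  # address the receiver actually saw
    by: Optional[str]        # the server that wrote this Received: line

def parse_received(header_text: str) -> List[Hop]:
    """Return the Received: hops top to bottom (newest hop first)."""
    msg = message_from_string(header_text, policy=default)
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(str(raw).split())   # unfold and squeeze whitespace
        m_from, m_by, m_ip = FROM_RE.match(line), BY_RE.search(line), IP_RE.search(line)
        rdns = None
        if m_from and m_from.group(2):
            first = m_from.group(2).split()[0]   # "(rdns [ip])" or "(unknown [ip])"
            if not first.startswith("[") and first.lower() != "unknown":
                rdns = first
        hops.append(Hop(m_from.group(1) if m_from else None, rdns,
                        ipaddress.ip_address(m_ip.group(1)) if m_ip else None,
                        m_by.group(1).rstrip(";") if m_by else None))
    return hops

def trusted(by: Optional[str], provider_suffix: str) -> bool:
    """Our own provider wrote the hop if its 'by' host is in the provider's
    domain or is a non-routable address (an internal relay, like Gmail's
    10.x.x.x hops). Lines below the first untrusted hop may be the sender's."""
    if by is None:
        return False
    host = by.lower()
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host == provider_suffix or host.endswith("." + provider_suffix)

def find_origin(header_text: str, provider_suffix: str) -> Optional[Hop]:
    """Walk newest to oldest; the first trusted hop recording a public
    connecting IP is where the outside world handed the message to us.
    Fall back to X-Originating-IP, which some webmail providers add."""
    for hop in parse_received(header_text):
        if not trusted(hop.by, provider_suffix):
            break
        if hop.ip is not None and hop.ip.is_global:
            return hop
    xo = message_from_string(header_text, policy=default).get("X-Originating-IP")
    return Hop(None, None, ipaddress.ip_address(xo.strip("[] ")), None) if xo else None

def helo_mismatch(hop: Hop) -> bool:
    """True when the announced name differs from reverse DNS (or reverse DNS
    found nothing): a common sign the sender is not who it claims."""
    if hop.claimed is None:
        return False
    return hop.rdns is None or hop.claimed.lower() != hop.rdns.lower()

if __name__ == "__main__":
    for label, text, suffix in (("article sample", SAMPLE_HEADER, "gmail.com"),
                                ("forged sample", FORGED_HEADER, "example.org")):
        hop = find_origin(text, suffix)
        print(f"{label}: hand-off from {hop.ip}, HELO mismatch: {helo_mismatch(hop)}")
```

Run it as is to print both results, or pass your own provider's domain as the second argument to find_origin. The "bottom Received: line" rule gives the right answer for the Gmail header because every line in it was written by Gmail; against the constructed forgery it would blame 149.101.1.103, which is exactly what the forger wanted, while the top-down walk stops at mx.example.org and reports the real connecting address.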
Copy the IP number that seems to be the starting point of the email. It can take a few tries. Now go to one of several web sites that look up who an IP address is registered to (a "whois" lookup).
My two favourites are Complete Whois at http://www.completewhois.com/ and IPAddress Guide at http://www.ipaddressguide.com.
Put in the IP address you found. (These sites also look up other things, such as domain names, so be sure you select the option for IP addresses.)
In most cases, the results show which organisation the block of addresses is registered to, with a country and a postal address for that organisation (which is where the registrant is, not necessarily where the sender was sitting). For example, when I put in the number "149.101.1.103" I get this result:
[IPv4 whois information for 149.101.1.103 ]
[whois.arin.net]
OrgName: US Dept of Justice
OrgID: UDJ
Address: P.O. Box 59110
City: Potomac
StateProv: MD
PostalCode: 20859
This shows that the server which handed the message to Gmail sits in address space registered to the Department of Justice. Of course, it could be a janitor using a computer there and pretending to be an important official, or someone else with access to that network, so you still have to use the traditional verification methods to make sure the sender is who they say they are. But at least you know which organisation's network the email came from.
HIDING YOURSELF
The system is not perfect.
Sometimes, the results bounce you to another registry database, such as RIPE for European addresses, and you just have to do a little more digging.
Tracing an email from one of the popular web services such as Hotmail or Yahoo can be more frustrating. Often the whois lookup will just show a generic mail server operated by these companies, because the first hop recorded in the header is the webmail server, not the sender's own computer. But sometimes, when the service records the sender's address in a line such as X-Originating-IP, you can find out where the person logged on to use their account. For example, when I ran a trace on a recent email I got from a Yahoo account, I got this IP address -- 63.164.145.198 -- which led me to:
OrgName: Kinkos, Inc.
Address: 255 West Stanley Avenue
City: Ventura
StateProv: CA
PostalCode: 93002-8000
Country: US
Plus, you - or anybody else -- can shield your IP address by sending through a web proxy or privacy service (the most popular one is Anonymizer at www.anonymizer.com), in which case the trace ends at the proxy rather than at the sender.
Still, better to do everything you can to make sure the email message you get is genuine.
