SlideShare ist ein Scribd-Unternehmen logo

How to Trace an E-mail Part 2

‱
‱
L
Lebowitzcomics

1. The document describes tracing an email from "Dr. Grace Lawal" back to its origin. It was determined to be spam through invalid email addresses and lack of records for the named individual. 2. By examining the email headers, the path of the email was traced from an IP address in Nigeria to an ISP named Simba Technology. Simba Technology revealed the IP belonged to a customer who ran a cyber cafe, preventing identification of the individual. 3. Further steps like keylogging could potentially identify the sender, but were not taken due to the non-critical nature of the spam email.

TechnologieNews & Politik
1 von 5
Downloaden Sie, um offline zu lesen
How to trace emails back to source - www.ezboard.com Page 1 of 5 How to trace an e-mail, part 2: A case study by Robert Lebowitz, Digital Freedom Network (April 19, 2002) We have previously become familiar with what to look for in an e-mail header in order to trace an e-mail. We will now use the example from the last lesson to clarify the procedure in more detail. The e-mail we wish to trace is a spam message actually received by the Digital Freedom Network from one "Grace Lawal." In her message, Ms. Lawal asks for money for a business transaction. A reply to Ms. Lawal's e-mail address bounces back, revealing that is fake. Additionally, there is no record of any Grace Lawal connected with Zenith bank. Using the e-mail tracing methods broadly described thus far, how close can we get to finding out who this Ms. Lawal is? The original e-mail from "Grace Lawal" appears below. (The Received: fields have been bolded and colored for later reference.) Return-Path: <graceelawal@yahoo.com> Received: from [207.202.32.37] (HELO mailscan1.corp.idt.net) by mail.corp.idt.net (CommuniGate Pro SMTP 3.5.7) with SMTP id 3290036 for rlebow@corp.idt.net; Sat, 13 Apr 2002 11:49:42 -0500 Received: from 169.132.232.57 by mailscan1.corp.idt.net (InterScan E-Mail VirusWall NT); Sat, 13 APR 2002 12:54:55 -0400 Received: from mq.idtweb.com ([216.53.71.121] verified) by mail.idtweb.com (CommuniGate Pro SMTP 3.5.7) with ESMTP id 30370009 for rlebow@dfn.org; Sat, 13 APR 2002 12:51:44 -0400 Received: from [80.247.137.24] (HELO ab97c381.com) by mq.idtweb.com (CommuniGate Pro SMTP 3.5.7) with SMTP id 29632626 for rlebow@dfn.org; Sat, 13 APR 2002 11:51:46 -0500 From: "Dr. Grace Lawal" <graceelawal@yahoo.com> Reply-To: graceelawal@yahoo.com To: rlebow@dfn.org Date: Sat, 13 APR 2002 05:52:35 +1000 Subject: #Contact urgently# X-Mailer: Microsoft Outlook Express 5.00.2919.6900 DM MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===_LikeYe_888_2fptuofrlwlhlh" Message-ID: <auto-000029632626@mq.idtweb.com> X-Mozilla-Status: 8003 X-Mozilla-Status2: 00000000 X-UIDL: 1169 Dear Sir, I am Dr.Grace Lawal (Phd) Bank Manager of Zenith Bank,Lagos, Nigeria. I have urgent and very confidential business proposition for you. On June 6, 1997, a Foreign Oil consultant/contractor with the Nigerian National Petroleum Corporation, Mr.Barry Kelly made a numbered time (Fixed) Deposit for twelve calendar months, valued at US$25,000,000.00, (Twenty-five Million, Dollars) in my branch. Upon maturity, I sI discovered from his contract employers, the Nigerian National Petroleum Corporation that Mr. Barry Kelly died from an automobile accident. On further investigation, I found out that he died without making a WILL, and http://p218.ezboard.com/fcreditwrenchfrm2.showMessage?topicID=33.topic 5/16/2006
How to trace emails back to source - www.ezboard.com Page 2 of 5 all attempts to trace his next of kin was fruitless. This sum of US$25,000,000.00 has carefully been moved out of my bank to a security company for safekeeping. No one will ever come forward to claim it. Consequently, my proposal is that I will like you as an Foreigner to stand in as the owner of the money I deposited it in a security company in two trunk boxes though the security company does not know the contents of the boxes as I tagged them to be photographic materials for export. I want to present you as the owner of the boxes in the security company so you can be able to claim them with the help of my attorney. This is simple. I will like you to provide immediately your full names and address so that the Attorney will prepare the necessary documents which will put you in place as the owner of the boxes. The money will be moved out for us to share in the ratio of 70% for me and 30% for you. Thanks and God bless. Dr.Grace lawal (p.h.d) 1. View full header We see from the From: and Reply to: fields that the e-mail address of the sender of this annoying solicitation is graceelawal@yahoo.com. A reply, however, reveals that this is not a valid e-mail address. So, we now look at the Received: field. 2. Read the Received: fields in the header, with the bottom field the oldest MTA and the top the most recent Explaining these fields is quite straightforward. Received: from [207.202.32.37] (HELO mailscan1.corp.idt.net) by mail.corp.idt.net (CommuniGate Pro SMTP 3.5.7) with SMTP id 3290036 for rlebow@corp.idt.net; Sat, 13 APR 2002 11:49:42 -0500 Received: from 169.132.232.57 by mailscan1.corp.idt.net (InterScan E-mail VirusWall NT); Sat, 13 APR 2002 12:54:55 -0400 Received: from mq.idtweb.com ([216.53.71.121] verified) by mail.idtweb.com (CommuniGate Pro SMTP 3.5.7) with ESMTP id 30370009 for rlebow@dfn.org; Sat, 13 APR 2002 12:51:44 -0400 Received: from [80.247.137.24] (HELO ab97c381.com) by mq.idtweb.com (CommuniGate Pro SMTP 3.5.7) with SMTP id 29632626 for rlebow@dfn.org; Sat, 13 APR 2002 11:51:46 -0500 First, the e-mail came from 80.247.137.24 into mq.idtweb.com. (HELO identifies the sending machine. This cannot be relied upon however for accurate information.) The mail was received on Saturday, April 13, 2002 at 11:51:46 New York Time. Next, the e-mail passed from mq.idtweb.com into mail.idtweb.com. The mail was received on Saturday, April 13, 2002 at 11:51:44 New York Time. Next, the e-mail traveled from 169.132.232.57 to http://p218.ezboard.com/fcreditwrenchfrm2.showMessage?topicID=33.topic 5/16/2006
How to trace emails back to source - www.ezboard.com Page 3 of 5 mailscan1.corp.idt.net. The mail was received on Saturday, April 13, 2002 at 11:54:55 New York Time. Finally, the e-mail traveled from 207.202.32.37to mail.corp.idt.net. The mail was received on Saturday, April 13, 2002 at 11:49:42 New York Time. 3. Use Internet Registries to determine which companies own the IPs The e-mail originated from 80.247.137.24. We must look up the IP in one of the Internet registries on the Web. The place we will start is the American Registry of Internet Numbers (ARIN) at www.arin.net, which the registry for the Americas and sub-Saharan Africa. We choose to begin our search on ARIN only because "Grace Lawal" states that she is from Nigeria. We don't know this for sure, of course, but it is a good a place to start as any. After going to the ARIN Web site, we perform a WHOIS search on the IP address (See figure below). Figure 1: The WHOIS search on ARIN is on the upper right corner. The WHOIS search tells us that in fact this IP address is not in the ARIN database, but rather can be found in the database of European Regional Internet Registry (RIPE), located at www.ripe.net. As its name implies, RIPE is responsible for IP addresses of European organizations. We now perform the same WHOIS search on the RIPE Web site, entering the IP address, 80.247.137.24. This time, our search is successful. RIPE outputs the following data: inetnum: 80.247.137.0 - 80.247.137.255 netname: SIMBATECH descr: Simba Technology ltd is a Licensed ISP located Lagos Nigeria country: NG admin-c: ID116-RIPE tech-c: NIL3-RIPE status: ASSIGNED PA notify: anil@simbaonline.net mnt-by: AS17175-MNT changed: scooper@newskies.com 20020208 source: RIPE route: 80.247.128.0/20 descr: New Skies Satellites origin: AS17175 mnt-by: AS17175-MNT changed: scooper@newskies.com 20011116 source: RIPE person: Segun Adekoya address: Simba Technology Limited. address: 77/79 Eric Moore Road, Surulere, Lagos address: Nigeria. phone: +23417740120 fax-no: +23415851016 e-mail: segun@simbaonline.net nic-hdl: ID116-RIPE notify: support@simbaonline.net mnt-by: AS17175-MNT changed: scooper@newskies.com 20020208 http://p218.ezboard.com/fcreditwrenchfrm2.showMessage?topicID=33.topic 5/16/2006
How to trace emails back to source - www.ezboard.com Page 4 of 5 source: RIPE person: Anil Kumar address: Simba Technology Limited. Address: 77/79 Eric Moore Road, Surulere, Lagos phone: +23417740120 fax-no: +23415851016 e-mail: anil@simbaonline.net nic-hdl: NIL3-RIPE notify: anil@simbaonline.net mnt-by: AS17175-MNT changed: scooper@newskies.com 20020208 source: RIPE We can thus determine that Simba Technology is the Internet Service Provider (ISP) that took up "Grace Lawal's" e-mail after she sent it off to DFN. We also note that while "Grace Lawal" is almost certainly a false name, she (or he) might not have lied about being in Lagos, Nigeria, since that is where Simba is located. At any rate, Simba must have a record in the form of a mail or user log that will inform us from where the e-mail originated. Before we do this, let's go back and trace the remaining path of the e-mail. We can see that after it left Nigeria, it went directly to mq.idtweb.com. IDT Corporation hosts DFN, so already, we see the mail has arrived with no stopovers. From there, it went into mail.idtweb.com. The header then reports that the mail went from 169.132.232.57 to mailscan1.corp.idt.net, and then from 207.202.32.37 to mail.corp.idt.net. These IP addresses seem to come out of nowhere, but a WHOIS search on ARIN reveals that they are just IP addresses owned by IDT. Thus the mail arrived at IDT and then went through various scanning procedures to make sure it was not spam and did not contain a virus before it arrived in DFN's mailbox. 4. Contact the companies to ask that they check their user and message logs to see who was logged into that particular IP at that time This is the letter we sent to Simba Technology. It was addressed specifically to Anil Kumar and Segun Adekoya, the two contacts listed in the RIPE database entry above. (Note: The original message from "Grace Lawal" was attached to this e-mail to Simba, but is not reprinted again here.) From: Robert Lebowitz [mailto:rlebow@dfn.org] Sent: Wednesday, April 17, 2002 3:02 PM To: anil@simbaonline.net,segun@simbaonline.net Subject: Can you please check mail and user logs stats? Dear Sirs, Hi. I received the following mail that passed through your machines. Would you be kind enough to check the mail logs on simbaonline.net for Sat, April 13, 2002 05:52:35 +1000? (This would be 5:52:35 Sydney or Melbourne time). I highlighted the line of the header that indicates that the message passed through your system at this time. There does not appear to be any "grace lawal" at Zenith, and we have received quite a few "spam" http://p218.ezboard.com/fcreditwrenchfrm2.showMessage?topicID=33.topic 5/16/2006
How to trace emails back to source - www.ezboard.com Page 5 of 5 messages from her. Perhaps you can tell me the identity of--or at least any information about--this person. Thanks so much, Robert Lebowitz <message attached> The message to Simba was sent out in the morning. By the late afternoon, we received the following reply from Simba's general manager: Dear Mr.Robert This has reference to the concerns raised by you regarding the spam mails. We are basically a ISP in Nigeria. The IP involved belongs to one of our customer who runs a cyber cafe in Lagos. Since it is a cyber cafe we are not able to identify who is the person doing the same. Still we are taking all efforts to identify the person doing this mischief. Pls also let me know, if you have any suggestions on how this person could be isolated. Regards Viswanathan.D General Manager SimbaNET Nigeria Ltd. 77/79, Eric Moore Road Surulere, Lagos Nigeria. We know now that the e-mail was sent from a cyber cafe in Lagos, Nigeria. However, since one can send messages from a cyber cafe with complete anonymity, we are prevented from finding out more concrete information. If this were an e-mail of much greater importance—such as the ransom note sent from the kidnappers of U.S. journalist Daniel Pearl—we could take further steps to track our quarry. For instance, we could get the name of the Lagos cyber cafe from our contact at Simba. Then, on the assumption that the person sends out e-mail periodically from the same location, we could install key-sniffing devices in the computers at the cafe. These programs register a user's keystrokes, thus creating a record of everything that was typed at a particular terminal. Another recourse would be to make sure IDs were taken for the period in which a person was using a computer in a public cluster. But while these methods would aid greatly in identifying an e-mail sender, they also would impinge on the rights of others using the computers to conduct their personal business. Such a conflict defines the ongoing struggle between the fight against terrorism over the Internet and the right to privacy, which will continue to evolve in the years ahead. Go to How to trace an e-mail, part 1: An overview http://p218.ezboard.com/fcreditwrenchfrm2.showMessage?topicID=33.topic 5/16/2006

Empfohlen

How to Trace an E-mail Part 1
How to Trace an E-mail Part 1How to Trace an E-mail Part 1
How to Trace an E-mail Part 1
Lebowitzcomics
 
Malware from the Consumer Jungle
Malware from the Consumer JungleMalware from the Consumer Jungle
Malware from the Consumer Jungle
Jason S
 
Mortality of Design: History of Email
Mortality of Design: History of EmailMortality of Design: History of Email
Mortality of Design: History of Email
eROI
 
Kristian on cyber safety
Kristian on cyber safetyKristian on cyber safety
Kristian on cyber safety
Pentucket Regional High School
 
Resume Jyoti Menon
Resume Jyoti MenonResume Jyoti Menon
Resume Jyoti Menon
Jyoti Sudhir Menon
 
Diploma Supplement_1
Diploma Supplement_1Diploma Supplement_1
Diploma Supplement_1
Tomislav Ơoơtarić
 
geo.admin.ch: 3 years of successful data sharing for the masses – best practi...
geo.admin.ch: 3 years of successful data sharing for the masses – best practi...geo.admin.ch: 3 years of successful data sharing for the masses – best practi...
geo.admin.ch: 3 years of successful data sharing for the masses – best practi...
geoportal of the federal authorities of the Swiss Confederation
 
Newsletter nr 11_noiembrie_2014
Newsletter nr 11_noiembrie_2014Newsletter nr 11_noiembrie_2014
Newsletter nr 11_noiembrie_2014
Vochescu Alexandru
 

Empfohlen

How to Trace an E-mail Part 1
How to Trace an E-mail Part 1How to Trace an E-mail Part 1
How to Trace an E-mail Part 1
Lebowitzcomics
 
Malware from the Consumer Jungle
Malware from the Consumer JungleMalware from the Consumer Jungle
Malware from the Consumer Jungle
Jason S
 
Mortality of Design: History of Email
Mortality of Design: History of EmailMortality of Design: History of Email
Mortality of Design: History of Email
eROI
 
Kristian on cyber safety
Kristian on cyber safetyKristian on cyber safety
Kristian on cyber safety
Pentucket Regional High School
 
Resume Jyoti Menon
Resume Jyoti MenonResume Jyoti Menon
Resume Jyoti Menon
Jyoti Sudhir Menon
 
Diploma Supplement_1
Diploma Supplement_1Diploma Supplement_1
Diploma Supplement_1
Tomislav Ơoơtarić
 
geo.admin.ch: 3 years of successful data sharing for the masses – best practi...
geo.admin.ch: 3 years of successful data sharing for the masses – best practi...geo.admin.ch: 3 years of successful data sharing for the masses – best practi...
geo.admin.ch: 3 years of successful data sharing for the masses – best practi...
geoportal of the federal authorities of the Swiss Confederation
 
Newsletter nr 11_noiembrie_2014
Newsletter nr 11_noiembrie_2014Newsletter nr 11_noiembrie_2014
Newsletter nr 11_noiembrie_2014
Vochescu Alexandru
 
Educator Effectiveness in Wisconsin (DPI)
Educator Effectiveness in Wisconsin (DPI)Educator Effectiveness in Wisconsin (DPI)
Educator Effectiveness in Wisconsin (DPI)
Wisconsin Education Association Council
 
How2Recycle Label Presentation
How2Recycle Label PresentationHow2Recycle Label Presentation
How2Recycle Label Presentation
GreenBlue
 
Web application security for java (XSS,Session Fixation)
Web application security for java (XSS,Session Fixation)Web application security for java (XSS,Session Fixation)
Web application security for java (XSS,Session Fixation)
Ritesh Raushan
 
2010 DOE Directory
2010 DOE Directory2010 DOE Directory
2010 DOE Directory
Honolulu Civil Beat
 
marketing blogs in libraries
marketing blogs in librariesmarketing blogs in libraries
marketing blogs in libraries
sabaArshed
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
ORG, The Public Interest Registry
 
Open badgesmarch2014
Open badgesmarch2014Open badgesmarch2014
Open badgesmarch2014
Martin Cooke
 
What is doe level 6
What is doe level 6What is doe level 6
What is doe level 6
FSP Technology Inc.
 
Comandos spanning tree
Comandos spanning treeComandos spanning tree
Comandos spanning tree
1 2d
 
Tep business planning in tourism
Tep business planning in tourismTep business planning in tourism
Tep business planning in tourism
led4lgus
 
Email is Media
Email is MediaEmail is Media
Email is Media
Affiliate Summit
 
Uma sec council_june_22_v4
Uma sec council_june_22_v4Uma sec council_june_22_v4
Uma sec council_june_22_v4
Domenico Catalano
 
Test title
Test titleTest title
Test title
keszthelyi
 
ARIN Registration Services Department Report
ARIN Registration Services Department ReportARIN Registration Services Department Report
ARIN Registration Services Department Report
ARIN
 
MicrosoftÂź OutlookÂź Tips Hints For Admins
MicrosoftÂź OutlookÂź Tips Hints For AdminsMicrosoftÂź OutlookÂź Tips Hints For Admins
MicrosoftÂź OutlookÂź Tips Hints For Admins
pses12
 
USER & USAGE GEO.ADMIN.CH (OKCon 2013)
USER & USAGE GEO.ADMIN.CH (OKCon 2013)USER & USAGE GEO.ADMIN.CH (OKCon 2013)
USER & USAGE GEO.ADMIN.CH (OKCon 2013)
geoportal of the federal authorities of the Swiss Confederation
 
Social studies the next frontier
Social studies the next frontierSocial studies the next frontier
Social studies the next frontier
fishem88
 
Dating Pro Installation Instructions
Dating Pro Installation InstructionsDating Pro Installation Instructions
Dating Pro Installation Instructions
Pilot Group Ltd
 
RTI Connext 5.1.0
RTI Connext 5.1.0RTI Connext 5.1.0
RTI Connext 5.1.0
Jan Van Bruaene
 
ROBOTS: SERIAL KILLER BOYDEN GRAY
ROBOTS: SERIAL KILLER BOYDEN GRAYROBOTS: SERIAL KILLER BOYDEN GRAY
ROBOTS: SERIAL KILLER BOYDEN GRAY
Prayer Warriors Institute
 
The Phishing Ecosystem
The Phishing EcosystemThe Phishing Ecosystem
The Phishing Ecosystem
amiable_indian
 
Find ip address
Find ip addressFind ip address
Find ip address
sasandeaynat
 

Weitere Àhnliche Inhalte

Andere mochten auch

How2Recycle Label Presentation
How2Recycle Label PresentationHow2Recycle Label Presentation
How2Recycle Label Presentation
GreenBlue
 
Comandos spanning tree
Comandos spanning treeComandos spanning tree
Comandos spanning tree
1 2d
 
Tep business planning in tourism
Tep business planning in tourismTep business planning in tourism
Tep business planning in tourism
led4lgus
 
Test title
Test titleTest title
Test title
keszthelyi
 
Social studies the next frontier
Social studies the next frontierSocial studies the next frontier
Social studies the next frontier
fishem88
 

Andere mochten auch (20)

Educator Effectiveness in Wisconsin (DPI)
Educator Effectiveness in Wisconsin (DPI)Educator Effectiveness in Wisconsin (DPI)
Educator Effectiveness in Wisconsin (DPI)
 
How2Recycle Label Presentation
How2Recycle Label PresentationHow2Recycle Label Presentation
How2Recycle Label Presentation
 
Web application security for java (XSS,Session Fixation)
Web application security for java (XSS,Session Fixation)Web application security for java (XSS,Session Fixation)
Web application security for java (XSS,Session Fixation)
 
2010 DOE Directory
2010 DOE Directory2010 DOE Directory
2010 DOE Directory
 
marketing blogs in libraries
marketing blogs in librariesmarketing blogs in libraries
marketing blogs in libraries
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
Open badgesmarch2014
Open badgesmarch2014Open badgesmarch2014
Open badgesmarch2014
 
What is doe level 6
What is doe level 6What is doe level 6
What is doe level 6
 
Comandos spanning tree
Comandos spanning treeComandos spanning tree
Comandos spanning tree
 
Tep business planning in tourism
Tep business planning in tourismTep business planning in tourism
Tep business planning in tourism
 
Email is Media
Email is MediaEmail is Media
Email is Media
 
Uma sec council_june_22_v4
Uma sec council_june_22_v4Uma sec council_june_22_v4
Uma sec council_june_22_v4
 
Test title
Test titleTest title
Test title
 
ARIN Registration Services Department Report
ARIN Registration Services Department ReportARIN Registration Services Department Report
ARIN Registration Services Department Report
 
MicrosoftÂź OutlookÂź Tips Hints For Admins
MicrosoftÂź OutlookÂź Tips Hints For AdminsMicrosoftÂź OutlookÂź Tips Hints For Admins
MicrosoftÂź OutlookÂź Tips Hints For Admins
 
USER & USAGE GEO.ADMIN.CH (OKCon 2013)
USER & USAGE GEO.ADMIN.CH (OKCon 2013)USER & USAGE GEO.ADMIN.CH (OKCon 2013)
USER & USAGE GEO.ADMIN.CH (OKCon 2013)
 
Social studies the next frontier
Social studies the next frontierSocial studies the next frontier
Social studies the next frontier
 
Dating Pro Installation Instructions
Dating Pro Installation InstructionsDating Pro Installation Instructions
Dating Pro Installation Instructions
 
RTI Connext 5.1.0
RTI Connext 5.1.0RTI Connext 5.1.0
RTI Connext 5.1.0
 
ROBOTS: SERIAL KILLER BOYDEN GRAY
ROBOTS: SERIAL KILLER BOYDEN GRAYROBOTS: SERIAL KILLER BOYDEN GRAY
ROBOTS: SERIAL KILLER BOYDEN GRAY
 

Ähnlich wie How to Trace an E-mail Part 2

Find ip address
Find ip addressFind ip address
Find ip address
sasandeaynat
 
Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hacking
Sathishkumar A
 
Safe Email Practices
Safe Email PracticesSafe Email Practices
Safe Email Practices
Jonathan Slavin
 
Domains - Slideshow
Domains - SlideshowDomains - Slideshow
Domains - Slideshow
BHTraining
 
Openbar Leuven // Safety first... in the Cloud by Koen Jacobs
Openbar Leuven // Safety first... in the Cloud by Koen JacobsOpenbar Leuven // Safety first... in the Cloud by Koen Jacobs
Openbar Leuven // Safety first... in the Cloud by Koen Jacobs
Openbar
 

Ähnlich wie How to Trace an E-mail Part 2 (20)

The Phishing Ecosystem
The Phishing EcosystemThe Phishing Ecosystem
The Phishing Ecosystem
 
Find ip address
Find ip addressFind ip address
Find ip address
 
Protecting Yourself Online
Protecting Yourself OnlineProtecting Yourself Online
Protecting Yourself Online
 
WCC 2012: General security introduction for non-security students
WCC 2012: General security introduction for non-security studentsWCC 2012: General security introduction for non-security students
WCC 2012: General security introduction for non-security students
 
Cyber Forensic - Policing the Digital Domain
Cyber Forensic - Policing the Digital DomainCyber Forensic - Policing the Digital Domain
Cyber Forensic - Policing the Digital Domain
 
8. cyber51-case-studies
8. cyber51-case-studies8. cyber51-case-studies
8. cyber51-case-studies
 
Hacking
HackingHacking
Hacking
 
Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hacking
 
Safe Email Practices
Safe Email PracticesSafe Email Practices
Safe Email Practices
 
Web Security
Web SecurityWeb Security
Web Security
 
Security pre
Security preSecurity pre
Security pre
 
Letter anonymous-II
Letter anonymous-IILetter anonymous-II
Letter anonymous-II
 
London First - cyber attack simulation - 22nd May 2018
London First - cyber attack simulation - 22nd May 2018London First - cyber attack simulation - 22nd May 2018
London First - cyber attack simulation - 22nd May 2018
 
EmailTracing.ppt
EmailTracing.pptEmailTracing.ppt
EmailTracing.ppt
 
ID Theft
ID TheftID Theft
ID Theft
 
Domains - Slideshow
Domains - SlideshowDomains - Slideshow
Domains - Slideshow
 
Openbar Leuven // Safety first... in the Cloud by Koen Jacobs
Openbar Leuven // Safety first... in the Cloud by Koen JacobsOpenbar Leuven // Safety first... in the Cloud by Koen Jacobs
Openbar Leuven // Safety first... in the Cloud by Koen Jacobs
 
A guide to email spoofing
A guide to email spoofingA guide to email spoofing
A guide to email spoofing
 
What the Redaction of WHOIS Data Means for Cybersecurity
What the Redaction of WHOIS Data Means for CybersecurityWhat the Redaction of WHOIS Data Means for Cybersecurity
What the Redaction of WHOIS Data Means for Cybersecurity
 
2600 v03 n11 (november 1986)
2600 v03 n11 (november 1986)2600 v03 n11 (november 1986)
2600 v03 n11 (november 1986)
 

Mehr von Lebowitzcomics

Rfl dfn internetact2
Rfl dfn internetact2Rfl dfn internetact2
Rfl dfn internetact2
Lebowitzcomics
 
Rfl dfn cubaroca
Rfl dfn cubarocaRfl dfn cubaroca
Rfl dfn cubaroca
Lebowitzcomics
 
Rfl dfn ibrahim-acquitted
Rfl dfn ibrahim-acquittedRfl dfn ibrahim-acquitted
Rfl dfn ibrahim-acquitted
Lebowitzcomics
 
Hagadah reshet keshet_2003
Hagadah reshet keshet_2003Hagadah reshet keshet_2003
Hagadah reshet keshet_2003
Lebowitzcomics
 
SAR High School Moves Into its New Location
SAR High School Moves Into its New LocationSAR High School Moves Into its New Location
SAR High School Moves Into its New Location
Lebowitzcomics
 
Robberies Alarm Store Owners
Robberies Alarm Store OwnersRobberies Alarm Store Owners
Robberies Alarm Store Owners
Lebowitzcomics
 
Retaining Wall to be Rebuilt
Retaining Wall to be RebuiltRetaining Wall to be Rebuilt
Retaining Wall to be Rebuilt
Lebowitzcomics
 
Passover Program Scheduled at Hebrew Institute
Passover Program Scheduled at Hebrew InstitutePassover Program Scheduled at Hebrew Institute
Passover Program Scheduled at Hebrew Institute
Lebowitzcomics
 
New Minister at Riverdale's Church
New Minister at Riverdale's ChurchNew Minister at Riverdale's Church
New Minister at Riverdale's Church
Lebowitzcomics
 
Two Prominent Members of Riverdale's Orthodox Community to Leave for Israel
Two Prominent Members of Riverdale's Orthodox Community to Leave for IsraelTwo Prominent Members of Riverdale's Orthodox Community to Leave for Israel
Two Prominent Members of Riverdale's Orthodox Community to Leave for Israel
Lebowitzcomics
 
Ella Freilich dead at 87: Riverdalian almost nation's "Second Mother-in-Law"
Ella Freilich dead at 87: Riverdalian almost nation's "Second Mother-in-Law"Ella Freilich dead at 87: Riverdalian almost nation's "Second Mother-in-Law"
Ella Freilich dead at 87: Riverdalian almost nation's "Second Mother-in-Law"
Lebowitzcomics
 
Horace Mann Begins Search for New Head of School
Horace Mann Begins Search for New Head of SchoolHorace Mann Begins Search for New Head of School
Horace Mann Begins Search for New Head of School
Lebowitzcomics
 
Jewish Council Honors 4; Top Officials in Attendance
Jewish Council Honors 4; Top Officials in AttendanceJewish Council Honors 4; Top Officials in Attendance
Jewish Council Honors 4; Top Officials in Attendance
Lebowitzcomics
 
Funmathschool Criticized as Taking Too Many Field Trips
Funmathschool Criticized as Taking Too Many Field TripsFunmathschool Criticized as Taking Too Many Field Trips
Funmathschool Criticized as Taking Too Many Field Trips
Lebowitzcomics
 
Using Search Engines
Using Search EnginesUsing Search Engines
Using Search Engines
Lebowitzcomics
 
LOCAL YOUTHS BECOME INTEL SCIENCE TALENT SEARCH SEMI-FINALISTS
LOCAL YOUTHS BECOME INTEL SCIENCE TALENT SEARCH SEMI-FINALISTSLOCAL YOUTHS BECOME INTEL SCIENCE TALENT SEARCH SEMI-FINALISTS
LOCAL YOUTHS BECOME INTEL SCIENCE TALENT SEARCH SEMI-FINALISTS
Lebowitzcomics
 
Can Internet technology still revolutionize activism?
Can Internet technology still revolutionize activism?Can Internet technology still revolutionize activism?
Can Internet technology still revolutionize activism?
Lebowitzcomics
 

Mehr von Lebowitzcomics (20)

Finders Keepers
Finders KeepersFinders Keepers
Finders Keepers
 
Good Company
Good CompanyGood Company
Good Company
 
Rfl dfn internetact2
Rfl dfn internetact2Rfl dfn internetact2
Rfl dfn internetact2
 
Rfl dfn cubaroca
Rfl dfn cubarocaRfl dfn cubaroca
Rfl dfn cubaroca
 
Rfl dfn ibrahim-acquitted
Rfl dfn ibrahim-acquittedRfl dfn ibrahim-acquitted
Rfl dfn ibrahim-acquitted
 
Hagadah reshet keshet_2003
Hagadah reshet keshet_2003Hagadah reshet keshet_2003
Hagadah reshet keshet_2003
 
SAR High School Moves Into its New Location
SAR High School Moves Into its New LocationSAR High School Moves Into its New Location
SAR High School Moves Into its New Location
 
Robberies Alarm Store Owners
Robberies Alarm Store OwnersRobberies Alarm Store Owners
Robberies Alarm Store Owners
 
Retaining Wall to be Rebuilt
Retaining Wall to be RebuiltRetaining Wall to be Rebuilt
Retaining Wall to be Rebuilt
 
Passover Program Scheduled at Hebrew Institute
Passover Program Scheduled at Hebrew InstitutePassover Program Scheduled at Hebrew Institute
Passover Program Scheduled at Hebrew Institute
 
New Minister at Riverdale's Church
New Minister at Riverdale's ChurchNew Minister at Riverdale's Church
New Minister at Riverdale's Church
 
Two Prominent Members of Riverdale's Orthodox Community to Leave for Israel
Two Prominent Members of Riverdale's Orthodox Community to Leave for IsraelTwo Prominent Members of Riverdale's Orthodox Community to Leave for Israel
Two Prominent Members of Riverdale's Orthodox Community to Leave for Israel
 
Ella Freilich dead at 87: Riverdalian almost nation's "Second Mother-in-Law"
Ella Freilich dead at 87: Riverdalian almost nation's "Second Mother-in-Law"Ella Freilich dead at 87: Riverdalian almost nation's "Second Mother-in-Law"
Ella Freilich dead at 87: Riverdalian almost nation's "Second Mother-in-Law"
 
Horace Mann Begins Search for New Head of School
Horace Mann Begins Search for New Head of SchoolHorace Mann Begins Search for New Head of School
Horace Mann Begins Search for New Head of School
 
Jewish Council Honors 4; Top Officials in Attendance
Jewish Council Honors 4; Top Officials in AttendanceJewish Council Honors 4; Top Officials in Attendance
Jewish Council Honors 4; Top Officials in Attendance
 
Funmathschool Criticized as Taking Too Many Field Trips
Funmathschool Criticized as Taking Too Many Field TripsFunmathschool Criticized as Taking Too Many Field Trips
Funmathschool Criticized as Taking Too Many Field Trips
 
Using Search Engines
Using Search EnginesUsing Search Engines
Using Search Engines
 
Rfl dfn search1
Rfl dfn search1Rfl dfn search1
Rfl dfn search1
 
LOCAL YOUTHS BECOME INTEL SCIENCE TALENT SEARCH SEMI-FINALISTS
LOCAL YOUTHS BECOME INTEL SCIENCE TALENT SEARCH SEMI-FINALISTSLOCAL YOUTHS BECOME INTEL SCIENCE TALENT SEARCH SEMI-FINALISTS
LOCAL YOUTHS BECOME INTEL SCIENCE TALENT SEARCH SEMI-FINALISTS
 
Can Internet technology still revolutionize activism?
Can Internet technology still revolutionize activism?Can Internet technology still revolutionize activism?
Can Internet technology still revolutionize activism?
 

KĂŒrzlich hochgeladen

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 

KĂŒrzlich hochgeladen (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

How to Trace an E-mail Part 2

  • 1. How to trace emails back to source - www.ezboard.com Page 1 of 5 How to trace an e-mail, part 2: A case study by Robert Lebowitz, Digital Freedom Network (April 19, 2002) We have previously become familiar with what to look for in an e-mail header in order to trace an e-mail. We will now use the example from the last lesson to clarify the procedure in more detail. The e-mail we wish to trace is a spam message actually received by the Digital Freedom Network from one "Grace Lawal." In her message, Ms. Lawal asks for money for a business transaction. A reply to Ms. Lawal's e-mail address bounces back, revealing that is fake. Additionally, there is no record of any Grace Lawal connected with Zenith bank. Using the e-mail tracing methods broadly described thus far, how close can we get to finding out who this Ms. Lawal is? The original e-mail from "Grace Lawal" appears below. (The Received: fields have been bolded and colored for later reference.) Return-Path: <graceelawal@yahoo.com> Received: from [207.202.32.37] (HELO mailscan1.corp.idt.net) by mail.corp.idt.net (CommuniGate Pro SMTP 3.5.7) with SMTP id 3290036 for rlebow@corp.idt.net; Sat, 13 Apr 2002 11:49:42 -0500 Received: from 169.132.232.57 by mailscan1.corp.idt.net (InterScan E-Mail VirusWall NT); Sat, 13 APR 2002 12:54:55 -0400 Received: from mq.idtweb.com ([216.53.71.121] verified) by mail.idtweb.com (CommuniGate Pro SMTP 3.5.7) with ESMTP id 30370009 for rlebow@dfn.org; Sat, 13 APR 2002 12:51:44 -0400 Received: from [80.247.137.24] (HELO ab97c381.com) by mq.idtweb.com (CommuniGate Pro SMTP 3.5.7) with SMTP id 29632626 for rlebow@dfn.org; Sat, 13 APR 2002 11:51:46 -0500 From: "Dr. Grace Lawal" <graceelawal@yahoo.com> Reply-To: graceelawal@yahoo.com To: rlebow@dfn.org Date: Sat, 13 APR 2002 05:52:35 +1000 Subject: #Contact urgently# X-Mailer: Microsoft Outlook Express 5.00.2919.6900 DM MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===_LikeYe_888_2fptuofrlwlhlh" Message-ID: <auto-000029632626@mq.idtweb.com> X-Mozilla-Status: 8003 X-Mozilla-Status2: 00000000 X-UIDL: 1169 Dear Sir, I am Dr.Grace Lawal (Phd) Bank Manager of Zenith Bank,Lagos, Nigeria. I have urgent and very confidential business proposition for you. On June 6, 1997, a Foreign Oil consultant/contractor with the Nigerian National Petroleum Corporation, Mr.Barry Kelly made a numbered time (Fixed) Deposit for twelve calendar months, valued at US$25,000,000.00, (Twenty-five Million, Dollars) in my branch. Upon maturity, I sI discovered from his contract employers, the Nigerian National Petroleum Corporation that Mr. Barry Kelly died from an automobile accident. On further investigation, I found out that he died without making a WILL, and http://p218.ezboard.com/fcreditwrenchfrm2.showMessage?topicID=33.topic 5/16/2006
  • 2. How to trace emails back to source - www.ezboard.com Page 2 of 5 all attempts to trace his next of kin was fruitless. This sum of US$25,000,000.00 has carefully been moved out of my bank to a security company for safekeeping. No one will ever come forward to claim it. Consequently, my proposal is that I will like you as an Foreigner to stand in as the owner of the money I deposited it in a security company in two trunk boxes though the security company does not know the contents of the boxes as I tagged them to be photographic materials for export. I want to present you as the owner of the boxes in the security company so you can be able to claim them with the help of my attorney. This is simple. I will like you to provide immediately your full names and address so that the Attorney will prepare the necessary documents which will put you in place as the owner of the boxes. The money will be moved out for us to share in the ratio of 70% for me and 30% for you. Thanks and God bless. Dr.Grace lawal (p.h.d) 1. View full header We see from the From: and Reply to: fields that the e-mail address of the sender of this annoying solicitation is graceelawal@yahoo.com. A reply, however, reveals that this is not a valid e-mail address. So, we now look at the Received: field. 2. Read the Received: fields in the header, with the bottom field the oldest MTA and the top the most recent Explaining these fields is quite straightforward. Received: from [207.202.32.37] (HELO mailscan1.corp.idt.net) by mail.corp.idt.net (CommuniGate Pro SMTP 3.5.7) with SMTP id 3290036 for rlebow@corp.idt.net; Sat, 13 APR 2002 11:49:42 -0500 Received: from 169.132.232.57 by mailscan1.corp.idt.net (InterScan E-mail VirusWall NT); Sat, 13 APR 2002 12:54:55 -0400 Received: from mq.idtweb.com ([216.53.71.121] verified) by mail.idtweb.com (CommuniGate Pro SMTP 3.5.7) with ESMTP id 30370009 for rlebow@dfn.org; Sat, 13 APR 2002 12:51:44 -0400 Received: from [80.247.137.24] (HELO ab97c381.com) by mq.idtweb.com (CommuniGate Pro SMTP 3.5.7) with SMTP id 29632626 for rlebow@dfn.org; Sat, 13 APR 2002 11:51:46 -0500 First, the e-mail came from 80.247.137.24 into mq.idtweb.com. (HELO identifies the sending machine. This cannot be relied upon however for accurate information.) The mail was received on Saturday, April 13, 2002 at 11:51:46 New York Time. Next, the e-mail passed from mq.idtweb.com into mail.idtweb.com. The mail was received on Saturday, April 13, 2002 at 11:51:44 New York Time. Next, the e-mail traveled from 169.132.232.57 to http://p218.ezboard.com/fcreditwrenchfrm2.showMessage?topicID=33.topic 5/16/2006
  • 3. How to trace emails back to source - www.ezboard.com Page 3 of 5 mailscan1.corp.idt.net. The mail was received on Saturday, April 13, 2002 at 11:54:55 New York Time. Finally, the e-mail traveled from 207.202.32.37to mail.corp.idt.net. The mail was received on Saturday, April 13, 2002 at 11:49:42 New York Time. 3. Use Internet Registries to determine which companies own the IPs The e-mail originated from 80.247.137.24. We must look up the IP in one of the Internet registries on the Web. The place we will start is the American Registry of Internet Numbers (ARIN) at www.arin.net, which the registry for the Americas and sub-Saharan Africa. We choose to begin our search on ARIN only because "Grace Lawal" states that she is from Nigeria. We don't know this for sure, of course, but it is a good a place to start as any. After going to the ARIN Web site, we perform a WHOIS search on the IP address (See figure below). Figure 1: The WHOIS search on ARIN is on the upper right corner. The WHOIS search tells us that in fact this IP address is not in the ARIN database, but rather can be found in the database of European Regional Internet Registry (RIPE), located at www.ripe.net. As its name implies, RIPE is responsible for IP addresses of European organizations. We now perform the same WHOIS search on the RIPE Web site, entering the IP address, 80.247.137.24. This time, our search is successful. RIPE outputs the following data: inetnum: 80.247.137.0 - 80.247.137.255 netname: SIMBATECH descr: Simba Technology ltd is a Licensed ISP located Lagos Nigeria country: NG admin-c: ID116-RIPE tech-c: NIL3-RIPE status: ASSIGNED PA notify: anil@simbaonline.net mnt-by: AS17175-MNT changed: scooper@newskies.com 20020208 source: RIPE route: 80.247.128.0/20 descr: New Skies Satellites origin: AS17175 mnt-by: AS17175-MNT changed: scooper@newskies.com 20011116 source: RIPE person: Segun Adekoya address: Simba Technology Limited. address: 77/79 Eric Moore Road, Surulere, Lagos address: Nigeria. phone: +23417740120 fax-no: +23415851016 e-mail: segun@simbaonline.net nic-hdl: ID116-RIPE notify: support@simbaonline.net mnt-by: AS17175-MNT changed: scooper@newskies.com 20020208 http://p218.ezboard.com/fcreditwrenchfrm2.showMessage?topicID=33.topic 5/16/2006
  • 4. How to trace emails back to source - www.ezboard.com Page 4 of 5 source: RIPE person: Anil Kumar address: Simba Technology Limited. Address: 77/79 Eric Moore Road, Surulere, Lagos phone: +23417740120 fax-no: +23415851016 e-mail: anil@simbaonline.net nic-hdl: NIL3-RIPE notify: anil@simbaonline.net mnt-by: AS17175-MNT changed: scooper@newskies.com 20020208 source: RIPE We can thus determine that Simba Technology is the Internet Service Provider (ISP) that took up "Grace Lawal's" e-mail after she sent it off to DFN. We also note that while "Grace Lawal" is almost certainly a false name, she (or he) might not have lied about being in Lagos, Nigeria, since that is where Simba is located. At any rate, Simba must have a record in the form of a mail or user log that will inform us from where the e-mail originated. Before we do this, let's go back and trace the remaining path of the e-mail. We can see that after it left Nigeria, it went directly to mq.idtweb.com. IDT Corporation hosts DFN, so already, we see the mail has arrived with no stopovers. From there, it went into mail.idtweb.com. The header then reports that the mail went from 169.132.232.57 to mailscan1.corp.idt.net, and then from 207.202.32.37 to mail.corp.idt.net. These IP addresses seem to come out of nowhere, but a WHOIS search on ARIN reveals that they are just IP addresses owned by IDT. Thus the mail arrived at IDT and then went through various scanning procedures to make sure it was not spam and did not contain a virus before it arrived in DFN's mailbox. 4. Contact the companies to ask that they check their user and message logs to see who was logged into that particular IP at that time This is the letter we sent to Simba Technology. It was addressed specifically to Anil Kumar and Segun Adekoya, the two contacts listed in the RIPE database entry above. (Note: The original message from "Grace Lawal" was attached to this e-mail to Simba, but is not reprinted again here.) From: Robert Lebowitz [mailto:rlebow@dfn.org] Sent: Wednesday, April 17, 2002 3:02 PM To: anil@simbaonline.net,segun@simbaonline.net Subject: Can you please check mail and user logs stats? Dear Sirs, Hi. I received the following mail that passed through your machines. Would you be kind enough to check the mail logs on simbaonline.net for Sat, April 13, 2002 05:52:35 +1000? (This would be 5:52:35 Sydney or Melbourne time). I highlighted the line of the header that indicates that the message passed through your system at this time. There does not appear to be any "grace lawal" at Zenith, and we have received quite a few "spam" http://p218.ezboard.com/fcreditwrenchfrm2.showMessage?topicID=33.topic 5/16/2006
  • 5. How to trace emails back to source - www.ezboard.com Page 5 of 5 messages from her. Perhaps you can tell me the identity of--or at least any information about--this person. Thanks so much, Robert Lebowitz <message attached> The message to Simba was sent out in the morning. By the late afternoon, we received the following reply from Simba's general manager: Dear Mr.Robert This has reference to the concerns raised by you regarding the spam mails. We are basically a ISP in Nigeria. The IP involved belongs to one of our customer who runs a cyber cafe in Lagos. Since it is a cyber cafe we are not able to identify who is the person doing the same. Still we are taking all efforts to identify the person doing this mischief. Pls also let me know, if you have any suggestions on how this person could be isolated. Regards Viswanathan.D General Manager SimbaNET Nigeria Ltd. 77/79, Eric Moore Road Surulere, Lagos Nigeria. We know now that the e-mail was sent from a cyber cafe in Lagos, Nigeria. However, since one can send messages from a cyber cafe with complete anonymity, we are prevented from finding out more concrete information. If this were an e-mail of much greater importance—such as the ransom note sent from the kidnappers of U.S. journalist Daniel Pearl—we could take further steps to track our quarry. For instance, we could get the name of the Lagos cyber cafe from our contact at Simba. Then, on the assumption that the person sends out e-mail periodically from the same location, we could install key-sniffing devices in the computers at the cafe. These programs register a user's keystrokes, thus creating a record of everything that was typed at a particular terminal. Another recourse would be to make sure IDs were taken for the period in which a person was using a computer in a public cluster. But while these methods would aid greatly in identifying an e-mail sender, they also would impinge on the rights of others using the computers to conduct their personal business. Such a conflict defines the ongoing struggle between the fight against terrorism over the Internet and the right to privacy, which will continue to evolve in the years ahead. Go to How to trace an e-mail, part 1: An overview http://p218.ezboard.com/fcreditwrenchfrm2.showMessage?topicID=33.topic 5/16/2006