You receive an e-mail from a prospective customer requesting information on your products, prices etc., or placing an order. Normally you would want to find out more about this customer before parting with the requested information, especially if it is of a sensitive nature, such as a price list or discount rates. There are other occasions when you want to find out more about an e-mail sender, for example to locate the identity of a spammer or of someone whose identity is suspicious. How do you go about it?
I belong to a closed network of CEOs who share information with each other regarding international finance and trade deals worldwide, and every month we share notes on our own blacklists as well as high-level messages carrying “red flags”. Since I achingly encounter fraudsters (and lately some cyberbullies) on a weekly basis, I decided to write about one simple technique we use, which I teach our employees worldwide as part of how we do business within MJS companies.
An e-mail address is perhaps the easiest thing to acquire on the Internet. Though the Internet is anonymous, there are a few tools with which you can dig out some information about your customer before entering into a negotiation. For example, if you receive an e-mail from a ‘customer’ with a US postal address but discover that the e-mail was sent from an African country, you will know what to do with the help of these steps.
Analysis of Given Details
Every e-mail has at least three distinct elements:
From: (e.g. email@example.com)
To: (e.g. firstname.lastname@example.org)
Subject: (e.g. Want to buy your products)
The simplest test is to take the tail of the sender’s e-mail address, the domain after the @ sign (e.g. example.com for email@example.com), and type it into your browser’s address bar (usually with www. in front) to check whether there is a web-site at that address. If you find a valid, business-like web-site there, your job becomes easier: one can dig out significant details from a web-site as well as from other sources. Please see the Faida article ‘How to evaluate a business web-site’ for details. However, if you cannot find a web-site for the sender’s domain, do not jump to the conclusion that the sender is phony. Lots of people use a business e-mail address without a web-site. In such cases you need to determine whether the sender is one of them or is using an anonymous web-based free e-mail account disguised as a business e-mail. Your next task is to find out the ownership details of the domain name.
Tracing Owner of Domain Name
The Internet Corporation for Assigned Names and Numbers (ICANN) is the nodal agency that supervises the registration of domain names. Information on the ownership of domain names can be obtained from ICANN-accredited registrars, who maintain a public-access database (called whois) of domain ownership. Please visit such a whois service (e.g. http://www.internic.net/whois.html) and check the ownership of the domain name. If the sender is using a genuine business e-mail address, the domain name should be registered in the sender’s name or in his/her company’s name. Two caveats: many registrants pay for a privacy or proxy service, so the record may show only the proxy’s details instead of the owner’s, and the creation date in the record is worth a look, since a domain registered only days before the e-mail was sent is a warning sign in itself.
When e-mail Sender Uses free web-based E-mail service
What happens when the e-mail sender uses a web-based free e-mail service (e.g. hotmail.com, yahoo.com, rediffmail.com etc.)? Well, you can still find information about the sender by analyzing the e-mail header.
Unraveling Hidden information from e-mail header
Every e-mail has a visible set of information: the sender (From:), the recipient (To:), the subject (Subject:), sometimes the sender’s organization (Organization:) etc. However, there is a great deal more hidden within that can reveal significant information about the sender. A little scrutiny of this hidden information may help you locate the sender’s country, judge the genuineness of the address used in the ‘From:’ column, and see whether the sender tried to conceal his/her identity. A sender who fakes identity is usually a fraudster trying to steal your money or someone spreading a virus, a potential hazard in either case that can cost you a lot in terms of financial loss, a crashed computer etc. A little time spent analyzing suspicious-looking e-mails is insurance against such disasters. Those using Yahoo, AOL, Hotmail or any such web-based e-mail service may think that their true identity and location are hidden. In reality, one may still find information about them by analyzing their e-mail headers.
What is E-mail Header
The part of an e-mail where this hidden information is stored is called the ‘header’. The header stores information on the path the e-mail has traversed while reaching your mailbox, right from the sender’s computer. Normally one doesn’t need this kind of information and mail clients (Eudora, Outlook, Netscape etc.) do not display it.
To see the e-mail header in Netscape: open any e-mail and click View > Page Source.
To see it in Outlook: right-click on the mail message while it is still in your Inbox, select ‘Options…’ from the resulting popup menu and examine the ‘Internet Headers’ box in the ‘Message Options’ dialog.
Other mail clients and web-mail services offer the same thing under names like ‘View source’, ‘Show original’ or ‘View all headers’.
At first look the header may seem confusing and puzzling. This is more so for spam e-mails, as spammers try their best to make the header misleading. Do not lose heart; I am going to explain how to pick the right information out of it.
Examining a Typical Header
Let us examine following e-mail header:
1.  Delivery-date: Wed, 03 Nov 2004 23:59:47 -0600
2.  Received: from bani by arjuna.banijya.com with local-bsmtp (Mann 4.43)
3.      id 1CPaev-00057o-Q4
4.      for firstname.lastname@example.org; Wed, 03 Nov 2004 23:59:47 -0600
5.  Received: from [220.127.116.11] (helo=rediffmail.com)
6.      by arjuna.banijya.com with smtp (Mann 4.43)
7.      id 1CPaev-00057f-8T
8.      for email@example.com; Wed, 03 Nov 2004 23:59:45 -0600
9.  Received: (qmail 28471 invoked by uid 510); 4 Nov 2004 05:59:09 -0000
10. Date: 4 Nov 2004 05:59:09 -0000
11. Message-ID: <firstname.lastname@example.org>
12. Received: from unknown (18.104.22.168) by rediffmail.com
13.     via HTTP; 04 nov 2004 05:59:08 -0000
14. MIME-Version: 1.0
15. From: “Raj International ”
16. Reply-To: “Raj International “
17. To: “InfoBanc”
18. Subject: Thanks for activation
Explanation of Header Elements
If you look carefully at the e-mail header above, a pattern is clearly visible. The header is composed of several lines of text, each starting with a header name (e.g. Delivery-date), a colon (:), a space and finally the header value. If a line starts with a tab or spaces (line nos. 3-4, 6-8 and 13), that line is a continuation of the previous header value. So the header name ‘Received:’ in line 2 has a value that spans lines 2 to 4, and the one in line 5 spans lines 5 to 8. Some header names are simple and self-explanatory, such as ‘Delivery-date:’, ‘From:’, ‘Reply-To:’, ‘Subject:’ etc. For example, the sender’s e-mail address appears after the header name ‘From:’ and the recipient’s e-mail address after ‘To:’. Please note that mail servers do not check whether the sender is using his or her own e-mail address; the ‘From:’ line is supplied by the sender’s software, exactly like the text of the message. This lack of verification is a weakness that spammers and fraudsters use ruthlessly to confuse recipients, so do not accept the sender’s e-mail address at face value. A fraudster or spammer will in all likelihood never use his/her actual e-mail address; instead he/she may use a legitimate e-mail address (it could even be your own) as the sender. We shall not discuss each and every header name, as many of these can be forged or fake ones inserted by a spammer. What is most important for our purpose (and most difficult to forge) are the ‘Received:’ headers. Analysis of the ‘Received:’ headers can reveal a great deal of information about the sender.
Locating Actual Sender from Header Analysis
Every e-mail has a header that stores significant information about the sender and the path the message traversed before reaching your mailbox. Above we discussed how to read e-mail headers and the various header elements. In this section we shall discuss how to locate the actual sender of an e-mail and his/her geographical location. Considering the anonymous nature of the Internet, this is a vital piece of information for every e-business, and it applies just as much to users of web-based free e-mail services like Yahoo, Rediffmail, Hotmail etc., who may think that their true identity and location are hidden.
Of all the header elements we have discussed, the ‘Received:’ headers are the most important for identifying the sender’s country, because they are the most difficult to tamper with. Headers are just text, so any header element can be forged and fake ones inserted, but only up to a point: the headers added by servers that you trust (your own mail server or your ISP’s) can be considered reliable, because they were written after the message left the sender’s hands. Every time an e-mail passes through a mail server, that server adds a new Received header (and possibly other headers) to the beginning of the header list. This means that as you read the Received headers from top to bottom you move gradually closer to the computer/person that sent you the e-mail. But as you get closer to the sender, you need to consider the possibility that the sender added one or more false Received lines (which, at the time, were the beginning of the list) in an attempt to redirect you to another location and prevent you from finding the true sender. The practical rule is therefore: work down the list from your own server’s Received line, and treat the first line that was not written by a server you trust as the sender’s claim rather than as a fact. Now that you know false header lines are possible, just stay alert.
Reading ‘Received:’ Header
Consider following e-mail header and its interpretation:
1. Received: from [22.214.171.124] (helo=web20024.mail.yahoo.com)
2.     by arjuna.banijya.com with smtp (Mann 4.43)
3.     id 1CPhNE-0002Qt-0T
4.     for email@example.com; Thu, 04 Nov 2004 07:09:56 -0600
5. Received: from [126.96.36.199] by web20024.mail.yahoo.com via
6.     HTTP; Thu, 04 Nov 2004 05:09:53 PST
Lines 1-4: our own mail server arjuna.banijya.com received the mail from IP 22.214.171.124, a machine that announced itself (helo=) as web20024.mail.yahoo.com. This line was written by our server, so it is reliable.
Lines 5-6: mail server web20024.mail.yahoo.com received the mail, through its web interface (HTTP), from IP 126.96.36.199. This line was written by Yahoo’s server, so it is as reliable as Yahoo is.
By the way, IP stands for Internet Protocol. The Internet uses one technology to interlink the millions of computers in its fold, TCP/IP, and at the core of it is IP addressing. Every computer connected to the Internet is given a number for identification, called an IP address; your ISP assigns you one each time you connect to the Internet, and it is this address, not anything the sender types, that mail servers record. It is evident from the header interpretation that the actual sender is the one at the bottom of the series of ‘Received:’ headers and the recipient is at the top. In other words, mail server web20024.mail.yahoo.com received this e-mail from IP address 126.96.36.199, so 126.96.36.199 is the sender of this e-mail. Interestingly, this sender used a free web-based e-mail service (yahoo.com), yet his/her location can still be traced using the IP address found in the mail header. Two caveats: the address identifies the connection the sender used (a home or office line, an Internet café, a proxy), not the person, and it is only as reliable as the server that recorded it.
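The reading of the ‘Received:’ chain described above, as an added example that is not part of the original article: the script unfolds the header, takes the ‘Received:’ lines top to bottom, counts how many were stamped by our own server (arjuna.banijya.com, the host in the headers on this page) and reports both the address that connected to our server and the origin claimed by the lowest line, together with timestamp and private-address anomalies. The two header samples are copies of the headers shown on this page; the trusted host list is an assumption you should replace with your own server names.

```python
"""Walk the Received: chain of a raw e-mail header (added example, not the article's code).

Received: fields are taken top to bottom (newest first) and split into hops stamped by
our own server (trusted) and hops that arrived with the message (the sender's claim).
"""
from __future__ import annotations

import ipaddress
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# The two headers shown in the article (non-Received lines mostly left out).
SAMPLE_YAHOO = """\
Received: from [22.214.171.124] (helo=web20024.mail.yahoo.com)
\tby arjuna.banijya.com with smtp (Mann 4.43)
\tid 1CPhNE-0002Qt-0T
\tfor email@example.com; Thu, 04 Nov 2004 07:09:56 -0600
Received: from [126.96.36.199] by web20024.mail.yahoo.com via
\tHTTP; Thu, 04 Nov 2004 05:09:53 PST
"""
SAMPLE_REDIFF = """\
Received: from bani by arjuna.banijya.com with local-bsmtp (Mann 4.43)
\tid 1CPaev-00057o-Q4
\tfor firstname.lastname@example.org; Wed, 03 Nov 2004 23:59:47 -0600
Received: from [220.127.116.11] (helo=rediffmail.com)
\tby arjuna.banijya.com with smtp (Mann 4.43)
\tid 1CPaev-00057f-8T
\tfor email@example.com; Wed, 03 Nov 2004 23:59:45 -0600
Received: (qmail 28471 invoked by uid 510); 4 Nov 2004 05:59:09 -0000
Received: from unknown (18.104.22.168) by rediffmail.com
\tvia HTTP; 04 nov 2004 05:59:08 -0000
"""

OUR_SERVERS = {"arjuna.banijya.com"}   # hosts whose Received: stamps we trust (assumption)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def unfold_header(raw: str) -> list[tuple[str, str]]:
    """Split a header block into (name, value) pairs, joining folded continuation lines."""
    fields: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[0] in " \t" and fields:             # leading whitespace = continuation
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value: str) -> dict:
    """Pull the 'from' IP, HELO name, 'by' host and timestamp out of one Received: value."""
    m = re.match(r"from\s+(.*?)\s+by\s+([^\s;]+)", value, re.S)
    from_part, by_host = (m.group(1), m.group(2)) if m else ("", None)
    ip = None
    for cand in IPV4_RE.findall(from_part):         # first syntactically valid address wins
        try:
            ip = ipaddress.ip_address(cand)
            break
        except ValueError:
            continue
    helo = re.search(r"helo=([^\s)]+)", from_part)
    try:                                            # the timestamp follows the last ';'
        when = parsedate_to_datetime(value.rpartition(";")[2].strip())
        if when.tzinfo is None:                     # '-0000' = zone unknown; treat as UTC
            when = when.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        when = None
    return {"from_ip": str(ip) if ip is not None else None,
            "public": ip is not None and ip.is_global,
            "helo": helo.group(1) if helo else None, "by": by_host, "when": when}


def analyze_received_chain(raw: str, trusted_hosts: set[str] = OUR_SERVERS) -> dict:
    """Separate trusted hops from sender-supplied ones and flag inconsistencies."""
    hops = [parse_received(v) for n, v in unfold_header(raw) if n.lower() == "received"]
    trusted = 0                                     # trusted hops, counted from the top
    for hop in hops:
        if hop["by"] and hop["by"].lower() in trusted_hosts:
            trusted += 1
        else:
            break
    anomalies = []
    prev = None                                     # time must not run backwards going up
    for i in range(len(hops) - 1, -1, -1):
        when = hops[i]["when"]
        if when is not None and prev is not None and when < prev:
            anomalies.append(f"hop {i + 1} is stamped earlier than the hop below it")
        prev = when or prev
    for i, hop in enumerate(hops, start=1):
        if hop["from_ip"] and not hop["public"]:
            anomalies.append(f"hop {i}: {hop['from_ip']} is private/reserved, cannot be geolocated")
    return {
        "hops": hops, "trusted_hops": trusted,
        "connecting_ip": hops[trusted - 1]["from_ip"] if trusted else None,   # what OUR server saw
        "claimed_origin": hops[-1]["from_ip"] if hops else None,            # what the lowest line claims
        "anomalies": anomalies,
    }
```

Run `analyze_received_chain(SAMPLE_YAHOO)` and you get connecting_ip 22.214.171.124 (Yahoo’s server talking to ours), claimed_origin 126.96.36.199 (the address Yahoo recorded for the web-mail user) and no anomalies. Paste a forged ‘Received:’ line below the genuine ones and the timestamp check or the private-address check will usually catch it, because a forger rarely gets the clocks and the address ranges right.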
Locating Sender’s Country from IP Address
Spammers and fraudsters may forge many header elements like ‘From:’, ‘Date:’ etc., but it is very difficult for them to change the IP addresses inserted by the mail servers that handled the message after it left their hands. At best, they may insert fake ‘Received:’ headers below the genuine ones to confuse the recipient.
Once you have located the IP address of the actual sender’s computer or mail server, it is possible to locate its geographical location or country.
E-mails are anonymous by nature, but each one contains significant information in its header about the path it traversed before reaching your mailbox. The header is normally not visible. We have discussed how to view and analyze the header of any e-mail and locate the actual sender with his/her IP address. In this section we shall discuss how to locate the sender’s country from the IP address.
Internet Resources for IP Analysis
There are various free and paid-for Internet resources to help you find information about IP addresses, domain names etc.
1. Visualware
Perhaps the leader in IP tracking software, Visualware has a number of products to track e-mail, IP addresses, domain name owners etc. VisualRoute and eMailTrackerPro are two Visualware products that can give you significant information on e-mails. VisualRoute has a free service to demonstrate how the software works. If your IP tracking requirement is modest, you may use this free service to track any IP address. However, if you wish to use this facility regularly, please consider buying the software. To use the free service, please visit the Visualware web-site http://www.visualware.com/index.html
Click on the ‘Online demos’ button on the above page; you will reach http://www.visualware.com/demo/index.html
Click on the ‘VisualRoute’ link on the above page and you will reach the IP tracking area: http://visualroute.visualware.com/
There is a simple one-step registration process that requires your e-mail address only. Enter your e-mail address in the registration box and an identification number (called a PIN) will be sent to your e-mail. Use this PIN the first time; you will not require it again. After registration, copy and paste any IP address and it will immediately show the country of origin of the IP address on a world map.
2. DNS Stuff
My favorite. This is a very powerful yet completely free service that performs dozens of extremely useful functions. The Internet is truly a marvelous place; where else would you find such high-quality service completely free of cost? It does not even require registration: please visit http://www.dnsstuff.com/ and perform dozens of IP- and DNS-related functions. To trace the geographic location of an IP address, use Tracert (it traces the route packets take to the address). Bear in mind that a traceroute shows the route, not the country directly: read the host names of the last few routers before the destination, which usually name the ISP and often the city, and combine that with the registry whois results described below.
3. American Registry for Internet Numbers (ARIN)
An excellent free source for finding information on an IP address. To use this service, please visit http://www.arin.net/whois/index.html. Enter the IP address into the search text box and hit “Submit”. If the IP address belongs to an organization in North America (or, when this was written, sub-Saharan Africa; African address space has since been served by its own registry, AfriNIC, http://www.afrinic.net/) it will display the details of the owner of the IP address. For organizations located outside ARIN’s geographical area of responsibility, here are the other resources:
RIPE (European Registry): http://www.ripe.net/ripencc/pub-services/db/whois/whois.html
APNIC (Asia Pacific Registry): http://www.apnic.net/apnic-bin/whois2.pl
LACNIC (Latin America and the Caribbean Registry): http://lacnic.net/cgi-bin/lacnic/whois?lg=EN
To determine in which geographical area a particular country is located, see the List of Countries in Regional Registry Geographical Areas: http://www.arin.net/library/internet_info/countries.html
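The whois lookups described in the domain-ownership section above and in this list of regional registries, as an added example that is not the article’s own code: a small client for the whois protocol (TCP port 43, RFC 3912) that starts at IANA’s whois server and follows the referral to the responsible registrar or regional registry, plus a parser for the ‘Key: value’ replies. The server name whois.iana.org is the public one; the referral field names (refer, whois, ReferralServer) are the ones those servers use in my experience and should be treated as assumptions, as should the constructed sample reply used for the self-test. The free web-mail list is the one named on this page plus two obvious additions.

```python
"""whois client for the checks above (added example, not the article's own code).

One TCP-port-43 client (RFC 3912) serves both the domain-ownership check
(registrar whois) and the IP-ownership check (the regional registries).
Nothing touches the network unless lookup() or whois_query() is called.
"""
from __future__ import annotations

import re
import socket

IANA_WHOIS = "whois.iana.org"      # knows the responsible whois server for every TLD and IP block

# Free web-mail domains named in the article, plus two obvious ones (assumption).
FREE_WEBMAIL = {"hotmail.com", "yahoo.com", "rediffmail.com", "aol.com", "gmail.com"}

# Constructed sample reply for the self-test; not real registry data.
SAMPLE_REPLY = """\
% IANA WHOIS server (constructed sample)
refer:        whois.example-registrar.test

domain:       EXAMPLE.COM
organisation: Example Registrant Ltd
created:      2004-11-01
status:       ACTIVE
status:       LOCKED
>>> Last update of WHOIS database: 2004-11-04 <<<
"""

KEY_RE = re.compile(r"[A-Za-z][A-Za-z0-9 /_-]{0,40}")


def sender_domain(address: str) -> str:
    """The 'tail' of an e-mail address (everything after @), lower-cased; '' if malformed."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):          # "Display Name <user@host>" form
        addr = addr[addr.rfind("<") + 1:-1]
    m = re.fullmatch(r"[^@\s<>]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", addr)
    return m.group(1).lower() if m else ""


def is_free_webmail(domain: str) -> bool:
    return domain.lower() in FREE_WEBMAIL


def whois_query(query: str, server: str, timeout: float = 10.0) -> str:
    """Send one query line (query + CRLF) to a whois server and return its full text reply."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii", "ignore") + b"\r\n")
        reply = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:                            # the server closes the connection when done
                break
            reply += chunk
    return reply.decode("utf-8", "replace")


def parse_whois(text: str) -> dict[str, str]:
    """Turn 'Key: value' lines into a dict (keys lower-cased; repeated keys joined with '; ')."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#>":            # comments and legal boilerplate
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value or not KEY_RE.fullmatch(key):
            continue
        fields[key] = f"{fields[key]}; {value}" if key in fields else value
    return fields


def referral(fields: dict[str, str]) -> str | None:
    """Next server to ask, if the reply points elsewhere.

    IANA answers with 'refer:' (and 'whois:'); ARIN answers 'ReferralServer: whois://host'
    for address space another registry manages (field names as observed; assumption)."""
    for key in ("refer", "whois", "referralserver"):
        if key in fields:
            return fields[key].split(";")[0].strip().replace("whois://", "", 1)
    return None


def lookup(query: str, max_hops: int = 3) -> dict[str, str]:
    """Ask IANA, then follow referrals until a registry/registrar answers without one."""
    server, seen, result = IANA_WHOIS, set(), {}
    for _ in range(max_hops):
        seen.add(server)
        result = parse_whois(whois_query(query, server))
        result["_server"] = server                  # who gave the final answer
        nxt = referral(result)
        if not nxt or nxt in seen:
            break
        server = nxt
    return result


if __name__ == "__main__":
    import sys
    for q in sys.argv[1:]:                          # a domain, an address or an IP, e.g. example.com
        dom = sender_domain(q) or q
        print(q, "(free web-mail)" if is_free_webmail(dom) else "", lookup(dom))
```

`lookup("example.com")` asks IANA, which refers you to the .com registry; `lookup("198.51.100.7")` is refered to the regional registry responsible for that block, which is exactly the manual ARIN/RIPE/APNIC/LACNIC step above. For thick registries the final reply contains the registrant or network owner; where a privacy service is in use you will see the proxy’s details instead, which is itself a data point.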
4. NetGeo – The Internet Geographic Database
NetGeo is a free service for locating the geographical position of an IP address. Though this free service was almost as good as Visualware, much of its usefulness is now lost, as its database is not updated regularly.
You may find more information about NetGeo at http://www.caida.org/tools/utilities/netgeo/
To use this facility – please visit http://www.dnsstuff.com/ and use NetGeo IP Lookup
Here are just some pointers to help your business and personal life. Our companies, MJS Commodities and MJS Capital, are very active within international trade, and we are very diligent in making sure that we deal with real players in the business. Trust, integrity and relationships are our greatest commodities in our business. I hope this will help you become productive and have a safe experience in this new technologically savvy generation of fraud, scams and cyberbullying. I look forward to your comments, feedback and suggestions.