Basic email header analysis tools - a short tutorial

Discussion in 'General Information' started by Garreg Ddu, Feb 26, 2009.

Thread Status:
Not open for further replies.
  1. Garreg Ddu (Administrator, Staff Member)

    Basic email header analysis tools.


    In response to questions from members to the Admin and Moderation Team, and with the agreement of the Boss, this short tutorial has been put together to help anyone who is interested to get a bit more information about their incoming scams. To help you, any text which is underlined and blue is a link to another thread or site which contains a useful tool or information and can be "clicked" to take you there.


    It is not just of passing interest to find out where an email came from, but has a practical value as well. We can find not only the address which is supposed to have sent it, but the location of the network where the scammer was logged in when the email was sent. There are some very good, simple to use tools which can help to find this information. This cannot be done with every email service, as some do not include the origins in their headers. It is possible to "forge" information in headers, but this can be detected. As noted in other threads, full headers and the information gleaned from them can be used to gather details about scammers which may then get used in other places, such as by Law Enforcement Organisations.


    The first step is to find and copy the full headers for the message. I usually copy and paste the headers into a simple editor, such as "Notepad", where annotation can be added as analysis progresses. Getting the headers depends on the email service you are using as the recipient. There is a wealth of information in the thread at How to find email headers which should help extract full headers from the most commonly used email systems. If you have an email service which is not listed, then please let the Administrators and Moderators know, using the "Contact Us" link at the bottom of every page or via "Private Conversation" (you can find who is who at Your friendly neighborhood admin team).


    When you have your header extracted and saved, you can start to investigate the information in it. Let us use an example of an email from a Nigerian criminal, sent to a Microsoft Windows Live Mail inbox:

    Some details are obvious without any further use of software tools. The sending email address, which may be masked or "forged" in the compact header, is shown by the X-SID-PRA: field, in this case <sharp1976@o2.pl>, which the sending system has designated as the Return-Path: as well. This is where any automatic responses from remote servers are directed. The Reply-To: has been set by the sender in order to divert replies to a different email address, in this case <mrpeterphillip49@gmail.com>.

    To get more information the next step is to submit the headers to an analysis tool, such as http://www.ip2location.com/emailtracer.aspx. The site has some simple directions for use on the input panel. Use of the site is free, and guests may make up to 20 searches a day. If you register for a free trial account, you may make up to 200 searches a day.

    The results of submitting the header above are in a series of tables below the header input panel:

    Which is clearly incorrect when we look at the further IP Addresses from header in the table below. In this case, by referring to the Received: entries in the full header we can see that the important section is:
    which makes the statement "8.12.11.200 is the originating IP address" fall over at the first hurdle, as the IP address origin the email came from is 41.222.67.140 and not 8.12.11.200, which is not really an IP address at all.

    Looking at the second table from the ip2location.com analysis, we can see:
    All that remains to be done now is to get the DNS lookup information about the IP Address. Clicking on this Whois link will go to the "Who-Is" lookup at DNSstuff, where you can enter the IP Address (hint: copy and paste) and find:

    This can be translated, in your simple editor, into a line such as

    Origin IP Address = 41.222.67.140 = Swift Networks Ltd., 31B Saka Tinubu Street, Victoria Island, Lagos. Nigeria.

    And that is all there is to getting the information which is posted in the forums.

    If you have any queries or problems, please let us know using the methods mentioned above.
     
    Last edited: Feb 18, 2012
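The procedure above (find the Received: lines, decide which one the origin is, then read off the sender fields) can be scripted. The block below is an added example written for this page; it is not the thread author's code and not part of either header tool discussed. The header it parses is constructed for illustration: the two IP addresses are the ones quoted in the post, but every hostname, the timestamps, and the "example.com" trusted domain are assumptions. The rule it applies is the standard one: each relay prepends its own Received: line, so only the lines written by servers you trust are reliable, and the origin is the "from" address on the outermost trusted hop that is a public address. A tool that simply takes the bottom-most Received: line is what produces the 8.12.11.200 answer seen in the post; note that 8.12.11.200 is a syntactically valid public dotted quad, and the example discounts it because it sits below the first trusted hop, where the sender could have inserted it, not because of its form.

```python
"""Walk the Received: chain of an email header to find the originating IP."""
import ipaddress
import re
from email import message_from_string

# Constructed sample header (illustrative, not the thread's real header).  The
# two IP addresses are the ones quoted in the post; every hostname is made up.
# Each relay prepends its own Received: line, so the top line is the newest.
SAMPLE_HEADERS = """\
Return-Path: <sharp1976@o2.pl>
X-SID-PRA: sharp1976@o2.pl
Received: from mx-in.example.com (10.0.0.5) by mailstore.example.com
 with ESMTP; Thu, 26 Feb 2009 10:12:35 +0000
Received: from mail.example.net ([41.222.67.140]) by mx-in.example.com
 with SMTP; Thu, 26 Feb 2009 10:12:33 +0000
Received: from unknown (HELO relay) ([8.12.11.200]) by mail.example.net
 with SMTP; Thu, 26 Feb 2009 10:11:58 +0000
From: "Mr Peter Phillip" <sharp1976@o2.pl>
Reply-To: <mrpeterphillip49@gmail.com>
To: victim@example.com
Subject: URGENT BUSINESS PROPOSAL

"""

# Assumed: the recipient's provider runs the servers in these domains.  Lines
# written ("by") those servers are reliable; anything below them was already
# inside the message when it arrived and may have been forged by the sender.
TRUSTED_DOMAINS = ("example.com",)

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
RECEIVED_RE = re.compile(r"^from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)",
                         re.IGNORECASE)


def parse_received(value):
    """Return (from_ip, by_host) for one Received: header value.

    from_ip is an IPv4Address or None if the 'from' clause carries no
    syntactically valid dotted quad; by_host is the lower-cased relay name.
    """
    text = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.match(text)
    if not m:
        return None, None
    ip = None
    for candidate in IPV4_RE.findall(m.group("from")):
        try:
            ip = ipaddress.IPv4Address(candidate)
            break
        except ValueError:                  # e.g. 999.1.1.1 matches the regex
            continue
    return ip, m.group("by").lower()


def received_chain(raw_headers):
    """All Received: hops as (from_ip, by_host), newest (top of header) first."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_routable(ip):
    """Public address only: rejects RFC 1918, loopback, link-local, etc."""
    return ip is not None and ip.is_global


def origin_ip(raw_headers):
    """Origin = 'from' address of the outermost trusted hop that is public.

    Walk newest to oldest; stop at the first hop not written by a trusted
    server, because every line below it is unverifiable.
    """
    for ip, by in received_chain(raw_headers):
        if by is None or not is_trusted(by):
            break
        if is_routable(ip):
            return str(ip)
    return None


def naive_origin_ip(raw_headers):
    """What a tool that blindly takes the bottom-most Received: line reports."""
    chain = received_chain(raw_headers)
    ip = chain[-1][0] if chain else None
    return str(ip) if ip else None


def sender_fields(raw_headers):
    """The address fields the post reads by eye."""
    msg = message_from_string(raw_headers)
    return {k: msg.get(k) for k in ("Return-Path", "X-SID-PRA", "From", "Reply-To")}


if __name__ == "__main__":
    print("Origin IP Address =", origin_ip(SAMPLE_HEADERS))
    print("Naive (bottom line) =", naive_origin_ip(SAMPLE_HEADERS))
    for k, v in sender_fields(SAMPLE_HEADERS).items():
        print(f"{k}: {v}")
```

On the constructed header the trusted walk returns 41.222.67.140 (the hop into mx-in.example.com; the internal 10.0.0.5 hop is skipped as non-routable), while the bottom-line approach returns 8.12.11.200. Replace TRUSTED_DOMAINS with your own provider's server names before using it on real headers, and feed the origin address to a whois lookup as the post describes.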
  2. Garreg Ddu (Administrator, Staff Member)

    Updated information

    With many thanks to Tywysoges Gwen and Ben for additional information, there is an update. The site at http://headertool.apelord.com/ has now been taken off-line, and we are using a new and very good resource at http://www.ip2location.com/emailtracer.aspx

    (Please note we no longer recommend use of a previously linked analysis site at iptrackeronline.com. Please use ip2location.com instead for all header analysis. This has very much better functionality and output compared to the now defunct http://headertool.apelord.com/ site and the iptrackeronline site.)

    Using the same example header, the results from http://headertool.apelord.com/ would have been:
    which is the same error as above. Removing the 8.12.11.200 false IP results in:
    A nice table appears below the analysis area, with all the details of the origin IP address, email and geographic data.
     
    Last edited: Mar 3, 2012