Trace a prank email to the source

Someone recently asked—and I’m leaving out the details—something close to, “Someone just sent a prank email message to our members regarding plans for a party thrown by our organization. Can you help me find out who is the owner of this email address: (name of organization) @aol.com?” How do you find them? Here’s the answer:

Of course the return address was the name of the head of the organization. The signature line contains “Mrs. Smith” complete with the correct organization’s web site and phone number. It is a wonder the prankster didn’t use the organization’s logo, too.

You already know that the return address is useless. The sender information on email messages can be spoofed—meaning you don’t know the real sender. Have you ever received an email message from yourself?

The prank e-mail message was sent as a carbon copy to exactly 590 email addresses. 57 of those addresses were duplicates. 31 of them use AOL—the same source of the prank email—but that really doesn’t mean much.

Using blind carbon copy (BCC) instead of carbon copy (CC) makes it more difficult for the prankster to learn the 590 email addresses.

So, none of this is useful? How do you track down the results? The answer is headers and log files. Every email message contains headers which usually contain useful information that can sometimes pinpoint the sender and the email program they were using to send the email. Your IT professional can show you how to view the headers.

This blog is dedicated to executives and owners, so it is okay if you skip the following technical information:

To find headers in Outlook 2010, open the email message. Now, click on the File tab, make sure Info is selected in the left-hand column. Then, in the right-hand column of the menu, at the very bottom, is the Properties choice.

Click on Properties and notice the box at the bottom called Internet Headers. You can read the info right there if you want to. I find the small box constraining and elect to click in the box, choose CTRL-A, CTRL-C, then open notepad, and use CTRL-V in Notepad. Now you can expand Notepad to have a better look.

The received: from lines need to be examined and placed in order. Use the time stamps and/or from and by text to get the right order. Now, you are able to see the source unless someone has changed the headers. If you want to learn even more about this process, there is a good write-up at
www.kuro5hin.org/story/2005/9/29/31457/0519.

In case the headers only lead you part of the way, perhaps to the perimeter of an organization, then often the log files (if they are being recorded) inside of an organization will allow identification of the culprit. Log files can be configured to store a great deal of information such as what data goes where in a network, what users are doing, and connections to the Internet.

Contact the last person on the list entity you found in the header and see if they can provide you with more information. Some entities have a privacy policy that won’t allow them to help you from there, while some organizations are more than happy to help you track down the culprit. The other organization will track the date/time and the chronologically first source information you provide them to hopefully find the actual source.

In the case of the organization in this article, the source was tracked down to a specific computer that is owned by the organization.

And just suppose you do catch the prankster. Have you thought of what you’ll do then?

Please post your comments on this blog.


3 Comments

  • Andrea June 21, 2012 at 1:36 pm - Reply

    Interesting read. As for the bottom question, if the person in question is an employee of the company, I would confront the person ans ask if they had knowledge of the email in question. Based on their answer (lie or truth) I would proceed with the punishment.

  • Kim November 26, 2013 at 12:00 pm - Reply

    Thank you for posting this Mike. I have used http://traceanemail.com/ before with success, and your outline above definitely gives me a new perspective on tracing.

    • Mike Foster November 27, 2013 at 12:40 pm - Reply

      Good work – and there will be more information in a new blog entry soon…

Leave a Reply

Your email address will not be published. Required fields are marked *