E-mail spammers are not incognito
Tricky senders can be tracked easily
Komando Nov. 12, 2002
So, you sent an evil e-mail to the CEO. You changed the "From:" line to a clever alias or used a Yahoo! or Hotmail account to be anonymous.
Even though you changed your e-mail address, your computer is still identifiable. Every computer on the Internet has an Internet protocol (IP) address, and it is recorded in the e-mail's header. Mail programs hide this information by default, so most people never see it. But it can be displayed, and it contains the route the e-mail took. That route includes the originator's IP number.
Let me give you a real-world example. In July, a well-meaning fan started blitzing radio stations with e-mails. He was asking that they carry my radio show. Stations were getting hundreds of e-mails, all signed with obviously phony names. They were not amused.
We got the header information from one of the victimized stations. With it, we were able to identify the fan's Internet service provider, which called the fan. The e-mails stopped.
People who sent viruses or spam (junk e-mail) have been tracked down through headers. And they were relatively sophisticated computer users.
It's all in the header
So let's take a look at headers. All e-mail programs have the ability to show this information. To do that:
In Microsoft Outlook, double click the e-mail. Then click View and Options.
In Outlook Express, click the e-mail. Then click File and Properties and select the Details tab.
For Eudora, double click the message. Then click the "Blah Blah" button.
In Netscape, click the message to open it. Then click View and Message Source to display the header.
The information shown looks like stuff that only an engineer could love. But the tracking information is relatively easy to decipher.
The key is the sections beginning with the word "Received:". There will be at least two. If the message goes through several computers, there could be four or five "Received:" sections. A little knowledge will bring an investigator right back to the e-mail originator.
Following is some hypothetical header information. The IP numbers here are made up; they aren't assigned to anyone. The rest is made up, too. This information is just illustrative.
Received: from mail.heavenonly.com (mail.heavenonly.com [123.312.54.12])
    by mail.bigcompany.com (8.8.5/8.7.2) with SMTP id EAA12345
    for joesmith@bigcompany.com; Tue, 9 Sep 2002 13:10:30 -0700 (MST)
Received: from joe.sunshine.com (joe.sunshine.com [188.8.131.52])
    by mail.heavenonly.com (8.8.5) id 123A56;
    Tue, 9 Sep 2002 13:07:17 -0700 (MST)
The "Received:" sections in headers read from bottom to top. So the bottom one is from you, the originator. You have disguised your address as joe.sunshine.com. That Received: section shows that the e-mail went to your ISP's mail server, mail.heavenonly.com.
The second (top) "Received:" section shows that Big Company's server received the e-mail from mail.heavenonly.com, and that it was addressed to joesmith@bigcompany.com. Joe, of course, is the CEO.
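To show how the bottom-to-top reading works in practice, here is an added example, written for this column rather than taken from it or from any mail vendor's software. It parses the "Received:" sections of a message in the common "from name (reverse-name [IP]) by server ... ; date" layout, which is an assumption about the header format, reverses them into delivery order, and reports the origin IP number and how long the message spent in transit. The sample message is constructed from the column's made-up header; as the column says, the hosts and IP numbers are fictitious, and the "From:" line is invented as well. One point the column makes implicitly is built in: the name after "from" is whatever the sending machine announced, while the name and IP in parentheses are what the receiving server observed, so the example flags any hop where the two disagree.

```python
"""Walk the Received: chain of an e-mail back to its origin.

Added example for this column, not code from any mail vendor. Assumes the
sendmail-style layout "from <claimed> (<reverse-dns> [<ip>]) by <server>
... ; <date>"; other layouts are parsed as far as the regex allows.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the column's two hypothetical Received: lines, folded
# the way a mail server writes them, plus a made-up From/To and a body.
SAMPLE_MESSAGE = """\
Received: from mail.heavenonly.com (mail.heavenonly.com [123.312.54.12])
\tby mail.bigcompany.com (8.8.5/8.7.2) with SMTP id EAA12345
\tfor joesmith@bigcompany.com; Tue, 9 Sep 2002 13:10:30 -0700 (MST)
Received: from joe.sunshine.com (joe.sunshine.com [188.8.131.52])
\tby mail.heavenonly.com (8.8.5) id 123A56;
\tTue, 9 Sep 2002 13:07:17 -0700 (MST)
From: "A. Nonymous" <nobody@sunshine.com>
To: joesmith@bigcompany.com
Subject: test

body
"""

# One Received: clause (the part before the final ';'):
#   from <claimed> (<rdns> [<ip>]) by <server> ... id <id> ... for <rcpt>
_RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bid\s+(?P<id>[^\s;]+))?"
    r"(?:.*?\bfor\s+(?P<for>[^\s;]+))?"
)


def parse_received(value):
    """Split one Received: header value into its fields.

    The name after 'from' is whatever the sending machine announced; the
    parenthesised name and bracketed IP are what the receiving server itself
    saw, so those are the fields an investigator relies on.
    """
    flat = re.sub(r"\s+", " ", value).strip()      # unfold continuation lines
    if ";" in flat:
        clause, _, date_part = flat.rpartition(";")
    else:
        clause, date_part = flat, ""
    m = _RECEIVED_RE.search(clause)
    if not m:
        raise ValueError(f"unrecognised Received: line: {flat!r}")
    hop = m.groupdict()
    # Drop a trailing comment such as "(MST)" before parsing the date.
    date_part = re.sub(r"\s*\([^)]*\)\s*$", "", date_part.strip())
    hop["date"] = parsedate_to_datetime(date_part) if date_part else None
    hop["claimed_matches_observed"] = (
        hop["rdns"] is not None and hop["claimed"].lower() == hop["rdns"].lower()
    )
    return hop


def trace(raw_message):
    """Return the hops in delivery order: originator first, final server last.

    Each server prepends its own Received: line, so the header lists the
    newest hop first; reversing it reads the chain from the bottom up, the
    way the column describes.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def origin(raw_message):
    """The earliest hop: the IP number the first mail server saw the message come from."""
    hops = trace(raw_message)
    return hops[0] if hops else None


def transit_seconds(raw_message):
    """Seconds between the first and last hop timestamps (None if undated)."""
    hops = trace(raw_message)
    if len(hops) < 2 or not hops[0]["date"] or not hops[-1]["date"]:
        return None
    return int((hops[-1]["date"] - hops[0]["date"]).total_seconds())


if __name__ == "__main__":
    for n, hop in enumerate(trace(SAMPLE_MESSAGE), 1):
        flag = "" if hop["claimed_matches_observed"] else "  <- announced name differs from what the server saw"
        print(f"hop {n}: {hop['ip']} ({hop['rdns']}) -> {hop['by']} at {hop['date']}{flag}")
    print(f"origin IP to ask the ISP about: {origin(SAMPLE_MESSAGE)['ip']}")
    print(f"transit time: {transit_seconds(SAMPLE_MESSAGE)} seconds")
```

Run it as a script to see the two hops printed in delivery order; the origin it reports is the bracketed IP from the bottom "Received:" section, which is the number the column says a subpoena to the ISP would resolve to a customer.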
Tracking an address
Even though you disguised your identifier in the bottom "Received:" section, you can still be identified. The IP number, 188.8.131.52, is tied to your computer. A subpoena could pry that information from the ISP, which won't go to court to protect your privacy.
There are a number of places on the Internet where IP numbers can be traced. I traced the numbers in the above example through InterNic (www.internic.net/whois.html).
In the hypothetical case above, the IP number would actually be assigned to the Internet service provider. The ISP uses it to identify the individual customer's computer based on the user name and password the customer provided when he or she logged on.
It is possible to hide that number with a technique called Internet address "spoofing," but most people don't know how or don't bother.
Kim Komando is a nationally syndicated talk radio host and author. Her radio show is from noon to 2 p.m. Saturdays on KFYI-AM (550).