Sometimes people send you information or hate mail from a fake address. This is easy to do: the sender simply changes the "Sender" and "Return-to" fields to something different. It works because these fields, i.e. your identity, are normally not checked by the mail server when you send mail, only when you receive mail. Every email has a so-called header. The header is the part that describes the route the email has taken. Since the header is rather ugly, the email programme normally hides it, but every email programme can display it (look in the "Options" or "Preferences" menu). The mail we use below is a typical, but not very sophisticated, example of faked email. Fortunately for us journalists, most people are not more sophisticated than this. You should however be aware that there are much more sophisticated ways to fake mail. A message sent to the newsgroup alt.security and archived on the web explains one possible way to deal with some of these cases.
But for now, back to the "easy cases":

Received: from SpoolDir by IFKW-2 (Mercury 1.31); 13 May 98 15:51:47 GMT +01
Return-path: <kuno@seltsam.com>
Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP; 13 May 98 15:51:44 GMT +01
Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60]) by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for <luege-ti@ifkw.uni-muenchen.de>; Wed, 13 May 1998 15:49:09 +0200 (MET DST)
X-Sender: o-pabjen@130.237.155.254
Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 13 May 1998 15:49:06 +0200
To: luege-ti@ifkw.uni-muenchen.de
From: Kuno Seltsam <kuno@seltsam.com>
Subject: Important Information
X-PMFLAGS: 34078848 0

Let's go through it line by line:

Date: Wed, 13 May 1998 15:49:06 +0200
To: luege-ti@ifkw.uni-muenchen.de
From: Kuno Seltsam <kuno@seltsam.com>
Subject: Important Information

These lines should look quite familiar. They describe who claims to have sent the mail, to whom it was sent and when.

X-PMFLAGS: 34078848 0

This is a number which your email programme (in this case Pegasus Mail) might add to the mail to keep track of it on your hard disk.

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

These lines state that the message contains normal, plain text without any "fancy" letters like umlauts etc.

Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>

This line contains a tracking number which the originating host has assigned to the message. The Message-Id is unique for each message and in this case contains the IP number of the originating host. If you for some reason doubt that the message really came from someone at "seltsam.com", you can now take this number and have it translated into something more meaningful. For this task you can for example use TJPing, a small programme that traces IP packets online and resolves IP numbers.
Using TJPing we found the real name of the originating computer:

Starting lookup on 130.237.155.60 - May 14, 1998 22:01:25
Official Name: L-Red-10.jmk.su.se
IP address: 130.237.155.60

This is the originating computer from which the message was sent, not the mail server. If the address is at a university, as in this case, this is not a great help, since many students use the same computers all day. The situation is very different within companies, though, since employees tend to have their own computers, which no one else uses. If the header doesn't show any further information, you might use this by calling the company's system administration and asking "Say, who's sitting at node 60?". Amazingly often you will get a reply. It is comparatively easy to find out which company you are dealing with: just cut off the first part of the Official Name (L-Red-10.), add www and type it into your browser. You will see that www.jmk.su.se is the journalism department of the University of Stockholm.

X-Sender: o-pabjen@130.237.155.254

This line is solid gold! It tells you who was logged on to the mail server when the message was sent. Not all email programmes add this line, though: Eudora does, whereas Pegasus Mail doesn't. So now we know that the user who sent us the mail is "o-pabjen". The IP number is that of the mail server used (checking with TJPing, we learn it's called bang.jmk.su.se). Now you could actually reply to the message by sending a mail to o-pabjen@130.237.155.254 or o-pabjen@bang.jmk.su.se. But maybe you want to know his real name. In this case you can try to "finger" the account. Finger is a command which reveals basic information about the account holder. Due to the increased attention to privacy online, more and more servers have disabled it. It is always worth a try, though. Using WSfinger we learn the following:

Login name: o-pabjen          In real life: Pabst Jens global

So now you have a name: Jens Pabst.
"Global" could be part of the name or some kind of code added by the system administration for internal purposes. If you manage to obtain the information we have so far, you don't actually have to look any further; you have what you want: "Kuno Seltsam <kuno@seltsam.com>" is really Jens Pabst <o-pabjen@bang.jmk.su.se>. But let's go through the rest of the header anyway:

Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60]) by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for <luege-ti@ifkw.uni-muenchen.de>; Wed, 13 May 1998 15:49:09 +0200 (MET DST)

These lines state which computer the mail server has received the message from, when, and that the message is supposed to be sent to luege-ti@ifkw.uni-muenchen.de.

Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP; 13 May 98 15:51:44 GMT +01

Similar to the last part of the header, this tells us from where the recipient's mail server (ifkw-2.ifkw.uni-muenchen.de) has received the message. We know that this must be the recipient's mail server, since it is the last server that receives anything.

Return-path: <kuno@seltsam.com>

The fake return path follows.

Received: from SpoolDir by IFKW-2 (Mercury 1.31); 13 May 98 15:51:47 GMT +01

And an internal message from the mail server about where and how it distributed the message within its system. We know that "SpoolDir" cannot be the recipient's mail server, since it lacks an Internet address (i.e. something like server.somewhere.de).

Did you ever trace someone successfully? Please tell us about it!
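As an added example (not part of the original page, and not a tool the page mentions), the following Python script does the header walk described above automatically. It parses a constructed copy of the header shown on this page, orders the Received lines from the originating computer to the recipient's server, pulls out the X-Sender and the host embedded in the Message-Id, and flags the mismatch between the domain the From line claims (seltsam.com) and the server that actually injected the mail (bang.jmk.su.se). The function names and the dictionary fields are my own choices; reverse_lookup mirrors what TJPing did but needs network access and is not used by the offline part.

```python
import re
import socket
from email import message_from_string
from email.utils import parseaddr

# Constructed copy of the header shown on this page (body omitted, lines unfolded).
RAW_HEADER = """\
Received: from SpoolDir by IFKW-2 (Mercury 1.31); 13 May 98 15:51:47 GMT +01
Return-path: <kuno@seltsam.com>
Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP; 13 May 98 15:51:44 GMT +01
Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60]) by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for <luege-ti@ifkw.uni-muenchen.de>; Wed, 13 May 1998 15:49:09 +0200 (MET DST)
X-Sender: o-pabjen@130.237.155.254
Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 13 May 1998 15:49:06 +0200
To: luege-ti@ifkw.uni-muenchen.de
From: Kuno Seltsam <kuno@seltsam.com>
Subject: Important Information
X-PMFLAGS: 34078848 0

"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_header(raw):
    """Parse raw header text into an email.message.Message (headers only)."""
    return message_from_string(raw)


def received_chain(msg):
    """Return the Received hops ordered from the origin to the final server.

    Every mail server prepends its own Received line, so the topmost line is
    the last hop and the bottom one is where the message entered the mail
    system. Only the lines added by servers you trust (your own) are reliable;
    anything below them could have been written by the sender.
    """
    hops = []
    for value in msg.get_all("Received", []):
        from_m = re.search(r"\bfrom\s+(\S+)", value)
        by_m = re.search(r"\bby\s+(\S+)", value)
        ip_m = IPV4_IN_BRACKETS.search(value)
        hops.append({
            "from": from_m.group(1).rstrip(";") if from_m else None,
            "by": by_m.group(1).rstrip(";") if by_m else None,
            "ip": ip_m.group(1) if ip_m else None,  # address of the "from" side
        })
    hops.reverse()  # header order is newest first; we want origin first
    return hops


def _in_domain(host, domain):
    """True if host is the domain itself or a host inside it."""
    host = host.lower().strip("[]")
    return host == domain or host.endswith("." + domain)


def spoof_indicators(msg):
    """Compare what the From line claims with what the route actually shows."""
    chain = received_chain(msg)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    injecting_host = chain[0]["by"] if chain else None  # first real mail server
    x_sender = msg.get("X-Sender")
    mid_m = re.search(r"@\[?([^\]>]+)\]?>", msg.get("Message-Id", ""))
    candidates = [h for h in (injecting_host,
                              x_sender.split("@")[-1] if x_sender else None) if h]
    # Suspicious when neither the injecting server nor the X-Sender host
    # belongs to the domain the From line claims.
    suspicious = bool(from_domain and candidates) and \
        not any(_in_domain(h, from_domain) for h in candidates)
    return {
        "from_domain": from_domain,
        "injecting_host": injecting_host,
        "origin_ip": chain[0]["ip"] if chain else None,
        "x_sender": x_sender,
        "message_id_host": mid_m.group(1) if mid_m else None,
        "suspicious": suspicious,
    }


def reverse_lookup(ip):
    """PTR lookup of an IP, like TJPing did on the page. Needs the network;
    returns None when no name is registered."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    message = parse_header(RAW_HEADER)
    for hop in received_chain(message):
        print(f"{hop['from']!s:32} -> {hop['by']}")
    for key, val in spoof_indicators(message).items():
        print(f"{key}: {val}")
```

Run it on the header above and the route reads [130.237.155.60] -> bang.jmk.su.se -> ifkw-2.ifkw.uni-muenchen.de -> IFKW-2, with suspicious set because seltsam.com appears nowhere in that route. On real mail, feed it the full raw header your mail programme displays; folded continuation lines are handled by the email module.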
© 1998 - 2005 USUS