E-mail Tracing Part Three

The Yahoo experience

In the previous two articles we discussed the e-mail headers and some of the things you need to look for in order to trace an e-mail efficiently and effectively. To make sure that we have all of our bases covered when it comes to an e-mail trace, here is a short review. There are nine basic areas of the e-mail header that you want to make sure you are paying attention to, or, if you're like me and you print them out, that you use your yellow highlighter on.

These areas are:

1. Received line
2. Date line
3. From line
4. To line
5. Subject line
6. Message ID line
7. X-Originating-IP line
8. Received from line
9. X-Mailer line

And of course let's not forget the formula I taught you about in our second article on tracing e-mail headers. That formula is: e-mail header plus message ID plus server logs equals location of the e-mail sender! Now that we've conducted the short review, let's get into today's article on tracing e-mails, which is the Yahoo experience.

Quite a number of people use Yahoo as their e-mail client because, first of all, it's free, and second of all they can appear to be whoever they want to be when they use this e-mail account. However, as cyber investigators we know that is not true. So in order to do an e-mail trace on Yahoo mail, let's first find out how we are able to get the headers from a Yahoo e-mail.

Okay, so now you or your client comes with a Yahoo e-mail that needs to be traced. The first thing you need to do is to log into the Yahoo mail account online. Now if this is your client, make sure they are the ones that log in, because no matter what, any e-mail account is considered private and privileged unless you have some sort of signed documentation allowing you to do this; in my own experience I always let that person sign into their own account.

The first thing you want to do is go ahead and sign in to the Yahoo account that holds the e-mail you want to look at. The next thing you want to do is click on the tab that says Inbox; once you have done that, locate the e-mail that you want to trace. Begin by clicking on the e-mail once so it is highlighted, and now you should see the e-mail in the lower half of the window on the webpage. Now looking at the bottom half of the window, I want you to look on the right-hand side of the e-mail; you should see a set of words that read Compact Header with a down arrow next to it. If you click on that down arrow you'll see another set of options: Compact Header, Standard Header, and Full Header. What we want to do is select Full Header so that we can see all of the e-mail headers for this e-mail. When you do select Full Header, a second window will pop up and will show you the full message headers from the e-mail you're looking at. These are the headers we want to look at when we trace an e-mail from Yahoo Mail. You will see that all of the e-mail headers are here and yet the message is not, which is perfect for our investigative needs because the message is secondary to the e-mail headers. Make sure that you print this out or save it so that you can look at it later, and then you can begin your e-mail tracing.

Now remember our secret formula: e-mail headers plus message ID plus server logs equals location of the e-mail sender. So when you begin to look at your Yahoo e-mail headers you want to look for the headers, which you now have; next you want to look for the message ID. Scan through all of the e-mail lines and you will see one, usually close to the subject of the e-mail, that says Message-ID, and it will give you a message ID made of numbers and letters and some additional information as well. The e-mail header I'm currently looking at, for which I have now found the message ID, gives me a series of numbers and a website name. So now I know that this e-mail has come from, in this example, PayPal. As I look through the e-mail I see the From line is service@PayPal.com. Well, let's see, we now have two items that point to PayPal, and remember what I said about the message ID in our previous article: the message ID is supposed to be unique on the Internet; there should be no two message IDs alike on the Internet, and if there are, they are fake. So now, just looking at the From line and the message ID in this e-mail, we can start to look at the e-mail as coming from PayPal. The very next thing we want to do after highlighting the message ID is go up to the Received line. The Received line will tell us where the e-mail originated from and where it went to. Now the Received line is a unique type of information; normally what you will find with the Received line is that it is backwards, meaning the very first "Received: from" server is actually the last hop the e-mail went through before it came into your inbox.

However, looking at this e-mail from a Yahoo account, it shows that the first server in the Received line is actually the originating server of this e-mail. Now this may not always be the case, but let's bear that in mind when looking at this: we want to evaluate every single server that is on the Received lines so we can trace it backwards and find out each and every server that this e-mail went through. Why do we need to do that? Well, remember our magic formula: e-mail headers plus message ID plus server logs equals the location of the e-mail sender. We need to know each and every server that this e-mail went through because each and every server will have a set of logs that we can request, which will help to identify the originating point of this e-mail. And in any legal case you want to be extremely thorough in your investigation, and this is the only way to do that.
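Here is an added example, not from the original article, that does the header half of the formula in code: it pulls the Message-ID, the From line, the X-Originating-IP and every Received line out of a constructed header set (every host name, IP address and ID below is made up) and lists the hops origin-first, which is the order you trace them in. It uses Python's standard `email` module; the `from <host> (<rDNS> [<IP>]) by <server>` pattern it matches is the common shape of a Received line, and a server that writes its line differently will need the regex adjusted.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample header set, shaped like Yahoo Mail's "Full Header" view.
# Every host name, IP address and ID here is made up for illustration.
RAW_HEADERS = """\
Received: from mta-out.example-mail.net (mta-out.example-mail.net [198.51.100.25])
  by mta7.mail.example.yahoo.com with SMTP; Tue, 11 Mar 2008 09:15:02 -0800
Received: from app01.internal.example-mail.net (app01.internal.example-mail.net [10.1.2.3])
  by mta-out.example-mail.net (Postfix) with ESMTP id 8F3A1C; Tue, 11 Mar 2008 09:14:59 -0800
Received: from [203.0.113.77] (unknown [203.0.113.77])
  by app01.internal.example-mail.net with ESMTP; Tue, 11 Mar 2008 09:14:58 -0800
Date: Tue, 11 Mar 2008 09:14:57 -0800
From: "Customer Service" <service@paypal.com>
To: victim@yahoo.com
Subject: Please confirm your account
Message-ID: <20080311171457.ABC123@example-mail.net>
X-Originating-IP: [203.0.113.77]
X-Mailer: ConstructedMailer 1.0

"""

HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"      # name the sending host announced itself as
    r"(?:\s+\((?P<seen>[^)]*)\))?"  # what the receiving server actually saw: rDNS [IP]
    r".*?\bby\s+(?P<by>\S+)",       # the server that wrote this Received line
    re.DOTALL,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hop(value):
    """Turn one Received: value into a dict, or None if it has no from/by pair."""
    value = re.sub(r"\s+", " ", value)  # unfold continuation lines
    m = HOP_RE.search(value)
    if not m:
        return None
    seen = m.group("seen") or ""
    # Prefer the IP the receiving server recorded over the name the sender claimed
    ip = IP_RE.search(seen) or IP_RE.search(m.group("claimed"))
    return {"claimed": m.group("claimed"), "ip": ip.group(1) if ip else None, "by": m.group("by")}


def domain_of(addr_or_id):
    """Domain part of an address or Message-ID, e.g. '<x@a.com>' -> 'a.com'."""
    return addr_or_id.strip("<> ").rpartition("@")[2].lower()


def parse_headers(raw):
    msg = email.message_from_string(raw)
    # Each server prepends its own Received line, so the top one is the LAST hop
    # (the one that delivered to the inbox). Reverse them to walk from the
    # origin toward the recipient, the order in which you trace them.
    hops = [h for h in (parse_hop(v) for v in msg.get_all("Received", [])) if h]
    hops.reverse()
    xoip = IP_RE.search(msg.get("X-Originating-IP", ""))
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    mid_domain = domain_of(msg.get("Message-ID", ""))
    return {
        "from_domain": from_domain,
        "message_id_domain": mid_domain,
        # the article's check: the From line and the Message-ID should point at the same place
        "from_and_message_id_agree": from_domain == mid_domain,
        "x_originating_ip": xoip.group(1) if xoip else None,
        "hops": hops,
        # every server that handled the mail, origin first: the operators whose logs you request
        "servers_to_request_logs_from": [h["by"] for h in hops],
    }


if __name__ == "__main__":
    for key, val in parse_headers(RAW_HEADERS).items():
        print(f"{key}: {val}")
```

Run it as a script to print the result. The `servers_to_request_logs_from` list is the set of operators whose logs complete the formula, and the `from_and_message_id_agree` flag is the two-items-point-to-the-same-place check from the text; in this constructed sample it comes out false, which is exactly the kind of disagreement that tells you the From line deserves a closer look rather than being taken at face value.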

Now that you've gotten that information from the Received line, you have the message ID, and you have the From line, what else can we learn in this Yahoo e-mail? Well, in this e-mail you'll find a line that says Authentication-Results. And here you will see the MTA, which stands for Mail Transfer Agent. The MTA is simply a server program that helps to transfer e-mail messages from one computer to another. So here we are talking about the actual programs that take the e-mail and ship it between each server in your Received lines. So now we've seen the MTA line that gives us information about what MTA sent the e-mail to us, and now we know the next direction to go with the e-mail trace.

Now the other thing you will see on this line as well is something called DomainKeys. DomainKeys is an e-mail authentication process that was designed to help verify the DNS information of an e-mail sender, so that you could actually try to filter out the spam. Basically here we're looking at another method that the Internet service providers use to authenticate e-mail. Basically, using DomainKeys provides you end-to-end integrity of the e-mail from a signing server to a verifying server. The very first Internet service provider to use the DomainKeys concept was of course Yahoo. Yahoo has been putting DomainKeys on all of their outgoing e-mails since I started using this back in 2004. So when you see DomainKeys on this, this is one way you can help to verify where the e-mail originated from.
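Here is a second added example (again not the author's code) for the Authentication-Results line discussed in the last two paragraphs: it splits out the MTA that did the checking (the first token on the line), the `from=` domain it checked, and each method's result such as `domainkeys=pass`, then turns that into a short verdict against the domain in the From line. The three sample lines are constructed in the shape of Yahoo's results line from that era; the verdict labels are my own categories, not anything Yahoo prints.

```python
import re

# Constructed samples in the style of Yahoo's old Authentication-Results line:
# "<mta that checked> from=<domain>; <method>=<result> (<comment>); ..."
# The host name and outcomes are made up for illustration.
SAMPLE_AUTH_RESULTS = [
    "mta123.mail.example.yahoo.com from=paypal.com; domainkeys=pass (ok); dkim=pass (ok)",
    "mta123.mail.example.yahoo.com from=paypal.com; domainkeys=fail (bad sig)",
    "mta123.mail.example.yahoo.com from=paypal.com; domainkeys=neutral (no sig)",
]

METHOD_RE = re.compile(r"(\w+)=(\w+)(?:\s*\((.*)\))?")


def parse_auth_results(value):
    """Split an Authentication-Results value into MTA, checked domain and method results."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    head = parts[0].split()
    info = {"mta": head[0], "from": None, "methods": {}}
    for tok in head[1:]:
        if tok.startswith("from="):  # the domain the verifying MTA actually checked
            info["from"] = tok[len("from="):].lower()
    for part in parts[1:]:
        m = METHOD_RE.match(part)
        if m:
            info["methods"][m.group(1).lower()] = {
                "result": m.group(2).lower(),
                "comment": m.group(3),
            }
    return info


def verdict(info, header_from_domain):
    """Classify what the signature result says about the From line's origin claim.

    supported  - signature verified and the signing domain is the From domain
    misaligned - signature verified, but for a different domain than the From line
    failed     - a signature was present and did not verify: treat the headers as untrusted
    unsigned   - no usable signature: no evidence either way, keep tracing the hops
    """
    dk = info["methods"].get("domainkeys") or info["methods"].get("dkim")
    if dk is None or dk["result"] in ("none", "neutral"):
        return "unsigned"
    if dk["result"] != "pass":
        return "failed"
    if info["from"] and info["from"] != header_from_domain.lower():
        return "misaligned"
    return "supported"


if __name__ == "__main__":
    for line in SAMPLE_AUTH_RESULTS:
        info = parse_auth_results(line)
        print(info["mta"], info["from"], info["methods"], "->", verdict(info, "paypal.com"))
```

The `mta` field is the Mail Transfer Agent the article tells you to note on this line; a `supported` verdict backs up what the From line and Message-ID already suggested, while `failed` or `misaligned` means the From line alone is not evidence of origin and the Received hops carry the weight of the trace.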

Now that we've looked at the headers from a Yahoo e-mail, we know a number of things we should look for in our e-mail headers for the next e-mail sitting in our Yahoo inbox. But that is a topic for another article on e-mail tracing. For now we want to close out this article, and we would like to invite you to check out the e-mail tracing seminar being held at http://www.pimall.com/pi-class/