tracing fakemails
Lorenz Glatz  
Newsgroups: comp.security.unix
From: gl...@ariel.pap.univie.ac.at (Lorenz Glatz)
Date: 22 Nov 1994 15:16:40 GMT
Local: Tues, Nov 22 1994 10:16 am
Subject: tracing fakemails
Is there ANY way to trace back fake emails? Are there for example
system files that record connections to SMTP, thus allowing to
trace who used fakemail originating from a certain machine?
Is there a way to find out which machine was used to send
the fakemail? etc.....

Thanks for any help!

Lorenz Glatz                                        \\///  
gl...@ariel.pap.univie.ac.at                        (o o)    
-------------------------------------------------ooO-(_)-Ooo-----------


 
jestin  
Newsgroups: comp.security.unix
From: jes...@apollo6.eis.enac.dgac.fr (jestin)
Date: 23 Nov 1994 15:35:13 GMT
Local: Wed, Nov 23 1994 10:35 am
Subject: Re: tracing fakemails

In article <3at20o$...@infosrv.edvz.univie.ac.at> gl...@ariel.pap.univie.ac.at (Lorenz Glatz) writes:
> Is there ANY way to trace back fake emails? Are there for example
> system files that record connections to SMTP, thus allowing to
> trace who used fakemail originating from a certain machine?

I think that your "normal" mail agent (elm, mail, mailx) connects to
SMTP. If you want to fake a mail, it's a raw connection on the SMTP port
number that you'd have to trace. It's hard to tell the difference!

> Is there a way to find out which machine was used to send
> the fakemail? etc.....

When I receive a faked mail,
        - I save it
        - I watch out for the original machine that has posted the mail
          (it appears in the header)
        - eventually, I compare the sender name with the result of a "last"
          command grepped with the name if it is a local mail (which is often
          the case in this matter ...).

Perhaps a script would prove useful to automate such a sequential process.

        hope this helps.

--

 __________________________              `o O'
/\  jes...@eis.enac.dgac.fr\__________ooO__U__Ooo_________
\ \   Ader239, ENAC, 7 av E.Belin, 31055 TOULOUSE (FRANCE)\
 \ \  you can find me at #62175852 ... if you're lucky     \
  \ \_______________________________________________________\
   \/_______________________________________________________/


 
Holveck  
Newsgroups: comp.security.unix
From: jo...@pollock.math.swt.edu (Holveck)
Date: 23 Nov 1994 19:54:18 GMT
Local: Wed, Nov 23 1994 2:54 pm
Subject: Re: tracing fakemails
My Aunt MAUREEN was a military advisor to IKE & TINA TURNER!!

>>>>> "glatz" == Lorenz Glatz <gl...@ariel.pap.univie.ac.at> writes:

    > Is there ANY way to trace back fake emails? Are there for
    > example system files that record connections to SMTP, thus
    > allowing to trace who used fakemail originating from a certain
    > machine?  Is there a way to find out which machine was used to
    > send the fakemail? etc.....

Careful inspection of the headers usually does the trick pretty well.
Especially the `Path:' header or the `Received-By:' headers.

EG: Death threat fakemailed to presid...@whitehouse.gov; you can
imagine about how that went after they caught the guy.
--
------------------------------------------------------------------------
         Joel Ray Holveck, jo...@pollock.math.swt.edu, KC5ACN
GCS -d+(?)(--) p--- c++(++++) l+@ u++ e+@ m++(*) s--/- n--- h--(+)(*)
                                   f+(?) !g w++(-@) t+++(+) r++ y+(*)
The fourth law of computing:
  Anything that can go wr
.signature: Segmentation violation -- core dumped


 
Robert Haas  
Newsgroups: comp.security.unix
From: rh...@cygnus.arc.nasa.gov (Robert Haas)
Date: 24 Nov 1994 00:25:37 GMT
Local: Wed, Nov 23 1994 7:25 pm
Subject: Re: tracing fakemails
In article <3at20o$...@infosrv.edvz.univie.ac.at> gl...@ariel.pap.univie.ac.at (Lorenz Glatz) writes:
>Is there ANY way to trace back fake emails? Are there for example
>system files that record connections to SMTP, thus allowing to

On some systems, if your logging level on the "mail" facility is high
enough, all connections will get two or three lines of log messages.
Check your /etc/syslog.conf setup.

>trace who used fakemail originating from a certain machine?
>Is there a way to find out which machine was used to send
>the fakemail? etc.....

Look at the fakemailed message with "more". Often mail programs strip out
some of the header lines. Sometimes the source machine is buried in one
of the "Received" lines someplace. Sometimes, if ident is running on the
originating machine, you'll even get the username.

...Robert
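
Added example, not written by any poster in this thread: a script of the kind jestin suggests, walking the "Received" lines that Robert Haas describes and listing the hops oldest first, with the ident username when one was recorded. It assumes sendmail-style lines of the form `from HELO (ident@host [ip]) by host`; the sample message and all host names in it are constructed.

```python
import re
from email import message_from_string

# Constructed sample (reserved example domains, documentation IP range).
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net with SMTP id AA123; Wed, 23 Nov 1994 10:02:11 GMT
Received: from bigboss.example.com (joe@ws7.example.org [192.0.2.77])
\tby mx.example.org with SMTP id AA045; Wed, 23 Nov 1994 10:02:05 GMT
From: boss@bigboss.example.com
To: admin@example.net
Subject: constructed test message

body
"""

# Assumed layout: from HELO-NAME (ident-user@resolved-name [peer-ip]) by RECEIVER
HOP = re.compile(
    r"from\s+(?P<helo>\S+)"                  # name the client claimed in HELO
    r"(?:\s+\((?:(?P<ident>[^@\s()]+)@)?"    # optional ident username
    r"(?P<rdns>[^\s\[\]()]+)?\s*"            # name the receiver resolved
    r"(?:\[(?P<ip>[0-9.]+)\])?\))?"          # peer IP address
    r"\s+by\s+(?P<by>\S+)")                  # host that wrote this line

def received_chain(raw):
    """Parse every Received line; return hops oldest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))   # unfold continuation lines
        hops.append(m.groupdict() if m else {"raw": value})
    hops.reverse()   # each relay prepends its line, so the last is the oldest
    return hops

def helo_mismatch(hop):
    """True when the claimed HELO name differs from the resolved name."""
    return bool(hop.get("rdns")) and hop["helo"].lower() != hop["rdns"].lower()

if __name__ == "__main__":
    for n, hop in enumerate(received_chain(SAMPLE), 1):
        if "raw" in hop:
            print(n, "unparsed:", hop["raw"])
            continue
        note = "  <-- HELO differs from resolved name" if helo_mismatch(hop) else ""
        print(f"{n}. {hop['helo']} [{hop['ip']}] ident={hop['ident']} -> {hop['by']}{note}")
```

Only the Received lines written by relays you trust are reliable; anything below the first such line was supplied by the sending side and may itself be forged, as may the ident username.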


 
Harvey Shapiro  
Newsgroups: comp.security.unix
From: shap...@solano.community.net (Harvey Shapiro)
Date: 26 Nov 1994 22:11:54 -0800
Local: Sun, Nov 27 1994 1:11 am
Subject: Re: tracing fakemails
Lorenz Glatz (gl...@ariel.pap.univie.ac.at) wrote:

: Is there ANY way to trace back fake emails? Are there for example
: system files that record connections to SMTP, thus allowing to
: trace who used fakemail originating from a certain machine?
: Is there a way to find out which machine was used to send
: the fakemail? etc.....

Can it be done? Yes... Is it feasible? Unless the administrator from the
SMTP site is a close friend of yours, No...
You'd have to go back to the SMTP site (easy enough since that's the address
on the mail...), and get the port 25 telnet log, it'd be in a buffer, and
it's not likely it's archived, so by the time you figure out that you're
actually going to take care of the problem and investigate, the
evidence is already deleted...  This is why people use fake mail in the
first place, it's difficult, and a pain in the ass to trace...
But no, it's not impossible...

: Thanks for any help!

: Lorenz Glatz                                        \\///  
: gl...@ariel.pap.univie.ac.at                        (o o)    
: -------------------------------------------------ooO-(_)-Ooo-----------

--


 