Thanks for any help!
Lorenz Glatz \\///
gl...@ariel.pap.univie.ac.at (o o)
-------------------------------------------------ooO-(_)-Ooo-----------
> Is there ANY way to trace back fake emails? Are there for example
> system files that record connections to SMTP, thus allowing to
> trace who used fakemail originating from a certain machine?
I think that your "normal" mail agent (elm, mail, mailx) connects to
SMTP. If you want to fake a mail, it's a raw connection on the SMTP port
number that you'd have to trace. It's hard to tell the difference!
> Is there a way to find out which machine was used to send
> the fakemail? etc.....
When I receive a faked mail,
- I save it
- I watch out for the original machine that has posted the mail
(it appears in the header)
- eventually, I compare the sender name with the result of a "last"
command grepped with the name if it is a local mail (which is often the
case in this matter ...).
Perhaps a script would prove useful to automate such a sequential process.
Hope this helps.
--
__________________________ `o O'
/\ jes...@eis.enac.dgac.fr\__________ooO__U__Ooo_________
\ \ Ader239, ENAC, 7 av E.Belin, 31055 TOULOUSE (FRANCE)\
\ \ you can find me at #62175852 ... if you're lucky \
\ \_______________________________________________________\
\/_______________________________________________________/
>>>>> "glatz" == Lorenz Glatz <gl...@ariel.pap.univie.ac.at> writes:
> Is there ANY way to trace back fake emails? Are there for
> example system files that record connections to SMTP, thus
> allowing to trace who used fakemail originating from a certain
> machine? Is there a way to find out which machine was used to
> send the fakemail? etc.....
Careful inspection of the headers usually does the trick pretty well.
Especially the `Path:' header or the `Received-By:' headers.
EG: Death threat fakemailed to pres...@whitehouse.gov; you can
imagine about how that went after they caught the guy.
--
------------------------------------------------------------------------
Joel Ray Holveck, jo...@pollock.math.swt.edu, KC5ACN
GCS -d+(?)(--) p--- c++(++++) l+@ u++ e+@ m++(*) s--/- n--- h--(+)(*)
f+(?) !g w++(-@) t+++(+) r++ y+(*)
The fourth law of computing:
Anything that can go wr
.signature: Segmentation violation -- core dumped
>trace who used fakemail originating from a certain machine?
>Is there a way to find out which machine was used to send
>the fakemail? etc.....
Look at the fakemailed message with "more". Often mail programs strip out
some of the header lines. Sometimes the source machine is buried in one
of the "Received" lines someplace. Sometimes, if ident is running on the
originating machine, you'll even get the username.
...Robert
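As an added illustration of the "Received" walk described above (this is not code from anyone in the thread), the script below parses the Received: chain of a constructed sendmail-style message, reads each hop from the bottom (earliest relay) up, and pulls out the claimed HELO name, the real host and address the relay actually saw, the ident user if identd answered, and the relay that wrote the line. Hostnames, addresses and user names in the sample are made up.

```python
import re
from email import message_from_string

# Constructed sample; the bottom-most Received: line was written by the first
# relay and is the one closest to the sender. The HELO name "whitehouse.gov"
# is what the sender claimed; the bracketed part is what the relay observed.
SAMPLE = """Received: from relay.example.edu (relay.example.edu [192.0.2.10])
\tby mail.example.org (8.6.9/8.6.9) with ESMTP id AA12345
\tfor <victim@example.org>; Mon, 6 Feb 1995 10:02:11 +0100
Received: from whitehouse.gov (jdoe@lab17.example.edu [192.0.2.77])
\tby relay.example.edu (8.6.9/8.6.9) with SMTP id AA00321;
\tMon, 6 Feb 1995 10:01:58 +0100
From: pres@whitehouse.gov
To: victim@example.org
Subject: hello

body
"""

HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")

def parse_received(raw):
    """Return hops origin-first: each hop is what one relay recorded."""
    msg = message_from_string(raw)
    hops = []
    # Relays prepend their Received: line, so the last header is the earliest hop.
    # Only lines written by relays you trust are reliable; a sender can forge
    # lines below the point where the mail entered a trusted relay.
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())          # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        paren = m.group("paren") or ""
        ident_user = real_host = ip = None
        # sendmail writes "identuser@realhost [ip]" when identd on the origin answered
        im = re.match(r"([^@\s]+)@(\S+)\s*\[([^\]]+)\]", paren)
        rm = re.match(r"(\S+)\s*\[([^\]]+)\]", paren)
        if im:
            ident_user, real_host, ip = im.groups()
        elif rm:
            real_host, ip = rm.groups()
        hops.append({"claimed": m.group("claimed"), "real_host": real_host,
                     "ip": ip, "ident_user": ident_user, "by": m.group("by")})
    return hops

def spoofed_hops(hops):
    """Hops whose claimed HELO name differs from the host the relay actually saw."""
    return [h for h in hops if h["real_host"] and h["claimed"] != h["real_host"]]
```

The first hop returned is the one to compare against the "last" output on the origin machine, as the earlier reply suggests.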
Can it be done? Yes... Is it feasible? Unless the administrator of the
SMTP site is a close friend of yours, No...
You'd have to go back to the SMTP site (easy enough since that's the address
on the mail...), and get the port 25 telnet log, it'd be in a buffer, and
it's not likely it's archived, so by the time you figure out that you're
actually going to take care of the problem and investigate, the
evidence is already deleted... This is why people use fake mail in the
first place, it's difficult, and a pain in the ass to trace...
But no, it's not impossible...