E-Mail forensics


Francis Kaitano;CISSP

Jul 11, 2007, 6:42:50 AM7/11/07
to Whiteha...@googlegroups.com
Hi

I want to trace the origination of an email that was sent to XX Ltd staff a week ago using a Yahoo account. Management is suspecting that the email could have been sent by one of the internal people.

We need to trace through to find the originating point of the email.
Which procedures or tools can I use?

Jaco Kroon

Jul 11, 2007, 6:49:16 AM7/11/07
to Whiteha...@googlegroups.com

Check the headers. If it was genuinely sent via Yahoo the IP address of
the connecting browser will be in there; also, if it was sent via SMTP
all the way, the originating IP will also be there.

Then run a whois on that IP address, find the ISP and ask them who was
connected to that IP address at the time specified in the headers, and
inform them that it's a case of abuse. They may require you to actually
file a complaint or get a subpoena or something (I personally don't give
out that kind of information unless I'm pretty sure that it's legit).

Once you have that information you're set. If it's a company, you
better hope that they are not letting their mail clients go out
directly, or in the case of browsers keep proxy logs (most small
companies don't).

Good luck.

Jaco
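As an added illustration of the header check described above (example code, not from the original thread): the script below parses the Received chain of a message in chronological order and picks out the candidate originating IP and the timestamp you would quote to the ISP. The header set, host names, IPs and dates are constructed for the example; only Received lines added by servers you control should be trusted, since anything below them can be forged by the sender.

```python
import re
from email import message_from_string

# Constructed sample, Yahoo-webmail style: hosts, IPs and dates are made up.
SAMPLE_MESSAGE = """\
Received: from web12345.mail.example.net (web12345.mail.example.net [203.0.113.45])
\tby mx.xx-ltd.example (Postfix) with ESMTP id ABC123
\tfor <staff@xx-ltd.example>; Wed, 04 Jul 2007 10:15:02 +0200
Received: (qmail 54321 invoked by uid 60001); 4 Jul 2007 08:15:01 -0000
Received: from [198.51.100.23] by web12345.mail.example.net via HTTP;
\tWed, 04 Jul 2007 01:15:01 PDT
X-Originating-IP: [198.51.100.23]
From: someone@example.net
To: staff@xx-ltd.example
Subject: test

body
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """Return Received hops earliest-first as dicts with ips, date and text.
    Each MTA prepends its own Received line, so the last one in the
    message is the first hop the mail took; the date is the text after the
    final ';' of the header, which is where the timestamp lives."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())  # unfold continuation lines
        date = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({"ips": IP_RE.findall(text), "date": date, "text": text})
    return hops


def originating_ip(raw):
    """Best guess at the sender's IP: X-Originating-IP when the webmail
    provider set it, otherwise the first IP in the earliest Received hop.
    Returns None when no hop carries an address."""
    msg = message_from_string(raw)
    xoip = msg.get("X-Originating-IP")
    if xoip and IP_RE.search(xoip):
        return IP_RE.search(xoip).group(1)
    for hop in received_hops(raw):
        if hop["ips"]:
            return hop["ips"][0]
    return None
```

Feed the resulting IP to `whois` and pair it with the date of the earliest hop when contacting the ISP.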

Praveenkumar

Jul 11, 2007, 9:06:40 AM7/11/07
to WhitehatAfrica
Hi Francis,

You can follow the procedure given at the following link,

http://groups.google.com/group/securitytaskforce/browse_thread/thread/588b1dd8645c5ff0

Hope it will help you out in tracing the origin of the email....

Cheers,
Praveenkumar

On Jul 11, 6:42 pm, "Francis Kaitano;CISSP" <fkait...@gmail.com>
wrote:
