IST 454: Computer and Cyber Forensics

Lab 8 - E-mail Tracing

Introduction

Email spamming, email spoofing, fake e-mails, phishing, and “identity theft” have increased significantly and are growing at a very fast rate. Over the past year, nearly everyone with an email address received phishing or fake emails daily. According to Gartner [1], the number of victims who lost money due to phishing scams in 2008 was over 5 million US consumers, a 39.8 percent increase over the number of victims a year earlier. The average loss was approximately $351 per consumer affected. Statistics from the security company M86 show that 1-2% of all mail is phishing related. M86 also maintains a nifty phishing statistics blog that shows which businesses are most often targeted, along with a breakdown of where much of the phishing mail originates. You can find this information on M86’s site [2].



Another useful site is Phishtank.com [3]. It lets users report phishing attacks and also receives automated phishing site reports via OpenDNS. As an example of how huge this problem is, the total number of active phishing scams at the time of this writing is 2,508, and the number of inactive scams is currently over 526,000.





Objectives

Tracing e-mail is the first step in detecting and combating e-mail related crime. The purposes of this hands-on exercise are:

(1) Understand e-mail related crime and its incidence.
(2) Investigate e-mail crimes and violations.
(3) Identify fake e-mails.
(4) Trace e-mail sources.
(5) Prevent phishing attacks.





Scenario

Eric woke up to the sun streaming in through his windows. It was a weekend and the sun put him in a good mood. Suddenly remembering that he was supposed to receive an important email, he rushed to his computer. As he waited for it to boot, he started to sing, but suddenly he stopped and muttered, “What the heck! Why do I have so much junk mail? eBay, PayPal, LaSalle… I don’t even have an account with them!” The fake emails ruined Eric’s day.



Your good friend, Eric, has asked you to help him trace all these suspect e-mails. Eric would like to know:

- Are they really junk mail?
- Who sent the e-mails?
- Where are they from?
- Who is the ISP (Internet service provider)?
- (Are all these from the same person and/or source?)





Configuration

You need to connect to the Internet to trace the e-mails; therefore, you have to use a regular machine, not a virtual machine, on campus or at home.

Warning: Please do not visit the phishing web links in the e-mails. Please do not provide any information to their web sites either.





The Investigation Process

The common process in tracing e-mails contains the following major steps:

1. Locate the header information in your e-mail software.
2. Examine the header information.
3. Determine the IP address of the sender.
4. Identify the ISP that hosts the suspect IP address (whois, nslookup).
5. Collect other supplementary information, such as the “Windows” computer name, time zone information, the X-Mailer software used, the X-Originating-IP header, etc. (traceroute).
6. Examine and verify the fake links, i.e. the phishing web links (nslookup).
7. Report the e-mail abuse.

Please select two different types of spam e-mail for investigation. Please read the references [4–7] for detailed tracing procedures and the tools/utilities that can be used for the investigation.





Task 1: Identify and Copy Target Emails

Explore and discuss why these are phishing e-mails. Copy and save these e-mails as part of the report. Explain how you copied them using your e-mail client program (clearly indicate which program you used).





Task 2: Obtain Header Information

Please document the location and the process of obtaining the header information and include them in the report. Provide screenshots if needed.





Task 3: Analyze Header Information

Analyze the header information to find the following [4, 7]:

- The sender’s IP address
- The domain name (DNS) of the sender
- Windows computer name (if available)
- Time zone information (if available)
- Mailer software used (if available)
- Fake information included in the e-mails
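The header facts listed above (and steps 2-5 of the investigation process) can be pulled out mechanically once the raw message is saved to a file. The following Python script is an added example written for this lab; it is not part of the original handout and uses only the standard library. The message it parses is constructed for illustration (documentation IP ranges 192.0.2.x / 203.0.113.x, made-up domains, a made-up X-Mailer string); the field names in the returned dictionary are this example's own. It walks the Received chain bottom-up, skips private LAN addresses to estimate the sender's public IP, and flags two common spoofing tells: a From: domain that differs from the Return-Path: domain, and links whose host is a bare IP address.

```python
"""Pull the Task 3 facts out of a raw e-mail's headers (standard library only)."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample, not a real phishing e-mail: documentation addresses
# (192.0.2.x, 203.0.113.x) and made-up domains throughout.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.campus.example.edu (mx.campus.example.edu [192.0.2.10])
\tby inbox.campus.example.edu with ESMTP id abc123
\tfor <eric@campus.example.edu>; Sat, 3 Dec 2011 09:15:02 -0500
Received: from mailer.example.net (unknown [203.0.113.45])
\tby mx.campus.example.edu with SMTP id def456; Sat, 3 Dec 2011 09:14:58 -0500
Received: from ERIC-PC (10.0.0.7)
\tby mailer.example.net with SMTP; Sat, 3 Dec 2011 22:14:50 +0800
X-Originating-IP: [203.0.113.45]
X-Mailer: BulkSender 1.0
Date: Sat, 3 Dec 2011 22:14:50 +0800
From: "Account Security" <security@bank-login.example>
To: eric@campus.example.edu
Subject: Account verification required

Please confirm your account at http://203.0.113.99/login
"""

HELO_RE = re.compile(r"^from\s+(?P<helo>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
BRACKETED_IP_RE = re.compile(r"[\[(](?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\])]")
# Addresses that can only be the sender's own LAN or host, never the public source.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_hops(msg):
    """Each relay prepends its own Received header, so reversing the list gives
    transit order: hops[0] is the first relay that handled the message."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())            # unfold continuation lines
        helo = HELO_RE.match(text)
        ip = BRACKETED_IP_RE.search(text)
        hops.append({"helo": helo.group("helo") if helo else None,
                     "ip": ip.group("ip") if ip else None})
    return hops


def utc_offset(date_header):
    """Zone of the Date header as +HH:MM: the sender's clock, not the recipient's."""
    secs = int(parsedate_to_datetime(str(date_header)).utcoffset().total_seconds())
    sign = "+" if secs >= 0 else "-"
    secs = abs(secs)
    return f"{sign}{secs // 3600:02d}:{(secs % 3600) // 60:02d}"


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    hops = parse_hops(msg)
    # The first hop with a non-LAN address is the best estimate of the sender's public IP.
    origin = next((h for h in hops if h["ip"] and not is_lan(h["ip"])), None)
    # A dot-less HELO name on the very first hop is usually a workstation name.
    first_helo = hops[0]["helo"] if hops else None
    from_domain = domain_of(parseaddr(str(msg.get("From", "")))[1])
    return_domain = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    body = msg.get_content() if not msg.is_multipart() else ""
    links = re.findall(r"""https?://[^\s<>"']+""", body)
    return {
        "hops": hops,
        "sender_ip": origin["ip"] if origin else None,
        "sender_dns": origin["helo"] if origin else None,
        "x_originating_ip": str(msg.get("X-Originating-IP", "")).strip("[] "),
        "computer_name": first_helo if first_helo and "." not in first_helo else None,
        "timezone": utc_offset(msg["Date"]) if msg["Date"] else None,
        "mailer": str(msg.get("X-Mailer", "")) or None,
        "from_domain": from_domain,
        "return_path_domain": return_domain,
        # From: and Return-Path: in different domains is a classic spoofing tell.
        "domain_mismatch": from_domain != return_domain,
        # Links whose host is a raw IP instead of the brand's domain.
        "ip_literal_links": [u for u in links if IPV4_RE.fullmatch(urlparse(u).hostname or "")],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_RAW).items():
        print(f"{key:18}: {value}")
```

To use it on a real case, replace SAMPLE_RAW with the full source of the suspect message as saved from your e-mail client (Task 2). Note that only the Received header added by your own provider's servers can be trusted; everything below it, including X-Originating-IP and X-Mailer, was written by machines under the sender's control and should be treated as claims to verify (Task 4), not facts.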





Task 4: Trace the E-mails

- Explain and verify whether the DNS name is consistent with the IP address (using an appropriate tool such as whois or Sam Spade).
- Trace the route to find the service providers [8] using an appropriate tool (e.g., traceroute).
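The first bullet above is a forward-confirmed reverse DNS check: the PTR record for the IP should name a host, and that host's A record should lead back to the same IP; only then is the name the sender claimed in the Received header worth comparing against it. Here is an added Python example of that check (written for this lab, not taken from the handout or from Sam Spade). The resolver functions are parameters so the logic can be exercised offline; the defaults are the standard library's socket.gethostbyaddr and socket.gethostbyname_ex, and the FAKE_PTR / FAKE_A tables are constructed data using documentation IP ranges and made-up host names.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a Received-header hop."""
import socket


def _labels(name):
    return name.rstrip(".").lower().split(".")


def same_domain(a, b):
    """True when two host names share their last two labels (e.g. both under bulkhost.example)."""
    return _labels(a)[-2:] == _labels(b)[-2:]


def check_consistency(ip, claimed_name,
                      reverse=socket.gethostbyaddr,
                      forward=socket.gethostbyname_ex):
    """Compare the IP a relay recorded against the name the sender claimed.

    reverse(ip)   -> (ptr_name, aliases, [ip])  like socket.gethostbyaddr
    forward(name) -> (name, aliases, [ips])     like socket.gethostbyname_ex
    Both are parameters so the check can run offline against fake resolvers.
    """
    result = {"ip": ip, "claimed_name": claimed_name, "ptr_name": None,
              "forward_ips": [], "forward_confirmed": False,
              "name_matches_claim": False, "verdict": "unverifiable"}
    try:
        result["ptr_name"] = reverse(ip)[0].rstrip(".").lower()
    except OSError:
        return result                       # no PTR record at all
    try:
        result["forward_ips"] = list(forward(result["ptr_name"])[2])
    except OSError:
        return result                       # PTR points at a name that does not resolve
    # FCrDNS: the PTR name must resolve back to the same address; otherwise whoever
    # controls the reverse zone could label the address with any name they like.
    result["forward_confirmed"] = ip in result["forward_ips"]
    result["name_matches_claim"] = same_domain(result["ptr_name"], claimed_name)
    if result["forward_confirmed"] and result["name_matches_claim"]:
        result["verdict"] = "consistent"
    elif result["forward_confirmed"]:
        result["verdict"] = "helo-mismatch"   # real host, but not the one it said it was
    return result


# --- Constructed fake resolver data (documentation addresses, made-up names) ---
FAKE_PTR = {"203.0.113.45": "mail-45.bulkhost.example",
            "198.51.100.7": "static-7.isp.example"}
FAKE_A = {"mail-45.bulkhost.example": ["203.0.113.45"],
          "static-7.isp.example": ["198.51.100.8"]}   # deliberately does not round-trip


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return (FAKE_PTR[ip], [], [ip])


def fake_forward(name):
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return (name, [], FAKE_A[name])


if __name__ == "__main__":
    for ip, helo in [("203.0.113.45", "mailer.example.net"),
                     ("203.0.113.45", "mail-45.bulkhost.example"),
                     ("198.51.100.7", "static-7.isp.example"),
                     ("192.0.2.99", "nowhere.example")]:
        r = check_consistency(ip, helo, fake_reverse, fake_forward)
        print(f"{ip:15} claimed {helo:28} -> {r['verdict']}")
```

Calling check_consistency(ip, helo) without the two fake arguments runs the real lookups, which is what you would do against the sender IP found in Task 3; an "unverifiable" verdict is itself a finding worth reporting, since legitimate mail servers almost always have matching forward and reverse records.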





Task 5: Report E-mail Abuse

- Write (and send) a sample statement to report the abuse [7].
- Share your results.





Task 6: Email Spoofing

- Explore and discuss the process of spoofing e-mail.
- Which types of information can be spoofed?
- Is it legal to hide/alter sender information?

Note: There are many references and tools available on the Internet. There are also several videos available on YouTube.





Team Report:

Clearly state your results of this project. You are expected to hand in a report in the following format:

- A cover page (including project title) with team name and team members
- A table of contents with page numbers
- Use double-spaced type for convenient grading
- Number pages. Font size 12, single column
- Save the Microsoft Word document with the team name in the title. Upload the document into the appropriate ANGEL dropbox.



Please write a report to document your investigation. The report should have the following sections. Each section should cover all the topics described below.

Section I: Answer the Questions - Provide answers to the analysis questions (refer to other Internet resources if needed). Use the following questions to aid your investigation and report writing.

1. What e-mail client did you use, and where can you find the “header” information?
2. How do you analyze the e-mail header? What kind of information is contained in the e-mail header?
3. What tools did you use to trace the e-mail originator? What did you find (please report details: IP, whois, where, when, etc.)?
4. What are the major motivations for phishers?
5. Can phishing be prevented? Please discuss!
6. What is email spoofing? Is it legal or illegal to spoof e-mail? Please discuss!

Section II: Make sure that you attach the headers and e-mails (in html or doc format) in your report as an Appendix.





Grading Rubric

This project has a number of specific requirements. The requirement for each section is documented in the above project instruction “Report.” Whether you receive credit depends on the following situations:

- You will get full credit on one item if it is correctly reported as required and well written.
- You will get half credit on one item if it is reported as required but there is something definitely wrong.
- You will not get any credit for one item if it is not reported.

Credit for each section is as follows.

- Section I: Answer the 6 Analysis Questions (60%): questions are worth 10% each.
- Section II: Appendix (40%)



Note

Be sure to include your name and email address in the report. The report should be turned in before class on the specified due date. Late submissions will receive a grade deduction, especially if permission has not been obtained from the instructor. The instructor reserves the right to grant or reject extra time for report completion.





References

[1] Gartner Newsroom, “Gartner Says Number of Phishing Attacks on U.S. Consumers Increased 40 Percent in 2008,” April 14, 2009. http://www.gartner.com/it/page.jsp?id=936913
[2] M86 Security Labs, “Spam Statistics.” http://www.m86security.com/labs/spam_statistics.asp
[3] OpenDNS, “PhishTank.” http://www.phishtank.com/
[4] Deb Shinder, “Understanding E-mail Spoofing.” http://www.windowsecurity.com/articles/Email-Spoofing.html
[5] Email Broadcast FAQ, “FAQ: Email Spoofing & Phishing.” http://www.mailsbroadcast.com/email.broadcast.faq/46.email.spoofing.htm
[6] USUS, “Tracing E-mail.” http://www.usus.org/elements/tracing.htm
[7] Visualware, “Trace email -- who sent you that email and where are they located?” http://www.visualware.com/internetsecurity/resources/tutorials/email.html
[8] Wikipedia, “Traceroute.” http://en.wikipedia.org/wiki/Traceroute
[9] Wikipedia, “E-mail Spoofing.” http://en.wikipedia.org/wiki/Email_spoofing





Tools/Utilities

- nslookup (under the Windows command prompt), to find the IP address for a DNS name.
- Sam Spade:
  - Dig - requests all the DNS records for a host or domain
  - Finger - asks a server about one of its users
  - Traceroute - finds the route packets take between you and the address
  - Whois - finds contact information for the current domain or IP address
  - Ping - sends a series of packets to the current address to see if it is alive
- The “Sam Spade” software can be downloaded free of charge, e.g. from: http://www.softpedia.com/get/Network-Tools/Network-Tools-Suites/Sam-Spade.shtml
- Thomas Kernen, “Traceroute.” http://www.traceroute.org/


