How to trace a fake mail?

on 30.09.2006 13:21:41 by Andrea

Hi guys,

I have a serious problem for you. A friend wants me to analyse a fake
mail he has received in order to understand from which PC of the
company it has been sent. This mail is a serious abuse from an employee
against the company he works for, and my friend wants to get the 'mole',
if it is possible. The problem is: if the 'mole' has used some spam
technique to hide his sensitive information, is there any chance to get
him?
What do I have to do to work out which LAN PC the mail has been
sent from?
Here are the interesting parts of the mail headers:

X-Cloudmark-Score: 0.000000 []
Received: from [62.94.10.162] (HELO smtp.eutelia.it)
  by mailfe05.swip.net (CommuniGate Pro SMTP 5.0.8)
  with ESMTP id 179086340 for luca.magosso@tele2.it; Thu, 14 Sep 2006
  14:38:31 +0200
Received: from amd (ip-194-166.sn3.eutelia.it [194.153.194.166])
  by smtp.eutelia.it (Eutelia) with SMTP id E59581B9BDC;
  Thu, 14 Sep 2006 14:38:29 +0200 (CEST)
Message-ID: <000001c6d7fa$6874f8d0$6a00000a@amd>

What kind of information can you get from these headers?

Thank you in advance for any hint,
Andrea

Re: How to trace a fake mail?

on 30.09.2006 14:33:42 by unknown

Post removed (X-No-Archive: yes)

Re: How to trace a fake mail?

on 30.09.2006 14:58:42 by Andrea

Kalle Bass wrote:
> Andrea wrote:
> > Hi guys,
>
> Hello.
>
> > Received: from [62.94.10.162] (HELO smtp.eutelia.it)
> >   by mailfe05.swip.net (CommuniGate Pro SMTP 5.0.8)
> >   with ESMTP id 179086340 for luca.magosso@tele2.it; Thu, 14 Sep 2006
> >   14:38:31 +0200
> > Received: from amd (ip-194-166.sn3.eutelia.it [194.153.194.166])
> >   by smtp.eutelia.it (Eutelia) with SMTP id E59581B9BDC;
> >   Thu, 14 Sep 2006 14:38:29 +0200 (CEST)
> > Message-ID: <000001c6d7fa$6874f8d0$6a00000a@amd>
> >
> > What kind of information you can understand from these headers?
>
> That the e-mail was received from 194.153.194.166

Of course :-) I suppose this is the mail server address. How can I
trace the client's PC address?

Re: How to trace a fake mail?

on 30.09.2006 15:02:43 by Sam

Andrea writes:

> Received: from [62.94.10.162] (HELO smtp.eutelia.it)
>   by mailfe05.swip.net (CommuniGate Pro SMTP 5.0.8)
>   with ESMTP id 179086340 for luca.magosso@tele2.it; Thu, 14 Sep 2006
>   14:38:31 +0200
> Received: from amd (ip-194-166.sn3.eutelia.it [194.153.194.166])
>   by smtp.eutelia.it (Eutelia) with SMTP id E59581B9BDC;
>   Thu, 14 Sep 2006 14:38:29 +0200 (CEST)
> Message-ID: <000001c6d7fa$6874f8d0$6a00000a@amd>
>
> What kind of information you can understand from these headers?

The message was received from IP address 194.153.194.166 on Thu, 14 Sep 2006
14:38:29 +0200 (CEST).


Re: How to trace a fake mail?

on 30.09.2006 15:22:39 by Alan Clifford

On Sat, 30 Sep 2006, Andrea wrote:

A> >
A> > > Received: from [62.94.10.162] (HELO smtp.eutelia.it)
A> > >   by mailfe05.swip.net (CommuniGate Pro SMTP 5.0.8)
A> > >   with ESMTP id 179086340 for luca.magosso@tele2.it; Thu, 14 Sep 2006
A> > >   14:38:31 +0200
A> > > Received: from amd (ip-194-166.sn3.eutelia.it [194.153.194.166])
A> > >   by smtp.eutelia.it (Eutelia) with SMTP id E59581B9BDC;
A> > >   Thu, 14 Sep 2006 14:38:29 +0200 (CEST)
A> > > Message-ID: <000001c6d7fa$6874f8d0$6a00000a@amd>
A> > >
A> > > What kind of information you can understand from these headers?
A> >
A> > That the e-mail was received from 194.153.194.166
A>
A> Of course :-) I suppose this is the mail server address. How can I
A> trace the client's pc address?
A>

So why not post all the headers instead of just a subset?


Alan

( If replying by mail, please note that all "sardines" are canned.
There is also a password autoresponder but, unless this a very
old message, a "tuna" will swim right through. )

Re: How to trace a fake mail?

on 30.09.2006 15:49:00 by Landmark

"Andrea" wrote:

>What have I got to do to understand the LAN pc where the mail has been
>sent?

What makes you think it was sent from a PC on the LAN?

>Received: from amd (ip-194-166.sn3.eutelia.it [194.153.194.166])

The message was sent using a computer connected to Eutelia's network.
As far as I can tell, Eutelia is an Italian ISP and this IP number
appears to be one of its ADSL allocated numbers.

If Eutelia is your own ISP then it may be that this is the IP number
allocated to your own connection, (easily checked) or it may be a
dynamically assigned IP number from someone using a home broadband
connection.

If it isn't your own LAN and you want Eutelia to tell you who was
using that IP number at the time the mail was sent then you almost
certainly need a court order before they will disclose the
information. Even then, all they can tell you is that it came from a
certain subscriber, and if that subscriber is someone with a LAN then
they cannot tell you who on the LAN was responsible.

Sometimes you will find a header line which contains (HELO xxx) or
(EHLO xxx) where xxx is often the machine name allocated to the
individual PC on a LAN, (see Control Panel, System, Computer Name)
which helps pin down the actual PC.

Of course, even then it is not proof that the person who uses that PC
is the one who sent the email. People often leave their PCs unattended
and logged in and in a large office it is usually easy to quickly send
an incriminating email from someone else's PC rather than use your
own.

Re: How to trace a fake mail?

on 30.09.2006 15:59:03 by Sam

Andrea writes:

>
> Kalle Bass wrote:
>> Andrea wrote:
>> > Hi guys,
>>
>> Hello.
>>
>> > Received: from [62.94.10.162] (HELO smtp.eutelia.it)
>> >   by mailfe05.swip.net (CommuniGate Pro SMTP 5.0.8)
>> >   with ESMTP id 179086340 for luca.magosso@tele2.it; Thu, 14 Sep 2006
>> >   14:38:31 +0200
>> > Received: from amd (ip-194-166.sn3.eutelia.it [194.153.194.166])
>> >   by smtp.eutelia.it (Eutelia) with SMTP id E59581B9BDC;
>> >   Thu, 14 Sep 2006 14:38:29 +0200 (CEST)
>> > Message-ID: <000001c6d7fa$6874f8d0$6a00000a@amd>
>> >
>> > What kind of information you can understand from these headers?
>>
>> That the e-mail was received from 194.153.194.166
>
> Of course :-) I suppose this is the mail server address. How can I
> trace the client's pc address?

Look at the logs on this mail server. This is the earliest origination
point that can be determined from the mail headers that you posted. Any
additional logging information can only exist on this mail server.
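As an added example (not code from the thread or from any poster), a small Python parser that walks the Received chain in the headers Andrea posted: it reports the bottom hop, which is the earliest origin the headers can show (194.153.194.166, announced as "amd"), and checks that each hop's "by" server is the "from" of the hop above it, the sanity check a defender applies before trusting the chain. The header text is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: the Received lines quoted in the thread, folded the way
# a mail client stores them (continuation lines start with whitespace).
SAMPLE_HEADERS = """\
Received: from [62.94.10.162] (HELO smtp.eutelia.it)
  by mailfe05.swip.net (CommuniGate Pro SMTP 5.0.8)
  with ESMTP id 179086340 for luca.magosso@tele2.it; Thu, 14 Sep 2006 14:38:31 +0200
Received: from amd (ip-194-166.sn3.eutelia.it [194.153.194.166])
  by smtp.eutelia.it (Eutelia) with SMTP id E59581B9BDC;
  Thu, 14 Sep 2006 14:38:29 +0200 (CEST)
"""

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<from>\S+)"   # name the client announced, or its [ip]
    r"(?:\s*\((?P<paren>[^)]*)\))?"         # what the server saw: rDNS, [ip] or HELO
    r".*?\bby\s+(?P<by>\S+)"                # the server that wrote this line
    r"(?:.*;\s*(?P<date>.+))?.*$", re.I)    # timestamp after the last ';'
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(raw):
    """Join folded continuation lines back onto their header line."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def parse_received(raw):
    """One dict per Received hop, in header order (most recent hop first);
    the last entry is the earliest origin the headers can show."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        paren = m.group("paren") or ""
        helo = re.match(r"(?:HELO|EHLO)\s+(\S+)", paren, re.I)
        # Only the [ip] is observed by the receiving server from the TCP
        # connection; the HELO name (like the Message-ID) is chosen by the client.
        ip = IP_RE.search(paren) or IP_RE.search(m.group("from"))
        hops.append({"helo": helo.group(1) if helo else m.group("from"),
                     "ip": ip.group(1) if ip else None, "by": m.group("by"),
                     "date": (m.group("date") or "").strip()})
    return hops

def chain_consistent(hops):
    """Each hop's 'by' should be the 'from' of the hop above it; a Received
    line forged by the sender usually breaks this link."""
    return all(hops[i]["helo"] == hops[i + 1]["by"] for i in range(len(hops) - 1))
```

Anything that happened before the bottom hop, such as which LAN client handed the message to smtp.eutelia.it, is only in that server's own logs, as Sam says.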

Re: How to trace a fake mail?

on 01.10.2006 00:52:46 by Felix Tilley

On Sat, 30 Sep 2006 04:21:41 -0700, Andrea wrote:

> NNTP-Posting-Host: 82.54.200.50

If you are expecting sympathy, you are posting from interbusiness.it and
telecomitalia.it. We have been victimized by these people before. A lot
of their IP space is blocked on many IP systems.
nslookup 82.54.200.50
Server: 207.69.188.187
Address: 207.69.188.187#53

Non-authoritative answer:
50.200.54.82.in-addr.arpa name = host50-200-dynamic.54-82-r.retail.telecomitalia.it.

Authoritative answers can be found from:
200.54.82.in-addr.arpa nameserver = dnsti.interbusiness.it.
200.54.82.in-addr.arpa nameserver = dnsts.interbusiness.it.
dnsti.interbusiness.it internet address = 151.99.125.5
dnsts.interbusiness.it internet address = 80.22.52.131