IP Relevancy Advice please....

12 Posts
6 Users
0 Reactions
871 Views
(@peanutbutter)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

Hello all, I found this forum when looking for sites which deal with forensic email analysis and similar topics. Firstly, can I say what a superb forum, and being only moderately technical, I will be spending a lot more time here now I have arrived – the info on here is enough for a degree in Computer Science!!!

Anyway…. on to the issue at hand….

I am trying to assess the conclusion to be drawn from some investigation I have done regarding a dishonest marketing scheme which has duped several friends of mine as well as myself. I won't mention it here, as that wouldn't be fair, at least in theory, until courts have heard the evidence, though I am 100% certain of many other dishonest practices carried out, so this isn't case-dependent, but this will be going to the courts and authorities soon enough. Before that I am just trying to confirm if our findings to date confirm one particular facet of this whole case - does the info found prove with certainty that the same man sent the emails and used the same computer to log in to forums from?

Briefly, the details are

A product is marketed by a company. This is a one-man company. This man has logged into our private support forum from his IP address, which is UK-based, but I won't quote it here.

The company was contacted to ask for testimonials from independent customers using his product, after having received sales letters etc. Two emails were received from different 'people' whom we believe are aliases, as well as a third alias who has taken part in forums online etc. to promote the product, claiming to be independent and not connected to the company. I believe all of these persons are aliases set up by the owner of the company.

The SAME IP ADDRESS appears in the Email Header in ALL emails from ALL persons mentioned above, AS WELL AS from the company owner's own access logs to our forum. In effect 4 different people (allegedly) all with the same IP address in their emails or network logs.

I am technically proficient but I am not an IP expert. Could someone please advise if the above confirms our suspicion that the same computer terminal sent all of the communications, emails, logins etc.? I am pretty sure this is the case but I am looking for confirmation from experts or people with more knowledge than myself.

Does anyone have any comments? I will be VERY grateful for any help with this.

Thank you very much


   
Quote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Need more information. Typically the IP address is recorded in a Received header for each MTA in the process, plus the original client, however, it is certainly possible to fake this depending on how much control one has over the MTAs involved. The most recent MTA will be at the top. The client will usually be in the last Received header before the message body. If the last Received IP address is the same for all messages and this is the client IP, then you could assume that they originated from the same system although if this were a NATed address, that may or may not be significant.

There are a number of RFCs which describe header information, beginning with RFC 822 on through 2822, 3864, 5335. These should help you understand what the headers might and might not mean.


   
ReplyQuote
(@peanutbutter)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

Thank you very much, seanmcl.

As expected you have put my knowledge to shame! I haven't a clue about some of that, but I did understand the IP bit in the header.

I can confirm two things

1. The originator would NEVER have wanted to spoof the IP of the other identities, i.e. the very LAST thing he would want is to have the same IP as them, so this rules out him falsely trying to appear as them. On the contrary, he claimed these people were all successful users of his product and were in no way connected with him. More importantly, he claimed they were based in London when he is based 200 miles away!

2. The last "received" header is the one which matches across all headers with same IP.

Thanks again for your help. I think this is as I expected: pretty damn certain it's all from him. The fact that the English and grammar, style of speech etc. also match is a supporting factor, though not confirmation of anything in itself!

Very grateful for your comments


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The SAME IP ADDRESS appears in the Email Header in ALL emails from ALL persons mentioned above, AS WELL AS from the company owner's own access logs to our forum. In effect 4 different people (allegedly) all with the same IP address in their emails or network logs.

…snip…

Could someone please advise if the above confirms our suspicion that the same computer terminal sent all of the communications, emails, logins etc?

Like Sean said, there isn't enough information to go on.

You say that the same IP address appears in the headers…but with respect to which entries? X-Originating IP address? What have you done to determine what device is at that IP address? Is it an MTA? If so, that kind of makes sense…


   
ReplyQuote
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I think I understand.

The vendor A, with IP A, logs into forum.

You ask for references in e-mail.

Vendor A responds with MTA IP A (identical to the forum login IP), and says sure.

You get Reference B, and Reference C e-mails, but both of them have the same MTA IP A in header.

You are asking to draw a conclusion on looking at just the matching IPs in header info from Vendor A e-mail, Reference B & C e-mail, and forum login by Vendor A.

Is that correct?

The likelihood that the same transfer agent is being used by three geographically dispersed individuals is low, in my opinion.

Caveat - if the e-mail service provided by Vendor A to Reference B & C, or their primary e-mail service provider, is identical, the same transfer agent can appear in the header.

Have you tried to connect and identify the transfer agent at IP A?

Have you responded to Reference B & C in e-mail, and asked them to provide a telephone number so you can call them?
It would allow you to reverse-look-up the numbers and find out who they are associated with.


   
ReplyQuote
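A worked illustration of the two points made above: Sean's rule that the bottom-most Received header carries the client address (and that a NATed address there says less), and jhup's comparison of the header IPs from Vendor A, Reference B & C and the forum login, including his caveat that a shared mail service shows the same transfer agent for different people. This is example code added to the thread, not anything the posters supplied; the messages, host names (smtp.vendor.example, mx.bigmail.example, mail.recipient.example) and addresses are constructed, with RFC 5737 documentation ranges standing in for routable addresses and 10.0.0.5 for a client behind NAT.

```python
import email
import ipaddress
import re
from collections import defaultdict
from email import policy

# Ranges that identify a NAT gateway or internal relay rather than one machine
# (RFC 1918 plus loopback and link-local); a client IP in here is weak evidence.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _sample(client, relay, relay_ip, sender):
    """Constructed two-hop message: client -> submission relay -> our server.
    Hop order mirrors real mail: the newest Received header is on top."""
    return (f"Received: from {relay} ({relay} [{relay_ip}])\n"
            "\tby mail.recipient.example (Postfix) with ESMTP;"
            " Mon, 1 Jan 2024 10:00:02 +0000\n"
            f"Received: from userpc ([{client}])\n"
            f"\tby {relay} with ESMTPA; Mon, 1 Jan 2024 10:00:00 +0000\n"
            f"From: {sender}\nSubject: testimonials\n\nbody\n")


# Constructed samples. 192.0.2.x and 198.51.100.x are RFC 5737 documentation
# addresses standing in for routable ones; 10.0.0.5 stands in for a NATed client.
SAMPLES = {
    "vendor": _sample("198.51.100.23", "smtp.vendor.example", "192.0.2.10", "a@vendor.example"),
    "ref_b": _sample("198.51.100.23", "smtp.vendor.example", "192.0.2.10", "b@bigmail.example"),
    "ref_c": _sample("198.51.100.23", "mx.bigmail.example", "192.0.2.50", "c@bigmail.example"),
    "ref_d": _sample("10.0.0.5", "smtp.vendor.example", "192.0.2.10", "d@vendor.example"),
}
# Constructed forum access-log entry for the vendor's own account.
FORUM_LOG = {"forum login (vendor account)": "198.51.100.23"}


def ips_in(text):
    """Valid IPv4 literals in text, in order of appearance."""
    found = []
    for token in IPV4_RE.findall(text):
        try:
            found.append(str(ipaddress.ip_address(token)))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is no address
            pass
    return found


def received_chain(raw):
    """Received headers top to bottom (last MTA first, first hop last)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [str(h) for h in (msg.get_all("Received") or [])], msg


def _from_part(received):
    """The 'from ...' clause of one Received header, before its 'by' clause."""
    return re.split(r"\s+by\s+", received, maxsplit=1)[0]


def originating_ip(raw):
    """Client address per Sean's rule: the bottom-most Received header's 'from'
    clause, else X-Originating-IP. Returns (ip or None, hop count, note)."""
    chain, msg = received_chain(raw)
    if not chain:
        return None, 0, "no Received headers"
    candidates = ips_in(_from_part(chain[-1]))
    if not candidates and msg.get("X-Originating-IP"):
        candidates = ips_in(str(msg.get("X-Originating-IP")))
    if not candidates:
        return None, len(chain), "no client IP literal found"
    ip = candidates[0]
    if any(ipaddress.ip_address(ip) in net for net in NON_ROUTABLE):
        return ip, len(chain), "non-routable: identifies a NAT/relay, not a device"
    return ip, len(chain), "routable client address"


def relay_ips(raw):
    """Addresses of the transfer agents after the first hop (jhup's caveat:
    a shared mail service shows the same relay even for different clients)."""
    chain, _ = received_chain(raw)
    return [ip for hop in chain[:-1] for ip in ips_in(_from_part(hop))[:1]]


def correlate(messages, log_ips):
    """Group every source by its client IP. Returns ({ip: [labels]}, {label: note})."""
    by_ip, notes = defaultdict(list), {}
    for label, raw in messages.items():
        ip, _, note = originating_ip(raw)
        notes[label] = note
        if ip:
            by_ip[ip].append(label)
    for label, ip in log_ips.items():
        by_ip[str(ipaddress.ip_address(ip))].append(label)
    return dict(by_ip), notes


if __name__ == "__main__":
    grouped, notes = correlate(SAMPLES, FORUM_LOG)
    for ip, labels in grouped.items():
        print(f"{ip}: {', '.join(labels)}")
    for label, note in notes.items():
        print(f"  {label}: {note}; relays {relay_ips(SAMPLES[label])}")
```

In the sample, the vendor, both references and the forum login group under one client address, which is the situation the thread describes; ref_c reaches us through a different relay, so the match there is on the client address alone, while ref_d shares the vendor's relay but its client address is a private one and is reported as weak evidence.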
(@peanutbutter)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

Hi jhup, thanks very much. Yes, I asked for phone numbers and they point blank refuse to talk on the phone, citing reasons such as "I don't like talking on the phone", "I have children and need to be with them all the time" and similar 'odd' reasons!

Your post was superb, but a bit technical for me I think. Yes, they are all geographically dispersed, and for one I think the whole thing stinks to high heaven.

If anyone has time to look, I have all 3 email headers which I could PM or email to someone, if someone was kind enough to look.

Thanks again to all for your help


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

If anyone has time to look, I have all 3 email headers which I could PM or email to someone, if someone was kind enough to look.

Sure. You can PM me or use my e-mail (mclinden@informed.net). All of this would be confidential, of course.


   
ReplyQuote
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I can take a gander too, if you want a second opinion. Just PM the headers here.


   
ReplyQuote
Ranj
(@ranj)
Active Member
Joined: 16 years ago
Posts: 12
 

As far as my networking knowledge goes, if they are living in different areas and/or have different Internet Service Providers, it's extremely unlikely for them to have had the same IP assigned to them once the other one released it.

Usually with a broadband connection you get leased IP addresses for long periods of time in this respect (days if not weeks).

In regards to time, what was the time difference between one email to another? Hours, days, weeks?!


   
ReplyQuote
(@peanutbutter)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

Hi Ranj, weeks and weeks and weeks.


   
ReplyQuote
Page 1 / 2