An investigation that I am working on requires the tracing of spoofed/anonymous SMS/text messages and e-mail messages.
Since I am new to this field, though not at all new to investigations, I could use some advice on how to perform this tracing task.
I am aware of the online spoofing services for SMS and e-mail, and assume that viewing the anon e-mail header details may disclose the sending/source IP address, and perhaps the originator's IP address. Fortunately, the recipients have retained the e-mail messages and I will have them forwarded to me. Would that be the correct protocol, do you think?
I was going to concentrate on examination of the e-mails since they are more likely to show IP details that could be traced depending on the spoofing service.
Any other thoughts on how I should proceed with the SMS messages and/or e-mails?
Please feel free to contact me directly on this.
Gil
Interesting article on this subject just the other day
Don't have them forward the messages to you; you will lose the headers of the original messages. The messages should be attached to another e-mail.
Do you have reason to believe that they are spoofed or are they just anonymous? With anonymous e-mails, you can trace the e-mail to a provider and even trace the source IP to a provider. But chances are unless you are working a criminal matter, the provider will not provide you the subscriber information (some ISPs do, most do not). Another thing to consider is reviewing the various logs at your client's facility (if they do any logging) to see if the same IP address shows up in a VPN, web, SMTP or other log associated with a known individual. For example, say Joe Smith logs into OWA with the same IP as the e-mails you are reviewing (even though the e-mails you are reviewing are from an unknown person). That would give you reason to believe that the anonymous e-mails may be coming from Joe Smith.
Emails
Have them send you the whole message, headers included.
Different e-mail clients have different ways of showing headers, so point them to pages like these:
http//
If you have the header, besides IP-addresses, check for other signs
- message-ID (the last part sometimes contains the domain of the real sender)
- BIOS name (sometimes seen in Received lines)
- check contents for spelling mistakes, unique use of commas & dots.
- if rich text format, check what fonts & color the sender used
- Sometimes the mail is sent from a local mailserver, in that case you'd want to check the ADS or what have you, but you probably already knew that 😉
If the sender used gmail, you're SOL unless you're LE, but hotmail & others still show IP-addresses in headers. Be aware that it's possible to change information in mailheaders if suspect is a clever sysadmin.
If you have enough cause, you can of course always look on the suspects' system for traces of the original message.
SMS
If you have access to the raw source of the SMS messages, you can at least try to find out which message center was used to send the SMS. Usage of a non-standard one might give you an indication of forgery.
Hope this helps!
- Roland
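The header checks Roland lists above (walking the Received lines, reading the domain out of the Message-ID) and the log-correlation idea from the earlier reply (the same source IP showing up next to a known user in an OWA or VPN log), put together as an added example that is not part of this thread. Everything in it is constructed for illustration: the raw message, the hostnames, the IP addresses (documentation ranges) and the key=value log format are all assumptions, and the parsing is only what Python's standard email module gives you.

```python
"""Walk the Received chain of a raw e-mail and cross-check its IPs against local logs.

Added example for the thread above; not the poster's or anyone's production tool.
"""
import email
import re

# Constructed sample message: hypothetical hosts, documentation-range IPs, invented Message-ID.
# Read it bottom-up: the lowest Received line is the hop closest to the sender.
RAW_MESSAGE = b"""Received: from mx.example-recipient.test (mx.example-recipient.test [203.0.113.10])
\tby mail.example-recipient.test with ESMTP id abc123; Mon, 01 Jan 2024 10:00:05 +0000
Received: from relay.spoofing-service.example ([198.51.100.25])
\tby mx.example-recipient.test with SMTP; Mon, 01 Jan 2024 10:00:03 +0000
Received: from WORKSTATION-7 ([192.0.2.44])
\tby relay.spoofing-service.example with HTTP; Mon, 01 Jan 2024 10:00:01 +0000
From: "Anonymous" <nobody@anon.example>
To: victim@example-recipient.test
Message-ID: <20240101100001.abc@realsender.example>
Subject: test

body
"""

# Constructed sample log lines in a hypothetical key=value format (assumed, not any real product's).
LOG_LINES = [
    "2024-01-01T09:58:00Z OWA login user=jsmith src=192.0.2.44 result=success",
    "2024-01-01T10:02:00Z VPN connect user=adoe src=203.0.113.200 result=success",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def received_chain(raw):
    """Return the Received hops oldest-first as dicts: from-host, IPs, normalised line.

    Only hops added by servers you control or trust are reliable; anything below
    your own server's line may have been written by the sender.
    """
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        line = re.sub(r"\s+", " ", value).strip()  # unfold the header
        m = FROM_RE.match(line)
        hops.append({"from": m.group(1) if m else None,
                     "ips": IP_RE.findall(line),
                     "line": line})
    hops.reverse()  # headers are prepended per hop, so the sender-side hop is last in the file
    return hops


def message_id_domain(raw):
    """Domain part of the Message-ID, which some services leave as the real sender's."""
    msg = email.message_from_bytes(raw)
    mid = (msg.get("Message-ID") or "").strip().strip("<>")
    return mid.rpartition("@")[2] or None


def correlate(ips, log_lines):
    """Map each candidate IP to the user names seen with it in the log lines."""
    hits = {}
    for line in log_lines:
        src = re.search(r"\bsrc=(\S+)", line)
        user = re.search(r"\buser=(\S+)", line)
        if src and user and src.group(1) in ips:
            hits.setdefault(src.group(1), set()).add(user.group(1))
    return {ip: sorted(users) for ip, users in hits.items()}


def analyse(raw, log_lines):
    """Combine the three checks into one report dict."""
    hops = received_chain(raw)
    candidate_ips = {ip for hop in hops for ip in hop["ips"]}
    return {
        "hops": hops,
        "origin_hop": hops[0] if hops else None,
        "message_id_domain": message_id_domain(raw),
        "log_matches": correlate(candidate_ips, log_lines),
    }


if __name__ == "__main__":
    report = analyse(RAW_MESSAGE, LOG_LINES)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: from {hop['from']} ips={hop['ips']}")
    print("Message-ID domain:", report["message_id_domain"])
    print("log matches:", report["log_matches"])
```

Feed it the message saved as a file with headers intact (an attachment, not a forwarded copy) rather than the embedded sample. A log hit on an IP is a lead, not proof: the same address can be a shared NAT, a proxy or a relay, and the bottom Received lines can be fabricated, so corroborate with the content checks Roland lists.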