Interesting Email footprinting ?

[bradleylamar]

Well, here goes my first thread ever....

I'm getting emails from a source that must know me personally. They aren't threats- no big deal- just little harassing jokes. I'm pretty sure I know the culprit but I need proof before accusing. Anyways, I've done quite a bit of research on tracing emails the last week and here's what I've come up with...
I looked at the full header and found 5 received from fields. The very original received from field (the starting point) says
"... from USERNAME (unknown [xxx.xxx.xxx.xxx]) by mailhost.fubar.net
1. I guess my first question starts here: Why is the USERNAME unknown on the IP address that it is sending an email from?

Well, next I wasn't familiar with the mail server mailhost.fubar.net and going purely on the assumption that this friend of mine is the culprit, I did a DNS lookup using dig on the company that he works at (actually a state agency). One of the servers listed was ns.fubar.net, so then I felt pretty confident. But by using DShield I found that the IP address for fubar.net has a CIDR of 22 & 21- meaning that there could be 3,000 ip's inside this host. I knew there would be a lot but 3,000 suprised me. Well, that is not sufficient enough for me to accuse my friends when it's one out of 3,000. So I kept digging...
I used DShield to locate who the IP belonged to that was inside my email header. The IP belonged to a completely different agency! Actually it belonged to a University. But DShield did show me that one of the DNS servers for the University was the same as one of the DNS servers that his agency uses! I know for sure that the email didn't originate at this University b/c this University is in another city that I've never even visited.
2. My second question is my is my email header reporting that it came from a University in another city when my friend works downtown?

Well, I tried to decipher the message ID but it doesn't seem to adhere to the same standard that I've read about on the internet. It is 3 series of alpha-numeric characters seperated by $ signs and then ends @USERNAME.
3. Does anyone know how to decipher this message ID?

Well, I don't quite have enough evidence to accuse my friend. I don't think he knows enough to fake an IP address and the emails keep coming from the same IP every time. I guess this goes to prove I'm still a newbie.

Any help is appreciated-

[AngelicKnight]

Step 1: Replace friend

Has your research included any older AO threads here? I'd direct you to The Duck, he's written quite a bit of stuff on that topic and might be able to help you along your way. I'm sure some of the older senior members will hop on here and have some advice to give to you shortly as well.

Welcome aboard.

[ShagDevil]

bradleylamar, a couple things. I just went through this same ordeal recently.

For starters, tracing emails can sometimes yield the actual original IP of the sender but it's not reliable enough to depend on.
Ok, lets see what else I noticed.
1)-USERNAME (unknown [xxx.xxx.xxx.xxx]) by mailhost.fubar.net is probably a forged Received: field. Whomever is sending the email can easily forge the previous Received: fields. A forged Received: field can have almost anything in it.
2)

But DShield did show me that one of the DNS servers for the University was the same as one of the DNS servers that his agency uses!

They may share a DNS server but by no means does it indicate where the email originated from.
3)

I know for sure that the email didn't originate at this University b/c this University is in another city that I've never even visited

irrelevent. The email may have originated from anywhere.
4)

My second question is my is my email header reporting that it came from a University in another city when my friend works downtown?

Again, because the previous Received: fields can be forged easily.
5)

Does anyone know how to decipher this message ID

I don't believe there's a whole lot you can do with the message ID because whomever sent the email may be behind a proxy and telnetting into an open mail server. In which case, it won't help you much.

Post the actual expanded email header if you could. Just blank out your personal stuff, like your email addy and your mail server. This may better help us explain the email to you.