Really anonymous?

How anonymous is an "anonymous" email?

As is often the case when a new virus appears on the Internet, the FBI or international police are able to track down where the infection came from. This shows that an apparently anonymous peace of information, such as an email, can't be anonymous at all ...

An email message does not simply contain what you see whrn opening it in OutLook or your email client of choice; there is more information, which is normally stripped off when the email is displayed.

In the example that we will discuss in this page, a user sent an email using our well known service offered on http://www.front-row-seat.com/html/send_email.html
He/she used:

cocco@mail.ch as sender
webmaster@grande-forme.com as recipient

Here is the message sent:

To see the header, the quickest way is to save the message in the .eml (or similar) format provided by OutLook:

The .eml file can be opened by a normal editor and it contains the headers that come with the text:

 

Return-path: 
Envelope-to: webmaster@grande-forme.com
Delivery-date: Wed, 17 Mar 2004 10:12:25 -0800
Received: from [69.41.238.66] (helo=matrix.webservercity.com)
	by chiron.lunarpages.com with esmtp (TLSv1:DES-CBC3-SHA:168)
	(Exim 4.24)
	id 1B3fWj-0007B7-1U
	for webmaster@grande-forme.com; Wed, 17 Mar 2004 10:12:25 -0800
Received: from nobody by matrix.webservercity.com with local (Exim 4.24)
	id 1B3fWd-0003Q3-12; Wed, 17 Mar 2004 18:12:19 +0000
To: webmaster@grande-forme.com
Subject: Long time
From: cocco@mail.ch
X-Mailer: php
Message-Id: 
Date: Wed, 17 Mar 2004 18:12:19 +0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - matrix.webservercity.com
X-AntiAbuse: Original Domain - grande-forme.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - mail.ch

What do you see?

Cocco

Free anonymous email from
http://www.front-row-seat.com/html/free_email.html

Now, cocco@mail.ch is of course a fake address and it will not tell us much, except that the anonymous sender is witty, funny or annoying.

The important part of the message is:

Received: from [69.41.238.66] (helo=matrix.webservercity.com)

This shows that the email was sent from the server matrix.webservercity.com (IP address 69.41.238.66), which is indeed the server that hosts www.front-row-seat.com Every sent email has an id, which in our case is id 1B2brx-0005OQ-0S (this will tell a lot to the system administrators, probably that the domain was www.front-row-seat.com).
We also know the time the message was sent: Mar 15 11:44:23

Now, the system manager and we from www.front-row-seat.com have access to our webserver log files; a webserver logfile will show, at the very least, the IP address of a visitor to the website. Searching for this timestamp on the log we find:

We clearly see that the originating IP address is 80.255.43.218 (of course, we don't normally provide this kind of information). If this is (as it seems) one of the IP addresses used by the ISP cablecom.ch in Switzerland, Cablecom will certainly know which household was accessing that IP address at the time! (again, Cablecome won't tell anybody, except when requested by the police). This shows that the email wasn't anonymous at all.

To find out which ISP provider owns a certain IP address there are several possible ways, but an excellent one is our own script. Simply click on this link and you will see how much information your IP address transmits.

Our "anonymous email service" should be used for the purposes it was first thought up for: primarily, for sending emails from your normal email address when you are away; secondly, when you don't want to show your address for some reason; thirdly, for some light fun.

If you think that you can safely use it for illegal activities, be warned that you won't be able to get away with it easily.