
SEIS722 Wednesday, May 12, 2010

Tracing E-Mail Messages


Jayesh Naithani
SEIS722 – Computer Forensics
University of Saint Thomas
Saint Paul, Minnesota

Abstract
This paper will examine how to trace the origin of an e-mail message using message headers, message text,
and network logs. It will also discuss some of the challenges today in tracking the source of e-mail
messages and in determining the identity of the senders.

Keywords: E-mail forensics, e-mail headers, e-mail tracking, sender, receiver, identity

1 Introduction
E-mail is often used in criminal acts and inappropriate actions such as threats, fraud (phishing), sexual harassment
and stalking, mail bombing, and extortion. Almost any type of crime today contains some form of Internet-related
evidence. Organizations such as private companies have to deal with an equal amount of Internet-related issues,
from dealing with inappropriate e-mail, including threats, to preventing and co-operating in the fight against spamming
and phishing.
E-mail can be hard to connect to an individual in principle, but in practice it can be traced and connected to the
perpetrator. E-mail headers contain information that allows investigators to trace it, and the e-mail itself contains
the most important clues regarding its authenticity. Along with information contained in network, router, and e-mail
server logs it is possible to trace the path of the e-mail from recipient back to the sender.
Not all e-mail can be traced, however, especially if the sender used identity-concealing methods such as an
anonymizer service, spoofing techniques, bot networks, tunneling, open proxies, open mail relays, and
untraceable Internet connections. When such techniques are used, it can also be quite difficult to determine the
identity of the sender just by examining the electronic trail.
This paper will examine standard e-mail tracing techniques, and some of the techniques that e-mail senders use
to hide their electronic trail and that make it difficult to track the source. Some advanced digital forensic techniques for
e-mail tracing will also be presented.

2 E-mail fundamentals
Users typically send e-mail using an e-mail client. The client sends the e-mail, usually consisting of a text file, to an
e-mail server. The server hands the e-mail to the client at the receiver’s machine if it is a local delivery, or it hands
it to other e-mail servers via the Internet. The e-mail may actually get relayed between other mail hosts before it is
eventually transferred to a mail server in the recipient’s domain [3].
At least four computers are generally needed to process e-mail. The first is the sender’s computer, where the
e-mail originated. The second is the e-mail server of the sender’s ISP (Internet Service Provider), which receives the
e-mail from the sender’s computer. The third is the e-mail server of the recipient’s ISP, which receives the e-mail
from the sender’s ISP. Finally, the fourth is the computer of the recipient receiving the message from their ISP’s
e-mail server. Each of the computers has a unique identifier called an IP (Internet Protocol) address. If the ISP of
the receiver and sender are the same, then a minimum of three computers are involved [10].
Following are some services that are important to know about in order to effectively trace e-mail.

2.1 Internet Mail Protocols


When a user wants to read an incoming email using their email client program, such as Microsoft Outlook, IBM
Lotus Notes, or a web browser, they connect to the e-mail server using one of four different methods:

• Post Office Protocol (POP)
• Internet Mail Access Protocol (IMAP)
• Microsoft’s Mail API (MAPI)
• Web mail (http)

The important thing to understand about these different protocols is that their use affects where mail messages
are stored. POP mail users always use their local machines for their e-mail archives, while clients using IMAP and
MAPI have the option of storing e-mails on the server. Incoming and outgoing messages for web based post office
service such as Google Mail, Yahoo Mail, or AOL are also stored on the server [10].
Outgoing e-mail uses a different protocol called Simple Mail Transfer Protocol (SMTP). SMTP is a simple
protocol and consists of a few text based commands or keywords. Servers that accept mail and relay to other servers
(also called Mail Transfer Agents or MTAs) also use SMTP [10]. Non-SMTP transmissions can occur as well when
e-mails are exchanged between users on the same e-mail system. The important thing to understand here is that
when messages are being relayed between servers, SMTP is used to keep track of the IP addresses of the other
servers connecting to them, and the IP addresses of these servers are added to information on the e-mail header. E-
mail servers have the ability to maintain logging information, and they are also a reliable source of information
about e-mail headers.

2.2 Regional Internet Registries and WHOIS Service


These are organizations responsible for the administration and registration of IP addresses. There are currently four
organizations:

• APNIC (Asia Pacific Network Information Center)
• ARIN (American Registry of Internet Numbers)
• LACNIC (Latin American and Caribbean IP address Regional Registry)
• RIPE NCC (Reseau IP Europeens Network Coordination Center)

Each of these entities maintains a database of registered IP addresses and contact data that is freely available on
the internet [11].

2.3 Domain Name System (DNS)


The Domain Name System is a hierarchical naming system for computers, services, or resources connected to the
Internet or a private network. It is used to translate between domain names and IP addresses, and to control Internet
e-mail delivery [9, 11].

2.4 Internet Protocol (IP) Addressing


An Internet Protocol address is a numerical label that is assigned to devices participating in a computer network and
which use the Internet Protocol for communicating between other devices. IP addresses in IPv4 consist of 4 decimal
numbers between 0 and 255, whereas IPv6 expands the addresses to eight fields with hexadecimal values ranging
from 0000 to FFFF. When an IP address is linked directly to a machine, it is considered a static address. Since the
address space within IPv4 is not sufficient, many computers connected to the Internet have a dynamic address
assigned by a DHCP (Dynamic Host Configuration Protocol) server, and they only remain valid for a short period of
time. The DHCP server maintains logs that connect the assigned IP address to the MAC (Media Access Control)
address on the computer’s network card. This information is valuable to a forensics investigator when tracing the
source of an e-mail [11].

3 E-mail tracing
Determining an e-mail’s origin is referred to as “tracing” [12]. This process requires examining e-mail headers, e-
mail message files, and e-mail server logs.

3.1 E-mail components


An e-mail message consists of two parts: a header, and a body [8]. The following is an example of an e-mail:


Received: from usspw021.lawson.com (10.0.0.208) by USSPW043.corpnet.lawson.com
(10.0.13.102) with Microsoft SMTP Server id 8.1.393.1; Sat, 1 May 2010 12:41:35 -0500
Received: from mail111-va3-R.bigfish.com ([216.32.180.113])by
smtp.lawson.com with ESMTP id 2010050112411636-735057 ; Sat, 1 May 2010 12:41:16 -0500
Received: from mail111-va3 (localhost.localdomain [127.0.0.1] by
mail111-va3-R.bigfish.com (Postfix) with ESMTP id E4A5A16005F3 for
<jayesh.naithani@lawson.com>; Sat, 1 May 2010 17:41:15 +0000 (UTC)
Received: from mail111-va3 (localhost.localdomain [127.0.0.1]) by mail111-va3
(MessageSwitch) id 1272735674701091_24844; Sat, 1 May 2010 17:41:14 +0000(UTC)
Received: from VA3EHSMHS024.bigfish.com (unknown [10.7.14.251]) by
mail111-va3.bigfish.com (Postfix) with ESMTP id 9CE02C50050 for
<jayesh.naithani@lawson.com>; Sat, 1 May 2010 17:41:14 +0000 (UTC)
Received: from smtp4.stthomas.edu (140.209.3.234) by VA3EHSMHS024.bigfish.com
(10.7.99.34) with Microsoft SMTP Server id 14.0.482.44; Sat, 1 May 2010
17:41:13 +0000
Received: from mail.stthomas.edu (Not Verified[140.209.2.117]) by
smtp4.stthomas.edu with MailMarshal (v6,7,2,8378) id <B4bdc67b70000>; Sat, 01
May 2010 12:41:11 -0500
Received: from UST-E2K7VS3.stthomas.edu ([fe80::c490:22a0:102b:f7f4]) by
UST-EXCHHTS2.stthomas.edu ([2002:8cd1:275::8cd1:275]) with mapi; Sat, 1 May
2010 12:41:11 -0500
From: "Naithani, Jayesh" <nait4086@stthomas.edu>
To: "jnaithani@gmail.com" <jnaithani@gmail.com>
CC: Jayesh Naithani <jayesh.naithani@lawson.com>
Date: Sat, 1 May 2010 12:41:11 -0500
Subject: How are you?
Thread-Topic: How are you?
Thread-Index: AQHK6VV9wvdSp0Todk6XpkEWJuJyxw==
Message-ID: <AC162E333D854F429B9DFD32777480EB2D4365C090@UST-E2K7VS3.stthomas.edu>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
MIME-Version: 1.0
X-Reverse-DNS: smtp4.stthomas.edu
X-MIMETrack: Itemize by SMTP Server on SMTP/Lawson at 05/01/2010 12:41:16 PM,
Serialize by Router on USSPC01/Server/Lawson(Release 7.0.3FP1|February 24, 2008) at
05/01/2010 12:41:35 PM, Serialize complete at 05/01/2010 12:41:35 PM
X-TNEFEvaluated: 1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Content-Language: en-US
Return-Path: nait4086@stthomas.edu

Hi Jayesh,

How are you?

- Jayesh

Table 1. An e-mail message composed of message headers and message body.

The header contains routing information about the e-mail, source and destination information, IP address of the
sender, and timestamps. The message body (in green) contains the actual message, and can optionally contain
attachments. The message headers (in teal) are the most important part for investigating and tracing the email.

3.2 E-mail header


The e-mail header has a standard content, as defined by RFC822 (Standard for the Format of ARPA Internet
Messages). Headers follow a format that is the same for e-mails sent using Outlook Express or using a web-based
application such as Google Mail [3].
E-mail headers are organized from the bottom up. They contain three main pieces of information that could
help determine the identity of the sender: the sender’s e-mail address, the IP address of the machine or e-mail host
used to send the message, and the message ID and time-related information indicating when the message was sent.


3.2.1 Sender’s e-mail address


The sender’s e-mail address can typically be found after the “From” section of the header.

Date: Thu, 6 May 2010 19:30:59 -0500
Message-ID: <g2la6f154ed1005061730u92701267s468317ee41b6021c@mail.gmail.com>
Subject: Re: How are you?
From: Jayesh Naithani <jnaithani@gmail.com>
To: Jayesh Naithani jayesh_naithani@yahoo.com
Table 2. Locating the sender e-mail address

It can also be found under other sections:

• X-Originating-E-mail
• X-Originating-IP
• X-Sender
• Return-Path

From Jayesh Naithani Fri May 7 00:30:59 2010
X-Apparently-To: jayesh_naithani@yahoo.com via 206.190.38.61; Thu, 06 May 2010 17:30:59 -0700
Return-Path: <jnaithani@gmail.com>
X-Originating-IP: [209.85.211.192]
Table 3. Locating origination IP address

X-headers are inserted by client programs, and are a de facto standard for passing information to other e-mail
handling programs for processing. E-mail headers should always be viewed with caution by investigators as they
can be easily faked [3]. Once the originating IP address is identified, it can be used to determine the owner of the IP
address. Inspection of the server logs obtained may reveal more information about the identity of the person using that
address at the date and time of the e-mail in question.

3.2.2 Routing information


Each of the “Received” lines in the e-mail headers represents one handoff using SMTP between machines.

Received: from 127.0.0.1 (EHLO mail-yw0-f192.google.com) (209.85.211.192)
by mta1083.mail.ac4.yahoo.com with SMTP; Thu, 06 May 2010 17:30:59 -0700
Received: by mail-yw0-f192.google.com with SMTP id 30so368495ywh.10
for <jayesh_naithani@yahoo.com>; Thu, 06 May 2010 17:30:59 -0700 (PDT)
Received: by 10.91.180.3 with SMTP id h3mr193736agp.82.1273192259085; Thu, 06
May 2010 17:30:59 -0700 (PDT)
Received: by 10.90.79.4 with HTTP; Thu, 6 May 2010 17:30:59 -0700 (PDT)
Table 4. Routing chain

Using the bottom-to-top approach, the earliest line from the bottom indicates the mail being received by the
sender’s e-mail server. Subsequent “Received” lines show handoffs from one e-mail host to another. The
topmost or last “Received” line is the handoff to the final e-mail host in the routing chain involved in delivering the
e-mail to the receiver. Here is the format of a typical “Received” record:

Received: from [sending-host’s-name][sending-host’s-address]
by [receiving-host’s-name]
[software-used]
with [protocol][message-id]
for [recipient’s address];[date][time][time-zone-offset]

Together the “Received” lines should form an unbroken chain from the sender’s e-mail host to the receiver’s
e-mail host, and describe the progress of the e-mail from the sender to the receiver. At each point, the host names
should be verified to resolve to their IP addresses. It is also important to examine the logs of all servers in the
received chain as soon as possible to verify the routing information indicated in the headers. Log files do get
removed quickly. The actual computer used to send the information, or to receive the message if using a non-HTTP
e-mail client, may also not get reported in the header [11].
Finally, the routing information added by servers is not under the control of the sender, and cannot be forged.
However, bogus “Received” fields can still be added, and forensic investigators should always be on the lookout for
these towards the lower end of the routing chain.
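
An added example, not part of the original paper: the following Python walks the “Received” lines of Table 4 from the bottom up and flags hops an investigator would want to check against server logs. The five-minute clock tolerance, the flag wording and the function names are assumptions of this example.

```python
import ipaddress
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# "Received" lines copied from Table 4 of this paper; Subject and body are filler.
TABLE4 = """\
Received: from 127.0.0.1 (EHLO mail-yw0-f192.google.com) (209.85.211.192)
 by mta1083.mail.ac4.yahoo.com with SMTP; Thu, 06 May 2010 17:30:59 -0700
Received: by mail-yw0-f192.google.com with SMTP id 30so368495ywh.10
 for <jayesh_naithani@yahoo.com>; Thu, 06 May 2010 17:30:59 -0700 (PDT)
Received: by 10.91.180.3 with SMTP id h3mr193736agp.82.1273192259085; Thu, 06
 May 2010 17:30:59 -0700 (PDT)
Received: by 10.90.79.4 with HTTP; Thu, 6 May 2010 17:30:59 -0700 (PDT)
Subject: Re: How are you?

body
"""

IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
CLAUSES = re.compile(r"(?:from\s+(?P<frm>.*?)\s*)?\bby\s+(?P<by>\S+)")
SKEW = timedelta(minutes=5)  # assumed tolerance for unsynchronised server clocks


def valid_ips(text):
    """Return the syntactically valid IPv4 addresses that appear in text."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # looks like an address but is not one, e.g. a version string
    return found


def parse_received(value):
    """Split one Received header into the fields used for tracing."""
    flat = " ".join(value.split())                     # undo header folding
    clauses, sep, stamp = flat.rpartition(";")
    if not sep:                                        # no date part at all
        clauses, stamp = flat, ""
    stamp = re.sub(r"\([^)]*\)", "", stamp).strip()    # drop "(PDT)" comments
    try:
        when = parsedate_to_datetime(stamp)
        if when.tzinfo is None:                        # "-0000": treat as UTC
            when = when.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        when = None
    m = CLAUSES.match(clauses)
    frm = (m.group("frm") or "") if m else ""
    ips = valid_ips(frm)
    return {
        "from": frm,                                   # text describing the sending host
        "by": m.group("by") if m else None,            # host that added this line
        "peer_ip": ips[-1] if ips else None,           # last address in the from-clause
        "time": when,
    }


def trace(raw_message):
    """Return the hops oldest-first (bottom-up), each with a list of review flags."""
    hops = []
    received = message_from_string(raw_message).get_all("Received") or []
    for value in reversed(received):                   # bottom line = earliest handoff
        hop, prev = parse_received(value), (hops[-1] if hops else None)
        flags = hop["flags"] = []
        if hop["by"] is None or hop["time"] is None:
            flags.append("unparseable Received line")
        if hop["peer_ip"] is not None and hop["peer_ip"].is_private:
            flags.append("non-public peer address (NAT, loopback or internal relay)")
        if prev and prev["time"] and hop["time"] and hop["time"] + SKEW < prev["time"]:
            flags.append("timestamp earlier than the previous hop")
        if prev and prev["by"] and hop["from"] and prev["by"].lower() not in hop["from"].lower():
            flags.append("from-clause does not name the previous 'by' host")
        hops.append(hop)
    return hops


if __name__ == "__main__":
    for n, hop in enumerate(trace(TABLE4), 1):
        print(n, hop["by"], hop["peer_ip"], hop["time"], hop["flags"])
```

A flag is a prompt to pull the corresponding server log, not proof of forgery: legitimate relays often announce a different name from the one the previous host recorded.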

3.3 Examining e-mail message IDs and client side evidence


Message IDs play an important role in tracing e-mail messages.

Date: Thu, 6 May 2010 19:30:59 -0500
Message-ID: <g2la6f154ed1005061730u92701267s468317ee41b6021c@mail.gmail.com>
Subject: Re: How are you?
From: Jayesh Naithani <jnaithani@gmail.com>
To: Jayesh Naithani jayesh_naithani@yahoo.com
Table 5. Message-ID

They help when searching e-mail logs to corroborate if the message was in fact sent via the particular computer,
and can sometimes contain time related and other helpful information about the e-mail. The message-ID is a unique
string assigned by the mail system when the message was created. SMTP servers involved in receiving the message
and passing it along towards its destination also create message IDs (see Table 6).

Received: by mail-yw0-f192.google.com with SMTP id 30so368495ywh.10
for <jayesh_naithani@yahoo.com>; Thu, 06 May 2010 17:30:59 -0700 (PDT)
Table 6. SMTP message ID

Once the e-mail sender’s identity has been confirmed, the Message ID can be a strong piece of evidence to
associate the machine used to send the e-mail to the received e-mail headers. Specialized forensic tools are often
required to find deleted e-mail files on the sender’s computer [3].

3.4 E-mail initiation methods


E-mail can be sent using different methods [9]. Here is a list of some common ones:

• Using SMTP stand-alone client applications such as Microsoft Outlook, IBM Lotus Notes and others.
• Using HTTP (web) based e-mail services such as AOL, Yahoo Mail, Google Mail and others.
• Sending e-mail manually using other applications and scripts.

Tracing e-mail origin can differ depending on initiation methods. With HTTP based e-mail, if the sender and
receiver are using the same web service, no servers are involved in exchanging e-mail outside of the web service. In
such cases, tracing the e-mail becomes a matter of determining the ISP that owns the IP address in the “Received”
section of the e-mail header. If a sender uses a company’s SMTP server then Network Address Translation (NAT),
which enables a corporate network to use one set of IP addresses for internal traffic and another set for external
traffic [5], may likely be used and a non-published IP address could be recorded in e-mail headers [3].
Some factors are shared between initiation methods, such as static and dynamic address policies of ISPs and
corporate networks, the importance of time information in e-mail headers, and the use of tunneling services such as
SSH (Secure Shell) [3, 4]. Other factors differ, such as false headers and use of open relay and open proxy servers
which are more relevant to SMTP based e-mails. All these factors are important when examining e-mail headers to
determine the origin of the e-mail, or when reviewing the e-mail headers for forged information.

3.5 Additional header information


Additional information in headers can reveal more information about the sender. The date information can provide
the sender’s time zone by location [13]. Sometimes information added by e-mail clients can unintentionally reveal
more information about the sender.


X-Facebook: from zuckmail ([MTAuMzAuMTczLjE5OQ==])
by www.facebook.com with HTTP (ZuckMail);
Date: Thu, 22 Apr 2010 07:03:46 -0700
To: Jayesh Naithani <jnaithani@gmail.com>
From: Facebook notification+ysgk5ga@facebookmail.com

$ perl -MMIME::Base64 -le 'print decode_base64("MTAuMzAuMTczLjE5OQ==")'
10.30.173.199
Table 7. Headers added by the Facebook ZuckMail SMTP client

Decoding the information in the above header reveals the IP address of the sender. Facebook has recently
changed this header to only include localhost (127.0.0.1) Base64 encoded, to preserve the anonymity of the sender
[14]. But this is enough to demonstrate that e-mail clients can provide additional clues about the sender’s location
by adding information via e-mail headers, and as a result of features which are typical of the e-mail client.

3.6 Examining e-mail message text


Documents and files attached to e-mails can hold important information about the sender or creator of the e-mail.
Certain software products from Microsoft embed information in documents containing a GUID (Globally Unique
Identifier) which is a unique number that can be used to match the MAC address of the computer used to send the e-
mail, as well as the name and login ID of the creator of the document [3].

4 Advanced e-mail tracing techniques


Often it can be difficult to obtain the network addresses of e-mail offenders from just examining the e-mail header
information. There are several techniques which involve investigating network devices such as routers, residual data
on e-mail servers, and even the use of bait tactics to identify a sender’s IP address.

4.1 Analyzing network logs and residual data on servers


Network administrators and ISPs maintain router logs for inbound and outbound traffic. An e-mail server maintains
logs for recording the e-mail it processes [6]. These logs help identify the e-mail messages an account received, the
IP address from which they were sent, the time and date the e-mail server received them, when the client computer
was used to access the e-mail, and the e-mail contents [2].
ISP servers tend not to keep log data for long periods of time. Also some e-mail servers maintain circular logs,
and information in them gets overwritten periodically. It is important for an investigator to contact e-mail and
network administrators of the e-mail sender’s network as soon as possible once they have identified the source of the
e-mail.

4.2 Using bait tactics


If the e-mail address of the sender appears to be genuine, forensic investigators can use bait tactics by sending an
e-mail to the sender containing the following:

• An http “<img src>” tag where the source of the picture is placed on an http server. When the receiver opens
the message, an entry containing the IP address of the receiver’s machine is logged on the http server
holding the image. This helps track down the sender and validate the ownership of the e-mail address.
However, this technique may not always work as some browsers and e-mail clients block the downloading
of images [3].
• If the sender is using an open proxy server that makes it difficult to track them down, then forensic
investigators can try sending e-mails with an embedded Java Applet or Active X control that extracts the
receiver’s IP address and other information from their machine and sends it back to the investigator [2].

5 Difficulties in tracing e-mail


E-mail offenders and cyber criminals are using different methods to hide or forge their identities. Among other
things, spoofing or forging of e-mail headers, bot networks, tunneling, open proxies, open mail relays, and
untraceable Internet connections are used to conceal a sender’s identity.


5.1 Spoofing
Spoofing is the process where a sender inserts fake headers into the e-mail address to hide the network address of
their computer. For example, a sender can insert fake “From” and “Reply-To” headers into the e-mail [7]. When
performing an analysis of e-mail headers it is important to keep in mind that these headers can be forged.
The X-Originating-IP field can assist in the identification of the computer used to send the e-mail messages.
This field may not always be included, however. If present, this field should match the address in the bottom
“Received” message line. If not, then it may indicate that some of the header information has been forged.
Once a sender’s IP address has been identified, there are several resources such as http://samspade.org that can
be used to identify the owner of the message.

5.2 Bot networks


A bot network is a set of machines that have been compromised by a sender using bot software sent over the
Internet. The owners of the machines have no idea that their machines have been penetrated. The “botnet” is then
controlled remotely by the sender in sending the e-mail [7]. Thus the e-mail ends up getting traced to an innocent
individual’s network address. A botnet is a favorite tool for spammers.
A sender can remotely penetrate a vulnerable third-party computer as well and use it for sending e-mails. The use
of zombie and Trojan horse programs on these computers is one example of how a sender can further obscure
their identity.

5.3 Static vs. Dynamic IP addresses


The difficulty in determining the sender and source of an e-mail may sometimes depend on the IP address policy of
the ISPs and corporate e-mail servers [3]. The IP address of the sender’s e-mail host or sender’s computer could be
either static or dynamic. A static IP address is much easier to track. When the IP address is dynamic, other methods
using time and date information within the e-mail along with information on the sender’s e-mail server may be
required to tie the e-mail to its source.

5.4 Network time sync


If the ISP or corporate e-mail server’s time is not perfectly synced to network time, it can complicate the task of
determining the sender of the e-mail [3]. Time has important value in a court of law. Time sync can become
essential for all servers involved in tracing an e-mail, and crucial to proving cases in court.
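
An added example (not from the original paper) tying together sections 2.4, 5.3 and 5.4: a header timestamp is matched against DHCP lease records for a dynamic address, and a clock that may be a few minutes off turns a unique match into an ambiguous one. The lease records, their field layout, the addresses and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed DHCP lease records (not from the paper): IP, MAC, lease start, lease end, in UTC.
LEASES = [
    ("198.51.100.23", "00:16:3e:aa:01:01", "2010-05-06 16:28:00", "2010-05-07 00:28:00"),
    ("198.51.100.23", "00:16:3e:bb:02:02", "2010-05-07 00:29:00", "2010-05-07 08:29:00"),
    ("198.51.100.77", "00:16:3e:cc:03:03", "2010-05-06 22:00:00", "2010-05-07 06:00:00"),
]
FMT = "%Y-%m-%d %H:%M:%S"


def to_utc(header_date):
    """Convert an RFC 822 date from a header to an aware UTC datetime."""
    when = parsedate_to_datetime(header_date)
    if when.tzinfo is None:            # "-0000" means the zone is unknown; assume UTC
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def lease_holders(ip, header_date, leases, skew):
    """Return the MACs that held `ip` at the header time, give or take `skew`."""
    t = to_utc(header_date)
    lo, hi = t - skew, t + skew
    holders = []
    for lease_ip, mac, start, end in leases:
        s = datetime.strptime(start, FMT).replace(tzinfo=timezone.utc)
        e = datetime.strptime(end, FMT).replace(tzinfo=timezone.utc)
        if lease_ip == ip and s <= hi and e >= lo:     # lease overlaps the window
            holders.append(mac)
    return holders


def attribute(ip, header_date, leases, skew=timedelta(0)):
    """Classify the result: one holder, several (ambiguous), or none."""
    holders = lease_holders(ip, header_date, leases, skew)
    verdict = {0: "no lease found", 1: "unique"}.get(len(holders), "ambiguous")
    return verdict, holders


if __name__ == "__main__":
    stamp = "Thu, 06 May 2010 17:30:59 -0700"          # same timestamp format as Table 4
    for minutes in (0, 5):
        print(minutes, attribute("198.51.100.23", stamp, LEASES, timedelta(minutes=minutes)))
```

With synchronised clocks the timestamp falls inside a single lease; allowing five minutes of drift brings the previous lease holder into the window as well, which is why the skew of each server has to be measured and recorded.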

5.5 Tunneling
Tunneling can be used by e-mail senders to evade being traced by law enforcement [3]. SSH tunneling is one
approach used by home users. When tunneling is used, only the IP address of the tunneling server shows up in the
“Received” section of e-mail headers. Also, the use of the SSH server used for tunneling may not be logged. In
addition, there may be a number of users logged onto the same server using SSH at the time the e-mail was sent, and
this makes it hard to prove the identity of the sender in court. All this makes tracing the source of a tunneled e-mail
quite complex.

5.6 Open proxies and anonymous services


An open proxy is a server that is accessible by any Internet user and allows them to connect their computers to it and
use it as a forwarding service [1]. An open proxy can then be used to hide network addresses. When using web-
based email services the senders can add another layer of indirection by using a web-based anonymizing service [4].
Accessing the e-mail service via this service will insert the IP address of the proxy server. Even further obscurity
can be introduced by accessing other such servers as well.

5.7 Open relays


E-mails that are sent over the Internet pass through a number of gateways on their way from a sender’s computer to
a receiver [1]. These gateways are also called mail relays, and an open mail relay is one that has been
misconfigured to accept mail from any computer on the Internet. This helps the sender conceal their identity, as it appears
that the e-mail is being sent from the open relay and not by the actual sender. Open relays can then be used with
open proxies to hide the source and identity of the e-mail sender.


5.8 Untraceable Internet connections


A sender can additionally hide their identity by accessing the Internet from Internet cafes, university and public
computer labs, and stolen 3G cards [2]. Even if the network address of the computer can be identified, it may not be
enough to connect it with the identity of the sender.

5.9 Other factors


There are certain cases when e-mail administrators are not willing to turn over records and files because of various
other reasons. Pedophilia and terrorism cases will usually get high attention and a greater level of cooperation.
Harassment and threat e-mails are not responded to as quickly and sometimes not at all. Court orders requesting
data to be made available sometimes may not apply to that jurisdiction because of geographical boundaries. All
these factors further increase the difficulty of tracing e-mail messages and of properly identifying the
e-mail senders.

6 Conclusion
Tracing e-mail messages is a large and complex topic. This paper briefly describes the basic method for tracing e-
mail messages and determining the identity of the sender using header information, server network logs, and
message text.
E-mail messages consist of a header and body, and optionally attachments. The e-mail header contains the
information a forensic investigator needs to track the origin of the message. E-mail logs and server information can
be used to additionally track the source of e-mail messages.
Finally, the paper outlines a few of the common challenges facing any forensic investigator when attempting to
identify the source and identity of the e-mail and sender. Senders can forge header information and make use of
insecure computers, open relay hosts and proxies, and untraceable Internet connections to hide their source and
identity. In such cases, a message can only be traced back to the point where the forgery begins, or when further
routing information is untrustworthy and sometimes unavailable.

References
1. Qi, M., Edgar-Nevill, D., Wang, Y., and Xu, R. 2008. Tracking online trails. Int. J. Electron. Secur. Digit.
Forensic 1, 4 (Nov. 2008), 353-361.
2. Ickin Vural, HS Venter. Investigating Identity Concealing and Email Tracing Techniques.
3. Al-Zarouni Marwan. 2004. Tracing E-mail Headers. We-B Centre & Edith Cowan University.
4. Akin, T. 2003. Webmail Forensics. Retrieved 12/5/2004, from
http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/bh-usa-03/bh-us-03-akin.pdf
5. http://www.wikipedia.com
6. Bill Nelson, Amelia Phillips, and Christopher Steuart. 2010. Guide to Computer Forensics and
Investigations, Fourth Edition.
7. Boneh, Dan. 2004. The Difficulties of Tracing Spam Email. Department of Computer Science Stanford
University.
8. Jones, H. 2001. Removing the Mystery from E-mail Tracing. Retrieved 6/5/2004, from
http://ncfs.ucf.edu/Email%20Tracing2.ppt
9. Venit, A. J. 2000. The Key to Unlocking E-Mail Headers. Retrieved 6/5/2004, from
http://ncfs.ucf.edu/email%20tracing%20SA%20Venit.ppt
10. Rick’s Spam Digest, http://www.rickconner.net/spamweb/anatomy.html
11. Thomas J. E. Schwarz, S.J. 2006. Email Fundamentals.
http://www.cse.scu.edu/~tschwarz/COEN252_06/Lectures/emailTracing.html
12. Thomas J. E. Schwarz, S.J. 2006. Email and Internet Investigations.
http://www.cse.scu.edu/~tschwarz/COEN252_06/Lectures/Email%20Investigation.html
13. Donald Cheung, 2010. SEIS722 Email Tracing Lecture Notes.
14. Chester Wisniewski’s Blog,
http://www.sophos.com/blogs/chetw/g/2010/05/08/facebook-notifications-leak-ip-addresses
