PathMaker Group

"Our female employees were being tormented by hostile, illicit emails coming to their company email accounts from an unknown person on the "Internet". We had a suspicion that an employee we fired may be doing this because the emails referenced office politics that outsiders wouldn't be aware of. PathMaker Group provided the material evidence we needed to obtain a restraining order."

  SVP of Human Resources, large advertising firm

Email Attack / Hate Mail Response

Many people who use Yahoo, AOL, Gmail, Hotmail, or any of a multitude of other email services think that their true identity and location are anonymous. Hidden behind this cloak of anonymity, they sometimes lash out at an employer, political adversary, high school rival, difficult boss, ex-girlfriend or ex-boyfriend, and so on. These people are very surprised when we trace them within a very short time to their service provider and location. Assuming the email is of a threatening or illegal nature, it is not difficult to initiate an enquiry leading directly to the person involved for appropriate action by the authorities.

1. Tracing an email address:

All we need is the actual email message or access to the server that received the message. We've even been able to identify the source based on the email address alone. However, it should be noted that email addresses can be easily forged, so the results from tracing an email address may not be related to the true sender. We can, however, send a special forensic email to the address, which will reveal where it was opened and details of the IP address of the computer of the person reading the message, along with other revealing, potentially useful data.

2. Email Internet Headers:

The key to tracing is our knowledge that every received email carries Internet Headers, together with an understanding of how these work at a very technical level. We analyze these headers very closely in order to identify the exact source.

3. 'Received' Headers:

One of the most important header fields is the Received header field, which usually has a syntax similar to:

Received: from ******** by ******* via ******** with ******** id ******** for ******* ; date-time

Every time an email moves through a new mail server, a new Received header line is added. This is similar to FedEx package tracking: whenever your package enters a new sorting facility, it is 'swiped' through a tracking machine and a record of that transfer is kept.

In most cases, we can identify the IP address of the sender's computer, the sender's geographical location, and the company providing Internet service (the ISP) for the IP address. Reports of email abuse (such as spam, email-borne viruses and email threats) can then be directed to the sender's ISP, which is easy to pin down once we have the actual IP address.
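
The following Python example is added here for illustration and is not PathMaker Group's tooling: it reads the Received chain of a message oldest hop first and pulls out the bracketed IP addresses each server recorded. It goes one step beyond the text by separating the address recorded by the recipient's own mail server from addresses that appear only in upstream lines, which a sender can forge; the sample message is constructed and `trusted_suffix` is a hypothetical parameter naming the recipient's own mail domain.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message: example domains and documentation-range IPs.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [198.51.100.25])\n"
    "\tby mail.corp.example (Postfix) with ESMTPS id 4F2A91\n"
    "\tfor <hr@corp.example>; Tue, 04 Mar 2025 10:15:09 -0600\n"
    "Received: from [192.168.1.20] (unknown [203.0.113.77])\n"
    "\tby mx.example.net (Postfix) with ESMTPSA id 9C01B2\n"
    "\tfor <hr@corp.example>; Tue, 04 Mar 2025 10:15:07 -0600\n"
    "From: someone@example.net\nTo: hr@corp.example\n"
    "Subject: constructed sample\n\nbody\n"
)
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_routable(ip):
    try:
        return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)
    except ValueError:  # malformed octets such as 999.1.1.1 in a forged line
        return False

def parse_hops(raw):
    """Return one dict per Received header, oldest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())      # unfold continuation lines
        clauses = text.rsplit(";", 1)[0]    # drop the trailing date-time
        frm = re.search(r"\bfrom (\S+)", clauses)
        by = re.search(r"\bby (\S+)", clauses)
        ips = [ip for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clauses) if is_routable(ip)]
        hops.append({"from": frm and frm.group(1), "by": by and by.group(1), "ips": ips})
    return hops[::-1]  # each server prepends its line, so the last header is the oldest

def trace(raw, trusted_suffix):
    """Separate the IP our own server recorded from the IP upstream lines claim."""
    hops = parse_hops(raw)
    ours = [h for h in hops if (h["by"] or "").endswith(trusted_suffix)]
    upstream = [h for h in hops if h not in ours and h["ips"]]
    return {
        "verified_ip": ours[0]["ips"][0] if ours and ours[0]["ips"] else None,
        "claimed_origin_ip": upstream[0]["ips"][0] if upstream else None,
    }

if __name__ == "__main__":
    print(trace(SAMPLE, "corp.example"))
```

Only `verified_ip` was written by a server the recipient controls; `claimed_origin_ip` is a lead to corroborate with the upstream provider's own logs before it is treated as evidence.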

Internet Headers for an email message sometimes contain some really interesting information about the sender. Of course, we won't know this until we start looking into the specific case, but this is a guide to what sometimes presents itself.

PathMaker Group's certified investigators have traced hundreds of emails back to their original source for many concerned clients, and we can do this for you.

For more information on our incident response services, please contact PathMaker Group at 817-704-3644.