can email be tracked through MAC?
satishtech
Member Posts: 243
in Security+
If an anonymous email is received, can this be traced back by using MAC and ISP server logs?
Comments
markulous Member Posts: 2,394
I suppose it would depend on the client/server and whether layer 2 info is carried in the email header.
beads Member Posts: 1,533
Theoretically, if you were to have every piece of equipment in the capable of logging each packet associated with the entire email, resulting in vast amounts of data to parse. So, no, not from a practical sense. MAC addresses aren't usually logged into SYSLOG.
- b/eads
netstat Member Posts: 65
Not possible. The MAC address of a (device's) interface is lost when packets are routed. The IP address of the interface is not lost, however. The MAC address seen in a routed packet is always the MAC of the device which is on the local LAN of the device you received the packet on. The IP address seen in a routed packet is the source of the packet (excluding NAT etc.).
Inspecting the IP header of an email, however, you will see the public IP address of the Mail Transfer Agent that sent the email and possibly the private address of the Mail Transfer Agent and/or the private IP address of the email client that actually sent that email.
Therefore, to answer your question, using the public IP address seen in the header of the email, you can determine from where the email / MTA originated. When using cloud services, however, this becomes a bit more difficult as the MTA is in the cloud!
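One concrete form of the header inspection netstat describes, as an added example that is not code from the thread: walk the Received headers of a constructed message from the earliest hop upward and pull out the first public IP, skipping the bracketed LAN address next to it because, as the post says, that address means nothing outside the network that assigned it. The message, hostnames and addresses are all constructed.

```python
import email
import ipaddress
import re

# Constructed sample message (not from the page). Received headers are read
# top-down, newest hop first, so the bottom one is the first hop the sender hit.
RAW_MESSAGE = """\
Received: from mx.agency.example (mx.agency.example [203.0.113.10])
\tby inbound.agency.example with ESMTPS; Mon, 03 Apr 2017 14:05:22 +0000
Received: from mail-out.webmail.example (mail-out.webmail.example [198.51.100.25])
\tby mx.agency.example with ESMTPS; Mon, 03 Apr 2017 14:05:20 +0000
Received: from [10.0.0.5] (cafe-nat.isp.example [192.0.2.77])
\tby mail-out.webmail.example with ESMTPSA; Mon, 03 Apr 2017 14:05:18 +0000
From: anon@webmail.example
To: tips@agency.example
Subject: test

body
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Addresses that only mean something inside the LAN that assigned them.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

def is_public(ip):
    return not any(ip in net for net in NON_PUBLIC)

def received_hops(raw):
    """IPs found in each Received header, earliest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        ips = []
        for text in IP_RE.findall(hdr):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an IP
                pass
        hops.append(ips)
    return hops

def originating_public_ip(raw):
    """First public address on the earliest hop: where the submitting client
    appeared from after NAT. Only the Received lines added by MTAs you trust
    are reliable; a sender can forge any that sit below them."""
    for ips in received_hops(raw):
        for ip in ips:
            if is_public(ip):
                return str(ip)
    return None
```

The returned address identifies the NAT gateway the client sat behind, which is exactly as far as the IP alone takes you.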
volfkhat Member Posts: 1,075
I have to partly disagree with the responses here.
With ONLY a MAC address.... No, it's Not possible.
(but that NEVER happens in real life. there's always more records)
You also stated "ISP server logs".
So, the Answer is YES, definitely a possibility.
Netstat is the closest to the mark:
"The mac address of a (device's) interface is lost when packets are routed.
The IP address of the interface is not lost however."
--
So what does this mean? Well, Consider this scenario:
Suppose that I SENT a very Threatening Email (aka, Bomb threat) to some agency, etc.
And suppose I did it from the public wifi at Starbucks.
The Agency can Definitely trace the email back to the StarBucks. (Gmail, Yahoo, Hotmail will have handed over their records to allow this). But that's as far as they can go based on the IP.
However, if StarBuck's infrastructure is saving their logs/records (probably), then My email can be tracked back to the SWITCH that it originated from. And once they know the Switch... they know my MAC Address.
But from here, the trail goes COLD.
UNLESS...
assume that 2 months BEFORE sending that email.... I decided to check my Facebook (or gmail, or Any personal account) on their wifi from the same device. Well, the Logs will have archived this traffic with my MAC address.
Suddenly, the trail picks up again.
Long story short,
With enough manpower & resources, the authorities can show up at My door looking for The device with that specific MAC address.
my 2 cents..
YFZblu Member Posts: 1,462
"However, if StarBuck's infrastructure is saving their logs/records (probably),"
...you'd be surprised.
"assume that 2 months BEFORE sending that email.... I decided to check my Facebook (or gmail, or Any personal account) on their wifi from the same device."
Now we're not only assuming that Starbucks keeps "logs", but that they keep ALL of them for a period of months. Again, you'd be surprised..
"Well, the Logs will have archived this traffic with my MAC address. Suddenly, the trail picks up again."
So now they keep all network logs for a period of months, AND they're logging with a device performing packet inspection which would make HTTP traffic identifiable. Or perhaps they're just funneling everyone through an HTTP proxy and keeping those logs. Otherwise, we'd just be looking at some device connecting to Facebook's CDN's IP address. Furthermore, these logs would need to be centralized and searchable in the sense that layer 2 logs can be correlated with other traffic at the same time. Centralized, because I'm assuming they don't have TBs of log storage sitting next to the Frappuccino machine. Now, I haven't used Facebook in quite some time; but my understanding is that for the most part, they use SSL when possible. So we have all this wonderful logging, and it's a bunch of HTTPS requests which we can't peer into. Starbucks could enter into the sticky situation of breaking SSL for logging purposes, but that's likely not worth it.
"With enough manpower & resources, the authorities can show up at My door looking for The device with that specific MAC address."
This is 100% accurate. The thing is, most orgs don't put 'enough' in place. For one of two (or both) reasons:
1. They don't know what they don't know
2. Money
That being said, a company like Starbucks is a huge conglomerate. If anyone could have the monitoring necessary to do the job, they could. But over time I have learned not to give organizations the benefit of the doubt in that regard. If real and comprehensive monitoring was in place, that would be a treasure trove of data related to various areas of technology - which could then further be monetized into large sums of money. It would be an interesting endeavor for sure.
volfkhat Member Posts: 1,075
YFZblu,
You make a valid point regarding the likelihood of Starbucks logging anything.
For all we know, they have an unmanaged, off-the-shelf Linksys-router sitting in the back room :]
I'm not sure what to think.... but An agency would definitely need a lot of Cooperation:
They go to Yahoo/Gmail/M$ to trace the email to the originating IP.
They go to the ISP that owns the IP address to get the physical address.
They show up at Starbucks and HOPE it's not a $29 rinky-dink wireless router.
lol
But then again... the original poster stated that he knows the MAC address, right?
So... i guess my MAC was pulled from a log.... running on legitimate hardware... at a remote StarBucks datacenter?? (hypothetically speaking, of course)
I'm not Exactly Sure How SSL works...
but i believe it Only protects the Content of the email. SSL would Not MASK the Layer3-IP-headers of the Email(?).
Thus, the StarBucks' Router (doing the NAT) would still Log the "Internal IP" along with the "Destination IP" when my bomb-threat-email passed through.
So... the Agency only needs the date/time the Email was sent (which they already have). Then they crosscheck the StarBucks NAT-Log for All Traffic that was going to Yahoo/Goog/M$ (within the timeframe). Thus, No SSL-breaking is required.
But How Busy was StarBucks that day?
How many people were on Starbuck's WiFi checking their Email at the "Exact Moment" that i sent the Bomb-threat email?
50 people? 30 people?
Obviously, it can be any number you like... but i think it would probably be a small number of devices.
So I GUESS, it Really All comes down to your point:
Did StarBUCKS have their infrastructure configured to track/log MAC-addresses when i sent the bomb-threat over their WIFI?
Well, here are 2 headlines that might provide insight:
How tracking customers in-store will soon be the norm | Technology | The Guardian
Indoor Location Technology Uses Wi-Fi to Track Shoppers | MIT Technology Review
Slight Tangent:
Companies provide "FREE WiFi" so that they can PULL as much uniquely-identifiable-Data off your phone/laptop as possible. This allows them to know how many Times you came to Starbucks this WEEK/MONTH/YEAR/Whatever. What better way to accomplish this than by tracking my MAC address? (No App Required!)
[End_Tangent]
So... if StarBucks Does have such a log; then it consists of a small # of MAC addresses from that time-frame (one of them being mine).
The Agency will then check this log as far back as they can (looking for more activity with the MACs on the list).
Eventually they Notice that, 2 months prior, one of the MACs, went on facebook for 10 minutes or so.
From here, it gets ugly:
The Agency goes to Facebook, and asks for the Names of the Accounts that were being accessed from the IP Address of the StarBucks on that Date & Time, 2 months prior.
Not a smoking gun..... but NOT a good situation for me.
The Agency is quickly building a list: matching MAC addresses with NAMES (via Facebook, etc).
And who did i send that bomb-threat-email to anyway?? A Current Employer? Former employer??
Now the Agency is Crosschecking that List of Names with the Employer's list of employees.
Checkmate....
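The time-window crosscheck volfkhat describes, as an added example that is not code from the thread, run from the investigator's side over constructed NAT and DHCP logs: take the submission time from the email's Received header, list the internal IPs that had a translation to the webmail provider's address range in that window (TLS hides the content but not this translation record), then use the lease table to turn each IP into the MAC that held it at that moment. The log formats, the provider range and every address and MAC are assumptions made up for this example.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed NAT translation log (not from the page):
# time, internal IP, NAT public IP, destination IP:port
NAT_LOG = """\
2017-04-03T14:04:50Z 10.0.0.5 192.0.2.77 198.51.100.25:443
2017-04-03T14:05:01Z 10.0.0.9 192.0.2.77 198.51.100.30:443
2017-04-03T14:05:17Z 10.0.0.5 192.0.2.77 198.51.100.25:443
2017-04-03T14:05:30Z 10.0.0.12 192.0.2.77 203.0.113.8:443
2017-04-03T14:20:00Z 10.0.0.12 192.0.2.77 198.51.100.25:443
"""
# Constructed DHCP lease table: lease start, lease end, internal IP, MAC
DHCP_LEASES = """\
2017-04-03T13:30:00Z 2017-04-03T15:30:00Z 10.0.0.5 aa:bb:cc:00:00:01
2017-04-03T13:55:00Z 2017-04-03T15:55:00Z 10.0.0.9 aa:bb:cc:00:00:02
2017-04-03T10:00:00Z 2017-04-03T12:00:00Z 10.0.0.5 aa:bb:cc:00:00:03
2017-04-03T14:00:00Z 2017-04-03T16:00:00Z 10.0.0.12 aa:bb:cc:00:00:04
"""
# Assumed address range of the webmail provider seen in the Received header.
WEBMAIL_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def internal_ips_talking_to(nat_log, sent_at, window):
    """Internal IPs with a translation to the provider within +/- window."""
    lo, hi = sent_at - window, sent_at + window
    hits = set()
    for line in nat_log.splitlines():
        ts, src, _nat_ip, dst = line.split()
        dst_ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
        if lo <= parse_ts(ts) <= hi and any(dst_ip in n for n in WEBMAIL_NETS):
            hits.add(src)
    return hits

def mac_for(dhcp_leases, ip, at):
    """MAC holding `ip` at time `at`. The same IP is reused across leases,
    so the timestamp is what makes the layer-3 to layer-2 step valid."""
    for line in dhcp_leases.splitlines():
        start, end, lease_ip, mac = line.split()
        if lease_ip == ip and parse_ts(start) <= at <= parse_ts(end):
            return mac
    return None

def candidate_macs(nat_log, dhcp_leases, sent_at, window=timedelta(minutes=2)):
    """Sorted MACs that could have submitted the message; the length of this
    list is the 'how busy was the shop that day' question."""
    ips = internal_ips_talking_to(nat_log, sent_at, window)
    return sorted(m for m in (mac_for(dhcp_leases, ip, sent_at) for ip in ips) if m)
```

Everything here depends on the operator having kept both logs with synchronised clocks for the whole period, which is the point YFZblu makes above.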
veritas_libertas Member Posts: 5,746
This is also assuming that the suspect didn't change his MAC address. It's easy to do.