

Sending Hotmail from South Korea – would it take a particular route?

Posted on 2014-02-24
Medium Priority
Last Modified: 2014-04-03
We have a legal case, where we are trying to prove an email sent and the email account it was set up from, was set up and used for fraudulent purposes.

The email account is a Hotmail.co.uk email account, however the owner of the account is supposed to reside in South Korea and therefore any emails sent from it, should have originated from a web browser in South Korea.

In practice, we highly suspect they were actually sent from a web browser in the UK. The problem with webmail is that the headers show the email originates from servers in the US. This is understandable as Hotmail is a US service.

My questions:

1)      Is there any chance that emails sent from Hotmail, but based in South Korea, are always routed in a certain way? For example, if emails from a web browser in South Korea are always stamped and routed through some particular route, then the absence of this may be evidence it was not sent from South Korea.

2)      Do we think that Microsoft would retain information such as, what country the browser used was in? Therefore in the case of a court order we could obtain this information?

3)      Anything else anyone can think of that might help us in this case?
Question by:afflik1923
LVL 14

Accepted Solution

frankhelk earned 1336 total points
ID: 39882916
That's quite complicated.

The message is (basically) sent from the browser to the server as "HTTP POST" of form data. On the server it is converted to the proper mail file format by a script and shoved into some mail server for delivery. In that case the server with the script is the originating server (or maybe the first receiving server).

From what you have disclosed, it is fully logical that the mail message itself shows an originating server in the US ... due to the fact that the MS server farms who do Hotmail presumably are located in the US.

If there is no more information in the lesser looked on header lines, the only party that could shed light on that is Microsoft - maybe they keep the logs long enough to help you out of your misery. Since you have a legal case, try to contact MS and ask to save a copy of the questionable part of the logs (if they still exist ... I don't know how long they keep 'em). Afterwards you have enough time to get a court order that allows MS to disclose the info. That might be (euphemism ahead) "somewhat complicated" due to the international character of the problem. So it might be helpful to have a US dependance of your company.

I think MS is (like an ISP) bound by law to keep the logs for some time and keep copies longer if you ask them to do so for a legal case with possible criminal intent. But they couldn't disclose them without court order due to civil rights (privacy) reasons.

(Addition: The mentioned logs show the originating IP address - with some legal effort that could be traced back to the person that had it at a given point in time. More easily it could be located within a country, possibly down to a city. These addresses are usually pooled, and with some logs from the provider it may be locked down to a person. The address ranges usually are locked to a dedicated access point that manages DSL lines or phone dial in ports i.e. in a city, or a part of it.)
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 664 total points
ID: 39882963
I agree with @frankhelk.  Of course your first problem is showing that fraud was intended and committed.  Lots of people have extra email addresses (I have over 20) for all kinds of reasons that do not include fraud.  The answer to #1 is simply no, routing is determined by the paths available and though there is probably a most common path, it is not necessarily fixed.  And #2, only Microsoft knows.

Have you done a search for the use of that email address on the web?

Author Comment

ID: 39882986
OK good points. And I did try and Google the email address in comments "email@email.co.uk" and there were no results.

Generally not looking good, but open to any more suggestions.
LVL 14

Assisted Solution

frankhelk earned 1336 total points
ID: 39885040
At first I would try to contact Hotmail admin and describe the problem. Give all necessary info (i.e. the complete email header). See what happens. Don't hesitate, because logs won't stay forever on the hotmail servers.

Try to get the sender's IP address from them. Trace that down to a country and possibly region info (that's easy). That would help in the first place to say "from South Korea or from (...)".

Contact the ISP that owns the IP-address along with the time of use. That would possibly lead to the person who did send the email, but may end in an internet café etc.
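
An added example, not part of the answers above: a header triage that walks the `Received` chain oldest hop first and looks for a client-address header, to show why a webmail message's chain starts at the provider's servers rather than at the browser. The sample message is constructed, and `X-Originating-IP` is a non-standard header that some webmail systems add; whether the messages in this case carry it is an assumption.

```python
import email
import ipaddress
import re

# Constructed sample; host names are made up and all public-looking
# addresses come from the reserved documentation ranges.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.25])
 by inbox.recipient.example with ESMTP; Mon, 24 Feb 2014 10:00:05 +0000
Received: from webmail-out.provider.example ([203.0.113.7])
 by mx.recipient.example with ESMTP; Mon, 24 Feb 2014 10:00:03 +0000
Received: from frontend01 ([10.1.2.3])
 by webmail-out.provider.example with HTTP; Mon, 24 Feb 2014 10:00:01 +0000
X-Originating-IP: [192.0.2.44]
From: sender@provider.example
To: someone@recipient.example
Subject: constructed example

body
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the provider stamps the browser's address in this header.
HINT_HEADERS = ("X-Originating-IP",)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _ip(text):
    m = IP_RE.search(text or "")
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:          # e.g. [999.1.1.1]
        return None

def triage(raw):
    """Return the hop chain (oldest first) and any client-address hints."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its Received line, so the last one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        ip = _ip(flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append({"ip": ip, "by": by.group(1) if by else None,
                     "internal": ip is not None and any(ip in n for n in RFC1918)})
    hints = {h: _ip(msg[h]) for h in HINT_HEADERS if msg[h]}
    external = [h["ip"] for h in hops if h["ip"] and not h["internal"]]
    return {"hops": hops, "hints": hints,
            "first_external": external[0] if external else None,
            # Without a hint header, only the provider's logs hold the client IP.
            "needs_provider_logs": not any(hints.values())}
```

On the sample, the first routable address in the chain belongs to the provider's outbound server; only the hint header carries a candidate client address, and when it is absent `needs_provider_logs` is true.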

Author Closing Comment

ID: 39975076
Thanks for the input on this one.


Question has a verified solution.
