Solved

Sending Hotmail from South Korea – would it take a particular route?

Posted on 2014-02-24
Last Modified: 2014-04-03
We have a legal case where we are trying to prove that an email that was sent, and the email account it was sent from, were set up and used for fraudulent purposes.

The email account is a Hotmail.co.uk email account; however, the owner of the account is supposed to reside in South Korea, and therefore any emails sent from it should have originated from a web browser in South Korea.

In practice, we highly suspect they were actually sent from a web browser in the UK. The problem with webmail is that the headers show the email originating from servers in the US. This is understandable, as Hotmail is a US service.

My questions:

1)      Is there any chance that emails sent from Hotmail, but from South Korea, are always routed in a certain way? For example, if emails from a web browser in South Korea are always stamped and routed through some particular route, then the absence of this may be evidence it was not sent from South Korea.

2)      Do we think that Microsoft would retain information such as what country the browser used was in, so that in the case of a court order we could obtain this information?

3)      Anything else anyone can think of that might help us in this case?
Question by:afflik1923
 
LVL 13

Accepted Solution

by:
frankhelk earned 334 total points
ID: 39882916
That's quite complicated.

The message is (basically) sent from the browser to the server as "HTTP POST" of form data. On the server it is converted to the proper mail file format by a script and shoved into some mail server for delivery. In that case the server with the script is the originating server (or maybe the first receiving server).

From what you have disclosed, it is fully logical that the mail message itself shows an originating server in the US ... due to the fact that the MS server farms who do Hotmail presumably are located in the US.

If there is no more information in the less-looked-at header lines, the only party that could shed light on that is Microsoft - maybe they keep the logs long enough to help you out of your misery. Since you have a legal case, try to contact MS and ask them to save a copy of the questionable part of the logs (if they still exist ... I don't know how long they keep 'em). Afterwards you have enough time to get a court order that allows MS to disclose the info. That might be (euphemism ahead) "somewhat complicated" due to the international character of the problem. So it might be helpful to have a US branch of your company.

I think MS is (like an ISP) bound by law to keep the logs for some time and keep copies longer if you ask them to do so for a legal case with possible criminal intent. But they couldn't disclose them without court order due to civil rights (privacy) reasons.

(Addition: The mentioned logs show the originating IP address - with some legal effort that could be traced back to the person who had it at a given point in time. More easily, it could be located within a country, possibly down to a city. These addresses are usually pooled, and with some logs from the provider it may be locked down to a person. The address ranges usually are locked to a dedicated access point that manages DSL lines or phone dial-in ports, i.e. in a city, or a part of it.)
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 166 total points
ID: 39882963
I agree with @frankhelk.  Of course your first problem is showing that fraud was intended and committed.  Lots of people have extra email addresses (I have over 20) for all kinds of reasons that do not include fraud.  The answer to #1 is simply no, routing is determined by the paths available and though there is probably a most common path, it is not necessarily fixed.  And #2, only Microsoft knows.

Have you done a search for the use of that email address on the web?
 

Author Comment

by:afflik1923
ID: 39882986
OK, good points. And I did try Googling the email address in quotation marks, "email@email.co.uk", and there were no results.

Generally not looking good, but open to any more suggestions.
 
LVL 13

Assisted Solution

by:frankhelk
frankhelk earned 334 total points
ID: 39885040
First, I would try to contact the Hotmail admins and describe the problem. Give all necessary info (i.e. the complete email header). See what happens. Don't hesitate, because logs won't stay forever on the Hotmail servers.

Try to get the sender's IP address from them. Trace that down to a country and possibly region info (that's easy). That would help in the first place to say "from South Korea or from (...)".

Contact the ISP that owns the IP address, along with the time of use. That would possibly lead to the person who sent the email, but may end in an internet café etc.
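The two answers by frankhelk make two points worth seeing in practice: the mail is assembled on the provider's web server, so the first routable hop in the Received chain is the provider's own MTA rather than the browser; and whatever client IP you do obtain then has to be mapped to a country. The script below is an added example, not code from this thread or from Microsoft. It walks the Received headers earliest-first, prefers a provider-stamped client header if one is present (X-Originating-IP here, which is an assumption; whether a webmail provider stamps one at all is provider-specific), skips non-routable hops, and compares the result with the country the sender claims. The message, hostnames, IPs (RFC 5737 documentation ranges) and the country table are all constructed; a real investigation would use a GeoIP database or RIR whois data in place of the table.

```python
"""Find the best candidate for a sender's client IP in a delivered message.
Added example; sample message and geo table are constructed."""
import email
import ipaddress
import re
from email import policy

# Constructed sample of a webmail submission after delivery. Assumption: the
# provider stamps the browser's IP in X-Originating-IP (provider-specific).
SAMPLE_RAW = (
    "Received: from mail.example.net (mail.example.net [203.0.113.10])\n"
    "\tby mx.recipient.example (Postfix) with ESMTPS id ABC123\n"
    "\tfor <victim@recipient.example>; Mon, 24 Feb 2014 10:15:02 +0000\n"
    "Received: from webfront.example.net ([10.20.30.40])\n"
    "\tby mail.example.net with SMTP; Mon, 24 Feb 2014 10:15:01 +0000\n"
    "X-Originating-IP: [198.51.100.77]\n"
    "From: someone@example.co.uk\n"
    "To: victim@recipient.example\n"
    "Subject: test\n"
    "Date: Mon, 24 Feb 2014 10:15:00 +0000\n"
    "Message-ID: <abc123@example.net>\n"
    "\n"
    "body\n"
)

# Explicit non-routable ranges. The stdlib is_private/is_global flags are not
# used because they also flag the RFC 5737 documentation ranges this sample
# uses in the role of public addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed stand-in for a GeoIP database or whois data; invented mapping.
CONSTRUCTED_GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "GB",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ipv4(text):
    """Valid IPv4 literals in text, in order of appearance."""
    found = []
    for literal in IPV4_RE.findall(text):
        try:
            found.append(ipaddress.IPv4Address(literal))
        except ValueError:
            pass  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(msg):
    """Received headers in transit order (earliest hop first), each as
    (flattened header, IPs named in its 'from' clause). MTAs prepend
    Received headers, so the last one in the message is the first hop."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(hdr).split())  # collapse folding whitespace
        from_clause = flat.split(" by ", 1)[0]
        hops.append((flat, extract_ipv4(from_clause)))
    return hops


def originating_ip(msg):
    """Prefer a provider-stamped client header; otherwise the earliest
    Received hop with a routable 'from' address. For webmail that fallback
    is normally the provider's outbound MTA, not the browser."""
    stamped = msg.get("X-Originating-IP")
    if stamped:
        ips = extract_ipv4(stamped)
        if ips:
            return ips[0], "X-Originating-IP"
    for _flat, ips in received_hops(msg):
        for ip in ips:
            if not is_internal(ip):
                return ip, "Received"
    return None, None


def lookup_country(ip, table=CONSTRUCTED_GEO):
    for net, country in table.items():
        if ip in net:
            return country
    return None


def analyze(raw, claimed_country="KR"):
    """Report the candidate IP, which header it came from, its country and
    whether that matches the claimed country (None if unknown)."""
    msg = email.message_from_string(raw, policy=policy.default)
    ip, source = originating_ip(msg)
    country = lookup_country(ip) if ip is not None else None
    return {
        "ip": str(ip) if ip is not None else None,
        "source": source,
        "country": country,
        "hops": len(received_hops(msg)),
        "consistent": (country == claimed_country) if country else None,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_RAW))
    # Without the stamped header the best candidate is the provider's MTA,
    # which says nothing about where the browser was.
    print(analyze(SAMPLE_RAW.replace("X-Originating-IP: [198.51.100.77]\n", "")))
```

Run as a script it prints two results: with the stamped header the candidate is the constructed UK address and `consistent` is False against the claimed KR; with the header stripped the only routable hop is the provider's US MTA, which is the situation the question describes and the reason the thread points to the provider's own logs.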
 

Author Closing Comment

by:afflik1923
ID: 39975076
thanks for the input on this one.
