
How to send Untraceable Emails

What makes an email untraceable is not that it is impossible to trace at all, but rather that tracing it would cost too much money, time or effort to do. Most of the methods and tools we describe will provide adequate anonymity and protection against the recipient being able to identify or locate you. But be warned, your actions can still be monitored from elsewhere (like your ISP or network administrator) so don’t be an idiot.

Email Alias

At the simplest level you could set up email forwarding or email aliasing. This won’t fool many people: while the name and email address in the “From” field might be unrecognizable to the recipient, the email header would still expose your originating IP address and domain, the delivery route, and the main email address that the alias is linked to.

Here’s the email header from an email I sent my colleague from an alias I created. The parts highlighted in green show the bogus information but the parts highlighted in red would give me away.

Return-path: A N Onymous <anonymous@email.com>
Envelope-to: jason@intertel.co.za
Delivery-date: Wed, 12 Apr 2017 19:02:26 +0200
Received: from roundcubeweb3.jnb1.host-h.net ([41.203.16.56] helo=InterMail.cpt.host-h.net)
   by dedi951.jnb1.host-h.net with esmtpa (Exim 4.80)
   (envelope-from <anonymous@email.com>)
   id 1cyLf0-0000JK-LZ; Wed, 12 Apr 2017 19:02:26 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_c8fe4382de90c189aa3530ae79195318"
Date: Wed, 12 Apr 2017 19:02:26 +0200
From: A N Onymous <anonymous@email.com>
To: jason@intertel.co.za
Subject: Guess =?UTF-8?Q?What=3F?=
Organization: Bogus Company Ltd
Reply-To: kerry@intertel.co.za
Mail-Reply-To: kerry@intertel.co.za
Message-ID: <7a079dc2d5cd870b6c7db541af201346@intertel.co.za>
X-Sender: anonymous@email.com
User-Agent: InterMail
X-Authenticated-Sender: kerry@intertel.co.za
X-Virus-Scanned: Clear (ClamAV 0.99.2/23290/Wed Apr 12 14:48:39 2017)
Delivered-To: intertt-jason@intertel.co.za
--=_c8fe4382de90c189aa3530ae79195318
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=UTF-8

Anonymous Account

An obvious solution to many of the pitfalls of the email alias method would simply be to create a brand new email address, e.g. a Gmail account, using bogus details.

Return-path: <ikilledkenny411@gmail.com>
Envelope-to: jason@intertel.co.za
Delivery-date: Fri, 14 Apr 2017 04:08:48 +0200
Received: from mail-vk0-f43.google.com ([209.85.213.43])
   by dedi951.jnb1.host-h.net with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128)
   (Exim 4.80)
   (envelope-from <ikilledkenny411@gmail.com>)
   id 1cyqfD-0005lO-Fy
   for jason@intertel.co.za; Fri, 14 Apr 2017 04:08:48 +0200
Received: by mail-vk0-f43.google.com with SMTP id r69so35305494vke.2
   for <jason@intertel.co.za>; Thu, 13 Apr 2017 19:08:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
   d=gmail.com; s=20161025;
   h=mime-version:from:date:message-id:subject:to;
   bh=cQm98A1vNhlIihO+IteSX/pkPtPM2pjBFwOaqwqSdIs=;
   b=NYmPQXpw4s7M77t74HeqceNoz0xfXx7sEqqw+WYFQ5gAW3wq6YweKvjQBVeFCY4zrf
   FPNcFzO5CINT+hX8QIhrw4YyrsDVwu+3hvr4jnKJASlvvLabebM+7nywRPDuF22kCv+l
   un4TnX7FI4y7Kl+TFQdtfOSiJKib5tmILPUeahPj9r81m7WgKltsbNgSFh1uIumQpOQp
   3xjmLJMicD0u9sOgNgl6D5bswpwfFxau2pvYUwy0VL+gXp5Ow56JUv+5AoRVQZRQ/0FO
   wGRrfcxV0YOcYS+G0pSKGKx84qTM7z3pY0i3sudICNyIMKIb61HOBGUjLbuQmlZcgq4W
   ZDfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
   d=1e100.net; s=20161025;
   h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
   bh=cQm98A1vNhlIihO+IteSX/pkPtPM2pjBFwOaqwqSdIs=;
   b=lWotek/2hTNyDhUmHW0cPVrDFbvNMi8Qosf972wM6D81tbZ0UL4mc8a0/2khpcaYIe
   yYCAMdZV4IZDUTH1YsDW6mAh4S1HrwjhZI3Iq6455F7XQezt4W4j11kCXr9jN3NXLf3I
   Z87wrsxb9xEWdbhIqs7C6rZVRmGDD8AWf3Wvze832Z7s2xbJXa9rOWut4Gdc08syjsNY
   wGWICGRElmgphngRk3HiwLVaNByF0OK7TE27cgau4QpzpI1gAzIiGLB8FXAak9NpBAIu
   Z+DyiK+ceAUX+X8rE17zGahkaU1wGF/bvpCgxlV5xusCvbTonBBJQ4eh+MGZgaUhsNZ2
   u6fg==
X-Gm-Message-State: AN3rC/7/ugEMndhXdEcFsvjEZN7f5ge1DJXUkK90GCsVZ0UfBAXY2ghH
   fadaN9xsE18ejGHeT32GqeJrECaLLA==
X-Received: by 10.31.75.68 with SMTP id y65mr2552872vka.46.1492135717028; Thu,
   13 Apr 2017 19:08:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.74.91 with HTTP; Thu, 13 Apr 2017 19:08:36 -0700 (PDT)
From: A N Onymous <ikilledkenny411@gmail.com>
Date: Fri, 14 Apr 2017 04:08:36 +0200
Message-ID: <CAGLeAQoatJ6efSe0F3VoZm3Reg9m6roVta795w6+nW=zJBboHw@mail.gmail.com>
Subject: Guess who?
To: jason@intertel.co.za
Content-Type: multipart/alternative; boundary=001a114da8b25ec83f054d16ebc0
X-Virus-Scanned: Clear (ClamAV 0.99.2/23294/Thu Apr 13 22:53:07 2017)
X-Unfudged-Spam-Score: -1.6 (-)
Delivered-To: intertt-jason@intertel.co.za

Examining the header you could be forgiven for thinking that this email is anonymous. It doesn’t seem to show any data that could be traced back to me, and even my IP address has been removed from the header by Google (for privacy reasons). Don’t be fooled. This email is traceable. Our Cyber Investigation Team was able to link the “originating” IP address 10.176.74.91 to my actual client IP address which pointed to my home DSL connection (below).

[Image: server logs]

To get from that point to the point of identifying me took a single phone call. Granted, the ability to make those connections and trace such an email isn’t within the reach of most people. Not many people would go to the trouble (or expense) of trying unless you’ve been an idiot and used your Gmail account to commit a crime or harass someone.

Anonymous Emailer

Now things start to get trickier for anyone wanting to trace you. An anonymous emailer consists of a web form and a script that runs on a server. You’ll enter the from, to, subject and message into the web form and that will be submitted to the script which will compose an email (along with headers) that is then sent from the server to the recipient. If the owner of the server doesn’t keep logs that link your IP address to each email then anyone tracing that email will only get as far as identifying the server from which it was sent.

Return-path: <anonymous@mail.com>
Envelope-to: jason@intertel.co.za
Delivery-date: Sun, 16 Apr 2017 04:08:45 +0200
Received: from bitsy.mit.edu ([18.72.0.3])
  by dedi951.jnb1.host-h.net with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
  (Exim 4.80)
  (envelope-from <anonymous@mail.com>)
  id 1czZcG-0003qs-VG
  for jason@intertel.co.za; Sun, 16 Apr 2017 04:08:45 +0200
Received: from brettint by bitsy.mit.edu with local (Exim 4.88)
  (envelope-from <anonymous@mail.com>)
  id 1czZc9-003eyX-Kv
  for jason@intertel.co.za; Sat, 15 Apr 2017 20:08:33 -0600
To: jason@intertel.co.za
Subject: Guess who?
Message-ID: <767c4668bbac377adc08eba7c7d4052d@www.spy.tools>
Date: Sun, 16 Apr 2017 02:08:33 +0000
From: "A N Onymous" <anonymous@mail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="_=_swift_v4_1492308513_65326f726afd53b36bda9114efa63edf_=_"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - bitsy.mit.edu
X-AntiAbuse: Originator/Caller UID/GID - [1499 1500] / [47 12]
X-AntiAbuse: Sender Address Domain - mail.com
X-Virus-Scanned: Clear (ClamAV 0.99.2/23300/Sat Apr 15 22:55:19 2017)
X-Unfudged-Spam-Score: 3.3 (+++)
Delivered-To: intertt-jason@intertel.co.za

Here’s an anonymous emailer to test. Please be warned that all emails are logged (along with your actual IP address and other information). Please don’t be silly and use this mailer for any shady emails – it’s for educational purposes only.

The Origin

IP Address

Internet Cafe

Header Fudging

Proxies / VPNs

Mail Servers

Encryption

Relaying

Remailers