From: Mark Eckenwiler <meckenwi@leo.gov>
Newsgroups: leo.gen.computer.investigate_tools,leo.gen.computer_forensics
Sent: Friday, January 28, 2000 4:58 PM
Subject: Re: E-mail trace?
Entire treatises have been written on the obscure art of reading e-mail
headers.  (I list some useful ones below.)  This is not a forensics job;
it's the job of a skilled network investigator.

As for getting the stuff introduced: an average jury will completely lose
you if you start explaining forged headers, ESMTP, and IP addresses.  (And
if they don't lose you, what they'll be thinking is "if this is so easy to
fake, I'm not gonna rely on it to convict.")  What you really want to do,
if at all possible, is run the investigation back to your perp, and then
hope that he's stupid enough to have kept a copy of the message (or to have
one recoverable on his machine's drive; now there's a job for your
forensics examiner).  This will completely eliminate the necessity of
dragging your jury through the technical mud.

Useful sites:
http://www.stopspam.org/email/headers/headers.html
http://www.catalog.com/mrm/security/trace-forgery.html
http://www.bookcase.com/library/faq/archive/net-abuse-faq/spam-faq.html
http://www.blighty.com/spam/docs.html
http://www.ao.net/waytosuccess/reportspam.html
http://doofus.ml.org/spam/lessons/
http://www.cl.ais.net/jchevron/spamtrack.html
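The header-reading the post refers to is, at bottom, a walk down the Received: chain. Each relay stamps one line saying which host connected to it ("from"), what it saw of that host (reverse DNS and IP in parentheses), and its own name ("by"). Only the topmost line, written by the recipient's own server, can be trusted outright; each line's "from" then names the host that should have written the line below, so the first place that agreement fails is where the sender's own forged lines begin. The following is an added example, not code from the original post or its linked sites: it parses a constructed set of headers (hypothetical hostnames, RFC 5737 documentation addresses) in which the sender appended a bogus bottom hop pointing at an innocent third party, and reports the lowest hop that can still be trusted.

```python
import re
from email import message_from_string

# Constructed sample, not a real message: hostnames are hypothetical and the
# addresses come from the RFC 5737 documentation ranges.  The bottom Received:
# line is one the sender typed in himself to point at an innocent third party.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org with ESMTP id ABC123
    for <victim@example.org>; Fri, 28 Jan 2000 16:58:00 -0500
Received: from relay.example.com (relay.example.com [198.51.100.7])
    by mail.example.net with ESMTP id XYZ789;
    Fri, 28 Jan 2000 16:57:30 -0500
Received: from bigcorp.example (unknown [203.0.113.45])
    by relay.example.com with SMTP id QQQ000;
    Fri, 28 Jan 2000 16:57:00 -0500
Received: from innocent.example (innocent.example [192.0.2.200])
    by mailhub.bigcorp.example with SMTP id FAKE01;
    Fri, 28 Jan 2000 16:56:00 -0500
From: "Someone" <someone@bigcorp.example>
To: victim@example.org
Subject: test
"""

# One unfolded Received: line.  "helo" is the name the connecting host claimed,
# "rdns"/"ip" are what the receiving server itself observed, and "by" is the
# server that wrote the line.  Only the common sendmail-style form
# "from HELO (RDNS [IP]) by HOST" is recognised here.
HOP_RE = re.compile(
    r"\bfrom\s+(?P<helo>[^\s(;]+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def parse_received(raw_headers):
    """Return the Received: hops in the order they appear (topmost first)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = re.sub(r"\s+", " ", str(value)).strip()
        m = HOP_RE.search(unfolded)
        if not m:
            continue  # unrecognised stamp; a real tool would keep it for manual review
        hop = m.groupdict()
        # A HELO name that disagrees with reverse DNS is the classic sign of a
        # host introducing itself under a false name.
        hop["helo_mismatch"] = bool(hop["rdns"]) and hop["rdns"].lower() != hop["helo"].lower()
        hops.append(hop)
    return hops


def _names_agree(by, *candidates):
    by = by.lower().rstrip(".")
    return any(c and c.lower().rstrip(".") == by for c in candidates)


def trace_origin(hops):
    """Walk the chain from the recipient's own server downward.

    hops[0] was stamped by the recipient's server and is the only line you can
    trust outright.  Each hop's "from" names the machine that should have
    stamped the line below it, so that line's "by" must agree.  The first
    disagreement is where trust ends; everything below it may be the sender's
    own fabrication.  Returns (origin_ip, trusted_hops, first_suspect_index).
    """
    if not hops:
        return None, [], None
    for k in range(len(hops) - 1):
        upper, lower = hops[k], hops[k + 1]
        if not _names_agree(lower["by"], upper["rdns"], upper["helo"]):
            return upper["ip"], hops[: k + 1], k + 1
    return hops[-1]["ip"], hops, None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for i, h in enumerate(hops):
        flag = "  <-- HELO/rDNS mismatch" if h["helo_mismatch"] else ""
        print(f"hop {i}: from {h['helo']} ({h['rdns']} [{h['ip']}]) by {h['by']}{flag}")
    origin, trusted, suspect = trace_origin(hops)
    print(f"chain trusted through hop {len(trusted) - 1}; origin IP {origin}")
    if suspect is not None:
        print(f"hop {suspect} and below do not chain to the hop above: treat as forged")
```

On the constructed sample the chain holds from mx.example.org down through relay.example.com, which recorded a connection from 203.0.113.45 whose HELO name did not match its reverse DNS; the line beneath it claims to have been written by a host that relay.example.com never saw, so it is discarded and the investigation proceeds against 203.0.113.45 rather than the innocent 192.0.2.200. That IP, with the timestamp, is what goes to the relay's operator for connection logs; it is the start of the network investigation the post describes, not the end of it.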