Netsol-NOS

asked on

Tracking the origin of email messages

We have received a message from a hotmail user and we want to track its origin. I know that hotmail provides this information field called X-Originating-IP in the message headers but this is not there in the message sent by the user in question. I sent an email from my hotmail account to my corporate account just to check and on examining the message header, I found this X-Originating-IP which was actually the IP address of my proxy server. So far so good. But then this same information does not appear in the message that I want to track. The header does show that the message is from hotmail but not anything beyond that like X-Originating-IP. Is it possible that one can turn this off while sending emails from hotmail account? If yes, then what is the other possibility to track such a sender?
ASKER CERTIFIED SOLUTION
SysExpert
Create an account to see this answer
The email address has no one-to-one correspondence with the IP address where the mail was sent; for instance, I can send emails from outlook with a given SMTP server and displaying that this was sent by my hotmail address. This is NOT fraud or cloaking, just a matter of normal tuning of configuration.

But of course it might also be used with some cloaking (eg, I can send a mail pretending that the sender is billg@m*icr*s*ft.com).

Thus the only information that is usually reliable is the IP address of the SMTP server that first got the message and the IP address it got it from [although this might also be cloaked].

You need to carefully examine the complete header.
Here are extracts of the header of a spam I just got:
[the name is replaced by XXX]

Return-Path: <XXX@toranoo.com>
Received: from mwinf2129.orange.fr (mwinf2129.orange.fr)
        by mwinb1007 (SMTP Server) with LMTP; Thu, 06 Mar 2008 15:42:03 +0100
X-Sieve: Server Sieve 2.2
Received: from me-wanadoo.net (localhost [127.0.0.1])
        by mwinf2129.orange.fr (SMTP Server) with ESMTP id 220092C000BC
        for <wfr35c2cad7000000055b16700b@back10-mail01-04.me-wanadoo.net>; Thu,  6 Mar 2008 15:42:03 +0100 (CET)
Received: from ...
        by mwinf2129.orange.fr (SMTP Server) with ESMTP id ...
        for <[that's me]>; Thu,  6 Mar 2008 15:42:03 +0100 (CET)
X-ME-UUID: 20080306144203593.0E77D2C000AC@mwinf2129.orange.fr
Received: from localhost (mfilter2-...)
        by spool.mail....(Postfix) with ESMTP id 7F70F32C144
        for <...>; Thu,  6 Mar 2008 15:42:01 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter2-v.mgt.gandi.net
Received: from ...
        by localhost (...) (amavisd-new, port 10024)
        with ESMTP id 2Y3N9a3ayk9g for <...>;
        Thu,  6 Mar 2008 15:41:46 +0100 (CET)
X-GreyListed: 150/1126 seconds (92.81.115.60:['untrusted'])
Received: from mara-af25116018 (unknown [92.81.115.60])
        by spool.mail.... (Postfix) with ESMTP id 8305632C136
        for <...>; Thu,  6 Mar 2008 15:38:47 +0100 (CET)
Message-ID: <01c88072$0f37c780$3c73515c@calyx>
From: "Kendall Fritz" <XXX@toranoo.com>
---------------------
Here, the probable source is mara-af25116018 (unknown [92.81.115.60]) at claimed IP address 92.81.115.60, and was said to be sent by Kendall at toranoo.com.
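
As an added example (not part of the original post): a Python script that reads the Received chain the way the comment above does, oldest hop first, and reports the first non-loopback connecting IP, plus X-Originating-IP when the header is present. The sample message, host names and addresses are constructed, and the function names are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample (not the message from the post); the topmost Received is the newest hop.
SAMPLE = """\
Return-Path: <sender@example.org>
Received: from mx1.example.net (mx1.example.net [198.51.100.7])
\tby inbox.example.net (Postfix) with LMTP id AAA111;
\tThu, 06 Mar 2008 15:42:03 +0100
Received: from localhost (localhost [127.0.0.1])
\tby mx1.example.net (Postfix) with ESMTP id BBB222;
\tThu, 06 Mar 2008 15:42:01 +0100
Received: from pc-claimed-name (unknown [192.0.2.60])
\tby mx1.example.net (Postfix) with ESMTP id CCC333;
\tThu, 06 Mar 2008 15:38:47 +0100
X-Originating-IP: [203.0.113.9]
From: "Sender" <sender@example.org>
Subject: constructed sample

body
"""

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.I)   # claimed name + server's note
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")     # IP the receiving server recorded

def received_hops(raw):
    """Return hops oldest-first as (claimed_name, ip_or_None)."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP.match(" ".join(value.split()))           # unfold continuation lines
        ip = IPV4.search(m.group(2)) if m else None
        hops.append((m.group(1) if m else None, ip.group(1) if ip else None))
    return hops[::-1]

def probable_source(raw):
    """Oldest hop with a non-loopback IP; hops added before your own servers can be forged."""
    for name, ip in received_hops(raw):
        if ip and not ipaddress.ip_address(ip).is_loopback:
            return name, ip
    return None

def originating_ip(raw):
    """X-Originating-IP value if the sending service added it, else None."""
    value = email.message_from_string(raw).get("X-Originating-IP")
    return value.strip(" []") if value else None

if __name__ == "__main__":
    print(probable_source(SAMPLE), originating_ip(SAMPLE))
```
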
Netsol-NOS

ASKER

The explanations provided here are not very much relevant to the question posed. I am talking about the X_Originating_IP that is mentioned in the header of the email messages from hotmail (or any other SMTP server that inserts this information). I received an email from hotmail that when opened in Lotus Notes did not have this information.
There is a development in this regard on my side that I would like to share however. When I opened the same email using the webmail of my Lotus Domino server and used the view source option, I was able to see the X_Originating_IP. How can I see this same information in Lotus Notes? Please note that the View-->Page Source does not show this information in Lotus Notes.
Netsol-NOS
- You are pointing at "a" (ie, one) message for which you ask questions.
- My explanations detailed how you can manually check this single message (or rather its headers) to understand and explore how it was sent and therefore help you to handle similar mails.

It seems that you have a more general question underlying the one stated: how to be able to handle that in Notes/ Domino.
Explanations above deliver a clear message: you cannot assume that all the mails you will have to handle do conform with your expected model, and that something more robust might be needed to handle some special cases.
You need to handle at least 2 cases:
- (Probably) genuine mails where the exposed sender and/or return email address are different from those that might be hinted by exploring the SMTP information
- (Probably) fake (probably) spam mails for which the header information has been altered unpredictably.
OK, let's be more specific and I say that the environment is Lotus Domino/Notes based. How can I see this same information on my Domino/Notes side with all the header details? (Probably) Fake messages or (probably) SPAM is not my concern at the moment.
Did you check ALL the fields of the Email doc via the Properties?

> .. and we want to track its origin.
Impossible unless you have real time control to all hosts and their logs involved in routing the email at the time it passes by.
That's all you have to do ;-)
Please see my earlier comments:
"There is a development in this regard on my side that I would like to share however. When I opened the same email using the webmail of my Lotus Domino server and used the view source option, I was able to see the X_Originating_IP. How can I see this same information in Lotus Notes. Please note that the View-->Page Source does not show this information in Lotus Notes."
Why is this same information X_Originating_IP not appearing in Lotus Notes using View-->Show-->Page Source while the rest of the header details are appearing using this method?
I hope I have made the point more clear this time.
Where in Lotus Notes can I find an email sender's IP address from the computer the mail originated from?