Solved

From a forwarded Email, can I find out who originally sent the email?

Posted on 2011-02-18
Medium Priority
9,499 Views
Last Modified: 2012-05-11
Hello,

I have been asked to trace an email, but the person only has a forwarded version of the message (the original message was forwarded to the person who is requesting this service). Is it possible to find out the original sender from the forwarded message? FYI, I haven't seen the email yet but want to have "all my ducks in a row" before I look.

Any help would be appreciated! Thanks!
0
Question by:WindhamSD
6 Comments
 
LVL 9

Assisted Solution

by:AriMc
AriMc earned 500 total points
ID: 34928838
It depends on a lot of things. Usually the forward options in e-mail clients do not include the original header information in the forwarded mail, but if it was forwarded as an attachment, then the original headers along with the original sender's e-mail address (or at least what he/she claims is the e-mail address) can be included.

Sometimes you can obviously see the original sender from the contents of the message.

Theoretically it would also be possible for the forwarding e-mail client to include non-standard X-headers that include the original sender's information but I have never seen this happening.

Then if it is some other mailing system than the de-facto standard internet SMTP, then the circumstances are completely different.

0
 
LVL 64

Assisted Solution

by:btan
btan earned 1000 total points
ID: 34931554
Some background on email headers that is important for tracing email sources...

An email header can minimally reveal IP addresses (in the Received header field or X-Originating-IP header field) of the origin (at most the computer, not the person, especially if the computer is shared or broken into, etc.). The IP can lead you to minimally isolate a party that you can contact or seek advice from on finding out more about the sender. But for ISPs to reveal that info (when the IP is not constant, etc.), they will not entertain others unless governed by law enforcement instructions...

But do also note that the IP is not necessarily the origin e.g. if you receive an email sent from a Gmail account through the web browser, you may not be able to find the real IP address because Google hides the real IP address of the sender. However, if someone sends you a mail from his/her Gmail account using a client like Thunderbird, Outlook or Apple Mail, you can find the originating IP address. Some useful online tools to check IP include IP2Location and GeoBytes IP Locator.

See this link @ http://aruljohn.com/info/howtofindipaddress/
See also eMailTrackerPro @ http://www.visualware.com/resources/tutorials/email.html

Interestingly, email headers may contain leaked sender information such as Windows computer name, timezone information, and mailer software. They may provide tiny bits of the source.

Coming back to your forwarded email, strictly speaking, forwarding inline quotes the message below the main text of the new message, and usually preserves original attachments as well as a choice of selected headers (e.g. the original From and Reply-To.) The recipient of a message forwarded this way may still be able to reply to the original message; the ability to do so depends on the presence of original headers and may imply manually copying and pasting the relevant destination addresses.

Forwarding (the whole email) as attachment prepares a MIME attachment (of type message/rfc822) that contains the full original message, including all headers and any attachment. Note that including all the headers discloses much information about the message, such as the servers that transmitted it and any client-tag added on the mailbox. You can then adopt the earlier approach to trace back. The info on forwarding is referenced from Wikipedia.
0
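An added example, not part of any post in this thread: one way to pull the original headers out of a message that was forwarded as a message/rfc822 attachment, using Python's standard `email` package. The function name `original_headers` and the sample message (documentation addresses and IP ranges) are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample: a "Fwd:" message carrying the original as a
# message/rfc822 attachment. All names and IPs are documentation values.
SAMPLE = """\
From: colleague@example.org
Subject: Fwd: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [198.51.100.7])
 by mail.example.org; Fri, 18 Feb 2011 10:02:11 +0000
Received: from [203.0.113.45] (helo=DESKTOP-01)
 by mx.example.net; Fri, 18 Feb 2011 10:02:05 +0000
From: Original Sender <sender@example.net>
X-Originating-IP: [203.0.113.45]
X-Mailer: ExampleMailer 1.0
Subject: invoice

Original body.
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def original_headers(raw):
    """Return header details of the first embedded message/rfc822 part, or None."""
    outer = message_from_string(raw, policy=policy.default)
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)  # the embedded original message
            received = inner.get_all("Received", [])
            # Each relay prepends its Received line, so reverse for oldest-first.
            hops = [ip for r in reversed(received) for ip in IP_RE.findall(str(r))]
            return {
                "from": str(inner["From"]),  # a claim, not proof of identity
                "x_originating_ip": IP_RE.findall(str(inner.get("X-Originating-IP", ""))),
                "mailer": str(inner.get("X-Mailer", "")),
                "hop_ips_oldest_first": hops,
            }
    return None  # inline forward: no embedded message, headers not preserved
```

A `None` result means the message was forwarded inline, so only whatever the forwarding client quoted in the body is available.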
 
LVL 4

Accepted Solution

by:
JohnDecker earned 500 total points
ID: 34936764
As has been said, even if you do have the headers, you won't get very far with identifying the sender. My IP address, using the tools above, as well as some favourites of my own, put me about 1 million people and 400kms away from where I really am. I am in New Zealand where the infrastructure is pretty spread out.

In the US or Europe you will get a closer hit in terms of position, but not in terms of population - ie you will still be millions away from identifying your target. And that doesn't even take into account proxy servers, which would ruin things for you.

If it is a static IP address and you look it up (www.dnsstuff.com) you may find a company but you would have to hope the registration details are accurate. They may not be: in Nigerian scams stolen credit cards are used to register sites and the details are often those of the credit card holder rather than the scammer, more's the pity.

Another way is to take the email address and put it into a tool such as www.pipl.com or even just Google it.

Depending on the email you can Google chunks of the text (if you suspect others may have received it) or the sender's name.
0
 
LVL 64

Expert Comment

by:btan
ID: 34941700
The consensus is that you can find more info but all these will not lead to the direct source, esp. if it is intended or targeted by an organised group. You can only do as much using various tools, but it really boils down to the objective of the investigation stated out front. Nothing is impossible, just that it takes time and the necessary aids to drill; it depends whether you need to .....
0
 
LVL 64

Assisted Solution

by:btan
btan earned 1000 total points
ID: 34941704
The consensus is that you can find more info but all these will not lead to the direct source, esp. if it is intended or targeted by an organised group. You can only do as much using various tools, but it really boils down to the objective of the investigation stated out front. Nothing is impossible, just that it takes time and the necessary aids to drill; it depends whether you need to ..... risk of exposure
0
 

Author Closing Comment

by:WindhamSD
ID: 34997165
Thanks for all your help!
0


Question has a verified solution.
