Solved

From a forwarded Email, can I find out who originally sent the email?

Posted on 2011-02-18
Last Modified: 2012-05-11
Hello,

I have been asked to trace an email but the person only has a forwarded version of the message (The original message was forwarded to the person who is requesting this service). Is it possible to find out the original sender from the forwarded message? FYI, I haven't seen the email yet but want to have, "all my ducks in a row" before I look.

Any help would be appreciated! Thanks!
Question by:WindhamSD
6 Comments
 
LVL 9

Assisted Solution

by:AriMc
AriMc earned 125 total points
ID: 34928838
It depends on a lot of things. Usually the forward options in e-mail clients do not include the original header information in the forwarded mail but if it was forwarded as an attachment, then the original headers along with the original sender's e-mail address (or at least what he/she claims is the e-mail address) can be included.

Sometimes you can obviously see the original sender from the contents of the message.

Theoretically it would also be possible for the forwarding e-mail client to include non-standard X-headers that include the original sender's information but I have never seen this happening.

Then if it is some other mailing system than the de-facto standard internet SMTP, then the circumstances are completely different.

0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 34931554
Some background on the email header that is important for tracing email sources...

An email header can minimally reveal the IP addresses (in the Received header field or X-Originating-IP header field) of the origin (at most the computer, not claiming it is the person, esp. if the computer is shared or broken into, etc.). The IP can lead you to minimally isolate a party that you can contact or seek advice from on finding out more about the sender. But as for ISPs revealing that info (when the IP is not constant, etc.), they will not entertain others unless governed by law enforcement instructions...

But do also note that the IP is not necessarily the origin e.g. if you receive an email sent from a Gmail account through the web browser, you may not be able to find the real IP address because Google hides the real IP address of the sender. However, if someone sends you a mail from his/her Gmail account using a client like Thunderbird, Outlook or Apple Mail, you can find the originating IP address. Some useful online tools to check IP include IP2Location and GeoBytes IP Locator.

See this link @ http://aruljohn.com/info/howtofindipaddress/
See also eMailTrackerPro @ http://www.visualware.com/resources/tutorials/email.html

Interestingly, the email header may contain leaked sender information such as Windows computer name, timezone information and mailer software. They may provide tiny bits of the source.

Coming back to your forwarded email: strictly speaking, forwarding inline quotes the message below the main text of the new message, and usually preserves original attachments as well as a choice of selected headers (e.g. the original From and Reply-To). The recipient of a message forwarded this way may still be able to reply to the original message; the ability to do so depends on the presence of original headers and may imply manually copying and pasting the relevant destination addresses.

Forwarding (the whole email) as attachment prepares a MIME attachment (of type message/rfc822) that contains the full original message, including all headers and any attachment. Note that including all the headers discloses much information about the message, such as the servers that transmitted it and any client-tag added on the mailbox. You can then adopt the earlier approach to trace back. The info on forwarding is referenced from Wikipedia.
0
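The forward-as-attachment case described in the answers above, as an added example that is not part of any poster's reply: it walks a forwarded message, finds the embedded message/rfc822 part and pulls out the original From, Reply-To, X-Originating-IP, X-Mailer and the earliest Received hop. The sample message, the function name `original_headers` and all addresses are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample of a forward-as-attachment message; every name, host and
# address is invented (example.* domains, RFC 5737 documentation IPs).
SAMPLE = b"""\
From: Requester <requester@example.org>
Subject: Fwd: Invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org; Fri, 18 Feb 2011 10:00:05 +0000
Received: from [192.0.2.44] (helo=DESKTOP-01)
\tby smtp.example.net; Fri, 18 Feb 2011 10:00:01 +0000
X-Originating-IP: [192.0.2.44]
X-Mailer: ExampleMailer 1.0
From: "A. Sender" <sender@example.net>
Reply-To: other@example.com

Body of the original message.
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def original_headers(raw: bytes) -> list:
    """Return header details for each message/rfc822 part found in raw."""
    found = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_payload(0)  # the embedded original message
        received = [str(h) for h in inner.get_all("Received", [])]
        found.append({
            "from": str(inner.get("From", "")),
            "reply_to": str(inner.get("Reply-To", "")),
            "x_originating_ip": IP_RE.findall(str(inner.get("X-Originating-IP", ""))),
            "mailer": str(inner.get("X-Mailer", "")),
            # Each relay prepends its Received line, so the last is the earliest hop.
            "first_hop_ips": IP_RE.findall(received[-1]) if received else [],
        })
    return found
```

An inline forward has no message/rfc822 part, so the function returns an empty list for it. Received lines below the first relay you trust, and X-Originating-IP, are supplied by the sending side and can be forged, so treat them as leads rather than proof.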
 
LVL 4

Accepted Solution

by:JohnDecker
JohnDecker earned 125 total points
ID: 34936764
As has been said, even if you do have the headers, you won't get very far with identifying the sender. My IP address, using the tools above, as well as some favourites of my own, put me about 1 million people and 400kms away from where I really am. I am in New Zealand where the infrastructure is pretty spread out.

In the US or Europe you will get a closer hit in terms of position, but not in terms of population - ie you will still be millions away from identifying your target. And that doesn't even take into account proxy servers, which would ruin things for you.

If it is a static IP address and you look it up (www.dnsstuff.com) you may find a company but you would have to hope the registration details are accurate. They may not be: in Nigerian scams stolen credit cards are used to register sites and the details are often those of the credit card holder rather than the scammer, more's the pity.

Another way is to take the email address and put it into a tool such as www.pipl.com or even just Google it.

Depending on the email you can Google chunks of the text (if you suspect others may have received it) or the sender's name.
0

 
LVL 62

Expert Comment

by:btan
ID: 34941700
the consensus is that you can find more info but all these will not lead to direct source, esp it is intended or target by organised group. you can only do as much using various tools but it really boils down on objective in the investigation stated out front. nothing is impossible just that it take time and the necessary aids to drill, it depends whether you need to .....
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 34941704
the consensus is that you can find more info but all these will not lead to direct source, esp it is intended or target by organised group. you can only do as much using various tools but it really boils down on objective in the investigation stated out front. nothing is impossible just that it take time and the necessary aids to drill, it depends whether you need to ..... risk of exposure
0
 

Author Closing Comment

by:WindhamSD
ID: 34997165
Thanks for all your help!
0
