Solved

From a forwarded Email, can I find out who originally sent the email?

Posted on 2011-02-18
5,837 Views
Last Modified: 2012-05-11
Hello,

I have been asked to trace an email but the person only has a forwarded version of the message (the original message was forwarded to the person who is requesting this service). Is it possible to find out the original sender from the forwarded message? FYI, I haven't seen the email yet but want to have "all my ducks in a row" before I look.

Any help would be appreciated! Thanks!
Question by:WindhamSD
6 Comments
 
LVL 9

Assisted Solution

by:AriMc
AriMc earned 125 total points
ID: 34928838
It depends on a lot of things. Usually the forward options in e-mail clients do not include the original header information in the forwarded mail, but if it was forwarded as an attachment, then the original headers, along with the original sender's e-mail address (or at least what he/she claims is the e-mail address), can be included.

Sometimes you can obviously see the original sender from the contents of the message.

Theoretically it would also be possible for the forwarding e-mail client to include non-standard X-headers that include the original sender's information, but I have never seen this happen.

Then, if it is some other mailing system than the de facto standard internet SMTP, the circumstances are completely different.

 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 34931554
Some background on email headers that is important for tracing email sources:

An email header can minimally reveal IP addresses (in the Received header field or the X-Originating-IP header field) of the origin (at most the computer, not a claim that it is the person, especially if the computer is shared or broken into, etc.). The IP can at least let you isolate a party that you can contact or seek advice from on finding out more about the sender. But as for ISPs revealing that info (when the IP is not constant, etc.), they will not entertain others unless governed by law enforcement instructions....

But do also note that the IP is not necessarily the origin, e.g. if you receive an email sent from a Gmail account through the web browser, you may not be able to find the real IP address because Google hides the real IP address of the sender. However, if someone sends you a mail from his/her Gmail account using a client like Thunderbird, Outlook or Apple Mail, you can find the originating IP address. Some useful online tools to check an IP include IP2Location and GeoBytes IP Locator.

See this link @ http://aruljohn.com/info/howtofindipaddress/
See also eMailTrackerPro @ http://www.visualware.com/resources/tutorials/email.html

Interestingly, email headers may contain leaked sender information such as the Windows computer name, timezone information and mailer software. They may provide tiny bits about the source.

Coming back to your forwarded email: strictly speaking, forwarding inline quotes the message below the main text of the new message, and usually preserves original attachments as well as a selection of headers (e.g. the original From and Reply-To). The recipient of a message forwarded this way may still be able to reply to the original message; the ability to do so depends on the presence of original headers and may imply manually copying and pasting the relevant destination addresses.

Forwarding (the whole email) as an attachment prepares a MIME attachment (of type message/rfc822) that contains the full original message, including all headers and any attachments. Note that including all the headers discloses much information about the message, such as the servers that transmitted it and any client tags added on the mailbox. You can then adopt the earlier approach to trace back. The info on forwarding is referenced from Wikipedia.
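To make the two forwarding modes btan describes concrete, here is an added example (not code from this thread or from any tool named in it) that uses Python's standard email library to open a message forwarded as a message/rfc822 attachment and pull the Received hops, X-Originating-IP, X-Mailer and original From out of the embedded original; for an inline forward it returns None, because those headers are simply not present. The sample message, hostnames and IP addresses are constructed for illustration.

```python
"""Pull tracing headers out of a message forwarded as a message/rfc822 attachment."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: an outer forward whose attachment is the complete original message.
# Addresses and IPs are documentation/example values, not real hosts.
FORWARDED_RAW = b"""From: alice@example.com
To: bob@example.net
Subject: Fwd: meeting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

See attached.
--outer
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [203.0.113.10]) by mail.example.com with ESMTP; Thu, 17 Feb 2011 10:02:00 +0000
Received: from workstation-7 (unknown [198.51.100.23]) by mx.example.net with ESMTPA; Thu, 17 Feb 2011 10:01:00 +0000
X-Originating-IP: [198.51.100.23]
X-Mailer: ExampleMailer 1.0
From: mallory@example.org
To: alice@example.com
Subject: meeting

original body
--outer--
"""

# "from <claimed host> ... [<ip>]" as written by the receiving server for each hop
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def find_attached_original(raw):
    """Return the embedded original message, or None for an inline (quoted-text) forward."""
    outer = BytesParser(policy=policy.default).parsebytes(raw)
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None

def trace(raw):
    original = find_attached_original(raw)
    if original is None:
        return None  # inline forward: the original headers were not preserved
    # Each hop prepends its Received line, so the last one is the earliest (closest to the origin).
    hops = [m.groups() for h in original.get_all("Received", []) if (m := HOP_RE.search(h))]
    hops.reverse()  # chronological order: hops[0] is the best lead on the origin
    orig_ip = str(original.get("X-Originating-IP") or "").strip("[] ")
    return {"from": str(original.get("From", "")), "x_originating_ip": orig_ip or None,
            "x_mailer": str(original.get("X-Mailer") or "") or None, "hops": hops}
```

The claimed host in each hop is whatever the sending machine said in HELO/EHLO, so only the bracketed IP recorded by the receiving server is worth trusting.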
 
LVL 4

Accepted Solution

by:JohnDecker
JohnDecker earned 125 total points
ID: 34936764
As has been said, even if you do have the headers, you won't get very far with identifying the sender. My IP address, using the tools above, as well as some favourites of my own, puts me about 1 million people and 400 km away from where I really am. I am in New Zealand, where the infrastructure is pretty spread out.

In the US or Europe you will get a closer hit in terms of position, but not in terms of population, i.e. you will still be millions away from identifying your target. And that doesn't even take into account proxy servers, which would ruin things for you.

If it is a static IP address and you look it up (www.dnsstuff.com) you may find a company, but you would have to hope the registration details are accurate. They may not be: in Nigerian scams stolen credit cards are used to register sites and the details are often those of the credit card holder rather than the scammer, more's the pity.

Another way is to take the email address and put it into a tool such as www.pipl.com or even just Google it.

Depending on the email you can Google chunks of the text (if you suspect others may have received it) or the sender's name.
LVL 61

Expert Comment

by:btan
ID: 34941700
The consensus is that you can find more info, but all of this will not lead to the direct source, especially if it is intended or targeted by an organised group. You can only do so much using various tools, but it really boils down to the objective of the investigation stated out front. Nothing is impossible; it just takes time and the necessary aids to drill down, and it depends on whether you need to.....
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 34941704
The consensus is that you can find more info, but all of this will not lead to the direct source, especially if it is intended or targeted by an organised group. You can only do so much using various tools, but it really boils down to the objective of the investigation stated out front. Nothing is impossible; it just takes time and the necessary aids to drill down, and it depends on whether you need to..... risk of exposure
 

Author Closing Comment

by:WindhamSD
ID: 34997165
Thanks for all your help!