From a forwarded email, can I find out who originally sent the email?

Hello,

I have been asked to trace an email but the person only has a forwarded version of the message (The original message was forwarded to the person who is requesting this service). Is it possible to find out the original sender from the forwarded message? FYI, I haven't seen the email yet but want to have, "all my ducks in a row" before I look.

Any help would be appreciated! Thanks!
WindhamSD Asked:
 
JohnDecker Commented:
As has been said, even if you do have the headers, you won't get very far with identifying the sender. My IP address, using the tools above, as well as some favourites of my own, put me about 1 million people and 400kms away from where I really am. I am in New Zealand where the infrastructure is pretty spread out.

In the US or Europe you will get a closer hit in terms of position, but not in terms of population - ie you will still be millions away from identifying your target. And that doesn't even take into account proxy servers, which would ruin things for you.

If it is a static IP address and you look it up (www.dnsstuff.com) you may find a company but you would have to hope the registration details are accurate. They may not be: in Nigerian scams stolen credit cards are used to register sites and the details are often those of the credit card holder rather than the scammer, more's the pity.

Another way is to take the email address and put it into a tool such as www.pipl.com or even just Google it.

Depending on the email you can Google chunks of the text (if you suspect others may have received it) or the sender's name.
0
 
AriMc Commented:
It depends on a lot of things. Usually the forward options in e-mail clients do not include the original header information in the forwarded mail but if it was forwarded as an attachment, then the original headers along with the original sender's e-mail address (or at least what he/she claims is the e-mail address) can be included.

Sometimes you can obviously see the original sender from the contents of the message.

Theoretically it would also be possible for the forwarding e-mail client to include non-standard X-headers that include the original sender's information but I have never seen this happening.

Then if it is some other mailing system than the de-facto standard internet SMTP, then the circumstances are completely different.

0
 
btan (Exec Consultant) Commented:
Some background on email headers that is important for tracing email sources...

An email header can minimally reveal IP addresses (in the Received header field or X-Originating-IP header field) of the origin (at most the computer, not claiming it is the person, esp. if the computer is shared or broken into, etc.). The IP can lead you to minimally isolate a party that you can contact or seek advice from on finding out more about the sender. But as for the ISP revealing that info (when the IP is not constant, etc.), they will not entertain others unless governed by law enforcement instructions...

But do also note that the IP is not necessarily the origin e.g. if you receive an email sent from a Gmail account through the web browser, you may not be able to find the real IP address because Google hides the real IP address of the sender. However, if someone sends you a mail from his/her Gmail account using a client like Thunderbird, Outlook or Apple Mail, you can find the originating IP address. Some useful online tools to check IP include IP2Location and GeoBytes IP Locator.

See this link @ http://aruljohn.com/info/howtofindipaddress/
See also eMailTrackerPro @ http://www.visualware.com/resources/tutorials/email.html

Interestingly, an email header may contain leaked sender information such as the Windows computer name, timezone information and mailer software. They may provide tiny bits of the source.

Coming back to your forwarded email, strictly speaking forwarding inline quotes the message below the main text of the new message, and usually preserves original attachments as well as a choice of selected headers (e.g. the original From and Reply-To). The recipient of a message forwarded this way may still be able to reply to the original message; the ability to do so depends on the presence of original headers and may imply manually copying and pasting the relevant destination addresses.

Forwarding (the whole email) as attachment prepares a MIME attachment (of type message/rfc822) that contains the full original message, including all headers and any attachment. Note that including all the headers discloses much information about the message, such as the servers that transmitted it and any client-tag added on the mailbox. You can then adopt the earlier approach to trace back. The info on forwarding is referenced from Wikipedia.
0
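The forward-as-attachment case described in the answers above, as an added example that is not part of any post in this thread: it pulls the embedded message/rfc822 part out of the wrapper and lists the header fields the answers mention. The sample message, names and addresses are constructed placeholders, and the function names are hypothetical.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (placeholder names, RFC 5737 addresses): forward-as-attachment.
SAMPLE = """\
From: requester@example.org
Subject: Fwd: invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [198.51.100.7])
 by mail.example.org; Mon, 1 Jan 2024 10:00:05 +0000
Received: from DESKTOP-PC (unknown [203.0.113.45])
 by mx.example.net; Mon, 1 Jan 2024 10:00:01 +0000
X-Originating-IP: [203.0.113.45]
From: "Claimed Sender" <sender@example.com>
Reply-To: other@example.com

Body text.
--b1--
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")  # IPv4 only, for brevity

def extract_original(raw):
    """Return the embedded message/rfc822 part, or None (e.g. inline forward)."""
    for part in email.message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def summarize(orig):
    """Collect trace-relevant fields; From/Reply-To are only what the sender claims."""
    # Each relay prepends its Received line, so reverse to get the earliest hop first.
    # Hops recorded before your own trusted server can be forged by the sender.
    hops = [ip for h in reversed(orig.get_all("Received", [])) for ip in IPV4.findall(str(h))]
    xoip = IPV4.findall(str(orig.get("X-Originating-IP", "")))
    return {"from": parseaddr(str(orig.get("From", "")))[1],
            "reply_to": parseaddr(str(orig.get("Reply-To", "")))[1],
            "received_ips": hops,
            "x_originating_ip": xoip[0] if xoip else None}
```

When `extract_original` returns None the message was forwarded inline, and only whatever headers the forwarding client chose to quote in the body are available.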
 
btan (Exec Consultant) Commented:
The consensus is that you can find more info but all these will not lead to the direct source, esp. if it is intended or targeted by an organised group. You can only do as much using various tools but it really boils down to the objective of the investigation stated up front. Nothing is impossible, just that it takes time and the necessary aids to drill; it depends whether you need to ..... risk of exposure
0
 
WindhamSD (Author) Commented:
Thanks for all your help!
0
Question has a verified solution.
