Solved

How to determine where an email really came from

Posted on 2012-03-14
24
339 Views
Last Modified: 2012-06-27
We have a link that helps us know where the email came from:

http://whatismyipaddress.com/trace-email

Unfortunately, it seems that it looks into the actual "domain" and presents THAT specific address, not where it REALLY came from.

We thought maybe knowing the Internet Provider would help, but there are international Internet Providers I guess, so knowing where the email was produced would not be reliable.

How can we know where it came from?

Please moderator, if the zones chosen are not the correct ones, please reassign.

Thanx Lots!
0
Question by:rayluvs
24 Comments
 
LVL 50

Accepted Solution

by:
jcimarron earned 215 total points
ID: 37721451
Ramante--While old, these two references should help
http://ask-leo.com/how_can_i_trace_where_email_came_from.html

http://tips.vlaurie.com/2008/01/how-to-find-out-where-an-email-really-came-from/

Note, however, that even if you determine where the email came from, any spam sender will probably use another email address next time.
0
 
LVL 3

Assisted Solution

by:DaFranker
DaFranker earned 143 total points
ID: 37721479
Unfortunately, the only "sure" way to know the exact location where an email (that we assume was sent with maximum technology and skill in origin masking) was sent from is to obtain complete control over all machines involved in communicating the contents of the email, up to and including the source machine that the sender used to send the email in the first place (in order to verify that this machine wasn't just another bounce). Even then, someone may under certain circumstances erase records or some records may be removed for other reasons from one or more machines along the path, which may make tracing difficult or even impossible.

The only "absolute" method is to have live control over every machine including the sending machine, while the email is sent. This would mean the sender has to use a machine over which you already have control (and for which you can log and then back-up logs externally in real time) to send the e-mail.

Email tracing (of emails with forged headers and using other origin-masking techniques) often involves retrieving logs from multiple servers, comparing logs and headers, cross-referencing addresses with servers and which server should send what kind of signal and so on and so forth.
0
 

Author Comment

by:rayluvs
ID: 37721506
By what you are saying, is it safe to say that there is no way, not being a Government Entity, to do a "trace" of an email sent? No tools to buy or shareware/freeware to download that would accomplish this task?
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 37721690
Ramante--What is your purpose?

Organizations such as SpamCop might help.  http://www.spamcop.net/
0
 

Author Comment

by:rayluvs
ID: 37721798
My purpose is to know where the email is coming from. If more info is necessary, what I can tell you is that my boss has doubts about where his sales reps are sending their emails from.

Unfortunately, spamcop has no help toward what we need.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 37721883
Ramante--
"My purpose is to know where the email is coming from"
Country, City, email address, IP address, etc.??

I do not think Country can be faked too easily.
0
 

Author Comment

by:rayluvs
ID: 37722159
Country/City or just City or Country.....

Do you think it is possible?
0
 
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 215 total points
ID: 37722407
Ramante--
Did you read http://ask-leo.com/how_can_i_trace_where_email_came_from.html ?

So you can trace, but do you get correct info? Well, it depends. Take some of the headers from your salesmen and see what you get. Does the info seem logical?
And remember you can trace IP addresses here.
http://www.all-nettools.com/toolbox/smart-whois.php
0
 
LVL 3

Assisted Solution

by:DaFranker
DaFranker earned 143 total points
ID: 37723224
Ramante:

I'm not saying it's absolutely impossible or unfeasible in any manner without large resources at your disposal, but I am indeed inferring that without a lot of experience in related topics it'll be extremely difficult to be certain that the information you do find (because you *will* find some if you use the tools and techniques proposed by other experts here) is accurate.

My comment simply exposes the fact that, in extreme cases, it is possible to mask the origin of an email in a way that cannot be traced without those huge resources. However, doing so also requires larger resources and experience on the part of the sender.

Within the context you've specified, unless the sales reps are highly qualified IT experts (in which case they'd be reading your posts here and would already know you're trying to trace them), chances are they won't knowingly be using advanced origin-masking methods.

So, try to get the most complete headers, and analyze the info for consistency. However, be prepared for the possibility to end up, despite your best efforts, with only a list of temporary IP addresses for an international ISP. Anyone who has a friend in another country can make their email go through that friend's computer to make it seem like they were sent from there, with a bit of reading.
0
 

Author Comment

by:rayluvs
ID: 37729555
I totally agree with you. FYI, the sales reps are not technically inclined. That is why we think that a lot of resources would not be needed.

To give you a piece of info: a rep is supposed to be in Connecticut and all emails seem to be from Sunnydale, California (using http://whatismyipaddress.com/trace-email).

Unfortunately, the emails were checked when the rep returned, so it was hard to use other methods to know how true this was.

When we discussed this with friends and colleagues, all told us that it could be possible that the rep emailed the boss using an Internet Provider not from Connecticut, not from the client site or hotel wifi spot, but from a nationwide Internet Provider.

The thing is that the link we provided in the question seems to work. We checked emails received from friends and colleagues from Texas, Florida, Central America, Asia, etc. and it seems to work. It does display the city, state and a Google Map of where it was sent from.

Yet, from this rep, who has very little tech knowledge, his emails came from California when they should have been from Connecticut.

In conclusion, we would like input from EE regarding this issue and maybe some links or techniques or, better yet, considerations to address this issue.
0
 

Assisted Solution

by:ajaydata
ajaydata earned 142 total points
ID: 37745599
I think you need not worry about anything else but two things: the headers of your email and the IP address used to connect to your server to deliver that mail to you. As headers can be rewritten the way the sender wants, the only authentic / guaranteed parameter to rely upon is the IP address.

Next is the domain used in the From ID during the sending protocol (not the From in the body, as they may be different). If the sender has configured an SPF record, you can find out the authentic server IP address too, and this will certainly give you a trace back to the actual city of the server.

Try out a service like visualroute.com to see the actual location of the server.
0
 

Author Comment

by:rayluvs
ID: 37745795
Went to the site but nothing related to emails; can you send me the actual link that checks email?
0
 

Expert Comment

by:ajaydata
ID: 37746540
Visualroute is to check the actual route to the IP address of the sender's server. It's nothing to do with email. So find out the sender server IP of the email you want to track and put that into VisualRoute.
0
 

Author Comment

by:rayluvs
ID: 37747286
Understood; so just enter the email sender's IP address, right?
0
 

Expert Comment

by:ajaydata
ID: 37750747
Yes, you got it.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 37753492
Ramante--Please do not forget the advice in http:#a37722407 to check IP addresses in
http://www.all-nettools.com/toolbox/smart-whois.php
0
 

Author Comment

by:rayluvs
ID: 37758363
Just tried it with the link http://www.all-nettools.com/toolbox/smart-whois.php, but the link for Visualroute.com seemed to stop working.

The problem or curiosity is that the return value is still from Sunnydale, California.

Question to close this thread:

Could it be possible that the rep emailed the boss using an Internet Provider not from where they were staying; that is, a Provider outside Connecticut?
0
 
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 215 total points
ID: 37758465
Ramante--In answer to your closing question, Sure.
I use Comcast as internet and email provider. All my incoming emails show emeryville, ca and westchester.pa as the Received from address. I and the senders live quite distant from either.
0
 

Assisted Solution

by:ajaydata
ajaydata earned 142 total points
ID: 37759813
Which SMTP server is being used is important to determine the actual server sending emails, and the server used will have logs of the client's (the person sending the email) machine IP. The person sending the email may be sitting in a hotel, cybercafe or friend's house, so you might get a different IP all the time, but the SMTP IP will remain the same.
0
 

Author Comment

by:rayluvs
ID: 37759875
Great info from both of you; we really have a way better understanding of this issue.

To really answer our doubt:
if the user has Comcast as email provider, using your example of Emeryville, California, and is using a hotspot on his vacation in Miami, Florida, how can I know that the email came from Miami, Florida?

Hope this helps address our concern.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 37760931
Ramante--You cannot with 100% certainty. But the procedures in http:#a37721451 may help you not rely on only the Received From at the top of the header.
0
 

Expert Comment

by:ajaydata
ID: 37762169
This will purely depend on whether Comcast is giving the real IP of the PC originating the email; if yes, you will get the accurate location in most cases.
0
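As an added example (not code from this thread or any of its posters), the script below walks a message's Received chain the way the three comments above describe: the top line records the provider's relay (which is what a one-line trace tool geolocates), while the oldest hop with a routable address is the client as the provider's SMTP server saw it, if the provider recorded it at all. The headers, hostnames and IP addresses are constructed for the demonstration.

```python
import email
import ipaddress
import re

# Constructed sample (not from the thread): the rep's mail client submits to the
# provider's outbound server, which relays to the recipient's MX. The top
# Received line shows the provider; the older line shows the submitting client.
SAMPLE = (
    "Received: from mail-out.example-isp.net (mail-out.example-isp.net [203.0.113.25])\n"
    "\tby mx.example.com with ESMTPS id abc123; Wed, 14 Mar 2012 10:02:11 -0400\n"
    "Received: from [192.168.1.20] (unknown [198.51.100.77])\n"
    "\tby mail-out.example-isp.net with ESMTPSA id xyz789; Wed, 14 Mar 2012 10:02:05 -0400\n"
    "From: rep@example.com\nSubject: weekly report\n\nbody\n"
)

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_lan(ip):
    """RFC 1918, loopback or link-local: a client's LAN address, useless for geolocation."""
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)

def parse_hops(raw):
    """Received hops in header order: index 0 is the hop nearest the recipient."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # non-standard line (e.g. an internal relay); skip it, keep the rest
        helo, comment, by_host = m.groups()
        ip = IP_RE.search(comment)  # address recorded by the receiving server, not the HELO claim
        hops.append({"helo": helo.lower(), "rdns": (comment.split() or ["?"])[0].lower(),
                     "by": by_host.lower(), "ip": ip.group(1) if ip else None})
    return hops

def chain_consistent(hops):
    """Each hop's 'by' server should appear as the 'from' server of the next-newer hop."""
    return all(hops[i + 1]["by"] in (hops[i]["helo"], hops[i]["rdns"])
               for i in range(len(hops) - 1))

def origin_ip(hops):
    """Oldest hop with a routable 'from' address: the client as the provider saw it."""
    for hop in reversed(hops):
        if hop["ip"] and not is_lan(hop["ip"]):
            return hop["ip"]
    return None
```

For the sample, `parse_hops(SAMPLE)[0]["ip"]` is the provider relay that a first-line trace reports, while `origin_ip(...)` returns the client address from the older hop; when a provider does not record the submitting client, both values end up being the provider's own server and the location question cannot be answered from headers alone.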
 

Author Comment

by:rayluvs
ID: 37817505
Thanx
0
 

Author Closing Comment

by:rayluvs
ID: 37817520
Thanx All!
0
