Solved

How to determine where an email really came from

Posted on 2012-03-14
24
331 Views
Last Modified: 2012-06-27
We have a link that helps us know where the email came from:

http://whatismyipaddress.com/trace-email

Unfortunately, it seems that it looks into the actual "domain" and presents THAT specific address, not where it REALLY came from.

We thought maybe knowing the Internet Provider would help, but there are international Internet Providers, I guess, so knowing where the email was produced would not be real.

How can we know from where it came from?

Moderator, if the zones chosen are not the correct ones, please reassign.

Thanx Lots!
Question by:rayluvs
24 Comments
 
LVL 50

Accepted Solution

by:
jcimarron earned 215 total points
ID: 37721451
Ramante--While old, these two references should help
http://ask-leo.com/how_can_i_trace_where_email_came_from.html

http://tips.vlaurie.com/2008/01/how-to-find-out-where-an-email-really-came-from/

Note, however, even if you determine where the email came from, any spam sender will probably use another email address next time.
 
LVL 3

Assisted Solution

by:DaFranker
DaFranker earned 143 total points
ID: 37721479
Unfortunately, the only "sure" way to know the exact location where an email (that we assume was sent with maximum technology and skill in origin masking) was sent from is to obtain complete control over all machines involved in communicating the contents of the email, up to and including the source machine that the sender used to send the email in the first place (in order to verify that this machine wasn't just another bounce). Even then, someone may under certain circumstances erase records or some records may be removed for other reasons from one or more machines along the path, which may make tracing difficult or even impossible.

The only "absolute" method is to have live control over every machine including the sending machine, while the email is sent. This would mean the sender has to use a machine over which you already have control (and for which you can log and then back-up logs externally in real time) to send the e-mail.

Email tracing (of emails with forged headers and using other origin-masking techniques) often involves retrieving logs from multiple servers, comparing logs and headers, cross-referencing addresses with servers and which server should send what kind of signal and so on and so forth.
 

Author Comment

by:rayluvs
ID: 37721506
By what you are saying, is it safe to say that there is no way, not being a Government Entity, to do a "trace" of an email sent? No tools to buy or shareware/freeware to download that would accomplish this task?
 
LVL 50

Expert Comment

by:jcimarron
ID: 37721690
Ramante--What is your purpose?

Organizations such as SpamCop might help. http://www.spamcop.net/
 

Author Comment

by:rayluvs
ID: 37721798
My purpose is to know where the email is coming from. If more info is necessary, what I can tell you is that my boss has doubts about where his sales reps are sending their emails from.

Unfortunately, spamcop has no help toward what we need.
 
LVL 50

Expert Comment

by:jcimarron
ID: 37721883
Ramante--
"My purpose is to know where the email is coming from"
Country, City, email address, IP address, etc.??

I do not think Country can be faked too easily.
 

Author Comment

by:rayluvs
ID: 37722159
Country/City or just City or Country.....

You think it is possible?
 
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 215 total points
ID: 37722407
Ramante--
Did you read http://ask-leo.com/how_can_i_trace_where_email_came_from.html ?

So you can trace, but do you get correct info? Well, it depends. Take some of the headers from your salesmen and see what you get. Does the info seem logical?
And remember you can trace IP addresses here.
http://www.all-nettools.com/toolbox/smart-whois.php
 
LVL 3

Assisted Solution

by:DaFranker
DaFranker earned 143 total points
ID: 37723224
Ramante:

I'm not saying it's absolutely impossible or unfeasible in any manner without large resources at your disposal, but I am indeed inferring that without a lot of experience in related topics it'll be extremely difficult to be certain that the information you do find (because you *will* find some if you use the tools and techniques proposed by other experts here) is accurate.

My comment simply exposes the fact that, in extreme cases, it is possible to mask the origin of an email in a way that cannot be traced without those huge resources. However, doing so also requires larger resources and experience on the part of the sender.

Within the context you've specified, unless the sales reps are highly qualified IT experts (in which case they'd be reading your posts here and would already know you're trying to trace them), chances are they won't knowingly be using advanced origin-masking methods.

So, try to get the most complete headers, and analyze the info for consistency. However, be prepared for the possibility to end up, despite your best efforts, with only a list of temporary IP addresses for an international ISP. Anyone who has a friend in another country can make their email go through that friend's computer to make it seem like they were sent from there, with a bit of reading.
 

Author Comment

by:rayluvs
ID: 37729555
I totally agree with you. FYI, the sales reps are not technically inclined. That is why we think that a lot of resources would not be needed.

To give you a piece of info: a rep is supposed to be in Connecticut and all emails seem to be from Sunnydale, California (using http://whatismyipaddress.com/trace-email).

Unfortunately, the emails were checked when the rep returned, so it was hard to use other methods to know how true this was.

When we discussed this with friends and colleagues, all told us that it could be possible that the rep emailed the boss using an Internet Provider not from Connecticut, not from the client site or hotel wifi spot, but from a nationwide Internet Provider.

The thing is that the link we provided in the question seems to work. We checked emails received from friends and colleagues from Texas, Florida, Central America, Asia, etc. and it seems to work. It does display the city, state and a Google Map of where it was sent from.

Yet, from this rep, who has very little tech knowledge, his emails came from California when they should have been from Connecticut.

In conclusion, we would like input from EE regarding this issue and maybe some links or techniques or, better yet, considerations to address this issue.
 

Assisted Solution

by:ajaydata
ajaydata earned 142 total points
ID: 37745599
I think you need not worry about anything else but only two things: the headers of your email and the IP address used to connect to your server to deliver that mail to you. As headers can be rewritten the way the sender wants, the only authentic / guaranteed parameter to rely upon is the IP address.

Next is the domain used in the from ID during the sending protocol (not the From in the body, as they may be different). If the sender has configured an SPF record, you can find out the authentic server IP address too, and this will certainly give you a trace back to the actual location city of the server.

Try out a service like visualroute.com to see the actual location of the server.
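Working through ajaydata's point in code, as an added example that is not part of this thread or of any tool mentioned here: the script below parses the Received headers of a constructed sample message, walks the relay chain, and pulls out the IP address that each relay recorded for the host that connected to it. It also shows the caveat the thread keeps returning to: the only Received line you can vouch for is the one your own server wrote, so the lookup takes an optional list of trusted server names and stops walking once it reaches a line written by a server you do not control. A second constructed message with a sender-inserted bottom line shows how a naive bottom-up walk (which is what the web "trace" tools do) is fooled, and a hand-off consistency check flags it. All host names, addresses, ids and timestamps are made up; the RFC 5737 documentation ranges are treated as public addresses here for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real email). Each relay prepends its own
# Received line, so the newest hop is on top and the sender's hop at the bottom.
SAMPLE_RAW = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
        by mail.example.com with ESMTPS id abc123
        for <boss@example.com>; Wed, 14 Mar 2012 10:05:01 -0400
Received: from smtp.isp.example (smtp.isp.example [198.51.100.25])
        by mx1.example.net with ESMTP id def456;
        Wed, 14 Mar 2012 10:04:58 -0400
Received: from [192.168.1.23] (unknown [192.0.2.77])
        by smtp.isp.example with ESMTPSA id ghi789;
        Wed, 14 Mar 2012 10:04:55 -0400
From: rep@example.com
To: boss@example.com
Subject: weekly numbers

Attached.
"""

# The same message with one extra, sender-written Received line at the bottom
# of the chain (also constructed). Nothing stops a mail client from adding one.
FORGED_HOP = """\
Received: from mail.fakecorp.example (mail.fakecorp.example [203.0.113.200])
        by smtp.isp.example with ESMTP id zzz000;
        Wed, 14 Mar 2012 09:00:00 -0400
"""
FORGED_RAW = SAMPLE_RAW.replace("From: rep@", FORGED_HOP + "From: rep@", 1)

# Address ranges that never identify a location: RFC 1918, loopback, link-local.
# (The RFC 5737 documentation ranges used in the samples are treated as public.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def parse_received(value):
    """Split one Received header into the claimed (HELO) name, the IP the
    receiving server itself recorded in parentheses, the receiving server,
    and the timestamp after the last ';'."""
    m = HOP_RE.search(value)
    paren = (m.group("paren") or "") if m else ""
    ips = IP_RE.findall(paren)
    ts = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    return {
        "helo": m.group("helo") if m else None,
        "by": m.group("by") if m else None,
        "recorded_ip": ips[0] if ips else None,
        "when": parsedate_to_datetime(ts) if ts else None,
    }


def hops(raw):
    """All Received lines of the message, newest first, already parsed."""
    return [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]


def originating_ip(raw, trusted_by=()):
    """Walk the chain from our own server downwards and return the deepest
    public IP recorded by a server we trust. With no trusted list the walk
    goes all the way to the bottom, which is what most web 'trace' tools do."""
    trusted = {h.lower() for h in trusted_by}
    candidate = None
    for hop in hops(raw):
        if trusted and (hop["by"] or "").lower() not in trusted:
            break  # everything below was written by machines we do not control
        ip = hop["recorded_ip"]
        if ip and not is_internal(ip):
            candidate = ip
    return candidate


def consistency_issues(raw):
    """Cross-check adjacent hops: the server that wrote the older line should be
    the one named after 'from' in the line above it, and time must not go backwards."""
    issues = []
    chain = hops(raw)
    for newer, older in zip(chain, chain[1:]):
        if older["by"] and newer["helo"] and older["by"].lower() != newer["helo"].lower():
            issues.append(f"hand-off mismatch: {older['by']} wrote a line, "
                          f"but the hop above says from {newer['helo']}")
        if older["when"] and newer["when"] and newer["when"] < older["when"]:
            issues.append(f"timestamp goes backwards at {newer['by']}")
    return issues


if __name__ == "__main__":
    for label, raw in (("clean", SAMPLE_RAW), ("forged", FORGED_RAW)):
        print(label, "naive:", originating_ip(raw),
              "trusted-only:", originating_ip(raw, trusted_by=("mail.example.com",)),
              "issues:", consistency_issues(raw))
```

On the clean sample the naive walk lands on the client address the ISP's submission server recorded (192.0.2.77, with the rep's private LAN address visible only as the HELO name), while the trusted-only walk stops at the relay that actually connected to mail.example.com, which is the one value the receiving side can guarantee. On the forged sample the naive walk is steered to the sender-typed 203.0.113.200, but the hand-off check notices that smtp.isp.example supposedly wrote a line below a hop that says it was contacted by [192.168.1.23], which is the kind of inconsistency the thread suggests looking for.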
 

Author Comment

by:rayluvs
ID: 37745795
Went to the site but nothing related to emails; can you send me the actual link that checks email?
 

Expert Comment

by:ajaydata
ID: 37746540
Visualroute is to check the actual route to the IP address of the sender server. It's nothing to do with email. So find out the sender server IP of the email you want to track and put that into Visualroute.
 

Author Comment

by:rayluvs
ID: 37747286
Understood; so just enter the email sender's IP address, right?
 

Expert Comment

by:ajaydata
ID: 37750747
Yes, you got it.
 
LVL 50

Expert Comment

by:jcimarron
ID: 37753492
Ramante--Please do not forget the advice in http:#a37722407 to check IP addresses in
http://www.all-nettools.com/toolbox/smart-whois.php
 

Author Comment

by:rayluvs
ID: 37758363
Just tried it with the link http://www.all-nettools.com/toolbox/smart-whois.php, but the link for Visualroute.com seemed to stop working.

The problem or curiosity is that the return value is still from Sunnydale, California.

Question to close this thread:

Could it be possible that the rep emailed the boss using an Internet Provider not from where they were staying; that is, a Provider outside Connecticut?
 
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 215 total points
ID: 37758465
Ramante--In answer to your closing question, Sure.
I use Comcast as internet and email provider. All my incoming emails show emeryville, ca and westchester.pa as the Received from address. I and the senders live quite distant from either.
 

Assisted Solution

by:ajaydata
ajaydata earned 142 total points
ID: 37759813
Which SMTP server is being used is important to determine the actual server sending emails, and the server used will have logs of the client (person sending email) machine's IP. The person sending email may be sitting in a hotel, cybercafe or friend's house, so you might get a different IP all the time, but the SMTP IP will remain the same.
 

Author Comment

by:rayluvs
ID: 37759875
Great info from both of you; we really have a way better understanding of this issue.

To really answer our doubt:
if the user has Comcast as email provider, using your example of Emeryville, California, and is using a hotspot on his vacation in Miami, Florida, how can I know that the email came from Miami, Florida?

Hope this helps pass on our concern.
 
LVL 50

Expert Comment

by:jcimarron
ID: 37760931
Ramante--You cannot with 100% certainty. But the procedures in http:#a37721451 may help you not rely on only the Received From at the top of the header.
 

Expert Comment

by:ajaydata
ID: 37762169
This will purely depend on whether Comcast is giving the real IP of the PC originating the email; if yes, you will get the accurate location in most cases.
 

Author Comment

by:rayluvs
ID: 37817505
Thanx
 

Author Closing Comment

by:rayluvs
ID: 37817520
Thanx All!