I am trying to find out who is sending me emails by analyzing the email header looking for "X-ORIGINATING-IP", however it has been removed by ms, Is there any other way to get this information?. I have the mail header which contents this info "X-TMN: [MFL/CsAQEKwS6FBaH6erkgcbcjS7fbWLKme6V2pHuA8=]". Can X-TMN be decryp?

Thanks in advance
Ludwig DiehlSystems ArchitectAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Tej Pratap Shukla ~DexterServer AdministratorCommented:
Hey ludwigDiehl,

Email headers are next to impossible while decrypting them manually, you would require a forensic software that retrieves information from message headers and displays the results which can be understood easily.I know about few software which could actually help you retrieve that information.

Feel free to revert back for further queries.

Try this online Email Header Analysis
How to extract email headers, a tutorial
X-TMN appears to be base-64 encoded, but decoding it doesn't provide anything that I've found to be immediately useful.Tests show that if you send email messages from the same IP address, but at different times, the X-TMN is different each time. It is possible that the IP address is combined with the timestamp and then passed through an encoding algorithm.
I think we're going to have to ask Microsoft for the answer and they'll probably only respond if compelled to through the legal process.
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

btanExec ConsultantCommented:
In the case of why you don't always see it - check to see what client the sender was using. Chances are it won't be a Gmail or Hotmail address - but another client that doesn't append the optional header, since it doesn't need to be used to deliver the actual message.

Exchange (specifically Exchange 2010) is also typically configured in transport rule to remove the header X-TMN which is sort of non-standard email header

One thing to note, is just like any other header, the X-Originating-IP header can be easily faked. If you're looking to use the X-Originating-IP header for filtering, you may have better luck with the Received header, which may also contain the IP address.
Ludwig DiehlSystems ArchitectAuthor Commented:
Thanks everyone for replying. I tried several approaches, however none did the trick. About the client, I am almost 100% sure he/she used the web client so it definitely it doesn't have any explicit  IP information but the X-TMN tag which certainly does not display such info.
To let you know before posting I tried some online header analysis tools, checked the email header and even looked up at some Microsoft  forums, the answers from them are always private as it seems to be some sort user's privacy protection.

Thanks in advance,
I will let you know if I have any look
btanExec ConsultantCommented:
may want to try mxtoolbox online email hdr analysis and in case you want to grab more from various email client even web based spamcop may come handy
Tej Pratap Shukla ~DexterServer AdministratorCommented:
Hey there

I've heard about few email forensic software such as EnCaseMaiXaminer by SysTools. These might help you retrieve X-TMN or other header information along with complete information about where all the mail traveled before reaching the recipient & much much more.

btanExec ConsultantCommented:
Below online check is useful and it explains each email header

x-tmn is an unique signature added to emails by Microsoft for identification and not likely you can decode it and not worthwhile, you can see one example @ http://scammed.by/analyze2.php?__cf_waf_tk__=0722230084v3bg8MhJwXg3MMH_Go94T-G3VQ

Other info- likewise you can check out "6. E-MAIL FORENSIC TOOLS" in the pdf which compile all toolkit listing for perusal @ http://airccse.org/journal/nsa/1111nsa17.pdf
Ludwig DiehlSystems ArchitectAuthor Commented:
Hey guys thx for the replies.
<breadtan>, I tried the online header analyzer you suggest. It is pretty cool because it explains each section, however it cannot decode X-TMN. I am also reading the file you mentioned, which has lots of info about this stuff...
I am still trying to figure it out, coz it is very important for me to find out who is sending these emails.
btanExec ConsultantCommented:
X-TMN is more MS unique signature, it is not a straight B64 and I am suspecting it is some HMAC hashing and does someB64 thereafter - really no point "decoding" it unless MS can share more...the "who"probably has to come from other parameter and sometimes header is just one indicator, may want to check email content (http hdr, location, app info, etc), attachment (with meta-data) and the chain of perimeter traffic ...
Ludwig DiehlSystems ArchitectAuthor Commented:
The thing is that I only have this header:

Delivered-To: xxxx@gmail.com
Received: by with SMTP id zf6csp50056wjb;
        Tue, 20 May 2014 12:58:58 -0700 (PDT)
X-Received: by with SMTP id kg10mr21087119pbc.163.1400615937935;
        Tue, 20 May 2014 12:58:57 -0700 (PDT)
Return-Path: <smithvillaclub@outlook.com>
Received: from BAY004-OMC3S2.hotmail.com (bay004-omc3s2.hotmail.com. [])
        by mx.google.com with ESMTPS id sd8si26029147pac.119.2014.
        for <robcorr50@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Tue, 20 May 2014 12:58:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of smithvillaclub@outlook.com designates as permitted sender) client-ip=;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of smithvillaclub@outlook.com designates as permitted sender) smtp.mail=smithvillaclub@outlook.com
Received: from BAY180-W50 ([]) by BAY004-OMC3S2.hotmail.com with Microsoft SMTPSVC(7.5.7601.22678);
	 Tue, 20 May 2014 12:58:52 -0700
X-TMN: [MFL/CsAQEKwS6FBaH6erkgcbcjS7fbWLKme6V2pHuA8=]
X-Originating-Email: [smithvillaclub@outlook.com]
Message-ID: <BAY180-W502FBF13A1445C7746808DD13D0@phx.gbl>
Return-Path: smithvillaclub@outlook.com
Content-Type: multipart/alternative;
From: joan smith <smithvillaclub@outlook.com>
To: "xxxx@gmail.com" <xxxx@gmail.com>
Date: Tue, 20 May 2014 14:58:52 -0500
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 20 May 2014 19:58:52.0084 (UTC) FILETIME=[EC3AF740:01CF7465]

Open in new window

So, if there is no source IP info, then what can I do to found it out?
Ludwig DiehlSystems ArchitectAuthor Commented:
btanExec ConsultantCommented:
From the email header, it does not revealed the client ip and the first received is instead by  BAY180-W50. Not very indicative of the sender real ip. One thing coming back is Microsoft email services like Hotmail, Live, Outlook etc. stopped showing the originating IP late in 2012. The Redmond address is just the Microsoft server.

I tried using http://www.ip-tracker.org/checker/email-lookup.php and minimally this is legit email account e.g. smithvillaclub@outlook.com. I doubt we can drill further to find the ip unless there is something hints from the sender to"beacon" anything back to you...tough nut...or seek authority if that is abusive account suspected...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ludwig DiehlSystems ArchitectAuthor Commented:
Thanks for answering and sorry for the delay. It is true that only microsoft's IP address is shown, however it is absolutely necessary to find out where that sender is sending those emails from.
We want to know if he(she)  is doing it from the company or outside.
btanExec ConsultantCommented:
not easy folk as mentioned as the email header has limited and it will be good to grab or forensic the target machine if this is organisation asset as end user agreement acceptance compliance. another is probably looks at the exchange to sync up event timestamp but tedious ...another is send the target to trace his email - see
Ludwig DiehlSystems ArchitectAuthor Commented:
Thx each and everyone for helping. It is now very a difficult task for me to decide who gave me the best answer. I will try my best ;). Thank you all once more!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Digital Forensics

From novice to tech pro — start learning today.