Solved

X-TMN

Posted on 2014-06-09
Last Modified: 2014-07-17
I am trying to find out who is sending me emails by analyzing the email header looking for "X-ORIGINATING-IP"; however, it has been removed by MS. Is there any other way to get this information? I have the mail header, which contains this info: "X-TMN: [MFL/CsAQEKwS6FBaH6erkgcbcjS7fbWLKme6V2pHuA8=]". Can X-TMN be decrypted?

Thanks in advance
0
Comment
Question by:Ludwig Diehl
16 Comments
 
LVL 12

Expert Comment

by:Tej Pratap Shukla ~Dexter
ID: 40123692
Hey ludwigDiehl,

Email headers are next to impossible to decrypt manually; you would require forensic software that retrieves information from message headers and displays the results in a way that can be understood easily. I know about a few software tools which could actually help you retrieve that information.

Feel free to revert back for further queries.

Thanks
~Dex
0
 
LVL 70

Expert Comment

by:Merete
ID: 40123906
Try this online Email Header Analysis
http://www.iptrackeronline.com/email-header-analysis.php
How to extract email headers, a tutorial
http://www.iptrackeronline.com/how-to-extract-email-headers.php
0
 
LVL 9

Expert Comment

by:SirtenKen
ID: 40124263
X-TMN appears to be base-64 encoded, but decoding it doesn't provide anything that I've found to be immediately useful. Tests show that if you send email messages from the same IP address, but at different times, the X-TMN is different each time. It is possible that the IP address is combined with the timestamp and then passed through an encoding algorithm.
I think we're going to have to ask Microsoft for the answer and they'll probably only respond if compelled to through the legal process.
0

 
LVL 64

Expert Comment

by:btan
ID: 40126470
In the case of why you don't always see it - check to see what client the sender was using. Chances are it won't be a Gmail or Hotmail address - but another client that doesn't append the optional header, since it doesn't need to be used to deliver the actual message.

Exchange (specifically Exchange 2010) is also typically configured with a transport rule to remove the X-TMN header, which is a sort of non-standard email header.

One thing to note, is just like any other header, the X-Originating-IP header can be easily faked. If you're looking to use the X-Originating-IP header for filtering, you may have better luck with the Received header, which may also contain the IP address.
0
 
LVL 6

Author Comment

by:Ludwig Diehl
ID: 40128698
Thanks everyone for replying. I tried several approaches, however none did the trick. About the client, I am almost 100% sure he/she used the web client, so it definitely doesn't have any explicit IP information, only the X-TMN tag, which certainly does not display such info.
To let you know, before posting I tried some online header analysis tools, checked the email header and even looked at some Microsoft forums; the answers from them are always private, as it seems to be some sort of user privacy protection.

Thanks in advance,
I will let you know if I have any luck
0
 
LVL 64

Expert Comment

by:btan
ID: 40128730
You may want to try the MxToolbox online email header analysis, and in case you want to grab more from various email clients, even web-based, SpamCop may come in handy.
0
 
LVL 12

Expert Comment

by:Tej Pratap Shukla ~Dexter
ID: 40131532
Hey there

I've heard about a few email forensic software tools such as EnCase, MailXaminer by SysTools. These might help you retrieve X-TMN or other header information along with complete information about where all the mail traveled before reaching the recipient & much much more.

Thanks
~Dex
0
 
LVL 64

Expert Comment

by:btan
ID: 40132200
Below online check is useful and it explains each email header
http://scammed.by/analyze2.php

X-TMN is a unique signature added to emails by Microsoft for identification; it is not likely you can decode it, and it is not worthwhile. You can see one example @ http://scammed.by/analyze2.php?__cf_waf_tk__=0722230084v3bg8MhJwXg3MMH_Go94T-G3VQ

Other info: likewise, you can check out "6. E-MAIL FORENSIC TOOLS" in the PDF, which compiles a toolkit listing for perusal @ http://airccse.org/journal/nsa/1111nsa17.pdf
0
 
LVL 6

Author Comment

by:Ludwig Diehl
ID: 40133269
Hey guys thx for the replies.
<breadtan>, I tried the online header analyzer you suggest. It is pretty cool because it explains each section, however it cannot decode X-TMN. I am also reading the file you mentioned, which has lots of info about this stuff...
I am still trying to figure it out, coz it is very important for me to find out who is sending these emails.
0
 
LVL 64

Expert Comment

by:btan
ID: 40133460
X-TMN is more of an MS unique signature. It is not a straight B64, and I am suspecting it is some HMAC hashing that does some B64 thereafter - really no point "decoding" it unless MS can share more... The "who" probably has to come from other parameters, and sometimes the header is just one indicator. You may want to check the email content (HTTP header, location, app info, etc.), attachment (with metadata) and the chain of perimeter traffic...
0
 
LVL 6

Author Comment

by:Ludwig Diehl
ID: 40148434
The thing is that I only have this header:

Delivered-To: xxxx@gmail.com
Received: by 10.194.166.102 with SMTP id zf6csp50056wjb;
        Tue, 20 May 2014 12:58:58 -0700 (PDT)
X-Received: by 10.68.202.74 with SMTP id kg10mr21087119pbc.163.1400615937935;
        Tue, 20 May 2014 12:58:57 -0700 (PDT)
Return-Path: <smithvillaclub@outlook.com>
Received: from BAY004-OMC3S2.hotmail.com (bay004-omc3s2.hotmail.com. [65.54.190.140])
        by mx.google.com with ESMTPS id sd8si26029147pac.119.2014.05.20.12.58.57
        for <robcorr50@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Tue, 20 May 2014 12:58:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of smithvillaclub@outlook.com designates 65.54.190.140 as permitted sender) client-ip=65.54.190.140;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of smithvillaclub@outlook.com designates 65.54.190.140 as permitted sender) smtp.mail=smithvillaclub@outlook.com
Received: from BAY180-W50 ([65.54.190.189]) by BAY004-OMC3S2.hotmail.com with Microsoft SMTPSVC(7.5.7601.22678);
	 Tue, 20 May 2014 12:58:52 -0700
X-TMN: [MFL/CsAQEKwS6FBaH6erkgcbcjS7fbWLKme6V2pHuA8=]
X-Originating-Email: [smithvillaclub@outlook.com]
Message-ID: <BAY180-W502FBF13A1445C7746808DD13D0@phx.gbl>
Return-Path: smithvillaclub@outlook.com
Content-Type: multipart/alternative;
	boundary="_aa3b173a-057a-4ea4-833d-39c57961d53a_"
From: joan smith <smithvillaclub@outlook.com>
To: "xxxx@gmail.com" <xxxx@gmail.com>
Subject:
Date: Tue, 20 May 2014 14:58:52 -0500
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 20 May 2014 19:58:52.0084 (UTC) FILETIME=[EC3AF740:01CF7465]



So, if there is no source IP info, then what can I do to found it out?
0
 
LVL 6

Author Comment

by:Ludwig Diehl
ID: 40148435
find*
0
 
LVL 64

Accepted Solution

by:
btan earned 1500 total points
ID: 40148578
The email header does not reveal the client IP, and the first Received is instead 65.54.190.189 by BAY180-W50. Not very indicative of the sender's real IP. One thing to come back to is that Microsoft email services like Hotmail, Live, Outlook etc. stopped showing the originating IP late in 2012. The Redmond address is just the Microsoft server.

I tried using http://www.ip-tracker.org/checker/email-lookup.php and minimally this is a legit email account, e.g. smithvillaclub@outlook.com. I doubt we can drill further to find the IP unless there is something that hints from the sender to "beacon" anything back to you... tough nut... or seek authority if an abusive account is suspected...
0
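
Added example (not written by any poster in this thread): a Python standard-library sketch of what can actually be read from the header posted in the question. It walks the Received chain oldest-first, measures the decoded X-TMN blob without trying to interpret it, and converts the X-OriginalArrivalTime FILETIME so it can be lined up against other logs. The header fields in `RAW` are copied from the post and trimmed; the function names are this example's own.

```python
import base64, ipaddress, re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header fields copied from the question's posted header (trimmed, addresses omitted).
RAW = """\
Received: from BAY004-OMC3S2.hotmail.com (bay004-omc3s2.hotmail.com. [65.54.190.140])
        by mx.google.com with ESMTPS id sd8si26029147pac.119.2014.05.20.12.58.57
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Tue, 20 May 2014 12:58:57 -0700 (PDT)
Received: from BAY180-W50 ([65.54.190.189]) by BAY004-OMC3S2.hotmail.com with Microsoft SMTPSVC(7.5.7601.22678);
\t Tue, 20 May 2014 12:58:52 -0700
X-TMN: [MFL/CsAQEKwS6FBaH6erkgcbcjS7fbWLKme6V2pHuA8=]
Date: Tue, 20 May 2014 14:58:52 -0500
X-OriginalArrivalTime: 20 May 2014 19:58:52.0084 (UTC) FILETIME=[EC3AF740:01CF7465]
"""
MSG = message_from_string(RAW)

def received_hops(msg):
    """Bracketed IPs from the Received chain, oldest hop first, with a public/private flag."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value):
            hops.append((ip, ipaddress.ip_address(ip).is_global))
    return hops

def tmn_length(msg):
    """X-TMN is valid Base64; report only the size of the opaque blob."""
    return len(base64.b64decode(msg["X-TMN"].strip("[] "), validate=True))

def arrival_time(msg):
    """FILETIME=[low:high] holds 100 ns ticks since 1601-01-01 UTC."""
    low, high = re.search(r"FILETIME=\[([0-9A-F]{8}):([0-9A-F]{8})\]",
                          msg["X-OriginalArrivalTime"]).groups()
    ticks = (int(high, 16) << 32) | int(low, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def sender_utc_offset(msg):
    """UTC offset written into the Date header by the sending side."""
    return parsedate_to_datetime(msg["Date"]).utcoffset()

if __name__ == "__main__":
    for ip, public in received_hops(MSG):
        print("hop", ip, "public" if public else "private")
    print("X-TMN decoded bytes:", tmn_length(MSG))
    print("arrival (UTC):", arrival_time(MSG).isoformat())
    print("Date header offset:", sender_utc_offset(MSG))
```

The decoded X-TMN value is 32 bytes, the size of a 256-bit digest or MAC, which is consistent with the HMAC guess made earlier in the thread but does not confirm it. The converted arrival time is the value to match against mail-gateway or proxy logs when correlating timestamps.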
 
LVL 6

Author Comment

by:Ludwig Diehl
ID: 40163429
Thanks for answering and sorry for the delay. It is true that only Microsoft's IP address is shown, however it is absolutely necessary to find out where that sender is sending those emails from.
We want to know if he (she) is doing it from the company or outside.
0
 
LVL 64

Expert Comment

by:btan
ID: 40163801
Not easy, folk, as mentioned, as the email header has limited information, and it would be good to grab or do forensics on the target machine if this is an organisation asset, per end user agreement acceptance compliance. Another is probably to look at the Exchange to sync up event timestamps, but tedious... Another is to send to the target to trace his email - see
http://help.exacttarget.com/en/documentation/exacttarget/tracking/tracking/
0
 
LVL 6

Author Comment

by:Ludwig Diehl
ID: 40177308
Thx each and every one for helping. It is now a very difficult task for me to decide who gave me the best answer. I will try my best ;). Thank you all once more!
0


Question has a verified solution.
