kastro
asked on
Mail flow is like this
I am investigating an email record and need to know from where the email was sent and what device was used to send it.
When I checked the header details using an analyzer, I found some mail flow along with the source IP of the mail server, but not the sender location and IP.
HE1EUR02FT012.mail.protection.outlook.com (185.70.40.133)
Fri, 26 Jul 2019 06:18:19 +0000
HE1EUR02FT012.eop-EUR02.prod.protection.outlook.com
Fri, 26 Jul 2019 06:18:19 +0000
AM3PR07CA0075.eurprd07.prod.outlook.com
AM0PR07MB3940.eurprd07.prod.outlook.com
Fri, 26 Jul 2019 06:18:21 +0000
AM6PR07MB3942.eurprd07.prod.outlook.com
Receivers
If your entry reflects all the Received: lines,
this means the email was submitted through the web interface.
Commonly, there is an identifier in the headers that MS can use to determine the source, IP, credentials, and user who sent the message.
If you can post the entire message header, I can point out what to look for in a message header and how to determine the flow.
As arnold mentioned, that's not even close to all of the headers. Please post everything that you have if you're comfortable sharing.
That is why I suggested a proper header analysis tool. Not enough here.
Run the header in this tool https://testconnectivity.microsoft.com/?tabid=mha
ASKER
I can't share the complete header details as they are confidential, but I'll give you the history: I am receiving emails from different sources to defame the company's top management.
I have only the email header, but no logs from the mail server, mail gateway and firewall.
I need to find:
the sender location, not the location of Gmail or ProtonMail;
tracking of the sender email: whether it is genuine, when it was created, who owns this email, etc.;
maximum details about the person behind this activity.
Delivery-Information.docx
ProtonMail is designed very much around privacy, so good luck on that. Plus, they definitely don't record IPs in the headers.
Gmail doesn't stick in the origin IP either.
Going through the legal system is really going to be your best shot.
Here is how things work.
The topmost Received: header is the last one added.
The Received: header closest to the From: entry is the first one added.
Received: from source
by the system that added this header, and time
In short, you are tracing upward, making sure that the source matches the prior receiver. If they do not match, the header below is fake.
Received: from source1
by source on today
Received: from source3
by source2 yesterday
The originating, lowest Received: line can be seen as fake, since the next Received: line added reflects source1 as the source of the message delivered to the one adding the Received: entry.
Commonly, in most of the current web-based email submissions, they have an X-something: header that has some funny characters. Only they can decrypt the reference to identify the sender, username, IP, etc.
See if they have an abuse department; provide the message header to that department with the complaint.
They should address the issue with the party.
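The hop-by-hop check described in the answer above, written out as an added example that is not part of the original thread. It parses a constructed header block (the hostnames, IPs, queue IDs and the X-Originating-IP line are made up; the bottom Received: line is deliberately forged), walks the Received: lines from the earliest (bottom) hop upward, and flags any hop whose "by" host is not the "from" host named by the hop added immediately after it. The surviving oldest hop is the furthest point the chain actually vouches for; for a webmail submission that will be the provider's own host, not the sender. The X- headers are collected only so they can be handed to the provider's abuse desk, as the answer suggests.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample header block (not from the original post). Hostnames, IPs
# and queue IDs are made up; the bottom Received: line is deliberately forged.
SAMPLE_HEADERS = """\
Received: from mx2.example.com (mx2.example.com [203.0.113.20])
 by inbox.example.com with ESMTP id abc123;
 Fri, 26 Jul 2019 06:18:21 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
 by mx2.example.com with ESMTPS id def456;
 Fri, 26 Jul 2019 06:18:19 +0000
Received: from webmail.example.org (localhost [127.0.0.1])
 by relay.example.org with HTTP id ghi789;
 Fri, 26 Jul 2019 06:18:18 +0000
Received: from victim-pc (unknown [192.0.2.99])
 by smtp.bogus.test with ESMTP;
 Thu, 25 Jul 2019 23:00:00 +0000
X-Originating-IP: [127.0.0.1]
From: someone@example.org
Subject: test

body text
"""


@dataclass
class Hop:
    """One Received: header. Index 0 in a list is the topmost, i.e. the last one added."""
    raw: str
    frm: Optional[str]      # host the adding server says it received the message from
    by: Optional[str]       # server that added this header
    suspect: bool = False   # set when the hop above does not vouch for this one


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) onto their header line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break                       # blank line ends the header block
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


_FROM_RE = re.compile(r"\bfrom\s+([^\s(;]+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+([^\s(;]+)", re.IGNORECASE)


def _host(m: Optional[re.Match]) -> Optional[str]:
    return m.group(1).lower().rstrip(".") if m else None


def parse_received(raw: str) -> List[Hop]:
    """Extract Received: headers in document order (top first)."""
    hops: List[Hop] = []
    for line in unfold_headers(raw):
        name, _, value = line.partition(":")
        if name.strip().lower() != "received":
            continue
        hops.append(Hop(raw=value.strip(),
                        frm=_host(_FROM_RE.search(value)),
                        by=_host(_BY_RE.search(value))))
    return hops


def check_chain(hops: List[Hop]) -> List[Hop]:
    """Trace from the oldest hop upward: each hop's 'by' host must be the 'from'
    host recorded by the hop added right after it, otherwise the lower hop was
    never really traversed and is marked suspect."""
    for i in range(len(hops) - 1, 0, -1):
        lower, upper = hops[i], hops[i - 1]
        if lower.by and upper.frm and lower.by != upper.frm:
            lower.suspect = True
    return hops


def analyze(raw: str) -> dict:
    """Return the hops, the oldest hop the chain vouches for, and any X- headers."""
    hops = check_chain(parse_received(raw))
    trusted = [h for h in hops if not h.suspect]
    origin = trusted[-1] if trusted else None
    x_headers = [l for l in unfold_headers(raw) if l.lower().startswith("x-")]
    return {"hops": hops, "origin": origin, "x_headers": x_headers}


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS)
    for i, h in enumerate(result["hops"]):
        flag = "  <-- SUSPECT" if h.suspect else ""
        print(f"hop {i}: from={h.frm} by={h.by}{flag}")
    o = result["origin"]
    print(f"chain vouches back to: {o.frm} (received by {o.by})")
    print("provider identifiers to send to abuse desk:", result["x_headers"])
```

Note that the comparison is on the hostname the receiving server wrote after "by", not on the self-declared hostname in the "from" comment, which is exactly the value a forger controls; when the mismatch lands on the bottom line, everything below the first consistent hop should be treated as untrusted.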
https://mxtoolbox.com/EmailHeaders.aspx