0

Imagine I send one email with my e-mail client to a person B. Person B gets the email, and in the email header he/she can read the IP address from where it was sent.

Which IP address is written? The one of my router or of my email server? (In the case I do not host an email server.)

E.g. how I understood if the email was sent from a client email application then on the email header can be present the IP of my router, is this correct?

What I don't understand is why is this info so important if my home IP changes automatically once in 24h? Then the IP address present on the emails header cannot point back to me anymore.

Or do I miss something?

EDIT:

One more related question; when I send the email (with the e-mail client) to a person B, the email will go first to my email server. So when the email reaches the email server, in the header of the email will be already minimum 2 IPs "from addresses": the one of my router and the one of my ISP.

The question is:

1) Is the mail server keeping those "2 from addresses" and together with his address send the email to the mail server B?

In this case, the mail server B gets the mail with "3 from addresses" with one pointing directly to my router

2) Or does the mail server "reset" the from addresses, so at the final point my router IP is not present on the mail server B (mail header)?

schroeder
  • 123,438
  • 55
  • 284
  • 319
lucidBug
  • 123
  • 1
  • 4

3 Answers3

1

It depends, most email relays and mail servers will add headers with the sender's IP. Yet nothing forces them to add the correct IP. A typical email exchange would happen as:

email client -> your mail server -> destination mail server -> addressee's client

Yet, it can pretty well go:

email client -> local mail server -> remote mail server ->
  -> destination domain relay -> destination mail server -> addressee's client

Or an even more complex design. SMTP (and its extensions) is pretty robust in terms to proxying/relaying. And although this is not a requirement of SMTP most relays and mail servers simply keep all headers that are currently in the mail and just add their own on top.

This has a couple of interesting side effects, for example it isn't uncommon to find mail with several Received: headers.

Let's look at a couple of header examples in a rather complex mail path: The following is from a mail that uses google as a the mail server but has its own domain (i.e. the MX record for the mail domain is mail.google.com), the email then passes through a relay and then back to mail.google.com to a different gmail address.

First of all we get:

X-Received: by 10.x.x.x with SMTP id d27mr24214681oib.59.1473677977339;
        Mon, 12 Sep 2016 03:59:37 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with
        HTTPREST; Mon, 12 Sep 2016 06:59:36 -0400

This is from the client to gmail, note that the IP that google saw is there. Next it goes to the relay:

Received: from mail-it0-f41.google.com ([209.x.x.x]:37883)
        by mail.fsf.org with esmtps (TLS-1.0:RSA_AES_128_CBC_SHA1:16)
        (Exim 4.69)
        (envelope-from <******@hotelquickly.com>)
        id 1bjix0-0003Rs-3K
        for ******@member.fsf.org; Tue, 13 Sep 2016 04:20:18 -0400
Received: by mail-it0-f41.google.com with SMTP id 183so31757158itf.0
        for <****@member.fsf.org>; Tue, 13 Sep 2016 01:20:17 -0700 (PDT)

So we have one of google's mail server's IP talking to the relay at mail.fsf.org

And finally back to google:

Received: from mail.fsf.org (mail.fsf.org. [208.x.x.x])
        by mx.google.com with ESMTPS id n48sd14225674qtn.126.2016.09.13.01.20.23
        for <******@gmail.com>
        (version=TLS1 cipher=AES128-SHA bits=128/128);
        Tue, 13 Sep 2016 01:20:23 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning ******@hotelquickly.com does not designate 208.x.x.x
        as permitted sender) client-ip=208.x.x.x;
Authentication-Results: mx.google.com;
        dkim=pass header.i=@hotelquickly.com;
        spf=softfail (google.com: domain of transitioning ******@hotelquickly.com does not designate
        208.x.x.x as permitted sender) smtp.mailfrom=******@hotelquickly.com;
        dmarc=pass (p=NONE dis=NONE) header.from=hotelquickly.com
Received: from Debian-exim by mail.fsf.org with spam-scanned (Exim 4.69)
        (envelope-from <******@hotelquickly.com>)
        id 1bjix0-0003Rx-7z
        for ******@member.fsf.org; Tue, 13 Sep 2016 04:20:22 -0400

And there is even more because I use procmail but by then it deals with local IPs only.

In summary

Most machines will add the IPs of the machines they received mail from to mail headers, yet there is nothing forcing the machine to add the correct IPs. If you run your own mail server you can add misguiding IP addresses, yet the next hop in the mail path will add the IP it believes your mail server has to the headers (i.e. the mail server it received the mail from).

grochmal
  • 5,677
  • 2
  • 19
  • 30
  • thanks for the explanation. But this IP in the header will start from my router or from my mail server? I edited the question. – lucidBug Sep 17 '16 at 20:17
  • 1
    @lucidBug - If you are the owner of the machine that is the mail server, then you can configure it to ignore the IP from your router. If you are connecting (SMTP) to, say, mail.google.com then that server will add `Received: from [blah blah] `. – grochmal Sep 17 '16 at 20:24
  • Usually the "addressee 's client" won't be getting mail through smtp – GnP Sep 18 '16 at 00:22
1

The mail headers called "Received" contain a number of IP addresses that correspond to the mail servers the email passes through on its journey from the originator to the destination. You can easily examine these with the help of a web tool.

You read those from bottom to top as each new server adds a new header to the list.

Using those headers you can trace which machine sent and received the email at each stage of the journey.

Or at least you can if nobody has forged any of them along the way which is pretty common for automated spam.

In regard to your your exact questions. Your local (external) IP address will generally be recorded first as the submitting host but it rather depends on your email setup and the client.

If you get a dynamic IP address from your ISP then of course this will be different at different times but all of the addresses will be in a block or set of blocks that are traceable to your ISP. Armed with that knowledge, it is possible for suitably authorised people (and in many cases around the world including the USA, unauthorised officials) to request the ISP to tell them who was assigned an IP address at any specific time.

Again, however, in the case of spam, the originating IP addresses will either have been forged or will come from a machine in a botnet of which the actual owner is unaware.

If you want to check things out further, try this article which contains some example headers you can paste into the web tool I mentioned earlier.

Julian Knight
  • 7,092
  • 17
  • 23
  • so if my router ip changes every 24 h, even if the person B can read all the "from addresses", he will probably have my old ip address right? (imagine he reads the email the day after I've sent him) And he will need to ask my ISP like you told. Did I understand correctly? – lucidBug Sep 17 '16 at 20:14
  • "Using those headers you can trace which machine sent and received the email at each stage of the journey." Are you sure of that? What if I use Tor and I use a local mail-client? – O'Niel Sep 17 '16 at 20:48
  • @lucidBug: He would have to have an email each day from you in order to get the IP's. If he has the clout to "persuade" your ISP to give up the data, he can find you or at least your machine. It should take a court order to do that in most western countries. Govt agencies may have exceptions. In other countries, less savoury types will have their own methods. – Julian Knight Sep 17 '16 at 22:57
  • @O'Niel: That's why I twice made the comment about forged IP's, it isn't an absolute by any means. Use a secure VPN service that doesn't keep records. TOR has known vulnerabilities around exit nodes but obviously makes it harder. Of course, some of these things are illegal in some countries. Take care. – Julian Knight Sep 17 '16 at 23:00
-1

No, if someone wanted to they can spoof it.

Normally, I believe it depends on which e-mail service you use. With Gmail, it doesn't send your personal IP along with the e-mail, it'll send the IP of the Gmail server.

To test this you can try running Wireshark, and creating an account from both e-mail services. Then try sending an e-mail to/from which ever e-mail service you want, and see if they match what you were expecting.

No one
  • 1
  • 2