Is there any tool to trace all emails? I need to trace the IP address and location of the sender address. I also need to identify emails from fake addresses.
Please explain what exactly you are trying to do. – Ramhound Jun 28 '12 at 14:26
I got an email from example@gmail.com. I want to find who sent this email. I want his IP when sending this email, for proof. – open source guy Jun 28 '12 at 15:44
What you want is not possible. It could have been sent by anyone in the world. Google does not keep track of who actually sent it, only which account, which is likely `example@gmail.com` unless it was spoofed, of course. – Ramhound Jun 28 '12 at 18:31
4 Answers
You can't get the IP address of the sender, but you can see the IP address of the server that was used to send the email. This is how to distinguish between a fake and a real email address. For example, in Gmail, when you click on the small arrow in an email and select 'Show original', you can find information regarding the source of the email. I just got this email from LinkedIn: `Received: from mailc-cd.linkedin.com (mailc-cd.linkedin.com. [199.101.160.48]) by mx.google.com with ESMTP id tj6si707840pbc.168.2012.06.27.19.13.01; Wed, 27 Jun 2012 19:13:01 -0700 (PDT)`. If it was a fake message you will see just an IP address, or you can look up the IP address to see if it belongs to the email provider.
Notice that mail headers are read bottom-up. New headers are always added to the top of the mail. Also notice that fakers are aware of this and often add fake headers to an email before sending it. – jippie Jun 28 '12 at 07:44
@jippie: A number of MTAs exhibit the behavior you describe, but RFC 2822 doesn't mandate it. – Blrfl Jun 28 '12 at 12:45
I'll try to answer your second question: how to detect fake (spoofed) e-mails.
All you need is to take a look at your e-mail headers. `Received` headers will tell you about the route which the message took to get to you. You should read those headers in reverse order. If the `Received` headers consist of server names not related to the e-mail domain, then you probably received a spoofed e-mail. Let's assume that we got an e-mail from test@stackexchange.com and we want to check if it's a fake or not. The easiest (and usually effective) method is checking the MX records: `host -t MX stackexchange.com` and comparing them with the `Received` headers.
Another method to avoid spoofed e-mails is using mail servers which implement Sender Policy Framework (you can read more about it here: https://www.rfc-editor.org/rfc/rfc4408) or DomainKeys Identified Mail.
By examining e-mail headers you can determine if a sent e-mail is spoofed or not, but you cannot trace the sender's IP address. However, there are some exceptions. The stuff which you can find inside the e-mail headers depends on the e-mail facility used. Some web-mail server implementations have additional headers. An example is `X-Originator-IP`, which COULD store the IP address of the computer which sent the e-mail.
"Some web-mail server implementations have additional headers" -- which webmails are putting people's IPs into the headers? I found that Yahoo and Hotmail do this. – Aug 04 '12 at 09:59
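The two answers above describe the same manual procedure: read the `Received` chain bottom-up, trust only the line your own MX wrote, and compare the host it saw connecting against the sender's domain (and its MX records). The script below is an added example that is not code from either answer. It parses the chain with the standard `email` module, takes the topmost hop as the only trustworthy one (jippie's point: everything below it arrived with the message and can be planted), and reports whether that hop's reverse-DNS name falls under the `From:` domain or matches one of its MX hosts. The two sample messages and the MX table are constructed for this example (the LinkedIn `Received` line is the one quoted in the first answer; the `mx1.linkedin.com` / `mx.stackexchange.com` names are not real records, and in practice you would fill the table from `host -t MX <domain>`). It also reads the webmail originator header, spelled `X-Originating-IP` as Hotmail and Yahoo emitted it.

```python
"""Read a message's Received chain and check the hop our own MX recorded
against the claimed sender domain. Added example; samples are constructed."""
import email
import email.utils
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Typical shape: "from <helo> (<reverse-dns>. [<ip>]) by <receiver> ...".
# The HELO name is whatever the client announced; the parenthesised part is
# the receiving MTA's own lookup of the connecting address.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<seen>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # [a.b.c.d] inside Received
PLAIN_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")            # for X-Originating-IP

# Constructed stand-in for `host -t MX <domain>`; these are not real records.
MX_TABLE = {"linkedin.com": ["mx1.linkedin.com"], "stackexchange.com": ["mx.stackexchange.com"]}

def offline_mx(domain: str) -> List[str]:
    return MX_TABLE.get(domain.lower(), [])

@dataclass
class Hop:
    helo: str            # name (or bare IP) the sending host announced
    rdns: Optional[str]  # name the receiver resolved for the peer IP, if any
    ip: Optional[str]
    by: str              # MTA that wrote this Received line

@dataclass
class Verdict:
    sender_domain: str
    handoff_host: str           # what our own MX actually saw connecting
    handoff_ip: Optional[str]
    consistent: bool            # handoff host is under the sender domain or one of its MX hosts
    untrusted_hops: int         # Received lines below ours: supplied by the remote side, forgeable
    originating_ip: Optional[str]

def received_hops(msg) -> List[Hop]:
    """Hops top-down: hops[0] was added last, by the server closest to us."""
    hops = []
    for value in msg.get_all("Received") or []:
        text = " ".join(str(value).split())          # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        seen = m["seen"] or ""
        rdns = None
        if seen and not seen.startswith("["):         # a leading [ip] means no reverse name
            rdns = seen.split()[0].rstrip(".").lower()
        ip_m = BRACKET_IP_RE.search(seen) or BRACKET_IP_RE.search(text)
        hops.append(Hop(m["helo"].strip("[]").lower(), rdns,
                        ip_m.group(1) if ip_m else None, m["by"].lower()))
    return hops

def assess(raw: str, mx_lookup: Callable[[str], List[str]],
           own_mx=frozenset({"mx.google.com"})) -> Verdict:
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    if not hops or hops[0].by not in own_mx:
        raise ValueError("topmost Received line was not written by our own MX; no trustworthy hop")
    top = hops[0]
    domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mx_hosts = {h.lower().rstrip(".") for h in mx_lookup(domain)}
    host = top.rdns or top.helo
    # A bare IP with no reverse name never counts as consistent with the sender domain.
    consistent = top.rdns is not None and (
        host in mx_hosts or host == domain or host.endswith("." + domain))
    orig = msg.get("X-Originating-IP")
    orig_m = PLAIN_IP_RE.search(orig) if orig else None
    return Verdict(domain, host, top.ip, consistent, len(hops) - 1,
                   orig_m.group(0) if orig_m else None)

# Constructed sample 1: the LinkedIn hop quoted in the first answer, with a matching From.
LEGIT_RAW = """\
Received: from mailc-cd.linkedin.com (mailc-cd.linkedin.com. [199.101.160.48]) by mx.google.com with ESMTP id tj6si707840pbc.168.2012.06.27.19.13.01; Wed, 27 Jun 2012 19:13:01 -0700 (PDT)
From: LinkedIn <messages-noreply@linkedin.com>
To: victim@gmail.com
Subject: New connection

(body)
"""

# Constructed sample 2: a spoof of test@stackexchange.com. The lower Received line was
# planted by the sender; the top one, written by mx.google.com, shows a bare IP only.
SPOOF_RAW = """\
Received: from [203.0.113.77] by mx.google.com with ESMTP id k9si12345qab.42; Thu, 28 Jun 2012 10:00:00 -0700 (PDT)
Received: from mail.stackexchange.com (mail.stackexchange.com. [203.0.113.9]) by mx.google.com with ESMTP; Thu, 28 Jun 2012 09:59:00 -0700 (PDT)
X-Originating-IP: [203.0.113.77]
From: Support <test@stackexchange.com>
To: victim@gmail.com
Subject: Account notice

(body)
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_RAW), ("spoof", SPOOF_RAW)):
        print(label, assess(raw, offline_mx))
```

The verdict for the spoof is "not consistent" even though a perfectly plausible stackexchange.com hop sits lower in the chain; that hop is counted under `untrusted_hops` and ignored, which is exactly why the answers say to read from the top (your own server's line) rather than trust the oldest-looking entry. The MX comparison is the heuristic the second answer proposes; it is not SPF or DKIM, which would need the sender domain's published policy and a signature check.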
There is no single tool that provides a full backtrace to an IP (unless the remailers choose to add such headers) but there is a single process you can use:
Get a court order with sufficient interjurisdictional authority. This way the police have the power to "unravel" the chain and examine corporate logs to back trace the email.
Of course idle curiosity doesn't qualify as a good enough reason for the courts*. The email chain of a death threat, bomb hoax, drug buy or a family court injunction on the other hand is something the courts take more seriously.
* Unless you are a spy agency and the "court" is FISC.
In Gmail you have the option to view the message in its original form. All the information provided there is all you can get (OK, short of reading a server's logs).