
I have done the message header lookup, but the problem is that the first result for the From field is blank, so I would like to know: can someone with a bit more experience than basic knowledge of reverse lookups give me some advice on the following header?

Received: from CO1NAM03HT178.eop-NAM03.prod.protection.outlook.com
(2603:10a6:800:e9::13) by VE1PR03MB5759.eurprd03.prod.outlook.com with HTTPS
via VI1PR0302CA0003.EURPRD03.PROD.OUTLOOK.COM; Mon, 28 Sep 2020 12:07:13
+0000
Received: from CO1NAM03FT018.eop-NAM03.prod.protection.outlook.com
(10.152.80.60) by CO1NAM03HT178.eop-NAM03.prod.protection.outlook.com
(10.152.81.4) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.21; Mon, 28 Sep
2020 12:07:12 +0000
Received: from mail-yb1-f176.google.com (209.85.219.176) by
CO1NAM03FT018.mail.protection.outlook.com (10.152.80.174) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.3412.21 via Frontend Transport; Mon, 28 Sep 2020 12:07:11 +0000
Received: by mail-yb1-f176.google.com with SMTP id 67so721281ybt.6
for <jeffreysbaycorp@outlook.com>; Mon, 28 Sep 2020 05:07:11 -0700 (PDT)
From: Jan Blom <blom2jan@gmail.com>
To: "jeffreysbaycorp@outlook.com" <jeffreysbaycorp@outlook.com>

The result from the Google Message header tool:

Screenshot of Google Message header tool.

Anders

1 Answer


You've already got a screen shot of the answer from Google's header parser, but we can parse them again here if you like.

First, ignore your local server infrastructure. You're at MS o365, so you want to ignore the Received headers above the oldest one that's by an outlook.com server. That leaves two relays, the one acknowledging receipt by your infrastructure (thus by ….mail.protection.outlook.com) and the Google-internal handoff:

Received: from mail-yb1-f176.google.com (209.85.219.176) by
    CO1NAM03FT018.mail.protection.outlook.com (10.152.80.174) with Microsoft SMTP
    Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
    15.20.3412.21 via Frontend Transport; Mon, 28 Sep 2020 12:07:11 +0000
Received: by mail-yb1-f176.google.com with SMTP id 67so721281ybt.6
    for <jeffreysbaycorp@outlook.com>; Mon, 28 Sep 2020 05:07:11 -0700 (PDT)

This message originated from Google's mail infrastructure. Google doesn't reveal much about its senders (which is why that field is blank on the decoder), so that's as far as you can get.

Google does, however, require using a verified address in its users' outbound From headers, meaning you should be able to assume that the purported sender is legitimate even if you can't find that person's IP address in the headers (because web mail doesn't typically log its HTTP transactions as verbosely as mail relays log SMTP transactions, see this question).

Adam Katz
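As an added example (not code from the question or the answer above), the script below automates the triage the answer does by hand: unfold the Received: lines, put them in transit order (oldest first), find the first hop accepted by a host in your own domain, and report what the sender's side recorded. The header block is the question's, with the RFC 5322 folding whitespace restored on the continuation lines; `our_domain` is an assumed parameter naming the recipient organisation's mail domain. Run against the sample it reports the boundary hop as coming from mail-yb1-f176.google.com (209.85.219.176) and no sender-side client address at all, which is exactly the blank field the decoder showed.

```python
"""Walk a message's Received: chain and locate the hop where it entered our
infrastructure. Added example, not code from the original question or answer;
standard library only. our_domain is an assumed parameter."""
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the question's headers with the RFC 5322 folding
# whitespace (a leading space on continuation lines) restored.
SAMPLE_HEADERS = """\
Received: from CO1NAM03HT178.eop-NAM03.prod.protection.outlook.com
 (2603:10a6:800:e9::13) by VE1PR03MB5759.eurprd03.prod.outlook.com with HTTPS
 via VI1PR0302CA0003.EURPRD03.PROD.OUTLOOK.COM; Mon, 28 Sep 2020 12:07:13
 +0000
Received: from CO1NAM03FT018.eop-NAM03.prod.protection.outlook.com
 (10.152.80.60) by CO1NAM03HT178.eop-NAM03.prod.protection.outlook.com
 (10.152.81.4) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.21; Mon, 28 Sep
 2020 12:07:12 +0000
Received: from mail-yb1-f176.google.com (209.85.219.176) by
 CO1NAM03FT018.mail.protection.outlook.com (10.152.80.174) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.3412.21 via Frontend Transport; Mon, 28 Sep 2020 12:07:11 +0000
Received: by mail-yb1-f176.google.com with SMTP id 67so721281ybt.6
 for <jeffreysbaycorp@outlook.com>; Mon, 28 Sep 2020 05:07:11 -0700 (PDT)
From: Jan Blom <blom2jan@gmail.com>
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?")
RECEIVED_BY = re.compile(r"\bby\s+(\S+)")
# Finds the address in both the Outlook "(1.2.3.4)" and the Postfix
# "(name [1.2.3.4])" styles, IPv6 literals included.
IP_LITERAL = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[0-9a-f]*:[0-9a-f:]+", re.I)


def unfold_headers(raw):
    """Return (name, value) pairs with folded continuation lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull the from-host, its recorded address, the by-host and the timestamp."""
    m_from = RECEIVED_FROM.match(value)
    m_by = RECEIVED_BY.search(value)
    ips = IP_LITERAL.findall(m_from.group(2) or "") if m_from else []
    date_part = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    return {
        "from": m_from.group(1) if m_from else None,  # None: no client recorded
        "ip": ips[-1] if ips else None,
        "by": m_by.group(1) if m_by else None,
        "time": parsedate_to_datetime(date_part) if date_part else None,
    }


def received_chain(raw):
    """Hops in transit order, oldest (nearest the sender) first: each MTA
    prepends its Received: line above the ones already present."""
    values = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    return [parse_received(v) for v in reversed(values)]


def entry_hop(hops, our_domain):
    """Index of the first hop accepted by a host in our_domain: the trust
    boundary. Every older hop was written on the sender's side."""
    suffix = "." + our_domain.lower()
    for i, hop in enumerate(hops):
        by = (hop["by"] or "").lower().rstrip(".")
        if by == our_domain.lower() or by.endswith(suffix):
            return i
    return None


def origin_ip(hops, our_domain):
    """Client address recorded on the sender's side, or None when no hop
    there carries a from-clause (the Google web-mail submission above)."""
    boundary = entry_hop(hops, our_domain)
    for hop in (hops[:boundary] if boundary is not None else hops):
        if hop["ip"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = received_chain(SAMPLE_HEADERS)
    b = entry_hop(hops, "outlook.com")
    print("entered our infrastructure at hop", b, "from",
          hops[b]["from"], hops[b]["ip"])
    print("sender-side client address:", origin_ip(hops, "outlook.com"))
```

Only the hop at the boundary and the hops after it were written by machines you control; the older ones are whatever the sending side chose to put there, so `origin_ip` deliberately stops at the boundary rather than treating the relay's own address (209.85.219.176 here) as the sender's.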