Does raw data from an email disclose the actual creator?


Is it possible to discover the creator, or the whereabouts of the creator, of an email by reading the raw data of the email alone, using for example BT Yahoo Webmail? The case in question involves emails that are being created by someone who has hacked the account, not the account holder. Time discrepancies have been seen in the raw data compared to the timestamp on the actual emails, but to amateur eyes that is all that can be extrapolated so far.

Vesper007

Posted 2018-08-11T17:45:33.750

Reputation: 35

Can you check the sender's IP in the mail headers? – alfred – 2018-08-11T17:56:25.047

Possibly. [edit] the question to include the full mail headers. – DavidPostill – 2018-08-11T18:03:09.613

Do not post any actual IP. – alfred – 2018-08-11T19:16:09.893

You need to read the email header from bottom to top; the Received field(s) will show you the path it took to the final destination. The actual submitter is in the first (from the bottom) Received field. The Received-SPF field will disclose what was used as the real From when the servers talked to each other. – Alex – 2018-08-11T19:44:26.667

Comments are actually not a good place to answer a question, so I expanded it and moved it to the answer section. – Alex – 2018-08-11T23:28:37.063

Answers


You need to read the email header from bottom to top.
The Received: field(s) will show you the path the email took to the final destination, i.e. all the intermediate servers the email passed through. The actual submitter of the email is in the first (from the bottom) Received: field.

The From: field cannot always be trusted, because it is possible to forge it on some badly configured sending servers. So, to reveal what was really used in the communication protocol in place of MAIL FROM:, one can investigate the header field Received-SPF:, which will disclose the real sender's email in the sub-field envelope-from= (of course, this field is only available if the receiving server cares to check SPF, which is what prevents email forging).
This Received-SPF: field also indicates the status of the SPF check; if it passed verification, that confirms the email was really sent from an email server that the domain owner authorized to send emails.

If a sender's server cares about its users, there could also be a DKIM: field, which is the digital signature and integrity mechanism that guarantees the email was truly sent via an authorized email server and that the message itself wasn't forged. (It works kind of like HTTPS, but is only used to protect the integrity of the original email, so if some middle man tried to change something in the email, the public key cryptography would trigger an error.)

The fields above are the most useful for identifying the real sender, as well as for making sure that the email wasn't forged.

Alex

Posted 2018-08-11T17:45:33.750

Reputation: 5 606

Once again Alex, thank you so much. You have really helped and made it easy to understand too! – Vesper007 – 2018-08-12T04:58:54.877
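As an added illustration of the bottom-up reading Alex describes (this is not code from the thread), the following Python script uses only the standard library to parse a constructed header block: it lists the Received: hops origin-first, pulls the result and envelope-from= out of Received-SPF:, takes the d= domain from DKIM-Signature:, and flags a visible From: whose domain does not match the envelope sender. Every host, address and IP in the sample is a made-up placeholder.

```python
import email
import re
from email.utils import parseaddr

# Constructed raw headers: every address, host and IP is a made-up placeholder.
RAW_MESSAGE = """\
Received: from mta-in.receiver.test (mta-in.receiver.test [192.0.2.10])
 by mailbox.receiver.test with LMTP; Sat, 11 Aug 2018 17:40:00 +0000
Received-SPF: pass (receiver.test: 203.0.113.5 is permitted sender)
 client-ip=203.0.113.5; envelope-from=real.sender@sender.test;
Received: from smtp-out.sender.test (smtp-out.sender.test [203.0.113.5])
 by mta-in.receiver.test with ESMTPS; Sat, 11 Aug 2018 17:39:58 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
 by smtp-out.sender.test with ESMTPSA; Sat, 11 Aug 2018 17:39:55 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=sender.test; s=sel1; h=from:to; b=x
From: "Account Holder" <holder@webmail.test>
To: victim@receiver.test

body
"""


def flat(value):
    # Unfold a (possibly multi-line) header value into one normalised line.
    return " ".join(str(value).split())


def analyze_headers(raw):
    """Extract the facts the answer says to look for, reading bottom-up."""
    msg = email.message_from_string(raw)
    # Each hop prepends its own Received: line, so the last one in the header
    # is the first hop; reverse the list to read from the origin outward.
    hops = [flat(h) for h in reversed(msg.get_all("Received", []))]
    origin_ip = re.search(r"\[([\d.]+)\]", hops[0] if hops else "")
    spf = flat(msg.get("Received-SPF", ""))
    env = re.search(r"envelope-from=([^;\s]+)", spf)
    envelope_from = env.group(1).strip('"<>') if env else ""
    dkim = re.search(r"\bd=([^;\s]+)", flat(msg.get("DKIM-Signature", "")))
    header_from = parseaddr(msg.get("From", ""))[1]
    # A visible From: whose domain differs from the envelope sender is the
    # forgery case the answer warns about (SPF only vouches for the envelope).
    domain = lambda addr: addr.rpartition("@")[2].lower()
    return {
        "hops_bottom_up": hops,
        "origin_ip": origin_ip.group(1) if origin_ip else None,
        "spf_result": spf.split()[0] if spf else None,
        "envelope_from": envelope_from or None,
        "dkim_domain": dkim.group(1) if dkim else None,
        "header_from": header_from,
        "from_matches_envelope": bool(envelope_from)
        and domain(envelope_from) == domain(header_from),
    }
```

Run it on the raw source of a suspect message (saved from the webmail "view raw" option) in place of the sample; the bottom-most hop's IP is the submission point the answer refers to, and a `from_matches_envelope` of `False` is the mismatch worth asking the provider about.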