
Find Email Origin: Trace Email Source & Sender

August 8, 2013

Verifying Email Origins: Beyond the Display Name

The email address displayed in your inbox, such as Bill.Smith@somehost.com, isn't always a reliable indicator of the sender's true identity. It’s crucial to investigate further to determine the actual source of a potentially suspicious email.

Understanding Email Spoofing

Appearances can be deceiving when it comes to email. Malicious actors frequently employ techniques to disguise their origin, making it seem as though an email originated from someone else.

This practice, known as email spoofing, involves falsifying the "From" address. It's a common tactic used in phishing attacks and other email-based scams.

How to Trace an Email's True Source

Determining the genuine origin of an email requires examining the email headers. These headers contain detailed information about the email's journey across the internet.

Here's a breakdown of how to access and interpret these headers:

  • Accessing the Headers: Most email clients (Gmail, Outlook, etc.) provide a way to view the full email headers. Typically, this option is found within the email's settings or "Show Original" feature.
  • Analyzing the "Received" Lines: The headers contain multiple "Received:" lines. These lines trace the email's path from server to server.
  • Identifying the Originating Server: The bottom-most "Received:" line usually indicates the server from which the email was initially sent. This is a key piece of information, but keep in mind that the sender controls the earliest hops, so any "Received:" line below the last server you trust can be fabricated.

Pay close attention to the IP addresses listed in the headers. You can use online tools to look up the geographical location and owner of these IP addresses.

Source of this Information

This guidance originates from a question and answer exchange on SuperUser. SuperUser is a segment of Stack Exchange, a collaborative network of question-and-answer websites.

Stack Exchange communities provide valuable insights and solutions to technical challenges, making them a useful resource for understanding complex topics like email security.

Understanding Email Origins

A SuperUser user, Sirwan, has posed a common question regarding the true source of incoming emails.

How can I determine the actual origin of an email?

Are there methods to uncover this information?

I am familiar with the concept of email headers, but require guidance on accessing them within platforms like Gmail.

We will now explore the details contained within email headers to answer these questions.

What are Email Headers?

Email headers are metadata appended to an email message. They contain routing information and details about the message's journey from sender to recipient.

Think of them as a detailed log of every server the email passed through.

Locating Email Headers in Gmail

Accessing email headers in Gmail is a straightforward process.

  • Open the email in question.
  • Click the three vertical dots (More) located next to the Reply button.
  • Select "Show original" from the dropdown menu.

This action will display the full email headers in a new browser tab.

Analyzing Email Headers

The headers can appear complex, but key fields reveal the email's origin.

Focus on fields like "Received:" and "Return-Path:".

Understanding the "Received:" Fields

Multiple "Received:" fields are present, listed in reverse chronological order.

Each field indicates a server that handled the email, providing its hostname and timestamp.

Interpreting the "Return-Path:" Field

The Return-Path header specifies where bounce messages (delivery failures) are sent.

This can offer a clue to the sender's actual email server, though it can be spoofed.

Potential for Spoofing

It's crucial to understand that email headers can be spoofed.

Malicious actors can manipulate header information to disguise the email's true origin.

Therefore, header analysis isn't foolproof, but it provides valuable investigative data.

Additional Header Fields to Examine

Beyond "Received:" and "Return-Path:", consider these fields:

  • Message-ID: A unique identifier for the email.
  • X-Originating-IP: May reveal the sender's IP address (not always present).
  • Authentication-Results: Shows the results of email authentication checks (SPF, DKIM, DMARC).

These fields can contribute to a more comprehensive understanding of the email's path.

Understanding Email Origins and Identifying Scams

A SuperUser community member, Tomas, provides a comprehensive explanation regarding the tracing of email origins, particularly in the context of identifying potential scams.

The example presented details a phishing attempt where a scammer, impersonating a friend named Alice, requested financial assistance from a recipient named Bill. The email was initially sent to bill@domain.com, appearing to originate from alice@yahoo.com, but was forwarded to bill@gmail.com.

Analyzing Email Headers

Tomas demonstrates how to utilize the “show original” feature within Gmail to access the complete email headers. These headers record each server the message passed through on its way to the recipient.

The headers are read from bottom to top: the oldest entry is at the bottom, and each server involved in the transmission prepends its own “Received” line above the existing ones, detailing where it got the message from and when.

For instance, a header like this is observed:

    Received: from maxipes.logix.cz (maxipes.logix.cz. [2a01:348:0:6:5d59:50c3:0:b0b1])
            by mx.google.com with ESMTPS id j47si6975462eeg.108.2013.07.08.04.10.59
            for <bill@gmail.com>
            (version=TLSv1 cipher=RC4-SHA bits=128/128);
            Mon, 08 Jul 2013 04:11:00 -0700 (PDT)

This indicates that mx.google.com received the email from maxipes.logix.cz at a specific date and time.

Identifying the True Sender

To pinpoint the actual sender, the process involves locating the last trusted gateway: reading the headers from the top (newest) down, the last “Received” line that was written by a server the recipient controls or trusts. This requires determining the recipient’s (Bill’s) mail server.

Using tools like the ‘host’ command in Linux or online MX record lookup services, the mail server for domain.com is identified as maxipes.logix.cz or broucek.logix.cz.

Consequently, the most trustworthy “Received” record is:

    Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64])
            by maxipes.logix.cz (Postfix) with ESMTP id B43175D3A44
            for <bill@domain.com>; Mon, 8 Jul 2013 23:10:48 +1200 (NZST)

This record is considered reliable because it was logged by Bill’s mail server, indicating the email originated from the IP address 209.86.89.64.
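The following Python script is an added example, not code from the SuperUser answer or from Tomas, that applies both the general “analyze the Received lines” procedure above and this specific last-trusted-gateway walk: it unfolds the raw headers, extracts each hop's “from” host, “from” IP and “by” host, then walks the chain newest-first and stops at the first hop not logged by a trusted server (or whose “by” host does not match the hop above it). The sample headers are constructed from the three Received lines on this page, and the trusted-server set (the domain.com MX hosts named on the page plus mx.google.com) is an assumption.

```python
import re

# Constructed sample: the three Received: lines from this page, newest first (as they
# appear in a raw message), folded onto continuation lines as in RFC 5322.
SAMPLE_HEADERS = """\
Received: from maxipes.logix.cz (maxipes.logix.cz. [2a01:348:0:6:5d59:50c3:0:b0b1])
        by mx.google.com with ESMTPS id j47si6975462eeg.108.2013.07.08.04.10.59
        for <bill@gmail.com> (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Mon, 08 Jul 2013 04:11:00 -0700 (PDT)
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64])
        by maxipes.logix.cz (Postfix) with ESMTP id B43175D3A44
        for <bill@domain.com>; Mon, 8 Jul 2013 23:10:48 +1200 (NZST)
Received: from [168.62.170.129] (helo=laurence39)
        by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67)
        (envelope-from <alice@yahoo.com>) id 1Uw98w-0006KI-6y
        for bill@domain.com; Mon, 08 Jul 2013 06:58:06 -0400
"""

# Assumed trusted set: the MX hosts for domain.com from the page plus Gmail's inbound MX.
# Only Received: lines written BY these hosts are believable; lines below them came
# from the sender's side of the path and may be forged.
TRUSTED_SERVERS = {"mx.google.com", "maxipes.logix.cz", "broucek.logix.cz"}

def parse_received(raw):
    """Return one (from_host, from_ip, by_host) tuple per Received: line, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # join folded continuation lines
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        m = re.search(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", line)
        if m:
            from_host, comment, by_host = m.group(1), m.group(2) or "", m.group(3)
            ip = re.search(r"\[([0-9a-fA-F:.]+)\]", from_host + " " + comment)
            hops.append((from_host.strip("[]"), ip.group(1) if ip else None, by_host))
    return hops

def last_trusted_hop(hops, trusted=TRUSTED_SERVERS):
    """Walk newest-first and keep the last hop logged by a trusted server; stop at the
    first hop logged by an untrusted host or whose 'by' host is not the 'from' host of
    the hop above it (broken chain). That hop's 'from' IP is the best origin available."""
    best, expected_by = None, None
    for hop in hops:
        from_host, _ip, by_host = hop
        if by_host.lower() not in trusted or (expected_by and by_host.lower() != expected_by):
            break
        best, expected_by = hop, from_host.lower()
    return best
```

On the sample, last_trusted_hop returns the earthlink hop logged by maxipes.logix.cz, i.e. origin IP 209.86.89.64, matching the conclusion above.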

IP Address Verification and Blacklists

The identified IP address, 209.86.89.64, can then be checked against various blacklists to assess its reputation. In this instance, the IP address was found to be listed on three blacklists, suggesting malicious activity.

Another header provides further information:

    Received: from [168.62.170.129] (helo=laurence39)
            by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67)
            (envelope-from <alice@yahoo.com>)
            id 1Uw98w-0006KI-6y
            for bill@domain.com; Mon, 08 Jul 2013 06:58:06 -0400

However, this header is less trustworthy: it was written by a server outside the recipient's control, so it (and anything below it) could have been manipulated by the scammer to conceal their tracks.

Drawing Conclusions

Given that Alice uses Yahoo! and elasmtp-curtail.atl.sa.earthlink.net is not part of the Yahoo! network, it can be reasonably concluded that the email did not genuinely originate from Alice. This reinforces the need to avoid sending any financial aid in response to the fraudulent request.

Additional Resources

Other SuperUser contributors, Ex Umbris and Vijay, suggested utilizing SpamCop and Google’s Header Analysis tool as supplementary resources for decoding email headers and identifying potential scams.

  • SpamCop: A service for analyzing and reporting spam.
  • Google's Header Analysis tool: A tool provided by Google to help users understand email headers.