EmailDiscussions.com  

The Technical Zone... The Geeky forum... Use this forum to discuss technical aspects of email, from authentication protocols to encryption.

25 May 2017, 04:41 PM   #1
hatters
Junior Member
 
Join Date: May 2017
Posts: 5
Sending IP address investigation

A friend of mine has received an email reply (from the recipient, including the original) to an email that he did not send. At the time that the original was sent his laptop was not in his possession but at his workplace. Obviously someone at his workplace knew his userid and password and he is anxious to find out the IP address of the original sending email to facilitate his investigation.

The original email has been deleted by the sender so all he has is the reply including the original.

Is it possible to get the "properties" of the original email including the IP address from where it was sent?

26 May 2017, 12:24 AM   #2
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 371
There won't be any useful information in the reply message itself. What your friend would need is for the person who received the original e-mail to forward him a copy of the headers in that email message. That will almost certainly include an IP address, as well as routing information that shows not only the IP address the e-mail was sent from, but also which other servers it passed through.

However, based on the information you've provided, your friend may be making an unwarranted assumption here... Just because an e-mail said it came from his address doesn't mean it actually came from his account. E-mail FROM addresses are trivially easy to forge, so the message could have been sent from anywhere. The headers will reveal whether this is the case or not.

26 May 2017, 01:46 AM   #3
hatters
Junior Member
 
Join Date: May 2017
Posts: 5
Quote: Originally Posted by jhollington
Thanks for the reply, much appreciated, and that has pretty much confirmed my first thoughts, but it's great to have it confirmed by someone who actually knows what they're talking about (unlike me!). Thanks again.

26 May 2017, 06:02 AM   #4
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,722
Could be a phishing attempt--they send out emails that are purported to come from someone you know, but they really don't.

26 May 2017, 04:01 PM   #5
hatters
Junior Member
 
Join Date: May 2017
Posts: 5
Quote: Originally Posted by TenFour
Good thought, but definitely not in this case, Thanks anyway.

27 May 2017, 05:49 AM   #6
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
I have several comments. To reduce confusion, I'm referring to the apparently fake original message as #1 and the reply to your friend as #2.
  • In most cases deleting an email just moves it to the Trash folder. You said the "original email has been deleted by the sender". I don't know which sender you mean.
    • Do you mean that #1 was deleted by the person who sent it (which means you already know where the #1 message was actually originated)?
    • Or do you mean that #1 was deleted by the person who received it? If so, all they probably need to do is look at their Trash folder to find it.
  • Nearly all email systems (including those used by large companies) have web access for sending and receiving messages. So it's probably not a good defense to say you didn't have physical access to a PC so didn't send the message. There are also various remote control programs (such as Team Viewer) which allow someone else to completely control your PC remotely.
  • It does sound like it's some type of phishing or ruse message. The person who sent it might not know your friend, but has some information about them or someone else which they obtained in ways you don't understand. Or it could be a fellow employee or even a family member or a third party who has a reason to send such a fake message.
  • Anyone can fake the From header quite easily using a wide range of email tools. There are also a wide range of other scenarios which could fake other headers. Anyone with access to any computer on the same network might be able to send a message with real headers at the same IP address as the original PC.
Bill

27 May 2017, 05:39 PM   #7
hatters
Junior Member
 
Join Date: May 2017
Posts: 5
Quote: Originally Posted by n5bb
Wow, thanks for such a detailed reply. I'll try to explain the situation a little more clearly.

My friend (F) was getting a lot of grief from a supervisor (S) for a number of reasons that aren't really relevant on this forum. F was suspended from work by S on a trumped-up charge that has now been completely dismissed by higher management and the focus is switching to the behaviour of S.

F had his laptop taken by S when he was suspended, and since the laptop's return and his reinstatement (once the "charges" were deemed absurd), F has found two replies from clients to emails that were sent (presumably to incriminate F in some way) when the laptop was not in his possession. The original emails (presumably sent by S) had been deleted (again presumably by S), but the replies from the clients (including the originals still appended) were in his (F) inbox. I'm not sure of the actual "deletion" situation regarding whether or not they may still be in the trash or deleted folder as I haven't had a chance to talk in detail to F for a while.

I was hoping that there may be some way of tracking down the IP address from where the original two emails were sent (by examination of the replies only) so that F can prove that they were sent from his place of work when he was suspended. I think it's safe to say that neither F nor S are sufficiently IT aware to be able to falsify any headers or properties of the emails.

It may well be that the two recipients of the original emails still have them, and that would be a way to find out, but I'm not sure whether or not the Company would be willing to involve the clients in that way.

Again, there may well be internal procedures and facilities that could enable the Company to find out the truth, but I hoped to be able to give F enough basic information to enable him to provide his own evidence.

I have suggested to F that he hands over his laptop to the IT department at his place of work and asks them to investigate.

I'm 99.99% sure that it's not a phishing exercise but a malicious attempt to incriminate F.

I hope that makes things a little clearer, apologies for my original garbled post.

28 May 2017, 12:15 AM   #8
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
Without the server logs it's hard to be sure. All emails should contain a unique Message-Id header showing which email system or client originated the message. You haven't said whether a corporate email system (such as Exchange) was used or a service not hosted by the company. If it's an internal email system with an IT and HR department, I recommend going to the Human Resources department and filing a formal request for an IT investigation. This should be done as soon as possible.

Bill
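Worked example added here (not code from any poster): given a copy of the original message's headers, as jhollington's post #2 says the client would need to forward, it walks the Received chain from the bottom up to recover the first-hop host and IP, reads the RFC 3848 "with ESMTPA" marker that shows whether the sending account was actually logged into, and compares the Message-ID host that Bill's post #8 mentions against the From domain. Every host, address, ID and IP in the sample is a constructed placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample of the ORIGINAL message as the client's mail server stored it.
# Hosts, addresses, IDs and IPs are placeholders (RFC 5737 ranges), not real values.
SAMPLE = """\
Received: from mail.company.example (mail.company.example [198.51.100.20])
\tby mx.client.example with ESMTPS id def456; Thu, 25 May 2017 09:15:01 +0000
Received: from WORKSTATION-42 ([192.0.2.55])
\tby mail.company.example with ESMTPA id ghi789; Thu, 25 May 2017 09:15:00 +0000
Message-ID: <20170525091500.ghi789@mail.company.example>
From: F <f@company.example>
To: client@client.example
Subject: constructed example

body
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Hops oldest-first: every relay prepends its own Received header, so the last one is hop 1."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        host = re.search(r"\bfrom\s+(\S+)", hdr)
        ip = IP_RE.search(hdr)
        proto = re.search(r"\bwith\s+(\S+)", hdr)
        hops.append({
            "from_host": host.group(1) if host else None,
            "from_ip": ip.group(1) if ip else None,
            # RFC 3848: a trailing 'A' (ESMTPA, ESMTPSA) means the submitting
            # client logged in, i.e. the account's credentials were really used.
            "authenticated": bool(proto and proto.group(1).upper().endswith("A")),
        })
    return hops

def origin_summary(raw):
    """The facts the thread asks for: first-hop IP, whether a login happened, Message-ID vs From."""
    msg = message_from_string(raw)
    first = received_chain(raw)[0]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    msgid_host = (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2].lower()
    return {
        "origin_ip": first["from_ip"],
        "origin_host": first["from_host"],
        "submitted_with_login": first["authenticated"],
        "message_id_host": msgid_host,
        # A mismatch here is a hint that From was forged, not proof on its own.
        "message_id_matches_from": msgid_host == from_domain
        or msgid_host.endswith("." + from_domain),
    }
```

Only the mail server's own logs can confirm what the headers suggest, as Bill notes; headers added by servers outside the sender's control (here the client's) are the ones worth trusting.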
28 May 2017, 01:42 AM   #9
hatters
Junior Member
 
Join Date: May 2017
Posts: 5
Quote: Originally Posted by n5bb
Yup, will do, and thanks for all your help, it's really appreciated.
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy