25 May 2017, 04:41 PM | #1 |
Junior Member
Join Date: May 2017
Posts: 5
|
Sending IP address investigation
A friend of mine has received an email reply (from the recipient, including the original) to an email that he did not send. At the time that the original was sent his laptop was not in his possession but at his workplace. Obviously someone at his workplace knew his userid and password and he is anxious to find out the IP address of the original sending email to facilitate his investigation.
The original email has been deleted by the sender so all he has is the reply including the original. Is it possible to get the "properties" of the original email including the IP address from where it was sent? |
26 May 2017, 12:24 AM | #2 |
Essential Contributor
Join Date: Apr 2008
Posts: 371
|
There won't be any useful information in the reply message itself. What your friend would need is for the person who received the original e-mail to forward him a copy of the headers in that email message. That will almost certainly include an IP address, as well as routing information that shows not only the IP address the e-mail was sent from, but also which other servers it passed through.
However, based on the information you've provided, your friend may be making an unwarranted assumption here... Just because an e-mail said it came from his address doesn't mean it actually came from his account. E-mail FROM addresses are trivially easy to forge, so the message could have been sent from anywhere. The headers will reveal whether this is the case or not. |
26 May 2017, 01:46 AM | #3 | |
Junior Member
Join Date: May 2017
Posts: 5
|
Quote:
|
|
26 May 2017, 06:02 AM | #4 |
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,746
|
Could be a phishing attempt--they send out emails that are purported to come from someone you know, but they really don't.
|
26 May 2017, 04:01 PM | #5 |
Junior Member
Join Date: May 2017
Posts: 5
|
|
27 May 2017, 05:49 AM | #6 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
I have several comments. To reduce confusion, I'm referring to the apparently fake original message as #1 and the reply to your friend as #2.
|
27 May 2017, 05:39 PM | #7 | |
Junior Member
Join Date: May 2017
Posts: 5
|
Quote:
My friend (F) was getting a lot of grief from a supervisor (S) for a number of reasons that aren't really relevant on this forum. F was suspended from work by S on a trumped-up charge that has now been completely dismissed by higher management and the focus is switching to the behaviour of S. F had his laptop taken by S when he was suspended, and since the laptop's return and his reinstatement (once the "charges" were deemed absurd), F has found two replies from clients to emails that were sent (presumably to incriminate F in some way) when the laptop was not in his possession. The original emails (presumably sent by S) had been deleted (again presumably by S), but the replies from the clients (including the originals still appended) were in his (F) inbox. I'm not sure of the actual "deletion" situation regarding whether or not they may still be in the trash or deleted folder as I haven't had a chance to talk in detail to F for a while. I was hoping that there may be some way of tracking down the IP address from where the original two emails were sent (by examination of the replies only) so that F can prove that they were sent from his place of work when he was suspended. I think it's safe to say that neither F nor S are sufficiently IT aware to be able to falsify any headers or properties of the emails. It may well be that the two recipients of the original emails still have them, and that would be a way to find out, but I'm not sure whether or not the Company would be willing to involve the clients in that way. Again, there may well be internal procedures and facilities that could enable the Company to find out the truth, but I hoped to be able to give F enough basic information to enable him to provide his own evidence. I have suggested to F that he hands over his laptop to the IT department at his place of work and asks them to investigate. I'm 99.99% sure that it's not a phishing exercise but a malicious attempt to incriminate F.
I hope that makes things a little clearer, apologies for my original garbled post. |
|
28 May 2017, 12:15 AM | #8 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
Without the server logs it's hard to be sure. All emails should contain a unique Message-Id header showing which email system or client originated the message. You haven't said whether a corporate email system (such as Exchange) was used or a service not hosted by the company. If it's an internal email system with an IT and HR department, I recommend going to the Human Resources department and filing a formal request for an IT investigation. This should be done as soon as possible.
Bill |
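Added example, not part of any post in this thread: a Python sketch of what posts #2 and #8 describe, reading the Received chain and the Message-Id from the full headers of the original message once a recipient supplies them. The header text, host names and addresses are constructed (example domains, documentation IP ranges), and `received_hops` and `summarize` are hypothetical helper names.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample headers (example domains, documentation IP ranges).
RAW = """\
Received: from mail.corp.example (mail.corp.example [198.51.100.7])
\tby mx.client.example with ESMTPS id def456;
\tThu, 25 May 2017 09:14:05 +0000
Received: from LAPTOP-F (unknown [192.0.2.44])
\tby mail.corp.example with ESMTPSA id ghi789;
\tThu, 25 May 2017 09:14:02 +0000
From: F <f@corp.example>
To: client@client.example
Subject: constructed sample
Message-ID: <20170525091402.1234@mail.corp.example>

body
"""

def field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def received_hops(raw):
    """Return Received hops oldest-first; each server prepends its own line."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())           # unfold continuation lines
        stamp = text.rsplit(";", 1)[-1].strip()  # timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(stamp)
        except (TypeError, ValueError):
            when = None                          # malformed or missing date
        hops.append({"from": field(r"\bfrom\s+(\S+)", text),
                     "ip": field(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", text),
                     "by": field(r"\bby\s+(\S+)", text),
                     "time": when})
    return hops

def summarize(raw):
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    # Only lines added by servers you trust are reliable: anything below the
    # first trusted hop was supplied by the sending side and can be forged.
    mid = (msg["Message-ID"] or "").strip("<> ")
    return {"origin_ip": hops[0]["ip"] if hops else None,
            "message_id_domain": mid.rpartition("@")[2],
            "hops": hops}

if __name__ == "__main__":
    print(summarize(RAW))
```

The earliest hop's address and the Message-Id domain are leads to compare against the mail server's own logs, not proof on their own.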
28 May 2017, 01:42 AM | #9 | |
Junior Member
Join Date: May 2017
Posts: 5
|
Quote:
|
|