
| Subject: | Re: OT: IP of the originating machine from a gmail email |
|---|---|
| Date: | Sat, 29 Dec 2007 08:12:18 +0300 |

Hello Saqib,

Definitely you can know who within this world has sent you email. For this you need to perform email header analysis.

Since you asked specifically for GMAIL, the way to see header information in Gmail is to click on "Show original" in the mail opened from the inbox. This is the same place where you get the options of Reply, Reply to All, Forward etc. This is mostly possible if the sender has preferred to send email via a MUA and not through the typical web-base of Gmail.

In the header, you can check for the string named

"Received: from [WWW.XXX.YYY.ZZZ] (helo=AAA.BBB.CCC.DDD)"

OR

"Received: from [WWW.XXX.YYY.ZZZ] (helo=hostname.domain)"

where WWW.XXX.YYY.ZZZ is the public IP address of the user who has sent the mail. You could go to DNS.com and find out who has registered this public IP address.

Now the "helo" string varies since different Mail User Agents (MUA) implement it differently. Some prefer to just send their internal/private IP address, i.e. the pre-NAT address (AAA.BBB.CCC.DDD) such as 192.168.0.75, and some prefer to send their hostname.domain information, whereas some others just prefer to send 127.0.0.1 as their identity for the 'helo' string. This sometimes also depends on the mail server configurations. For example, Mozilla Thunderbird on the Microsoft Windows platform prefers to send the pre-NAT address, i.e. the private IP address, and the same on Linux prefers to send the hostname.domain information.

Besides "Received: from" you can also derive some juicy information about the sender like "User-Agent", which will tell you about the MUA used by the sender. It could typically be Microsoft Outlook 11 or 12, or it could be Mozilla Thunderbird, K-Mail etc.

---

NIKHIL WAGHOLIKAR
Information Security Analyst
NII Consulting
Web: http://www.niiconsulting.com
Security Products: http://www.niiconsulting.com/products.html

On Dec 28, 2007 5:34 AM, Ali, Saqib <docbook.xml@gmail.com> wrote:

> Hello,
>
> I was wondering if there is a way to get the IP address of the machine that was used to compose an email that was sent using gmail?
>
> saqib
> http://www.quantumcrypto.de/dante/
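
The header analysis described in the reply above, as an added example that is not part of the original thread: a Python parser that pulls the `Received: from [IP] (helo=...)` fields and the `User-Agent` out of a raw message and labels the HELO value the way the reply distinguishes them. The sample message, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (documentation addresses, not a real capture).
SAMPLE = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbox.example.net with ESMTP id abc123; Sat, 29 Dec 2007 08:12:30 +0300
Received: from [203.0.113.45] (helo=192.168.0.75)
\tby mx.example.org with esmtp id 1J8abc-0001; Sat, 29 Dec 2007 08:12:18 +0300
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
From: sender@example.org
To: rcpt@example.net
Subject: test

body
"""

# Matches the "from [IP] (helo=NAME)" form quoted in the reply above.
RECEIVED_RE = re.compile(
    r"from\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\s+\(helo=(?P<helo>[^)\s]+)\)")

def classify_helo(helo):
    """Label a HELO value: loopback, private/reserved (pre-NAT) IP, public IP or hostname."""
    try:
        addr = ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return "hostname"          # not an IP literal, e.g. hostname.domain
    if addr.is_loopback:
        return "loopback"          # e.g. 127.0.0.1
    return "private-ip" if addr.is_private else "public-ip"

def analyze_headers(raw):
    """Return matching hops (index 0 = topmost, most recent header) and the client string."""
    msg = message_from_string(raw)
    hops = []
    for index, value in enumerate(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"hop": index, "ip": m["ip"], "helo": m["helo"],
                         "helo_kind": classify_helo(m["helo"])})
    return {"hops": hops, "user_agent": msg.get("User-Agent") or msg.get("X-Mailer")}

if __name__ == "__main__":
    print(analyze_headers(SAMPLE))
```

Only `Received` lines written by servers you trust are reliable; anything below the first trusted hop, and the `User-Agent` header, is supplied by the sending side and can be forged.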