Wednesday, December 30, 2015

Analyzing Email Messages and Determine Sender’s Source IP [Part 2]

In the previous part, Analyzing Email Messages and Determine Sender’s Source IP [Part 1], we had a brief introduction to email systems and learned about the components of an email message: the message envelope, the message header, and the message body.
In this part we discuss how to analyze an email message and determine the sender’s source IP. Although the message header is the main component we will work with, there is an unfortunate truth: nearly all message header fields can be forged. The only header field that can be trusted is the Received: header.

How to view the message header?
How you view the message header depends on the email provider and the email client in use; usually you will consult the client’s manual to find out how to display it. In the following section we take a few examples of how to view the message header.

  • Viewing the Message Header in Gmail using a Web browser:
    Open the message, click the "down-arrow" at the top right of the message and select "Show Original". The images below are snapshots of a message sent from my Yahoo email account to my Gmail account.
[image: Gmail-Header-01]
[image: Gmail-Header-02]
  • Viewing the Message Header in Live, Hotmail or Outlook.com email using a Web browser:
    From the inbox or message list, right-click the message and select "View Message Source".
[image: Live]
  • Viewing the Message Header in MS Outlook:
    Open the message in MS Outlook, then go to "View" and select "Message Options", or use "File" -> "Info" -> "Properties".
    Look at "Internet Headers".
[image: outlook 1]
[image: outlook 2]
[image: outlook 3]
Manual Analysis of Email Message Header
With the email header displayed as below, we will extract the important header fields and explain each one of them.

Delivered-To: abdullah.yousouf@gmail.com
(7)Received: by 10.194.119.165 with SMTP id kv5csp2398913wjb;
        Wed, 21 Oct 2015 07:59:40 -0700 (PDT)
X-Received: by 10.107.19.106 with SMTP id b103mr8753905ioj.144.1445439580404;
        Wed, 21 Oct 2015 07:59:40 -0700 (PDT)
Return-Path: <atest_2000@yahoo.com>
(6)Received: from nm16-vm3.bullet.mail.ne1.yahoo.com (nm16-vm3.bullet.mail.ne1.yahoo.com. [98.138.91.146])
        by mx.google.com with ESMTPS id v29si7732890ioi.35.2015.10.21.07.59.39
        for <Abdullah.yousouf@gmail.com>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Wed, 21 Oct 2015 07:59:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of atest_2000@yahoo.com designates 98.138.91.146 as permitted sender) 
client-ip=98.138.91.146;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of atest_2000@yahoo.com designates 98.138.91.146 as permitted sender) 
       smtp.mailfrom=atest_2000@yahoo.com; dkim=pass header.i=@yahoo.com;
       dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1445439579; bh=iCCBdD1SchQG2KB
dgNVg28FkUjKGk+m8ViOzLA7xlBo=; h=Date:From:Subject:To:From:Subject; b=j4Q/wIDYDfBmAgWocqtZn8O/EM5skUR5v3oiR3
vxwgimyzzz3WgtH2TS/8rl+6U1EPKcSZc4VuArZQSAc9luMBKgW6lLp02ojxy4IIAUmpguZyEVFWZfWpPAOk6fdPfJYG3W5L4EtagY+YlxSa
lXWh7CdpmsTTOLf9mK4gYZwZBw8KBdSgL/OpgLlVghpQLAxKpDQmoF3q3YgrEoZc59v7+w0dNq3iB0S+3kxmonj5vVVFbsbVTD25s7dA6zxU
ZVZdtJQ7L9E0KmENl5kYLbSYp5uPVWDGnuPbMxnmx3y63x9ufGYhEKnOBY4lUN61EfoqNsZgQQHzUWTG9WMdPWYQ==
(5)Received: from [98.138.100.115] by nm16.bullet.mail.ne1.yahoo.com with NNFMP; 21 Oct 2015 14:59:39 -0000
(4)Received: from [98.138.88.234] by tm106.bullet.mail.ne1.yahoo.com with NNFMP; 21 Oct 2015 14:59:38 -0000
(3)Received: from [127.0.0.1] by omp1034.mail.ne1.yahoo.com with NNFMP; 21 Oct 2015 14:59:38 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 446952.69905.bm@omp1034.mail.ne1.yahoo.com
(2)Received: (qmail 83569 invoked by uid 60001); 21 Oct 2015 14:59:38 -0000
X-YMail-OSG: _R0c044VM1kcemNNGYZioM44s3FERhgWTGCOCRA94F29fDD
 xKQIpQQc0DQDMEe6yVQrXA3Jt2AmNQMaVrLno9ENdwYIpS305tRQ6KMDx_ql
 8CmwqYpfTvpq7hDN4BfxWT4Kwq7MDEnhUDkOhXM9xC2Yb1NjtDh8ccLAJgJu
 gNrtyWTDbcqNju1DPGpOCkDrwlyVQDmjx.qb83W8LQjjJ5SN657u_uNRZZ8d
 8dqwqkpcaWdELwwSlDlzituowTNpKYHTUhKedlKGEhCoSCBm3uMfMZoLRqRl
 WUgXvsSEiWpJxH7VI_8ADynXgcE9hHubi7V74FO80gw6H0_pzYaJA0zI1VHu
 Oh0e0NkdWKd9.htbnSnT4w6Tk2ba84wuN1KlO1pbjwqKEUhQGe_EpzhSZAX7
 Rcavy1FiskJJd3IOsJk58JqAbaAVnp_XWoBzPHNlsF0fiv..PW_Se79dBBVX
 m2VWwlwddtvJFo.x9IDo306_BB2h7B5CI5uJ6dE.Yc.DKwC2auTYP6rtA8WZ
 53jsLlArVMvv71dPXzFrn_3L3xL4pq.mAzVgM.lBi9tpt7HhP6InNGali9cN
 FY1ReCspBB4Ym2El.
(1)Received: from [41.32.28.249] by web310605.mail.ne1.yahoo.com via HTTP; Wed, 21 Oct 2015 07:59:38 PDT
X-Mailer: YahooMailBasic/802 YahooMailWebService/0.8.203.817
Message-ID: <1445439578.66136.YahooMailBasic@web310605.mail.ne1.yahoo.com>
Date: Wed, 21 Oct 2015 07:59:38 -0700
From: atest_2000 <atest_2000@yahoo.com>
Subject: Our 0ffers
To: Abdullah.yousouf@gmail.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="-20674205-2075390769-1445439578=:66136"

---20674205-2075390769-1445439578=:66136
Content-Type: text/plain; charset=us-ascii

---20674205-2075390769-1445439578=:66136
Content-Type: application/pdf; name="doc.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="doc.pdf"


The easiest way to find the original sender’s source IP is to look for the X-Originating-IP header field. This header is important because it carries the IP address of the computer that sent the email. Most of the time, however, this header is removed by email systems, or at least carries no useful value. If you cannot find the X-Originating-IP header, you will have to go through the Received: headers to find the sender’s IP address.

In the header example above we added red numbers to all the Received: header fields. Because Received: headers are read from bottom to top (each relay adds its own field above the ones already present), the numbering starts at the bottom Received: field, and the hops read in the following order:

(1)Received: from [41.32.28.249] by web310605.mail.ne1.yahoo.com via HTTP; Wed, 21 Oct 2015 07:59:38 PDT
(2)Received: (qmail 83569 invoked by uid 60001); 21 Oct 2015 14:59:38 -0000
(3)Received: from [127.0.0.1] by omp1034.mail.ne1.yahoo.com with NNFMP; 21 Oct 2015 14:59:38 -0000
(4)Received: from [98.138.88.234] by tm106.bullet.mail.ne1.yahoo.com with NNFMP; 21 Oct 2015 14:59:38 -0000
(5)Received: from [98.138.100.115] by nm16.bullet.mail.ne1.yahoo.com with NNFMP; 21 Oct 2015 14:59:39 -0000
(6)Received: from nm16-vm3.bullet.mail.ne1.yahoo.com (nm16-vm3.bullet.mail.ne1.yahoo.com. [98.138.91.146])
        by mx.google.com with ESMTPS id v29si7732890ioi.35.2015.10.21.07.59.39
(7)Received: by 10.194.119.165 with SMTP id kv5csp2398913wjb;
        Wed, 21 Oct 2015 07:59:40 -0700 (PDT)
 
From this ordering, the first IP address at the start of the sending process is 41.32.28.249, which is the source IP address of the email sender. We can now use any Whois service to find more information about this address. Using https://who.is/ for example, searching for 41.32.28.249 returns information about the sender’s ISP (Internet Service Provider) or the web host the IP address belongs to, as shown in the following image, and if it is a spam email we can send a complaint to the owner of the originating IP address.
[image: whois]
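As an added example (not part of the original post), the bottom-to-top walk described above in Python: it joins folded continuation lines, reads the Received: fields in transit order, skips hops with no "from" clause or only loopback/private addresses, and returns the first routable source address. The embedded header is a constructed, abbreviated copy of the sample shown above.

```python
import ipaddress
import re

# Constructed sample: the Received: chain of the header above, folded lines included.
RAW_HEADER = """\
Delivered-To: abdullah.yousouf@gmail.com
Received: by 10.194.119.165 with SMTP id kv5csp2398913wjb;
        Wed, 21 Oct 2015 07:59:40 -0700 (PDT)
Received: from nm16-vm3.bullet.mail.ne1.yahoo.com (nm16-vm3.bullet.mail.ne1.yahoo.com. [98.138.91.146])
        by mx.google.com with ESMTPS id v29si7732890ioi.35.2015.10.21.07.59.39
Received: from [98.138.100.115] by nm16.bullet.mail.ne1.yahoo.com with NNFMP; 21 Oct 2015 14:59:39 -0000
Received: from [98.138.88.234] by tm106.bullet.mail.ne1.yahoo.com with NNFMP; 21 Oct 2015 14:59:38 -0000
Received: from [127.0.0.1] by omp1034.mail.ne1.yahoo.com with NNFMP; 21 Oct 2015 14:59:38 -0000
Received: (qmail 83569 invoked by uid 60001); 21 Oct 2015 14:59:38 -0000
Received: from [41.32.28.249] by web310605.mail.ne1.yahoo.com via HTTP; Wed, 21 Oct 2015 07:59:38 PDT
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def received_hops(raw):
    """Received: values in transit order (bottom of the header first), with
    RFC 5322 folded continuation lines joined back onto their field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:  # leading whitespace = continuation
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    received = [f[len("Received:"):].strip() for f in fields if f.startswith("Received:")]
    return received[::-1]                       # last header written = first hop

def originating_ip(raw):
    """First routable 'from' address on the path, i.e. the sender's source IP.
    Hops without a 'from' clause (the qmail line) and loopback/private
    addresses such as [127.0.0.1] only describe internal relays and are skipped."""
    for hop in received_hops(raw):
        if not hop.startswith("from "):
            continue
        from_part = hop.split(" by ", 1)[0]     # ignore the receiving host's address
        for ip in IP_RE.findall(from_part):
            try:
                if ipaddress.ip_address(ip).is_global:
                    return ip
            except ValueError:                  # not a real dotted quad
                pass
    return None

if __name__ == "__main__":
    print(originating_ip(RAW_HEADER))           # prints 41.32.28.249
```

Each hop is only as trustworthy as the relay that wrote it: hops 6 and 7 were added by mx.google.com, while everything below them was supplied by Yahoo's servers and should be read with that in mind.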
Automated Analysis of Email Message Header
There are many tools and online services that automate email message header analysis; a quick web search turns up plenty of them. One of my favorite online email header analysis tools is IP2Location Email Header Tracer: copy the entire email header, paste it into the Lookup box on that page and click Lookup.
[image: ip2location]
You will receive a nicely presented analysis like the following:
[image: ip2location 2]
There are a lot of online and offline tools for email header analysis, such as:
  1. https://toolbox.googleapps.com/apps/messageheader/
  2. http://mxtoolbox.com/EmailHeaders.aspx
  3. https://www.whatismyip.com/email-header-analyzer/
  4. http://www.iptrackeronline.com/email-header-analysis.php
  5. https://testconnectivity.microsoft.com/
Thank you for reading this post. Your feedback is highly appreciated.