Finding Originators IP of a mail sent using Gmail Web Interface

morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Sun Jan 21, 2007 8:57 am

Finding Originators IP of a mail sent using Gmail Web Interface

Hi All,

I believe all of you are aware of the fact that we cannot find the originating IP of a mail sent from a Gmail account using the web interface (the traditional email header, X-Originating-IP). The only way to find the information is by contacting Google / Gmail services. This delays the investigation of a cyber crime which involves a mail sent from a Gmail account. Can we have a discussion on the following:

  • Are there any other ways to find the originating IP from the headers?
  • How long does Gmail keep the records?
  • Does anyone have a similar experience to share?
 

Sorry if this is not the right forum to post it. If it is not, Moderators please change the location.

Regards and best wishes

Morpheus
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n

p0et

Full Member

Posts: 197

Joined: Thu Nov 02, 2006 4:38 pm

Location: Victoria, Canada

Post Mon Jan 22, 2007 10:34 am

Re: Finding Originators IP of a mail sent using Gmail Web Interface

So far I do not have anything to contribute but I would also love to hear from others regarding the above topic.  ;)
GCIH, Security+, Network+, A+, MCP, DCSE

oyle

Sr. Member

Posts: 264

Joined: Mon Jan 02, 2006 11:19 am

Location: Cleveland Ohio

Post Wed Jan 24, 2007 7:46 pm

Re: Finding Originators IP of a mail sent using Gmail Web Interface

Can't you just do a Whois on it? I'm not familiar with Gmail, other than it is Google email. But there is a lot of hostile sentiment towards Gmail. Lots of it is due to Google's privacy policies. It may not be exactly on topic of this thread, but I could post a link to a page explaining all the hostility to Gmail. It would explain a lot, and may help this discussion, although it would help indirectly.

Sure, as long as you have a domain name, just do a whois. Then after you do a whois, you should have an IP. Then you plug the IP in http://www.geoiptool.com/en to find where it's located. Simple.
Last edited by oyle on Wed Jan 24, 2007 7:48 pm, edited 1 time in total.
MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
                  -Tapeworm

jimbob

Post Thu Jan 25, 2007 6:12 am

Re: Finding Originators IP of a mail sent using Gmail Web Interface

Gmail's mail headers do not reveal the IP address of the sender, which means the recipient cannot easily start investigating the source of the mail.

I do not know about Google's data retention policies, but they likely follow US legislation and would only reveal information in response to an official request from law enforcement.

Jim

oyle

Sr. Member

Posts: 264

Joined: Mon Jan 02, 2006 11:19 am

Location: Cleveland Ohio

Post Thu Jan 25, 2007 1:40 pm

Re: Finding Originators IP of a mail sent using Gmail Web Interface

Ok, here is the info I found on Gmail. I could never explain it as well as this page does. But for all us dummies that don't know about Gmail, this is good stuff to know.

http://www.gmail-is-too-creepy.com/
MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
                  -Tapeworm

boney

Jr. Member

Posts: 61

Joined: Mon Jan 15, 2007 8:46 am

Location: India

Post Fri Jan 26, 2007 8:47 am

Re: Finding Originators IP of a mail sent using Gmail Web Interface

Hey,
You can try by digging in the headers of the sender and performing a tracert on the IP address!
Hope this helps, and if you get a better solution than this... kindly let me know.

take care !

boney !
C|EH

All my life I wanted a computer...
Now I want my life back !

eRiCtHyReD

Newbie

Posts: 18

Joined: Tue Jan 16, 2007 11:02 am

Post Fri Jan 26, 2007 9:34 am

Re: Finding Originators IP of a mail sent using Gmail Web Interface

You can enable downloading your emails using the POP3 protocol.

Then download them using your email client.

Then you should be able to see the full headers  8)

Hope this helps,

eRiCtHyReD
CEH MCSE CCNA  Security+ Network+ A+

shawn

Newbie

Posts: 15

Joined: Fri Oct 20, 2006 3:38 pm

Post Fri Jan 26, 2007 10:38 am

Re: Finding Originators IP of a mail sent using Gmail Web Interface

I might be wrong, but I don't think you can get the actual IP address of the sender through mail headers. I know that you will get the IP of the Gmail mail server in the headers but will not get the actual user's IP due to them connecting through a web interface and sending mail from there. The source IP will be Gmail, which does you no good, as you already know that. Also, even if you do get the end user's IP, most likely it will be registered to their ISP, which may not even be in the same area, and not them. You will run into the same problem with their ISP giving out details as to the actual destination of the IP. At least in the US they tend not to give out information without some kind of law enforcement being involved.
CEH, CCNA, Security+
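
The behaviour described in the post above, as an added example that is not part of the original thread: a header walk that reads `Received` lines oldest-first and reports which addresses could belong to the sending client. Both sample messages are constructed (documentation hostnames and addresses, trimmed to the relevant headers), and the names `trace` and `public_ips` are hypothetical.

```python
import email
import ipaddress
import re

# RFC 1918 and loopback ranges: hosts inside a provider, never a sender's public IP.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed samples, not captured mail. First: submitted over a web interface.
WEBMAIL_MSG = """\
Received: from mail-out.example.net (mail-out.example.net [198.51.100.25])
\tby mx.example.org with ESMTP id abc123; Sun, 21 Jan 2007 08:57:10 +0000
Received: by 10.20.30.40 with HTTP; Sun, 21 Jan 2007 08:57:05 +0000
"""
# Second: submitted by a desktop client over SMTP.
CLIENT_MSG = """\
Received: from mail-out.example.net (mail-out.example.net [198.51.100.25])
\tby mx.example.org with ESMTP id def456; Sun, 21 Jan 2007 09:10:12 +0000
Received: from [203.0.113.77] (dsl-77.isp.example [203.0.113.77])
\tby mail-out.example.net with ESMTP id ghi789; Sun, 21 Jan 2007 09:10:09 +0000
X-Originating-IP: [203.0.113.77]
"""

def public_ips(text):
    # Unique, valid IPv4 addresses in text that fall outside INTERNAL.
    out = []
    for raw in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:                      # e.g. 999.1.1.1
            continue
        if raw not in out and not any(ip in net for net in INTERNAL):
            out.append(raw)
    return out

def trace(raw_message):
    # Each relay prepends its Received line, so reversed() gives oldest first.
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        src = re.match(r"from\s+(.*?)\s+by\s", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append({"from_ips": public_ips(src.group(1) if src else ""),
                     "by": by.group(1) if by else None})
    client = public_ips(msg.get("X-Originating-IP", ""))
    if hops:
        client += [ip for ip in hops[0]["from_ips"] if ip not in client]
    return {"hops": hops, "client_candidates": client}
```

For the web-interface sample the candidate list is empty and the first public address belongs to the provider's outbound server. Any `Received` or `X-Originating-IP` line below the one written by the recipient's own mail server is supplied by the sending side and can be forged, so a candidate is a lead to corroborate with provider logs, not proof.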

Kev

Post Sat Jan 27, 2007 11:09 pm

Re: Finding Originators IP of a mail sent using Gmail Web Interface

It's getting more and more difficult to get the IP of the sender. Way back in the day it was easy. If the sender is naive enough to send from something like Outlook Express, well no problem. I remember when you could be doing an IM with ICQ and just netstat or use Trillian and BANG you had their IP! The problem is more and more you don’t get the origin of the IP but the server they mailed or IM’d from at best. There are only a few ways to get it. If you can email the sender and trick them into clicking on a hyperlink in your email, etc… Or if you have enough legal back up to get the connecting server host to give up the IP that connected to them. The important thing to remember is most things are logged. Getting that info is the hard part sometimes. If I email you from a Gmail account, they have the IP I used. Is that my real IP? Is it the IP I did it through 3 proxy servers? Is it the IP from a zombie server I own from Kazakhstan? Is that the IP from the hotel down the street that is sending out free wireless internet all the way out into their parking lot? My point is, if they are good you won’t find them. Sorry for that bleak news and I wish I knew of some super tool that would find anyone’s IP but that’s not the reality. It’s so very important to have a defense in place that is so strong so that’s not even an issue.
Last edited by Kev on Sun Jan 28, 2007 11:11 am, edited 1 time in total.
