How to trace Gmail sender from header? - email

Everyone knows that changing the mail address in the address bar and pretending to send mail from someone else's account is easy.
So I looked up "find out where email came from" on Google.
Some of the links suggest:
1. Log into your account and open the email in question.
2. Click on the down arrow that's to the right of the Reply link. Choose Show Original from the list.
3. Now here's the technical part that I was telling you about earlier! You need to look for the lines of text that start with "Received: from".
I did all the above steps but found out that Gmail uses the mail client IP as the sender IP and not the IP of that particular PC (for security purposes, they say...). It has the sender's IP as mr.google.com and some private network IP (10.43.103.195).
So now my problem is: is there any damn way in the world to trace where the hell this mail came from (at least the IP of the sender)?
This is the header I got when I followed the above 3 steps, which is of no use:
Delivered-To: xxxxxxxx@gmail.com
Received: by 10.204.40.79 with SMTP id j15csp110512bke;
Fri, 22 Mar 2013 01:55:20 -0700 (PDT)
Return-Path: <xxxxxxxxxxx@gmail.com>
Received-SPF: pass (google.com: domain of xxxxxxxxxxx@gmail.com designates 10.43.103.195 as permitted sender) client-ip=10.43.103.195
Authentication-Results: mr.google.com;
spf=pass (google.com: domain of xxxxxxxxxxxx@gmail.com designates 10.43.103.195 as permitted sender) smtp.mail=xxxxxxxxxxxx@gmail.com;
dkim=pass header.i=@gmail.com
X-Received: from mr.google.com ([10.43.103.195])
by 10.43.103.195 with SMTP id dj3mr548753icc.3.1363942518977 (num_hops = 1);
Fri, 22 Mar 2013 01:55:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=x-received:mime-version:from:date:message-id:subject:to
:content-type;
bh=Vi/MI39WKoec07maKoVjz5/ZzUxhO1k+BoeRUkBbWOc=;
b=kZ/EniFvV15mZ9iBeKNiKsJsQvWHL5N8zqrazVxeKmAARQLotyAAIDU7Or9Xc1OBwY
cwuPqSKmVX1RV7tX5wwcdYyzEA/gmskzgGteimv0BInTzVO7dwgi4gU5cZYdm6Qj/GMo
rJfGs5ty6VjidYMFwyn0K5Z0frh2NX2e7RXP0R6da6U5WMU2bQ9epOD4ZhKF+bSdUvb9
WGu3/HWJNTgwrFivspsA6q0M6JkQWYFM6J83h62kIgU897gsXkRlwPacn63tHySC6CNm
DJZGzRJryQZEJTI4owOImP6XDrK+uxPDFAiTnIG5xFR8PBXsQp+FP+XcsqIHqXSjCtl1
xXdQ==
X-Received: by 10.43.103.195 with SMTP id dj3mr548753icc.3.1363942518971; Fri,
22 Mar 2013 01:55:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.134.164 with HTTP; Fri, 22 Mar 2013 01:54:58 -0700 (PDT)
From: xxxxxxxxxxxx@gmail.com
Date: Fri, 22 Mar 2013 14:24:58 +0530
Message-ID: <CACD4ahHmkbNCj9G5taUkXYC=K=n4qVvxY75SSSv3hUG00r6dkQ@mail.gmail.com>
Subject:
To: xxxxxxxx@gmail.com
Content-Type: multipart/alternative; boundary=bcaec5171a235666e504d87f9dd8
--bcaec5171a235666e504d87f9dd8
Content-Type: text/plain; charset=ISO-8859-1

If the sender uses Gmail/Yahoo/Hotmail etc. to send an email (i.e. if they don't use third-party software like Outlook or Thunderbird), there is no way to find out the "PC IP address" because it's hidden for 'privacy reasons.' Probably the only legitimate way (other than through legal means) is to ask the sender to reveal their IP address (using a tool such as https://verifyyourip.com).
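The "Received: from" walk the question describes can be automated, and doing so makes the answer's point visible: a message submitted through the Gmail web interface has no hop that records an external client address, only the provider's own private addresses. The following is an added example, not code from the question or answer; the two sample headers are constructed (addresses and ids made up, modelled on the header above), and "internal" is defined as RFC 1918, loopback and link-local space. One caveat the code cannot remove: every hop below the first one added by a server you trust was written by the sender's side and can be fabricated, so the bottom-most hop is only as reliable as the relay that recorded it.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# RFC 1918, loopback and link-local ranges. A provider's own relays use these
# (the 10.x.x.x hops in the question), so they never identify the sender's PC.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw_message: str) -> List[Dict]:
    """Parse every Received: header in the order they appear (newest first).

    For each hop: the host the client claimed ('from'), the server that added
    the line ('by'), the protocol ('with') and the IPv4 addresses found in the
    'from' clause, with addresses the receiving server observed (inside
    parentheses) listed before anything the client merely claimed.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        clause = " ".join(value.split()).split(";", 1)[0]  # unfold, drop timestamp
        m_from = re.search(r"\bfrom\s+(.*?)\s+by\s+", clause)
        m_by = re.search(r"\bby\s+(\S+)", clause)
        m_with = re.search(r"\bwith\s+(\S+)", clause)
        from_text = m_from.group(1) if m_from else ""
        observed = " ".join(re.findall(r"\(([^)]*)\)", from_text))
        claimed = re.sub(r"\([^)]*\)", "", from_text).split()
        hops.append({
            "from": claimed[0] if claimed else None,
            "by": m_by.group(1) if m_by else None,
            "with": m_with.group(1) if m_with else None,
            "from_ips": IPV4.findall(observed) + IPV4.findall(" ".join(claimed)),
        })
    return hops


def originating_ip(raw_message: str) -> Optional[str]:
    """Walk the hops from the earliest (bottom) to the latest and return the
    first non-internal IPv4 address a server recorded for its client, or None
    when no hop recorded one (a webmail submission, as in the question)."""
    for hop in reversed(received_hops(raw_message)):
        for ip in hop["from_ips"]:
            if not is_internal(ip):
                return ip
    return None


def submitted_via_webmail(raw_message: str) -> bool:
    """True when the earliest hop was an HTTP submission rather than SMTP."""
    hops = received_hops(raw_message)
    return bool(hops) and (hops[-1]["with"] or "").upper() == "HTTP"


# Constructed sample 1: composed in the Gmail web interface (modelled on the
# question's header). The earliest hop is 'with HTTP' and carries no client IP.
WEBMAIL_SAMPLE = """\
Delivered-To: recipient@gmail.com
Received: by 10.204.40.79 with SMTP id j15csp110512bke;
        Fri, 22 Mar 2013 01:55:20 -0700 (PDT)
Received: by 10.64.134.164 with HTTP; Fri, 22 Mar 2013 01:54:58 -0700 (PDT)
From: sender@gmail.com
To: recipient@gmail.com
Subject: test

body
"""

# Constructed sample 2: relayed by a third-party MTA that recorded both the
# HELO name the client claimed ([192.168.1.20]) and the address it saw.
MTA_SAMPLE = """\
Delivered-To: recipient@gmail.com
Received: from mail.example.org (mail.example.org. [203.0.113.5])
        by mx.google.com with ESMTPS id abc123
        for <recipient@gmail.com>; Tue, 16 Jun 2015 03:43:39 -0700 (PDT)
Received: from [192.168.1.20] (unknown [198.51.100.23])
        by mail.example.org (Postfix) with ESMTPSA id 7D2CB12164B
        for <recipient@gmail.com>; Tue, 16 Jun 2015 06:43:36 -0400 (EDT)
From: sender@example.org
To: recipient@gmail.com
Subject: test

body
"""

if __name__ == "__main__":
    for name, raw in (("webmail", WEBMAIL_SAMPLE), ("mta", MTA_SAMPLE)):
        print(name, originating_ip(raw), submitted_via_webmail(raw))
```

For the webmail sample `originating_ip` returns None and `submitted_via_webmail` is True, which is exactly the situation the answer describes; for the MTA sample it returns 198.51.100.23, the address the relay observed rather than the HELO name the client claimed.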

Related

DMARC behaviour on Gmail

We've configured SPF, DKIM and DMARC records for our domain and they're working fine. Our DMARC reports from Gmail, Hotmail and Yahoo also confirm this.
However, just last week, one of our (Gmail) users brought to our attention a fraudulent email sent from a spoofed email address on our domain.
After looking at the email headers, we realised Gmail didn't initiate a DMARC check at all and the email landed in the user's inbox. Gmail had only performed an SPF check, which had passed because the check was performed on the envelope FROM header domain.
The email header (with identifying details redacted) looked like the following:
Delivered-To: redacted@gmail.com
Received: by 10.28.167.23 with SMTP id q23csp326872wme;
Mon, 20 Feb 2017 23:53:04 -0800 (PST)
X-Received: by 10.36.147.1 with SMTP id y1mr22192213itd.34.1487663583976;
Mon, 20 Feb 2017 23:53:03 -0800 (PST)
Return-Path: <redacted@fraudulentdomain.net>
Received: from server2.fraudulentdomain.net (server2.fraudulentdomain.net. [144.X.Y.Z])
by mx.google.com with ESMTP id i196si19658513ioi.78.2017.02.20.23.53.03
for <redacted@gmail.com>;
Mon, 20 Feb 2017 23:53:03 -0800 (PST)
Received-SPF: pass (google.com: domain of redacted@fraudulentdomain.net designates 144.X.Y.Z as permitted sender) client-ip=144.X.Y.Z;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of redacted@fraudulentdomain.net designates 144.X.Y.Z as permitted sender) smtp.mailfrom=redacted@fraudulentdomain.net
Received: by server2.fraudulentdomain.net (Postfix, from userid 330)
id 385716C165; Tue, 21 Feb 2017 08:53:03 +0100 (CET)
To: redacted@gmail.com
Subject: Some Subject
From: My Service <spoofed@mydomain.com>,
"MIME-Version:1.0"@server2.fraudulentdomain.net
Content-type: text/html; charset=iso-8859-1
Message-Id: <20170221075303.385716C165@server2.fraudulentdomain.net>
Date: Tue, 21 Feb 2017 08:53:03 +0100 (CET)
Why did Gmail not initiate a DMARC check and only perform an SPF check? Does it have something to do with the display FROM header having 2 values?
That's a bug; I reported it to Google, and they have fixed it now.

Gmail moves email to spam folder

I recently decided to move away from Google mail services and to establish a private mail server. What I found was that email sent from me@example.com to inbox@gmail.com and spam@gmail.com was put in the Inbox and Spam folders respectively.
Problem
Why is the mail distributed to different folders? Does the mail destination folder (*@gmail.com) depend on:
account settings - I was able to receive mail in the Inbox from me@example.com when it was marked as non-spam in my Gmail account?
service settings - some specific requisites for Gmail, for example headers like Received-SPF, DKIM-Signature?
global settings - superclass, other services (Yahoo, Hotmail, Outlook), more/less headers?
Message
Checked the passes in some header fields; that IMHO seems to be fine as well. The respective IPs are hidden.
Delivered-To: spam@gmail.com
Received: by [example.com] with SMTP id s194csp2015594wmd;
Tue, 16 Jun 2015 03:43:40 -0700 (PDT)
X-Received: by 10.66.154.233 with SMTP id vr9mr57332135pab.124.1434451419946;
Tue, 16 Jun 2015 03:43:39 -0700 (PDT)
Return-Path: <me@example.com>
Received: from mail.example.com (example.com. [[example.com]])
by mx.google.com with ESMTP id hf2si854902pbb.140.2015.06.16.03.43.38
for <spam@gmail.com>;
Tue, 16 Jun 2015 03:43:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of me@example.com designates [example.com] as permitted sender) client-ip=[example.com];
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of me@example.com designates [example.com] as permitted sender) smtp.mail=me@example.com;
dkim=pass header.i=@mail.example.com;
dmarc=pass (p=QUARANTINE dis=NONE) header.from=example.com
Received: from [spam@gmail.com] (unknown [[gmail.com]])
by mail.example.com (Postfix) with ESMTPSA id 7D2CB12164B
for <spam@gmail.com>; Tue, 16 Jun 2015 06:43:36 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.example.com;
s=default; t=1434451416;
bh=EmposAsl9Yoxe9cb6dijtNnJsjZ0DuYCuwTZhRF2GXU=;
h=Date:From:To:Subject:From;
b=cjR7tpLvJ1JFVPf/ddLM4rpooeo95kFlu3ybHSHW8IK6oOTA1QfKy/Q14U9CojrDL
IDf9s2fqNIBBAhH81ivwdNQQFo64hw4/rstljealG1lNQRiIl0zUvD3bm8WbC1CfWb
i3/d8CgiAYkixStNSYEYQhNaUEixWMmznk/bUJJg=
Message-ID: <557FFDD8.2070201@example.com>
Date: Tue, 16 Jun 2015 13:43:36 +0300
From: =?UTF-8?B?TcSBcnRpxYbFoSBFZ2zEq3Rpcw==?= <me@example.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: spam@gmail.com
Subject: Some test subject
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
This is some message, however the mail is put to Spam folder...
DNS
MX 50 mail.example.com.
TXT @ "v=spf1 a mx ip4:[example.com] -all"
TXT _dmarc "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"
TXT default._domainkey.mail "v=DKIM1; k=rsa; p=[some_long_string]"
Outro
I was following a quite nice tutorial and related posts here and here. I also checked the DNS setup with public tools; everything was fine.
Update
The same email sent to Yahoo was put into the Inbox folder...
The answer to the problem is this line:
TXT _dmarc "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"
As stated here, the policy can be one of:
none - the so-called monitor mode
quarantine - to treat the message with suspicion according to the receiver's capabilities
reject - to reject the message outright
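The two DMARC threads above share one mechanism: the receiver takes the domain in the RFC5322.From header, checks whether the SPF-authenticated envelope domain or the DKIM-signing domain aligns with it, and on failure applies the p= policy from the _dmarc record. The first thread's spoof worked by putting two addresses in From, so there was no single domain to align against; the second thread's p=quarantine is the disposition that applies once alignment fails. The following is an added example, not code from either post; it parses the _dmarc record and the Authentication-Results header in the forms Gmail writes on this page (smtp.mail= / smtp.mailfrom=, header.i=@domain), approximates the organisational domain as the last two labels (a real verifier consults the Public Suffix List), and uses constructed inputs with made-up domains and addresses. It treats a multi-domain From as a failure rather than skipping the check, which is this example's design choice.

```python
import re
from email.utils import getaddresses
from typing import Dict, List

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=quarantine; rua=...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a v=DMARC1 record")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def parse_auth_results(value: str) -> Dict[str, Dict[str, str]]:
    """Pull the SPF and DKIM verdicts and their authenticated domains out of an
    Authentication-Results header (Gmail writes smtp.mail= or smtp.mailfrom=
    for SPF and header.i=@domain for DKIM)."""
    flat = " ".join(value.split())
    out = {}
    spf = re.search(r"\bspf=(\w+).*?smtp\.mail(?:from)?=(?:[^\s;@]*@)?([\w.-]+)", flat)
    if spf:
        out["spf"] = {"result": spf.group(1).lower(), "domain": spf.group(2)}
    dkim = re.search(r"\bdkim=(\w+).*?header\.(?:i=[^\s;@]*@|d=)([\w.-]+)", flat)
    if dkim:
        out["dkim"] = {"result": dkim.group(1).lower(), "domain": dkim.group(2)}
    return out


def org_domain(domain: str) -> str:
    # Organisational domain approximated as the last two labels (assumption;
    # a real implementation uses the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r',
    the default) accepts any subdomain of the same organisational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def from_domains(from_header: str) -> List[str]:
    """Every domain named in the RFC5322.From header; normally exactly one."""
    return [addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses([from_header]) if "@" in addr]


def evaluate_dmarc(from_header: str, auth_results: str, dmarc_txt: str) -> Dict[str, str]:
    """Apply the From domain's DMARC policy to the SPF/DKIM verdicts."""
    record = parse_dmarc_record(dmarc_txt)
    domains = from_domains(from_header)
    if len(domains) != 1:
        # A From: naming several domains (the trick in the first thread) has no
        # single domain to align against; this example fails it outright.
        return {"result": "fail", "disposition": record["p"],
                "reason": "From: names %d domains, alignment needs exactly one" % len(domains)}
    from_domain = domains[0]
    auth = parse_auth_results(auth_results)
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf["domain"], from_domain, record.get("aspf", "r"))
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim["domain"], from_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none",
                "reason": "spf aligned" if spf_ok else "dkim aligned"}
    return {"result": "fail", "disposition": record["p"], "reason": "no aligned identifier passed"}


# Constructed inputs modelled on the two threads (domains and IPs made up).
RECORD = "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"
LEGIT_FROM = "Me <me@example.com>"
LEGIT_AUTH = ("mx.google.com; spf=pass (google.com: domain of me@example.com designates "
              "192.0.2.10 as permitted sender) smtp.mail=me@example.com; "
              "dkim=pass header.i=@mail.example.com")
SPOOF_FROM = 'My Service <spoofed@example.com>, "MIME-Version:1.0"@fraud.example.net'
SPOOF_AUTH = ("mx.google.com; spf=pass (google.com: domain of x@fraud.example.net designates "
              "192.0.2.99 as permitted sender) smtp.mailfrom=x@fraud.example.net")

if __name__ == "__main__":
    print(evaluate_dmarc(LEGIT_FROM, LEGIT_AUTH, RECORD))
    print(evaluate_dmarc(SPOOF_FROM, SPOOF_AUTH, RECORD))
```

The legitimate Thunderbird-style message passes (SPF aligned strictly, DKIM aligned relaxed via mail.example.com), the two-address spoof fails with the record's quarantine disposition, and a single-domain spoof authenticated only for the fraudulent envelope domain fails for lack of an aligned identifier.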

Why are emails sent by my server marked as SPAM?

My website, all written in PHP, has an automatic system to notify users via email. Everything worked perfectly until I moved everything to a new, less expensive dedicated server (with a new IP, too). Now, from the new server, all the emails are sent to the spam folder. Why? What happened? Gmail says it's marked as spam because it violates these guidelines about the sender. Here is the message header of one of the emails:
Delivered-To: fontanavideostudios@gmail.com
Received: by 10.64.224.200 with SMTP id re8csp1701580iec;
Sun, 1 Feb 2015 07:30:19 -0800 (PST)
X-Received: by 10.140.22.5 with SMTP id 5mr1380826qgm.72.1422804619177;
Sun, 01 Feb 2015 07:30:19 -0800 (PST)
Return-Path: <noreply@racebooking.net>
Received: from ns362512.ip-91-121-174.eu ([2001:41d0:1:ef28::1])
by mx.google.com with ESMTP id e3si21772874qaf.113.2015.02.01.07.30.18
for <fontanavideostudios@gmail.com>;
Sun, 01 Feb 2015 07:30:19 -0800 (PST)
Received-SPF: none (google.com: noreply@racebooking.net does not designate permitted sender hosts) client-ip=2001:41d0:1:ef28::1;
Authentication-Results: mx.google.com;
spf=none (google.com: noreply@racebooking.net does not designate permitted sender hosts) smtp.mail=noreply@racebooking.net
Received: by ns362512.ip-91-121-174.eu (Postfix, from userid 504)
id DFE0916074; Sun, 1 Feb 2015 16:28:52 +0100 (CET)
To: fontanavideostudios@gmail.com
Subject: Qualcuno ha commentato il tuo post
X-PHP-Originating-Script: 504:new_notification.php
From: Racebooking <noreply@racebooking.net>
Reply-To: no-reply
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Message-Id: <20150201152852.DFE0916074@ns362512.ip-91-121-174.eu>
Date: Sun, 1 Feb 2015 16:28:52 +0100 (CET)
The domain, racebooking.net, has a good reputation, and MX, mail and smtp point to the same IP, 91.121.174.40, which is the same IP as racebooking.net (here is a test).
Any idea?
Check this line in the header:
Received-SPF: none (google.com: noreply@racebooking.net does not designate permitted sender hosts) client-ip=2001:41d0:1:ef28::1;
Authentication-Results: mx.google.com;
spf=none (google.com: noreply@racebooking.net does not designate permitted sender hosts) smtp.mail=noreply@racebooking.net
I think you have not correctly configured the SPF entries in your DNS.
See this Google Products thread about this: https://productforums.google.com/forum/#!topic/apps/nvGcYDjONfc
I can see that you have no SPF entries defined for "racebooking.net":
$ dig +short racebooking.net txt
"1|www.racebooking.net"
You need to define an SPF entry like:
"v=spf1 mx a:mail0.racebooking.net -all"
You also need to include any other host from which you might be sending email (i.e. web applications sending email from @racebooking.net).
More info about what SPF is: http://en.wikipedia.org/wiki/Sender_Policy_Framework
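To see why Gmail reported spf=none and what the suggested record changes, it helps to run the SPF evaluation itself. The following is an added example, not code from the question or answer: a simplified evaluator for the ip4, ip6, a, mx, include and all mechanisms with their qualifiers, run against a constructed in-memory stand-in for DNS (made-up names, RFC 5737 documentation addresses) so it works offline; redirect= and other modifiers are not handled. One detail worth noting from the header above: the connecting client was an IPv6 address, and a record with only mx, a and ip4 terms will still fail such a host, so a server that delivers over IPv6 needs its AAAA address covered (ip6 term or an a/mx host with an AAAA record, which this toy resolver does not model).

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; addresses are from
# the RFC 5737 documentation ranges and the names are made up.
FAKE_DNS = {
    "nospf.example": {                       # like racebooking.net before the fix
        "TXT": ["1|www.nospf.example"],
        "A": ["192.0.2.40"], "MX": ["mail.nospf.example"]},
    "mail.nospf.example": {"A": ["192.0.2.40"]},
    "sender.example": {                      # after publishing the suggested record
        "TXT": ["v=spf1 mx a:mail0.sender.example ip4:192.0.2.50 -all"],
        "A": ["192.0.2.40"], "MX": ["mail.sender.example"]},
    "mail.sender.example": {"A": ["192.0.2.41"]},
    "mail0.sender.example": {"A": ["192.0.2.42"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return FAKE_DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None (absent, or several = invalid)."""
    found = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    return found[0] if len(found) == 1 else None


def check_spf(client_ip, mail_from_domain, depth=0):
    """Simplified SPF evaluation (RFC 7208) for ip4, ip6, a, mx, include and all
    with their qualifiers. Returns none, pass, fail, softfail, neutral or
    permerror. Modifiers such as redirect= are not handled."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = spf_record(mail_from_domain)
    if record is None:
        return "none"                   # what Gmail reported in the question
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or mail_from_domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # 'in' is False when the address family differs, so an IPv6 client
            # never matches an ip4 term.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(target, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(target, "MX"))
        elif mech == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism or unsupported modifier
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # fell off the end with no 'all' term


if __name__ == "__main__":
    print("no record:", check_spf("192.0.2.40", "nospf.example"))
    print("mx host:  ", check_spf("192.0.2.41", "sender.example"))
    print("ipv6 host:", check_spf("2001:db8::1", "sender.example"))
```

With no v=spf1 TXT record the result is none (the question's case); with the record published, the MX host, the a: host and the ip4 address all pass, an unlisted IPv4 address hits -all and fails, and an IPv6 client also fails because nothing in the record covers it.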

Outgoing mail is ending up in spam

I have a problem with all the mails sent from my company often ending up in the recipients' spam folder. It's from approximately 5-6 different mail addresses sending from the same mail server. We have a dedicated server that is both hosting our website as well as managing all mails and so forth.
We usually don't get any error messages when the mails either never arrive or end up in the recipients' spam folder.
But we received this one error message, so I hope you have an idea of what to do to keep our mails out of the spam folders. We might have to hire external developers to take care of the problem; I just want to get an idea of what the problem is, so I know whether I can fix it, or tell the developers what to do.
"ANON" is put in to keep the mails involved anonymous. Should I delete anything else?
Error message:
-----Oprindelig meddelelse-----
Fra: Mail Delivery Subsystem [mailto:mailer-daemon@googlemail.com]
Sendt: 27. september 2013 08:26
Til: support@example.com
Emne: Delivery Status Notification (Failure)
Delivery to the following recipient failed permanently:
ANON@ANON.dk
Technical details of permanent failure:
Message rejected by Google Groups. Please visit
http://mail.google.com/support/bin/answer.py?hl=en&answer=188131 to review our Bulk Email Senders Guidelines.
----- Original message -----
X-Received: by 10.14.109.66 with SMTP id r42mr7804640eeg.43.1380263171652;
Thu, 26 Sep 2013 23:26:11 -0700 (PDT)
Return-Path: <support@example.com>
Received: from server.example.com ([2a01:4f8:121:267::2])
by mx.google.com with ESMTPS id
o7si4443732eep.48.1969.12.31.16.00.00
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Thu, 26 Sep 2013 23:26:11 -0700 (PDT)
Received-SPF: neutral (google.com: 2a01:4f8:121:267::2 is neither permitted nor denied by best guess record for domain of support@example.com) client-ip=2a01:4f8:121:267::2;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 2a01:4f8:121:267::2 is neither permitted nor denied by best guess record for domain of support@example.com) smtp.mail=support@example.com;
dkim=neutral (bad format) header.i=@example.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=example.com; s=default;
h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To:References:T
o:From; bh=E5v2ubiy1T/bYA8pEndEZlZwb928MRpgJuoPSy8WsQE=;
b=AbAc/65Y88xmhdGHxUUs3kK/1rOvTH0uEpPAVEN1sv8KNdJvzvRqiO72gqXan0M7wXRVeev6IJ
0iumBwj875irmYAaST9hzm+eIF02whaZDgkzRr2jjJKN9bn11tBmtlTK0JzTGDUMf1Ij+qmI
0iumBwj875irmYAaST9hzm+eIF02whaZDgkzRr2jjJKN9bn11tBmtlTK0JzTGDUMf1Ij+vdF
0iumBwj875irmYAaST9hzm+eIF02whaZDgkzRr2jjJKN9bn11tBmtlTK0JzTGDUMf1Ij+f
64lUpYIyyaqlNUYnaPt28=;
Received: from post.ABCDEFGHIJK.com ([xxx.xxx.xxx.xxx]:49696
helo=WIN7UVQT1EBIRO)
by server.example.com with esmtpa (Exim 4.80.1)
(envelope-from <support@example.com>)
id 1VPRUi-0008Dh-Os
for ANON@ANON.dk; Fri, 27 Sep 2013 06:25:41 +0000
From: "ANON - example.com" <support@example.com>
To: "'XYZ ABC'" <a.bcd@efg.hi>
References: <E1VORD0-0007hu-Jn@server.example.com>
<CACyHzxudCSh+4NOEu-_QR1yQYA=uR0DOrTTcgDsg9KcRLTWDFQ@mail.gmail.com>
In-Reply-To:
<CACyHzxudCSh+4NOEu-_QR1yQYA=uR0DOrTTcgDsg9KcRLTWDFQ@mail.gmail.com>
Subject: SV: example.com: Ordre # 700003820 opdatering
Date: Fri, 27 Sep 2013 08:25:38 +0200
Message-ID: <00d501cebb4a$637159b0$2a540d10$@example.com>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_00D6_01CEBB5B.26FF0BB0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGYr839QgwXgZ5pAdux+XF0Yh5W4AHfGYRhmjY70GA=
Content-Language: da
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.example.com
X-AntiAbuse: Original Domain - ANON.dk
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - example.com
X-Get-Message-Sender-Via: server.example.com: authenticated_id:
support@example.com
X-Source:
X-Source-Args:
X-Source-Dir:
I needed to edit the MX records for the domains sending the mails; as the domains and websites were on the same server, the mail server couldn't comprehend it.
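The bounce above carries two verdicts worth reading separately: spf=neutral came from Google's "best guess" record because the domain published no SPF record, and dkim=neutral (bad format) means the DKIM-Signature header itself could not be parsed, so the signature was never even verified. In that header the h= tag list is folded in the middle of a header name ("T" on one line, "o:From" on the next), which RFC 6376's tag syntax does not allow inside a name. The following is an added example, not code from the question or the answer: a format check for DKIM-Signature headers that reports the problems a verifier would reject before any cryptography is involved. The two sample signatures are constructed (the bad one is modelled on the folded h= list and truncated b= value in the bounce; the b= values are placeholders, not real signatures), and `hashlib`/`base64` are used only to build a syntactically valid bh= for the sample.

```python
import base64
import binascii
import hashlib
import re
from typing import Dict, List

REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")
KNOWN_ALGORITHMS = ("rsa-sha256", "rsa-sha1", "ed25519-sha256")
HDR_NAME = re.compile(r"^[A-Za-z0-9-]+$")      # header field names: no whitespace


def parse_tag_list(value: str) -> Dict[str, str]:
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip().lower()] = val.strip()
    return tags


def dkim_format_problems(header_value: str) -> List[str]:
    """Return the syntax problems a verifier would report as 'bad format'.
    An empty list means the header is well-formed (not that it verifies)."""
    unfolded = header_value.replace("\r\n", "").replace("\n", "")
    tags = parse_tag_list(unfolded)
    problems = []
    for tag in REQUIRED_TAGS:
        if tag not in tags:
            problems.append("missing required tag %s=" % tag)
    if tags.get("v") != "1":
        problems.append("v= must be 1")
    if tags.get("a", "").lower() not in KNOWN_ALGORITHMS:
        problems.append("unsupported algorithm a=%s" % tags.get("a"))
    if "h" in tags:
        names = [n.strip() for n in tags["h"].split(":")]
        bad = [n for n in names if not HDR_NAME.match(n)]
        if bad:
            problems.append("h= contains malformed header names: %r" % bad)
        if "from" not in [n.lower() for n in names]:
            problems.append("h= must include From")
    for tag in ("bh", "b"):
        if tag in tags:
            compact = re.sub(r"\s+", "", tags[tag])    # FWS inside base64 is allowed
            try:
                base64.b64decode(compact, validate=True)
            except (binascii.Error, ValueError):
                problems.append("%s= is not valid base64" % tag)
    if "i" in tags and "d" in tags:
        i_domain = tags["i"].rsplit("@", 1)[-1].lower()
        d = tags["d"].lower()
        if not (i_domain == d or i_domain.endswith("." + d)):
            problems.append("i= domain %s is not within d=%s" % (i_domain, d))
    return problems


# Constructed samples. bh= is a real digest of a constructed body so that it is
# syntactically valid; b= is a placeholder, not a signature anyone produced.
GOOD_BH = base64.b64encode(hashlib.sha256(b"constructed body\r\n").digest()).decode()
FAKE_B = base64.b64encode(b"\x01" * 64).decode()

GOOD_SIG = ("v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=example.com; s=default;\n"
            "\th=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From;\n"
            "\tbh=%s;\n\tb=%s" % (GOOD_BH, FAKE_B))

# Modelled on the bounce: the h= list folded inside a header name and a b=
# value whose length is not a multiple of four (unpadded, truncated base64).
BAD_SIG = ("v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=example.com; s=default;\n"
           " h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To:References:T\n"
           " o:From; bh=%s;\n b=AbAc/65Y88xmhdGHxUUs3kK" % GOOD_BH)

if __name__ == "__main__":
    print("good:", dkim_format_problems(GOOD_SIG))
    print("bad: ", dkim_format_problems(BAD_SIG))
```

The well-formed sample yields no problems; the sample modelled on the bounce reports the broken "T o" header name in h= and the invalid b= value, which is the kind of defect that produces dkim=neutral (bad format) at the receiver regardless of whether the DNS key is right.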

Mail server altering reply-to address?

We have an application sending mail with reply-to addresses in the form of NNN@email.example.com. The mail is sent via Sendgrid and replies are parsed using Sendgrid's Parse API. The problem is some email doesn't get back to us because the reply-to address has been changed to NNN@sendgrid.net. Sendgrid support says they never touch the reply-to and we've confirmed by a Gmail logging account that our application sends mail out correctly. So that leaves me suspecting certain mail servers are switching the domain name with that of the MX host. Our MX records for email.example.com are:
mx3.sendgrid.net 20
mx4.sendgrid.net 20
mx5.sendgrid.net 20
mx.sendgrid.net 10
mx2.sendgrid.net 20
Are there any mail servers or clients that are known to modify reply-to addresses? Or is there any other possible explanation?
Edit: Headers from an email sent by our app and logged with a Gmail account (sanitized to remove client information):
Delivered-To: logger@company.com
Received: by 10.112.62.41 with SMTP id v9csp143404lbr;
Tue, 31 Jul 2012 04:25:29 -0700 (PDT)
Received: by 10.182.51.37 with SMTP id h5mr22717342obo.35.1343733928944;
Tue, 31 Jul 2012 04:25:28 -0700 (PDT)
Return-Path: <Editors@domain.com>
Received: from o1.email.domain.com (o1.email.domain.com. [208.117.48.105])
by mx.google.com with SMTP id m6si10752851oec.6.2012.07.31.04.25.27;
Tue, 31 Jul 2012 04:25:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of Editors@domain.com designates 208.117.48.105 as permitted sender) client-ip=208.117.48.105;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of Editors@domain.com designates 208.117.48.105 as permitted sender) smtp.mail=Editors@domain.com; dkim=pass header.i=@Domain.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=Domain.com; h=date
:from:reply-to:to:message-id:subject:mime-version:content-type
:content-transfer-encoding; s=smtpapi; bh=+VZlU9LWGUpMR4neAk/JMo
1DD2E=; b=T3Be3k1Gp+shIGgQZPJ1vtx1kUCRMCRAqRgf8LxVUdvQ1/7YWRKnls
+zrXi6dhJXaLrEyVmt7MyYgxvkVvnJqWYy4tAQABtANQHdLSle4AK1+BY+/m2h4E
fj91rMgQySNbrVV+mhaiE5Q7NxvIa35azUUO0/zRYpluDUt6UBEcQ=
Received: by 10.16.69.117 with SMTP id mf20.27729.5017C0A66
Tue, 31 Jul 2012 06:25:26 -0500 (CDT)
Received: from email.domain.com (unknown [10.60.208.17])
by mi15 (SG) with ESMTP id 5017c0a6.202a.a5e396
Tue, 31 Jul 2012 06:25:26 -0500 (CST)
Date: Tue, 31 Jul 2012 07:25:25 -0400
From: Editors <Editors@domain.com>
Reply-To: 5005@email.domain.com,
Editors <Editors@domain.com>
To: user@example.com
Message-ID: <5017c0a5d4365_e294729d8c86360@app02.manuscripts.domain.com.mail>
Subject: Invitation
Mime-Version: 1.0
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Sendgrid-EID: lcSu+eeYyj7byVT4rUR8IwFlWv7xwmQ9mjigbpHftFWQeg+HlxpNd7F1nbL2uoqLRAg4sHwj57Rrx78FZhDo2L2DCVfamQm0+wEFzkMnensGOv19JFRIAeDMZY53SVpKMwm4Klqcm6L6s9+UaFtqnRUE3/jexZ6uJAFc5x57JG4=
So you see the reply-to is set properly in these headers, but when the recipient replied we saw the reply-to address change to 5005@sendgrid.net.
We have the exact same issue. I'm no Exchange guru so I can't validate this, but I'm willing to bet the company you are sending mail to has a configuration flag that says NOT to use a 'reply to' command. Our application sends out as ourcompany@appmail.com with the reply-to address set to user@mycompany.com. I can test with Gmail and Yahoo and it works great!
But certain companies we email always come back to the 'ourcompany@appmail.com' address as if there was no reply-to set. Think about all the junk mail you get where the reply address is your own email address. I can only imagine MS and Novell have flags to force replies to the actual sender.
Now if we could just get clarification from a real expert as to whether or not this flag is out there.