Email and IP Addresses

I have a question about email and IP addresses. I know nothing about IP addresses, but I thought if you receive one in an email header that you could locate details about where a message was sent from.

I received a message from a friend who was supposed to be abroad. The message indicated that it came from an IP address in their hometown. I checked an earlier message sent from when they were at their home and it was the same IP address. Am I wrong in assuming they were emailing from home both times and I was being misled? Or is there some way the actual computer/phone can store home data and make it seem like a message sent from, say, Germany through Gmail shows up as their home ISP in the UK?

One thing you have to know about email is that there’s basically zero security involved in it. You can easily alter an outgoing email to claim to be from any email address, any IP, etc.; there is no server that actually does a sanity check on this data (well, not necessarily). I can’t be sure of the exact reason, but I think that since there’s no sanity check, it’s possible that his email client just cached his old IP and appended it to the header without double-checking.

Edit: Huh, if it’s gmail it double checks. It’s possible that he’s going through a proxy, though I don’t know why he would.
Edit2: Aha! It turns out that gmail obfuscates the original IP address. Specifically, it uses the IP of the mail server, NOT the sender. I’m not sure why it would use the same mail server in both places, but it’s certainly possible.

So, just to be clear. If someone is using their personal computer, it could be taking old data from, say, when they were in their house, and re-using it on a current message because it’s stored. Does sending a message through gmail.com versus an iPhone versus Outlook make any difference?

Some of the messages from that account go through that generic gmail server where I can’t easily tell where it comes from.

Basically, I want to assume this person is abroad but when the email message shows it came from their home ISP it’s a bit confusing.

Their email will commonly come to you from their home ISP no matter where they are. The exact details depend upon how they send email, and where their email account is. But assuming they have an email account managed by their ISP, it works like this:

If they went overseas with a computer (laptop, tablet, even a smart phone) and they use that to send email, their computer will be set up to connect back to the mail server their ISP provides. Usually this is over an authenticated link (to prevent people other than customers of the ISP from using the server to send spam.) Their ISP’s server receives the email, and then sends it on to your email account, wherever your email is managed. In order to work out the entire chain you need to look at the full set of headers in the email. Typically these will record all the hops involved. There will be a set of “Received:” lines in the header and you need to look at the list of these. Most mailers need to be explicitly told to expose all the header information, usually hiding it.

If they used webmail, then they will have sent the email from the webserver their ISP provides, and the email will simply come from their ISP’s webmail server. Unless the webmail service adds details of the browser’s IP address to the email, you will have no trace of where they sent it from.

Of course if they have a gmail or similar account you have very little hope.

How did you positively identify the (home) IP address the email was originally sent from?

If you use a mail client such as Outlook or Thunderbird and the email is delivered via SMTP, you should indeed be able to determine the IP address it was sent from. Forging a mail header with the intention to hide its path is something that serious hackers would do.

More likely than not, your friend sent his mail via the web. As far as I know, there is hardly a chance to determine the location it was sent from. For instance, I would guess, the first IP address you’ll find in the header of a mail which was sent via Gmail is always the same, i.e.:

Received: by 10.60.34.234 with HTTP; Sat, 21 Jul 2012 05:10:19 -0700 (PDT)

I have emails from Hotmail and Google Mail users which do have their browser IP address in the headers (i.e. the address given to them by their ISP, not the IP address of the originating mail server). As Francis Vaughan says, it is possible for webmail services to add this information to headers.
I am not sure that either Hotmail or Google still do that, though.

There are two IP addresses to worry about.

The first is the machine the email was typed into. Some mail servers, such as Hotmail, tack on the origination IP address to the email. There is no requirement for this to be done. But if the email company routinely does this and you are sure it came from that company’s servers, you are fairly certain of the origination.

The second is the actual email server. (Assuming that the person isn’t running a mail server.) While a lot of the email header can be faked, not all of it can. But spammers and such are good. They can bury the true origin in the middle of the header. E.g., they fake a header that says it started at whitehouse.gov, went through a couple of other servers, and landed at the destination server. One of the intermediate servers is the real one. An expert at header parsing can determine which one it is. (At some point it goes from a fake path to a real one.)

Not as common as it used to be, but doable. (The idiots spammers target are so naive they click on stuff that clearly didn’t come from Facebook or their bank, so why bother going through the trouble of faking the header so well.)

All bets are off if either the originating computer or the email server is infected with malware. Then it’s not a question of “what IP address” but who it is there that is really sending it.

Note: there’s the header and then there’s the header. Some email sites/programs will only show part of a header unless you click on “show original” or some such. I have no idea why they would want to hide this from people.
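The two points above, walking the “Received:” lines (Francis Vaughan’s answer) and working out where the real path ends and the claimed one begins (this answer), can be done mechanically. The following is an added example, not code posted by anyone in this thread. It assumes the recipient’s own inbound server is `mx.example.net` (so the hop it recorded is trustworthy), and the raw message is constructed for the demonstration: a friend’s laptop authenticating to their ISP’s relay, which hands the mail to our server, with a forged older hop claiming the mail started at whitehouse.gov.

```python
"""Walk the Received: chain of a raw email and mark which hops can be vouched for.

Added example, not from the original thread. Assumptions (labelled):
  - mx.example.net is the recipient's own inbound server; the Received line it
    added is trustworthy, every older line is only as good as the chain leading
    to it.
  - SAMPLE is a constructed message, not a real capture.
"""
import re
from dataclasses import dataclass
from email import message_from_bytes, policy
from typing import List, Optional, Tuple

OUR_SERVER = "mx.example.net"   # assumption: the recipient's own inbound MX

# Received lines are newest-first: the top one was added by our own server.
# The bottom one (claiming relay.whitehouse.gov) was written by the sender.
SAMPLE = b"""\
Received: from mail.homeisp.co.uk (mail.homeisp.co.uk [203.0.113.10])
        by mx.example.net with ESMTPS id abc123
        for <you@example.net>; Sat, 21 Jul 2012 12:10:31 +0000
Received: from [198.51.100.77] (dynamic-198-51-100-77.homeisp.co.uk [198.51.100.77])
        by mail.homeisp.co.uk with ESMTPSA id xyz789; Sat, 21 Jul 2012 12:10:20 +0000
Received: from relay.whitehouse.gov (relay.whitehouse.gov [192.0.2.1])
        by mail.example.org with SMTP; Sat, 21 Jul 2012 12:09:00 +0000
X-Originating-IP: [198.51.100.77]
From: friend@homeisp.co.uk
To: you@example.net
Subject: hi from abroad

hello
"""

RECEIVED_FROM = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
RECEIVED_BY = re.compile(r"\bby\s+(\S+)", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Hop:
    by_host: Optional[str]     # server that claims to have added this line
    from_host: Optional[str]   # name the previous server announced (HELO)
    from_rdns: Optional[str]   # reverse-DNS name the receiving server saw
    from_ip: Optional[str]     # TCP peer address the receiving server saw


def parse_received(value: str) -> Hop:
    text = " ".join(value.split())           # unfold continuation lines
    m_from, m_by = RECEIVED_FROM.search(text), RECEIVED_BY.search(text)
    from_host = from_rdns = from_ip = None
    if m_from:
        from_host = m_from.group(1)
        tcp_info = m_from.group(2) or ""      # "(rdns [ip])" written by receiver
        from_rdns = tcp_info.split()[0] if tcp_info.split() else None
        m_ip = IPV4.search(tcp_info) or IPV4.search(from_host)
        from_ip = m_ip.group(0) if m_ip else None
    return Hop(m_by.group(1) if m_by else None, from_host, from_rdns, from_ip)


def trust_chain(raw: bytes, our_server: str = OUR_SERVER) -> Tuple[List[Hop], Optional[int]]:
    """Return (hops newest-first, index of the first hop we cannot vouch for).

    Hop i is accepted only if the server claiming to have written it is the one
    hop i-1 says it received the mail from; the first break is where the real
    path ends and the claimed (possibly forged) part begins. Real relays often
    name themselves inconsistently, so a break means "unverifiable", not proof.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    if not hops or (hops[0].by_host or "").lower() != our_server.lower():
        return hops, 0                       # nothing here was written by us
    for i in range(1, len(hops)):
        prev = hops[i - 1]
        announced = {(prev.from_host or "").lower(), (prev.from_rdns or "").lower()}
        if (hops[i].by_host or "").lower() not in announced:
            return hops, i
    return hops, None


def origin_report(raw: bytes, our_server: str = OUR_SERVER) -> dict:
    hops, first_bad = trust_chain(raw, our_server)
    trusted = hops if first_bad is None else hops[:first_bad]
    xoip = message_from_bytes(raw, policy=policy.default).get("X-Originating-IP")
    m = IPV4.search(str(xoip)) if xoip else None
    return {
        "total_hops": len(hops),
        "trusted_hops": len(trusted),
        # deepest address we can vouch for: the peer the oldest trusted hop saw
        "earliest_trusted_peer": trusted[-1].from_ip if trusted else None,
        # added by a webmail provider (Hotmail-style); only as good as that provider
        "x_originating_ip": m.group(0) if m else None,
    }


if __name__ == "__main__":
    hops, first_bad = trust_chain(SAMPLE)
    for i, h in enumerate(hops):
        tag = "UNVERIFIABLE" if first_bad is not None and i >= first_bad else "ok"
        print(f"hop {i}: by {h.by_host} from {h.from_host} [{h.from_ip}] {tag}")
    print(origin_report(SAMPLE))
```

On the constructed message the first two hops form a consistent chain (our server received from the ISP relay, and the ISP relay says it was the one that wrote the next line), so the deepest address that can be vouched for is the laptop’s 198.51.100.77 as seen by the ISP relay. The third line claims to have been written by mail.example.org, which nobody in the verified chain says they talked to, so it is flagged; this is the “fake path to real path” boundary the answer describes, with the forged whitehouse.gov origin on the wrong side of it.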

This is the main detail… but:

Nowadays, people access their home email from all over the world while on trips, using the webmail client (a web page that allows access to mail). If so, odds are the header will be no different than when the person sends mail from home. The header info contains only the trail of IP addresses from their email server to yours.

If they claim to be sending mail from @mygreatbritainmail.uk or some exotic server address but the IP address is USA, that would be suspicious but:

A lot of companies, instead of running their own server, contract to somewhere else. Gmail, MS Live, etc. will allow you, if you own a domain, to point it to their mail server; mail to your domain name will be handled by them, and they configure their servers to act like yours. So the email could be some exotic location like @jerusalemmailprovider.il but it’s possible they simply use MS Live and the server is in the USA even though the company “providing” the email address is in Israel.

So the IP address means next to nothing.

Go to MX toolbox - http://www.mxtoolbox.com/ReverseLookup.aspx - they have a lot of tools to figure out what domain is registered where, what IP addresses are, MX (mail) records in DNS, etc.

He could have been remote-controlling his home computer using LogMeIn, Windows Remote Desktop, Live Mesh or similar.