Tracing email

James McDonald james
Tue May 22 00:06:22 PDT 2007


Ed Jabbour wrote:
> If someone from a computer in, say, London enters his corporate network in, 
> say, Chicago (method unknown), and sends an email from that Chicago server, 
> is there some way of knowing that the process originated from the London IP?  
> The London IP would not show in the email, would it?
>
I had an instance today where a guy was receiving abusive emails from 
bogus hotmail accounts; however, the hotmail server adds an 
X-Originating-IP header to its emails which had the IP address of the 
client the browser was running from. In this case the IP addresses of the 
abusive mails in the X-Originating-IP were both the same despite the 
emails being sent weeks apart, so we conclude it's the same person 
sending the email - time to call the ISP abuse line.

However you are saying it's a corporate network ... If this is a VPN 
setup then the original connection is going to be logged by the VPN 
gateway and the authenticating user logged. However unless you know the 
fabric of how the network is put together and what is logged and what 
isn't and who to ask then it can be very hard to trace. You also don't 
mention what email infrastructure is in use so I'd be guessing at 
everything.

You can telnet to a mail server and send email as virtually anyone so 
long as you don't break the SMTP server's rules.

e.g.

telnet mailserverip 25
helo rupertshocking.com
mail from: someone@targetdomain.com
rcpt to: someoneelse@targetdomain.com
data
To: I hate you badly <someoneelse@targetdomain.com>
Subject: You should eat refuse
I hate you more than my 6th grade bully
.
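The header check James describes (pull X-Originating-IP out of each abusive message, see whether the same client address turns up across messages sent weeks apart) is easy to script, and the same parser also shows the limit he points at in the corporate-relay case: when no such header exists, all you get is the chain of Received: hops, and only the hops added by servers you trust mean anything. The example below is added here and is not code from the original post or from either list member. The three messages are constructed samples using RFC 5737 documentation addresses; the header names X-Originating-IP and Received are real, while the function names are my own.

```python
import re
from collections import defaultdict
from email import message_from_string, policy

# Constructed sample messages (not real mail). The first two carry the
# X-Originating-IP header the post describes; the third came through a
# corporate relay and has no such header, so only Received: hops remain.
MESSAGES = [
"""Received: from mailhost.webmail.example ([192.0.2.10])
\tby mx.example.net with ESMTP; Tue, 01 May 2007 10:00:00 +0000
X-Originating-IP: [203.0.113.7]
From: throwaway1@webmail.example
To: victim@example.net
Subject: first abusive message

body one
""",
"""Received: from mailhost.webmail.example ([192.0.2.11])
\tby mx.example.net with ESMTP; Tue, 22 May 2007 07:05:00 +0000
X-Originating-IP: [203.0.113.7]
From: throwaway2@webmail.example
To: victim@example.net
Subject: second abusive message, weeks later

body two
""",
"""Received: from mail.corp.example ([192.0.2.50])
\tby mx.example.net with ESMTP; Tue, 22 May 2007 08:00:00 +0000
From: someone@corp.example
To: victim@example.net
Subject: from the corporate relay

body three
""",
]

# Bracketed IPv4 literals as they appear in Received: and X-Originating-IP.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw):
    """Return the originating IP (if the sending service recorded one) and the
    Received: chain, most recent hop first. Only hops written by your own
    servers are trustworthy; anything below them could have been forged by
    the sender, which is exactly why the telnet trick in the post works."""
    msg = message_from_string(raw, policy=policy.default)
    xoip = msg.get("X-Originating-IP")
    origin = None
    if xoip:
        m = IP_RE.search(xoip)
        origin = m.group(1) if m else str(xoip).strip()
    hops = []
    for rcvd in msg.get_all("Received", []):
        hops.append({"header": " ".join(str(rcvd).split()),
                     "ips": IP_RE.findall(str(rcvd))})
    return {"subject": str(msg.get("Subject", "")),
            "originating_ip": origin,
            "received": hops}


def group_by_origin(raws):
    """Map each originating IP (or 'unknown') to the subjects sent from it."""
    groups = defaultdict(list)
    for raw in raws:
        info = parse_headers(raw)
        groups[info["originating_ip"] or "unknown"].append(info["subject"])
    return dict(groups)


def repeat_origins(raws, min_messages=2):
    """Originating IPs seen on at least min_messages messages: the evidence
    you would hand to the ISP abuse desk."""
    return sorted(ip for ip, subjects in group_by_origin(raws).items()
                  if ip != "unknown" and len(subjects) >= min_messages)


if __name__ == "__main__":
    for ip, subjects in group_by_origin(MESSAGES).items():
        print(ip, "->", subjects)
    print("repeat origins:", repeat_origins(MESSAGES))
    print("corporate relay hops:", parse_headers(MESSAGES[2])["received"])
```

For the corporate case the script can only tell you the relay's address (192.0.2.50 in the sample); the London-to-Chicago link the original question asks about lives in the VPN gateway's authentication log, not in the message, which is the point James makes above.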

More information about the Linux-users mailing list