Sunday, July 22, 2012

IP Address Tracking Methods And Techniques For E-Mails

An Internet Protocol Address (IP Address) is the starting point for not only initiating communications across the Internet but also to trace back the same to a particular Computer System. Of course, an IP Address is not always as it seems to be and there may be instances of IP Address Spoofing where the IP Address is forged to mislead the Traceability exercise. This is also the reason why an IP Address should not be the exclusive criteria to arrest and convict an accused.

Nevertheless, tracing the “Real Culprit” essentially involves the exercise of IP Address Tracing as the first step. In this article I would discuss some of the issues connected with tracking of IP Address from an E-Mail. The scope of this article is not to explain how to obtain E-Mail Headers but to discuss how to “Interpret” E-Mail Headers. So I would presume that you are aware of the procedure to obtain E-Mail Headers from your respective E-Mail Clients. Reading of Anonymity and Traceability in Cyberspace (PDF) by Richard Clayton would be a good idea in this regard.

Generally, the details of IP Address can be found in Log Files, in the Received Header fields of an E-Mail, in Tcpdump Traces, by Pinging or doing a Whois Query of a Website, etc. Once the IP Address has been ascertained, it is imperative to Track who is using the concerned IP address.

With Static IP Addresses the problem of Tracking a person is comparatively easy. However, Dynamic IP Addresses keep on changing with every use. It is absolutely essential to “Correlate” the details of such Dynamic IP Address with “Exact Time” as well as concerned “Log Entries”. Further, IP Spoofing must also be kept in mind though it is primarily used for Distributed Denial of Service Attacks (DDOS).

However, the threat of “Spoofed E-mail Headers” is real and a special care must be taken while analysing E-Mail Headers as they may carry “Spoofed Information”. Mutual Authentication and Correlation of the E-Mail Header Information is required to reach a “Conclusive Decision” in this regard.

So before analysing the E-Mail Headers for relevant IP Address, one must ensure that there is no case of E-Mail Spoofing. In E-Mail Spoofing the sender of the E-mail forges the sender address and other parts of the E-Mail Header are altered to appear as though the email originated from a different source. This is possible when the Simple Mail Transfer Protocol (SMTP) fails to provide any Authentication and this allows sending of Spoofed E-Mails.

E-Mails generate “Received Headers” as they travel from different host and so by reading them in order, you can reconstruct the original source of the E-Mail. However, reading E-Mail Header fields to ascertain true IP Address of the sender requires good working knowledge in this regard. The most common and trusted method in this regard is to analyse the Headers from “Top to Bottom” till the “Chain of Coherence” is broken by a suspicious or forged entry. The “Last Trusted Received Header” field may tell you the IP Address of the sender of E-Mail. So instead of jumping directly to the last E-Mail Received Header in all cases to ascertain the IP Address of the sender it would be appropriate to work downwards though the First Header fields to the last and assess their “Integrity”.

In cases of Spoofed E-Mails, the “Last Received Header Rule” may not apply. In order to know the Authenticity of Headers of such Spoofed E-Mail, one must perform both “Reverse Lookup” and “Forward Lookup” of the IP Addresses in the E-Mail.

Another aspect to be noted is that in case of GMail generally it may not be possible to ascertain the IP Address of the sender of an E-Mail because Google puts the IP Address of its own Servers while a Gmail account holder sends an E-Mail. You have to get a “Court Order” to force Google to disclose the IP Address of the sender. However, if someone sends you an E-Mail from the GMail account using a client like Thunderbird, Outlook or Apple Mail, you may still find the “Originating IP Address”.

Finally, basic level “Alertness” is also essential on the part of Law Enforcement Agencies and their Technicians. For instance, Lakshmana Kailash K of India spent 50 days in Indian Jail because the Police/Internet Service Provider (ISP) made an “Apparent but very Common Mistake” while providing details of the person who used the IP Address that resulted in the commission of the offense.

The Indian Police and ISP were confused with what I call “AM/PM Syndrome” and did not bother to check the “Exact Time” of the commission of the crime. Mistakes like these have no space in the Cyber Forensics and Cyber Law fields.

While ascertaining the IP Address of an E-Mail all these factors must be kept in mind. Automatic Scripts/Software are good for ascertaining the IP Address but the end result originating out of such Automatic Scripts/Software must be “Corroborated” with manual inspection. I would share more on this issue in my subsequent articles.


  1. great article on cyber forensics

  2. Thank you very much for this very good contribution. I've been looking at email headers as well to track IP addresses. One important issue as well is the usage of free online web proxies to hide the originating IP address when using email clients. Looking forward to know the next part of your contribution :-)



  3. Great and accurate article. I would have liked the author to touch on tracking IP addresses on e-mails that were sent from cell phones.

  4. great article for a e-security expert