Recently a customer asked us to track who sent an email. Typically, if this was done on an Exchange server, I would have a few more logs to look at; however, the email was from a Gmail account. The first thing I do to track an email is to check the SMTP header and verify it was sent from a specific server, which in this case (gmail.com) it appears to be. Short version of the story: I don't know of any way to track down a message like this, but the client insisted we can, so this is my story. Any tips would be greatly appreciated if I missed something.
The SMTP headers in the email only state that it was sent from a Gmail server; they show no reference to it being sent from any of the customer's servers. If the message had been sent from the customer's server, we could look at the logs; the logs might show us the IP address of the device, so long as it was on the network (mobile device, laptop, etc.), the time the message was sent, and the user account logged in from that device. Again, the message headers of the email show none of that.
I have highlighted some parts of the message header that would be relevant.
The line below shows us that the spam filtering server, smtprelay.domain.com, which acts as an SMTP relay, received an SMTP connection from a server called mail-ve0-f195.google.com at IP address 220.127.116.11, with the message addressed to firstname.lastname@example.org. A simple ping confirms the name resolution of the sending server. SMTP itself is a very simple, largely unauthenticated exchange: the sender's SMTP server issues a series of commands (which, as an aside, are very easy to spoof with any free SMTP service). If the person who sent the message had spoofed a gmail address using a different SMTP server, such as smtp.fakedomain.com, we would see that server as the sending server.
Received: from mail-ve0-f195.google.com (mail-ve0-f195.google.com [18.104.22.168]) by smtprelay.domain.com with ESMTP id XXXXXXXXXXXXXXXXX for email@example.com
To show the difference, in the screenshot below I sent an email to an account I use for junk mail, firstname.lastname@example.org, from email@example.com by spoofing the gmail.com domain through a generic SMTP server. It is actually very easy to "spoof" a From address, but the sending server recorded by the receiving mail server, to my knowledge, can NOT be spoofed.
Now the difference here: since it wasn't really sent from Gmail, the sending server is NOT google.com; it was zebra732.startdedicated.com. In the SMTP header from the message we were asked to investigate, by contrast, it is coming from google.com.
Received: from 127.0.0.1 (EHLO zebra732.startdedicated.com) (22.214.171.124) by mta1367.mail.gq1.yahoo.com with SMTP; Thu, 16 May 2013 06:28:56 -0700
Also, the Exchange server is configured to accept SMTP connections only from specific IP addresses. This means the person trying this would have had to manually assign their device one of the allowed IP addresses in order to relay SMTP commands through the Exchange server. If we assume for a moment they were able to do that, they would then have had to issue SMTP commands to the Exchange server similar to the following:
The message would then be received and appear to be from gmail.com, as pictured:
However, investigating the SMTP header further, as we did with the Yahoo/Gmail example, we would see that it came from yourserver.domain.com:
Received: from yourserver.domain.com (yourserver.domain.com [nnn.nnn.nnn.nnn]) by smtprelay.domain.com with ESMTP id for ; Thu, 16 May 2013 10:34:22 -0400 (EDT).
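As an added example (my own illustration, not part of the original post), here is a small Python parser for the two Received-line layouts quoted above that applies the checks described: trust only the line your own relay wrote, and compare the host the relay recorded, not the name the sender announced, with the domain the From address implies. The sample headers are the post's own obfuscated lines; smtprelay.domain.com and the Yahoo MX are assumed to be the trusted receiving relays.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the three Received lines quoted in the post, one per case.
# Host names, addresses and ids are the post's obfuscated values, not live systems.
SAMPLE_HEADERS = {
    "investigated": "Received: from mail-ve0-f195.google.com (mail-ve0-f195.google.com [18.104.22.168])"
                    " by smtprelay.domain.com with ESMTP id XXXXXXXXXXXXXXXXX for email@example.com",
    "spoofed_via_yahoo": "Received: from 127.0.0.1 (EHLO zebra732.startdedicated.com) (22.214.171.124)"
                         " by mta1367.mail.gq1.yahoo.com with SMTP; Thu, 16 May 2013 06:28:56 -0700",
    "spoofed_via_exchange": "Received: from yourserver.domain.com (yourserver.domain.com [nnn.nnn.nnn.nnn])"
                            " by smtprelay.domain.com with ESMTP id for ; Thu, 16 May 2013 10:34:22 -0400 (EDT).",
}

# Two layouts appear in the post: "from NAME (RDNS [IP]) by RELAY" and the Yahoo
# form "from IP (EHLO NAME) (IP) by RELAY".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"                       # name or IP the client announced
    r"(?:\s+\(EHLO\s+(?P<ehlo>[^)]+)\))?"                      # Yahoo-style echo of the EHLO name
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)\s+\[(?P<ip1>[^\]]+)\]\)"  # "(rdns [ip])" as recorded by the relay
    r"|\s+\((?P<ip2>[^()\s]+)\))?"                             # or a bare "(ip)"
    r"\s+by\s+(?P<by>\S+)",                                    # the relay that wrote this line
    re.IGNORECASE,
)

@dataclass
class Hop:
    announced: str              # HELO/EHLO name: asserted by the sender, trivially forged
    observed_name: str | None   # reverse DNS the receiving relay looked up itself, if any
    observed_ip: str | None     # connecting IP as seen by the receiving relay
    relay: str                  # host that wrote this Received line

def parse_received(line: str) -> Hop:
    m = RECEIVED_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised Received line: {line[:60]}")
    return Hop(announced=m["ehlo"] or m["helo"], observed_name=m["rdns"],
               observed_ip=m["ip1"] or m["ip2"], relay=m["by"])

def assess(line: str, trusted_relays: set[str], expected_suffix: str) -> str:
    """Only a line written by our own relay is trustworthy; earlier ones arrived inside
    the message. The recorded name must fall under the domain the From address implies."""
    hop = parse_received(line)
    if hop.relay.lower() not in trusted_relays:
        return "untrusted-line"   # written by another organisation's server
    # Without relay-recorded rDNS we fall back to the announced name; that verdict
    # then rests on resolving observed_ip out of band (the post's ping check).
    name = (hop.observed_name or hop.announced).lower().rstrip(".")
    if name == expected_suffix or name.endswith("." + expected_suffix):
        return "consistent"
    return "mismatch"             # From claims one domain, connection came from another
```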
Again, if anyone can teach me a thing or two on this I would be very appreciative.