Is it possible to discover the creator, or the whereabouts of the creator, of an email by reading the raw data of the email alone, using for example BT YAHOO WEBMAIL? The case in question involves emails that are being created by someone who has hacked the account and not by the account holder. Time discrepancies have been seen in the raw data compared to the time stamp on the actual emails, but to amateur eyes that is all that can be extrapolated so far.

  • Can you check the sender's IP in the mail headers?
    – alfred
    Commented Aug 11, 2018 at 17:56
  • Possibly. Edit the question to include the full mail headers.
    – DavidPostill
    Commented Aug 11, 2018 at 18:03
  • Do not post any actual IP.
    – alfred
    Commented Aug 11, 2018 at 19:16
  • You need to read the email header from bottom to top; the Received field(s) will show you the path it took to the final destination. The actual submitter is in the first (from the bottom) Received field. The Received-SPF field will disclose what was really used as From when the servers talked to each other.
    – Alex
    Commented Aug 11, 2018 at 19:44
  • Comments are actually not a good place to answer a question, so I expanded it and moved it to the answer section.
    – Alex
    Commented Aug 11, 2018 at 23:28

1 Answer


You need to read the email header from bottom to top.
The Received: field(s) will show you the path the email took to the final destination, i.e. all the intermediate servers the email passed through. The actual submitter of the email is in the first (from the bottom) Received: field.

The From: field cannot always be trusted, because it is possible to forge it on some badly configured sending servers. To reveal what was really used in the communication protocol in place of
MAIL FROM:, one can investigate the header field Received-SPF:, which will disclose the real sender's email in the sub-field envelope-from=
(of course this field will only be available if the receiving server cares to check SPF, which prevents email forging).
This Received-SPF: field also indicates the status of the SPF check; if it passes verification, that confirms the email was really sent from an email server that the domain owner authorized to send emails.

If a sender's server cares about its users, there could also be a DKIM: field, which is the digital signature and integrity mechanism that guarantees the email was truly sent via an authorized email server and that the message itself wasn't forged. (It works kind of like HTTPS, but is used only to protect the integrity of the original email, so if some man in the middle tried to change something in the email, the public key cryptography would trigger an error.)

The fields above are the most useful for identifying the real sender, as well as for making sure that the email wasn't forged.

  • Once again Alex, thank you so much. You have really helped and made it easy to understand too!
    – Vesper007
    Commented Aug 12, 2018 at 4:58
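The header walk described in the answer above, as an added worked example (code written for this page, not part of the original post and not from any mail provider). It reads the Received: chain bottom-up so the earliest hop comes first, pulls the result and envelope-from= out of Received-SPF:, lists the d= domains of any DKIM-Signature: headers, and measures the gap between the sender's own Date: header and the first Received: timestamp, which is the kind of time discrepancy the question mentions. The message it parses is constructed: the hosts are example.* names, the addresses are invented, and the IPs come from the RFC 5737 documentation ranges. One caveat that the answer implies but is worth stating: only the Received: lines added by servers you trust (your own provider's) are reliable; a sender can prepend fabricated Received: lines below them, so the lowest hop is the best lead, not proof.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real email): three Received: hops, one
# Received-SPF: result and one DKIM-Signature:. Hosts are example.* names and
# IPs come from the RFC 5737 documentation ranges.
RAW_EMAIL = b"""\
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
\tby inbox.example.net with ESMTP id C3; Sat, 11 Aug 2018 17:50:03 +0000
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=198.51.100.10;
\thelo=smtp.example.org; envelope-from=realsender@example.org;
\treceiver=mx2.example.net
Received: from smtp.example.org (smtp.example.org [198.51.100.10])
\tby mx2.example.net with ESMTPS id B2; Sat, 11 Aug 2018 17:50:02 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;
\th=from:to:subject:date; bh=ZmFrZQ==; b=ZmFrZXNpZw==
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby smtp.example.org with ESMTPSA id A1; Sat, 11 Aug 2018 17:49:58 +0000
From: "Account Holder" <holder@example.org>
To: friend@example.net
Subject: test
Date: Sat, 11 Aug 2018 10:49:00 +0000

body
"""


def load(raw=RAW_EMAIL):
    """Parse raw RFC 5322 bytes into a message object (folded headers are unfolded)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def parse_received(value):
    """Pull the claimed host, its IP, the receiving server and the timestamp out of one Received: line."""
    text = " ".join(value.split())  # collapse continuation lines to one line
    hop = {"from": None, "ip": None, "by": None, "time": None}
    m = re.search(r"\bfrom\s+(\S+)\s+(?:\(([^)]*)\)\s+)?by\s+(\S+)", text)
    if m:
        hop["from"], hop["by"] = m.group(1), m.group(3)
        # The IP the receiving server actually saw is in the bracketed comment;
        # fall back to the 'from' token when the client sent a literal address.
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(2) or m.group(1))
        if ip:
            hop["ip"] = ip.group(1)
    if ";" in text:  # the timestamp follows the last semicolon
        try:
            hop["time"] = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def delivery_path(msg):
    """Received: headers read bottom-up, i.e. the submitting hop first, final delivery last."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def spf_result(msg):
    """Result and envelope-from of Received-SPF:, or None when the receiver did not check SPF."""
    value = msg.get("Received-SPF")
    if value is None:
        return None
    text = " ".join(value.split())
    info = {"result": text.split()[0].rstrip(";").lower()}
    for key in ("envelope-from", "client-ip", "helo"):
        m = re.search(rf"\b{key}=([^;\s]+)", text)
        info[key] = m.group(1) if m else None
    return info


def dkim_domains(msg):
    """d= tag of every DKIM-Signature:; a passing signature vouches for the signing domain, not a person."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"\bd=([^;\s]+)", " ".join(sig.split()))
        if m:
            domains.append(m.group(1))
    return domains


def clock_skew_seconds(msg):
    """Seconds between the first Received: timestamp and the sender's own Date: header.
    A large value means the submitting client's clock or timezone disagrees with the server's."""
    first = delivery_path(msg)[0]["time"]
    sent = parsedate_to_datetime(str(msg["Date"]))
    return (first - sent).total_seconds()


if __name__ == "__main__":
    msg = load()
    for i, hop in enumerate(delivery_path(msg), 1):
        print(f"hop {i}: from {hop['from']} [{hop['ip']}] by {hop['by']} at {hop['time']}")
    print("SPF:", spf_result(msg))
    print("DKIM d=:", dkim_domains(msg))
    print("Date: vs first Received: skew (s):", clock_skew_seconds(msg))
```

To use it on a real message, export the message source from the webmail client, read the file as bytes and pass it to load(). The first element of delivery_path() is the hop that accepted the submission and the IP it recorded; compare spf_result()["envelope-from"] with the From: address to spot a mismatch, and treat a skew of hours from clock_skew_seconds() as a lead about the submitting client's clock or timezone rather than as evidence on its own.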