Re: OT: IP of the originating machine from a gmail email

[Ajay Agrawal <ac_agrawal () yahoo com>]

Nikhil,

What I understand from the question of Saqib -he is
asking if someone has sent mail using gmail account
how can you see the IP address of workstation/pc from
where it was sent. Gmail do not provide any IP details
but it do provide messange ID which is unique and
google have record for that message id belongs to
which IP.
--- Nikhil Wagholikar <visitnikhil () gmail com> wrote:

> Hello Saqib,
>
> Definitely you can know who within this world has
> sent you email. For
> this you need to perform email header analysis.
> Since you asked
> specifically for GMAIL, the way to see header
> information in Gmail is
> to click on "Show original" in the mail opened from
> inbox. This is the
> same place where you get the option of Reply, Reply
> to All, Forward
> etc.
> This is mostly possible if the sender has preferred
> to send email via
> a MUA and not through typical web-base of Gmail.
>
> In the header, you can check for the string named
>
> "Received: from [WWW.XXX.YYY.ZZZ]
> (helo=AAA.BBB.CCC.DDD)"
>
> OR
>
> "Received: from [WWW.XXX.YYY.ZZZ]
> (helo=hostname.domain)"
>
> where WWW.XXX.YYY.ZZZ is the public IP Address of
> the user who has
> sent the mail. You could go to DNS.com and find out
> who has registered
> this public IP Address.
>
> Now the "helo" string varies since different Mail
> User Agents (MUA)
> implement it differently.
>
> Some prefer to just send their internal/private IP
> Address i.e.
> pre-NAT Address (AAA.BBB.CCC.DDD) such as
> 192.168.0.75 and some prefer
> to send their hostname.domain information, whereas
> some others just
> prefer to send 127.0.0.1 as their identity for
> 'helo' string. This
> sometimes also depend on the mail server
> configurations.
>
> Like Mozilla Thunderbird in Microsoft Windows
> platform prefers to send
> the pre-NAT Address i.e. private IP Address and the
> same in Linux
> prefers to send the hostname.domain information.
>
> Besides "Received: from" you can also derive some
> juicy information
> about the sender like "User-Agent" which will tell
> you about the MUA
> used by the sender. It could be typically Microsoft
> Outlook 11 or 12
> or it could be Mozilla Thunderbird, K-Mail etc.
>
> ---
> NIKHIL WAGHOLIKAR
> Information Security Analyst
> NII Consulting
> Web: http://www.niiconsulting.com
> Security Products:
> http://www.niiconsulting.com/products.html
>
>
>
> On Dec 28, 2007 5:34 AM, Ali, Saqib
> <docbook.xml () gmail com> wrote:
> > Hello,
> >
> > I was wondering if there is a way to get the IP
> address of the machine
> > that was used to compose an email that was sent
> using gmail?
> > saqib
> > http://www.quantumcrypto.de/dante/


Thanks and best regards,

Ajay Agrawal 
+91 9886083116 

EnCE (EnCase Certified Computer Forensic Examiner) 
CISSP (Certified Information Systems Security Professional)
IBM Certified System Administrator Lotus Notes/Domino 6/6.5
MCP (Microsoft Certified Professional)



      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ