Tracking origin of an email sent via Gmail

[Magnet]

These is an issue in my company where a persons reputation is at stake. The need is to find out, if the email sender, logged into the gmail account from which country around the globe? I just need to track the country IP ranges from where the sender logged into gmail account.

When I do a test and study the headers of the gmail ( I sent an email via my own gmail account to my own another account), I failed to find mention of my IP address. Seems like gmail masks that information.

If there a tool within backtrack to help us out in this case?

[lupin]

If the senders IP address is not included in the email headers (as it is in the case of certain other web based email providers), then you wont be able to access it via BackTrack. BackTrack can't magic up information from places where it does not exist. If you want to find out the IP Address of a user who sent an email via gmail, you need to subpoena Google - they will have kept a record of the IP Address of the person who sent the email.

[Magnet]

BackTrack can't magic up information from places where it does not exist.

I was going thorugh a thread which reached nowhere:
How to find Gmail Sender IP address ? - Black Hat Forum Black Hat SEO

From what I see in my headers is indeed a hashed up entry like:
-----

Received: (qmail 5669 invoked from network); 9 Jun 2010 05:48:21 -0000
Received: from mail-vw0-f43.google.com (HELO mail-vw0-f43.google.com) (209.85.212.43)
by server-11.tower-206.messagelabs.com with SMTP; 9 Jun 2010 05:48:21 -0000
Received: by mail-vw0-f43.google.com with SMTP id 3so8189957vws.16
for <myname@mymail.com>; Tue, 08 Jun 2010 22:48:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:received:date:message-id
:subject:from:to:content-type;
bh=PQtFR9WvFYyLIMoqNwTlfGV1n1b+Oi0dU//GpAk0hZg=;
b=DLIgS6i982N8PCGP5XZz1wpfnOuMp7TiBVmK0HcdhwiMmJkn 8MiYYCJC8SNHLhrpD0
IF12IGnOLPcxTBHQKOkwZLS+AlppeO4IGQz6780re/kdiOiK84Tvygzd3vmeGvaH23aS
lnzdhBx8K3NKQYHD2o4+YZypGkvfhCW24zXTY=
----

Messagelabs is our email security hosted gateway and mymail.com is my official email address. This is the header of an email that I sent to mymail.com account from my gmail web interface.

I was wondering if gmail uses base64 for encoding the IP address in header and with a decoder its possible to see the original ip address, as someone mentioned in the thread on Blackhat.

[phangs]

These is an issue in my company where a persons reputation is at stake. The need is to find out, if the email sender, logged into the gmail account from which country around the globe? I just need to track the country IP ranges from where the sender logged into gmail account.

When I do a test and study the headers of the gmail ( I sent an email via my own gmail account to my own another account), I failed to find mention of my IP address. Seems like gmail masks that information.

If there a tool within backtrack to help us out in this case?

I don't get it. Why take the hassle of doing so much when you can just prove that it is not the email account of the person you are saying is at stake? This is assuming the person at stake is being accused of sending an email to someone that he should not. For me, just tell them it is not his account, they couldn't prove it otherwise, right? In this world where any one can open up free anonymous email account, email can not be said as definite proof of accusing someone. The easier path is just point out this argument to them.

But if you insist on really finding out the IP address of the sender, then I doubt this cry for help is a noble cause...

[s3ni0r]

hi Magnet & lupin,

i think you can trace a mail in gmail following these steps :

1-



2-

[lupin]

phangs - the issue might be one of libel, you need to identify a person who sent an email to one of your organisations staff members (or rule out a particular person having sent that message). We have had a similar issue in the past where I work.

s3ni0r - it looks like that particular email you are sending has been forwarded via an Exchange server, and you're identifying the sending IP via the received headers. When you send an email via the gmail web interface it does not add the same received headers (I just tried it then to confirm) - you instead see something more or less exactly like what the OP showed in post 3 above.

Magnet - Yes that is Base64 encoded stuff in those fields (or it looks like it at least). There are things you can use to decode it in BackTrack, but you dont need BackTrack to Base64 decode something - there are web pages that can do that for you. If you want to do it in BT one easy way to do so would be to use the Decoder tab in the Burp proxy. I Base64 decoded the data shown in your headers and in my header from my test email and it decodes to binary data, and in the case of my headers I didnt see my IP address there in either ASCII or Hex format.

[ubt4me]

Just a side note:
I open web based mail accounts the same way I view Forum pages, behind proxy servers from all over the world. The only downside to jumping proxy servers is the need to log in to post and halt the jump while you are logged in.
I guess the point I am trying to make here is, you can't prove anything.

Try and find me LOL.

[hhmatt]

Just a side note:
I open web based mail accounts the same way I view Forum pages, behind proxy servers from all over the world. The only downside to jumping proxy servers is the need to log in to post and halt the jump while you are logged in.
I guess the point I am trying to make here is, you can't prove anything.

Try and find me LOL.

So, you think that by using a proxy server that you do not have any administrative control over that you can't be found?

Oh and just a side note, your ISP knows everything you do, proxy or not.

[ubt4me]

So, you think that by using a proxy server that you do not have any administrative control over that you can't be found?

First, i filter by and only use 3 dot security proxy servers that have a return ping of less that 2.5 sec.

Oh and just a side note, your ISP knows everything you do, proxy or not.

Second, I do not do illegal activities over the internet so am ok with my ISP knowing everything I do, I simply use proxies as a way to prevent a direct link back to me for malicious attacks in forum and mail environments, I just wanted to point out as lupin suggested the need to subpoena Google, you may also need to keep up with that same process to find the true sender and that just won't happen.

[spawn]

it can be interesting

MaxMind - GeoIP Perl API

MaxMind - GeoIP | IP Address Location Technology

-> backtrack Main site ( 208.68.234.100 )

spawn@alucard ~ $ perl geocity.pl
US USA United States FL Florida Hollywood 26.0097 -80.2593

not is 100% precise .