Hey all,
I am attempting to ascertain how it is possible that an e-mail header I am reviewing in a case only has 10.xxx.xxx.xxx IP addresses in it. This e-mail was coming from a Gmail account. So, perhaps the sender is using POP, but how are they able to completely hide the actual WAN IP address?
I believe that's typical if the sender is using either the web interface or one of Google's mobile apps. Only if the sender is using a 'fat' client like Outlook, Thunderbird or Apple Mail would I expect to see the WAN address.
Ah, so you're right! I just checked with other known e-mails. That must make e-mail forensics quite difficult, then. Webmail used to always show the originating IP – I remember with Hotmail it would be quite simple:
X-Originating IP XXX.XXX.XXX.XXX
When did this change and get all anonymous?
X-Originating IP is an optional field and always has been. As far as I am aware, GMail has never shown it; in fact, they used to explicitly say they wouldn't show it to protect users' privacy.
Aha! Well… it certainly seems to be working! :)
Thank you.
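An added example, not part of any post in this thread, of the header check discussed above: it separates RFC 1918 addresses in the Received chain from other addresses and reports X-Originating-IP when present. The sample headers are constructed, `triage` is a hypothetical name, and 203.0.113.45 and 198.51.100.7 are documentation addresses standing in for a sender's WAN IP.

```python
import ipaddress
import re
from email import message_from_string

# RFC 1918 ranges, checked explicitly: ipaddress.is_private would also flag
# the documentation addresses used as stand-in WAN IPs below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed headers, not taken from a real message.
WEBMAIL = """\
Received: by 10.140.21.5 with SMTP id abc123; Mon, 1 Jan 2018 10:00:01 -0800
Received: by 10.25.16.9 with HTTP; Mon, 1 Jan 2018 10:00:00 -0800
From: susp@gmail.com

body
"""
FAT_CLIENT = """\
Received: by 10.140.21.5 with SMTP id abc123; Mon, 1 Jan 2018 10:00:01 -0800
Received: from laptop.example ([203.0.113.45])
        by smtp.gmail.com with ESMTPSA id def456; Mon, 1 Jan 2018 10:00:00 -0800
From: susp@gmail.com

body
"""
LEGACY_WEBMAIL = "X-Originating-IP: [198.51.100.7]\nFrom: a@example.com\n\nbody\n"


def triage(raw):
    """Split Received-header IPs into RFC 1918 and other; report X-Originating-IP."""
    msg = message_from_string(raw)
    internal, external = [], []
    for hop in msg.get_all("Received", []):
        for text in IPV4.findall(hop):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # e.g. 999.1.1.1 matched by the regex
                continue
            bucket = internal if any(ip in net for net in RFC1918) else external
            bucket.append(str(ip))
    return {"internal": internal, "external": external,
            "x_originating_ip": msg.get("X-Originating-IP")}
```

An empty `external` list together with a missing X-Originating-IP is the situation described in the first post: the header alone carries no client address.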
Hi, I came across a scenario where a suspect hid his IP by sending an email from Gmail to his own email address, with the target as a secondary receiver in the Cc field.
Example:
Suspect address: susp@gmail.com
Target address: targ@gmail.com
From: susp@gmail.com, To: susp@gmail.com
Cc: targ@gmail.com