Computer Security & Viruses/tracing

Question
QUESTION: If you cannot answer this, can you tell me where I can post to try to get an answer to this question?
When I have received phishing emails in the past, I was told to forward them to Comcast or whoever was being spoofed. However, I was told that once emails are forwarded the original IP cannot be obtained. Is that true?

ANSWER: You are correct: when you forward an email, in most cases the originating IP address from the headers is lost. I checked this out by forwarding an email from a GoDaddy server to a Gmail server and back again to the GoDaddy server, and checking the headers. Each email server deleted the originating IP address from the previous email server.

For the most up-to-date information on how to protect yourself from spam and prevent spammers from creating spam, see the U.S. Federal Government website on this topic at  http://www.onguardonline.gov/articles/0038-spam

---------- FOLLOW-UP ----------

QUESTION: Thanks for the info. But if this is true, then why do ISPs ask you to forward spam and phishing emails? If the IP is lost, is there any other way to trace the email?

Answer
In my experience, no ISP has ever asked me to simply forward spam emails. As noted in the link in my previous answer, instead they ask that you provide a complete version of the email so the originating IP address is preserved. For example, Gmail has a button that automatically sends them the relevant data from any email you believe to be spam.

You can preserve the originating IP address by setting the view on your email client to reveal the "full headers" or "Source" depending upon how your email client program works. Then you can copy and paste the full headers into a document or a new email message. Here's an example from the Allexperts email to me about your question, using the "view source" option on a GoDaddy email client program:

Received: (qmail 13502 invoked by uid 30297); 4 Jun 2014 14:43:20 -0000
Received: from unknown (HELO p3plibsmtp01-08.prod.phx3.secureserver.net) ([10.6.12.195])
         (envelope-sender <experts@about.com>)
         by p3plsmtp14-06.prod.phx3.secureserver.net (qmail-1.03) with SMTP
         for <carolyn.meinel@cmeinel.com>; 4 Jun 2014 14:43:20 -0000
Received: from nyrelay.about.com ([207.241.149.198])
  by p3plibsmtp01-08.prod.phx3.secureserver.net with bizsmtp
  id AEjL1o00f4H4cYF01EjLCh; Wed, 04 Jun 2014 07:43:20 -0700
X-Authority-Analysis: v=2.1 cv=S/5XwecP c=1 sm=1 tr=0
a=qpoA9NBbTwtsp9KH/QUbhA==:117 a=qpoA9NBbTwtsp9KH/QUbhA==:17 a=ByKQvyS0AAAA:8
a=TZb1taSUAAAA:8 a=HuSvHbNZLcoA:10 a=8nJEP1OIZ-IA:10 a=Y06chMaLAAAA:8
a=X3NA1LEnD8xPIf1PP_UA:9 a=wPNLvfGTeEIA:10 a=7hppzLmfVSoA:10 a=8pfRZ8cH78AA:10
Received: (qmail 76409 invoked from network); 4 Jun 2014 14:32:33 -0000
Received: from mxc1s.about.com (HELO tools1.ops.about.com) (207.241.148.39)
 by nyrelay.about.com with SMTP; 4 Jun 2014 14:32:33 -0000
To: carolyn.meinel@cmeinel.com
Date: 4 Jun 2014 14:32:33 +0000
From:  <experts@about.com>
Subject: AllExperts Question
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: binary
X-Nonspam: None

There is a question waiting for you in the category of "Computer Security & Viruses".

Subject: tracing

Question:
Thanks for the info. But if this is true, then why do ISPs ask you to forward spam and phishing emails? If the IP is lost, is there any other way to trace the email?

If your email provider does not provide a specific way to report spam, or if they simply ask you to forward it, that company might not be serious about blocking spam. It takes technical expertise to block spam because it is not usually obvious who the real culprit is. Most seriously, what if a spammer takes over your home computer to send spam? If an ISP ignorantly blocks your computer from accessing the Internet anymore, thinking that the spam was something you intentionally sent, that would be unfair to you.
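The answer above shows why the full headers matter: each mail server that handles a message prepends its own Received: line, so reading the chain from the bottom up retraces the path back toward the sender, and a plain forward throws that chain away and starts a new one at the forwarder. The following script is an added example (not code from the original answer) that walks the Received: chain of the header block quoted above. It uses the real headers from the page as one sample, plus a constructed header block standing in for the same message after a forward, with addresses from the RFC 5737 documentation ranges. The `trusted_suffix` parameter (here "secureserver.net", GoDaddy's mail domain in the sample) is an assumption made for illustration: it marks which servers belong to the recipient's own provider, because only the hop recorded by your own provider is something a spammer could not have written.

```python
"""Walk the Received: chain of a raw email header block to find where a
message entered the mail system. Added example, not code from the original
answer; the trusted-domain suffix is an assumption made for illustration."""
import re
from email import message_from_string

# Sample 1: the Received: lines quoted in the answer above (the qmail
# "invoked" lines are local hand-offs and record no remote address).
SAMPLE_HEADERS = """\
Received: (qmail 13502 invoked by uid 30297); 4 Jun 2014 14:43:20 -0000
Received: from unknown (HELO p3plibsmtp01-08.prod.phx3.secureserver.net) ([10.6.12.195])
         (envelope-sender <experts@about.com>)
         by p3plsmtp14-06.prod.phx3.secureserver.net (qmail-1.03) with SMTP
         for <carolyn.meinel@cmeinel.com>; 4 Jun 2014 14:43:20 -0000
Received: from nyrelay.about.com ([207.241.149.198])
  by p3plibsmtp01-08.prod.phx3.secureserver.net with bizsmtp
  id AEjL1o00f4H4cYF01EjLCh; Wed, 04 Jun 2014 07:43:20 -0700
Received: (qmail 76409 invoked from network); 4 Jun 2014 14:32:33 -0000
Received: from mxc1s.about.com (HELO tools1.ops.about.com) (207.241.148.39)
 by nyrelay.about.com with SMTP; 4 Jun 2014 14:32:33 -0000
To: carolyn.meinel@cmeinel.com
From: <experts@about.com>
Subject: AllExperts Question

"""

# Sample 2 (constructed): the same message after a plain "Forward". The
# only Received: line is the forwarder's own hop; the original chain is
# gone. Addresses are from the RFC 5737 documentation ranges.
FORWARDED_HEADERS = """\
Received: from smtp-out.forwarder.example ([192.0.2.10])
  by mx.isp.example with ESMTP id abc123; 5 Jun 2014 09:00:00 -0000
From: reader@forwarder.example
To: abuse@isp.example
Subject: Fwd: AllExperts Question

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "from <host> ... by <host>", spanning folded continuation lines (re.S).
FROM_BY = re.compile(r"from\s+(\S+)(.*?)\bby\s+(\S+)", re.S)


def parse_hops(raw_headers):
    """Return hops oldest-first as (from_host, from_ip, by_host) tuples.

    Servers prepend Received: lines, so header order is newest-first;
    reversing it yields the path the message travelled. Lines with no
    from/by pair (local qmail hand-offs) are skipped.
    """
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = FROM_BY.search(value)
        if not m:
            continue
        from_host, from_extra, by_host = m.groups()
        ips = IPV4.findall(from_extra)
        hops.append((from_host, ips[0] if ips else None, by_host))
    return hops


def originating_ip(raw_headers):
    """Oldest hop that recorded a remote address: the best candidate for
    the sending machine, provided every server in the chain was honest."""
    for _, ip, _ in parse_hops(raw_headers):
        if ip:
            return ip
    return None


def last_trusted_ip(raw_headers, trusted_suffix):
    """Address of the peer that handed the message to the recipient's own
    provider. Older Received: lines were written by other people's servers
    and a spammer can forge them; this one was written by your provider,
    which saw the TCP connection itself, so it is the last reliable point."""
    for _, ip, by_host in parse_hops(raw_headers):
        if ip and by_host.endswith(trusted_suffix):
            return ip
    return None


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_HEADERS):
        print("%-28s %-16s -> %s" % hop)
    print("originating:", originating_ip(SAMPLE_HEADERS))
    print("last trusted:", last_trusted_ip(SAMPLE_HEADERS, "secureserver.net"))
    print("after forward:", originating_ip(FORWARDED_HEADERS))
```

On the page's own headers the oldest hop with an address is 207.241.148.39 (tools1.ops.about.com handing off to nyrelay.about.com), and the last hop the recipient's provider observed directly is 207.241.149.198, the about.com relay connecting to p3plibsmtp01-08.prod.phx3.secureserver.net; the 10.6.12.195 hop after it is GoDaddy's internal relay. Run against the forwarded sample, the only address left is the forwarder's 192.0.2.10, which is exactly why an abuse desk needs the full original headers rather than a forward.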

Carolyn Meinel

Expertise

I cover Windows, Linux, TCP/IP and Ethernet security questions. I do not cover Mac, smart phones, or other networking issues.

Experience

Books by Carolyn Meinel: wrote a chapter for The Hacking of America book (see http://www.amazon.com/exec/obidos/ASIN/1567204600/happyhacker). My article Code Red for the Web for Scientific American was reprinted in the book Best American Science Writing 2002 (see http://www.amazon.com/exec/obidos/ASIN/0060936509/happyhacker). My book The Happy Hacker: A Guide to Mostly Harmless Hacking is now in its 4th edition, with a Japanese edition (see http://happyhacker.org/hhbook/).

Organizations
IEEE, AAAS

Publications
See a list with some online links at http://cmeinel.com

Education/Credentials
MS, Industrial Engineering, The University of Arizona. Took a course in computer forensics at the University of Texas at Austin.

Past/Present Clients
DARPA, SAIC, Palmer Labs

©2016 About.com. All rights reserved.