Computer Security & Viruses/tracing
QUESTION: If you cannot answer this, can you tell me where I can post to try to get an answer to this question?
When I have received phishing emails in the past, I was told to forward them to Comcast or whoever was being spoofed. However, I was told that once emails are forwarded the original IP cannot be obtained. Is that true?
ANSWER: You are correct: when you forward an email, in most cases the originating IP address from the headers is lost. I checked this out by forwarding an email from a GoDaddy server to a Gmail server and back again to the GoDaddy server, and checking the headers. Each email server deleted the originating IP address from the previous email server.
For the most up-to-date information on how to protect yourself from spam and prevent spammers from creating spam, see the U.S. Federal Government website on this topic at http://www.onguardonline.gov/articles/0038-spam
---------- FOLLOW-UP ----------
QUESTION: Thanks for the info. But if this is true, then why do ISPs ask you to forward spam and phishing emails? If the IP is lost, is there any other way to trace the email?
In my experience, no ISP has ever asked me to simply forward spam emails. As noted in the link in my previous answer, instead they ask that you provide a complete version of the email so the originating IP address is preserved. For example, Gmail has a button that automatically sends them the relevant data from any email you believe to be spam.
You can preserve the originating IP address by setting the view on your email client to reveal the "full headers" or "Source" depending upon how your email client program works. Then you can copy and paste the full headers into a document or a new email message. Here's an example from the Allexperts email to me about your question, using the "view source" option on a GoDaddy email client program:
Received: (qmail 13502 invoked by uid 30297); 4 Jun 2014 14:43:20 -0000
Received: from unknown (HELO p3plibsmtp01-08.prod.phx3.secureserver.net) ([10.6.12.195])
by p3plsmtp14-06.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for <firstname.lastname@example.org>; 4 Jun 2014 14:43:20 -0000
Received: from nyrelay.about.com ([188.8.131.52])
by p3plibsmtp01-08.prod.phx3.secureserver.net with bizsmtp
id AEjL1o00f4H4cYF01EjLCh; Wed, 04 Jun 2014 07:43:20 -0700
X-Authority-Analysis: v=2.1 cv=S/5XwecP c=1 sm=1 tr=0
a=qpoA9NBbTwtsp9KH/QUbhA==:117 a=qpoA9NBbTwtsp9KH/QUbhA==:17 a=ByKQvyS0AAAA:8
a=TZb1taSUAAAA:8 a=HuSvHbNZLcoA:10 a=8nJEP1OIZ-IA:10 a=Y06chMaLAAAA:8
a=X3NA1LEnD8xPIf1PP_UA:9 a=wPNLvfGTeEIA:10 a=7hppzLmfVSoA:10 a=8pfRZ8cH78AA:10
Received: (qmail 76409 invoked from network); 4 Jun 2014 14:32:33 -0000
Received: from mxc1s.about.com (HELO tools1.ops.about.com) (184.108.40.206)
by nyrelay.about.com with SMTP; 4 Jun 2014 14:32:33 -0000
Date: 4 Jun 2014 14:32:33 +0000
Subject: AllExperts Question
Content-Type: text/plain; charset=ISO-8859-1
There is a question waiting for you in the category of "Computer Security & Viruses".
Thanks for the info. But if this is true, then why do ISPs ask you to forward spam and phishing emails? If the IP is lost, is there any other way to trace the email?
If your email provider does not provide a specific way to report spam, or if they simply ask you to forward it, that company might not be serious about blocking spam. It takes technical expertise to block spam because it is not usually obvious who the real culprit is. Most seriously, what if a spammer takes over your home computer to send spam? If an ISP ignorantly blocks your computer from accessing the Internet any more, thinking that the spam was something you intentionally sent, that would be unfair to you.
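As an added, constructed example (not code from the original answer), the script below reads the Received chain quoted above the way the answer describes: it starts from the headers stamped by your own provider's servers and walks down to the first public address one of them recorded. The trusted domain suffix (".secureserver.net") and the restored line folding in the sample are assumptions.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample: the Received chain from the AllExperts message quoted above,
# with RFC 5322 folding (leading space on continuation lines) restored.
RAW_HEADERS = """\
Received: (qmail 13502 invoked by uid 30297); 4 Jun 2014 14:43:20 -0000
Received: from unknown (HELO p3plibsmtp01-08.prod.phx3.secureserver.net) ([10.6.12.195])
 by p3plsmtp14-06.prod.phx3.secureserver.net (qmail-1.03) with SMTP
 for <firstname.lastname@example.org>; 4 Jun 2014 14:43:20 -0000
Received: from nyrelay.about.com ([188.8.131.52])
 by p3plibsmtp01-08.prod.phx3.secureserver.net with bizsmtp
 id AEjL1o00f4H4cYF01EjLCh; Wed, 04 Jun 2014 07:43:20 -0700
Received: (qmail 76409 invoked from network); 4 Jun 2014 14:32:33 -0000
Received: from mxc1s.about.com (HELO tools1.ops.about.com) (184.108.40.206)
 by nyrelay.about.com with SMTP; 4 Jun 2014 14:32:33 -0000
Subject: AllExperts Question
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received_chain(raw_headers):
    """Return the Received hops newest-first, each as {from, by, ip}."""
    hops = []
    for hdr in message_from_string(raw_headers).get_all("Received", []):
        hdr = " ".join(hdr.split())           # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", hdr)
        m_by = re.search(r"\bby\s+(\S+)", hdr)
        m_ip = IPV4_RE.search(hdr)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "ip": m_ip.group(1) if m_ip else None})
    return hops

def originating_hop(hops, trusted_suffix):
    """Walk newest-first through hops stamped by our own (trusted) servers and
    return the first that recorded a public sender address. Hops below it were
    written by outside servers and cannot be verified from our side."""
    for hop in hops:
        if hop["ip"] is None or hop["by"] is None:
            continue                          # local delivery, no network peer
        if not hop["by"].endswith(trusted_suffix):
            break                             # we have left our own servers
        if ip_address(hop["ip"]).is_global:
            return hop
    return None   # only private relays seen: chain was cut, e.g. by forwarding

if __name__ == "__main__":
    print(originating_hop(parse_received_chain(RAW_HEADERS), ".secureserver.net"))
```

For a forwarded copy the only hops present are those of the forwarder's submission, so the function returns the forwarding server (or None), never the original sender, which is why providers ask for the full source instead.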