< Continued from Part 2: Geo-locate IP

Is the geolocation information found with this method always correct?

Depends. It need not be always correct. But most of the time, I have found this information to be incorrect in the following cases.

  • Somebody knows this technique and intentionally sends the mail through entirely different connection. I have not yet been able to trace such people through mail headers.

  • A mail is routed through many internal networks about which the external world has no information. Example. In a large organization, with offices in different parts of a country, they might be using a single server placed at the head office to send the mails. In that case you will only get the head-office location every time.

  • The mail providers like GMail hide this information from the receiver in some cases.

Warning: The information about the geographical location for an IP is available from the Internet IP registration authorities (this is not what these authorities are actually called). If the registration information is incomplete or incorrect or hidden, this method will yield incorrect results.

How to change the outgoing information?

Basically you cannot change the IP in the email headers until you use some kind of IP spoofing or VPN. But you can make use of an entirely different connection. How? Use the public proxies. When the mails are sent using public proxies, they originate from those public proxy IP addresses and therefore not possible to track directly. An exception is when a heavy use is monitored and statistical conclusions are derived.

A concept called Onion Routing disallows such analysis attacks too. Though at some advanced level, you may want to read about Tunneling and Onion Routing

What happens when mail is routed within the organization before being sent?

Again taking the example of the big organization “Infosys”. This company has a development center at Pune, India. Any mails coming from its Pune development center are sent to the Internet through their Bangalore facility.

small-PunITP-Details

As seen from the above header, there are many Received from headers, but last two of them are unreachable from the Internet, because they are internal to the organization. So we use the third last IP, which resolved to Bangalore India. That is incorrect. The mail is from Pune, but still we cannot use this method to find out the real location of the sender. But from the naming conventions like PUNITPMSG09.ad.infosys.com, we can assume that the IP is from Pune. Assumptions may be wrong, but fortunately in this case it was correct.

How GMail prevents geo-location?

To be clear, it does not exactly prevent geolocation on all emails. But I found that mails sent from one GMail to another GMail account does not have the Received From headers. This makes it really difficult to trace the sender. Only GMail authorities would be capable of doing so.

The image below shows how GMail blocks Received from headers:

GMail-To-GMail-Header

Note: Any example used in this article has scrambled data at many places. References to the organization “Infosys” are purely co-incidental.


< Part 1: Geo-locate Emails

< Part 2: Geo-locate IP