Leo, if you were to log on to a Google GMail account from somewhere other
than your home computer (say work) and send an email from it… could it be
traced to the computer you sent it from, or is it all traced back to Google? I
have asked a few “experts”, one says yes… one says no, that Google uses
servers, and since it’s web-based, that you can’t trace it back to a specific
computer. What do you think??
Boy, do I get a lot of questions about tracing email.
In this case, I think that both could be right, and both could be wrong.
The issue boils down to: is the information kept? is it available? and what
can you tell from it if you’re able to get it?
When you send email using a “normal” email program, like Outlook, Outlook
Express, Thunderbird, Eudora and the like, mail is sent using SMTP, or Simple
Mail Transfer Protocol. That’s the same protocol that’s used from server to
server, as your mail makes its way from your machine, to your mail server, to
the recipient’s mail server, to the recipient’s machine.
Each step of that journey typically adds information to the mail header that
documents which server (by name and IP address) received the message, from whom
(again, by server name and IP address) and at what time.
So you can see that on the first leg of that journey, the internet IP
address and machine name of the machine running your email program is typically
one of the first things added to the information accompanying each message.
That’s usually your machine, and the IP address is either the address of that
machine directly connected to the internet, or the internet IP address of any
NAT router that you might be behind.
When you use a web-based mail program, such as GMail or MSN HotMail, you’re
not actually sending mail from your machine at all. You’re using your browser
to interact with a service that they provide on their servers. When you finally
press send, the mail originates on the service’s server, not your computer. If
you take a look at the email headers for a message sent from a service such as
GMail, you’ll see only GMail servers and the servers required to deliver the
message to its destination.
So, one would think that the information about what computer was used to
access the web service in the first place is nowhere to be found. And, in fact,
in my own test of GMail, that’s what I found … nothing. Nothing about the
computer or IP address that I had used to compose and send the mail.
There are two things you should be aware of.
I have seen HotMail add an “X-Originating-IP:” line to the headers of email.
The “originating IP” is exactly that – the internet IP address of the computer
used to compose the email. It’s not always there, and I don’t know what causes
it to be placed there if it is. But if you’re sending email from HotMail, you
should know that it might be added to your outgoing email. I’ve not seen that
from GMail, but it raises the second point…
Web servers log who’s accessed them and when, by IP address. Services such
as HotMail and GMail are really just web servers, so you know that they do log
access, for both reading and sending mail. How long do they keep their logs? No
idea. Can they correlate their access logs with emails being sent? I would
assume so. Do they make this information public? Not without a court order.
And therein lies the issue … you may not be able to trace where
the email was sent from with only the information in the mail – but law
enforcement, with the help of the email providers, may be able to.
If (and it’s a big if), they believe it’s worth their time to do
So the bottom line is simply this: if the information is not in the email
headers, and it doesn’t appear to be for GMail, you and I, as “mere mortals”
cannot trace where email came from. However, the service providers can. But
because of all the privacy issues involved, I would expect, and even hope, that
they would only do so in response to legal action of some sort.
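To see what the headers of a particular message do and do not reveal, you can list its "Received:" hops in travel order along with any "X-Originating-IP:" line. The script below is an added example, not part of the original article; the sample message, host names and addresses are constructed, and `trace` is a hypothetical helper name.

```python
import email
import ipaddress
import re

# Constructed sample (not a real capture); hosts and IPs are documentation values.
SAMPLE = (
    "Received: from smtp.isp.example (smtp.isp.example [198.51.100.10])\n"
    "\tby mx.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000\n"
    "Received: from desktop-pc ([203.0.113.45])\n"
    "\tby smtp.isp.example with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "X-Originating-IP: [203.0.113.45]\n"
    "From: sender@isp.example\n"
    "To: rcpt@recipient.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"(?:^|\s)by\s+(\S+)")
BRACKETED = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

def _ip(text):
    """Return the first bracketed, syntactically valid IP in text, else None."""
    for candidate in BRACKETED.findall(text or ""):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None

def trace(raw):
    """Return (hops in travel order, X-Originating-IP or None)."""
    msg = email.message_from_string(raw)
    hops = []
    # Each server prepends its own Received line, so reverse for travel order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        sender, by = FROM_RE.search(flat), BY_RE.search(flat)
        # Only look for the IP in the "from" clause, before " by ".
        from_clause = flat[:by.start()] if by else flat
        hops.append({
            "from": sender.group(1) if sender else None,
            "ip": _ip(from_clause) if sender else None,
            "by": by.group(1) if by else None,
        })
    return hops, _ip(msg.get("X-Originating-IP"))

if __name__ == "__main__":
    hops, origin = trace(SAMPLE)
    for n, hop in enumerate(hops, 1):
        print(n, hop["from"], hop["ip"], "->", hop["by"])
    print("X-Originating-IP:", origin)
```

A message composed in a web interface typically yields a first hop with no "from" address at all, which is the "nothing" described above. Received lines added before the first server you trust are only claims made by the sender's side.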