Suped

How can I find the source and purpose of emails originating from unrecognized IP addresses?

6Marketer opinions7Expert opinions6Technical articles4Resources

Summary

Identifying the source and purpose of emails originating from unrecognized IP addresses involves a multi-faceted approach. Core techniques revolve around email header analysis, using tools to parse 'Received:' fields to trace the email's path. Services like SenderScore and Senderbase aid in identifying associated domains. Reverse DNS lookups and IP ownership research (using command-line tools or Google) can further pinpoint the source. Analyzing DMARC reports helps identify IPs failing authentication, while internal investigations can reveal the use of Oracle's services. Checking blacklists provides insights into the IP's reputation. Identifying IP ranges assists in pinpointing the originating email marketing service. Email tracking reveals delivery, opens, and location data. Preventing spoofing is best achieved by setting up DKIM, SPF, and DMARC. Understanding email header structures and authentication protocols is crucial.

Key findings

  • Email Header Analysis: 'Received:' headers and header analyzer tools are critical for tracing the path and source of emails.
  • IP Reputation Services: SenderScore and Senderbase help identify domains associated with an IP address.
  • IP Ownership Lookup: Command-line tools and Google can reveal the owner of the IP address.
  • DMARC Reports: DMARC reports highlight IPs failing authentication checks, indicating potential issues.
  • Blacklist Checks: Checking blacklists helps determine if the IP is associated with spam or malicious activity.
  • Authentication Protocols: DKIM, SPF, and DMARC are crucial for preventing spoofing and verifying email sources.
  • Email Tracking: Email tracking provides valuable data on delivery, opens, and user location.

Key considerations

  • Technical Proficiency: Effective email header analysis requires technical expertise and familiarity with various tools.
  • rDNS Limitations: Reverse DNS records might not always be accurate or provide useful information.
  • Holistic Approach: Combining various methods—header analysis, IP lookups, and blacklist checks—offers the most comprehensive understanding.
  • Spoofing Prevention: Implementing and maintaining DKIM, SPF, and DMARC records is essential for preventing email spoofing.

What email marketers say
6Marketer opinions

Identifying the source and purpose of emails from unrecognized IP addresses involves analyzing email headers, checking the 'Return-Path', using IP lookup tools, and employing header analyzer tools. Implementing email authentication protocols like DKIM, SPF, and DMARC is crucial for preventing spoofing and tracing legitimate sources. Email tracking techniques can provide information about delivery, opens, and geographical locations.

Key opinions

  • Header Analysis: Email headers contain vital routing information; tools can decode them.
  • Return-Path Check: The 'Return-Path' header reveals the actual sender, bypassing spoofed 'From' addresses.
  • IP Lookup: IP lookup tools identify the origin of the sending server.
  • Header Analyzers: Specialized tools parse headers, simplifying the process of identifying source IPs.
  • Email Tracking: Email tracking provides information on opens, location, and client.

Key considerations

  • DKIM/SPF/DMARC: Implementing DKIM, SPF, and DMARC prevents spoofing and assists in tracing emails.
  • Email Spoofing: Always be wary of potential email spoofing.
  • Tool Usage: Familiarize yourself with email header analysis tools for effective investigation.
Marketer view

Email marketer from Stack Overflow explains that examining the full email header is crucial, looking for 'Received:' fields to trace the path and identify originating servers. They advise using online tools to parse and analyze these headers.

November 2022 - Stack Overflow
Marketer view

Email marketer from WhatIs.com shares the definition of Email Tracking. This is the technique of monitoring delivery of email messages in order to learn if a message was delivered, opened, and read; what email client was used; and, sometimes, from what geographical location.

April 2023 - WhatIs.com
Marketer view

Email marketer from EmailToolTester shares a list of email header analyzer tools. They advise copying the email header from the original email and then pasting it into the tool, that will then give you insights into its origin.

May 2024 - EmailToolTester
Marketer view

Email marketer from Reddit says the best way to prevent email spoofing is to make sure you have set up DKIM, SPF, and DMARC on your domain.

November 2024 - Reddit
Marketer view

Email marketer from Reddit shares that checking the 'Return-Path' header can often reveal the actual sender's email address, even if the 'From' address is spoofed. They also recommend using IP lookup tools to investigate the IP address in the 'Received:' headers.

June 2021 - Reddit
Marketer view

Email marketer from Mailjet Support explains that email headers contain routing information. They recommend using a header analyzer tool to decode the headers, making it easier to identify the sending server's IP address and other relevant data.

September 2021 - Mailjet

What the experts say
7Expert opinions

Identifying the source and purpose of emails from unrecognized IP addresses can be achieved through various methods. These include using SenderScore, Senderbase, and reverse DNS (rDNS) lookups via Google. Command-line tools and Google searches can help find the IP address owner. DMARC reports, internal inquiries, and tech team consultations regarding DKIM selectors and key requisition information are useful. Querying blacklists and analyzing IP address ranges to identify email marketing services can also provide insights. Keep in mind not all IPs have helpful rDNS records.

Key opinions

  • Sender Reputation Services: Tools like SenderScore and Senderbase provide domain listings associated with an IP.
  • rDNS Lookups: Reverse DNS lookups can reveal the hostname, providing clues about the IP's purpose (although not always reliable).
  • IP Ownership Research: Command-line tools and Google can identify the owner of the IP address.
  • DMARC Reporting: DMARC reports can reveal sending IPs failing authentication checks.
  • Internal Investigation: Inquiring internally and consulting tech teams about DKIM records can uncover the source.
  • Blacklist Checks: Checking if the IP is on any blacklists can indicate if it's associated with spam or malicious activity.
  • IP Range Analysis: Identifying the IP range and associated email marketing service can reveal its intended use.

Key considerations

  • rDNS Reliability: Reverse DNS records might not always be accurate or helpful.
  • Internal Resources: Investigating internally and consulting with the tech team may require significant effort.
  • Context is Key: Gathering information from multiple sources provides a more complete understanding.
Expert view

Expert from Spam Resource explains the method of querying various blacklists to see if an IP address is listed. If it is, the listing notes will usually provide some insight as to the reasons it was blacklisted.

August 2021 - Spam Resource
Expert view

Expert from Word to the Wise shares the method of using IP address ranges to attempt to identify an email marketing service and then use tools to query their use policy.

February 2024 - Word to the Wise
Expert view

Expert from Spam Resource explains that doing a reverse DNS lookup on the IP address can sometimes reveal the hostname associated with it, which can provide clues about the organization or purpose behind the IP. They caution that not all IPs have helpful rDNS records.

August 2021 - Spam Resource
Expert view

Expert from Email Geeks recommends checking DMARC reports for the IPs, asking internally who is using Oracle to send mail, and talking to tech teams for DKIM selectors and key requisition information.

June 2022 - Email Geeks
Expert view

Expert from Email Geeks explains how to find the owner of an IP address using command line tools or a Google search.

February 2025 - Email Geeks
Expert view

Expert from Email Geeks reports seeing random Oracle activity in the specified IP range in their traps but nothing specific from that exact IP address in the last 45 days.

July 2021 - Email Geeks
Expert view

Expert from Email Geeks shares multiple methods to find emails being sent from an IP address, including using SenderScore, Senderbase, and rDNS lookups via Google.

June 2023 - Email Geeks

What the documentation says
6Technical articles

Identifying the source and purpose of emails from unrecognized IP addresses relies heavily on email header analysis and understanding authentication protocols. Examining 'Received:' headers, as detailed by Google Workspace Admin Help and Microsoft Support, can trace the email's path and reveal potential spoofing. RFC Editor provides technical specifications for interpreting these headers. DKIM.org explains how to identify the signing domain using the 'd=' tag in the DKIM-Signature header. IETF outlines SPF's role in preventing sender address forgery. DMARC.org details how DMARC builds upon SPF and DKIM to enhance email channel protection through reporting and authentication analysis.

Key findings

  • Received: Headers: 'Received:' headers trace the email's path and identify potential spoofing or forwarding.
  • Header Structure (RFC): RFC specifications provide a framework for understanding and interpreting email headers.
  • DKIM Signing Domain: The 'd=' tag in the DKIM-Signature header reveals the signing domain.
  • SPF Prevents Forgery: SPF verifies that sending mail servers are authorized by the domain.
  • DMARC Enhances Protection: DMARC builds on SPF and DKIM, adding reporting and authentication analysis.

Key considerations

  • Technical Expertise: Effective header analysis requires technical knowledge and experience.
  • Comprehensive Approach: Combining header analysis with SPF, DKIM, and DMARC checks offers the best protection.
  • Organizational Insight: Understanding internal email flow, as highlighted by Microsoft Support, is critical.
Technical article

Documentation from DKIM.org details how to identify the signing domain. Checking for the d= tag within the DKIM-Signature header field will display the domain that signed the message.

November 2022 - DKIM.org
Technical article

Documentation from IETF details the purpose of SPF, which is to prevent sender address forgery. The goal of SPF is to enable recipient mail systems to verify that a message purporting to originate from a specific domain was authorized by the domain's administrative management.

May 2022 - IETF
Technical article

Documentation from Google Workspace Admin Help explains that IP addresses within the 'Received:' headers can be used to identify the source of an email. They provide guidelines on how to interpret these headers and identify potential spoofing or forwarding.

July 2024 - Google Workspace Admin Help
Technical article

Documentation from DMARC.org details the purpose of DMARC, which is to enable email senders and receivers to improve and monitor protection of the email channel. DMARC builds upon SPF and DKIM by adding a reporting function that allows senders and receivers to analyze DMARC results and improve authentication.

December 2023 - DMARC.org
Technical article

Documentation from RFC Editor details the structure of email headers, including 'Received:' fields. It provides the technical specification for how these headers should be formatted and interpreted, which aids in understanding email routing.

December 2022 - RFC Editor
Technical article

Documentation from Microsoft Support shares that examining the 'Received:' headers in an email can reveal the path the email took. They also provide information on using message trace logs to investigate email flow within an organization.

July 2024 - Microsoft Support

Related resources
4Resources

Firewall Showing constant SMTP traffic from unknown IP - Security ...
Firewall Showing constant SMTP traffic from unknown IP - Security ...

Hi All I have a cloud based mail filtering solution that my MX records point to. This processes mail and forwards it on to my firewall - Exchange servers. There are a bunch of IPs I have added to allow traffic from the cloud service to my firewall. I have noticed a public IP that is constantly (last few weeks at least) hitting my firewall with SMTP traffic. I dont recognise the IP and doesnt belong to the cloud filtering solution. What can I do to track down the source of this traffic? I guess...

Spiceworks Community
Multiple attempts from Unknown source locking accounts using ...
Multiple attempts from Unknown source locking accounts using ...

Hey Guys, I need some help on this one. I am currently dealing with account lock out issues. We have narrowed it down to someone (something) is trying to log into 14 accounts. The accounts span from disabled accounts, distribution groups, and active employee’s. The reason why I know it is coming from our exchange server is that there is no logs on the DC server about account lockouts or Audit Failures besides the Exchange server. If we stop the IIS service the accounts stop getting locked out....

Spiceworks Community
Can emails be traced? | Proton
Can emails be traced? | Proton

Email providers, ISPs, and law enforcers have ways to trace and track you through your emails. Here’s how to stay private online.

Proton
Syslog device source IP Address - Graylog Central (peer support ...
Syslog device source IP Address - Graylog Central (peer support ...

Hello, I have setup a Graylog instance (4.2.8) on an Azure Virtual Machine. It works fine, I used to run another instance locally for several months. The issue I have is that every device that send syslogs to Graylog has its gl2_remote_ip as the WAN IP address and not the LAN IP address. This is an issue since in some cases I have multiple devices behind the same router and I can’t differentiate them. My question is, is there another hidden field that would allow me to know the LAN IP addre...

Graylog Community

Related questions