Many know that documents contain metadata that can be useful in legal and forensic contexts. But emails also contain metadata. Let's have a quick look at one of the most useful pieces of information we can extract from email metadata – the sender's location.
When an email travels from the sender to the receiver, it gets transferred and redirected from one email server to another, eventually converging on the address of the receiver. It's a little like sending a letter. My local letterbox collection has no idea of the location of 32 Hickory Ave, Maryland 20912, USA, but it does know that as a first step it can forward the letter to the major distribution centre in the US. That hub doesn't know the location of 32 Hickory Ave, but it does know to forward the letter to the Maryland distribution centre. And so it goes until the postie who gets the letter actually does know the physical location of 32 Hickory Ave.
Emails are much the same, except that the location in physical space is replaced by a location in internet space. These locations are given as a series of 4 groups of up to 3 digits separated by periods. Here is an example: “110.59.398.3”. Although the internet works in “internet space”, each start and end URL is associated with a physical address; otherwise how would your internet service provider know where to send its bill every month!
It's not unusual for the email to have the sender's URL embedded in the metadata, and from this it is a simple matter to get the approximate location of the sender. Here is an extract from the header of an email I received from a friend –
"Received: from mailout10.t-online.de (mailout10.t-online.de [184.108.40.206]) by mail109.syd.optusnet.com.au (Postfix) with ESMTPS id E87BED67717 for <email@example.com>; Wed, 18 May 2016 01:37:57 +1000 (AEST)
Received: from fwd24.aul.t-online.de (fwd24.aul.t-online.de [172.20.26.129]) by mailout10.t-online.de (Postfix) with SMTP id ADA3841E616B for <firstname.lastname@example.org>; Tue, 17 May 2016 17:37:51 +0200 (CEST)
Received: from Praxis1 (SsakcvZd8h4XQuD1q8UKmzObttni6DP89Skd4yvllKDDFAdRLyhaySy8CsZLy5CwX1@[79.209.222.xx]) by fwd24.t-online.de with (TLSv1:DES-CBC3-SHA encrypted) esmtp id 1b2h49-0Y1wGW0; Tue, 17 May 2016 17:37:49 +0200"
Embedded in this are a number of URLs, one of which shows the location of the sender. It's an easy matter to copy this URL into an email tracing service and within 10 seconds know the approximate location of the sender. In this case the location is near Stuttgart in Germany. This method usually gets you to within 10km of the actual location of the PC from which the email was sent. If you needed the street address (and the situation was serious, e.g. an offence had been committed), then you would subpoena the information from the service provider.
So, if you weren’t sure that your partner really was in Darwin for that work conference, just contrive to have them send you an email.
At least it used to be that simple. I recently had a question from a lawyer about tracing the location of an email, and I outlined what I've written above. But the information contained in the email metadata depends on the email provider and need not include the originating URL. So I decided to test a number of popular webmail services to see which still retained this useful piece of metadata. The results were somewhat surprising.
I set up email accounts with the following 9 webmail providers –
and sent test emails to my personal email address.
Of the 10 emails, 6 retained the originating URL – optusnet.com.au; mail.com; tpg.com.au; me.com; netspace.net.au and gmx.com. The other 4 providers – hotmail.com; yandex.com; gmail.com; and outlook.com – removed that information. These details may still exist with the email providers but would be troublesome, if not impossible, to obtain under normal circumstances.
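The header walk described earlier (read the "Received:" lines from the bottom up, skip the provider's internal relays, take the first public address) and the stripped-header result just reported, as an added Python example. This is not the author's tool; the message text, hostnames and addresses are constructed for illustration and the function name originating_hop is my own.

```python
import ipaddress
import re
from email import message_from_string
from typing import Optional, Tuple

# Constructed sample modelled on the extract above (documentation-range addresses,
# not real hosts). Each relay prepends its own Received line, so the LAST one is
# closest to the sender and the FIRST was written by the recipient's own server,
# which is the only hop that can be trusted; everything below it is hearsay.
SAMPLE_MESSAGE = """\
Received: from mailout10.example.de (mailout10.example.de [198.51.100.7])
\tby mail109.example.net (Postfix) with ESMTPS id E87BED67717;
\tWed, 18 May 2016 01:37:57 +1000 (AEST)
Received: from fwd24.example.de (fwd24.example.de [172.20.26.129])
\tby mailout10.example.de (Postfix) with SMTP id ADA3841E616B;
\tTue, 17 May 2016 17:37:51 +0200 (CEST)
Received: from Praxis1 (SESSIONTOKEN@[203.0.113.45])
\tby fwd24.example.de with (TLSv1:DES-CBC3-SHA encrypted) esmtp id 1b2h49;
\tTue, 17 May 2016 17:37:49 +0200
Subject: test

body
"""
# The same message as a provider that strips the originating hop would deliver it.
STRIPPED_MESSAGE = SAMPLE_MESSAGE.split("Received: from Praxis1")[0] + "Subject: test\n\nbody\n"

# Ranges a provider uses inside its own network; such hops say nothing about the sender.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 literal in [...]
_FROM_HOST = re.compile(r"^\s*from\s+(\S+)")

def originating_hop(raw_message: str) -> Optional[Tuple[str, str]]:
    """Return (public IPv4, 'from' host name) of the earliest usable hop, or None.
    Walks Received headers from the earliest hop upwards, skipping internal addresses
    and anything that is not a valid IPv4 literal (a masked octet such as 'xx', or
    an out-of-range octet such as 398, is rejected by the regex or by ipaddress)."""
    msg = message_from_string(raw_message)
    for hop in reversed(msg.get_all("Received", [])):
        host_match = _FROM_HOST.match(hop)
        host = host_match.group(1) if host_match else "?"
        for literal in _BRACKETED_IP.findall(hop):
            try:
                addr = ipaddress.IPv4Address(literal)
            except ipaddress.AddressValueError:
                continue
            if not any(addr in net for net in _INTERNAL):
                return str(addr), host
    return None
```

On the stripped message the first public address found belongs to the provider's outbound relay, so a geolocation lookup would place the "sender" at the provider's data centre rather than at their PC.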
This is certainly an unwelcome result. That the three major USA-based webmail providers, gmail, outlook and hotmail, appear to strip out the originating URL is a disappointment. But that local ISPs such as tpg and netspace still seem to include it in their webmail is at least some compensation.