Hi all

[EDITED since I've got some more info from my sister]

My sister asked me to trace an email. She isn't sure the person (Jess) she's talking to is who he claims to be. She's afraid that Jess is an ex-partner of hers. She hopes that she could rule that out by knowing what country the mail was sent from. If Jess is who he claims to be, it should come from somewhere in the US; if he's not, it's probably from Belgium.

Path from the email: @hotmail (sister) --> @outlook (jess old) --> @gmail (jess new) --> @hotmail (sister)

My sis is really private about everything dating-related and I'm respecting this. I'm aware that this isn't the easiest or most reliable way to check if Jess is telling the truth, but it's what she asked for. She doesn't want Jess knowing that she doesn't trust it 100% either.

Thanks for the answers already supplied!!! I'll look into all of them, probably later today. Also decided to put the header online with redacted addresses and body.

Email Header

Just trying to help her out
Thank you
I love you guys :)

3 weeks ago*

Can't she just say, "Send me a picture of you: I want to see you" or something?

3 weeks ago

pic holding today's newspaper ;)

3 weeks ago

It's useless; how do you want to know then if it's really the person? They can send you any pics and you can't be sure if it's the person behind it or not. People can fake everything and most people have pics from other people as their profile pic, for example; that's why you're always warned if you want to chat with people on sites. No one can be 100% sure if it's true or just a faker.

Never believe it right away if someone sends you a pic; it can still be a different person in the end. ^^

Also, for example, I get spam mails many times, in bad English with pics, and I'm 100% sure that it's not them, that they just want to get information and much more. I just delete them. ;-)

3 weeks ago*

They meant a selfie of the person (Jess) holding today's newspaper.
I've also seen something similar but with random objects like "send me a selfie holding a fork and a banana". It's highly unlikely the person has received a request like this before, so the picture would be the proof that the photo is new and that the person sending the e-mail is indeed Jess.

3 weeks ago

Even that, everyone can fake: Photoshop, find the right pic on Google and all; that is still no proof. You all still need to learn much about it.

There is NEVER 100% proof. Like I said. Even if you request them holding today's newspaper. If people want, they can fake EVERYTHING.

Think about it, use all your brains please. Don't take this badly now, but it is so. ^^

3 weeks ago

Yes, of course... we - creatures that don't use our brains - can never notice the use of Photoshop and such. People change reality with those, right? It's sorcery, I tell ya!
Besides, it's very common for people to take selfies with the daily newspaper and upload them on public websites. I've just uploaded mine this very moment on 3 different websites so random people can use it as raw material for their photoshopping-selfie-proof.

Hopefully next time I'll "think about it" and "use all my brain" (sic).

3 weeks ago*

Well, there are people who are genuinely wizards with Photoshop, but they're rarely the ones going around pretending to be other people to scam girls. Unless they are, but yeah, probably they use their skills to make money in bigger ways lol

3 weeks ago

Exactly. On the same note, even the most stupid scammer knows it's better (as in higher chances of profit per work) to go by numbers rather than wasting their time working hard to have a slight chance at catching one sole individual in a particularized scam attempt. However, if one wants to wear a tinfoil hat, indeed anything can be faked - even voice, video, or, you know, it can always be a conspiracy and even the scammer can use a disguise and make-up to look like someone else, so "there is NEVER 100% PROOF"!!!!!1!!!! ~RUN TO THE HILLS!!!1!!!11!! 😱

3 weeks ago

Heh, for real. Especially now when 90% of most people's lives is available to the public.

Without knowing much about the situation, though, there could be a reason other than a monetary scam. People are weird.
I've had some personal experience with a stalker, and the lengths to which that person went were a bit of a shock at the time. That being said, yeah, photoshopping to a professional level? Nah. Takes actual skills.

3 weeks ago

If you are super paranoid, there's truepic.com; I think it's used by reddit IAmA mods to verify picture/video proofs.

3 weeks ago

Nice, not that I need it but always love finding/hearing about interesting sites like that one, thanks.

3 weeks ago

I'm sorry, my sister doesn't want him knowing that she doesn't trust it 100%. My initial post wasn't that clear. She has had photos sent to her. These pictures could just be any American, though.

3 weeks ago

Does she have no other way of contacting them to verify the new email address?

3 weeks ago

Translation did not work.
Do you need something like this?
Forget it if irrelevant.

Is it an email alias?
[gmail]
Add or remove an email alias - G Suite Admin Help
https://support.google.com/a/answer/33327?hl=en
[hotmail]
Add or remove an email alias in Outlook.com - Outlook
https://support.office.com/en-us/article/add-or-remove-an-email-alias-in-outlook-com-459b1989-356d-40fa-a689-8f285b13f1f2

Isn't this the case?

Also, in the case of simply using Gmail or smartphones such as Android, after composing the forwarded message and selecting send, it waits for a while until the sending queue is processed.
To send it quickly, you need to select the remaining tasks in the “Scheduled Folder” and select Send.

3 weeks ago

Deleted

This comment was deleted 3 weeks ago.

3 weeks ago

Take all this with a grain of salt, because it's quite easy to forge all the data inside an email to look as if it came from the official mail servers of the White House and passed by the Kremlin. Also, due to the nature of the data you have to examine, you can't rule out the possibility that even if things look weird, the email is 100% legit.

The first step is locating another email she knows comes from Jess, as recent as possible. If a long time has passed between the two, then this method would not work, and she should ask Jess directly for a proof of identity - something only the two of them know, a pic, whatever. Actually, if a lot of time has passed since the last contact from Jess, that's what she should do anyway, instead of trying to figure out if the email is legit.

Another method is answering the email but sending it back to the original outlook address and seeing if Jess receives it - if she does, 'oops, it was just an accident'. If she doesn't, insist that you sent something to the original address by mistake, and if Jess can't access it, the forward thingy was forged. I've suggested this method before at least once with good results, and it should work for you since Jess is claiming to still have access to the old email.

OK, you have a recent email you know is from Jess, and the new one. Open both emails and view their source code (original format). To do this, there are several methods - exporting to .eml and opening with a text editor like Notepad; in Thunderbird it's Ctrl+U - you must have a way to view the headers and such.

On the headers, look for something like this:
X-UI-Sender-Class: 214cdeff-fd2f-45c7-a636-f5d79ae31a79
Received: from [xxx.xx.25.162] ([xxx.xx.25.162]) by web-mail.xxxxx.com
(3c-app-xxxxxxxx-lxa02.server.lan [xxx.xx.45.3]) (via HTTP); Wed, 16 Oct 2019
14:45:22 +0200

There are several Received fields showing the path of the mail, but the one under X-UI-Sender-Class should be the last one, and the first in the path. Since these headers are often done in many ways, it is possible you don't have the X-UI-Sender-Class part - in this case look at the last Received field (from the non-forwarded part). It will show the IP that the mail server saw from the sender of the email (censored with xxxx). Note that it has some extra data like 'via HTTP'. It usually means it has been sent not from an email client but from a web client.

If the IP after Received is the same in both emails, you know they have been sent from the same computer, regardless of the method they used to send the email. If it's similar, then they have been sent from the same provider in the same area. As nowadays most user IPs are semi-static/semi-dynamic, it is still possible it's the same person but for some reason there was a new IP assigned. It is also possible Jess could have done it from another device (phone, public computer, whatever). As I said earlier, it is possible to forge all this stuff so there is never full certainty, as email was never designed for, and is pretty incapable of, any kind of authentication against this kind of forging.

You can take that IP and use any geolocation service to see if at least it comes from the area you expect, or if it comes from some shady place. You probably can expect Jess to be somewhere near, and not in Nigeria or Russia or Spain (all shady places!)

Bottom line is: if every piece of data in the email is consistent, you can't say the email is legit coming from Jess - if pieces of data in the email are inconsistent or wrong, it doesn't mean it couldn't come from Jess.

I hope that helps.
(Edited with some more caveats)

3 weeks ago*
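
An added example (mine, not the commenter's code) of the Received-chain comparison described above, using Python's standard email module on constructed sample headers; the hostnames and the RFC 5737 documentation addresses are assumptions, not values from the thread:

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address, ip_network

# Constructed sample messages using RFC 5737 documentation addresses; not the
# thread's real header. The bottom Received line is the hop nearest the sender.
KNOWN_GOOD = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx.example.org with ESMTPS; Tue, 15 Oct 2019 18:47:10 +0200
Received: from [203.0.113.25] ([203.0.113.25]) by web-mail.example.net
 (webapp01.server.lan [10.0.0.3]) (via HTTP); Tue, 15 Oct 2019 18:47:00 +0200
From: jess@example.net
To: sister@example.org
Subject: hi

body
"""
SUSPECT = KNOWN_GOOD.replace("203.0.113.25", "203.0.113.77")

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# A relay's internal address is not the sender's: ignore these ranges.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                    "192.168.0.0/16", "127.0.0.0/8")]

def received_hops(raw):
    """Received headers ordered oldest-first, so the sender's hop is index 0.
    Every MTA prepends its own line, so the last header in the file is first."""
    msg = message_from_string(raw, policy=default)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def first_hop(raw):
    """IP and transport hint of the hop closest to the sender, or None."""
    hops = received_hops(raw)
    if not hops:
        return None
    m = IP_RE.search(hops[0])
    return {"ip": m.group(1) if m else None,
            "via_http": "via HTTP" in hops[0]}   # webmail, not a mail client

def compare_first_hops(raw_a, raw_b, prefix=24):
    """'same' if both first-hop IPs match, 'nearby' if they share a /prefix
    (same provider and area), 'different' otherwise; None if either is
    missing or internal. Matching hops only show the same network, not
    the same person, and all of it can be forged by the sender."""
    a, b = first_hop(raw_a), first_hop(raw_b)
    if not (a and b and a["ip"] and b["ip"]):
        return None
    ip_a, ip_b = ip_address(a["ip"]), ip_address(b["ip"])
    if any(ip in net for ip in (ip_a, ip_b) for net in INTERNAL):
        return None
    if ip_a == ip_b:
        return "same"
    if ip_a in ip_network(f"{ip_b}/{prefix}", strict=False):
        return "nearby"
    return "different"
```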

I agree, but there are standards like DKIM and SPF that can help to detect email spoofing.

3 weeks ago

Thank you for going to such lengths. Adding you to give you a key.

3 weeks ago

You can view the message source, the headers will be something like:

Received: from foo.com ([111.111.111.111]) by bar.com ... for <xxx@baz.com>
Received: ....
DKIM-Signature: ...
Date: ...
From: ...
To: ...
Subject: ...

bla bla
3 weeks ago*

This.
Check "X-Envelope-From:". If the email was spoofed, it should show the real sender.

3 weeks ago

Since the email providers involved are Gmail and Hotmail/Outlook, they should provide DKIM/SPF/DMARC verification.

One should simply look for Authentication-Results header which would contain something like spf=pass, dkim=pass, and/or dmarc=pass if there was no spoofing.

The idea behind them is that a domain publishes entries in its DNS records that tell who is authorized to send emails on its behalf, as well as public keys which can be used to verify DKIM signatures included in received email headers (i.e. hashes of important fields like the FROM header, signed with the sending domain's private key).

3 weeks ago

Webcam chat.
Can't forge that quite so easily. ^^)

3 weeks ago

Is this person someone your sister actually knows in real life? If so, why not just call? It's harder to fake a voice you know.

3 weeks ago

I've got very little info to go on myself. She hasn't met Jess in real life; she got into contact with him through someone else. Jess seems to be suffering from anxiety/depression and claims to be in a hospital right now. I think that's the reason for not video calling.

3 weeks ago

Deleted

This comment was deleted 2 weeks ago.

3 weeks ago

Recording info through a link sounds like a good alternative. Can you disguise those links to look like something else? Time zone or IP would be enough. Honestly, all she needs to know is if Jess is in Belgium or in the US.

3 weeks ago

Deleted

This comment was deleted 2 weeks ago.

3 weeks ago

Don't take it wrong, but you can write anything here and it CAN be the truth but NEED NOT be.

Because you are an internet stranger to me, I can't prove whether your intention is really a good one or if you want to find someone who doesn't want to be found.
divorce, stalking... whatever.

Your sentences "...who he claims to be..." imply a male Jess and later "Jess send this mail from her old account to her new one and then forwarded it to my sister." a female one.
Such little things make me look and think twice.

3 weeks ago

Playing devil's advocate for the gender switching, I notice this occasionally for people who aren't native English speakers.

But yes, agree that anyone helping out here shouldn't implicitly trust any part of it.

(Also +1 to the DKIM / SPF header checking.)

3 weeks ago

My sister is bisexual. Jess = Jesster. Jess sounds female to me. That's why I made the her/he mistake.

I'm not asking for any delicate info. Just the country is enough. I get what you're saying though.

Thanks for your reply :)

3 weeks ago

Why wouldn't this person be able to take a video with their phone and email it? Send it by phone? Facetime? Skype? Facebook video chat? This entire thing seems an odd request since there are a variety of much simpler ways for this person to prove they're who they say they are.

3 weeks ago

Jess seems to be a person suffering from anxiety/depression and is currently in the hospital. She did receive pictures in the past, has a phone number and talked through chat messenger. She doesn't want Jess knowing she doesn't 100% trust it. I'm with you on this one; it's an odd request.

3 weeks ago*

I don't understand this. Is the person someone she only knows from the internet? If this is the case, there isn't really a way to verify that they are who they say they are.

But, if it's someone that she knows or even knew from the past in real life, it's simple, just email the person and give them the details for a brand new Skype account or something that you can easily throw away. I wouldn't give them her real account info in case they get extra ways to harass her. People can't fake a video call/voice call. Problem solved.

3 weeks ago

I'd forget technology and just have your sister ask "Jess" a personal detail. Better if it's something that never was discussed by email because if Jess's email has been hacked...

3 weeks ago

Or that's easily found on Facebook or any other social media, since those companies know much more about their users than those users' friends.

3 weeks ago

Heh sad but true. What a sad life we lead.

3 weeks ago

Why not just send an email to her "old" outlook account asking her to verify the new gmail address? What am I missing here.

3 weeks ago

I am guessing, if the person is a nice European kid, or a 55-year-old looking for pictures/money?

3 weeks ago

Yes, I'm aware that's the problem. My solution is fundamentally the same as ormax3's below. But I see that OP is now edited to clarify that his sister does not want Jess to know that she doesn't trust the new email, which makes that solution untenable, I guess.

3 weeks ago

I've looked at the headers posted; what can be said is this:

  • (JESSNEW@gmail.com) sent an email to (SISTER@hotmail.com)
  • in this email, (JESSNEW@gmail.com) quoted a previous email which was sent from (SISTER@hotmail.com) to (JESSOLD@outlook.com)

Note the emphasis on "quoted", anybody can pretend to quote anything.
Here's an example in top-posting style of a forged email I could send you pretending to be Jess:

Hey SISTER, it's me your old buddy JESS.
I'm writing you from my new email address!
I'm quoting a previous email you sent me so that you believe me :)

Sincerely,
JESS

> -------- Original Message --------
> From: Sister <SISTER@hotmail.com>
> Sent: Monday, October 17, 2017 10:10 AM
> To: Jess <JESSOLD@outlook.com>
> Subject: hello
>
> hello JESS, its SISTER
> bye
>

So we can't conclude based on the email alone that (JESSNEW) and (JESSOLD) are the same person. It may well be the same person, only they changed their primary email address or lost access to the old one, or it may be someone pretending to be the old Jess by creating a new email address with the same name but on a different provider (gmail vs outlook)!

What (SISTER) should do is email (JESSOLD) asking them to verify the new address of (JESSNEW), of course I'm assuming the old email address was not compromised to begin with...

3 weeks ago

I think this is the best option. If the old email address is compromised, well, it's basically impossible to verify, since that person would have access to all the exchanges between sister and oldjess.

3 weeks ago

Oh, I forgot to mention: even though all IP addresses mentioned in the headers are not useful (they belong to the mail servers of Google and Microsoft), there is one piece of info that can tell you something about the sender, namely the DATE header:

Date: Tue, 15 Oct 2019 18:47:00 +0200

It includes the timezone GMT+2 which coincides with Belgium.
And if we check the DKIM signature, we see that this header is included in the list of fields that has been signed, so we know it is true.

So mystery solved? :)

3 weeks ago
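
An added example (mine, not code from the thread) covering both the Authentication-Results check from the earlier DKIM/SPF/DMARC comment and the Date-timezone plus DKIM h= check from this one, run over a constructed sample header; mx.example.org, example.net and the signature values are placeholders:

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed sample, not the thread's real header: the receiving provider's
# Authentication-Results line plus a DKIM-Signature whose h= list covers Date.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=pass (sender IP is 198.51.100.7)
 smtp.mailfrom=example.net; dkim=pass header.d=example.net; dmarc=pass
 action=none header.from=example.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=sel1;
 h=from:to:subject:date:message-id; bh=ZmFrZQ==; b=ZmFrZXNpZw==
Date: Tue, 15 Oct 2019 18:47:00 +0200
From: jess@example.net
To: sister@example.org
Subject: hi

body
"""
MY_AUTHSERV = "mx.example.org"   # assumed id of the provider that delivered the mail

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def auth_results(raw, authserv=MY_AUTHSERV):
    """Map method -> verdict from the Authentication-Results header written by
    our own provider. Any other copy could have been injected upstream by the
    sender, so it is ignored rather than trusted."""
    msg = message_from_string(raw, policy=default)
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        if hdr.split(";", 1)[0].strip() != authserv:
            continue
        for method, verdict in RESULT_RE.findall(hdr):
            results.setdefault(method, verdict.lower())
    return results

def dkim_signed_headers(raw):
    """Header names listed in the DKIM-Signature h= tag, lower-cased."""
    msg = message_from_string(raw, policy=default)
    m = re.search(r"\bh=([^;]+)", msg.get("DKIM-Signature", ""))
    return {h.strip().lower() for h in m.group(1).split(":")} if m else set()

def date_utc_offset_hours(raw):
    """UTC offset of the Date header in hours, exactly as the sending client wrote it."""
    msg = message_from_string(raw, policy=default)
    if msg.get("Date") is None:
        return None
    return parsedate_to_datetime(str(msg["Date"])).utcoffset().total_seconds() / 3600

def assess(raw):
    """The three checks from the thread, combined into one verdict dict."""
    res, signed = auth_results(raw), dkim_signed_headers(raw)
    return {
        "all_pass": all(res.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        # Date is trustworthy only if it is covered by a signature that verified.
        "date_signed": "date" in signed and res.get("dkim") == "pass",
        "utc_offset_hours": date_utc_offset_hours(raw),
    }
```

A verified DKIM signature shows the Date header was not changed after the sender's provider signed it; it says nothing about whether the sending device's clock and time zone were set honestly.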

Thank you for taking the time and stating everything so clearly. Mystery solved, I'm adding you on steam to give you a POE key :)

3 weeks ago

Great work!

3 weeks ago

Closed 3 weeks ago by thehornyhippo.