Please help me trace a suspicious e-mail!

LazyLion

Somebody in our offices received this e-mail...

Code:
Delivered-To: d*******.s****@gmail.com
Received: by 10.152.18.75 with SMTP id u11csp36743lad;
        Wed, 29 Feb 2012 22:21:40 -0800 (PST)
Return-Path: <f*****.f****@gmail.com>
Received-SPF: pass (google.com: domain of f*****.f****@gmail.com designates 10.229.78.134 as permitted sender) client-ip=10.229.78.134;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of f*****.f****@gmail.com designates 10.229.78.134 as permitted sender) smtp.mail=f*****.f****@gmail.com; dkim=pass header.i=f*****.f****@gmail.com
Received: from mr.google.com ([10.229.78.134])
        by 10.229.78.134 with SMTP id l6mr638676qck.55.1330582899624 (num_hops = 1);
        Wed, 29 Feb 2012 22:21:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=sU1eUhvavTrNQjPsFit0zExQChksDgNmsSMnuRwAJT8=;
        b=MYvLZcClp+nqCmQjFG6BOrZLmz37nDud44yplUKYG5QEV+MJO3GseNujXWH45y5aiJ
         ITkxuL6rFn7gGK1sRo0gkd5g49jRDV+xVGauUYZF0LumAYxoD9l5GARFKwmiqzfA+QKf
         IthOGBPZO8SuQClM1Cm1c3P3wG0zVd67iVSPA=
MIME-Version: 1.0
Received: by 10.229.78.134 with SMTP id l6mr638676qck.55.1330582899620; Wed,
 29 Feb 2012 22:21:39 -0800 (PST)
Received: by 10.229.124.140 with HTTP; Wed, 29 Feb 2012 22:21:39 -0800 (PST)
Date: Thu, 1 Mar 2012 08:21:39 +0200
Message-ID: <CALPq_ML=aq0OZJLWtOQcYw4ER6mkLjMb+ihrTnE71Lg-Ee2xcA@mail.gmail.com>
Subject: Warning
From: F_____ F____ <f*****.f****@gmail.com>
To: D_______ S____ <d*******.s****@gmail.com>
Content-Type: multipart/alternative; boundary=00235447044c137cdb04ba287999

--00235447044c137cdb04ba287999
Content-Type: text/plain; charset=ISO-8859-1

Hi Buti,

Your days are numbered. Look out!

--00235447044c137cdb04ba287999
Content-Type: text/html; charset=ISO-8859-1

Hi Buti,<div><br></div><div>Your days are numbered. Look out!</div>

--00235447044c137cdb04ba287999--

So at first glance this looks like it was sent from one computer at our offices to another, because these are both e-mail addresses used by people at our company.
It looks like it came from the secretary's computer to the stock controller's computer.
But the secretary swears she did not send it (she brought the suspicious e-mail to me after the stock controller showed it to her).
So I looked at the secretary's gmail (she is not all that clued up about computers), and there is no record that she sent it, not in her sent items or in her trash (but I guess it could have been erased completely).

So in the headers, I noticed this IP address... 10.229.78.134
Our external IP is in the range 196.215.....
Our internal range is 10.0.....
So can anyone tell me where that IP range is located?
Thanks!
 
The 10.* addresses in the Received: headers are all internal to Google.

Received: by 10.229.124.140 with HTTP indicates that the message was sent via the Web interface.

Is that all of the headers? Mail that I receive from GMail users seem to include an X-Originating-IP: header which contains the address seen by Google.
 
All it takes to create an email message from anyone to anyone is a text editor, an open relay smtp server and a tiny bit of smtp protocol knowledge. All easily found.
 
Is that all of the headers? Mail that I receive from GMail users seem to include an X-Originating-IP: header which contains the address seen by Google.

Yes, that's all of the headers. But surely there should be somewhere in there that shows the originating IP address?
 
I've looked at the headers of a couple of messages I received from GMail and it looks like the 10.229.x.x space is used by Google internally within their server farms. The Received: by 10.229.124.140 with HTTP; Wed, 29 Feb 2012 22:21:39 -0800 (PST) header line is the origin header, which indicates it came in via their Web interface. Unfortunately it doesn't tell you where the web interface was used from. I don't see an X-Originating-IP header in the messages I have received.

Given the origin address, I'd regard it as unlikely that someone faked this message by telneting into their SMTP gateway as that would stick a header with the IP of the telneting machine into the mail.

The message was sent at 08h21:39 on the 1st of March. Maybe looking at browser caches or proxy logs, if you have them, might point out where the PC was. Also, ascertain what the secretary uses as a password, and get her to change it immediately if you think someone might have logged in with her account. Might she have stepped out of the office at that time and left her PC unlocked with Gmail logged in?
 
Yes, that's all of the headers. But surely there should be somewhere in there that shows the originating IP address?

Yes, the missing X-Originating-IP header :)

Can you send yourself an email via the web interface, and check/post the headers?
 
All it takes to create an email message from anyone to anyone is a text editor, an open relay smtp server and a tiny bit of smtp protocol knowledge. All easily found.

Not true - look at the DKIM/SPF part - if this is the mail which arrived like this at the stock controller's computer, then tampering can be excluded - the DKIM signature goes across "h=mime-version:date:message-id:subject:from:to:content-type;". The only way the recipient could have tampered with it is to open the mail file on the computer and then change the content. Google would have validated the DKIM signature as it goes across the network - hence the DKIM=pass.

In my mind, looking at the headers, the mail was sent and then possibly deleted from the sender from Google Apps/GMAIL.
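A small parser, added here and not posted by anyone in the thread, that applies the checks discussed above to the quoted headers: it walks the Received: chain in transit order, tags each hop address as private or public (the 10.x space noted above), picks out the "with HTTP" origin hop, and reads the spf/dkim verdicts plus the h= list that the DKIM signature covers. The sample header block is constructed from the headers quoted in the first post, with the same masking.

```python
import ipaddress
import re
# Constructed sample: the Received:, Authentication-Results: and DKIM headers quoted above.
RAW_HEADERS = """\
Received: by 10.152.18.75 with SMTP id u11csp36743lad;
        Wed, 29 Feb 2012 22:21:40 -0800 (PST)
Authentication-Results: mr.google.com; spf=pass (google.com: domain of f*****.f****@gmail.com designates 10.229.78.134 as permitted sender) smtp.mail=f*****.f****@gmail.com; dkim=pass header.i=f*****.f****@gmail.com
Received: from mr.google.com ([10.229.78.134]) by 10.229.78.134 with SMTP id l6mr638676qck.55.1330582899624 (num_hops = 1); Wed, 29 Feb 2012 22:21:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
        h=mime-version:date:message-id:subject:from:to:content-type;
Received: by 10.229.78.134 with SMTP id l6mr638676qck.55.1330582899620; Wed,
 29 Feb 2012 22:21:39 -0800 (PST)
Received: by 10.229.124.140 with HTTP; Wed, 29 Feb 2012 22:21:39 -0800 (PST)
"""

def parse_headers(raw):
    """Unfold continuation lines; return [name, value] pairs in file order."""
    fields = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and fields:   # folded continuation line
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip().lower(), value.strip()])
    return fields

def received_chain(fields):
    """Received: lines in transit order: each relay prepends, so reverse them."""
    return [v for n, v in fields if n == "received"][::-1]

def hop_addresses(hop):
    """IPv4 literals in one Received: line, each tagged private (RFC 1918) or not."""
    ips = re.findall(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", hop)
    return [(ip, ipaddress.ip_address(ip).is_private) for ip in ips]

def origin(fields):
    """Earliest hop; 'with HTTP' means Gmail's web interface, not an SMTP client."""
    first = received_chain(fields)[0]
    return {"hop": first, "webmail": "with HTTP" in first, "addresses": hop_addresses(first)}

def auth_results(fields):
    """spf=/dkim= verdicts recorded by the receiving server."""
    text = " ".join(v for n, v in fields if n == "authentication-results")
    return dict(re.findall(r"\b(spf|dkim)=(\w+)", text))

def dkim_signed_fields(fields):
    """Header names covered by the DKIM signature (its h= tag)."""
    sig = " ".join(v for n, v in fields if n == "dkim-signature")
    m = re.search(r"\bh=([^;]+)", sig)
    return m.group(1).split(":") if m else []
```

For the quoted message every hop address is private and the origin hop is the web interface, which is exactly why the headers stop short of a client address; a dkim=pass with From: in the h= list is what rules out the header block having been edited afterwards.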
 
Not true - look at the DKIM/SPF part - if this is the mail which arrived like this at the stock controller's computer, then tampering can be excluded - the DKIM signature goes across "h=mime-version:date:message-id:subject:from:to:content-type;". The only way the recipient could have tampered with it is to open the mail file on the computer and then change the content. Google would have validated the DKIM signature as it goes across the network - hence the DKIM=pass.

In my mind, looking at the headers, the mail was sent and then possibly deleted from the sender from Google Apps/GMAIL.

Agreed.
 
Yes, the missing X-Originating-IP header :)

Can you send yourself an email via the web interface, and check/post the headers?

OK, I just did a test using two other Gmail accounts... and same thing.
There is no line that starts with X-Originating.
 
OK, thanks guys... I think it is fair to say that somebody (or herself) must have sent it from her computer.
 
OK, I just did a test using two other Gmail accounts... and same thing.
There is no line that starts with X-Originating.

Yeah, my bad, sorry for sending you down the wrong road.

As per bruce_the_loon's suggestion, get the secretary to change her password ASAP, and get her to lock her machine when she steps away from it.
 
Since we answered your questions, what did Buti do?

Nothing, but we recently fired another staff member... and we suspect this is now her somehow telling him that he is next, or something like that.
I don't think she is threatening him; she is telling him that he is next in line to be fired.
 
Yeah, my bad, sorry for sending you down the wrong road.

As per bruce_the_loon's suggestion, get the secretary to change her password ASAP, and get her to lock her machine when she steps away from it.

Yes, we did that yesterday already, thanks!
 
Your secretary is threatening your stock controller?

Is she the boss's mistress or something? She's there to answer phones, not hire & fire!
 
Yes, that's all of the headers. But surely there should be somewhere in there that shows the originating IP address?

Not with Gmail. They protect Chinese pro-democracy people and stuff and are very particular about protecting their users.
 
Your secretary is threatening your stock controller?
Is she the boss's mistress or something? She's there to answer phones, not hire & fire!

No, it's either the lady who was fired... or the guys who were behind getting her fired (and are now gunning for the stock controller next).
I don't think it was the secretary, she's not that clued up about computers and she has no reason to threaten him. They are good friends.
 