Page 1 of 1

How does SG help Law Enforcement trace original email add

PostPosted: Sat Jan 23, 2016 5:23 pm
by wh
1. Will SG assist any law enforcement or lawyer or aggrieved recipient party when someone uses a SG disposable address to engage in cyber-bullying, etc?

2. Will SG release the original email address when requested?

3. If the disposable SG address is hosted by a non-SG domain, like for example, how can one trace the original email address of the sender of such emails?

4. Does SG collect the ip address of where the original email address is sending the email through its SG disposable email address?

Re: How does SG help Law Enforcement trace original email ad

PostPosted: Mon Jan 25, 2016 6:48 am
by Jim27106
I'm sure a moderator will give you an 'official' reply in a little bit. For now, I see this on Reddit:

caractacuspotts 2 points 4 years ago:
How often do you get law enforcement wanting information? Do you ever give it out, if you have anything? What kind of logs do you keep?

spamgourmet 3 points 4 years ago:
Maybe once or twice a year. It has mostly been the German police, but on one occasion it was US DHS and more recently the FBI. I verify the identity of the person requesting (if it's law enforcement), and then, provided the request is proper (perhaps including a subpoena or some equivalent) surgical and reasonable (and all verified requests have been), I pretty much roll over like a puppy dog. No one has ever asked me about more than one user, much less any significant portion of the database. In all cases but one, they merely requested the forwarding address. There's not much other information anyway. I don't provide any info to lawyers or other non-law enforcement folks. They can get a subpoena if they want, but no one ever has. Our mail server keeps mail server logs that we rotate using the default rotation (a week or so?) and we record the IP address of a user who signs up. Our code logs errors, but other than that no other logs. No one has ever asked for logs, come to think of it, not that they'd help much.

Re: How does SG help Law Enforcement trace original email ad

PostPosted: Mon Jan 25, 2016 7:03 am
by Jim27106
(Hopefully the official people can clarify or confirm what I write. If I am totally wrong hopefully they will delete this so I am not permanently embarassed.

You will want to read how little saves or you might think they don't cooperate. The service is
set up so even if hacked, cracked, or taken over, it won't do anyone much good.

And now to formulate what I think are answers:

1. If they are properly identified or have a subpoena then assistance will be given. However, it is still very easy to 'forge' email addresses and one would need to check the headers to verify has anything.

2. If the request is reasonable, proper, and official.

3. I believe is on the same server as and therefore one would assume so. However, the code to spamGourmet is open source, and if someone else is running a server I don't see what assistance could be given.

4. I would assume that is in log files, but they get rotated out.

Two notes:

A. It would much easier to just 'forge' email address than use sg email addresses. If the bully needs a reply she could just set up a silly yahoo account.

B. In my experience law enforcement has been less than helpful unless there is loss of a serious amount of cash. I've not been bullied, so I don't know what it would take for law enforcement to get involved. I do have 30 spam messages from LAW-EASY and think could sue them for $25,000 per message. If interested, hit me up.

Good luck and I hope it works out. I trust you have tried telling the bully to stop because if they don't you will contact an attorney.

Re: How does SG help Law Enforcement trace original email ad

PostPosted: Mon Jan 25, 2016 4:59 pm
by wh
You pique my interest now. I don't quite understand Note A: "It would much easier to just 'forge' email address than use sg email addresses. If the bully needs a reply she could just set up a silly yahoo account."

How and what is "forge email address" and why yahoo account? What is so special about yahoo account?

Re: How does SG help Law Enforcement trace original email ad

PostPosted: Tue Jan 26, 2016 6:39 am
by Jim27106
>> Forge email

Many email clients allow the user to put whatever they want in as the sending address. More advanced techniques involve scripting. You may have noticed that most spam comes from a fairly bogus address.

>> yahoo

There is nothing special about yahoo. They are just the first provider of email addresses that came to mind.

To stop a bully

PostPosted: Tue Jan 26, 2016 6:46 am
by Jim27106
I know this isn't PC, but ...

If you know who the bully is then I find the most successful strategy is to bully back. It is worth a try, but asking nicely doesn't usually work. For example, if they make fun of my hair, I make fun of their dress. Many bullies get the message when the shoe is on the other foot.

I dare say with young boys if it is physical it still works. Most bullies stop after they get one good punch. Pyscho babble alert ... bullies just want respect. If you respond to them on their level that gives them validation. At that point in time the relationship can often move to the next level. Hopefully the next level is friendship. If there isn't friendship there is usually a peace.

Re: How does SG help Law Enforcement trace original email ad

PostPosted: Tue Jan 26, 2016 9:33 pm
by wh
Email clients give off your IP address in the headers.
Gmail web-based is the only email provider that does not. Even Yahoo web-based reveals your IP.

I'm suggesting a hypothetical situation of cyber bullying. It is not true I'm a victim of it.

email headers have IP addresses

PostPosted: Thu Jan 28, 2016 10:18 pm
by Jim27106
I've looked at IP addresses in headers before but never done detailed research. Are we sure we want to give anyone the hint that gMail doesn't reveal your IP? They might already know - I am getting an increase amount of crap from gMail.

If I had lost serious money or suffered serious bodily harm I would be looking at everything. I'm not sure which ISP's fight requests for customer information and which ISP's roll over. Earthlink used to pledge cooperation, but then be a pain. I wonder if gMail keeps track of the connecting IP.

Note to moderators: I don't think the spammers read these boards much. If they do, then this message and the one above it should be deleted with a courtesy apology and explanation to the writers.

Re: How does SG help Law Enforcement trace original email ad

PostPosted: Sat Jan 30, 2016 4:52 am
by jamesd
One of the easiest things for a spammer to do is forge the from address in an email because the old standard protocols do nothing to verify it in any way. A gmail from address does not mean that the email started out by being sent through gmail. The headers provide the information that can help to prove it either way, via the chain of IP addresses of the servers involved, remembering also that headers are forged by spammers at times as well so once you reach the first untrusted address the rest is probably bogus or useless.

Consider this from the headers of a recent virus containing email:

From: "copier@ - copier@one of the spamgourmet domains"
<ok rest censored, ok was added to one of my disposables>

You can be pretty sure that the email was not sent from the spamgourmet address in the email. The spammer just used copier @ whatever domain they were sending to as their from address to try to get through spam traps and because the virus payload was a document claiming to be a scan.

The header which says where that one really came from was:

Received: from [] (
by with esmtp (Exim 4.80)
(envelope-from <>)
id 1aP7SC-0005lm-7b
for my SG address censored; Fri, 29 Jan 2016 11:43:05 +0000

So source was computer in India which connected to the SG mail server and pretended to be sending email from SG. From the IP lookup the dsl part probably means a DSL connection so it's probably part of a botnet or otherwise compromised group of consumers. Though a new spammer might be foolish enough to use their own IP what this one is might be the IP of someone who previously was infected by the virus the email contained.

This in the header is a clue that it's from a spammer using a consumer's IP, rather than a normal mail server:

X-Host-Lookup-Failed: Reverse DNS lookup has failed for (failed)

Nothing wrong with consumers running their own mail servers on their internet connections but the email may have trouble getting through sometimes. One thing I did before using SG was write a plugin to a Windows-based spam filtering proxy server that looked up the IP addresses in a header to see whether they were from ranges known to be end user IPs, then marked them as likely to be spam based on that origin. That was more than fifteen years ago.

This doesn't mean that emails claiming to be from gmail always didn't start at gmail, though. Virus payloads can harvest connection details and allow sending from a gmail account until gmail notices and bans the source.

No need to worry about the discussion telling spammers anything new.

So far as that particular virus email went, here's what would have happened to anyone who used it, according to a virus analysis tool: ... onmentId=1 . Not the exact one necessarily, I looked up based on the names of the computer programming contained in the attachment, a Word macro that would run as soon as the document opened, then create the underlying malicious payload. The reason I posted that was so that you can see that the apparent trail of connections made by the virus ended up in Russia so it may well have been a Russian criminal gang trying to steal account information. Or not, there are many ways to make money via viruses besides that one.