Privacy and identity theft via webmail

Already many years Identity theft considered as a crime in USA and EU countries. Of course, it’s not a act of stealing, which is prosecuted, identity can not be stolen, just copied. It’s the act of using this information for criminal purposes, like obtaining credit, writing cheques, paying with credit card via Internet, etc.

Free email services, also called webmail providers, provide opportunity for identity theft, which could be used by anybody in a couple of minutes. If I have an email, then somebody can just create and start sending email from my name. The protection level is almost zero.

Currently people don’t care much about this particular identity theft, because, again, it’s not the stealing, its using somebody’s identity which is important. If you can send emails from my name, you can’t earn much money. A con-artist, looking for a random victim in order to steal something using his identity doesn’t need an email address.

You can try to trash somebody’s reputation, sending insulting emails from (supposedly) their emails. Let’s look at this case closely. First of all, let’s consider we’re not talking about IT-engineers, who know how it works. If you’re a professional, you can protect your privacy or steal identities without being caught for a long time. But email is available to much wider audience. 95% of Internet population(and 9% of potential identity thieves) don know all the technical details. How does it usually happen?

Your ex-colleague or ex-friend has some strong negative feelings about you and want to do you some harm. So, he registered an email account with email address looking like your name and start sending porn to all your work contacts or friends. The email from this person must pass through a number of steps before reaching somebody.




A Person must use Computer to connect to and ISP and send email via one or more of Mail servers.

For example an identity thief is sitting at home and trying to use a bogus Gmail account to send emails

  • Person: identity thief
  • Computer: his home PC
  • ISP: his Internet Provider at home
  • Mail server: Google mail servers

Let’s try to track the email to you in reverse order:

Mail server

Normally all mailservers are identifying themselves  via headers in your email like this:


Received: from ( []) 
Received: by with SMTP id 27so770877wfd.15


It’s quite easy to identify the mail servers and track down all of them, from the first one to the last one. But, if a person used some webmail service, the last mail server will still be from  Google. And only Google knows the IP-address of the computer from the ISP.  


The next step will be to find which ISP and which IP-address your computer is using to connect to Internet. This is the most difficult step. Google will probably not tell us the IP-address of a person, who is sending emails via gmail. Google is not evil. But some others may well let us know. For example, this is the email headers, which were send via Yahoo account:

Here we have  a header X-Originating-IP with the IP-address of the person, who has sent us the email! This header is not mandatory and could be altered by a smart engineer. It’s not a proof, but it’s a lead.

If you don’t have this information in the email, you’re stuck. You can go to authorities, but, unless it’s about terrorism or child pornography, I doubt they’ll help you.


If we did find the IP-address of the computer, we can use WHOIS service trying to find out more about it. You can find that:

  • IP-address belongs to an organization or office
  • IP-address belongs to an Internet cafe
  • IP-address belongs to the pool of ADSL, cable or modem addresses from a provider

In all those situations you still have to find out the person


Even if we narrowed down our search to and Internet Cafe or an office, we still have to find out the actual person. There we may be lucky if the Internet Cafe has a surveillance cameras and is going to share the record. Or may be you find that only one person was at the office, when the email was send. But in most situations the possibilities are endless.


If you’re a victim of an identity theft via e-mail, it’s quite hard to find the thief  by yourself. Even if he made a lot of technical mistakes, there is information, which is only available to authorities. In this situation it’s better always report the incident to the police.  And let it known, of course. If the criminal is somebody you know, he’ll find out about the police and may be scared.

You can leave a response, or trackback from your own site.

Sorry, no posts matched your criteria.