What can be found out from gmail headers?
April 18, 2017 6:27 AM Subscribe
For reasons, I need to send anonymous emails from a throwaway account. Assuming I use incognito mode in Chrome when using Gmail, what can the recipient find out about me?
What information is there that can be traced to me or my IP address? Please note this is not for anything criminal, unethical, or dangerous. If it were traced to me it would be merely embarrassing, not anything life changing.
Some facts:
The recovery email I used when setting up the throwaway account is my main, personal account. I assume this is not visible to anyone.
If I try to do "forget password" for this account it shows the last two digits of my cell number. I'm not too worried about that.
I set up this account on my home computer.
Assume I used a strong password and this account will not be hacked.
My ISP uses dynamic IP addresses and I am on a home network (192.168.x.x).
Assume I don't screw up and use this gmail account to register for any other social media, or use it anywhere else on the web. The password will not be used anywhere else.
I will only ever use the web gmail client in incognito mode. (I realize this is not really what incognito mode is for and it probably offers little or no protection in this case)
Chances are, nobody will really care about this whole thing, though it's possible it could get some local press.
I will most likely only be replying to a few, select emails that are sent to this account.
Questions:
1) What can the average person find out? Let's say a newspaper reporter or curious individual wanted to track me down? How close could they get?
2) What if a bunch of nerds on Reddit put their little hacker brains together and tried to track me using only information in the gmail?
3) Is this the sort of thing where all you need is to know a guy who works at Google?
4) If it's possible to track someone from the gmail headers, what (easy) steps could I take to make it more difficult?
Again, this is not for a crime, an affair, or anything dangerous. If I was found out it would blow over in a week but I would just mostly feel dumb.
What information is there that can be traced to me or my IP address? Please note this is not for anything criminal, unethical, or dangerous. If it were traced to me it would be merely embarrassing, not anything life changing.
Some facts:
The recovery email I used when setting up the throwaway account is my main, personal account. I assume this is not visible to anyone.
If I try to do "forget password" for this account it shows the last two digits of my cell number. I'm not too worried about that.
I set up this account on my home computer.
Assume I used a strong password and this account will not be hacked.
My ISP uses dynamic IP addresses and I am on a home network (192.168.x.x).
Assume I don't screw up and use this gmail account to register for any other social media, or use it anywhere else on the web. The password will not be used anywhere else.
I will only ever use the web gmail client in incognito mode. (I realize this is not really what incognito mode is for and it probably offers little or no protection in this case)
Chances are, nobody will really care about this whole thing, though it's possible it could get some local press.
I will most likely only be replying to a few, select emails that are sent to this account.
Questions:
1) What can the average person find out? Let's say a newspaper reporter or curious individual wanted to track me down? How close could they get?
2) What if a bunch of nerds on Reddit put their little hacker brains together and tried to track me using only information in the gmail?
3) Is this the sort of thing where all you need is to know a guy who works at Google?
4) If it's possible to track someone from the gmail headers, what (easy) steps could I take to make it more difficult?
Again, this is not for a crime, an affair, or anything dangerous. If I was found out it would blow over in a week but I would just mostly feel dumb.
Turns out Gmail doesn't​ put your IP in emails you send through it (at least using the Android client), so you should be fairly safe assuming the people you don't want to associate the two accounts don't have subpoena power and aren't Google employees with access to Gmail records who want to lose their job. (And you follow the practices you say you plan to, otherwise)
I thought they did include your IP address in the headers as many webmail services do, but no.
posted by wierdo at 7:10 AM on April 18, 2017
I thought they did include your IP address in the headers as many webmail services do, but no.
posted by wierdo at 7:10 AM on April 18, 2017
You might want to send an email to yourself first (or to another throwaway account, if you want to be particularly paranoid). This will then show you the information that is being passed around.
posted by oclipa at 7:14 AM on April 18, 2017 [2 favorites]
posted by oclipa at 7:14 AM on April 18, 2017 [2 favorites]
I could be wrong, but I think Google will show part of the recovery email if you try to recover an email. Something like:
Enter your recovery email: [******mous@somedomain.com]
and they expect you to fill in the rest of the email and then they send the message.
Pretty sure I've seen this at some point, but maybe not recently. Same goes for recovery phone:
We'll send a recovery text to [555-***-**33]
and then you fill out the rest of the number and they send.
posted by backwards guitar at 7:36 AM on April 18, 2017 [3 favorites]
Enter your recovery email: [******mous@somedomain.com]
and they expect you to fill in the rest of the email and then they send the message.
Pretty sure I've seen this at some point, but maybe not recently. Same goes for recovery phone:
We'll send a recovery text to [555-***-**33]
and then you fill out the rest of the number and they send.
posted by backwards guitar at 7:36 AM on April 18, 2017 [3 favorites]
Sounds like you're pretty safe. It really depends on how paranoid you want to be.
If you want to be more paranoid you could: Buy a brand new cheap laptop. Setup a privacy minded linux live operating system on a flash drive. Setup a free account with one of private email providers like ProtonMail. Only use your paranoia-laptop at coffee shops, libraries, open wifi, etc. Do not access anything on this laptop besides your private email account. Don't check the news, don't check the weather, don't go to Ask MetaFIlter, etc.
I like the idea of having a second computer that you only do your private stuff, because it reduces the possibility that you make the mistake of forgetting which computer you're on.
posted by gregr at 7:41 AM on April 18, 2017 [1 favorite]
If you want to be more paranoid you could: Buy a brand new cheap laptop. Setup a privacy minded linux live operating system on a flash drive. Setup a free account with one of private email providers like ProtonMail. Only use your paranoia-laptop at coffee shops, libraries, open wifi, etc. Do not access anything on this laptop besides your private email account. Don't check the news, don't check the weather, don't go to Ask MetaFIlter, etc.
I like the idea of having a second computer that you only do your private stuff, because it reduces the possibility that you make the mistake of forgetting which computer you're on.
posted by gregr at 7:41 AM on April 18, 2017 [1 favorite]
I believe that as part of the recover password one can get gmail to prompt to send a recovery email. I think it shows something like
xy******@domain.tld
and asks you to fill in the email address for it to check, and if they match, then send a recovery message. Where xy are the first few letters of the address. Obviously if domain.tld is your personal domain that's an issue. If it's another gmail account, little is revealed (which is really fun when you have three accounts all begin with XY***@gmail.com . I seem to recall that actual length of the account isn't revealed.
Via the web client gmail does not reveal the public IP of the account used to send, so you don't need to worry about your ISP being discovered via gmail headers (again, google will have this IP preserved, but absent subpeonas this won't be revealed).
If one uses account X which is setup to be able to send emails as address Y, then gmail includes in the headers that account X was used. You do not describe this setup.
posted by nobeagle at 7:42 AM on April 18, 2017
xy******@domain.tld
and asks you to fill in the email address for it to check, and if they match, then send a recovery message. Where xy are the first few letters of the address. Obviously if domain.tld is your personal domain that's an issue. If it's another gmail account, little is revealed (which is really fun when you have three accounts all begin with XY***@gmail.com . I seem to recall that actual length of the account isn't revealed.
Via the web client gmail does not reveal the public IP of the account used to send, so you don't need to worry about your ISP being discovered via gmail headers (again, google will have this IP preserved, but absent subpeonas this won't be revealed).
If one uses account X which is setup to be able to send emails as address Y, then gmail includes in the headers that account X was used. You do not describe this setup.
posted by nobeagle at 7:42 AM on April 18, 2017
Note: never ever load images from your anonymous email. This is the trap that might expose an ip address for most users.
posted by advicepig at 7:45 AM on April 18, 2017 [6 favorites]
posted by advicepig at 7:45 AM on April 18, 2017 [6 favorites]
That really should be extended to never visit any URL sent in an email. A unique URL can expose your IP to anyone who can read the logs. It also reveals when you loaded the resource.
posted by Mitheral at 11:05 AM on April 18, 2017 [2 favorites]
posted by Mitheral at 11:05 AM on April 18, 2017 [2 favorites]
Gmail proxies images in emails so this won't expose your ip address : https://gmail.googleblog.com/2013/12/images-now-showing.html?m=1
posted by JonB at 11:31 AM on April 18, 2017 [3 favorites]
posted by JonB at 11:31 AM on April 18, 2017 [3 favorites]
« Older Does it sound like sibling rivalry? | Visiting the Louvre and looking for good reading... Newer »
This thread is closed to new comments.
posted by R a c h e l at 6:34 AM on April 18, 2017 [8 favorites]