Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Finding the location, identity, or affiliation of email senders

By shinyobject in Internet
Fri Sep 30, 2005 at 12:11:03 PM EST
Tags: Internet (all tags)
Internet

Thanks to wireless networks, internet cafes, and web mail, it is now common to send email from just about anywhere. So, where was that friend, coworker, or stalker when she sent that message last night, and what else can we learn about her? Using simple techniques and a few well known, but often-overlooked email headers and internet tools, it's often easy to find out.

Likewise, the email you send may also include your location and school or employer, even if sent from a personal account. Do you or should you care?


Why care?

In general, you probably don't or shouldn't care where people are when they send mail. But other times it might be nice to know. What if you received a message like this one:

From: Bill
Subject: I've taken the cash and left town

See you never! Ha ha!
Well, you'll probably never get one like that, but maybe there's one of these in your inbox:
From: Jeff
Subject: Still stuck in Chicago

These meetings are taking forever. I'll need to stay all week.
Obviously that one is from Chicago, right? But who is your "Secret Satan"?
From: Secret Satan
Subject: It is time

Guess who!
How about this next person, is she really an Apple insider?
From: Alice
Subject: Details on the new Wi-Fi iPod

Are you interested?
And is this next anonymous source real?
From: Informant
Subject: The new iPod causes hurricanes

Apple is staging a massive cover-up! Warn your readers!
Although most of us don't operate a hot rumor site, we may nevertheless like to know what is hiding in the email we send and receive, and whether it matters to us. These fake messages are a little contrived, but they help us to consider the situations in which a little information can reveal a lot about a sender, using one of a few simple techniques.

Okay, okay, I care. Where are these people?

First you need to find the full message headers. If you don't know how to do this, just search for "<mail client> message headers". (e.g. outlook message headers or yahoo message headers) The headers should look something like this:

Received: from 66.163.179.137 (HELO web35513.example.com) (66.163.179.137)
by mta160.example.com with SMTP; Sun, 25 Sep 2005 05:52:35 -0700
Received: (qmail 98625 invoked by uid 60001); 25 Sep 2005 12:52:34 -0000
Received: from [216.99.217.141] by web32706.example.com via HTTP; Sun, 25 Sep 2005 05:52:34 PDT
Message-ID: <2005091234232423@example.com>
Date: Sun, 25 Sep 2005 05:52:34 -0700 (PDT)
From: Bill <sender@example.com>
Subject: I've taken the cash and left town
To: Ted <you@example.com>
Now find the line furthest from the top that starts with "Received:", as shown in bold below.
Received: from 66.163.179.137 (HELO web35513.example.com) (66.163.179.137)
by mta160.example.com with SMTP; Sun, 25 Sep 2005 05:52:35 -0700
Received: (qmail 98625 invoked by uid 60001); 25 Sep 2005 12:52:34 -0000
Received: from [216.99.217.141] by web32706.example.com via HTTP; Sun, 25 Sep 2005 05:52:34 PDT
Message-ID: <2005091234232423@example.com>
Date: Sun, 25 Sep 2005 05:52:34 -0700 (PDT)
From: Bill <sender@example.com>
Subject: I've taken the cash and left town
To: Ted <you@example.com>
The "received" header usually has a "from" section and a "by" section:
Received: from [216.99.217.141] by web32706.example.com via HTTP; Sun, 25 Sep 2005 05:52:34 PDT
The "from" shows which machine is sending the message, and the "by" shows which machine is accepting it. In this case, the "from" machine most likely belongs to the sender, while the "by" machine belongs to their ISP. If you can't find a "from", then this technique won't work.

Next you need to find the IP address in the "from" part. This will be a series of four numbers separated by periods.
Received: from [216.99.217.141] by web32706.example.com via HTTP; Sun, 25 Sep 2005 05:52:34 PDT
Sometimes there might be other information on the "received" line, but the "from" IP address should still be easy to spot.
Received: from mobile (c-67-176-46-122.hsd1.co.comcast.net[67.176.46.122])
by comcast.net (sccrmhc12) with SMTP
id <2005023423523rfw34>; Wed, 21 Sep 2005 20:12:33 +0000
Email generated by viruses and spammers will typically include false headers and other misleading information. Dissecting those headers is much more complex and is covered in greater detail elsewhere. However, for most normal personal mail, the simple technique described above is sufficient to find the originating IP address. The following examples demonstrate several different ways in which this IP address can be used to surmise the sender's location, identity, or affiliation.

A reverse DNS lookup will find the host name associated with the IP address. This will typically reveal who the user's ISP or employer is. There are many websites that offer free reverse DNS lookup. Continuing with the example, we see that the IP address "216.99.217.141" has the host name "216-99-217-141.dsl.aracnet.com". This tells you that the sender has DSL internet access from aracnet.com.

But you really wanted to find the user's location, not whether they use DSL. Luckily for you, there are also websites that will try to determine the geographic location of an IP address. This site shows that "216.99.217.141" is located in Portland, Oregon. So thanks to Bill's IP address, we have a pretty good idea of where he went with the money. These tools are not perfect, so it is sometimes helpful to get a second opinion.

Of course Portland is a pretty big place. It would be nice to narrow things down a little further. This is not as easy, but sometimes it is possible. Perhaps you know some of Bill's friends in Portland. If you received email from them in the past, then you might have the IP addresses of their computers. Maybe you find this message that Steve sent last week:
Received: from [216.99.217.141] by web32706.example.com via HTTP; Wed, 28 Sep 2005 03:54:11 PDT
From: Steve <steve@example.com>
Subject: things
To: Ted <you@example.com>
It was sent from the same IP address (216.99.217.141) as Bill's message! Bill most likely used Steve's computer to send the message. Now you know where to look for Bill.

Most home computers have temporary IP addresses, but with "always on" internet access, such as DSL and cable, "temporary" IP addresses can last for weeks or months. This is why the message that Bill sent using Steve's computer is likely to include the same IP address as the message that Steve sent using his computer last week.

Even when you can't discover exactly which computer was used to send the message, just knowing the city or even country could be enlightening. Let's move on to the second example email and take a look at the appropriate "received" header.
Received: from [81.66.12.180] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Jeff <jeff@example.com>
Subject: Still stuck in Chicago

These meetings are taking forever. I'll need to stay all week.
A geographic lookup on "81.66.12.180" shows that this message was most likely sent from Paris, France! No wonder Jeff is going to stay all week.

Can IP location help unmask the Secret Satan?
Received: from [81.66.66.66] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Secret Satan <secret@example.com>
Subject: It is time

Guess who!
The "anonymous" Secret Satan is likely someone you know, so search the headers of your old mail for his IP address, "81.66.66.66". You may find a message like this:
Received: from [81.66.66.66] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:11:52 PDT
From: Chris <chris@example.com>
Subject: Let's meet at noon

See you then
As in the first example, this shows that Chris is sharing a computer or internet connection with Secret Satan. They aren't necessarily the same person, but it's a good lead, and Secret Satan is a lot less anonymous.

Sometimes you may be more interested in the information returned by the reverse DNS lookup. This could be the case with the third example message.
Received: from [17.255.100.112] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Alice <alice@example.com>
Subject: Details on the new Wi-Fi iPod

Are you interested?
Is Alice in a position to know anything about a new Apple product? A reverse DNS lookup on "17.255.100.112" returns "A17-255-100-112.apple.com". The message appears to have been sent from inside of Apple! This can happen even if Alice used a public webmail system and not Apple's email.

How about the other iPod email?
Received: from [207.46.125.17] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Informant <informant@example.com>
Subject: The new iPod causes hurricanes

Apple is staging a massive cover-up! Warn your readers!
A reverse DNS lookup on "207.46.125.17" returns "tide17.microsoft.com". I'm suspicious. But what if this "informant" was a little less obvious and instead sent the email using his home computer?
Received: from [24.16.89.112] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Informant <informant@example.com>
Subject: The new iPod causes hurricanes

Apple is staging a massive cover-up! Warn your readers!
A geographic lookup says that "24.16.89.112" is in Bellevue, Washington, just down the street from Microsoft, so I would still suspect a connection.

Does this technique always work?

No. Some email providers do not include the sender's IP address in the email headers. Even if they do, the sender may be accessing the internet though an anonymizer, such as Tor. It is also possible to confuse the process of finding the correct "received" header by including fake "received" headers. This tactic is very common among spammers, but very rare in normal email. Even when you do get the sender's IP address, the geographic lookup can sometimes return the wrong location.

It is also possible that you will bump into an internal host or IP address that is part of a private network. In these cases you will need to examine the "received" headers closer to the top of the message. However, you will generally only see this in corporate email, in which case the organizational affiliation is already obvious and the geographic location would correspond to the corporat email servers, not the user.

And Finally...

Does your email include this information? To find out, simply send an email to yourself, and then follow the above process to see if it includes your IP address and location. If your message does not appear to have any "received" headers, then you are looking at a local copy in your outbox. You need to check the message returned by your mail server; it may be necessary to "check mail" before this appears.

Please post whether your email includes your IP address, and if so, how accurate the location information is. Of course email has been like this forever, but originally the IP address belonged to some server at your school or workplace, and so it didn't reveal much that wasn't already obvious from your email address. Thanks to webmail and laptops, email can now travel with you, but it may reveal more than you realize.

I'm would like to hear what others think about this. How many of you knew that this information may be included in your email, and do you care? How many of you have used this trick to discover the location of a sender?

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Poll
Does your email include your location information
o No 7%
o Yes, and I don't care 76%
o Yes, but I wish that it didn't 15%
o Not anymore 0%

Votes: 13
Results | Other Polls

Related Links
o Yahoo
o outlook message headers
o yahoo message headers
o IP address
o greater detail elsewhere
o reverse DNS lookup
o host name
o free reverse DNS lookup
o This site
o second opinion
o Tor
o private network
o Also by shinyobject


Display: Sort:
Finding the location, identity, or affiliation of email senders | 87 comments (30 topical, 57 editorial, 0 hidden)
I did all this stuff years ago. (none / 0) (#6)
by mr strange on Thu Sep 29, 2005 at 04:02:26 AM EST

I used to have a bee in my bonnet about spammers. I'd track them back to their open mail-server and report the abuse to their service providers.

Eventually I learned from King Canute, and stopped wasting my time.

I like the IP address locator, although it's not very reliable. Apparently I'm in Brussels! The trouble with this sort of thing is that IP addresses might be given out by local organisations, but there's nothing to say where your machine should be.

omniEvents is a high availability messaging service for CORBA.

intrigued by your idea that fascism is feminine - livus

This is good. (none / 0) (#63)
by student on Fri Sep 30, 2005 at 07:05:15 PM EST

I work in a small college's computer services department.  We recently found out that a computer on our network was being used for spamming thanks to a complaint from outside.  We fixed it easily and educated the box's user (a student from Africa who had never used a computer before).  

Anyway, these reports are sometimes useful.


Simon's Rock College of Bard, a college for younger scholars.
[ Parent ]

EHLO - Show Me The Parameter (3.00 / 5) (#26)
by killmepleez on Thu Sep 29, 2005 at 11:34:07 AM EST

[oops, posted as editorial the first time]

I would bet most of the regular posters on K5 know how to intepret mail headers, although there are probably many in the legion of lurkers who do not. To beef up the article, consider also including some information on HELO/EHLO, which can give more specific information on the sending host/domain. It probably won't help against the jaded -1 dotcom-bust tech support monkeys here, but it goes right along with your topic.

In response to your last paragraph, here's one of my stories:
Any time one of the mass-mailing worms goes around, I use the headers to find out who has the infected machine so I can gently and helpfully rip them a new a-hole. In one particular incident, I was a member of a large [300+ members], non-technical social organization, and the leadership wasn't in the habit of bcc-ing when they needed to send general announcements. A few years back, everyone in the organization was being annoyed by a really active mail worm. The worm - I think it was a "soBig" variant - was one of those that searched the address book, previous messages, and the entire infected computer for any user@server.domain form and then sent multiple messages to everyone while randomly inserting those addresses in the "reply-to" field, which seems to be enough to confuse the average user into accusing all their friends/family of sending them infected mail. I started receiving 70-110 worm messages per day. I figured the infection would eventually die out, so I tweaked my filters and my sorting process and went on with my life.

A couple days later one of the board members asked me for advice; apparently people were now receiving hundreds of messages daily and he wanted to know if there was any technical solution to the problem. I went through my filtered trash and checked the headers on a few messages and quickly realized they were all coming from just one source. The IP told me the name of the company [a large marketing conglomerate]; I looked them up and found out they did indeed have a branch office in our city. Our organization's clerk went through the membership database and found one person who worked at the company in question. I then looked back at the EHLO parameter -- it just so happened that the company's internal naming convention quite helpfully included the city and user name [e.g. an employee named Juanita Ybarra using a Windows XP workstation in Tempe, Arizona, would have a hostname TEMJYBARRAXP], so I was able to confirm the source was indeed the member in question.

I contacted him and told him he should have his computer checked for viruses, and of course his response was "Huh? It can't be me because I'm receiving 600+ messages a day so it must be someone else!" I decided not to waste my time arguing and instead go straight to the source. I went back to WHOIS and found the technical contact information at the company headquarters, which was in NYC. I emailed that person a description of the problem and two full headers pointing out the origin, and suggested that a computer on their network sending out several hundred messages to several hundred people every day quickly adds up to a significant resource drain, and as both a member of the internet community and as a business it would be beneficial for his company to look into the matter. A day later, the messages stopped.

At the next social event, I asked the guy who had had the infected computer if he was still "receiving 600+ messages a day". He said, "Nope. In fact, funny you mention that, because the day after you emailed me about it they suddenly came by my cubicle and ran a whole bunch of stuff on my computer and I stopped getting all those other messages".

__
"I instantly realized that everything in my life that I thought was unfixable was totally fixable - except for having just jumped."
--from "J
EHLO Doesn't Tell You Anything. (none / 1) (#40)
by ewhac on Thu Sep 29, 2005 at 04:51:45 PM EST

consider also including some information on HELO/EHLO, which can give more specific information on the sending host/domain.

I have a little FreeBSD box at home, sitting at the end of my DSL line running NAT and minimal firewalling. It runs PostFix as the MTA, and I regularly get assholes trying to relay spam through it.

I get to see a complete log of the failed SMTP session, including the HELO/EHLO commands. In all cases, the argument supplied with HELO/EHLO is completely bogus. Sometimes it's a random string. Most times its my own IP number or domain name (yeah, that'll fool me).

So, no, I don't think having the HELO argument available will necessarily buy you anything.

Schwab
---
Editor, A1-AAA AmeriCaptions. Priest, Internet Oracle.
[ Parent ]

Anecdote (none / 0) (#41)
by killmepleez on Thu Sep 29, 2005 at 05:03:57 PM EST

You're right that the strings provided are completely voluntary [on the part of the originator] and thus not generally an absolute indicator -- there are about a bazillion smtp newsgroup/forum discussions brainstorming the various ins and outs of checking protocol/command arguments against each other as a method of spam reduction. Apropos of the article, however, I was sharing a specific incident when the information proved invaluable in confirming the source of the problem. And with a little more technical detail about the mail headers than "go look up the IP" the author would be more likely to have her article accepted by the Kommunity.

__
"I instantly realized that everything in my life that I thought was unfixable was totally fixable - except for having just jumped."
--from "J
[ Parent ]
well written and informative (3.00 / 4) (#30)
by circletimessquare on Thu Sep 29, 2005 at 12:30:35 PM EST

of course the next step is to contact their internet provider and socially engineer your way into getting them to reveal to you who was using that ip address from their pool at the time the email was sent... somehow

The tigers of wrath are wiser than the horses of instruction.

China, Korea... (none / 0) (#84)
by svampa on Thu Oct 06, 2005 at 06:21:11 PM EST

That's the problem of internet

Internet has no countries, but real world has. Bytes cross border lines, but police and laws don't.



[ Parent ]
Good info (none / 0) (#35)
by vqp on Thu Sep 29, 2005 at 02:39:56 PM EST

I use this other site , which seems to be more minimalist, my favourite option is the IP port tester, but when it comes to geographic location, only provides the country.

happiness = d(Reality - Expectations) / dt

yeah I use that (none / 0) (#69)
by livus on Sat Oct 01, 2005 at 09:53:04 PM EST

to find out who TF is google-stalking me. Seems to work.

---
HIREZ substitute.
be concrete asshole, or shut up. - CTS
I guess I skipped school or something to drink on the internet? - lonelyhobo
I'd like to hope that any impression you got about us from internet forums was incorrect. - debillitatus
I consider myself trolled more or less just by visiting the site. HollyHopDrive

[ Parent ]
Have you all gone retarded? (1.00 / 2) (#64)
by waxmop on Fri Sep 30, 2005 at 10:17:28 PM EST

A whole article about reverse DNS lookup? Christ, if this is educational, then wait until next week when I submit my article about the -l option for ls.
--
Saying Java is good because it works on all platforms is like saying anal sex is good because it works on all genders.
i wrote this with you in mind (none / 0) (#66)
by circletimessquare on Fri Sep 30, 2005 at 11:57:03 PM EST

http://www.kuro5hin.org/comments/2005/9/29/31457/0519/65#65

The tigers of wrath are wiser than the horses of instruction.

[ Parent ]
Congratulations. (none / 0) (#68)
by waxmop on Sat Oct 01, 2005 at 08:48:21 AM EST

After how many years on this site, you're finally stopping that annoying habit of copying and pasting the same rant into multiple comments.

Anyhow, I stand by my original critique. This article is insufficiently detailed.
--
Saying Java is good because it works on all platforms is like saying anal sex is good because it works on all genders. Parent ]

suck (1.33 / 3) (#72)
by circletimessquare on Sun Oct 02, 2005 at 11:05:50 AM EST

my

fucking

dick

you fucking fat autistic asocial asshole


The tigers of wrath are wiser than the horses of instruction.

[ Parent ]

Now say something else. (none / 0) (#75)
by waxmop on Sun Oct 02, 2005 at 04:34:54 PM EST


--
Saying Java is good because it works on all platforms is like saying anal sex is good because it works on all genders. Parent ]
open letter to all the fucking dweebs out there (1.78 / 14) (#65)
by circletimessquare on Fri Sep 30, 2005 at 11:56:23 PM EST

who are replying to this story about it being too simple and basic

yes, asshole, it is, for you

imagine this: some people don't live in the same world you do

they aren't as technologically astute

the thing is, you should tolerate that

learn what that magic word means, tolerance, and shut the fuck up next time

because this article is well written, and informative, for the non-dweebs out there

and believe it or not, some of those non-dweebs matter, they might *gasp*, know about shit you don't, and write an article about it

we don't want you unwashed stinking dweebs chasing them away, understand you fuck?

if you're lucky, they may even write an article that you might find interesting from their experience that you don't know about

like how to open a bra strap

something tells me that such an article will not attract the same linux dweeb snobbish assholes commenting underneath it like we find here

so shut the fuck up and deal with the horrible, horrible simplicity of this article next time

understand you fucking aspergers autistic assholes?

next time

just SHUT THE FUCK UP

we don't fucking care that you know this shit already

WE'RE NOT IMPRESSED YOU KNOW ABOUT THIS ALREADY

WHO FUCKING CARES

ATTACH YOUR FUCKING EGO TO SOMETHING ELSE BESIDES YOUR TECHNICAL KNOWLEDGE AND NEXT TIME JUST

SHUT

THE

FUCK

UP


The tigers of wrath are wiser than the horses of instruction.

That's what I was about to say (none / 1) (#70)
by nostalgiphile on Sat Oct 01, 2005 at 10:37:37 PM EST

But I couldn't figure out how to use all the expletives that rushed into my mind when thinking of the "yeah, everybody knows this already" geeks. All hail circletimes2

"Depending on your perspective you are an optimist or a pessimist[,] and a hopeless one too." --trhurler
[ Parent ]
Huh? (none / 1) (#74)
by Lisa Dawn on Sun Oct 02, 2005 at 01:43:54 PM EST

The article is decent as it is. It is painfully naive to someone who has the task of maintaining mail servers and hunting spammers, but that doesn't subtract for its merit to the casual user, which is the case you apper to be defending.

What I don't understand, though, is all the rage. Couldn't you maybe just ignore these people you're complaining about? You're suggesting that they ignore the stories they'd complain about.

Most of the comments on this story that seem to indicate a lcak actually provide more information rather than complain about the absence of it. Do you have a problem with that? Would you yell at me if I pointed out that there are better ways to get this done... some of which are actually simpler?

[ Parent ]

let me get this straight (none / 1) (#76)
by circletimessquare on Sun Oct 02, 2005 at 08:36:26 PM EST

you're complaining about me...

complaining about someone

okaaaay


The tigers of wrath are wiser than the horses of instruction.

[ Parent ]

To be fair, (none / 1) (#78)
by Lisa Dawn on Mon Oct 03, 2005 at 03:37:07 PM EST

You were complainging about someone complaining about something.

I know I'm still one more point guilty than you are, but I did find your complaint the more annoying.

[ Parent ]

you found me more annoying? (none / 0) (#81)
by circletimessquare on Tue Oct 04, 2005 at 05:19:40 AM EST

fine, no problem

now please explain to me why i should care

using a line of logic that doesn't nullify your entire rationale for complaining about me

or: suck my dick, and shut the fuck up


The tigers of wrath are wiser than the horses of instruction.

[ Parent ]

Hahaha (none / 0) (#83)
by Lisa Dawn on Wed Oct 05, 2005 at 08:57:03 AM EST

Lighten up. If I didn't know better, I'd think I was trolling.

[ Parent ]
A couple of years ago (none / 1) (#67)
by livus on Sat Oct 01, 2005 at 02:24:48 AM EST

a friend of mine started getting really abusive hate mail... and it turned out to be from one of their best friends.

---
HIREZ substitute.
be concrete asshole, or shut up. - CTS
I guess I skipped school or something to drink on the internet? - lonelyhobo
I'd like to hope that any impression you got about us from internet forums was incorrect. - debillitatus
I consider myself trolled more or less just by visiting the site. HollyHopDrive

Or (none / 0) (#71)
by trhurler on Sat Oct 01, 2005 at 11:44:09 PM EST

You could just admit that if you need an article like this, you're too dumb to interpret the results properly anyway and give up all hope.

--
'God dammit, your posts make me hard.' --LilDebbie

Yeah! (none / 0) (#77)
by tetsuwan on Mon Oct 03, 2005 at 07:02:19 AM EST

Either you know how emails are distributed and which protocols the servers use from birth, or you'll never know.

Or else you might consider the fact that I know a lot more about physics than you is because I've studied it a lot more than you.

Njal's Saga: Just like Romeo & Juliet without the romance
[ Parent ]

Anonymous remailers (none / 1) (#73)
by betasam on Sun Oct 02, 2005 at 01:31:47 PM EST

Tracing the location of an email sender purely with DNS lookups may seem possible and dependable so long as the sender had no malicious intent. The same task is infinitely difficult when one uses the tailored tools for identity concealing. The net is rife with anonymous remailers. Check mixmaster@sourceforge for one. There are several sites which provide these services claiming to "allow people to voice their opinion in hostile environments". These services however have been abused severely by cyber-stalkers, criminals involved in email-fraud or fake-mails. This paper on anonymous remailers has a lot of useful information on them. I have tried to help people who have received email threats or fake mails from such services, and in those instancesm DNS reverse lookups or geographical IP tracing were of absolutely no use. In comparison, anonymous internet access from WiFi hotspots is lesser of a threat.
--
-- "No Greater Friend, No Greater Enemy" - Lucius Cornelius Sulla
You can see this concept mapped in semi-realtime (none / 0) (#79)
by filenabber on Mon Oct 03, 2005 at 05:48:01 PM EST

at Mailinator's Spam Map.

Brian
http://myvogonpoetry.com
http://candyaddict.com.

yahoo & hotmail send browser IP, gmail doesn't (none / 0) (#82)
by remainingeye on Tue Oct 04, 2005 at 10:59:32 PM EST

It looks like both Hotmail and Yahoo include your browser IP in outgoing mail, but gmail seems to omit it. If you don't want people following you around, I guess you can just use gmail. If you're serious, you should use an anonymizer, though that can be a pain if you're at a friend's house or something.

I haven't checked the others.

shiny object??? (none / 0) (#85)
by wampswillion on Mon Oct 10, 2005 at 11:46:13 PM EST

as in shiny penny????? oh for pete's sake.

Nice guide (none / 0) (#86)
by bsoft on Sun Nov 06, 2005 at 12:05:51 AM EST

This is a nice quick HOWTO of how to do reverse-DNS lookups. Personally, I've used a tool called VisualRoute with some success - it acutually plots the routing on a map. Unfortunately, it's not free.

Interestingly, some ISPs (particularly universities) have public websites where you can look up an IP down to the port level. Quite useful if some university student is abusing your system.

Remember, though, that most spam nowadays is sent from spam zombies - people don't know that they are spamming.

I have a stalker (none / 0) (#87)
by NeedHelp on Fri Aug 11, 2006 at 12:39:12 AM EST

I have a stalker that is causing major havoc in our lives. This person is sending email to my wife and even though we're pretty sure who it is, I need to be 100% before going to the authorities. I've tried figuring out the IP thing but honestly its all Chinese to me. Is there someone out there that can please help us figure this out? At this point I'll even pay u for the info. Anything at this point is better than nothing. The persons who suspect is sending the emails I have a few of her IP which is 68.215.23.66  and  65.10.249.153  and  65.10.243.89 if that's any help.
My email address is  BryanMendes@aol.com
Below is the header to one of the emails. Thank you!!!

Return-Path: <bgsscm@yahoo.com>
Received: from  rly-xa05.mx.aol.com (rly-xa05.mail.aol.com [172.20.64.41]) by air-xa01.mail.aol.com (v111.7) with ESMTP id MAILINXA12-7544db533c5b; Thu, 10 Aug 2006 11:40:22 -0400
Received: from  mr129.mail.sc5.yahoo.com (mr129.mail.sc5.yahoo.com [216.136.130.105]) by rly-xa05.mx.aol.com (v111.7) with ESMTP id MAILRELAYINXA57-7544db533c5b; Thu, 10 Aug 2006 11:39:40 -0400
Received: (qmail 76310 invoked from network); 10 Aug 2006 15:39:40 -0000
Received: from web39810.mail.mud.yahoo.com (209.191.106.71)
  by mr1.mail.vip.sc5.yahoo.com with SMTP; 10 Aug 2006 15:39:39 -0000
Received: (qmail 64470 invoked by uid 60001); 10 Aug 2006 15:39:39 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type :Content-Transfer-Encoding;
  b=BxwtJLBIQbHcAx9SeqXHRow3viYxfDCVShFVrug5fENHseXOUog9dEmshtgMSpd4vOR/JpmfnNt6Om P0qW/0f3dv4wcNwnaCsSybynHfqxYMqIG4PrONxGJ+c8uwKJSHy0eIF5/8fbacOCG+Rn/jGipfkAbZ9M hn5G4e0wvtI+M=  ;
Message-ID: <20060810153939.64468.qmail@web39810.mail.mud.yahoo.com>
Received: from [69.165.166.11] by web39810.mail.mud.yahoo.com via HTTP; Thu, 10 Aug 2006 08:39:39 PDT
Date: Thu, 10 Aug 2006 08:39:39 -0700 (PDT)
From: scum bags <bgsscm@yahoo.com>
Subject: Re: (no subject)
To: CynthiaBruck@aol.com
In-Reply-To: <502.4ba3b12.320a3028@aol.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-167359433-1155224379=:64015"
Content-Transfer-Encoding: 8bit
X-AOL-IP: 216.136.130.105
X-AOL-SCOLL-SCORE: 1:2:444137683:11005853
X-AOL-SCOLL-URL_COUNT: 2


Finding the location, identity, or affiliation of email senders | 87 comments (30 topical, 57 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!