Recently a friends website was hacked and my friend reckons the guy who did it was the same guy who sent him a couple of insulting e-mails a few days previously. Is it possible to (a) find out someone’s IP address and (b) find someone’s real life location from an e-mail they sent you?
I think the best that you can do is come up with the IP Address of the Mail Server that the person used to send the email. So unless this person was dumb enough to use their own mail server as the point of origin for their hacking attempts, there’s not a whole lot you can do with the IP Address.
The mail exchanger is using an alias that has been set-up in the DNS record. So take the part that comes after the @ (ex. “hotmail.com”).
From there you’ll need to use nslookup.
If you don’t already have it, download it here --> http://www.trumphurst.com/dnsocx/nslookup.phtml.
Run ‘NSLOOKUP’, enter ‘set q=mx’ to check for Mail eXchangers, enter your domain, then ‘exit’.
Or you can do it through this website – just change the Query box to “mx”.
You’ll then see the IP Address for the mail server.
For a brief explanation of how to use ASP code to find out a Server’s geographic location with the IP Address -> http://www.armbrustconsulting.com/forums/viewtopic.php?t=72
(a) You can find an IP address of the sending party in the email headers, however there is no guarantee that this IP address will always be theirs, especially for dialup users. Also there are several ways to mask one’s true IP address from the internet, including NAT which is built in to most router hardware.
(b) No. Unless you are a law-enforcement agency who can get that information from the sender’s ISP. Sometimes you can narrow down their physical location by doing a whois lookup of the IP address, but you’ll seldom get a very precise location. Usually the location you get this way will be the state, province or general region where the ISP gateway server the user is/was connected through is located, and occasionally the city (which may or may not be the city from which the user is connected). The only time a whois lookup will nail the exact location is if the party happens to be their own ISP, or is accessing the internet from an ISP location.
You can get the region with a lot of IP finders. Maybe that will help. There are IP finders out there where you put in the domain name and it will convert it to an IP addy. I’ve even seen them show on a map what region the email originated.
You might want to check out eMailTrackerPro 3.0a. It is free to try, $30 to buy. I haven’t used it but it claims to track an email to the actual IP of the machine.
Many ISPs, as well as web-based email services (which a lot of jerks who want to hide themselves use), tack on the IP address of the sender as part of the header. It’s not required but it helps the ISPs track down spammers and such.
The bad news is that email headers are trivial to forge. The real information is in there somewhere, but it takes considerable expertise to distinguish the fake info from the real info. If they have found an “open relay”, it’s a mess to find the real ISP, let alone the real sender.
Set your email viewer to display all headers and start looking around.
As to the question of “physical location” of a user. That concept does not exist on the Internet. Go read Alan Watts on “mu”.
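The post above makes the key point: the Received chain is written one line at a time by each relay, every server prepends its own line at the top, and only the lines added by servers you control are trustworthy. Everything below them was supplied by the other side and can say anything. The script below is an added example, not code from anyone in this thread; it parses a constructed set of headers (the host names and addresses are made up, and the set of "trusted" servers is an assumption) and walks the chain from the top down, stopping at the first hop that was not recorded by one of your own servers. The address it returns is the furthest point you can actually attribute; the "claimed" origin further down is only a hint.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). The two topmost Received
# lines are assumed to have been written by servers we operate; the remaining
# lines arrived with the message and could have been forged by the sender.
SAMPLE = """Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP id abc123; Sat, 1 Jan 2005 10:00:05 +0000
Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby mx1.example.net with ESMTP id def456; Sat, 1 Jan 2005 10:00:03 +0000
Received: from webclient (unknown [203.0.113.42])
\tby mail.example.org with HTTP; Sat, 1 Jan 2005 09:59:58 +0000
Received: from totally-real.gov (totally-real.gov [10.0.0.1])
\tby somewhere.invalid; Sat, 1 Jan 2005 09:59:00 +0000
X-Originating-IP: [203.0.113.42]
From: someone@example.org
To: victim@example.net
Subject: hi

body
"""

# Assumption: these are the mail servers we control and whose Received lines
# we believe. Anything not recorded "by" one of them is untrusted input.
TRUSTED_HOSTS = {"inbox.example.net", "mx1.example.net"}

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)   # "by <host>" in a Received line
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal


def parse_received(raw):
    """Return the Received hops as (by_host, from_ip) tuples in header order,
    i.e. topmost (last relay before delivery) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())        # unfold continuation lines
        by = BY_RE.search(flat)
        ip = IP_RE.search(flat)
        hops.append((by.group(1).lower() if by else None,
                     ip.group(1) if ip else None))
    return hops


def trusted_origin(raw, trusted_hosts=TRUSTED_HOSTS):
    """Walk down from the top while each hop was recorded by a server we trust.
    The from-IP in the last trusted hop is the furthest address we can vouch
    for; below that point the chain is the sender's word, not ours."""
    last_trusted_ip = None
    for by_host, from_ip in parse_received(raw):
        if by_host in trusted_hosts:
            last_trusted_ip = from_ip
        else:
            break
    return last_trusted_ip


def claimed_origin(raw):
    """The sender-side claim: X-Originating-IP if present, otherwise the from-IP
    of the bottom-most Received line. Unverifiable, so treat it as a hint."""
    msg = message_from_string(raw)
    xo = msg.get("X-Originating-IP")
    if xo:
        m = IP_RE.search(xo) or re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", xo)
        if m:
            return m.group(1)
    hops = parse_received(raw)
    return hops[-1][1] if hops else None


if __name__ == "__main__":
    for by_host, from_ip in parse_received(SAMPLE):
        print(f"by {by_host!s:20} from {from_ip}")
    print("attributable to:", trusted_origin(SAMPLE))   # the relay that handed it to us
    print("sender claims:  ", claimed_origin(SAMPLE))   # unverified
```

On the constructed sample the attributable address is the relay 198.51.100.7, not the 203.0.113.42 that mail.example.org says it saw, and the bottom line (a private 10.0.0.1 relayed "by somewhere.invalid") is exactly the kind of decoration that looks convincing in a mail client but proves nothing. If the relay in the middle is an open relay, the trustworthy trail ends there, which is the "mess" the post refers to.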
Thanks for the info guys. It’s all a bit over my head though. Can someone give me the dummies guide version to getting someone’s e-mail address from an e-mail?
P.S. - What’s a ‘header’?
Fuck. I meant “Can someone give me the dummies guide version to getting someone’s IP address from an e-mail?”
[sub]skulks off cursing the lack of an edit function[/sub]
If you are using Outlook Express (or Outlook, I believe), right-click on the subject line of the email.
Then select “Properties.”
Then click on the “Details” tab.
This will show you the header for that specific email.
For a detailed explanation of what an email header is, and what kind of information you can get from it, check out this link --> http://www.stopspam.org/email/headers.html
Note that IP addresses don’t mean everything as well. I can allow certain individuals to VPN through my network so they have my IP address while really they are coming in from somewhere completely different. This is done solely so the IP won’t trace back to where they’re really posting from. Also, someone using a proxy will typically only end up with the proxy IP, although there are ways around that.
My friend was using hotmail and I can’t seem to apply your method to hotmail. Sorry, I should have specified that in the OP. Is there still anything we can do?