Email Trace

I wonder if anyone out there could advise me.

I’m rather disturbed by some anonymous but suggestive email that has been coming to my hotmail account. I’ve got a vague idea who it is, as the content is to do with an online group I belong to, but as I’ve never had any email contact with the person I think it is, I can’t compare the IP numbers.

Is there anyway I can trace the IP number from the hotmail message back to exactly who it belongs to? Or even a location? I don’t want to say anything unless I’m very, very sure, but I’d like to know for my own peace of mind and any future dealings with this person.

You can do a traceroute on the IP in the email header. That will get you at least the general area of the server the message came from, and possibly the city. But the actual location of the sender would be known only to the sender’s ISP. To reiterate, the IP address in the email header is not usually the true IP of the sender, but the gateway IP address of the ISP server the sender was connected to at the time.

Thank you Q.E.D.

Also please note that if someone is sophisticated about how email works he can fabricate the header so that you will see fake info (called “spoofing”).

Why don’t you just use one that goes up to 10 and then set it to 9?

Depending on how much effort you want to go to, here is a technique to get their real IP address:

To do this, you’ll need to have a web server and access to its logs.

Send him back an email. It could be from you, or from anyone else for that matter. The content doesn’t matter. It just needs to be something he’ll open, so give it a subject that will interest him and not be discarded.

Put the email together as an html doc. Somewhere inside the email, include a tag like this:

<img src="http://mywebserver.com/trace.gif" height="1" width="1" alt="" border="0">

Of course, replace “mywebserver.com” with your webservers address. You don’t need to actually have the trace.gif on the web server.

Because the image is one pixel by one pixel, the user won’t see it or see anything else different from a regular email.

Now just search through your access log for the text “trace.gif”. The request will be from his IP address. From that you can traceroute back to him.

The above will only work on email clients that allow HTML and the user has that turned on. And it still will not get you the user’s true IP address, any more than a directly sent email without a spoofed header.

Actually, it will get you their true IP address*. The HTML-enabled email client will make a direct request for trace.gif, so the loss of the IP address at the SMTP server will not be a factor; the request for the file will come directly from the person’s computer.

*Assuming that they’re not doing all their web browsing through a proxy.
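The beacon technique above only works because the mail client fetches remote images automatically, and a client that does not fetch them (or scans for them first) defeats it. As an added example, not code from this thread or from any poster, here is a small Python scanner of the kind a mail client or gateway can run over an HTML message before rendering it: it lists every image that would be fetched from a remote host and flags the ones that look like beacons (one pixel or smaller, or styled to be invisible). The HTML message, the host `mywebserver.example` and the file name `trace.gif` are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a visible logo plus a 1x1 remote image of the
# kind described in the thread. The hostnames are placeholders.
SAMPLE_HTML_MAIL = """
<html><body>
<p>Hi, thought you would like to see this.</p>
<img src="https://cdn.example/logo.png" width="120" height="40" alt="logo">
<img src="http://mywebserver.example/trace.gif" height="1" width="1" alt="" border="0">
<img src="cid:part1.attached@example" width="300" height="200">
<img src="https://stats.example/open.gif" style="display: none" width="50" height="50">
</body></html>
"""


def _is_tiny(value):
    """True for a width/height attribute of 1px or less (the classic beacon size)."""
    if value is None:
        return False
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


class RemoteImageScanner(HTMLParser):
    """Collect <img> tags whose source is fetched over HTTP(S) at render time."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        parsed = urlparse(src)
        # cid: and data: images are carried inside the message and do not
        # cause a network request, so only http(s) sources can leak the reader's IP.
        if parsed.scheme.lower() not in ("http", "https"):
            return
        tiny = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        self.findings.append({
            "src": src,
            "host": parsed.hostname,
            "tiny": tiny,
            "hidden": hidden,
            "beacon": tiny or hidden,
        })


def scan_html_mail(html):
    """Return one record per remote image; 'beacon' marks likely tracking pixels."""
    scanner = RemoteImageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def beacon_sources(html):
    """Just the URLs a client should refuse to fetch (or fetch only after asking)."""
    return [f["src"] for f in scan_html_mail(html) if f["beacon"]]


if __name__ == "__main__":
    for finding in scan_html_mail(SAMPLE_HTML_MAIL):
        flag = "BEACON" if finding["beacon"] else "image "
        print(f"{flag}  {finding['host']:<24} {finding['src']}")
```

The safest policy is the one most mail clients now ship with: do not load any remote image until the reader explicitly allows it, which removes the request entirely rather than relying on heuristics. The size and style checks are a second line of defence for gateways that rewrite or strip remote images before delivery.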

Bill, very nice.

Now how 'bout this: receive a report tracing all the hops an email made to get to its intended recipient. I would be fascinated to see how my email regularly gets to Jakarta.

You need to submit an Abuse complaint to the network of origin to get any of your questions answered. Only the sender’s ISP is going to be able to link your e-mail to a particular account. The originating IP address is valuable evidence, but only when it is combined with the date/time/timezone that the mail was sent, as well as the ISP’s logs, will the account of origin be known.

Depending on how “abusive” the content of the e-mail is, the Abuse folks at the ISP could take a variety of action.

The first thing they’ll probably tell you is that they can’t release their customer’s information without a subpoena. Depending on how you feel about the situation, you can consider a civil suit and acquire a subpoena as part of your civil action.

The next thing they’ll probably tell you is to send a ‘cease and desist’ request in response to the mail, asking the sender to cease all contact with you, and to copy them on that request. At that point, further e-mail from the same source can be considered harassment and the cease and desist on file will give them the leverage to take further action on the account.

Depending on their customer’s “history” and the abusive nature of the e-mail, they might decide to disable or terminate the sender’s account, but they won’t tell you whose account was used to send it without legal grounds.

Without taking this “official” route, all you’d be able to determine about the originating IP from the headers is that it is probably from a large dynamic pool, say from UUNet or SBC. A traceroute might tell you the general region of where the mail was sent from, but more than likely it will just show you how the owners of the originating IP organize/name their IP space, and nothing more.

But then of course anyone who truly intends to be “anonymous” just uses someone else’s cracked account or a compromised host to do their dirty work, so you really should take this up with the administrators of the implicated ISP if you want any sort of investigation to take place.

For a start, try Sam Spade.

Here are some other resources:

http://www.earthlink.net/home/tools/epa/about/cybercop/

http://support.earthlink.net/support/TUTORIALS/email/mbx_interpret_headers.jsp
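Two earlier points in the thread, the request to see every hop a message took and the note that the originating IP is only useful together with the date, time and timezone from the same header, come down to reading the Received lines in order. As an added example, not code from this thread or from any of the linked tools, here is a Python parser that walks the Received chain from the sender's side outward, pulls the connecting IP, relay name and timestamp out of each line, reports the delay between hops, and picks the first hop whose source address is outside the private ranges as the one to quote in an abuse complaint. The message below is constructed for the example; its hostnames and the documentation-range addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are placeholders, not real hosts.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parsedate_to_datetime

# Constructed sample message. Each MTA prepends its own Received line, so the
# topmost line is the last hop and the bottom one is closest to the sender.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.7])
\tby inbox.example.org with ESMTP id abc123
\tfor <recipient@example.org>; Tue, 04 Mar 2003 10:15:02 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
\tby mx1.example.net with ESMTP; Tue, 04 Mar 2003 10:14:58 -0500
Received: from userpc (dsl-pool-14.isp.example [192.0.2.44])
\tby relay.isp.example with SMTP; Tue, 04 Mar 2003 15:14:50 +0000
Received: from home-pc ([10.0.0.5])
\tby userpc with ESMTP; Tue, 04 Mar 2003 15:14:45 +0000
From: someone@isp.example
To: recipient@example.org
Subject: hello

body
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <relay> ...; <date>" as most MTAs write it.
_FROM_RE = re.compile(r"\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?", re.I)
_BY_RE = re.compile(r"\bby\s+(?P<relay>\S+)", re.I)
_IP_RE = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]")

# RFC 1918, loopback and link-local space: a hop from here is inside the sender's
# own network and cannot be mapped to an ISP account.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def _is_internal(ip):
    return any(ip in net for net in _INTERNAL_NETS)


def parse_received_chain(raw_message):
    """Return the Received hops in transit order, the sender's side first."""
    msg = message_from_string(raw_message, policy=default_policy)
    hops = []
    for index, value in enumerate(reversed(msg.get_all("Received") or []), start=1):
        text = re.sub(r"\s+", " ", str(value)).strip()
        from_m = _FROM_RE.search(text)
        by_m = _BY_RE.search(text)
        ip_m = _IP_RE.search(from_m.group("paren") or "") if from_m else None
        ip = None
        if ip_m:
            try:
                ip = ipaddress.ip_address(ip_m.group("ip"))
            except ValueError:
                ip = None
        when = None
        if ";" in text:  # the timestamp follows the last ';' in the header
            try:
                when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hops.append({
            "hop": index,
            "claimed_name": from_m.group("helo") if from_m else None,
            "ip": str(ip) if ip else None,
            "is_internal": bool(ip and _is_internal(ip)),
            "relay": by_m.group("relay") if by_m else None,
            "timestamp": when,
        })
    return hops


def transit_delays(hops):
    """Seconds between consecutive hops; None where a timestamp is missing."""
    delays = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["timestamp"] and cur["timestamp"]:
            delays.append(int((cur["timestamp"] - prev["timestamp"]).total_seconds()))
        else:
            delays.append(None)
    return delays


def likely_origin(hops):
    """The first hop with a non-internal source address: the IP, relay and
    timestamp an abuse desk needs. It is only as trustworthy as the relay that
    wrote the line; anything below the first line added by a server you trust
    can be forged by the sender."""
    for hop in hops:
        if hop["ip"] and not hop["is_internal"]:
            return hop
    return None


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_MESSAGE)
    for hop, delay in zip(chain, [None] + transit_delays(chain)):
        print(hop["hop"], hop["ip"], "->", hop["relay"], hop["timestamp"], delay)
    print("report this hop:", likely_origin(chain))
```

Read the chain bottom-up and stop trusting it at the first relay you do not control: the lines your own provider added are reliable, the lines beneath them are whatever the sending server chose to write. The timestamp carries its own UTC offset, so the delays are computed correctly even when, as here, the relays log in different timezones.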

Thanks to all for sharing your knowledge with someone un-blessed in tech.

There is a very good reason why I am loath to report this person to their ISP. I don’t think it’s dangerous, I think they’re just trying to f**k with my head (and failing) BUT I would like to be able to take them to one side at some point and say ‘look, I know that was you and if you do it again… (insert threat of choice)’.

Someone asked a friend to trace it for me a couple of months back, and they told me it came from Kos, in Greece, which was baffling, so I’ll think through your suggestions and see if I can do anything with my own fair hands.

Cheers!

Well people, thanks to your help I am now probably 85-90% certain that I’ve established the identity of my emailer. Not only that but I now know several of his other aliases.

It’s a huge relief to know that my suspicions were correct, and I’m going to have a quiet (jokey but making my point) word with him face to face next week.

You’ve all been great and I thank you profusely.