Tracing e-mail messages

Hi. This is my first post. I hope it is appropriate for here.

My friend has gotten an anonymous email from somebody for the last month. Nothing serious. Just sort of secret admirer stuff.

Anyway, he wants to know who it is that emailed him. The message comes from a Yahoo mail account. There is this ID in the message header:

(I have replaced the numbers with X to protect privacy)
Message-ID: <xxxxxxxxxxxx.xxxxxx.qmail@web12813.mail.yahoo.com>
Can Yahoo tell me who this is? Will they know if the person used a fake name to sign up?

I’m certain Yahoo won’t tell you. Plus, you don’t need a birth certificate to get a Yahoo mail account, so there’s no way to know if their user information is true, in any case.

However, all is not lost. A while back, I got an email informing me that Bill Gates had written an “email tracing program”, which he was paying every Internet user $5000 to test. The man is a business genius! No wonder he’s a billionaire! I forwarded it to everyone I know, but still haven’t gotten my check. :confused: I’m sure it’ll be on the market soon, though, at which point, you can use it to trace your friend’s admirer back to his/her home computer. It may even tell you what he/she looks like!

Giraffe,

What if we told Yahoo that my friend didn’t like getting this kind of anonymous stuff. Would they then say that the admirer’s email was a “threat” and then tell us who it is??

And if we have this MessageID thing, can Yahoo trace that to some user because of the cookies?

Can Yahoo? Very probably they can at least get a handle on who it is. After all, when hackers do nasty stuff, law enforcement agencies are able to track 'em down.

Will they tell you? Most probably not.

If it’s a criminal case (threats etc.), contact your local police agency and Yahoo officials, and they’ll work on it.

If it’s a case of flirting… neither place will want to devote the resources to it. (And I really don’t recommend pretending that it’s a threat so that they’ll look into it.)

That is not a complete message header. In order to track an email you need a complete header, that looks something like this:

Received: from smtp.xtalwind.net (smtp.xtalwind.net [205.160.242.11])
by ctc.swva.net (8.9.3/8.9.3) with ESMTP id VAA20832
for <XXXXXX@swva.net>; Thu, 8 Mar 2001 21:08:19 -0500
Received: from dell600 (xtal438.xtalwind.net [204.215.255.187])
by smtp.xtalwind.net (8.11.0/8.11.0) with SMTP id f28D7gk54286;
Thu, 8 Mar 2001 08:07:42 -0500 (EST)
Reply-To: <XXXXX@xtalwind.net>
From: "XXXX XXXX" <XXX@xtalwind.net>
To: <XXXX@xtalwind.net>

I’ve edited out the personal stuff from this header, but you get the idea. I’ve been an antispammer for years now and I’ve gotten pretty good at reading this stuff. And while you may not be able to find a name, you will be able to find the IP of the sending computer. That may give you enough of a clue to proceed.

The message ID is worthless for tracking because it is easily overwritten with anything you want it to say.

Best,
Dev
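To make Dev's header-reading advice concrete, here is an added example (not from this thread or any poster) that walks a message's Received: chain bottom-up and pulls out the bracketed source IP of each hop; it handles both the "from host (rdns [ip]) by ..." shape shown above and the bare "from [ip] by host;" shape seen on webmail gateways. The sample message and its hosts and addresses are constructed placeholders, and the Message-ID is deliberately ignored for the reason Dev gives.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the two Received: shapes quoted in this thread:
# "from host (rdns [ip]) by ..." and the bare "from [ip] by ...". Hosts and
# addresses are documentation placeholders, not real data from the thread.
SAMPLE = """Received: from smtp.example.net (smtp.example.net [203.0.113.11])
\tby mx.example.org (8.9.3/8.9.3) with ESMTP id VAA20832
\tfor <user@example.org>; Thu, 8 Mar 2001 21:08:19 -0500
Received: from [198.51.100.7] by web12813.mail.example.com; Thu, 8 Mar 2001 08:07:42 -0500
Message-ID: <000000000000.000000.qmail@web12813.mail.example.com>
From: "Someone" <someone@example.com>
To: <user@example.org>

hello
"""

IPV4 = r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}"

def parse_received(value: str) -> dict:
    """Pull the HELO name, bracketed source IP and receiving host out of one Received: value."""
    flat = " ".join(value.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", flat)
    m_ip = re.search(r"\[(" + IPV4 + r")\]", flat)
    m_by = re.search(r"\bby\s+(\S+)", flat)
    claimed = m_from.group(1) if m_from else None
    if claimed and claimed.startswith("["):
        claimed = None  # "from [ip]" form carries no HELO name
    return {"claimed": claimed,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1).rstrip(";") if m_by else None}

def trace_hops(raw: str) -> list:
    """Received: chain in sender-to-recipient order.

    Every relay prepends its own line, so the last Received: is the hop nearest
    the sender. Only lines added by servers you trust are reliable; anything
    below them can have been written by the sender.
    """
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops

def originating_ip(raw: str):
    """IP recorded by the sender-side hop, or None. The Message-ID is not used:
    it is free text the sender controls, so it proves nothing on its own."""
    hops = trace_hops(raw)
    return hops[0]["ip"] if hops else None
```

The IP you get back is only as trustworthy as the server that wrote that Received: line; a hop the sender's own software added can say anything.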

Dev,

We just checked and the IP address points to “Websafe”. It is masking the real IP address, I think.

Anyway, I don’t think this person would be changing the message ID. So, if the ID is something like:

<xxxxxxxxxxxx.xxxxxx.qmail@web12813.mail.yahoo.com>

is that enough - in Theory - for Yahoo to find the person’s IP address?

Okay, several things here (please forgive me if this sounds patronising, but I don’t know what your level of technical understanding is).

The bad news first: you are highly unlikely to get anywhere with this. Companies like Yahoo! and Hotmail loathe having to spend time surrendering details – remember, they don’t have thousands of staff dealing with the webmail services. They will do so when forced to by legal authorities, and may well take action if the email your friend received was threatening or abusive (most likely simply deleting the account). Since it wasn’t, though, they’re unlikely to give out any details.

Secondly, if the Yahoo! account is anything like my Hotmail account, they have no accurate details on the true user (according to Hotmail, my name is N/A and I live at 1 N/A Street, N/A, N/A). If this is the case, then for Yahoo! to begin tracing the real user, they would have to search through whatever IP logs they keep – a long and arduous task that they won’t start without a good reason.

Okay. So you trace the IP address used to compose the email. The next problem is this: it probably won’t resolve to an actual PC anywhere. The chances are that this person is using a PC at work, through an ISP at home, at school/university or at an internet cafe. In most examples I can think of, the PCs used in these locations usually use DHCP. Since there aren’t enough IP addresses for each PC or network device in the world to have a unique address, companies and organisations buy “blocks” of IP addresses. Assuming that not everyone will be surfing the web at the same time, they then assign these dynamically (DHCP) – so I may have a different IP number every time I connect via my ISP.

If this is the case, then you or Yahoo! would have to go to the ISP or administrator and ask them to go through their logs used to record which IP number was assigned to which hardware ID (the MAC number) at the point when the email was sent. Again, this may be a huge amount of effort for them.

And, lastly, even if you know which physical PC the email was sent from…well, you still don’t know who the user was. If it was at an internet cafe or a university PC lab, you’re out of luck.

Sorry to be a downer, but I really doubt that Yahoo! will play ball.

I’d have to trace 20 anon emails per day!... one per month is nothing…

I ran web12813.mail.yahoo.com through some big search engines & it didn’t show up, so more likely than not it’s fake too.

No. Yahoo (assuming it came from them) would also need a timestamp to check through logs.

web12813.mail.yahoo.com is an actual machine name, and resolves to what I’m guessing is a web-based email host computer. There are a bunch of these along the lines of webNNNNN.mail.yahoo.com, so it’s probably one of a bunch of these web-email gateway machines. A quick search found no websafes or web-safes, so that may be bogus. Was this message read via Yahoo’s email? If not, and this header line is not forged, then the sender is on Yahoo.

Posting (or emailing) the full headers would sure help.

Best,
Dev

Thanks for the reply, Dev. A few more technical questions…

Received: from [216.104.228.158] by web12813.mail.yahoo.com;
Message-ID: <2****309153736.16808.qmail@web12813.mail.yahoo.com>

(I replaced some of the numbers above with ****)

The IP address appears to be from the Safeeweb server. So I guess the person is using that anonymous server before logging on to the Yahoo mail. But technically, can Yahoo ID the person using simply the message-ID and some kind of cookie placed on their computer? Is such a thing technically doable?

Or would the ID of the user have to come from Safeeweb?

I’m not sure where you are getting this safeeweb thing.
216.104.228.158 is downstream from exodus.net, at what appears to be fugunet.com. Try
postmaster@fugunet.com, and send the full headers.

Yahoo could indeed tell, if they are setting cookies to do this kind of thing, which they probably are not.