Old 03-16-2005, 01:34 PM   #1
Registered User
 
Join Date: Dec 2002
Location: Missouri
Posts: 27
Finding IP address

Is there a way to find the IP address of an email sent to someone, from either a hotmail, aol, or yahoo account? A friend of mine is receiving emails from an unknown source, and thinks he knows who it is, but can't verify it. The only way I can think to do this is through the IP, and compare that to an email from the person he thinks it is. Sounds like kind of a goofy situation, I know. Any help that can be provided is greatly appreciated.

Dave
dpuckett is offline   Reply With Quote
Old 03-16-2005, 01:43 PM   #2
Staff
Premium Member
 
 
Join Date: Jul 1999
Location: Arlington, TN
Posts: 5,538
Not too sure if you can actually view the mail headers in hotmail. Probably wouldn't help all that much since it would just show the IP address of the mail server that sent out the message not the IP address of the computer that sent out the email. If they weren't with a major ISP, i.e. sending an email from their own mail server, it would be easier to determine.
__________________

Want to Make $$$$ with your Computer? No Risk! Simply press shift-4 four times in a row
mairving is offline   Reply With Quote
Old 03-16-2005, 01:52 PM   #3
Registered User
 
Join Date: Dec 2002
Location: Missouri
Posts: 27
Thanks for your help. So, there really is no way to track it? I thought I heard about a tracer software once upon a time that could track back to the physical location's IP address...could have heard wrong though. Any other thoughts about how this could be traced?
dpuckett is offline   Reply With Quote
Old 03-16-2005, 01:57 PM   #4
Professional gadfly
 
 
Join Date: Jan 2002
Location: Minneapolis, MN
Posts: 6,364
Log into Hotmail, then go to Options, then Mail Display Settings. Under header information, set to "Full" or "Advanced". This will display them, although their usefulness may not be great, as mairving pointed out.
doctorgonzo is offline   Reply With Quote
Old 03-16-2005, 01:59 PM   #5
Staff
Premium Member
 
 
Join Date: Jul 1999
Location: Arlington, TN
Posts: 5,538
Quote:
Originally Posted by dpuckett
I thought I heard about a tracer software once upon a time that could track back to the physical location's IP address...could have heard wrong though. Any other thoughts about how this could be traced?
Maybe that was in that movie 'The Net' with Sandra Bullock. Not in the real world though.
mairving is offline   Reply With Quote
Old 03-16-2005, 02:25 PM   #6
Registered User
 
Join Date: Dec 2002
Location: Missouri
Posts: 27
lol...you're probably right. Don't know where I originally heard that. So, technically with yahoo or hotmail or any of those, someone could send a completely anonymous email?? I got in and expanded the headers to the emails. Would there be one main hotmail IP address? He gave me his login info and I am looking at the email right now...it looks like the IP address from this person (a hotmail email address) is different than that of another person with a hotmail email address. I'm sorry that I don't know that much about this stuff...just trying to think about possibilities and figure this out.
dpuckett is offline   Reply With Quote
Old 03-16-2005, 02:28 PM   #7
Member (10 bit)
 
 
Join Date: Nov 2004
Posts: 800
No way, there is enough info in that header to at least get a geographical approximation, maybe even a city/town. Unless this is an experienced user who is telnetting to a mailserver or something, you might even be able to whois the info in the "Received: from" and other stuff in the header after googling around for a stray message.

With Hotmail, it'll be a "X-Originating-IP" line just below the Received lines
With Yahoo group mail: it'll be an "X-Originating-IP" line below the X-Mailer
In regular Yahoo mail: there will usually be another "Received" line below "Message ID"

It may be forged if this is a spammer or something, and this is where one distinct feature of Received: lines comes into play. Every server will not only note who it is but also where it got the message from (in IP address form).

You can simply compare who the server claims to be with what the server one notch up in the chain says it really is. If the two don't match, the earlier Received: line has been forged.

In this case, the origin of the email is what the server immediately after the forged Received: line has to say about who it got the message from.

You can always post a header somewhere, there is bound to be someone who will help you if you can convince them it's legitimate. I doubt this is the right forum for that. To be honest though, your best bet will be to email abuse[at]whateverwhoistellsu if there is cause, have their ISP admin worry about it.
rightcoast is offline   Reply With Quote
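
The Received-chain check described in the post above, as an added example that is not part of the original thread: it walks the Received lines from the recipient's own server downward and stops at the first line whose writer does not match what the server above it recorded. The sample headers, the hostnames and the `from HELO (RDNS [IP]) by HOST` line shape are constructed assumptions; real mail servers format these lines in many ways.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): documentation-range IPs and
# example hostnames. The bottom Received line is a fake that the sender
# inserted before handing the message to relay.example.net.
RAW = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Wed, 16 Mar 2005 06:53:52 -0800
Received: from mail.bigbank.example (unknown [203.0.113.45])
\tby relay.example.net with SMTP; Wed, 16 Mar 2005 06:53:50 -0800
Received: from workstation (localhost [127.0.0.1])
\tby smtp.isp.example with SMTP; Wed, 16 Mar 2005 06:53:40 -0800
From: someone@example.com
Subject: constructed test message

body
"""

# Assumed line shape: "from HELO (RDNS [IP]) by HOST". Real servers vary.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Return Received hops newest-first as dicts with helo, rdns, ip, by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            break  # nothing below an unparseable line can be checked
        hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def trace_origin(raw, trusted_by):
    """Walk down from the recipient's own server; stop where the chain breaks.

    Returns (last IP recorded by a consistent hop, list of unverified hops).
    """
    hops = parse_hops(raw)
    if not hops or hops[0]["by"].lower() != trusted_by.lower():
        return None, []
    origin = hops[0]["ip"]
    for i in range(1, len(hops)):
        upper, lower = hops[i - 1], hops[i]
        # HELO is chosen by the sender, so only the name the upper server
        # looked up itself (rdns) is compared with who wrote the lower line.
        if lower["by"].lower() != upper["rdns"].lower():
            return origin, hops[i:]
        origin = lower["ip"]
    return origin, []

if __name__ == "__main__":
    print(trace_origin(RAW, "mx.example.org"))
```

The address returned is the one the last consistent server recorded, which can be a shared proxy or mail gateway rather than the sender's own machine.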
Old 03-16-2005, 02:54 PM   #8
Registered User
 
Join Date: Dec 2002
Location: Missouri
Posts: 27
Thanks for the info, but you totally lost me there. Below is the info in yahoo:

Authentication-Results: mta350.mail.scd.yahoo.com from=hotmail.com; domainkeys=neutral (no sig)
X-Originating-IP: [65.54.247.2]
Return-Path:
Received: from 65.54.247.2 (EHLO hotmail.com) (65.54.247.2) by mta350.mail.scd.yahoo.com with SMTP; Wed, 16 Mar 2005 06:53:52 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 16 Mar 2005 06:53:52 -0800
Message-ID:
Received: from 64.12.116.195 by by2fd.bay2.hotmail.msn.com with HTTP; Wed, 16 Mar 2005 14:53:52 GMT
X-Originating-IP: [64.12.116.195]
X-Originating-Email: [xxx@hotmail.com]
X-Sender: xxx@hotmail.com
In-Reply-To: <20050316132322.23876.qmail@web50206.mail.yahoo.com>

Below is an email from the person he thinks is sending it:

Authentication-Results: mta132.mail.dcn.yahoo.com from=aol.com; domainkeys=neutral (no sig)
X-Originating-IP: [64.12.137.3]
Received: from 64.12.137.3 (EHLO imo-m22.mx.aol.com) (64.12.137.3) by mta132.mail.dcn.yahoo.com with SMTP; Fri, 11 Feb 2005 05:04:46 -0800
Received: from XXX@aol.com by imo-m22.mx.aol.com (mail_out_v37_r3.8.) id k.1a8.313ca4c3 (4539); Fri, 11 Feb 2005 08:04:43 -0500 (EST)
Message-ID: <1a8.313ca4c3.2f3e076b@aol.com>

Again, I really don't know that much about this stuff, and I know it is asking for a lot to look at these and see if it came from the same person. It is very greatly appreciated to anyone that can help, and let me know what you looked at to figure it out. Thanks again.

Dave

P.S. The email addresses aren't xxx@aol.com or whatever, I just didn't want to include those in my post.
dpuckett is offline   Reply With Quote
Old 03-16-2005, 03:23 PM   #9
Member (10 bit)
 
 
Join Date: Nov 2004
Posts: 800
The emails are both coming from the same AOL Server, with the same network ID. Not conclusive but I would say there is real good chance they are the same.

See how the Hotmail's X-Originating-IP: [64.12.116.195] has the same first 16 bits (two decimal places) as the AOL one?

X-Originating-IP: [64.12.137.3]

That would be all I would need to be pretty sure. It wouldn't convince a court. But it's good enough for me.
rightcoast is offline   Reply With Quote
Old 03-16-2005, 03:43 PM   #10
Gremlin Overlord
 
 
Join Date: Apr 2003
Location: Australia
Posts: 2,382
What is it you wanted to know for?? Are these emails just a nuisance, or is it something more malignant??
Jaggannath is offline   Reply With Quote
Old 03-16-2005, 03:52 PM   #11
Registered User
 
Join Date: Dec 2002
Location: Missouri
Posts: 27
Thanks a lot for reviewing that...I really appreciate it!!

The emails are a little bit of both. There is a gal emailing my buddy saying that he did things that he didn't do, and is causing problems with his wife. One of his ex-girlfriends has done this in the past, and he is now receiving emails from somebody he doesn't know saying that he was with her. The first email was from the ex...the second is from this new gal he doesn't know. He was looking at pressing charges for harassment, but we're mainly trying to prove to his wife that it's the same gal. It's a big drama!!! (Geez, I need a beer after talking about that one!!).

Thanks again to everyone for their input! I guess there's really no other way to track it to be absolutely sure (as in, something that would hold up in court if he wants to take that route).

Dave
dpuckett is offline   Reply With Quote
Old 03-16-2005, 04:00 PM   #12
Member (10 bit)
 
 
Join Date: Nov 2004
Posts: 800
A lawyer would have no problem calling AOL and finding out who sent both mails. Without that step, they will not hold up, but it is as simple as that. AOL is notorious for retaining member privacy, but not against court order.

The same person sent both mails...a good analogy would be this is enough for a civil case, but not a criminal one. That isn't literal, just figurative.

Have his wife read the thread, I am 95% sure.

Last edited by rightcoast; 03-16-2005 at 04:04 PM.
rightcoast is offline   Reply With Quote
Old 03-16-2005, 04:03 PM   #13
Registered User
 
Join Date: Dec 2002
Location: Missouri
Posts: 27
You're great rightcoast!!! Thanks!
dpuckett is offline   Reply With Quote
Old 03-16-2005, 09:23 PM   #14
glc
Forum Administrator
Staff
Premium Member
 
 
Join Date: May 2000
Location: Joplin MO
Posts: 37,771
X-Originating-IP: [64.12.116.195]

DNS lookup:

Host name: cache-mtc-ad01.proxy.aol.com
IP address: 64.12.116.195
Alias(es): None

All this proves is that the person who used Hotmail was connected to the Internet through AOL - and being that it used a proxy, there's no way to trace that back.

X-Originating-IP: [64.12.137.3]

That's one of AOL's mail servers.

Received: from XXX@aol.com

That's the only thing in the whole mess that points to an account, and it can't be crossed to the Hotmail abuse.
glc is offline   Reply With Quote
All times are GMT -5. The time now is 02:28 AM.