Tracking email sender

Dr Who
Rising from the depths
Posts: 200
Joined: 22 May 2008

Tracking email sender

Postby Dr Who » 26 Feb 2009, 10:45

Hey doods,

A friend of mine has been receiving some weird emails lately and would like to know where they are originating from. I have a vague recollection you can trace the route of an email via IP using the header information, but this is hidden in mailer applications (unless you are using a UNIX mailer????). Anyone know how I can dig up the IP trail? Be nice to know whether they originated from the same ISP, i.e. potentially traceable, or from internet cafes.

Cheers in advance
scarbunny
Master of the Salmon Slap
Posts: 3070
Joined: 26 June 2008

Re: Tracking email sender

Postby scarbunny » 26 Feb 2009, 10:58

Depends on where he is receiving them. Is it Hotmail or Outlook or other?
steffcip
1+1=1 ?!
Posts: 2034
Joined: 07 May 2008
Location: London

Re: Tracking email sender

Postby steffcip » 26 Feb 2009, 12:02

In Outlook it is quite easy to check, same in Gmail...
Yahoo has got paid POP access so you can download the email using Outlook... don't know about the web interface
Dr Who
Rising from the depths
Posts: 200
Joined: 22 May 2008

Re: Tracking email sender

Postby Dr Who » 26 Feb 2009, 12:54

Just checking now. He has forwarded the mail to me, but I assume the header information is not sent? One of the emails was sent to his Yahoo.co.uk account and one to his work one, which he picks up on a Mac I believe. Just trying to find out now.
Johnmcl7
Daemonhunter
Posts: 7999
Joined: 07 May 2008
Location: Inverness

Re: Tracking email sender

Postby Johnmcl7 » 26 Feb 2009, 20:13

Quite a few web mail programs will show you the full headers, the Yahoo web interface definitely does:
From Amazon.co.uk Tue Jul 1 09:59:36 2008
Return-Path: <emailsenderapp+correios-rtfm-w0elvehyxl@bounces.amazon.com>
Authentication-Results: mta164.mail.ukl.yahoo.com from=amazon.co.uk; domainkeys=neutral (no sig)
Received: from 87.238.80.24 (EHLO mm-retail-out-13101.amazon.com) (87.238.80.24) by mta164.mail.ukl.yahoo.com with SMTP; Tue, 01 Jul 2008 09:59:49 +0000
Date: Tue, 1 Jul 2008 02:59:36 -0700 (PDT)
From: "Amazon.co.uk" <amazon-offers@amazon.co.uk>
To: "myusername@yahoo.co.uk" <myusername@yahoo.co.uk>
Message-ID: <14144635.1067371214906376404.JavaMail.em-build@eu-mm-relay.amazon.com>
Subject: Amazon.co.uk: New one week only deals in Electronics
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_211166_3648649.1214906376400"
Bounces-to: emailSenderApp+Correios-RTFM-W0ElveHyxL ... amazon.com
Content-Length: 46422


The problem is you can't tell if it's genuine: there are e-mail redirectors out there that strip out this header information and replace it with their own, so you can only see it came from them but not where it was before that.

John
Used correctly terrain is a second weapon in your arsenal, equal to your Titan itself. Make the battlefield work for you, or you will find it working for your opponent.
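
Added example, not part of the original thread: a Python sketch that reads Received lines like the one in the Yahoo header above, lists the hops oldest-first, and marks which were stamped by the recipient's own provider, since anything below that point is supplied by the sending side (the limitation described above). The sample message, the `example.net` provider suffix and the function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: documentation IP ranges and example domains only.
RAW = """\
Received: from mx-in.example.net (mx-in.example.net [10.1.2.3])
 by store1.example.net with LMTP; Thu, 26 Feb 2009 10:40:07 +0000
Received: from relay.example.org (relay.example.org [203.0.113.25])
 by mx-in.example.net with ESMTP; Thu, 26 Feb 2009 10:40:05 +0000
Received: from [198.51.100.77] (helo=laptop)
 by relay.example.org with ESMTP; Thu, 26 Feb 2009 10:40:01 +0000
From: someone@example.org

body
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def received_trail(raw, provider):
    """Return the Received hops oldest-first as dicts (by, ips, trusted)."""
    hops, trusted = [], True
    for value in message_from_string(raw).get_all("Received", []):  # newest first
        flat = " " + " ".join(value.split())       # undo header folding
        from_part, _, rest = flat.partition(" by ")
        by_host = rest.split()[0].rstrip(";").lower() if rest else ""
        # Trust runs down from the top only while the stamping host is the provider's.
        trusted = trusted and (by_host == provider or by_host.endswith("." + provider))
        ips = []
        for cand in IPV4.findall(from_part):       # IPv4 only in this sketch
            try:
                ip = str(ipaddress.ip_address(cand))
            except ValueError:
                continue
            if ip not in ips:
                ips.append(ip)
        hops.append({"by": by_host, "ips": ips, "trusted": trusted})
    return hops[::-1]

def handoff_ips(hops):
    """IPs recorded by the oldest trusted hop: where the mail entered the provider."""
    for hop in hops:                                # oldest first
        if hop["trusted"]:
            return hop["ips"]
    return []

if __name__ == "__main__":
    for hop in received_trail(RAW, "example.net"):
        print(hop)
```

A forged line that names one of the provider's own hosts would still pass the suffix check, so compare host names and timestamps against mail known to be genuine.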
Dr Who
Rising from the depths
Posts: 200
Joined: 22 May 2008

Re: Tracking email sender

Postby Dr Who » 26 Feb 2009, 20:38

Cheers John. How do I reveal the header? I need to give instructions to a technically useless friend.

I am aware that the email might have been bounced around, but not convinced, from the tone of the emails, that the person is necessarily that adept. Hoping to find a common domain at least, if not a common IP.
steffcip
1+1=1 ?!
Posts: 2034
Joined: 07 May 2008
Location: London

Re: Tracking email sender

Postby steffcip » 26 Feb 2009, 20:42

In Yahoo: assuming he has got the new site template enabled, right-click on the email and click View Full Headers.
Dr Who
Rising from the depths
Posts: 200
Joined: 22 May 2008

Re: Tracking email sender

Postby Dr Who » 26 Feb 2009, 20:54

Thanks for the input chaps. I will relay that information.
Dr Who
Rising from the depths
Posts: 200
Joined: 22 May 2008

Re: Tracking email sender

Postby Dr Who » 28 Feb 2009, 13:54

Right, my friend is using Entourage via POP and has downloaded the email from Yahoo and deleted it from their server. Any idea how to display the info in Entourage?
Dr Who
Rising from the depths
Posts: 200
Joined: 22 May 2008

Re: Tracking email sender

Postby Dr Who » 28 Feb 2009, 14:37

Figured it out. Got some information, but need to wait until Monday to get more. But does anyone know what any of this means?

In-Reply-To: <BAY124-W4824B121E4945381B22A34A3AC0@phx.gbl>
References: <42d7401c7f44f$dfd89ceb$7b8f15ac@NOE.Nokia.com>
<BAY124-W4824B121E4945381B22A34A3AC0@phx.gbl>
steffcip
1+1=1 ?!
Posts: 2034
Joined: 07 May 2008
Location: London

Re: Tracking email sender

Postby steffcip » 28 Feb 2009, 19:44

You need more info.
See http://whatismyipaddress.com/forum/view ... opic=17752
Maybe this could help.
Dr Who
Rising from the depths
Posts: 200
Joined: 22 May 2008

Re: Tracking email sender

Postby Dr Who » 28 Feb 2009, 22:55

Cheers Steff. I have got the IP from one of their emails - just need to check whether they are on a static or dynamic for the same host. Either way, probably enough to report abuse. Just wondered what the In-Reply-To and References meant - this person forwarded my friend a confidential email my friend had sent to a third party. Trying to figure out where this person got the email from - whether it was sent to them in error, or whether they have somehow compromised my friend's account.

That forum looks useful though, and once I have checked the header from multiple emails I may post there on Monday.

EDIT: Great link Steff! Just run a check and now have a geographical location for the server that the IP address belongs to. Very interesting.
