- May 28, 2008
Everyone,
My uncle and I are in need of some expert help. My uncle is living and working in Iraq and just went through a nasty divorce. The ex-wife is just nuts...plain and simple. I used to like her until I found some things out.
Anyways, I got a call from him a few weeks ago asking if there was a way to trace where an email was sent from. He thinks it was his ex-wife, but we are not sure. Someone logged into his Yahoo! email account and sent everyone in his address list porno - just so happens the email "went" to his ex-wife and one of his daughters. Now the ex-wife has the judge basically saying that if it was him, he won't be allowed to see his children (when he returns from Iraq). He DID not send the email and so far all have pointed to her sending them from his email address (she knew his login information to Yahoo!).
Here are the email headers I was able to get from one of my cousins who actually received the email:
X-Message-Delivery: Vj0zLjQuMDt1cz0wO2k9MDtsPTA7YT0x
X-Message-Status: n:0
X-SID-PRA: John Doe<XXXXX@YAHOO.COM>
X-Message-Info: R00BdL5giqp+ASWiiiiklSMzMa10fZupk3Fb9NiVmI5r4Po5armbqOI798wD/QZo6pVfBnc4AQL5Z7LdCPyN6042pfH/olZJ
Received: from web54504.mail.re2.yahoo.com ([206.190.49.154]) by bay0-mc3-f22.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Thu, 3 Apr 2008 19:58:36 -0700
Received: (qmail 17316 invoked by uid 60001); 4 Apr 2008 02:58:36 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
b=xnbKrZW8NRUf/6Mw+3/xueNpUW+WL+v3lCOw3xUA1F8OUctGCZdS/hXW2yEFTdFA4142A6iH8hwLls7IHDc6bSLs7NzbUwMCaN2cfZK9hc9A4FhWGw8m+QwdmFZF2PtChdSSkh60LYUxWUVsmGKLGlZR/zjoD5MBKReP997VDUg=;
X-YMail-OSG: GvyQS0YVM1k4lyNRxYtvqLfVTUM1tSQtMVzMfHFdMEE.Xr8bCJREyk7o0aLsmk6wL4TT_XMDvkdGOBen_MH81xU5vsUi4EYdG2DcdxnO5Q--
Received: from [24.153.180.26] by web54504.mail.re2.yahoo.com via HTTP; Thu, 03 Apr 2008 19:58:35 PDT
Date: Thu, 3 Apr 2008 19:58:35 -0700 (PDT)
From: John Doe<XXXXX@YAHOO.COM>
Subject: Fwd: Guess what today is ??
To: ALL EMAIL ADDRESSES, BUT I HAVE REMOVED THEM AS I DON'T WANT THEM GETTING INTO THE WRONG HANDS
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-421383848-1207277915=:16735"
Content-Transfer-Encoding: 8bit
Message-ID: <44922.16735.qm@web54504.mail.re2.yahoo.com>
Return-Path: XXXXX@yahoo.com
X-OriginalArrivalTime: 04 Apr 2008 02:58:36.0601 (UTC) FILETIME=[C6E2CA90:01C895FF]
--0-421383848-1207277915=:16735
Content-Type: multipart/alternative; boundary="0-712704726-1207277915=:16735"
--0-712704726-1207277915=:16735
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Now, if I am not mistaken, yahoo.com received the actual email from 24.153.180.26, correct? If so, a tracert shows the following information from my IP:
Tracing route to rrcs-24-153-180-26.sw.biz.rr.com [24.153.180.26]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.0.1
2 12 ms 12 ms 11 ms cpe-XXX.XXX.XXX.XXX.tx.res.rr.com [XXX.XXX.XXX.XXX]
3 10 ms 11 ms 12 ms gig1-2.dllatxcrl-rtr2.tx.rr.com [XXX.XXX.XXX.XXX]
4 8 ms 8 ms 11 ms gig4-0-0.dllatxchn-rtr6.tx.rr.com [70.125.217.101]
5 18 ms 18 ms 19 ms gig0-1-0.hstntxl3-rtr1.texas.rr.com [72.179.205.74]
6 25 ms 24 ms 22 ms gig3-0-0.austtxrdcsc-rtr1.austin.rr.com [72.179.205.79]
7 21 ms 21 ms 23 ms gig1-0-0.austtxa-10k1.austin.rr.com [24.27.13.117]
8 30 ms 32 ms 35 ms rrcs-24-153-180-26.sw.biz.rr.com [24.153.180.26]
I also did a lookup of the address on a few sites, but they were pretty inconsistent. Can anyone help me PINPOINT where this came from or a remote location of where it came from? As you can tell, he obviously didn't send the email since he is in IRAQ! Your help is greatly appreciated!
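An added example, not part of the original post: reading the quoted `Received:` chain oldest-first to find which address handed the message to Yahoo's web server, and checking that the relay names and timestamps agree with each other. The function names are this example's own, and the sample input is the header lines quoted above with folding whitespace restored.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

# Received/Date lines copied from the post; folding whitespace restored, other headers omitted.
RAW = """\
Received: from web54504.mail.re2.yahoo.com ([206.190.49.154]) by bay0-mc3-f22.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
\tThu, 3 Apr 2008 19:58:36 -0700
Received: (qmail 17316 invoked by uid 60001); 4 Apr 2008 02:58:36 -0000
Received: from [24.153.180.26] by web54504.mail.re2.yahoo.com via HTTP; Thu, 03 Apr 2008 19:58:35 PDT
Date: Thu, 3 Apr 2008 19:58:35 -0700 (PDT)

"""

def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None

def parse_hops(raw):
    """Return the Received hops oldest-first (headers are prepended in transit)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = value.rpartition(";")
        when = parsedate_to_datetime(stamp.strip())
        if when.tzinfo is None:                    # "-0000" parses as naive; treat as UTC
            when = when.replace(tzinfo=timezone.utc)
        bare = re.sub(r"\([^()]*\)", "", info)     # drop comments such as "(qmail ...)"
        hops.append({
            "from": _field(r"\bfrom\s+(\S+)", bare),
            "by": _field(r"\bby\s+(\S+)", bare),
            "via": _field(r"\b(?:via|with)\s+(.+)", bare),
            "ip": _field(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", info),
            "when": when,
        })
    return hops

def chain_is_consistent(hops):
    """True if times never run backwards and each relay names the previous 'by' host."""
    ordered = all(a["when"] <= b["when"] for a, b in zip(hops, hops[1:]))
    named = [h for h in hops if h["by"]]           # skip the local qmail hand-off
    linked = all(a["by"] == b["from"] for a, b in zip(named, named[1:]))
    return ordered and linked

if __name__ == "__main__":
    hops = parse_hops(RAW)
    first = hops[0]
    print(first["ip"], "->", first["by"], "via", first["via"], "at", first["when"].isoformat())
    print("public address:", ip_address(first["ip"]).is_global)
    print("chain consistent:", chain_is_consistent(hops))
```

The oldest hop only identifies the connection that submitted the message over HTTP at that timestamp; tying that address to a subscriber takes the ISP's own assignment records for that date and time.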