Tracing the IP of an email

deveraux

Senior member
Mar 21, 2004
284
0
71
I apologise if this is the wrong forum to post this in.

My friends and I have recently been receiving emails from a Yahoo mail account and we are trying to trace the email back to the original sender. I have looked through the email headers and did several "tests" with various emails in an attempt to track the IP down. My main problem is that I am wondering why some email headers store the DNS name linked to the original sender whilst others just display the sender's IP itself?

The emails that my friends and I have been receiving are originating from a DNS and I'm wondering if there is any other way to trace the IP of the sender itself. Thank you for your time.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
a) Post an example please...
b) SMTP headers are not secure, you can't trust any from before the last server you trust or can confirm.

Bill
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,540
419
126
You are wasting your time, unless it is serious enough to be a legal matter.

If it is, complain to Yahoo and/or the adequate authorities.

Let's say you would find the IP.

Next step, you have to ask the ISP who used the IP at the specific time.

They would not tell you unless you have a signed legal subpoena.

:sun:
 

deveraux

Senior member
Mar 21, 2004
284
0
71
Return-Path: <cambridge_kaypo@yahoo.com>
Received: from ppsw-7-intramail.csi.cam.ac.uk ([192.168.128.137])
by cyrus-6.csi.private.cam.ac.uk (Cyrus v2.1.16-HERMES)
with LMTP; Wed, 01 Jun 2005 23:26:51 +0100
X-Sieve: CMU Sieve 2.2
X-Cam-SpamScore: ss
X-Cam-SpamDetails: scanned, SpamAssassin (score=2.424, EXCUSE_3 0.10,
EXCUSE_7 0.15, FORGED_YAHOO_RCVD 2.17)
X-Cam-AntiVirus: No virus found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from web33704.mail.mud.yahoo.com ([68.142.201.201]:31448)
by ppsw-7.csi.cam.ac.uk (mx.cam.ac.uk [131.111.8.147]:25)
with smtp (csa=unknown) id 1Ddbff-0002Ix-Od (Exim 4.51) for sv261@cam.ac.uk
(return-path <cambridge_kaypo@yahoo.com>); Wed, 01 Jun 2005 23:26:43 +0100
Received: (qmail 73091 invoked by uid 60001); 1 Jun 2005 22:26:42 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
b=dVZo+3KqPhQ7FvL2uXpYSfKcIY2ZuzfzSOJcrCHyk24ayWGAbDeJlMdIVUOjGrNIg5M2sWmvvxKxg
zn8Vpf7Hns0TZb80MmLzxNIlLZ3zDAPqpYeDq/fSCLW3voUi8QWEkJuNSO/sIypewV+8HAQwAES7lCi
xjznuSd88U1hI= ;
Message-ID: <20050601222642.73089.qmail@web33704.mail.mud.yahoo.com>
Received: from [131.111.8.97] by web33704.mail.mud.yahoo.com via HTTP; Wed, 01 Jun 2005 15:26:42 PDT

The last line suggests that the mail originated from 131.111.8.97. But I know for a fact that all 131.111.8.xxx are reserved for servers. Even an IP trace on 131.111.8.97 returns a server type config.
 

deveraux

Senior member
Mar 21, 2004
284
0
71
Originally posted by: JackMDS
You are wasting your time, unless it is serious enough to be a legal matter.

If it is, complain to Yahoo and/or the adequate authorities.

Let's say you would find the IP.

Next step, you have to ask the ISP who used the IP at the specific time.

They would not tell you unless you have a signed legal subpoena.

:sun:

I agree that it's probably not worth my time. But either way, it would be a learning experience and that is definitely worth my time. ;)
 

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
Originally posted by: deveraux
Message-ID: <20050601222642.73089.qmail@web33704.mail.mud.yahoo.com>
Received: from [131.111.8.97] by web33704.mail.mud.yahoo.com via HTTP; Wed, 01 Jun 2005 15:26:42 PDT

The part in bold is a key bit of information. It indicates that whoever sent the email probably did so via a web/HTTP email interface. The server with the IP address of 131.111.8.97 returns a name of beta.wwwcache.cam.ac.uk, which looks like a web caching/proxy server. It's entirely possible that the web email interface they used resides on that caching server (or is somewhere behind it), and if that is the case, there really isn't any way to find the true origin of the message unless you can convince the owner of that server to give it to you...
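Putting bsobel's point (trust nothing before the last server you control) and Fardringle's reading of the "via HTTP" line into code: the following is an added example, not code from any poster. It parses a trimmed copy of the Received: chain quoted above, walks it from the recipient's side, and marks the hop where verifiable information ends. The trusted-server set, the sample header block and all function names are assumptions made for the example.

```python
"""Split an email's Received: chain into hops the recipient can verify
and hops that are merely claimed by someone else's server.
Added example; not code from the thread or from any poster."""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed sample modelled on the headers quoted in the thread, cut down
# to the lines that matter for the trace (folded lines kept as folded).
SAMPLE_HEADERS = (
    "Return-Path: <cambridge_kaypo@yahoo.com>\n"
    "Received: from ppsw-7-intramail.csi.cam.ac.uk ([192.168.128.137])\n"
    "\tby cyrus-6.csi.private.cam.ac.uk (Cyrus v2.1.16-HERMES)\n"
    "\twith LMTP; Wed, 01 Jun 2005 23:26:51 +0100\n"
    "Received: from web33704.mail.mud.yahoo.com ([68.142.201.201]:31448)\n"
    "\tby ppsw-7.csi.cam.ac.uk (mx.cam.ac.uk [131.111.8.147]:25)\n"
    "\twith smtp (csa=unknown) id 1Ddbff-0002Ix-Od (Exim 4.51) for sv261@cam.ac.uk\n"
    "\t(return-path <cambridge_kaypo@yahoo.com>); Wed, 01 Jun 2005 23:26:43 +0100\n"
    "Received: (qmail 73091 invoked by uid 60001); 1 Jun 2005 22:26:42 -0000\n"
    "Message-ID: <20050601222642.73089.qmail@web33704.mail.mud.yahoo.com>\n"
    "Received: from [131.111.8.97] by web33704.mail.mud.yahoo.com via HTTP;"
    " Wed, 01 Jun 2005 15:26:42 PDT\n"
    "\n"
)

# Assumption: the recipient's own servers, the only ones whose Received:
# lines the recipient can vouch for.
TRUSTED_RECEIVERS = {"cyrus-6.csi.private.cam.ac.uk", "ppsw-7.csi.cam.ac.uk"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+(\S+)(.*?)(?=\s+by\s+|\s+via\s+|;|$)", re.S)
BY_RE = re.compile(r"\bby\s+(\S+)")
PROTO_RE = re.compile(r"\b(?:with|via)\s+([A-Za-z0-9.-]+)")


@dataclass
class Hop:
    from_host: Optional[str]  # name or [ip] the connecting side presented
    from_ip: Optional[str]    # address found in the 'from' clause
    by_host: Optional[str]    # server that wrote this line
    proto: Optional[str]      # LMTP / smtp / HTTP ...
    raw: str


def parse_received(raw_headers: str) -> List[Hop]:
    """Return hops newest-first, in the order they appear in the message."""
    msg = message_from_string(raw_headers)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())      # unfold continuation lines
        if not line.startswith("from "):    # local injection, e.g. qmail
            hops.append(Hop(None, None, None, None, line))
            continue
        from_m = FROM_RE.match(line)
        by_m = BY_RE.search(line)
        proto_m = PROTO_RE.search(line)
        ip_m = IPV4.search(from_m.group(1) + from_m.group(2))
        hops.append(Hop(from_m.group(1), ip_m.group(1) if ip_m else None,
                        by_m.group(1) if by_m else None,
                        proto_m.group(1) if proto_m else None, line))
    return hops


def trace(hops: List[Hop], trusted: set) -> Tuple[List[Hop], List[Hop]]:
    """Cut the chain at the first hop not written by a trusted server.
    Everything below that cut came from machines the recipient cannot
    vouch for: it may be forged, or simply mean something else (a proxy)."""
    for i, hop in enumerate(hops):
        if hop.by_host not in trusted:
            return hops[:i], hops[i:]
    return hops, []


def furthest_verifiable_ip(hops: List[Hop], trusted: set) -> Optional[str]:
    """Last public address a trusted server saw connecting to it: the only
    origin the recipient can state as fact."""
    verified, _ = trace(hops, trusted)
    for hop in reversed(verified):
        if hop.from_ip and not ipaddress.ip_address(hop.from_ip).is_private:
            return hop.from_ip
    return None


def summarise(raw_headers: str, trusted: set) -> dict:
    hops = parse_received(raw_headers)
    verified, claimed = trace(hops, trusted)
    webmail = next((h.from_ip for h in claimed
                    if h.proto and h.proto.upper() == "HTTP"), None)
    return {"verifiable_origin": furthest_verifiable_ip(hops, trusted),
            "trust_ends_at": claimed[0].raw if claimed else None,
            "webmail_client_claimed": webmail,   # asserted by Yahoo, not by us
            "claimed_hops": len(claimed)}


if __name__ == "__main__":
    for k, v in summarise(SAMPLE_HEADERS, TRUSTED_RECEIVERS).items():
        print(f"{k}: {v}")
```

On the sample the verifiable origin is 68.142.201.201, the Yahoo webmail server that connected to the recipient's MX; the "from [131.111.8.97] ... via HTTP" line sits below the cut, so it is Yahoo's statement about the client (or, as noted above, a proxy) that reached its web interface, and the recipient can only take Yahoo's word for it.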
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
But I know for a fact that all 131.111.8.xxx are reserved for servers.

No, it's owned by Cambridge University.

Even an IP trace on 131.111.8.97 returns a server type config.

Probably because its hostname suggests it's a web proxy; what kind of 'trace' did you do?

And unless that proxy is open to the world, and if you believe the headers aren't completely forged, the mail came from someone at that school.
 

deveraux

Senior member
Mar 21, 2004
284
0
71
Due to the content of the email itself, I am convinced that the email came from a person studying at Cambridge University. I did a TJPing on that IP and that's how I found out that it was a server. I am wondering if there is any way to get the IP behind that proxy server, or is this where the trace will end and it's up to the authorities if they are willing to search through their servers and willingly give out the IP?
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Don't even bother. I had to do it for work once and I realized I was going around and around.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I did a TJPing on that IP and that's how I found out that it was a server.

Sorry for being dense, but the only tjping I could find via Google was a tool that did nothing more than ping a remote host; it doesn't give any information about its OS or purpose.

I am wondering if there is any way to get the IP behind that proxy server, or is this where the trace will end and it's up to the authorities if they are willing to search through their servers and willingly give out the IP?

The only way you'll get the internal IP is if the proxy server is configured to add it to the email, and if that were true, it would most likely be a misconfiguration that would be fixed eventually anyway. Your only recourse is to contact the authorities, but if the proxy logs don't go back far enough there might not be anything they can do either.
 

casper114

Senior member
Apr 25, 2005
814
0
0
What about using the same Spade tool and doing a whois search on that IP or the website name and then contacting the registrar about your problem? If they are harassing e-mails they may be willing to try to take care of it within their ranks. Just a suggestion, don't know if it's applicable here or not.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
What about using the same Spade tool and doing a whois search on that IP or the website name and then contacting the registrar about your problem

Seeing as how it's a school, I really doubt their registrar or upstream ISP is going to just cut them off.
 

casper114

Senior member
Apr 25, 2005
814
0
0
I didn't say cut them off, but when stuff like this is coming out of a university they always want to uphold their good name. It was just a suggestion and another route to consider going down.
 

deveraux

Senior member
Mar 21, 2004
284
0
71
Originally posted by: Nothinman
I did a TJPing on that IP and that's how I found out that it was a server.

Sorry for being dense, but the only tjping I could find via Google was a tool that did nothing more than ping a remote host; it doesn't give any information about its OS or purpose.

I am wondering if there is any way to get the IP behind that proxy server, or is this where the trace will end and it's up to the authorities if they are willing to search through their servers and willingly give out the IP?

The only way you'll get the internal IP is if the proxy server is configured to add it to the email, and if that were true, it would most likely be a misconfiguration that would be fixed eventually anyway. Your only recourse is to contact the authorities, but if the proxy logs don't go back far enough there might not be anything they can do either.

You're right. It is just a program that does remote pinging and traces the route back to the IP you are looking for. I'm sorry for not being clear earlier. I just knew that it was a server config because of the hostname itself (probably not the best way of telling).

I don't have much experience in this, hence why I am trying to learn more. However, since, as you have said, it is behind the proxy, there is no other recourse except to inform the authorities. Thank you for your help anyway.
 

Rottie

Diamond Member
Feb 10, 2002
4,795
2
81
I am curious: when I had a dial-up connection they could tell my IP address, but now that broadband is out, can they tell the IP address behind the router? I was thinking that the router does not show any true IP address?