E-mail Ip locator
Results 1 to 9 of 9

Thread: E-mail Ip locator

  1. #1

    E-mail Ip locator

    Hello Friends,

    I was wondering if it is at all possible to track down an IP of an e-mail that was send to me with a virus attached to it. Or, if at all possible, is there some sort of command or prog that can relay a IP to you of the specific e-mail IP. I know this is possible...but I want the box IP. Not the pop3, or smtp server IP. Help!

    scat
    If the scatman can do it so can you.

  2. #2
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    You should be able to gleen some info from the header....if that doesn't give you what you want, NeoTrace Pro will let you enter an email addy and pull the registant info for the email server which would give you access the the admins email addy...drop him/her a line and complain...might or might not work, but it beats doing nothing.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  3. #3
    Junior Member
    Join Date
    Jul 2003
    Posts
    24
    Are you using your own SMTP server, is this your domain ?
    if so, there are many thech's that can be used to get the IP, but if this is
    a free email address or an address that gets emails from a non-local SMTP server
    it will be a little harder...

    listening....
    Ruslan K. Abu Zant
    eReg(c) Internet Services
    http://ereg.info/ | http://gold-directory.com/ | http://xui.info/

  4. #4
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,836
    Not sure, but, In some public Emails, such as Hotmail and stuff...you can set it up so that every email that you get, it would show at the header all the information you need, such as IP, Domain and a lot of other information. Then u could get the IP address and do a Neotrace as mentioned above. I dunno if this makes much sense sorry...but i'm a hurry *at work* lol. Good Luck

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    301
    When you view the full headers of your email The Ip of the sender will be either the first or last Received From line depending on how your email program displays it. This would be the ip address you would use when you do your neotrace or other ip lookup such as AO's ip locater. The other addresses are merely stops along the way. But if need be that your email was a forged email you could use the other ip addresses to contact the admins of the server incase they have an open port that allowed the person to send you the virus.

    PeacE
    -BoB
    #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
    ($k,$n)=@ARGV;$m=unpack(H.$w,$m.\"\\0\"x$w),$_=`echo \"16do$w 2+4Oi0$d*-^1[d2%
    Sa2/d0<X+d*La1=z\\U$n%0]SX$k\"[$m*]\\EszlXx++p|dc`,s/^.|\\W//g,print pack(\'H*\'
    ,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die\"$0 [-d] k n\\n\")&~1)/2)

  6. #6
    How bout this....I got the IP from the header...but, is this IP the actual IP of this persons box. The reason I ask is this...lets say 192.168.0.2 sends a mail. The mail then goes to the router...192.168.0.1 ------- the router has a public address of 66.68.x.x ... the question is...does the header contain the 192.168.0.2 .................or the router public 'WAN' IP. Hmmmm questions questions HELP.

    scat
    If the scatman can do it so can you.

  7. #7
    Junior Member
    Join Date
    May 2003
    Posts
    3
    For consideration: many of the newer virii have their own SMTP engine and spoof addresses from the victims PAB.
    So the information may not be accurate. I had some one accuse me of having a W32 virus...I run linux.

  8. #8
    Junior Member
    Join Date
    Aug 2003
    Posts
    1

    Originating Box IP

    Many headers do contain both the IP of the originating mail server and the originating box itself. The key is to determine which is which.

    Usually you'll find them listed in something resembling this format:

    Received: from xxx.xxx.xxx.xxx (HELO hostname) by smtp.mailservername.com (xxx.xxx.xxx.xxx) with SMTP; date.date.date:time.time

    This is not guaranteed and can be spoofed but if it was sent out over a normal mailserver (not a viral server hidden on the box itself) then there's a good chance this information will allow you to find the source.

    Hope this helps!
    Mental Fitness Depends On Physical Fitness - Improve Coding With Weights!

  9. #9
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    From memory, if you download sam spade's application - www.samspage.org/ssw there is part of the ap that will examine and report on email headers.

    It will tell you if the info you are looking at is reliable

    Last time I used it I found it useful.

    Try that.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides