April 22nd, 2004, 01:06 AM
Tracing that IP to the ISP
First, before I go on, I want to say this tutorial is for the noob. Please don't flame me if you already know this because you are super l33t h4x0r. I also want to say that I take no responsibility whatsoever for any actions you take using this knowledge. Don't make false reports just to kick someone off their ISP or at least give them a bad reputation with their ISP. Or whatever else you can think of doing with this info.
Since the time I first came here, which was only about a week ago lol, I have already answered about 3 questions on this topic. For this reason I have decided to write a little tutorial on IP tracing in hopes that it will answer any more future questions on this subject. At least reduce the amount.
So now that we got that out of the way I ask you, have any of you noobs been getting spammed lately? Has anyone been emailing you threats and you want this to stop? Well, then this tutorial is just for you!
What you do is open up the unwanted email and look for an option that says something like "View Full Headers". It will be a little different depending on your email client (Outlook, Yahoo, Hotmail, etc). Once you have found the option and clicked it you should look at the email again. Notice anything different? Now there is a lot more info above the email. This is information of the sender that sent you the unwanted email. Now look for the "From:" or the "Received from:" line. There should be an IP address.
Now take that IP address and do a WHO IS search. When the results come there should be a name of the hosting company. Under the name there should be an abuse email address (ie: firstname.lastname@example.org). If there isn't an abuse email address then go to their website and look up the contact info. Sometimes if you contact email@example.com, they can take care of it.
But wait, that's not all, you should also do a "tracert" (without quotes) in the command prompt on the IP address. In one of the last 2 hops there should be another name. That is also the hosting company. Most likely it will be the same as the one you found using the WHO IS search. But sometimes they are different. This is because the hosting company you found in the WHO IS search could be basically the ISP of the ISP of whoever sent you the unwanted email. Or they own the IP address ranges that the ISP (of whoever sent you the email) uses. If this is the case, find their contact information by going to their website and send an email to them and the company you found using the WHO IS search. Be sure to send a polite email. Most likely they will ask you to send them an attachment of the unwanted email for proof.
Hope this helps and sorry for the sloppy grammar.
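The header-reading step from the post above, as an added example that is not part of the original post. It goes one step further than the post: a message carries several "Received:" lines, and only those written by your own mail provider can be trusted, so the script reports the address that handed the mail to your provider and ignores anything lower in the chain. The host names, the trusted domain `myprovider.example` and the documentation-range IPs are constructed.

```python
import email
import ipaddress
import re

# Constructed sample headers (documentation-range IPs, made-up host names).
SAMPLE = """\
Received: from mx1.myprovider.example (10.0.0.5) by store.myprovider.example; Thu, 22 Apr 2004 01:00:03 -0400
Received: from mail.sender-isp.example (unknown [203.0.113.45]) by mx1.myprovider.example; Thu, 22 Apr 2004 01:00:02 -0400
Received: from pc (dsl-7.big-bank.example [198.51.100.9]) by mail.sender-isp.example; Thu, 22 Apr 2004 01:00:01 -0400
From: someone@big-bank.example
Subject: constructed sample

body
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
# Addresses inside a provider's own network say nothing about the sender.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def hops(raw):
    """Return (by_host, peer_ip) for each Received header, newest first."""
    out = []
    for value in email.message_from_string(raw).get_all("Received", []):
        by = BY_RE.search(value)
        ip = IP_RE.search(value)
        try:
            addr = ipaddress.ip_address(ip.group(1)) if ip else None
        except ValueError:          # e.g. 999.1.1.1 in a forged header
            addr = None
        out.append((by.group(1).lower() if by else None, addr))
    return out

def handoff_ip(raw, trusted):
    """Peer IP in the lowest Received header written by a host under the
    trusted domain. Headers below that one were supplied by the sending
    side and may be forged, so they are not used."""
    found = None
    for by, addr in hops(raw):
        if by is None or not (by == trusted or by.endswith("." + trusted)):
            break                   # left the trusted chain
        if addr is not None and not any(addr in net for net in INTERNAL):
            found = addr
    return str(found) if found is not None else None

if __name__ == "__main__":
    print(handoff_ip(SAMPLE, "myprovider.example"))
```

The printed address is the one to put into the WHO IS search; the lowest header's `198.51.100.9` is ignored because the sending side wrote it.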
April 22nd, 2004, 01:39 AM
A friend of mine from school was actually receiving emails with viruses attached from a computer at my school. He tracked it down to the exact computer, updated the anti-virus software and ran it. Sure enough it had a virus. Apparently some students are checking email instead of listening in class. Anyways, he went to the IT department with his evidence and I guess they took care of it. Hopefully now they update their AV software more often. It was probably once a week at the time of the incident. If the originating IP of the email had not been from the school I go to, I'm sure it wouldn't have been possible to get to the exact computer sending the infected emails. Got lucky that time I guess. His AV software was catching the emails, but apparently this computer was sending emails in his name to other people, and I think that's what got him going on this vigilante mission. lol. Anyways, thanks for the info.
April 22nd, 2004, 02:33 AM
No problem. This info won't trace the IP right to the EXACT computer, but will trace it to their router and that's enough to get their ISP. And when someone is abusing the world's email system, an ISP is usually all you need.
April 22nd, 2004, 07:41 AM
In addition, for those in the Windows world looking for a good all in one solution, check out NeoTrace. It's now owned by McAfee (http://www.mcafeestore.com) and can be had for around 30 bucks US.... It'll do a ping trace and a whois for ya with all the contact info you probably don't want or need. Mailing abuse in retort to spam tends to be too cumbersome after a while, but in some cases it gets the job done.
As a note, I've rolled this out to a few people who confirm E-commerce orders with it, if someone is shipping to Texas but their IP traces out to Lagos... well it makes for an easier way of avoiding fraud.
I'll preach my pessimism right out loud to anyone that listens!
I'm not afraid to be alive.... I'm afraid to be alone.
April 22nd, 2004, 07:07 PM
Yes, I have heard of that program and it seems that people like it a lot. I have heard that it will show a map and it will point where in the world that email abuser is, or at least their ISP's location. But I'm poor lol, WHO IS and tracert in the command prompt is the poor man's NeoTrace lol
April 22nd, 2004, 07:13 PM
I also use an add-on to Zone Alarm that performs similarly (not against spammers though). That was an excellent tutorial -- I learned something new! Yay! Now, if only I can figure out what's with spelling words with numbers....
April 22nd, 2004, 07:20 PM
I'm glad you learned something new! Zone Alarm does come with a utility that lets you trace the IP address, but it's only for computers or hackers that are trying to connect to you. It can't help you with anything Email related. lol, I can't figure out the words with numbers thing either :P I think those "super l33t h4x0rs" like to do it though, it makes them sound so super l33t
April 22nd, 2004, 07:23 PM
Hmm...I'm gonna have to start spelling my name "J4M35" or something...So is "l33t" like a short form of "elite" or something?
Wow, goes to show how much I know about the culture! *hides face*
April 22nd, 2004, 07:30 PM
l33t 5p34k is when people substitute letters for numbers. And you're right, l33t means elite. Like l33t h4x0r = elite hacker. It's stupid though. I highly recommend you not use l33t 5p34k. If you start using it, especially on this board, you will most likely be flamed and lose respect from the community. When I said this tutorial isn't for the super l33t h4x0r, I was being sarcastic because usually only noob script kiddies flame tutorials.
April 22nd, 2004, 08:27 PM
Indeed, they just need h00k3d on ph0n1c5...
Sorry folks, goofy sense of humor today...it's the lack of sleep, really!