Hello,
Question: I have a friend that received an email from an anonymous user and would like to know if it can be traced.
Is this possible and what does it involve?
Thanks,
P.
:D
Maybe it's anonymous E-mail? Not that it's extremely dangerous but, just make sure that the site he uses checks E-mail for viruses. Also, what was the e-mail about? That may be a clue as to who sent it.
Clients do not remove or block the headers.
It's just that some don't provide a convenient way of viewing it.
In particular, in many versions of M$ Outlook, the headers can be viewed by opening the message, going to "View->Options" on the menu, and looking at the "Internet headers" section. (IIRC. If I'm wrong, someone please correct me, I don't use Outlook very often)
The ones you will be interested in are the "Received:" headers, which show the path of the message. Unfortunately it will only go as far as the IP address and/or hostname of the machine which sent it the first time. It does not identify the user who sent it.
However, if the message is illegal in your country and wasn't sent from abroad, the police will probably be able to force the ISP or institution to reveal to them (not you) logs which will determine who did send it, to prosecute them. However, unless they are the suspected ringleader of a kiddie porn syndicate, they will probably ignore it.
Also note, you can spoof anything in an email header, so that isn't a very reliable way to track an email if you are dealing with someone that knows what they are doing. It would require coordination between you, your ISP, and any other ISP that the email bounced through, which if there are a number of hops between, will probably lead to a dead end. And as slarty said, unless there are pretty serious criminal issues with the email then it will probably be a dead end to get the police to investigate it as well (which would be required to get a subpoena of an uncooperative ISP).
Try to follow the headers first, if they make no sense or don't correlate, or even if they do, contact the ISP of the originator and explain the situation, what you have, and cross your fingers. If they don't respond, you are pretty much out of luck.
/nebulus
Hi,
Thanks for the replies.
I have a copy of the email header and know it comes from somewhere in Saudi Arabia. Here is what it says:
Received: from iobf.org by hotmail .......................date and time
Received: from web20513.mail.yahoo.com [216.136.174.44] by chekov.myinternetwebhost.com.........................
Received: from [62.145.83.133] by web20513.mail.yahoo.com via HTTP ..........date and time
From: Holy Land <[email protected]>
To: (my friends email address)
Any way to trace this?
Cheers,
P. ;)
Assuming nothing was forged (maybe a bad assumption), the apparent originator I think would be 62.145.83.133, which is registered to:
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-serv...copyright.html
inetnum: 62.145.83.128 - 62.145.83.255
netname: Interglobe-Communications-GulfWeb-hawalli
descr: Head Office GulfWeb-hawalli (INTERGLOBE customer)
country: SA
admin-c: SAR3-RIPE
tech-c: OH200-RIPE
status: ASSIGNED PA
notify: [email protected]
mnt-by: AS13126-MNT
changed: [email protected] 20020522
source: RIPE
route: 62.145.83.128/25
descr: GulfWeb-hawalli (INTERGLOBE customer)
origin: AS13126
notify: [email protected]
mnt-by: AS13126-MNT
changed: [email protected] 20020522
source: RIPE
person: Saad Abdel Razek
address: 3 Rashdan St, Dokki
address: Cairo-Egypt
phone: +202-7480351
fax-no: +202-7488558
e-mail: [email protected]
nic-hdl: SAR3-RIPE
notify: [email protected]
changed: [email protected] 20020311
source: RIPE
person: Osamah Hsanain
address: P.O.Box 521-1242-Kuwait
phone: +965-9701901
fax-no: +965-9701901
e-mail: [email protected]
nic-hdl: OH200-RIPE
mnt-by: AS13126-MNT
notify: [email protected]
changed: [email protected] 20020508
source: RIPE
/nebulus
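The header reading described in the posts above, as an added example that is not part of the original thread: it lists the "Received:" hops oldest first, reports the apparent originating IP, and flags places where consecutive hops "don't correlate". The sample message is constructed (hosts and IPs follow the headers quoted above; the dates, the addresses and the `mail.hotmail.example` host are invented), and a flagged break is only a point to check, since the "from" name is whatever the sending host announced.

```python
import email
import ipaddress
import re

# Constructed sample: hosts and IPs follow the headers quoted in the thread;
# dates, addresses and the receiving hotmail host name are invented.
RAW = (
    "Received: from iobf.org by mail.hotmail.example; Mon, 1 Jul 2002 10:00:05 +0000\n"
    "Received: from web20513.mail.yahoo.com [216.136.174.44]\n"
    "\tby chekov.myinternetwebhost.com; Mon, 1 Jul 2002 10:00:03 +0000\n"
    "Received: from [62.145.83.133] by web20513.mail.yahoo.com via HTTP;\n"
    "\tMon, 1 Jul 2002 10:00:01 +0000\n"
    "From: Holy Land <sender@example.invalid>\n"
    "To: friend@example.invalid\n"
    "\n"
    "constructed body\n"
)

FROM_BY = re.compile(r"from\s+(\S+).*?\sby\s+([^\s;]+)", re.S)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Parse Received: headers into hops, oldest first (each relay prepends its own)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        names = FROM_BY.search(value)
        ip = BRACKET_IP.search(value)
        hops.append({
            "from": names.group(1).strip("[]") if names else None,
            "by": names.group(2) if names else None,
            "ip": ip.group(1) if ip else None,
        })
    return hops

def chain_breaks(hops):
    """Pairs where the host that accepted the mail is not the one named as handing it on."""
    return [(a["by"], b["from"]) for a, b in zip(hops, hops[1:])
            if a["by"] and b["from"] and a["by"].lower() != b["from"].lower()]

def apparent_origin(hops):
    """Routable IP on the oldest hop; anything below your own server's header can be forged."""
    ip = hops[0]["ip"] if hops else None
    try:
        return ip if ip and ipaddress.ip_address(ip).is_global else None
    except ValueError:  # bracketed text that is not a valid address
        return None

if __name__ == "__main__":
    chain = received_hops(RAW)
    print(chain, chain_breaks(chain), apparent_origin(chain), sep="\n")
```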
Nebulous -- How did you get all that info? Just from whois?
where/how did u find that from?? what were you using to get that info??
what eva it is me like!!
Thanks Nebulus.
As you say, some or most of the info can be forged, but I will forward this to my friend and see if he recognizes any of this.
Cheers,
P.
Traces can be made, like the others said, but be careful if you as other things can be sent the same way mail is