Hello,
Question: I have a friend that received an email from an anonymous user and would like to know if it can be traced.
Is this possible and what does it involve?
Thanks,
P.
:D
Maybe it's anonymous e-mail? Not that it's extremely dangerous, but just make sure that the site he uses checks e-mail for viruses. Also, what was the e-mail about? That may be a clue as to who sent it.
Clients do not remove or block the headers.
It's just that some don't provide a convenient way of viewing it.
In particular, in many versions of M$ Outlook, the headers can be viewed by opening the message, going to "View->Options" on the menu, and looking at the "Internet headers" section. (IIRC. If I'm wrong, someone please correct me, I don't use Outlook very often.)
The ones you will be interested in are the "Received:" headers, which show the path of the message. Unfortunately it will only go as far as the IP address and/or hostname of the machine which sent it the first time. It does not identify the user who sent it.
However, if the message is illegal in your country and wasn't sent from abroad, the police will probably be able to force the ISP or institution to reveal to them (not you) logs which will determine who did send it, to prosecute them. However, unless they are the suspected ringleader of a kiddie porn syndicate, they will probably ignore it.
Also note, you can spoof anything in an email header, so that isn't a very reliable way to track an email if you are dealing with someone that knows what they are doing. It would require coordination between you, your ISP, and any other ISP that the email bounced through, which, if there are a number of hops between, will probably lead to a dead end. And as slarty said, unless there are pretty serious criminal issues with the email, it will probably be a dead end to get the police to investigate it as well (which would be required to get a subpoena of an uncooperative ISP).
Try to follow the headers first, if they make no sense or don't correlate, or even if they do, contact the ISP of the originator and explain the situation, what you have, and cross your fingers. If they don't respond, you are pretty much out of luck.
/nebulus
Hi,
Thanks for the replies.
I have a copy of the email header and know it comes from somewhere in Saudi Arabia. Here is what it says:
Received: from iobf.org by hotmail .......................date and time
Received: from web20513.mail.yahoo.com [216.136.174.44] by chekov.myinternetwebhost.com.........................
Received: from [62.145.83.133] by web20513.mail.yahoo.com via HTTP ..........date and time
From: Holy Land <[email protected]>
To: (my friends email address)
Any way to trace this?
Cheers,
P. ;)
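An added example, not something posted in the thread, that does the Received: walk slarty and nebulus describe: it parses the chain oldest-first, reports the apparent origin, flags hops that don't correlate, and marks where the trust boundary falls. The message is constructed from the hostnames and IPs quoted above; its timestamps and the trusted-provider suffix (hotmail.com) are assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not the thread's real mail): hostnames and IPs are the ones
# quoted in the thread, the timestamps are invented.
RAW_MESSAGE = """\
Received: from iobf.org by hotmail.com with SMTP; Fri, 09 May 2003 10:15:02 -0700
Received: from web20513.mail.yahoo.com [216.136.174.44] by chekov.myinternetwebhost.com with SMTP; Fri, 09 May 2003 20:14:55 +0300
Received: from [62.145.83.133] by web20513.mail.yahoo.com via HTTP; Fri, 09 May 2003 10:14:50 PDT
From: Holy Land <sender@example.invalid>
To: friend@example.invalid
"""

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Parse the Received: headers into hops, oldest first (each relay prepends its
    own header, so the bottom one is the oldest). Hop: from_host, ip, by_host."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(str(hdr).split())  # unfold continuation lines
        frm, by, ip = FROM_RE.search(text), BY_RE.search(text), IP_RE.search(text)
        hops.append({"from_host": frm.group(1).strip("[]").lower() if frm else None,
                     "ip": ip.group(1) if ip else None,
                     "by_host": by.group(1).rstrip(";").lower() if by else None})
    return hops

def chain_gaps(hops):
    """Consecutive hops where the older hop's 'by' host is not the newer hop's 'from'
    host: the chain does not correlate, a forgery hint or a relay with two names."""
    return [(o["by_host"], n["from_host"]) for o, n in zip(hops, hops[1:])
            if o["by_host"] != n["from_host"]]

def trace(raw, trusted_by_suffixes):
    """Walk hops newest-first. A hop is reliable only while the server that wrote it
    (the 'by' host) is one you trust, e.g. your own provider; everything older was
    handed over by the sending side and may be forged, as the thread warns."""
    hops = received_hops(raw)
    reliable = []
    for hop in reversed(hops):
        if not any((hop["by_host"] or "").endswith(s) for s in trusted_by_suffixes):
            break
        reliable.append(hop)
    return {"apparent_origin": (hops[0]["ip"] or hops[0]["from_host"]) if hops else None,
            "last_trusted_from": reliable[-1]["from_host"] if reliable else None,
            "forgeable_hops": len(hops) - len(reliable),
            "gaps": chain_gaps(hops)}
```

On the sample, only the hop written by hotmail.com is vouched for; the two below it, including the 62.145.83.133 origin, come from the sending side, and the iobf.org / chekov.myinternetwebhost.com mismatch is the kind of discontinuity nebulus says to ask the ISP about.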
Assuming nothing was forged (maybe a bad assumption), the apparent originator I think would be 62.145.83.133, which is registered to:
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-serv...copyright.html
inetnum: 62.145.83.128 - 62.145.83.255
netname: Interglobe-Communications-GulfWeb-hawalli
descr: Head Office GulfWeb-hawalli (INTERGLOBE customer)
country: SA
admin-c: SAR3-RIPE
tech-c: OH200-RIPE
status: ASSIGNED PA
notify: [email protected]
mnt-by: AS13126-MNT
changed: [email protected] 20020522
source: RIPE
route: 62.145.83.128/25
descr: GulfWeb-hawalli (INTERGLOBE customer)
origin: AS13126
notify: [email protected]
mnt-by: AS13126-MNT
changed: [email protected] 20020522
source: RIPE
person: Saad Abdel Razek
address: 3 Rashdan St, Dokki
address: Cairo-Egypt
phone: +202-7480351
fax-no: +202-7488558
e-mail: [email protected]
nic-hdl: SAR3-RIPE
notify: [email protected]
changed: [email protected] 20020311
source: RIPE
person: Osamah Hsanain
address: P.O.Box 521-1242-Kuwait
phone: +965-9701901
fax-no: +965-9701901
e-mail: [email protected]
nic-hdl: OH200-RIPE
mnt-by: AS13126-MNT
notify: [email protected]
changed: [email protected] 20020508
source: RIPE
/nebulus
Nebulus -- How did you get all that info? Just from whois?
Where/how did you find that?? What were you using to get that info??
Whatever it is, me like!!
Thanks Nebulus.
As you say, some or most of the info can be forged, but I will forward this to my friend and see if he recognizes any of this. :fact
Cheers,
P. :jump
Traces can be made, like the others said, but be careful, as other things can be sent the same way mail is.
I first went to ARIN's web page and did a standard whois request off of there. I always start at ARIN because it will at least tell you what registrar that space is assigned to (whereas the others in my experience don't). It then said the space was registered with RIPE (Reseaux IP Europeens), and I issued a standard query based on the IP.
There are other things you can do to modify your query, but the reason I supplied what I did was that it provides who to contact at the ISP from which the email purports to have originated. That is who your friend would have to contact to track it further (or police or your ISP, depending on how you want to do it...)
/nebulus
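An added example, not code from the thread, of the lookup nebulus describes: ask ARIN's whois server on TCP port 43 and, when it answers with a ReferralServer line pointing at another registry (RIPE here), repeat the query there and split the RPSL answer into objects. The two sample answers are constructed (the RIPE one trimmed from the output pasted above) so the parsing runs offline; whois_query itself needs network access.

```python
import socket

# Constructed samples: RIPE part trimmed from nebulus's paste above; the ARIN line is the referral ARIN returns for space delegated to another RIR.
SAMPLE_ARIN = "ReferralServer: whois://whois.ripe.net\n"
SAMPLE_RIPE = """\
% This is the RIPE Whois server.
inetnum:      62.145.83.128 - 62.145.83.255
netname:      Interglobe-Communications-GulfWeb-hawalli
admin-c:      SAR3-RIPE
source:       RIPE

route:        62.145.83.128/25
origin:       AS13126
source:       RIPE
"""

def whois_query(server, query, timeout=10):
    """RFC 3912: connect to TCP port 43, send one query line, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode())
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def referral_server(text):
    """Hostname from a 'ReferralServer: whois://host[:port]' line, or None."""
    for line in text.splitlines():
        if line.lower().startswith("referralserver:"):
            return line.split(":", 1)[1].strip().replace("whois://", "", 1).split(":")[0]
    return None

def parse_rpsl(text):
    """Blank-line separated 'key: value' objects; '%' lines are server comments."""
    objects, cur = [], {}
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if cur:
                objects.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip(), []).append(val.strip())
    return objects + ([cur] if cur else [])

def lookup(ip, query=whois_query):
    """Start at ARIN, as nebulus did, and follow one referral to the RIR holding the block."""
    text = query("whois.arin.net", ip)
    ref = referral_server(text)
    return ref, parse_rpsl(query(ref, ip) if ref else text)
```

The admin-c / tech-c handles in the first object are the contacts nebulus points at; query them the same way (`whois_query("whois.ripe.net", "SAR3-RIPE")`) to get the person objects he pasted.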
What about a mailer?
Just figured I'd put this link up. It's about reading e-mail headers. Explains pretty well.
www.stopspam.org/email/headers/headers.html
What I actually meant was an independent mailer program on the web. Sorry, I have no examples as they are illegal.
Look at the raw email. If you're using Outlook Express, right click on the email and click Properties, then go over to the 2nd tab. If it was sent by an "anon email" application, you can find the IP of the person, i.e.:
Quote: Originally posted here by dontpanic
Hello,
Question: I have a friend that received an email from an anonymous user and would like to know if it can be traced.
Is this possible and what does it involve?
Thanks,
P.
:D
Received from: dumbho.st [1.2.3.4]
what is ARIN?
ARIN is a database of domain names and their respective owners. More specifically, whois.arin.net.
Here is what the ARIN database has to say about AO:
[root@hax0r]#whois -h whois.arin.net www.antionline.com
Registrant:
Jupitermedia Corporation (ANTIONLINE2-DOM)
23 Old Kings Highway S.
Darien, CT 06820
US
Domain Name: ANTIONLINE.COM
Administrative Contact, Technical Contact:
Jupitermedia Corporation (ZFBKBPQRAO) [email protected]
23 Old Kings Highway S.
Darien, CT 06820
US
203-662-2800
Record expires on 04-Sep-2005.
Record created on 05-Sep-1997.
Database last updated on 16-Jun-2004 06:28:46 EDT.
Domain servers in listed order:
NS1.INTERNET.COM 63.236.72.133
NS3.INTERNET.COM 63.236.72.135
PS, if you look closely at this thread, it is over a year old. Blinking dates indicate that the thread is old and it is generally understood that no further posts will be made. Since you are new, I answered your question even though, technically, this thread is dead.
--TH13
lovebugz
When the dates are flashing on a thread, that indicates that the thread is old. Try not to reopen threads that are this old (5-11-2003).
Google is packed with a wealth of information, and to access this bank of knowledge, type in www.google.com and then enter your question. Here's the very first link that turned up after entering ARIN in the search engine.
http://www.arin.net/
It means: American Registry for Internet Numbers
cheers
edit: guess I'll just have to type faster theHorse :D
thankz u guys all
Lovebugs, Welcome to AO! :)
As an afterthought, a great, and often recommended, site for use of ARIN, whois, etc...
Try- www.samespade.org
It is a nice test drive, and a great Web Tool.
Good luck, have a great weekend!
:cool:
Edit: Kudos to Horse and Rey for not flaming a thread resurrection. :p