Help.. to find out who sent me e-mail

+
0 Votes
Locked

dwillis
I need to know how I can determine where an e-mail came from. I know about the ctl then F3, in Outlook Express, and that is what I have. However, I do not know how to read it and do not know if it can tell me where it came from. Can anybody out there help me? This was a stalker... who then started sending e-mails to friends. It came from a made up YAHOO acct.
Please help me if you can. Any advice would be greatly appreciated.
Thanks.
+
0 Votes
Ken Wolf

Are you able to view the header information for the e-mail? Can you copy and paste the information in a reply? If so, we can probably tell you at least what IP address it originated from. The e-mail address can be spoofed but not the originating IP address. With the IP information you can determine who (ISP or company) owns the address. That will give you the information you are looking for.

+
0 Votes
dwillis

Return-Path: <iknowitried@yahoo.com>

Thanks for the help

+
0 Votes
Ken Wolf

I have pasted a sample of the header information I was referring to. This is from Yahoo web mail. I believe you said you were using Outlook Express as your e-mail client? If I remember correctly you can right click on the e-mail and from the context menu select to view header information. Or you may have to go to Options to turn on viewing of headers.
I've changed IP and domain name information :-)

If you read through the header you will see a line Received: from XXX.XXX.XXX.XXX (HELO Exchange.somedomain.net) (XXX.XXX.XXX.XXX) by mta449.mail.mud.yahoo.com with SMTP; Thu, 24 May 2007 07:29:31 -0700
This is the information you are looking for...

X-Apparently-To: ken_wolfXX@yahoo.com via 69.147.97.129; Thu, 24 May 2007 07:29:31 -0700
X-YahooFilteredBulk: XXX.XXX.XXX.XXX
X-Originating-IP: [XXX.XXX.XXX.XXX]
Return-Path: <kenw@somedomeain.com>
Authentication-Results: mta449.mail.mud.yahoo.com from=soomedomain.com; domainkeys=neutral (no sig)
Received: from XXX.XXX.XXX.XXX (HELO Exchange.somedomain.net) (XXX.XXX.XXX.XXX) by mta449.mail.mud.yahoo.com with SMTP; Thu, 24 May 2007 07:29:31 -0700
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C79E0C.21C42BCD"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: a test message
Date: Thu, 24 May 2007 10:02:14 -0400
Message-ID: <D37ED1680A39A54C8B8D73DE31B3A3C401A7584C@SLH-EXCH.southland.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: a test message
Thread-Index: AceeDCCj0M//zitoRdSsO+1uN9yRJw==
From: "Ken Wolf" <KenW@somedomain.com>
To: ken_wolfXX@yahoo.com
Content-Length: 3611

+
0 Votes
perezy69

Hello Ken
How are you? Someone hacked my Yahoo and I would like to know the IP and all the details.
Expecting your reply, so that we could do more business together.
Cheers

+
0 Votes
Ken Wolf

Hello,
Sorry for the long delay in replying. If I understand your request, you are trying to find out the IP address of a particular person sending you email?
We should be able to at least determine the address of the server that was used to send the email. With that information you can find out who to contact and get information about the e-mail account.
If you still have the e-mail(s), can you post the header information as described earlier?

+
0 Votes
chrisray169

X-Message-Info: JGTYoYF78jEHjJx36Oi8+Z3TmmkSEdPt3Mi6GgUSv7yYKHQgGfDe+2wCW4LegkYQqypIHu4uP4o=
Received: from bay0-omc3-s1.bay0.hotmail.com ([65.54.246.201]) by bay0-imc3-s26.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
 Thu, 25 Oct 2007 13:06:13 -0700
Received: from BLU106-W18 ([10.6.57.53]) by bay0-omc3-s1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
 Thu, 25 Oct 2007 13:05:46 -0700
Message-ID: <BLU106-W18C6D3B7DE3DB6201C8CC0A8950@phx.gbl>
Return-Path: yankeesfoxx@hotmail.com
Content-Type: multipart/alternative;
 boundary="_9220b99c-d8d8-4731-9131-03562687f160_"
X-Originating-IP: [72.87.127.158]
From: Blah Blah <yankeesfoxx@hotmail.com>
To: Christine Warren <soxxfoxx@hotmail.com>
Subject: RE: CHEAP **** & LOOOSERRR
Date: Thu, 25 Oct 2007 14:05:45 -0600
Importance: Normal
In-Reply-To: <BAY118-W35A822FDBBFA2F1D4F3F4DDA940@phx.gbl>
References: <BLU116-W330A2C7D8B14ACE51B660AA8940@phx.gbl>
 <BAY118-W155249CC9C5577F90873DDA940@phx.gbl>
 <BLU106-W60C6D3F9A79A4A5A44944FA8940@phx.gbl>
 <BAY118-W35A822FDBBFA2F1D4F3F4DDA940@phx.gbl>
MIME-Version: 1.0
X-OriginalArrivalTime: 25 Oct 2007 20:05:46.0135 (UTC) FILETIME=[6E07E270:01C81742]

+
0 Votes
Ken Wolf

chrisray
I would suggest downloading a utility called Sam Spade that will help assist you in parsing the header. Here is a link to download from PC World:
http://www.pcworld.com/downloads/file/fid,4709-order,1-page,1-c,alldownloads/description.html
Or you can do a search on Google for "sam spade software" for other links.
As best as I can tell the e-mail originated from a computer named BLU106-W18 with an internal IP address of 10.6.57.53. I was able to validate the e-mail address yankeesfoxx@hotmail.com. That e-mail address does exist. The IP address the e-mail was sent from (72.87.127.158) is part of the IP block owned by Verizon, which might be useful to know if you want to file an abuse complaint.
Here are a couple of links for on-line header parsing utilities that might be of use:
http://emailtrackerpro.visualware.com/
http://www.levinecentral.com/mail_parse/default.aspx
http://www.geobytes.com/SpamLocator.htm
The first one at emailtrackerpro will let you run one trace for free. I waited awhile and traced your header and it let me do it a second time, so there must be a timeout before you can run another.
Hope some of this is helpful. I would recommend getting the Sam Spade software and pasting your header into it and see what it comes up with.
Best of luck
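
The header reading described in the answers above, as an added example that is not part of the original thread: it walks the Received hops oldest-first, separates internal (RFC 1918) addresses from public ones, and reports the provider-stamped X-Originating-IP when present. The sample header is constructed with documentation-range addresses; `trace` and `is_internal` are names chosen for this example.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample header (documentation-range addresses, not from the thread).
SAMPLE = """\
Received: from mx-out.example.net ([198.51.100.7]) by mx-in.example.org with SMTP;
 Thu, 25 Oct 2007 13:06:13 -0700
Received: from CLIENT-PC ([10.6.57.53]) by mx-out.example.net with SMTP;
 Thu, 25 Oct 2007 13:05:46 -0700
X-Originating-IP: [203.0.113.45]
From: Sender <sender@example.net>
To: Recipient <recipient@example.org>
Subject: constructed test message

body
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Explicit RFC 1918 list: ipaddress.is_private would also flag the
# documentation ranges used in the sample above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True for loopback or RFC 1918 addresses, which say nothing about the ISP."""
    return ip.is_loopback or any(ip in net for net in RFC1918)

def _ips(text):
    """Return the valid IPv4 addresses found in text, in order of appearance."""
    found = []
    for token in IP_RE.findall(text):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:      # e.g. 999.1.1.1 matches the regex but is not an IP
            pass
    return found

def trace(raw):
    """Walk Received hops oldest-first and pick the most likely origin address."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        sender_side = str(value).split(" by ", 1)[0]   # ignore the receiving host
        hops.append([(str(ip), is_internal(ip)) for ip in _ips(sender_side)])
    xoip = [str(ip) for ip in _ips(str(msg.get("X-Originating-IP", "")))]
    public = [ip for hop in hops for ip, internal in hop if not internal]
    # Prefer the provider-stamped header; otherwise the earliest public hop.
    origin = xoip[0] if xoip else (public[0] if public else None)
    return {"hops": hops, "x_originating_ip": xoip, "origin": origin}
```

Only the hops stamped by the receiving provider's own servers are recorded by a party the recipient can rely on; the resulting address identifies an ISP or company to send an abuse report to, not a person.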

+
0 Votes
sgt_shultz

www.microsoft.com has a pretty good read about what to do if victim of phishing or other email attack. I bet yahoo.com has also.
we can see plenty in what you posted, but not what you seek.
Please edit your post and remove the header stuff you pasted in or you are gonna have spam AND stalkers.
If you wish to pursue this, contact in this order: the police, Yahoo.com. they will direct you to sites where you can make additional complaints.
Do not respond at all to unfamiliar emails.
Save the email(s), print it out. Start making notes with dates etc.

+
0 Votes
dwillis

Thank you

+
1 Votes
samaneh32

hi ,
i have the same problem now, someone has sent my contacts some emails from the fake id like my hotmail id, i wanna know where is it sending from , please help me.

regards,

samaneh

+
0 Votes

You probably should have started a new Q&A, as this one is over 5 years old.
In the meantime, change your email password in case someone did gain
access to your accounts.
Wizard57M-CNet
TR Moderator

+
0 Votes
samaneh32

yes i just faced this problem and also i changed my password.
but now i have to know the location where those emails were being sent , it is some kind of law matter now.
i would appreciate if u help me.

+
0 Votes

samaneh,
follow the links provided in the answers above. If your situation now
involves a legal action, I suggest you find appropriate legal counsel.
Wiz
Wizard57M
TR Moderator

+
0 Votes
seanferd

That sounds more like you had a system infected with malware. The mail would then be sent from potentially any bot (compromised computer) in the botnet.

Further for anyone wanting to find this information: What do you expect to do with it? You either have a legal issue or a malware problem, neither of which can be solved by you finding the IP address of the sender at that time.

+
0 Votes
samaneh32

it would be helpful if i give u the header of that sender, and check the location if possible,
it is not that much legal matter now, i just wanna prove things to my manager.
that would be great if u do this for me.

+
0 Votes
seanferd

static-72-87-127-158.prvdri.fios.verizon.net (Providence, RI)
The x-originating IP is static, so take that to the law now. And/or the abuse department at Verizon. (There should be a valid abuse@verizon.net mail address, but you can't always count on it.)