Help.. to find out who sent me e-mail

+
0 Votes
Locked

dwillis
I need to know how I can determine where an e-mail came from. I know about the Ctrl then F3 in Outlook Express, and that is what I have. However, I do not know how to read it and do not know if it can tell me where it came from. Can anybody out there help me? This was a stalker... who then started sending e-mails to friends. It came from a made-up Yahoo acct.
Please help me if you can. Any advice would be greatly appreciated.
Thanks.
  • +
    0 Votes
    Ken Wolf

    Are you able to view the header information for the
    e-mail? Can you copy and paste the information in a
    reply? If so, we can probably tell you at least what IP
    address it originated from. The e-mail address can be
    spoofed but not the originating IP address. With the
    IP information you can determine who (ISP or
    company) owns the address. That will give you the
    information you are looking for.

    +
    0 Votes
    dwillis

    Return-Path: <iknowitried@yahoo.com>

    Thanks for the help

    +
    0 Votes
    Ken Wolf

    I have pasted a sample of the header information I was referring to. This is from Yahoo web mail. I believe you said you were using Outlook Express as your e-mail client? If I remember correctly, you can right-click on the e-mail and from the context menu select to view header information. Or you may have to go to Options to turn on viewing of headers.
    I've changed IP and domain name information :-)

    If you read through the header you will see a line Received: from XXX.XXX.XXX.XXX (HELO Exchange.somedomain.net) (XXX.XXX.XXX.XXX) by mta449.mail.mud.yahoo.com with SMTP; Thu, 24 May 2007 07:29:31 -0700
    This is the information you are looking for...

    X-Apparently-To: ken_wolfXX@yahoo.com via 69.147.97.129; Thu, 24 May 2007 07:29:31 -0700
    X-YahooFilteredBulk: XXX.XXX.XXX.XXX
    X-Originating-IP: [XXX.XXX.XXX.XXX]
    Return-Path: <kenw@somedomeain.com>
    Authentication-Results: mta449.mail.mud.yahoo.com from=soomedomain.com; domainkeys=neutral (no sig)
    Received: from XXX.XXX.XXX.XXX (HELO Exchange.somedomain.net) (XXX.XXX.XXX.XXX) by mta449.mail.mud.yahoo.com with SMTP; Thu, 24 May 2007 07:29:31 -0700
    Content-class: urn:content-classes:message
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C79E0C.21C42BCD"
    X-MimeOLE: Produced By Microsoft Exchange V6.5
    Subject: a test message
    Date: Thu, 24 May 2007 10:02:14 -0400
    Message-ID: <D37ED1680A39A54C8B8D73DE31B3A3C401A7584C@SLH-EXCH.southland.net>
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    Thread-Topic: a test message
    Thread-Index: AceeDCCj0M//zitoRdSsO+1uN9yRJw==
    From: "Ken Wolf" <KenW@somedomain.com>
    To: ken_wolfXX@yahoo.com
    Content-Length: 3611

    +
    0 Votes
    perezy69

    Hello Ken
    How are you? Someone hawk my Yahoo and I will like to know the IP and all the details.
    Expecting your reply, so that we could do more business together.
    Cheers

    +
    0 Votes
    Ken Wolf

    Hello,
    Sorry for the long delay in replying. If I understand your request, you are trying to find out the IP address of a particular person sending you email?
    We should be able to at least determine the address of the server that was used to send the email. With that information you can find out who to contact and get information about the e-mail account.
    If you still have the e-mail(s), can you post the header information as described earlier?

    +
    0 Votes
    chrisray169

    X-Message-Info: JGTYoYF78jEHjJx36Oi8+Z3TmmkSEdPt3Mi6GgUSv7yYKHQgGfDe+2wCW4LegkYQqypIHu4uP4o=
    Received: from bay0-omc3-s1.bay0.hotmail.com ([65.54.246.201]) by bay0-imc3-s26.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
    Thu, 25 Oct 2007 13:06:13 -0700
    Received: from BLU106-W18 ([10.6.57.53]) by bay0-omc3-s1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
    Thu, 25 Oct 2007 13:05:46 -0700
    Message-ID: <BLU106-W18C6D3B7DE3DB6201C8CC0A8950@phx.gbl>
    Return-Path: yankeesfoxx@hotmail.com
    Content-Type: multipart/alternative;
    boundary="_9220b99c-d8d8-4731-9131-03562687f160_"
    X-Originating-IP: [72.87.127.158]
    From: Blah Blah <yankeesfoxx@hotmail.com>
    To: Christine Warren <soxxfoxx@hotmail.com>
    Subject: RE: CHEAP **** & LOOOSERRR
    Date: Thu, 25 Oct 2007 14:05:45 -0600
    Importance: Normal
    In-Reply-To: <BAY118-W35A822FDBBFA2F1D4F3F4DDA940@phx.gbl>
    References: <BLU116-W330A2C7D8B14ACE51B660AA8940@phx.gbl>
    <BAY118-W155249CC9C5577F90873DDA940@phx.gbl>
    <BLU106-W60C6D3F9A79A4A5A44944FA8940@phx.gbl>
    <BAY118-W35A822FDBBFA2F1D4F3F4DDA940@phx.gbl>
    MIME-Version: 1.0
    X-OriginalArrivalTime: 25 Oct 2007 20:05:46.0135 (UTC) FILETIME=[6E07E270:01C81742]

    +
    0 Votes
    Ken Wolf

    chrisray
    I would suggest downloading a utility called Sam Spade that will assist you in parsing the header. Here is a link to download from PC World:
    http://www.pcworld.com/downloads/file/fid,4709-order,1-page,1-c,alldownloads/description.html
    Or you can do a search on Google for "sam spade software" for other links.
    As best as I can tell the e-mail originated from a computer named BLU106-W18 with an internal IP address of 10.6.57.53. I was able to validate the e-mail address yankeesfoxx@hotmail.com. That e-mail address does exist. The IP address the e-mail was sent from (72.87.127.158) is part of the IP block owned by Verizon, which might be useful to know if you want to file an abuse complaint.
    Here are a couple of links for on-line header parsing utilities that might be of use:
    http://emailtrackerpro.visualware.com/
    http://www.levinecentral.com/mail_parse/default.aspx
    http://www.geobytes.com/SpamLocator.htm
    The first one at emailtrackerpro will let you run one trace for free. I waited awhile and traced your header and it let me do it a second time, so there must be a timeout before you can run another.
    Hope some of this is helpful. I would recommend getting the Sam Spade software and pasting your header into it and see what it comes up with.
    Best of luck
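
An added example, not part of the thread or any poster's code: a small Python parse of the header chrisray169 posted above, reading the Received chain oldest-first and labelling each bracketed address as private or public. The names `trace`, `scope` and the two regular expressions are this example's own.

```python
import ipaddress
import re
from email import message_from_string

# Header lines copied from the post above, trimmed to the fields used here;
# continuation lines are re-indented so they parse as folded headers.
SAMPLE = """\
Received: from bay0-omc3-s1.bay0.hotmail.com ([65.54.246.201]) by bay0-imc3-s26.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
\tThu, 25 Oct 2007 13:06:13 -0700
Received: from BLU106-W18 ([10.6.57.53]) by bay0-omc3-s1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
\tThu, 25 Oct 2007 13:05:46 -0700
X-Originating-IP: [72.87.127.158]
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # [a.b.c.d]
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)  # from X ... by Y


def scope(ip):
    """Label an address as private (internal ranges) or publicly routable."""
    try:
        return "private" if ipaddress.ip_address(ip).is_private else "public"
    except ValueError:
        return "invalid"


def trace(raw):
    """Return (hops, origin); hops are ordered oldest-first."""
    msg = message_from_string(raw)
    hops = []
    # Every relay prepends its own Received line, so the oldest hop is last.
    for line in reversed(msg.get_all("Received", [])):
        hop, ip = HOP_RE.search(line), IP_RE.search(line)
        if hop and ip:
            hops.append((hop.group(1), ip.group(1), scope(ip.group(1)), hop.group(2)))
    found = IP_RE.search(msg.get("X-Originating-IP", ""))
    origin = (found.group(1), scope(found.group(1))) if found else None
    return hops, origin


if __name__ == "__main__":
    hops, origin = trace(SAMPLE)
    for sender, ip, kind, receiver in hops:
        print(f"{sender} [{ip}, {kind}] -> {receiver}")
    print("X-Originating-IP:", origin)
```

Received lines stamped by your own provider's servers are the dependable part of the chain; lines below the first of those are supplied by the sending side and should be read as claims, not facts.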

    +
    0 Votes
    sgt_shultz

    www.microsoft.com has a pretty good read about what to do if victim of phishing or other email attack. I bet yahoo.com has also.
    We can see plenty in what you posted, but not what you seek.
    Please edit your post and remove the header stuff you pasted in or you are gonna have spam AND stalkers.
    If you wish to pursue this, contact in this order: the police, Yahoo.com. They will direct you to sites where you can make additional complaints.
    Do not respond at all to unfamiliar emails.
    Save the email(s), print it out. Start making notes with dates etc.

    +
    0 Votes
    dwillis

    Thank you

    +
    1 Votes
    samaneh32

    Hi,
    I have the same problem now, someone has sent my contacts some emails from the fake id like my hotmail id, I wanna know where is it sending from, please help me.

    regards,

    samaneh

    +
    0 Votes

    You probably should have started a new Q&A, as this one is over 5 years old.
    In the meantime, change your email password in case someone did gain
    access to your accounts.
    Wizard57M-CNet
    TR Moderator

    +
    0 Votes
    samaneh32

    Yes, I just faced this problem and also I changed my password.
    But now I have to know the location where those emails were being sent, it is some kind of law matter now.
    I would appreciate if u help me.

    +
    0 Votes

    samaneh,
    follow the links provided in the answers above. If your situation now
    involves a legal action, I suggest you find appropriate legal counsel.
    Wiz
    Wizard57M
    TR Moderator

    +
    0 Votes
    seanferd

    That sounds more like you had a system infected with malware. The mail would then be sent from potentially any bot (compromised computer) in the botnet.

    Further for anyone wanting to find this information: What do you expect to do with it? You either have a legal issue or a malware problem, neither of which can be solved by you finding the IP address of the sender at that time.

    +
    0 Votes
    samaneh32

    It would be helpful if I give u the header of that sender, and check the location if possible,
    it is not that much legal matter now, I just wanna prove things to my manager.
    That would be great if u do this for me.

    +
    0 Votes
    seanferd

    static-72-87-127-158.prvdri.fios.verizon.net (Providence, RI)
    The x-originating IP is static, so take that to the law now. And/or the abuse department at Verizon. (There should be a valid abuse@verizon.net mail address, but you can't always count on it.)
