Kuro5hin.org: technology and culture, from the trenches
Finding the location, identity, or affiliation of email senders

By shinyobject in Internet
Fri Sep 30, 2005 at 12:11:03 PM EST
Tags: Internet (all tags)

Thanks to wireless networks, internet cafes, and web mail, it is now common to send email from just about anywhere. So, where was that friend, coworker, or stalker when she sent that message last night, and what else can we learn about her? Using simple techniques and a few well known, but often-overlooked email headers and internet tools, it's often easy to find out.

Likewise, the email you send may also include your location and school or employer, even if sent from a personal account. Do you or should you care?


Why care?

In general, you probably don't or shouldn't care where people are when they send mail. But other times it might be nice to know. What if you received a message like this one:

From: Bill
Subject: I've taken the cash and left town

See you never! Ha ha!

Well, you'll probably never get one like that, but maybe there's one of these in your inbox:

From: Jeff
Subject: Still stuck in Chicago

These meetings are taking forever. I'll need to stay all week.

Obviously that one is from Chicago, right? But who is your "Secret Satan"?

From: Secret Satan
Subject: It is time

Guess who!

How about this next person: is she really an Apple insider?

From: Alice
Subject: Details on the new Wi-Fi iPod

Are you interested?

And is this next anonymous source real?

From: Informant
Subject: The new iPod causes hurricanes

Apple is staging a massive cover-up! Warn your readers!

Although most of us don't operate a hot rumor site, we may nevertheless like to know what is hiding in the email we send and receive, and whether it matters to us. These fake messages are a little contrived, but they help us to consider the situations in which a little information can reveal a lot about a sender, using one of a few simple techniques.

Okay, okay, I care. Where are these people?

First you need to find the full message headers. If you don't know how to do this, just search for "<mail client> message headers" (e.g. "outlook message headers" or "yahoo message headers"). The headers should look something like this:

Received: from 66.163.179.137 (HELO web35513.example.com) (66.163.179.137)
by mta160.example.com with SMTP; Sun, 25 Sep 2005 05:52:35 -0700
Received: (qmail 98625 invoked by uid 60001); 25 Sep 2005 12:52:34 -0000
Received: from [216.99.217.141] by web32706.example.com via HTTP; Sun, 25 Sep 2005 05:52:34 PDT
Message-ID: <2005091234232423@example.com>
Date: Sun, 25 Sep 2005 05:52:34 -0700 (PDT)
From: Bill <sender@example.com>
Subject: I've taken the cash and left town
To: Ted <you@example.com>

Now find the line furthest from the top that starts with "Received:". In this example it is the third "Received:" line:

Received: from [216.99.217.141] by web32706.example.com via HTTP; Sun, 25 Sep 2005 05:52:34 PDT

The "received" header usually has a "from" section and a "by" section. The "from" shows which machine is sending the message, and the "by" shows which machine is accepting it. In this case, the "from" machine most likely belongs to the sender, while the "by" machine belongs to their ISP. If you can't find a "from", then this technique won't work.

Next you need to find the IP address in the "from" part. This will be a series of four numbers separated by periods; in the line above it is 216.99.217.141.

Sometimes there might be other information on the "received" line, but the "from" IP address should still be easy to spot:

Received: from mobile (c-67-176-46-122.hsd1.co.comcast.net[67.176.46.122])
by comcast.net (sccrmhc12) with SMTP
id <2005023423523rfw34>; Wed, 21 Sep 2005 20:12:33 +0000

Email generated by viruses and spammers will typically include false headers and other misleading information. Dissecting those headers is much more complex and is covered in greater detail elsewhere. However, for most normal personal mail, the simple technique described above is sufficient to find the originating IP address. The following examples demonstrate several different ways in which this IP address can be used to surmise the sender's location, identity, or affiliation.

A reverse DNS lookup will find the host name associated with the IP address. This will typically reveal who the user's ISP or employer is. There are many websites that offer free reverse DNS lookup. Continuing with the example, we see that the IP address "216.99.217.141" has the host name "216-99-217-141.dsl.aracnet.com". This tells you that the sender has DSL internet access from aracnet.com.

But you really wanted to find the user's location, not whether they use DSL. Luckily for you, there are also websites that will try to determine the geographic location of an IP address. One such site shows that "216.99.217.141" is located in Portland, Oregon. So thanks to Bill's IP address, we have a pretty good idea of where he went with the money. These tools are not perfect, so it is sometimes helpful to get a second opinion from another lookup site.

Of course Portland is a pretty big place. It would be nice to narrow things down a little further. This is not as easy, but sometimes it is possible. Perhaps you know some of Bill's friends in Portland. If you received email from them in the past, then you might have the IP addresses of their computers. Maybe you find this message that Steve sent last week:

Received: from [216.99.217.141] by web32706.example.com via HTTP; Wed, 28 Sep 2005 03:54:11 PDT
From: Steve <steve@example.com>
Subject: things
To: Ted <you@example.com>

It was sent from the same IP address (216.99.217.141) as Bill's message! Bill most likely used Steve's computer to send the message. Now you know where to look for Bill.

Most home computers have temporary IP addresses, but with "always on" internet access, such as DSL and cable, "temporary" IP addresses can last for weeks or months. This is why the message that Bill sent using Steve's computer is likely to include the same IP address as the message that Steve sent using his computer last week.

Even when you can't discover exactly which computer was used to send the message, just knowing the city or even country could be enlightening. Let's move on to the second example email and take a look at the appropriate "received" header.

Received: from [81.66.12.180] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Jeff <jeff@example.com>
Subject: Still stuck in Chicago

These meetings are taking forever. I'll need to stay all week.

A geographic lookup on "81.66.12.180" shows that this message was most likely sent from Paris, France! No wonder Jeff is going to stay all week.

Can IP location help unmask the Secret Satan?

Received: from [81.66.66.66] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Secret Satan <secret@example.com>
Subject: It is time

Guess who!

The "anonymous" Secret Satan is likely someone you know, so search the headers of your old mail for his IP address, "81.66.66.66". You may find a message like this:

Received: from [81.66.66.66] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:11:52 PDT
From: Chris <chris@example.com>
Subject: Let's meet at noon

See you then

As in the first example, this shows that Chris is sharing a computer or internet connection with Secret Satan. They aren't necessarily the same person, but it's a good lead, and Secret Satan is a lot less anonymous.

Sometimes you may be more interested in the information returned by the reverse DNS lookup. This could be the case with the third example message.

Received: from [17.255.100.112] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Alice <alice@example.com>
Subject: Details on the new Wi-Fi iPod

Are you interested?

Is Alice in a position to know anything about a new Apple product? A reverse DNS lookup on "17.255.100.112" returns "A17-255-100-112.apple.com". The message appears to have been sent from inside of Apple! This can happen even if Alice used a public webmail system and not Apple's email.

How about the other iPod email?

Received: from [207.46.125.17] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Informant <informant@example.com>
Subject: The new iPod causes hurricanes

Apple is staging a massive cover-up! Warn your readers!

A reverse DNS lookup on "207.46.125.17" returns "tide17.microsoft.com". I'm suspicious. But what if this "informant" was a little less obvious and instead sent the email using his home computer?

Received: from [24.16.89.112] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Informant <informant@example.com>
Subject: The new iPod causes hurricanes

Apple is staging a massive cover-up! Warn your readers!

A geographic lookup says that "24.16.89.112" is in Bellevue, Washington, just down the street from Microsoft, so I would still suspect a connection.

Does this technique always work?

No. Some email providers do not include the sender's IP address in the email headers. Even if they do, the sender may be accessing the internet through an anonymizer, such as Tor. It is also possible to confuse the process of finding the correct "received" header by including fake "received" headers. This tactic is very common among spammers, but very rare in normal email. Even when you do get the sender's IP address, the geographic lookup can sometimes return the wrong location.

It is also possible that you will bump into an internal host or IP address that is part of a private network. In these cases you will need to examine the "received" headers closer to the top of the message. However, you will generally only see this in corporate email, in which case the organizational affiliation is already obvious and the geographic location would correspond to the corporate email servers, not the user.
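As an added illustration (not code from the article), here is the header-walking procedure from the "Where are these people?" section, together with the private-network caveat just described, written as a small Python script using only the standard library. The sample header blocks are constructed for the example and reuse the IP addresses from the article; the 10.0.0.5 internal hop, the mail.corp.example gateway and the mx.example.com relay are invented to show the corporate case. originating_ip walks the "Received:" headers from the bottom up and returns the first public "from" address, skipping hops that have no "from" clause and hops that show only private or reserved addresses. senders_sharing_ip does the old-mail search that unmasked Secret Satan: it reports which other messages in a mailbox originated from the same address.

```python
import ipaddress
import re
import socket
from email.parser import HeaderParser

# Matches a dotted IPv4 address that is not part of a longer dotted token.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_hops(raw_headers):
    """Return the Received: values in the order they appear (top first),
    with header line folding collapsed to single spaces."""
    msg = HeaderParser().parsestr(raw_headers)
    return [re.sub(r"\s+", " ", v).strip() for v in msg.get_all("Received", [])]


def from_ip(received_value):
    """Extract the first public IPv4 address from the 'from ...' clause of one
    Received: value. Returns None when there is no 'from' clause or when only
    private/reserved addresses (an internal hop) appear in it."""
    m = re.match(r"from (.*?)(?: by |;|$)", received_value, re.IGNORECASE)
    if not m:
        return None
    for candidate in IPV4.findall(m.group(1)):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.2.3 matches the regex but is not an address
            continue
        if addr.is_global:  # skips 10/8, 172.16/12, 192.168/16, loopback, etc.
            return candidate
    return None


def originating_ip(raw_headers):
    """Walk the Received: headers from the bottom (earliest hop) upwards and
    return the first public 'from' address, or None if there is none."""
    for hop in reversed(received_hops(raw_headers)):
        ip = from_ip(hop)
        if ip is not None:
            return ip
    return None


def senders_sharing_ip(mailbox, target_from):
    """Locate the message whose From: equals target_from and return its
    originating IP plus the From: of every other message with the same IP."""
    parsed = [(HeaderParser().parsestr(raw)["From"], originating_ip(raw)) for raw in mailbox]
    ip = next((addr for sender, addr in parsed if sender == target_from), None)
    if ip is None:
        return None, []
    return ip, [sender for sender, addr in parsed if addr == ip and sender != target_from]


def reverse_dns(ip):
    """Reverse DNS lookup (needs network access); None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


# Constructed sample headers; IP addresses are the ones used in the article.
BILL = """Received: from 66.163.179.137 (HELO web35513.example.com) (66.163.179.137)
  by mta160.example.com with SMTP; Sun, 25 Sep 2005 05:52:35 -0700
Received: (qmail 98625 invoked by uid 60001); 25 Sep 2005 12:52:34 -0000
Received: from [216.99.217.141] by web32706.example.com via HTTP; Sun, 25 Sep 2005 05:52:34 PDT
From: Bill <sender@example.com>
Subject: I've taken the cash and left town
"""
STEVE = """Received: from [216.99.217.141] by web32706.example.com via HTTP; Wed, 28 Sep 2005 03:54:11 PDT
From: Steve <steve@example.com>
Subject: things
"""
SATAN = """Received: from [81.66.66.66] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:12:52 PDT
From: Secret Satan <secret@example.com>
Subject: It is time
"""
CHRIS = """Received: from [81.66.66.66] by web32706.example.com via HTTP; Wed, 28 Sep 2005 09:11:52 PDT
From: Chris <chris@example.com>
Subject: Let's meet at noon
"""
# Invented corporate case: the bottom hop is a private address, so the real
# origin is the gateway one hop further up.
CORP = """Received: from mail.corp.example (mail.corp.example [24.16.89.112])
  by mx.example.com with ESMTP; Wed, 28 Sep 2005 09:12:52 -0700
Received: from [10.0.0.5] by mail.corp.example with ESMTP; Wed, 28 Sep 2005 09:12:50 -0700
From: Informant <informant@example.com>
Subject: The new iPod causes hurricanes
"""
MOBILE = """Received: from mobile (c-67-176-46-122.hsd1.co.comcast.net[67.176.46.122])
  by comcast.net (sccrmhc12) with SMTP
  id <2005023423523rfw34>; Wed, 21 Sep 2005 20:12:33 +0000
From: Someone <someone@example.com>
"""
MAILBOX = [BILL, STEVE, SATAN, CHRIS, CORP, MOBILE]

if __name__ == "__main__":
    for raw in MAILBOX:
        print(HeaderParser().parsestr(raw)["From"], "->", originating_ip(raw))
    print(senders_sharing_ip(MAILBOX, "Secret Satan <secret@example.com>"))
```

Geographic lookup is left out because it needs an external service; reverse_dns is included but only works with network access. The script also does nothing about forged "received" lines, so for spam or virus mail its answer is only as trustworthy as the lowest header that the receiving servers actually wrote.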

And Finally...

Does your email include this information? To find out, simply send an email to yourself, and then follow the above process to see if it includes your IP address and location. If your message does not appear to have any "received" headers, then you are looking at a local copy in your outbox. You need to check the message returned by your mail server; it may be necessary to "check mail" before this appears.

Please post whether your email includes your IP address, and if so, how accurate the location information is. Of course email has been like this forever, but originally the IP address belonged to some server at your school or workplace, and so it didn't reveal much that wasn't already obvious from your email address. Thanks to webmail and laptops, email can now travel with you, but it may reveal more than you realize.

I would like to hear what others think about this. How many of you knew that this information may be included in your email, and do you care? How many of you have used this trick to discover the location of a sender?

Poll
Does your email include your location information
o No 7%
o Yes, and I don't care 76%
o Yes, but I wish that it didn't 15%
o Not anymore 0%

Votes: 13
Finding the location, identity, or affiliation of email senders | 87 comments (30 topical, 57 editorial, 0 hidden)
I did all this stuff years ago. (none / 0) (#6)
by mr strange on Thu Sep 29, 2005 at 04:02:26 AM EST

I used to have a bee in my bonnet about spammers. I'd track them back to their open mail-server and report the abuse to their service providers.

Eventually I learned from King Canute, and stopped wasting my time.

I like the IP address locator, although it's not very reliable. Apparently I'm in Brussels! The trouble with this sort of thing is that IP addresses might be given out by local organisations, but there's nothing to say where your machine should be.

omniEvents is a high availability messaging service for CORBA.

intrigued by your idea that fascism is feminine - livus

EHLO - Show Me The Parameter (3.00 / 5) (#26)
by killmepleez on Thu Sep 29, 2005 at 11:34:07 AM EST

[oops, posted as editorial the first time]

I would bet most of the regular posters on K5 know how to interpret mail headers, although there are probably many in the legion of lurkers who do not. To beef up the article, consider also including some information on HELO/EHLO, which can give more specific information on the sending host/domain. It probably won't help against the jaded -1 dotcom-bust tech support monkeys here, but it goes right along with your topic.

In response to your last paragraph, here's one of my stories:
Any time one of the mass-mailing worms goes around, I use the headers to find out who has the infected machine so I can gently and helpfully rip them a new a-hole. In one particular incident, I was a member of a large [300+ members], non-technical social organization, and the leadership wasn't in the habit of bcc-ing when they needed to send general announcements. A few years back, everyone in the organization was being annoyed by a really active mail worm. The worm - I think it was a "soBig" variant - was one of those that searched the address book, previous messages, and the entire infected computer for any user@server.domain form and then sent multiple messages to everyone while randomly inserting those addresses in the "reply-to" field, which seems to be enough to confuse the average user into accusing all their friends/family of sending them infected mail. I started receiving 70-110 worm messages per day. I figured the infection would eventually die out, so I tweaked my filters and my sorting process and went on with my life.

A couple days later one of the board members asked me for advice; apparently people were now receiving hundreds of messages daily and he wanted to know if there was any technical solution to the problem. I went through my filtered trash and checked the headers on a few messages and quickly realized they were all coming from just one source. The IP told me the name of the company [a large marketing conglomerate]; I looked them up and found out they did indeed have a branch office in our city. Our organization's clerk went through the membership database and found one person who worked at the company in question. I then looked back at the EHLO parameter -- it just so happened that the company's internal naming convention quite helpfully included the city and user name [e.g. an employee named Juanita Ybarra using a Windows XP workstation in Tempe, Arizona, would have a hostname TEMJYBARRAXP], so I was able to confirm the source was indeed the member in question.

I contacted him and told him he should have his computer checked for viruses, and of course his response was "Huh? It can't be me because I'm receiving 600+ messages a day so it must be someone else!" I decided not to waste my time arguing and instead go straight to the source. I went back to WHOIS and found the technical contact information at the company headquarters, which was in NYC. I emailed that person a description of the problem and two full headers pointing out the origin, and suggested that a computer on their network sending out several hundred messages to several hundred people every day quickly adds up to a significant resource drain, and as both a member of the internet community and as a business it would be beneficial for his company to look into the matter. A day later, the messages stopped.

At the next social event, I asked the guy who had had the infected computer if he was still "receiving 600+ messages a day". He said, "Nope. In fact, funny you mention that, because the day after you emailed me about it they suddenly came by my cubicle and ran a whole bunch of stuff on my computer and I stopped getting all those other messages".

__
"I instantly realized that everything in my life that I thought was unfixable was totally fixable - except for having just jumped."
--from "J
well written and informative (3.00 / 4) (#30)
by circletimessquare on Thu Sep 29, 2005 at 12:30:35 PM EST

of course the next step is to contact their internet provider and socially engineer your way into getting them to reveal to you who was using that ip address from their pool at the time the email was sent... somehow

The tigers of wrath are wiser than the horses of instruction.

Good info (none / 0) (#35)
by vqp on Thu Sep 29, 2005 at 02:39:56 PM EST

I use this other site , which seems to be more minimalist, my favourite option is the IP port tester, but when it comes to geographic location, only provides the country.

happiness = d(Reality - Expectations) / dt

Have you all gone retarded? (1.00 / 2) (#64)
by waxmop on Fri Sep 30, 2005 at 10:17:28 PM EST

A whole article about reverse DNS lookup? Christ, if this is educational, then wait until next week when I submit my article about the -l option for ls.
--
Saying Java is good because it works on all platforms is like saying anal sex is good because it works on all genders.
open letter to all the fucking dweebs out there (1.78 / 14) (#65)
by circletimessquare on Fri Sep 30, 2005 at 11:56:23 PM EST

who are replying to this story about it being too simple and basic

yes, asshole, it is, for you

imagine this: some people don't live in the same world you do

they aren't as technologically astute

the thing is, you should tolerate that

learn what that magic word means, tolerance, and shut the fuck up next time

because this article is well written, and informative, for the non-dweebs out there

and believe it or not, some of those non-dweebs matter, they might *gasp*, know about shit you don't, and write an article about it

we don't want you unwashed stinking dweebs chasing them away, understand you fuck?

if you're lucky, they may even write an article that you might find interesting from their experience that you don't know about

like how to open a bra strap

something tells me that such an article will not attract the same linux dweeb snobbish assholes commenting underneath it like we find here

so shut the fuck up and deal with the horrible, horrible simplicity of this article next time

understand you fucking aspergers autistic assholes?

next time

just SHUT THE FUCK UP

we don't fucking care that you know this shit already

WE'RE NOT IMPRESSED YOU KNOW ABOUT THIS ALREADY

WHO FUCKING CARES

ATTACH YOUR FUCKING EGO TO SOMETHING ELSE BESIDES YOUR TECHNICAL KNOWLEDGE AND NEXT TIME JUST

SHUT

THE

FUCK

UP


The tigers of wrath are wiser than the horses of instruction.

A couple of years ago (none / 1) (#67)
by livus on Sat Oct 01, 2005 at 02:24:48 AM EST

a friend of mine started getting really abusive hate mail... and it turned out to be from one of their best friends.

---
HIREZ substitute.
be concrete asshole, or shut up. - CTS
I guess I skipped school or something to drink on the internet? - lonelyhobo
I'd like to hope that any impression you got about us from internet forums was incorrect. - debillitatus
I consider myself trolled more or less just by visiting the site. HollyHopDrive

Or (none / 0) (#71)
by trhurler on Sat Oct 01, 2005 at 11:44:09 PM EST

You could just admit that if you need an article like this, you're too dumb to interpret the results properly anyway and give up all hope.

--
'God dammit, your posts make me hard.' --LilDebbie

Anonymous remailers (none / 1) (#73)
by betasam on Sun Oct 02, 2005 at 01:31:47 PM EST

Tracing the location of an email sender purely with DNS lookups may seem possible and dependable so long as the sender had no malicious intent. The same task is infinitely difficult when one uses the tailored tools for identity concealment. The net is rife with anonymous remailers. Check mixmaster@sourceforge for one. There are several sites which provide these services claiming to "allow people to voice their opinion in hostile environments". These services however have been abused severely by cyber-stalkers, criminals involved in email-fraud or fake-mails. This paper on anonymous remailers has a lot of useful information on them. I have tried to help people who have received email threats or fake mails from such services, and in those instances, DNS reverse lookups or geographical IP tracing were of absolutely no use. In comparison, anonymous internet access from WiFi hotspots is less of a threat.
--
-- "No Greater Friend, No Greater Enemy" - Lucius Cornelius Sulla
You can see this concept mapped in semi-realtime (none / 0) (#79)
by filenabber on Mon Oct 03, 2005 at 05:48:01 PM EST

at Mailinator's Spam Map.

Brian
http://myvogonpoetry.com
http://candyaddict.com.

yahoo & hotmail send browser IP, gmail doesn't (none / 0) (#82)
by remainingeye on Tue Oct 04, 2005 at 10:59:32 PM EST

It looks like both Hotmail and Yahoo include your browser IP in outgoing mail, but gmail seems to omit it. If you don't want people following you around, I guess you can just use gmail. If you're serious, you should use an anonymizer, though that can be a pain if you're at a friend's house or something.

I haven't checked the others.

shiny object??? (none / 0) (#85)
by wampswillion on Mon Oct 10, 2005 at 11:46:13 PM EST

as in shiny penny????? oh for pete's sake.

Nice guide (none / 0) (#86)
by bsoft on Sun Nov 06, 2005 at 12:05:51 AM EST

This is a nice quick HOWTO of how to do reverse-DNS lookups. Personally, I've used a tool called VisualRoute with some success - it actually plots the routing on a map. Unfortunately, it's not free.

Interestingly, some ISPs (particularly universities) have public websites where you can look up an IP down to the port level. Quite useful if some university student is abusing your system.

Remember, though, that most spam nowadays is sent from spam zombies - people don't know that they are spamming.

I have a stalker (none / 0) (#87)
by NeedHelp on Fri Aug 11, 2006 at 12:39:12 AM EST

I have a stalker that is causing major havoc in our lives. This person is sending email to my wife and even though we're pretty sure who it is, I need to be 100% before going to the authorities. I've tried figuring out the IP thing but honestly it's all Chinese to me. Is there someone out there that can please help us figure this out? At this point I'll even pay you for the info. Anything at this point is better than nothing. For the person we suspect is sending the emails I have a few of her IPs, which are 68.215.23.66 and 65.10.249.153 and 65.10.243.89, if that's any help.
My email address is  BryanMendes@aol.com
Below is the header to one of the emails. Thank you!!!

Return-Path: <bgsscm@yahoo.com>
Received: from  rly-xa05.mx.aol.com (rly-xa05.mail.aol.com [172.20.64.41]) by air-xa01.mail.aol.com (v111.7) with ESMTP id MAILINXA12-7544db533c5b; Thu, 10 Aug 2006 11:40:22 -0400
Received: from  mr129.mail.sc5.yahoo.com (mr129.mail.sc5.yahoo.com [216.136.130.105]) by rly-xa05.mx.aol.com (v111.7) with ESMTP id MAILRELAYINXA57-7544db533c5b; Thu, 10 Aug 2006 11:39:40 -0400
Received: (qmail 76310 invoked from network); 10 Aug 2006 15:39:40 -0000
Received: from web39810.mail.mud.yahoo.com (209.191.106.71)
  by mr1.mail.vip.sc5.yahoo.com with SMTP; 10 Aug 2006 15:39:39 -0000
Received: (qmail 64470 invoked by uid 60001); 10 Aug 2006 15:39:39 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type :Content-Transfer-Encoding;
  b=BxwtJLBIQbHcAx9SeqXHRow3viYxfDCVShFVrug5fENHseXOUog9dEmshtgMSpd4vOR/JpmfnNt6Om P0qW/0f3dv4wcNwnaCsSybynHfqxYMqIG4PrONxGJ+c8uwKJSHy0eIF5/8fbacOCG+Rn/jGipfkAbZ9M hn5G4e0wvtI+M=  ;
Message-ID: <20060810153939.64468.qmail@web39810.mail.mud.yahoo.com>
Received: from [69.165.166.11] by web39810.mail.mud.yahoo.com via HTTP; Thu, 10 Aug 2006 08:39:39 PDT
Date: Thu, 10 Aug 2006 08:39:39 -0700 (PDT)
From: scum bags <bgsscm@yahoo.com>
Subject: Re: (no subject)
To: CynthiaBruck@aol.com
In-Reply-To: <502.4ba3b12.320a3028@aol.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-167359433-1155224379=:64015"
Content-Transfer-Encoding: 8bit
X-AOL-IP: 216.136.130.105
X-AOL-SCOLL-SCORE: 1:2:444137683:11005853
X-AOL-SCOLL-URL_COUNT: 2
