• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 20724
  • Last Modified:

Identify hotmail user.

hi

probobly a long shot, but is there any way to identify the sender of a hotmail user from a received message, even narrow down where it was sent from. Or will the trail end at the hotmail server the message was sent from. Below is the internet header from the received message.(email addresses and local servernames *ed out)

 
Received: from mail40.messagelabs.com ([38.118.4.19]) by isi-mail.****.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id W9SGYQH2; Fri, 21 Nov 2003 08:11:12 -0500
X-VirusChecked: Checked
X-Env-Sender: ******@hotmail.com
X-Msg-Ref: server-2.tower-40.messagelabs.com!1069420283!2194620
X-StarScan-Version: 5.1.13; banners=-,-,isinet.com
X-SpamReason: No, hits=-1.0 required=7.0 tests=CYNIC_B_GOOD
Received: (qmail 24266 invoked from network); 21 Nov 2003 13:11:24 -0000
Received: from *****.hotmail.com (HELO hotmail.com) (64.4.17.59)
  by server-2.tower-40.messagelabs.com with SMTP; 21 Nov 2003 13:11:24 -0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
  Fri, 21 Nov 2003 05:11:23 -0800
Received: from 193.120.95.33 by *******.hotmail.msn.com with HTTP;
 Fri, 21 Nov 2003 13:11:23 GMT
X-Originating-IP: [193.120.95.33]
X-Originating-Email: [******@hotmail.com]
From: "******"<i*******@hotmail.com>
To: ******@****.com
Bcc:
Date: Fri, 21 Nov 2003 13:11:23 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <Law11-F590****d6QR00025a2e@hotmail.com>
X-OriginalArrivalTime: 21 Nov 2003 13:11:23.0059 (UTC) FILETIME=[F61E1030:01C3B030]
0
reidb2
Asked:
reidb2
  • 3
  • 3
1 Solution
 
_nn_Commented:
>> X-Originating-IP: [193.120.95.33]
>> X-Originating-Email: [******@hotmail.com]

Both these headers are added by the hotmail machines, so you have
- the account used by the sender
- the IP address of the machine (or proxy) which the sender used to send that email (here apparently, some machine located in Ireland)

Now, although the stupid bot at abuse@hotmail.com replies to enquiries with things like :
-----8<------------------------
Hotmail employs the following methods to help protect you against spam:

  - We limit the number of individual recipients for each e-mail message.
  - We don't allow numeric characters at the beginning of an e-mail address. Any Hotmail sign-in name beginning with a numeric character is a forgery.
  - We include "X-[Originating-IP]: [xxx.xxx.xxx.xxx]" in the header of each e-mail message that Hotmail delivers. Any e-mail message without this entry in its full header didn't come from Hotmail.
  - We use industry standard security technologies to help block our relay hosts from those who send spam.
  - We take legal action against senders of unsolicited bulk e-mail who forge Hotmail addresses.
-----8<------------------------

... it doesn't seem to be able to understand forwarded headers. So I will possibly soon blacklist hotmail on my mail server... *sigh*
0
 
reidb2Author Commented:
an nslookup retuns

Name:         shannon-adsl.adsl.esat.net
Address:      193.120.95.33

is there anything i can do with that???
0
 
_nn_Commented:
Huh ? What DNS servers are you querying ?

# host shannon-adsl.adsl.esat.net
Host not found.

... ouch ! Take a look at http://www.dnsreport.com/tools/dnsreport.ch?domain=esat.net

Looks like something really weird is happening in that network...

>> is there anything i can do with that???

Well, let's see :

# whois 193.120.95.33
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      193.120.0.0 - 193.120.255.255
netname:      IE-ISI-930901
descr:        DELEGATED BLOCK
descr:        Provider Local Registry
country:      IE
admin-c:      ESAT1-RIPE
tech-c:       ESAT1-RIPE
status:       ALLOCATED PA
notify:       noc@esat.net
remarks:      formerly EUnet/IE, now Esat Net/Esat Telecom
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    IEUNET-NOC
mnt-routes:   IEUNET-NOC
changed:      roderik@ripe.net 19950315
changed:      hostmaster@ripe.net 20020919
source:       RIPE

route:        193.120.0.0/16
descr:        IEUNET-AGG-ROUTE-1
descr:        Principal address block of EUnet Ireland
origin:       AS2110
remarks:      Aggregated route covering multiple EUnet Ireland networks
notify:       noc@esat.net
mnt-by:       IEUNET-NOC
changed:      nick@eunet.ie 19961023
changed:      colma@esat.net 19980405
source:       RIPE

role:         Esat.Net NOC
address:      Unit 4029 National Digital Park, CityWest Business Campus,
address:      Naas Road, Co. Dublin, Ireland.
phone:        +353 1 2166300
fax-no:       +353 1 6790832
e-mail:       noc@esat.net
admin-c:      CA1690
admin-c:      CC1276-RIPE
admin-c:      DR2498
tech-c:       CB861-RIPE
tech-c:       CO123-RIPE
tech-c:       CD512-RIPE
tech-c:       DH655-RIPE
tech-c:       DV233-RIPE
tech-c:       GC776-RIPE
tech-c:       IH203-RIPE
tech-c:       LH305-RIPE
tech-c:       TK857-RIPE
nic-hdl:      ESAT1-RIPE
remarks:      Esat Net is the trading name for EUnet Ireland Ltd.
remarks:      Also formally known as IEUnet Ireland.
notify:       noc@esat.net
mnt-by:       IEUNET-NOC
changed:      colma@esat.net 19980402
changed:      colma@esat.net 20010128
changed:      dave@esat.net 20010418
changed:      dave@esat.net 20020514
changed:      dave@esat.net 20020527
changed:      dave@esat.net 20020801
changed:      dave@esat.net 20030220
source:       RIPE


You can try to contact these people... Not guaranteed to get you any results. Even if they'll communicate some informations (which I strongly doubt), it could be that this box is a compromised host, or a badly configured proxy that masqueraded the real sender...

Good luck.

0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
shivsaCommented:
u can try this site to track it down.
http://www.abika.com/Forms/Verifyemailaddress.htm
0
 
shivsaCommented:
also try this site. it has great tool for this kind of stuff.
http://www.samspade.org/
0
 
shivsaCommented:
Dear _nn_

this may not be the proxy or machine ip address, it is mostly the ISP provider for that user who is sending the mail.
do collect more information about this u can send mail to this ISP provider and ask for the more help, if he has send u offending material or something.

thanks,
Shiv
0
 
_nn_Commented:
shivsa, I've worked at a NOC for an ISP. I know very well what are the procedures, both technical and legal, in such kind of cases. An ISP won't give you informations (any kind of) that easily. My point was that an IP address found in a mail header is very far from being enough to prove that it was sent by a specific person. There are dozens of ways to hide, using a cascade of compromised or poorly administrated hosts is one of them.

The asker want to know if there is "any way to identify the sender" of some email. I'm telling him that if that sender was careful and really did the necessary to prevent being discovered, the chances are very close to 0 and already involves using legal ways to force the ISP to give access to the logs and customers databases.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now