Identify hotmail user.


probobly a long shot, but is there any way to identify the sender of a hotmail user from a received message, even narrow down where it was sent from. Or will the trail end at the hotmail server the message was sent from. Below is the internet header from the received message.(email addresses and local servernames *ed out)

Received: from ([]) by isi-mail.****.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id W9SGYQH2; Fri, 21 Nov 2003 08:11:12 -0500
X-VirusChecked: Checked
X-Env-Sender: ******
X-StarScan-Version: 5.1.13; banners=-,-,
X-SpamReason: No, hits=-1.0 required=7.0 tests=CYNIC_B_GOOD
Received: (qmail 24266 invoked from network); 21 Nov 2003 13:11:24 -0000
Received: from ***** (HELO (
  by with SMTP; 21 Nov 2003 13:11:24 -0000
Received: from mail pickup service by with Microsoft SMTPSVC;
  Fri, 21 Nov 2003 05:11:23 -0800
Received: from by ******* with HTTP;
 Fri, 21 Nov 2003 13:11:23 GMT
X-Originating-IP: []
X-Originating-Email: [******]
From: "******"<i*******>
To: ******@****.com
Date: Fri, 21 Nov 2003 13:11:23 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <Law11-F590****>
X-OriginalArrivalTime: 21 Nov 2003 13:11:23.0059 (UTC) FILETIME=[F61E1030:01C3B030]
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

>> X-Originating-IP: []
>> X-Originating-Email: [******]

Both these headers are added by the hotmail machines, so you have
- the account used by the sender
- the IP address of the machine (or proxy) which the sender used to send that email (here apparently, some machine located in Ireland)

Now, although the stupid bot at replies to enquiries with things like :
Hotmail employs the following methods to help protect you against spam:

  - We limit the number of individual recipients for each e-mail message.
  - We don't allow numeric characters at the beginning of an e-mail address. Any Hotmail sign-in name beginning with a numeric character is a forgery.
  - We include "X-[Originating-IP]: []" in the header of each e-mail message that Hotmail delivers. Any e-mail message without this entry in its full header didn't come from Hotmail.
  - We use industry standard security technologies to help block our relay hosts from those who send spam.
  - We take legal action against senders of unsolicited bulk e-mail who forge Hotmail addresses.

... it doesn't seem to be able to understand forwarded headers. So I will possibly soon blacklist hotmail on my mail server... *sigh*
reidb2Author Commented:
an nslookup retuns


is there anything i can do with that???
Huh ? What DNS servers are you querying ?

# host
Host not found.

... ouch ! Take a look at

Looks like something really weird is happening in that network...

>> is there anything i can do with that???

Well, let's see :

# whois
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See

inetnum: -
netname:      IE-ISI-930901
descr:        DELEGATED BLOCK
descr:        Provider Local Registry
country:      IE
admin-c:      ESAT1-RIPE
tech-c:       ESAT1-RIPE
status:       ALLOCATED PA
remarks:      formerly EUnet/IE, now Esat Net/Esat Telecom
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    IEUNET-NOC
mnt-routes:   IEUNET-NOC
changed: 19950315
changed: 20020919
source:       RIPE

descr:        IEUNET-AGG-ROUTE-1
descr:        Principal address block of EUnet Ireland
origin:       AS2110
remarks:      Aggregated route covering multiple EUnet Ireland networks
mnt-by:       IEUNET-NOC
changed: 19961023
changed: 19980405
source:       RIPE

role:         Esat.Net NOC
address:      Unit 4029 National Digital Park, CityWest Business Campus,
address:      Naas Road, Co. Dublin, Ireland.
phone:        +353 1 2166300
fax-no:       +353 1 6790832
admin-c:      CA1690
admin-c:      CC1276-RIPE
admin-c:      DR2498
tech-c:       CB861-RIPE
tech-c:       CO123-RIPE
tech-c:       CD512-RIPE
tech-c:       DH655-RIPE
tech-c:       DV233-RIPE
tech-c:       GC776-RIPE
tech-c:       IH203-RIPE
tech-c:       LH305-RIPE
tech-c:       TK857-RIPE
nic-hdl:      ESAT1-RIPE
remarks:      Esat Net is the trading name for EUnet Ireland Ltd.
remarks:      Also formally known as IEUnet Ireland.
mnt-by:       IEUNET-NOC
changed: 19980402
changed: 20010128
changed: 20010418
changed: 20020514
changed: 20020527
changed: 20020801
changed: 20030220
source:       RIPE

You can try to contact these people... Not guaranteed to get you any results. Even if they'll communicate some informations (which I strongly doubt), it could be that this box is a compromised host, or a badly configured proxy that masqueraded the real sender...

Good luck.

Why Diversity in Tech Matters

Kesha Williams, certified professional and software developer, explores the imbalance of diversity in the world of technology -- especially when it comes to hiring women. She showcases ways she's making a difference ithrough the Colors of STEM program.

u can try this site to track it down.
also try this site. it has great tool for this kind of stuff.
Dear _nn_

this may not be the proxy or machine ip address, it is mostly the ISP provider for that user who is sending the mail.
do collect more information about this u can send mail to this ISP provider and ask for the more help, if he has send u offending material or something.

shivsa, I've worked at a NOC for an ISP. I know very well what are the procedures, both technical and legal, in such kind of cases. An ISP won't give you informations (any kind of) that easily. My point was that an IP address found in a mail header is very far from being enough to prove that it was sent by a specific person. There are dozens of ways to hide, using a cascade of compromised or poorly administrated hosts is one of them.

The asker want to know if there is "any way to identify the sender" of some email. I'm telling him that if that sender was careful and really did the necessary to prevent being discovered, the chances are very close to 0 and already involves using legal ways to force the ISP to give access to the logs and customers databases.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Clients

From novice to tech pro — start learning today.