Solved

Identify hotmail user.

Posted on 2003-11-21
10
20,630 Views
Last Modified: 2012-05-04
hi

probobly a long shot, but is there any way to identify the sender of a hotmail user from a received message, even narrow down where it was sent from. Or will the trail end at the hotmail server the message was sent from. Below is the internet header from the received message.(email addresses and local servernames *ed out)

 
Received: from mail40.messagelabs.com ([38.118.4.19]) by isi-mail.****.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id W9SGYQH2; Fri, 21 Nov 2003 08:11:12 -0500
X-VirusChecked: Checked
X-Env-Sender: ******@hotmail.com
X-Msg-Ref: server-2.tower-40.messagelabs.com!1069420283!2194620
X-StarScan-Version: 5.1.13; banners=-,-,isinet.com
X-SpamReason: No, hits=-1.0 required=7.0 tests=CYNIC_B_GOOD
Received: (qmail 24266 invoked from network); 21 Nov 2003 13:11:24 -0000
Received: from *****.hotmail.com (HELO hotmail.com) (64.4.17.59)
  by server-2.tower-40.messagelabs.com with SMTP; 21 Nov 2003 13:11:24 -0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
  Fri, 21 Nov 2003 05:11:23 -0800
Received: from 193.120.95.33 by *******.hotmail.msn.com with HTTP;
 Fri, 21 Nov 2003 13:11:23 GMT
X-Originating-IP: [193.120.95.33]
X-Originating-Email: [******@hotmail.com]
From: "******"<i*******@hotmail.com>
To: ******@****.com
Bcc:
Date: Fri, 21 Nov 2003 13:11:23 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <Law11-F590****d6QR00025a2e@hotmail.com>
X-OriginalArrivalTime: 21 Nov 2003 13:11:23.0059 (UTC) FILETIME=[F61E1030:01C3B030]
0
Comment
Question by:reidb2
  • 3
  • 3
10 Comments
 
LVL 16

Expert Comment

by:_nn_
Comment Utility
>> X-Originating-IP: [193.120.95.33]
>> X-Originating-Email: [******@hotmail.com]

Both these headers are added by the hotmail machines, so you have
- the account used by the sender
- the IP address of the machine (or proxy) which the sender used to send that email (here apparently, some machine located in Ireland)

Now, although the stupid bot at abuse@hotmail.com replies to enquiries with things like :
-----8<------------------------
Hotmail employs the following methods to help protect you against spam:

  - We limit the number of individual recipients for each e-mail message.
  - We don't allow numeric characters at the beginning of an e-mail address. Any Hotmail sign-in name beginning with a numeric character is a forgery.
  - We include "X-[Originating-IP]: [xxx.xxx.xxx.xxx]" in the header of each e-mail message that Hotmail delivers. Any e-mail message without this entry in its full header didn't come from Hotmail.
  - We use industry standard security technologies to help block our relay hosts from those who send spam.
  - We take legal action against senders of unsolicited bulk e-mail who forge Hotmail addresses.
-----8<------------------------

... it doesn't seem to be able to understand forwarded headers. So I will possibly soon blacklist hotmail on my mail server... *sigh*
0
 

Author Comment

by:reidb2
Comment Utility
an nslookup retuns

Name:         shannon-adsl.adsl.esat.net
Address:      193.120.95.33

is there anything i can do with that???
0
 
LVL 16

Expert Comment

by:_nn_
Comment Utility
Huh ? What DNS servers are you querying ?

# host shannon-adsl.adsl.esat.net
Host not found.

... ouch ! Take a look at http://www.dnsreport.com/tools/dnsreport.ch?domain=esat.net

Looks like something really weird is happening in that network...

>> is there anything i can do with that???

Well, let's see :

# whois 193.120.95.33
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      193.120.0.0 - 193.120.255.255
netname:      IE-ISI-930901
descr:        DELEGATED BLOCK
descr:        Provider Local Registry
country:      IE
admin-c:      ESAT1-RIPE
tech-c:       ESAT1-RIPE
status:       ALLOCATED PA
notify:       noc@esat.net
remarks:      formerly EUnet/IE, now Esat Net/Esat Telecom
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    IEUNET-NOC
mnt-routes:   IEUNET-NOC
changed:      roderik@ripe.net 19950315
changed:      hostmaster@ripe.net 20020919
source:       RIPE

route:        193.120.0.0/16
descr:        IEUNET-AGG-ROUTE-1
descr:        Principal address block of EUnet Ireland
origin:       AS2110
remarks:      Aggregated route covering multiple EUnet Ireland networks
notify:       noc@esat.net
mnt-by:       IEUNET-NOC
changed:      nick@eunet.ie 19961023
changed:      colma@esat.net 19980405
source:       RIPE

role:         Esat.Net NOC
address:      Unit 4029 National Digital Park, CityWest Business Campus,
address:      Naas Road, Co. Dublin, Ireland.
phone:        +353 1 2166300
fax-no:       +353 1 6790832
e-mail:       noc@esat.net
admin-c:      CA1690
admin-c:      CC1276-RIPE
admin-c:      DR2498
tech-c:       CB861-RIPE
tech-c:       CO123-RIPE
tech-c:       CD512-RIPE
tech-c:       DH655-RIPE
tech-c:       DV233-RIPE
tech-c:       GC776-RIPE
tech-c:       IH203-RIPE
tech-c:       LH305-RIPE
tech-c:       TK857-RIPE
nic-hdl:      ESAT1-RIPE
remarks:      Esat Net is the trading name for EUnet Ireland Ltd.
remarks:      Also formally known as IEUnet Ireland.
notify:       noc@esat.net
mnt-by:       IEUNET-NOC
changed:      colma@esat.net 19980402
changed:      colma@esat.net 20010128
changed:      dave@esat.net 20010418
changed:      dave@esat.net 20020514
changed:      dave@esat.net 20020527
changed:      dave@esat.net 20020801
changed:      dave@esat.net 20030220
source:       RIPE


You can try to contact these people... Not guaranteed to get you any results. Even if they'll communicate some informations (which I strongly doubt), it could be that this box is a compromised host, or a badly configured proxy that masqueraded the real sender...

Good luck.

0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 24

Expert Comment

by:shivsa
Comment Utility
u can try this site to track it down.
http://www.abika.com/Forms/Verifyemailaddress.htm
0
 
LVL 24

Expert Comment

by:shivsa
Comment Utility
also try this site. it has great tool for this kind of stuff.
http://www.samspade.org/
0
 
LVL 24

Expert Comment

by:shivsa
Comment Utility
Dear _nn_

this may not be the proxy or machine ip address, it is mostly the ISP provider for that user who is sending the mail.
do collect more information about this u can send mail to this ISP provider and ask for the more help, if he has send u offending material or something.

thanks,
Shiv
0
 
LVL 16

Accepted Solution

by:
_nn_ earned 500 total points
Comment Utility
shivsa, I've worked at a NOC for an ISP. I know very well what are the procedures, both technical and legal, in such kind of cases. An ISP won't give you informations (any kind of) that easily. My point was that an IP address found in a mail header is very far from being enough to prove that it was sent by a specific person. There are dozens of ways to hide, using a cascade of compromised or poorly administrated hosts is one of them.

The asker want to know if there is "any way to identify the sender" of some email. I'm telling him that if that sender was careful and really did the necessary to prevent being discovered, the chances are very close to 0 and already involves using legal ways to force the ISP to give access to the logs and customers databases.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

I tend toward trying the newest hardware and software.  Thiss sometimes works out to my benefit, and sometimes not.  Because I downloaded and installed Android 5.x (http://www.experts-exchange.com/articles/18084/Upgrading-to-Android-5-0-Lollipop.htm…
Email attacks are the most efficient and effective way for cyber criminals and hackers to compromise a computer or network. We often find our-self second guessing the authenticity of an email message, for such instances we can follow practical princ…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now