reidb2
asked on
Identify hotmail user.
hi
probobly a long shot, but is there any way to identify the sender of a hotmail user from a received message, even narrow down where it was sent from. Or will the trail end at the hotmail server the message was sent from. Below is the internet header from the received message.(email addresses and local servernames *ed out)
Received: from mail40.messagelabs.com ([38.118.4.19]) by isi-mail.****.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
id W9SGYQH2; Fri, 21 Nov 2003 08:11:12 -0500
X-VirusChecked: Checked
X-Env-Sender: ******@hotmail.com
X-Msg-Ref: server-2.tower-40.messagel
X-StarScan-Version: 5.1.13; banners=-,-,isinet.com
X-SpamReason: No, hits=-1.0 required=7.0 tests=CYNIC_B_GOOD
Received: (qmail 24266 invoked from network); 21 Nov 2003 13:11:24 -0000
Received: from *****.hotmail.com (HELO hotmail.com) (64.4.17.59)
by server-2.tower-40.messagel
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Fri, 21 Nov 2003 05:11:23 -0800
Received: from 193.120.95.33 by *******.hotmail.msn.com with HTTP;
Fri, 21 Nov 2003 13:11:23 GMT
X-Originating-IP: [193.120.95.33]
X-Originating-Email: [******@hotmail.com]
From: "******"<i*******@hotmail.
To: ******@****.com
Bcc:
Date: Fri, 21 Nov 2003 13:11:23 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <Law11-F590****d6QR00025a2
X-OriginalArrivalTime: 21 Nov 2003 13:11:23.0059 (UTC) FILETIME=[F61E1030:01C3B03
probobly a long shot, but is there any way to identify the sender of a hotmail user from a received message, even narrow down where it was sent from. Or will the trail end at the hotmail server the message was sent from. Below is the internet header from the received message.(email addresses and local servernames *ed out)
Received: from mail40.messagelabs.com ([38.118.4.19]) by isi-mail.****.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
id W9SGYQH2; Fri, 21 Nov 2003 08:11:12 -0500
X-VirusChecked: Checked
X-Env-Sender: ******@hotmail.com
X-Msg-Ref: server-2.tower-40.messagel
X-StarScan-Version: 5.1.13; banners=-,-,isinet.com
X-SpamReason: No, hits=-1.0 required=7.0 tests=CYNIC_B_GOOD
Received: (qmail 24266 invoked from network); 21 Nov 2003 13:11:24 -0000
Received: from *****.hotmail.com (HELO hotmail.com) (64.4.17.59)
by server-2.tower-40.messagel
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Fri, 21 Nov 2003 05:11:23 -0800
Received: from 193.120.95.33 by *******.hotmail.msn.com with HTTP;
Fri, 21 Nov 2003 13:11:23 GMT
X-Originating-IP: [193.120.95.33]
X-Originating-Email: [******@hotmail.com]
From: "******"<i*******@hotmail.
To: ******@****.com
Bcc:
Date: Fri, 21 Nov 2003 13:11:23 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <Law11-F590****d6QR00025a2
X-OriginalArrivalTime: 21 Nov 2003 13:11:23.0059 (UTC) FILETIME=[F61E1030:01C3B03
ASKER
an nslookup retuns
Name: shannon-adsl.adsl.esat.net
Address: 193.120.95.33
is there anything i can do with that???
Name: shannon-adsl.adsl.esat.net
Address: 193.120.95.33
is there anything i can do with that???
Huh ? What DNS servers are you querying ?
# host shannon-adsl.adsl.esat.net
Host not found.
... ouch ! Take a look at http://www.dnsreport.com/tools/dnsreport.ch?domain=esat.net
Looks like something really weird is happening in that network...
>> is there anything i can do with that???
Well, let's see :
# whois 193.120.95.33
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 193.120.0.0 - 193.120.255.255
netname: IE-ISI-930901
descr: DELEGATED BLOCK
descr: Provider Local Registry
country: IE
admin-c: ESAT1-RIPE
tech-c: ESAT1-RIPE
status: ALLOCATED PA
notify: noc@esat.net
remarks: formerly EUnet/IE, now Esat Net/Esat Telecom
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: IEUNET-NOC
mnt-routes: IEUNET-NOC
changed: roderik@ripe.net 19950315
changed: hostmaster@ripe.net 20020919
source: RIPE
route: 193.120.0.0/16
descr: IEUNET-AGG-ROUTE-1
descr: Principal address block of EUnet Ireland
origin: AS2110
remarks: Aggregated route covering multiple EUnet Ireland networks
notify: noc@esat.net
mnt-by: IEUNET-NOC
changed: nick@eunet.ie 19961023
changed: colma@esat.net 19980405
source: RIPE
role: Esat.Net NOC
address: Unit 4029 National Digital Park, CityWest Business Campus,
address: Naas Road, Co. Dublin, Ireland.
phone: +353 1 2166300
fax-no: +353 1 6790832
e-mail: noc@esat.net
admin-c: CA1690
admin-c: CC1276-RIPE
admin-c: DR2498
tech-c: CB861-RIPE
tech-c: CO123-RIPE
tech-c: CD512-RIPE
tech-c: DH655-RIPE
tech-c: DV233-RIPE
tech-c: GC776-RIPE
tech-c: IH203-RIPE
tech-c: LH305-RIPE
tech-c: TK857-RIPE
nic-hdl: ESAT1-RIPE
remarks: Esat Net is the trading name for EUnet Ireland Ltd.
remarks: Also formally known as IEUnet Ireland.
notify: noc@esat.net
mnt-by: IEUNET-NOC
changed: colma@esat.net 19980402
changed: colma@esat.net 20010128
changed: dave@esat.net 20010418
changed: dave@esat.net 20020514
changed: dave@esat.net 20020527
changed: dave@esat.net 20020801
changed: dave@esat.net 20030220
source: RIPE
You can try to contact these people... Not guaranteed to get you any results. Even if they'll communicate some informations (which I strongly doubt), it could be that this box is a compromised host, or a badly configured proxy that masqueraded the real sender...
Good luck.
# host shannon-adsl.adsl.esat.net
Host not found.
... ouch ! Take a look at http://www.dnsreport.com/tools/dnsreport.ch?domain=esat.net
Looks like something really weird is happening in that network...
>> is there anything i can do with that???
Well, let's see :
# whois 193.120.95.33
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 193.120.0.0 - 193.120.255.255
netname: IE-ISI-930901
descr: DELEGATED BLOCK
descr: Provider Local Registry
country: IE
admin-c: ESAT1-RIPE
tech-c: ESAT1-RIPE
status: ALLOCATED PA
notify: noc@esat.net
remarks: formerly EUnet/IE, now Esat Net/Esat Telecom
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: IEUNET-NOC
mnt-routes: IEUNET-NOC
changed: roderik@ripe.net 19950315
changed: hostmaster@ripe.net 20020919
source: RIPE
route: 193.120.0.0/16
descr: IEUNET-AGG-ROUTE-1
descr: Principal address block of EUnet Ireland
origin: AS2110
remarks: Aggregated route covering multiple EUnet Ireland networks
notify: noc@esat.net
mnt-by: IEUNET-NOC
changed: nick@eunet.ie 19961023
changed: colma@esat.net 19980405
source: RIPE
role: Esat.Net NOC
address: Unit 4029 National Digital Park, CityWest Business Campus,
address: Naas Road, Co. Dublin, Ireland.
phone: +353 1 2166300
fax-no: +353 1 6790832
e-mail: noc@esat.net
admin-c: CA1690
admin-c: CC1276-RIPE
admin-c: DR2498
tech-c: CB861-RIPE
tech-c: CO123-RIPE
tech-c: CD512-RIPE
tech-c: DH655-RIPE
tech-c: DV233-RIPE
tech-c: GC776-RIPE
tech-c: IH203-RIPE
tech-c: LH305-RIPE
tech-c: TK857-RIPE
nic-hdl: ESAT1-RIPE
remarks: Esat Net is the trading name for EUnet Ireland Ltd.
remarks: Also formally known as IEUnet Ireland.
notify: noc@esat.net
mnt-by: IEUNET-NOC
changed: colma@esat.net 19980402
changed: colma@esat.net 20010128
changed: dave@esat.net 20010418
changed: dave@esat.net 20020514
changed: dave@esat.net 20020527
changed: dave@esat.net 20020801
changed: dave@esat.net 20030220
source: RIPE
You can try to contact these people... Not guaranteed to get you any results. Even if they'll communicate some informations (which I strongly doubt), it could be that this box is a compromised host, or a badly configured proxy that masqueraded the real sender...
Good luck.
u can try this site to track it down.
http://www.abika.com/Forms/Verifyemailaddress.htm
http://www.abika.com/Forms/Verifyemailaddress.htm
also try this site. it has great tool for this kind of stuff.
http://www.samspade.org/
http://www.samspade.org/
Dear _nn_
this may not be the proxy or machine ip address, it is mostly the ISP provider for that user who is sending the mail.
do collect more information about this u can send mail to this ISP provider and ask for the more help, if he has send u offending material or something.
thanks,
Shiv
this may not be the proxy or machine ip address, it is mostly the ISP provider for that user who is sending the mail.
do collect more information about this u can send mail to this ISP provider and ask for the more help, if he has send u offending material or something.
thanks,
Shiv
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
>> X-Originating-Email: [******@hotmail.com]
Both these headers are added by the hotmail machines, so you have
- the account used by the sender
- the IP address of the machine (or proxy) which the sender used to send that email (here apparently, some machine located in Ireland)
Now, although the stupid bot at abuse@hotmail.com replies to enquiries with things like :
-----8<-------------------
Hotmail employs the following methods to help protect you against spam:
- We limit the number of individual recipients for each e-mail message.
- We don't allow numeric characters at the beginning of an e-mail address. Any Hotmail sign-in name beginning with a numeric character is a forgery.
- We include "X-[Originating-IP]: [xxx.xxx.xxx.xxx]" in the header of each e-mail message that Hotmail delivers. Any e-mail message without this entry in its full header didn't come from Hotmail.
- We use industry standard security technologies to help block our relay hosts from those who send spam.
- We take legal action against senders of unsolicited bulk e-mail who forge Hotmail addresses.
-----8<-------------------
... it doesn't seem to be able to understand forwarded headers. So I will possibly soon blacklist hotmail on my mail server... *sigh*