Identify hotmail user.

Posted on 2003-11-21
Last Modified: 2012-05-04

probobly a long shot, but is there any way to identify the sender of a hotmail user from a received message, even narrow down where it was sent from. Or will the trail end at the hotmail server the message was sent from. Below is the internet header from the received message.(email addresses and local servernames *ed out)

Received: from ([]) by isi-mail.****.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
 id W9SGYQH2; Fri, 21 Nov 2003 08:11:12 -0500
X-VirusChecked: Checked
X-Env-Sender: ******
X-StarScan-Version: 5.1.13; banners=-,-,
X-SpamReason: No, hits=-1.0 required=7.0 tests=CYNIC_B_GOOD
Received: (qmail 24266 invoked from network); 21 Nov 2003 13:11:24 -0000
Received: from ***** (HELO (
  by with SMTP; 21 Nov 2003 13:11:24 -0000
Received: from mail pickup service by with Microsoft SMTPSVC;
  Fri, 21 Nov 2003 05:11:23 -0800
Received: from by ******* with HTTP;
 Fri, 21 Nov 2003 13:11:23 GMT
X-Originating-IP: []
X-Originating-Email: [******]
From: "******"<i*******>
To: ******@****.com
Date: Fri, 21 Nov 2003 13:11:23 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <Law11-F590****>
X-OriginalArrivalTime: 21 Nov 2003 13:11:23.0059 (UTC) FILETIME=[F61E1030:01C3B030]
Question by:reidb2
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 16

Expert Comment

ID: 9797510
>> X-Originating-IP: []
>> X-Originating-Email: [******]

Both these headers are added by the hotmail machines, so you have
- the account used by the sender
- the IP address of the machine (or proxy) which the sender used to send that email (here apparently, some machine located in Ireland)

Now, although the stupid bot at replies to enquiries with things like :
Hotmail employs the following methods to help protect you against spam:

  - We limit the number of individual recipients for each e-mail message.
  - We don't allow numeric characters at the beginning of an e-mail address. Any Hotmail sign-in name beginning with a numeric character is a forgery.
  - We include "X-[Originating-IP]: []" in the header of each e-mail message that Hotmail delivers. Any e-mail message without this entry in its full header didn't come from Hotmail.
  - We use industry standard security technologies to help block our relay hosts from those who send spam.
  - We take legal action against senders of unsolicited bulk e-mail who forge Hotmail addresses.

... it doesn't seem to be able to understand forwarded headers. So I will possibly soon blacklist hotmail on my mail server... *sigh*

Author Comment

ID: 9797563
an nslookup retuns


is there anything i can do with that???
LVL 16

Expert Comment

ID: 9797669
Huh ? What DNS servers are you querying ?

# host
Host not found.

... ouch ! Take a look at

Looks like something really weird is happening in that network...

>> is there anything i can do with that???

Well, let's see :

# whois
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See

inetnum: -
netname:      IE-ISI-930901
descr:        DELEGATED BLOCK
descr:        Provider Local Registry
country:      IE
admin-c:      ESAT1-RIPE
tech-c:       ESAT1-RIPE
status:       ALLOCATED PA
remarks:      formerly EUnet/IE, now Esat Net/Esat Telecom
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    IEUNET-NOC
mnt-routes:   IEUNET-NOC
changed: 19950315
changed: 20020919
source:       RIPE

descr:        IEUNET-AGG-ROUTE-1
descr:        Principal address block of EUnet Ireland
origin:       AS2110
remarks:      Aggregated route covering multiple EUnet Ireland networks
mnt-by:       IEUNET-NOC
changed: 19961023
changed: 19980405
source:       RIPE

role:         Esat.Net NOC
address:      Unit 4029 National Digital Park, CityWest Business Campus,
address:      Naas Road, Co. Dublin, Ireland.
phone:        +353 1 2166300
fax-no:       +353 1 6790832
admin-c:      CA1690
admin-c:      CC1276-RIPE
admin-c:      DR2498
tech-c:       CB861-RIPE
tech-c:       CO123-RIPE
tech-c:       CD512-RIPE
tech-c:       DH655-RIPE
tech-c:       DV233-RIPE
tech-c:       GC776-RIPE
tech-c:       IH203-RIPE
tech-c:       LH305-RIPE
tech-c:       TK857-RIPE
nic-hdl:      ESAT1-RIPE
remarks:      Esat Net is the trading name for EUnet Ireland Ltd.
remarks:      Also formally known as IEUnet Ireland.
mnt-by:       IEUNET-NOC
changed: 19980402
changed: 20010128
changed: 20010418
changed: 20020514
changed: 20020527
changed: 20020801
changed: 20030220
source:       RIPE

You can try to contact these people... Not guaranteed to get you any results. Even if they'll communicate some informations (which I strongly doubt), it could be that this box is a compromised host, or a badly configured proxy that masqueraded the real sender...

Good luck.

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 24

Expert Comment

ID: 9799170
u can try this site to track it down.
LVL 24

Expert Comment

ID: 9799205
also try this site. it has great tool for this kind of stuff.
LVL 24

Expert Comment

ID: 9799231
Dear _nn_

this may not be the proxy or machine ip address, it is mostly the ISP provider for that user who is sending the mail.
do collect more information about this u can send mail to this ISP provider and ask for the more help, if he has send u offending material or something.

LVL 16

Accepted Solution

_nn_ earned 500 total points
ID: 9799747
shivsa, I've worked at a NOC for an ISP. I know very well what are the procedures, both technical and legal, in such kind of cases. An ISP won't give you informations (any kind of) that easily. My point was that an IP address found in a mail header is very far from being enough to prove that it was sent by a specific person. There are dozens of ways to hide, using a cascade of compromised or poorly administrated hosts is one of them.

The asker want to know if there is "any way to identify the sender" of some email. I'm telling him that if that sender was careful and really did the necessary to prevent being discovered, the chances are very close to 0 and already involves using legal ways to force the ISP to give access to the logs and customers databases.

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will describe some of the best ways to process an ex-employee from an Office 365 subscription. I will describe the methods I would recommend when the data needs to be kept for the ex-employee as well as how to manage any new email as we…
PHP contact form that lets the user to contact the company through email contact form. A button is fixed at the bottom of site, on clicking a new window will open where a user can send the email.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question