Is there a way to tell if an email sender is using an anonymizer?

Hello,

Is there a way to tell if an email sender used an anonymizer when sending an email to me?

Thanks,
Bonnie
Bonnie_KAsked:

maxis2cuteCommented:
Look at the email header and see who the FROM is in the first Received you see. It will tell you what the IP address that sent the email is, and then go to whois on the internet to find out where that IP address originated from. You may be able to get the person if it is a static IP, but usually the best you will get is the ISP block of addresses.

So to really answer your question: unless they have a static IP address to them or a range of addresses, you will not find out who sent it, and there are so many anonymizers that it is hard to tell. I would say NO.
0
Bonnie_KAuthor Commented:
Well, the person keeps writing harassing emails from different Yahoo accounts. Does that make a difference?
0
maxis2cuteCommented:
Unfortunately no. You can try to block that user, depending on what your email client is, or you can try to report abuse to Yahoo.

http://help.yahoo.com/l/us/yahoo/mail/yahoomail/abuse.html

Unfortunately email is still one of those mediums that is very hard to control since it is still based on old architecture.

0
moorhouselondonCommented:
Usually in the email headers is an Originating IP address.  Even if the sender has a dynamic IP address, the chances are that the different messages from different accounts will all be from the same IP, unless their Router has been rebooted in the interim.  Even if it has, it's still possible to see whether it is from the same Dynamic IP Pool by consulting www.ripe.net or the equivalent website for the continent the originator is in.  If the IP address is in a different IP Pool then the chances are that it is from two different people.
0

maxis2cuteCommented:
moorhouselondon's explanation is correct; however, it will still not tell you who the sender is, only the IP range, which will not help you find the user yourself. Therefore I would contact Yahoo abuse; they can narrow down the abuser and follow up.

0
moorhouselondonCommented:
The other websites to try if the IP address you paste into RIPE shows "Worldwide" are as follows:-

AfriNIC | APNIC | ARIN | LACNIC
0
moorhouselondonCommented:
Sometimes you can strike lucky.  Many companies and educational establishments have their own IP ranges which can narrow things down quite considerably - RIPE or equivalent will show you this, if this is the case.
0
icky2000Commented:
All this talk about IP addresses is interesting but Bonnie already said the user is just using a number of different Yahoo accounts. You can certainly report this to Yahoo but I wouldn't hold your breath on a response. The reality is that there are a ton of free email services out there and even if you get Yahoo to block them, they'll just create a new account there or on Hotmail or whatever. Email is a lot like regular mail in that anyone can send you anything and there isn't a lot you can do to block it.
0
moorhouselondonCommented:
We don't know the story behind this question.

Yahoo certainly aren't going to do any research on a user's behalf, but if there is adequate proof of harassment by doing one's own research then it is possible to get the law involved, who can then subpoena Yahoo for the requisite information. Even Anonymizer service providers will respond to that (depending where they are in the world, of course).

No, it's not going to stop anyone opening up another email account, I agree, but if you are being stalked I think it is better to *prove* you are being stalked than to *claim* you are being stalked and everyone thinking you are paranoid.

An email server can certainly block emails emanating from the same "pipe" (account) in many instances, but care has to be taken to ensure an entire "block" of IPs isn't tarred with the same brush.
0
Bonnie_KAuthor Commented:
Hi,

Thanks for all of the responses.  The first IP address in the received header points to a yahoo mail server in the UK.  Doesn't this mean one of three things:

1. The sender lives in the UK and is sending the mail via yahoo

2. The sender is in the US logging into a server in the UK and is sending an email via yahoo

3. The sender is in the US using an anonymizer that is making it seem that he is in the UK so that the yahoo server that sends the email is a UK server (This is complete speculation on my part)

What I don't understand is how the IP address in the received header can reveal what institution the person is writing from if it is a Yahoo mail server. Am I missing something, or is this the very reason harassers use Yahoo-type accounts?

Thanks,
Bonnie
0
moorhouselondonCommented:
If you look further down the headers you should see other IP addresses in there.  I have found a Yahoo email I received and pasted these details in (I have anonymised with x's where necessary).  This is the line in the headers you need to be looking at:-

from [xxx.xxx.xxx.xxx] by webxxx.mail.ukl.yahoo.com via HTTP; Sun, 27 Jan 2008 19:42:50 GMT
0
moorhouselondonCommented:
[xxx.xxx.xxx.xxx]

The IP address that appears in brackets is the one you put into RIPE, etc.  This is the address that was assigned to the physical cable that the Sender's pc was physically plugged into at the time the email was sent.  As has been pointed out, this physical connection may have different IP addresses assigned to it at various times, but in general, if someone's connection to the internet is not unplugged, the IP address may remain the same for many days.

(Yahoo's IP address will appear in the Headers because that is where the email has passed through to get to you.)
0
moorhouselondonCommented:
To answer the last question in your comment (...reveal what institution...), I will give a concrete example using an email I recently received:-

[132.185.100.100]

(I've anonymised the last 2 numbers of the address)  Type that into RIPE and it tells me someone from the BBC, possibly in Maidenhead (this depends on how their IT systems are structured) emailed me.  RIPE also tells me that anything in the range

132.185.0.0 - 132.185.255.255

is also from the same source.  So if you see one address in that range one day, and another different address the following day, it might be the same person, but then again it might not, but you can guarantee it is someone from the same organisation.
0
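The range check moorhouselondon describes, as an added example (not code from the thread): a registry such as RIPE or ARIN reports an allocation as a "first - last" range, and any address inside it belongs to the same organisation or ISP pool. The allocation and the three observed addresses below are constructed from RFC 5737 documentation space rather than the BBC range quoted above; `range_to_networks` and `split_by_allocation` are names chosen for this example.

```python
"""Check whether addresses seen in different messages fall inside one
allocation reported by a regional registry (RIPE, ARIN, ...).
Added example, not code from the thread; the range and the observed
addresses are constructed from RFC 5737 documentation space."""
import ipaddress


def range_to_networks(range_text: str):
    """Turn a whois-style "first - last" range into CIDR networks.

    Registry ranges are not always aligned to a single prefix, so the
    result may be several networks.
    """
    first, last = (ipaddress.ip_address(part.strip())
                   for part in range_text.split("-", 1))
    return list(ipaddress.summarize_address_range(first, last))


def split_by_allocation(observations, range_text: str):
    """Partition (label, ip) pairs into those inside and outside the range.

    Addresses inside the same allocation come from the same organisation
    or ISP pool; that does not make them the same machine.
    """
    nets = range_to_networks(range_text)
    inside, outside = [], []
    for label, ip in observations:
        addr = ipaddress.ip_address(ip)
        (inside if any(addr in net for net in nets) else outside).append(label)
    return inside, outside


# Constructed: one allocation and three addresses taken from message headers
ALLOCATION = "203.0.113.0 - 203.0.113.255"
OBSERVED = [
    ("day 1", "203.0.113.17"),
    ("day 2", "203.0.113.240"),
    ("day 3", "198.51.100.9"),
]

if __name__ == "__main__":
    same, other = split_by_allocation(OBSERVED, ALLOCATION)
    print("same allocation:", same)
    print("elsewhere:", other)
```

A range that is not prefix-aligned (for example "192.0.2.8 - 192.0.2.23") comes back as two /29 networks, which is why the membership test loops over a list rather than assuming a single CIDR.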
Bonnie_KAuthor Commented:
Thanks moorhouselondon, I will try this when I get home.  I was misunderstanding the headers.  I thought it was the IP address of the yahoo mail server, not the originating PC.  
0
maxis2cuteCommented:
There is a great free program that will give you all the information you need:

http://www.nirsoft.net - it's called IPNetInfo

From the IP it will give you the range of IP addresses, who owns it, if it is static or dynamic, etc.

I highly recommend this.
0
moorhouselondonCommented:
The originating IP address appears in different places depending on the method of sending:  Trawling through some of my received emails, one emailer uses this:-

from blah (xxx-xxx-xxx-xxx.dsl.pipex.com [xxx.xxx.xxx.xxx])
That bit after the blah:  Have a look at Gibson Research website www.grc.com.  Go into the Shields Up section and look for the text:-

The text below might uniquely
identify you on the Internet

You will see the identity of *your* line at the time you ran Shields Up.  You can experiment with this (if you are that interested).  Come back in a few days and run it again, if you've not rebooted your Router your address may be the same.  Now reboot your Router and run the test again, see if it has changed.  If not it might be because you have a fixed IP.

Hotmail uses this:-

X-Originating-IP: [xxx.xxx.xxx.xxx]

Two points to note if you get an address in the range

172.128.0.0 - 172.191.255.255 (which is AOL),

(1) it may be that the sender has an AOL Broadband line, and you may find that the sender's IP address remains constant.

(2) Even though you use ARIN to look up the address, it doesn't follow that the sender is necessarily in USA.
0
Bonnie_KAuthor Commented:
Hi,

Sorry it has taken so long for me to get back here. Lots of work and little sleep in the meantime. The IP address is within this range 74.129.232.0 - 72.129.232.254. I would put the exact address, but I'm not sure if that's appropriate.

I was looking at the wrong IP addresses in the header before and now I can see that the different Yahoo senders are sending from the same IP, hence proving that they are the same person. However, it looks like this number belongs to a block of IPs owned by an ISP.

I suppose the ISP would know exactly who it is, but I can't imagine they would tell...

Thanks for all your help and insight so far.
0
icky2000Commented:
No, the ISP won't tell you. If a criminal investigation were involved a court could subpoena the ISP for the info but not all ISPs can trace IPs back to the user anyway. This has been my general experience with trying to track down senders: they're either from China or Korea (spam) or from a giant ISP. Either way, it isn't very useful to you. Oh well, you did get some info and learned something in the process.
0
Bonnie_KAuthor Commented:
Yes, definitely. I hate to keep asking about the same thing, but is there a way to tell if someone is using an anonymizer from looking at the header?

Thanks,
Bonnie
0
icky2000Commented:
No, the anonymizer would simply have changed the source IP - nothing else would look different.

Go to http://www.dnsstuff.com and type the IP in the 'reverse DNS lookup' box. This will tell you if someone happens to have a DNS entry for that IP. If not, it will say no such PTR record exists. It's doubtful you'll find anything but takes just a second to look.

The only other thing is you could use a few basic network tools to poke at that IP address and see if you can find any servers running there. That stuff is a little more complicated than I can type about here but if you want to post the IP or send it to me directly on here I'll look for you (I think there is a way to get private messages from people on here isn't there? I seem to recall having done that in the past but maybe that was another site?).

I admire your persistence!
0
Bonnie_KAuthor Commented:
Below are the results from dnsstuff.   I don't see any harm in posting this exact info...  Hopefully I am not being naive.  I am not surprised by the city, so I don't think the person is using an anonymizer.

But now, what I would like to do is somehow write a rule to bounce back any message that has that person's IP in the header.  I will open another question on that if anyone thinks it is remotely possible.  What I would like is for the person to think that the email address they are sending to doesn't exist any more.  Then they would stop sending emails to it.  Since I am not running a mail server I doubt it is possible.


Location: United States [City: Bloomington, Indiana]

<information removed by Asker request>
0
moorhouselondonCommented:
If that IP has been the same for a while now, there is something else you can do, and that is to paste the IP address into Google.  You will often get pages of hits - some of them might give you an insight into the person behind that IP address - forums sometimes publish the IP addresses of the person posting, and logs of activity on certain websites are often not blocked from being spidered by google.  

But remember...  The validity of that IP is only guaranteed* between the first email you received with this IP embedded in it, and the last one.  For example: The sender's IP address might have been assigned to that person's "pipe" minutes before sending you that first email.

*Ok it could be possible that two different people sent you messages from two different locations that coincidentally had the same IP, but it is unlikely.  My use of the word guarantee also assumes the statistical probability of the address changing and then changing back to exactly the same address is diminishingly small.  It does however depend on the number of IP addresses within the ISP's Pool - btw there appears to be a typo in the range you have given?  

xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx

(I agree that it isn't good form to publish the exact address here)

The bigger the pool the less likely it is for a coincidence to occur.
0
moorhouselondonCommented:
Whoops, crossed messages, ah well, a moderator can take a decision on whether to blank out the address.
0
moorhouselondonCommented:
A mail server can certainly bounce messages from a particular address, but that is an expense and it needs setting up.  Mdaemon is one product that will do it.

www.altn.com
0
moorhouselondonCommented:
On ARIN's site, this address is shown as

Direct Allocation

In their terminology, does that mean Fixed IP?  Good news if it does.
0
Bonnie_KAuthor Commented:
Thanks. Right now the user getting the mails is using a POP account through a web hosting company. I have used MDaemon before. I might look into that.

I will also ask a moderator to blank out the address.
0
icky2000Commented:
Note that MDaemon is a mail server. Since you don't manage the mail server, that won't be an option for you. Your hosting company would have to do the IP block for you. Note also that most email systems are set up to do IP blocking, but they only block based on the IP that is submitting the message to them, which in this case would be an IP belonging to Yahoo, so it isn't much help. Perhaps the hosting company can do this though if they're running something like MDaemon that can look deeper in the headers for the source IP. The other option is her mail client - some mail clients might be able to look at headers in a rule and delete it before she sees it. Outlook, Outlook Express, and Vista Windows Mail do not support that (most don't) but worth checking.
0
moorhouselondonCommented:
I have run MDaemon when fed from a domain POP account. Okay, there's not the same flexibility as with an SMTP direct feed, but it is possible to either alert the recipient that this is an email from this IP address or to trash it, copy it to a special mailbox set up for the purpose, etc. using the Content Filter facility. Creating a copy of the RAW email and archiving it is a good idea if further action might be taken in future against the sender.
0
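The two pieces the thread walks through, reading the originating IP out of the headers (moorhouselondon's "from [x.x.x.x] by web...yahoo.com via HTTP", "from blah (host [x.x.x.x])" and "X-Originating-IP:" lines) and then acting on it with a content-filter rule as described for MDaemon, put together as one added example. This is not code from the thread or from MDaemon; the three header shapes follow the lines quoted above, while the sample messages, hostnames, the block list and the function names `originating_ip` and `filter_rule` are constructed for this example, using RFC 5737 documentation addresses.

```python
"""Find the sender's originating IP in e-mail headers and apply a
header-based filter rule. Added example, not code from the thread or
from any product it mentions; sample messages, hostnames and the block
list are constructed (RFC 5737 documentation addresses)."""
import email
import ipaddress
import re

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "from [1.2.3.4] by web123.mail.ukl.yahoo.com via HTTP; ..." (webmail submission)
_WEBMAIL_RE = re.compile(r"^from\s+\[" + _IPV4 + r"\]\s+by\s", re.IGNORECASE)
# "from blah (host.example [1.2.3.4]) by ..." (SMTP client hop)
_SMTP_RE = re.compile(r"^from\s+\S+\s+\([^)]*\[" + _IPV4 + r"\]", re.IGNORECASE)
# "X-Originating-IP: [1.2.3.4]" (explicit header, Hotmail style)
_XORIG_RE = re.compile(r"\[?" + _IPV4 + r"\]?")

# Hops on loopback or RFC 1918 space belong to mail infrastructure or the
# sender's own LAN, not to the sender's public line, so they are skipped.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_internal(ip: str) -> bool:
    """True for loopback/RFC 1918 hops and for malformed addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in _INTERNAL)


def originating_ip(raw_message: str):
    """Return the originating IP found in the headers, or None.

    An explicit X-Originating-IP header wins. Otherwise the Received
    headers are walked bottom-up: every hop prepends its own Received
    line, so the last one in the list is the hop closest to the sender,
    which is where the Yahoo "via HTTP" line sits.
    """
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("X-Originating-IP", []):
        m = _XORIG_RE.search(value)
        if m and not _is_internal(m.group(1)):
            return m.group(1)
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        for pattern in (_WEBMAIL_RE, _SMTP_RE):
            m = pattern.search(value)
            if m and not _is_internal(m.group(1)):
                return m.group(1)
    return None


def filter_rule(raw_message: str, blocked):
    """Content-filter decision: ('quarantine', ip) when the originating IP
    is inside a blocked network, otherwise ('deliver', ip). Quarantining
    rather than deleting keeps the raw message as evidence."""
    ip = originating_ip(raw_message)
    if ip is not None and any(ipaddress.ip_address(ip) in net for net in blocked):
        return "quarantine", ip
    return "deliver", ip


# Constructed sample messages (reserved .invalid/.test names, RFC 5737 addresses).
SAMPLE_YAHOO = """\
Received: from mta42.mail.example.test (mta42.mail.example.test [203.0.113.9])
 by inbound.example.test with ESMTP; Sun, 27 Jan 2008 19:43:10 +0000
Received: from [198.51.100.77] by web99.mail.ukl.yahoo.invalid via HTTP;
 Sun, 27 Jan 2008 19:42:50 GMT
From: someone@yahoo.invalid
Subject: first message

body
"""
SAMPLE_HOTMAIL = """\
Received: from bay0-omc1.hotmail.invalid ([203.0.113.50])
 by inbound.example.test with ESMTP; Mon, 28 Jan 2008 08:00:00 +0000
X-Originating-IP: [198.51.100.77]
From: someone-else@hotmail.invalid
Subject: second message

body
"""
SAMPLE_DIRECT = """\
Received: from blah (cust-200.dsl.pipex.invalid [192.0.2.200])
 by inbound.example.test with ESMTP; Tue, 29 Jan 2008 10:00:00 +0000
Received: from [192.168.1.5] by blah via HTTP; Tue, 29 Jan 2008 09:59:00 +0000
From: friend@example.test
Subject: unrelated

body
"""
# Constructed block list: the single address seen in the two harassing samples.
BLOCKED = [ipaddress.ip_network("198.51.100.77/32")]

if __name__ == "__main__":
    for name, raw in (("yahoo", SAMPLE_YAHOO), ("hotmail", SAMPLE_HOTMAIL),
                      ("direct", SAMPLE_DIRECT)):
        print(name, filter_rule(raw, BLOCKED))
```

The third sample shows the edge case worth handling: its earliest hop is a LAN address (192.168.1.5), which says nothing about the sender's line, so the walk continues to the next hop. Because anything before the first Received line a trusted server wrote can be forged by the sender, a rule like this is only as good as the hop it anchors on.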
maxis2cuteCommented:
I would have posted another question. You really are not supposed to piggyback questions.

Bonnie_KAuthor Commented:
Yes, I meant to ask another question.  I will close this one out.  Thanks everyone for all of your help with this.  

-Bonnie
0