Is it possible....

 
 
Craven de Kere
 
Reply Fri 5 Mar, 2004 01:34 am
In yahoo webmail you click on the link (to the upper right of the message text) that says "Full Headers".

This is what you'll get with Yahoo webmail:


Quote:
X-Apparently-To: [email protected] via 216.136.174.14; Thu, 04 Mar 2004 22:56:20 -0800


This is the address that the email is received from. Usually yours.

Quote:
Return-Path: <sender'[email protected]>


This is the return path set by the sender. It can easily be forged (even more so than the other headers, which can be forged less easily).

Quote:
Received: from 64.12.138.8 (EHLO rly-ip04.mx.aol.com) (64.12.138.8) by mta100.mail.sc5.yahoo.com with SMTP; Thu, 04 Mar 2004 22:56:19 -0800


This line details the transaction between the yahoo email server and the mail server that passed the message on.

Quote:
Received: from logs-ntc-th.proxy.aol.com (logs-ntc-th.proxy.aol.com [198.81.19.131]) by rly-ip04.mx.aol.com (v95.1) with ESMTP id RELAYIN2-34048231a20b; Fri, 05 Mar 2004 01:50:05 -0500


This is another handoff.

Quote:
Received: from USER's COMPUTER NAME(ACC77703.ipt.aol.com [172.199.111.3]) by logs-ntc-th.proxy.aol.com (8.12.10/8.12.10) with ESMTP id i256memB001785 for <[email protected]>; Fri, 5 Mar 2004 06:48:45 GMT


This is the one to look at.

The format is:

user's computer name (the name the user gave to the puter in windows) (hostname[ip address]) with METHOD (e.g. SMTP) id EMAIL ID for <destinationemail> DATE

Where red = my comments and blue = variables.

The above can vary slightly. But think of it this way.

Sender > his email server > your email server > sometimes a relay to another server > you

The email header will list this backwards. When you are looking at webmail the email is really never sent to your computer, it's on the webmail server and is only displayed to you.

So as you read the "received" headers it will be going backwards and the last one will usually be the farthest back the email's trip can be traced.

The above headers say:

1) Received by Yahoo server the email from an AOL server.
2) Received by AOL server 2 from AOL server 1.
3) Received by AOL server 1 from COMPUTER (HOSTNAME[IP])

The last step is as far back as it can be traced. Sometimes (actually very frequently) it's not the hostname or IP address (hostnames are just an easier way to read an IP) of the sender.


This is usually enough but if you want you can run a whois on this IP.

Windows usually doesn't have a way to do this so I wrote my own utility (very simple, it just uses any online whois utility I specify).

But you can find plenty of web based whois tools.

Now what you really want is an easy tool that does all the network lookups at once.

Visualware has some commercial programs that combine DNS, whois and a geographical traceroute that's easy enough for anyone to use.

They have an online version that's free.

http://visualroute.visualware.com/

So, all you have to do is learn how to see your email headers, then pick the last "received" and get the IP address and look it up there.

It'll trace it to the closest geographical location that it can.
 
InTraNsiTiOn
 
Reply Fri 5 Mar, 2004 01:41 am
-Apparently-To: [email protected] via 66.218.93.10; Mon, 01 Mar 2004 21:40:53 -0800
Return-Path: <[email protected]>
Received: from 216.136.174.143 (HELO web13125.mail.yahoo.com) (216.136.174.143) by mta126.mail.scd.yahoo.com with SMTP; Mon, 01 Mar 2004 21:40:52 -0800
Received: from [24.70.95.203] by web13125.mail.yahoo.com via HTTP; Tue, 02 Mar 2004 00:40:52 EST
Date: Tue, 2 Mar 2004 00:40:52 -0500 (EST)
From: "rosa gonzalez" <[email protected]>
Subject: I have something for you!!!
To:[email protected]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1118161061-1078206052=:51896"
Content-Length: 826

This has gotten me confused now, I don't know what the real IP is. But I got it from this Rosa person. I dunno, maybe it's much harder than I thought it could be.
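Craven's walk-through of the "Received" chain, applied in code to both header sets quoted in this thread (an added example, not something posted in the thread). It unfolds the headers, lists each hop newest-first, and reports the IP in the last Received line as the farthest traceable origin, which is how 24.70.95.203 falls out of the Yahoo headers above. The samples are constructed copies with example.com placeholder addresses; the helper functions are assumptions of this example.

```python
import re
# Constructed copies of the two header sets quoted in this thread (mailbox addresses
# replaced with example.com placeholders); long lines are folded as RFC 2822 allows.
AOL_SAMPLE = """\
Return-Path: <sender@example.com>
Received: from 64.12.138.8 (EHLO rly-ip04.mx.aol.com) (64.12.138.8)
  by mta100.mail.sc5.yahoo.com with SMTP; Thu, 04 Mar 2004 22:56:19 -0800
Received: from logs-ntc-th.proxy.aol.com (logs-ntc-th.proxy.aol.com [198.81.19.131])
  by rly-ip04.mx.aol.com (v95.1) with ESMTP id RELAYIN2-34048231a20b; Fri, 05 Mar 2004 01:50:05 -0500
Received: from USERS-PC (ACC77703.ipt.aol.com [172.199.111.3])
  by logs-ntc-th.proxy.aol.com (8.12.10/8.12.10) with ESMTP id i256memB001785
  for <you@example.com>; Fri, 5 Mar 2004 06:48:45 GMT
"""
YAHOO_SAMPLE = """\
Received: from 216.136.174.143 (HELO web13125.mail.yahoo.com) (216.136.174.143)
  by mta126.mail.scd.yahoo.com with SMTP; Mon, 01 Mar 2004 21:40:52 -0800
Received: from [24.70.95.203] by web13125.mail.yahoo.com via HTTP; Tue, 02 Mar 2004 00:40:52 EST
"""
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    """One dict per Received: header, in header order: newest hop first, origin last."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        value = line.split(":", 1)[1].strip()
        # "from <sender side> by <receiving server> ...": handles "(host [ip])",
        # "(EHLO host) (ip)" and the bare "[ip]" that webmail-via-HTTP stamps.
        m = re.match(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", value, re.I)
        if not m:
            continue  # e.g. a local delivery line with no from/by pair
        ip = IPV4.search(m.group("frm"))
        hops.append({"from": m.group("frm"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None})
    return hops

def origin_ip(raw):
    """IP in the last Received: line, the farthest back the path can be traced.
    The sender controls that line (and Return-Path), so it is a lead, not proof."""
    hops = received_hops(raw)
    return hops[-1]["ip"] if hops else None
```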
 
Craven de Kere
 
Reply Fri 5 Mar, 2004 01:50 am
Here's another 2 free web based geographical traceroutes. They don't require an email registration but are not nearly as good as visualware.

Remember that they (including the link above) are getting their data primarily from whois lookups and that is not necessarily anywhere near the real location.

http://www.sarangworld.com/TRACEROUTE/

http://netgeo.caida.org/perl/netgeo.cgi

I usually just run a whois or I'll tap into commercial databases I purchased. Mapping IPs to locations is a very commercial field in every sense of the word and is usually done for locational content and advertising. So a good utility needs to get data from a frequently updated database. The maintenance costs money and effort so some databases are less accurate than others.
 
Craven de Kere
 
Reply Fri 5 Mar, 2004 01:59 am
Ok, that email came from:

24.70.95.203 (px1ar.ed.shawcable.net)

And the closest location it can be traced to is Alberta Canada.

Note that the location is not necessarily accurate. It could be the office locations for that ISP.

Also note that the IP address itself might not be from the sender. It's child's play to root a server real quick just to send out email and spammers do it all the time to avoid getting caught.

To trace further than what I just did requires access to logs from involved servers or the ISP. This usually means either hacking (low chance, because rooting specific boxes is required and you'll need to daisy chain along the email's path) or law enforcement.
 
caprice
 
Reply Fri 5 Mar, 2004 02:12 am
standup...That IP address (px1ar.ed.shawcable.net) looks like Shaw Internet in Edmonton to me. (That is the ISP I presently use.) Anyone you know here? Or are you from here yourself?
 
Craven de Kere
 
Reply Fri 5 Mar, 2004 02:26 am
It looks like Edmonton (ed in the hostname) but there's no requirement that it be Edmonton.

But I bet you're right. ISPs usually don't bother being cryptic and that's probably in the Edmonton area.
 
InTraNsiTiOn
 
Reply Fri 5 Mar, 2004 03:39 am
I do know a person from edm. but I'm pretty sure it's not her. But I guess one of her friends could have gotten my email addy from other emails sent to a bunch of her friends. Cool, well thanks for your help everybody, and the links and whatnot. Thank you
 
InTraNsiTiOn
 
Reply Fri 5 Mar, 2004 04:14 am
Ok, here's a question: If an IP # is 24.70.95.203, is that one computer, or could it be lots of computers in the same area? I'll get an email from this IP one day, and the next day I'll get an email from the same person at this IP 24.70.95.204, and so on like this 24.70.95.206. I just don't get it.
 
caprice
 
Reply Fri 5 Mar, 2004 12:06 pm
I know that home customers from Shaw have pretty much the same IP address all the time. (It's called a static IP address.) So a business perhaps? If I were you, I would forward your e-mails (with full headers) to Shaw. The only e-mail address I could find was [email protected] as I didn't see a complaint address. Give it a try, good luck!
 
InTraNsiTiOn
 
Reply Fri 5 Mar, 2004 12:15 pm
Thanks Caprice, I'll try that right now.
 
Copyright © 2024 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.04 seconds on 05/21/2024 at 04:40:10