Is it possible to trace an email back to a specific location?

A friend of mine has been getting dodgy emails from an unfamiliar email address for a few months now, and although they're nasty and very specific to her and her family they aren't threatening, so the police won't do anything about it.

I was wondering if anyone knows whether it's possible to trace where it's been sent from as it's most likely an alias account, and for her peace of mind it would be really good to figure out who is actually sending them so she can put a stop to it. Not sure if it makes a difference but they're being sent to a tmobile instant email address on a blackberry.
 
If you can get the email source visible (such as by adding the email account to Outlook Express (NOT Outlook) as POP3 perhaps) then you may be able to see addresses of servers where it's been through, which you *may* be able to traceroute or slap into ip2location.com to get possible locations for. It's worth noting that converting IPs to geo locations in the UK isn't all that reliable, but it can be accurate.
 
If you can get the email source visible (such as by adding the email account to Outlook Express (NOT Outlook) as POP3 perhaps) then you may be able to see addresses of servers where it's been through, which you *may* be able to traceroute or slap into ip2location.com to get possible locations for. It's worth noting that converting IPs to geo locations in the UK isn't all that reliable, but it can be accurate.

lol, that will only show you the location of the server the email has passed through. So the person could be sitting in Manchester, but the IP relates to one in London.

So it means nothing.
 
lol, that will only show you the location of the server the email has passed through. So the person could be sitting in Manchester, but the IP relates to one in London.

So it means nothing.

I've seen some where the originating IP was present too, depends on the mail client, and isn't usually there, admittedly. But still, it's an avenue *I'd* be investigating, were it me in OP's homie's kicks, just on the off chance.
 
Can't you do it so you send an email back, which sends you a notification when it's opened... and that can tell you where it was read?

Read Receipts always ask the reader if they want to send one, they aren't automatic.

However, if we're going down this route...

You *could* create an HTML email which includes an image, hosted on a web server you have access to. You send the email and look for when this image is accessed, checking the logs to see what IP requested it. If any scanning servers requested it they'd be easy to filter out with a bit more tracerouting. However *again* for the user's mail client to download the image he'd have to click a "do you want to download images?" thing so if he's savvy he wouldn't get caught out by it.
 
Haha yes I did think as I was posting it that it seemed a bit spy drama-ey! She's just a bit stressed out about it and I wanted to see if the combined power of the super geeks on this forum could come up with something useful!!!

I might ask her to try that Tetsujin, thanks.

And yep, the police have said they can't do anything unless something threatening is in the emails, but this person is being very careful to not explicitly be threatening.
 
Read Receipts always ask the reader if they want to send one, they aren't automatic.

However, if we're going down this route...

You *could* create an HTML email which includes an image, hosted on a web server you have access to. You send the email and look for when this image is accessed, checking the logs to see what IP requested it. If any scanning servers requested it they'd be easy to filter out with a bit more tracerouting. However *again* for the user's mail client to download the image he'd have to click a "do you want to download images?" thing so if he's savvy he wouldn't get caught out by it.

+1 If you send a message with 'I know this is you' with an image that's of an indistinct male figure in blue jeans and dark t-shirt they won't be able to resist clicking on it. I say male because 99% this is a male; females tend to do this sort of thing with 1 or more friends and having worked themselves up first, hence threats are made and are usually quite explicit! A male tends to be doing this without having told anyone about doing it and will have thought about it and exactly what to put in each message. The composing provides a bigger thrill for this person than the actual typing and sending. The sender will be older than the recipient but by no more than 6-8 years UNLESS the recipient is married or in a strong relationship, in which case the sender could be much older and be seen as a mature father figure/safe male friend, and almost certainly is known by the recipient. You say not threatening and if true then it is likely to be unrequited sexual desire or the mental replacing of a recently lost female family member.... If however the letters make mention of the writer wanting to hurt themselves then be wary, as violence comes in many forms and can easily switch direction. In this case print some off and make sure the police take record (this helps speed up response if things escalate). Good luck and don't worry too much, this is surprisingly common.
 
Bit off topic but...

Open a new email account from somewhere that allows you to spam filter, only tell close friends and family of this one, keep the other for junk stuff.

If the cyber bully finds the new email she knows she's got a leak.

On the other hand, add to the blocked senders list if you have one on the server / programme; don't open it to read it, ignorance is bliss.

If I don't know who it's from I NEVER open the email, I tick and immediately delete.

Cyber-bullying: not cool. Curiosity killed the cat, never read emails from an unknown address.
 
I've seen some where the originating IP was present too, depends on the mail client, and isn't usually there, admittedly. But still, it's an avenue *I'd* be investigating, were it me in OP's homie's kicks, just on the off chance.

The original IP is in almost all email headers. In Gmail go to the down arrow next to reply and choose "Show original" and it will show the headers.

The sender IP will usually be in one of the lines like received from SENDER-IP by MAILSERVER-IP blah blah blah.

Don't know if it's against the rules but you could post the headers here with the email addresses removed and it will be easy to see where it came from.
 
lol, that will only show you the location of the server the email has passed through. So the person could be sitting in Manchester, but the IP relates to one in London.

So it means nothing.

you're dead wrong there.

this is the email-header content of an email I received from O&O Software:
Code:
Delivered-To: MY-EMAIL-ADDRESS
Received: by 10.231.10.75 with SMTP id o11cs75029ibo;
        Sat, 11 Dec 2010 01:57:10 -0800 (PST)
Received: by 10.216.165.74 with SMTP id d52mr1079936wel.36.1292061429199;
        Sat, 11 Dec 2010 01:57:09 -0800 (PST)
Return-Path: <[email protected]>
Received: from infomail.qsc.de (infomail.qsc.de [213.148.129.110])
        by mx.google.com with ESMTP id u9si6561629wes.145.2010.12.11.01.57.08;
        Sat, 11 Dec 2010 01:57:09 -0800 (PST)
Received-SPF: neutral (google.com: 213.148.129.110 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=213.148.129.110;
Authentication-Results: mx.google.com; spf=neutral (google.com: 213.148.129.110 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: from mail.oosoft.net (mail.oosoft.net [212.99.204.33])
	by infomail.qsc.de (Postfix) with ESMTP id E012A4DFB
	for <MY-EMAIL-ADDRESS>; Thu,  9 Dec 2010 10:25:50 +0100 (CET)
Received: from mail pickup service by mail.oosoft.net with Microsoft SMTPSVC;
	 Thu, 9 Dec 2010 10:24:17 +0100

as you can see, it contains ALL the source IPs for each node it was routed through.

there are many tools (like this one: http://www.mxtoolbox.com/EmailHeaders.aspx) that allow you to parse the header information into a more readable format.

if you end up with a source IP (in my case, 212.99.204.33), do a who.is on that address, and you're almost certain to find a "report abuse" email address that you can use, which for that IP is ([email protected])

:)
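The hop-by-hop reading described in the post above, as an added example that is not part of the original post: it parses the Received lines quoted there with Python's standard library, lists the hops oldest-first, and separates the address logged by the recipient's own provider from addresses reported by upstream relays. The function names and the `google.com` trust suffix are assumptions made for this illustration.

```python
import email
import ipaddress
import re

# Received lines copied from the post above (recipient already redacted there).
SAMPLE = """\
Received: by 10.231.10.75 with SMTP id o11cs75029ibo;
        Sat, 11 Dec 2010 01:57:10 -0800 (PST)
Received: by 10.216.165.74 with SMTP id d52mr1079936wel.36.1292061429199;
        Sat, 11 Dec 2010 01:57:09 -0800 (PST)
Received: from infomail.qsc.de (infomail.qsc.de [213.148.129.110])
        by mx.google.com with ESMTP id u9si6561629wes.145.2010.12.11.01.57.08;
        Sat, 11 Dec 2010 01:57:09 -0800 (PST)
Received: from mail.oosoft.net (mail.oosoft.net [212.99.204.33])
\tby infomail.qsc.de (Postfix) with ESMTP id E012A4DFB
\tfor <MY-EMAIL-ADDRESS>; Thu,  9 Dec 2010 10:25:50 +0100 (CET)
Received: from mail pickup service by mail.oosoft.net with Microsoft SMTPSVC;
\t Thu, 9 Dec 2010 10:24:17 +0100
"""

def parse_hops(raw):
    """Return Received hops oldest-first (each server prepends its own line)."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        flat = " ".join(str(value).split())            # undo header folding
        by = re.search(r"\bby\s+(\S+)", flat)
        ip = None
        # Only look in the "from" clause, i.e. the text before "by".
        m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", flat[:by.start()] if by else flat)
        if m:
            try:
                ip = ipaddress.ip_address(m.group(1))  # peer address the receiver logged
            except ValueError:
                pass                                   # bracketed text was not an IP
        hops.append({"by": by.group(1).rstrip(";") if by else None, "peer_ip": ip})
    return hops

def peer_seen_by(hops, trusted_suffix):
    """Peer IP logged by the first hop whose 'by' host ends with a suffix we trust."""
    return next((h["peer_ip"] for h in hops
                 if h["by"] and h["by"].endswith(trusted_suffix) and h["peer_ip"]), None)

def earliest_public_ip(hops):
    """Oldest routable peer IP; private-range hops are skipped. Not verified by us."""
    return next((h["peer_ip"] for h in hops if h["peer_ip"] and h["peer_ip"].is_global), None)

if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        print(hop["by"], hop["peer_ip"])
```

Only the line written by a server you trust is reliable evidence; older Received lines are whatever the upstream relays, or the sender, chose to write.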
 
Also try to see what the secret question is if it's a hotmail type account.

many many years ago I once found out who someone was by the fact they had chosen a very specific secret question..........which I was able to guess based upon who I thought it was :)
 
if you end up with a source IP (in my case, 212.99.204.33), do a who.is on that address, and you're almost certain to find a "report abuse" email address that you can use, which for that IP is ([email protected])

That's the mail server for a company though, not private internal IP. Sending from home would not help as it will show the mail server's IP that whatever account you have at home uses.

Useless unless the offender emails from work...

Edit: +1 on the image idea.
 
That's the mail server for a company though, not private internal IP. Sending from home would not help as it will show the mail server's IP that whatever account you have at home uses.

Useless unless the offender emails from work...

Edit: +1 on the image idea.

oosoft just has their mail server set to not show the client IP in the headers, which would probably be an internal 192. address anyway. All ISPs, gmail, hotmail, etc. show the client IP in the headers, mostly to track spammers. I don't know any public email service that doesn't show it except hushmail.
 
Also try to see what the secret question is if it's a hotmail type account.

many many years ago I once found out who someone was by the fact they had chosen a very specific secret question..........which I was able to guess based upon who I thought it was :)

Isn't that illegal?
 
oosoft just has their mail server set to not show the client IP in the headers, which would probably be an internal 192. address anyway. All ISPs, gmail, hotmail, etc. show the client IP in the headers, mostly to track spammers. I don't know any public email service that doesn't show it except hushmail.

It's not though. Random example: one of the company's directors sent email to my gmail account, and a whois on the IP returns a UK company that they use to manage mail. He however was either in HK or Taiwan that evening. Probably using VNC, or logging into webmail. The point is, it's not a very reliable method, and tracking via image will provide a better result, if at all.

Then again whoever is using email for cyber bullying is unlikely to really "hide" though. Anyway, OP needs to show us the header info for giggles/OcUK detectives boredom cure.
 
If you can get the email source visible (such as by adding the email account to Outlook Express (NOT Outlook) as POP3 perhaps) then you may be able to see addresses of servers where it's been through, which you *may* be able to traceroute or slap into ip2location.com to get possible locations for. It's worth noting that converting IPs to geo locations in the UK isn't all that reliable, but it can be accurate.
And you can't use Outlook because?
 