Tracing emails

[Abs]

Hi guys....I was wondering is it pssible to find out where the person who sends email to you is. I know the person and he send me an email, can I found out the country he is in when he send that email? Thanks.

[Sparky]

If you run nslookup and query the mx record of the domain you can then put the IP into an application such as neotrace. This should give you some more info to where the email is originating from.

[Abs]

Sparky

Thanks for that answer. Only problem is Im a noob and the answer totally went over my head lool. How do I do NSlookup and query the mx record of the domain? And is neotrace a free application that can be downloaded free from the internet? Thanks

[UCHEEKYMONKEY]

Quote:

Originally Posted by Abs

Sparky

Thanks for that answer. Only problem is Im a noob and the answer totally went over my head lool. How do I do NSlookup and query the mx record of the domain? And is neotrace a free application that can be downloaded free from the internet? Thanks

Using the command window (MS DOS) then enter the commands shown by sparky!

Also just incase - to get to the command window press windows key and the letter R on the keyboard or select the run command under the start menu. then type the following letting CMD and press enter to get the command window up

[Sparky]

Start>run

Type cmd and then the command window should appear. Type nslookup.

Then type ‘set type=mx’ and then type in the domain you are trying to query (e.g hotmail.com). It should come back with the IP address of where mail records are pointing to. If it displays something like mail.hotmail.com then type ‘set type=a’ and then type mail.hotmail.com (or whatever the A record is) and that will give you the IP address.

It is worth noting that the MX records might be pointing to a completely different server to where the email is actually originating from. In some cases the email can go to separate server to be scanning for viruses and then forwarded to the mail server.

You have to pay for neotrace (I think!) but you may be able to get a trial version.

[Fergal1982]

ummm. that doesnt really work. That will tell you the IP address of the mailserver the domain in question uses. But it doesnt tell you where the user actually sends it from. For example, my work mail server is based in Aberdeen, if I use pop3 on my laptop to connect to that server, and send an email from my account whilst im in nigeria, Sparky's method will tell you im in Aberdeen.

The mail server in question likely records the ip address of the sender, but im not entirely sure if that is captured in the email headers to be honest.

[Sparky]

Yeah, it’s based on the assumption that the user is located in the same office as the mail server. I just thought the OP was asking where the email was originating from (the actual domain that is).

There are other points to consider as well, the mail server might use a smarthost therefore the email will originate from the ISPs IP address and not the IP of the mail server.

[UCHEEKYMONKEY]

I think he wanted to know which country the emailer was from.

ABS - you could use a program called track and trace or use the Email Internet Headers


Right-click on the mail message that is still in your Outlook Inbox
Select 'Options...' from the resulting popup menu
Examine the 'Internet Headers' in the resulting 'Message Options' dialog
TIP: Right-click in the 'Internet Headers' field and click on 'Select All' in the popup menu (or type ctrl-A). Then right-click again and click on 'Copy' in the popup menu (or type ctrl-C). Finally, paste all the Internet Headers into your favorite text editor for full examination (such as 'Notepad', included with Windows).

Source:Email tracer

[JonnyMX]

The non-technical answer is 'why do you want to know?' and 'isn't there an easier way of finding out?'.

The first things that come to mind are:

1) Your boyfriend/girlfriend etc have gone on a business trip and you want to make sure they really HAVE gone to Slough and aren't with their ex down the road.

2) You're a 419 scammer who had been baited and wants to send someone around to kick the culprit's head in.

3) Er, stuck now.

[hbroomhall]

The first port of call in deciding where an email has come from is in the headers of that email.

That will tell you (perhaps - but see below) the route it took to get you you. Nothing else will get close to that info.

*BUT*

There are well known ways of 'preloading' the headers, and spoofing info.

What you have to do is decide where the spoof ends and the real info begins. Not easy, and takes experience.

Harry.