blueygirl said:
Apologies for hijacking the thread but I wonder if anyone can explain (in very simple language, I am a bit of a luddite) if it is possible to find out which machine, country, etc. an email came from?
I have received a couple of very nasty emails from the account of someone I know. They have stated categorically that they did not send them, but have said that their account has been hacked in the past. I am not sure I believe them but, being a trusting sort of girl, have taken this at face value. I did however take the precaution of telling them that if this happens again I will have no hesitation in informing the email provider and the police. Any advice (even if it is that there is nothing I can do) would be most helpful.
The email protocol doesn't carry any information about the PC (operating system et al.) like a normal web page HTTP request. It does have IP addresses though as it's not fire-and-forget; the receiver communicates back to the sender "hello a", "hello b", "got an email for...", "that's cool, send it" etc., and to do this you need IP addresses. You'll get a chain of them as the email was forwarded through intermediaries called mail exchangers.
However it's much easier to hide the true originating IP address as the system effectively uses the proxy system I mentioned in my first post. The second 'however' is that most people have dynamic IP addresses, given to them by their service provider (ISP) from a pool of addresses shared with all customers. The upshot is that the IP will likely only give you a rough geographic area and the ISP. You may be lucky and get a company (not just the ISP), but even then you won't know where it came from within that. The third 'however' is that you probably won't get the originating IP at all as most private PCs don't actually send mail, but just pass it to the computer (owned by your service provider, or hotmail etc) that first properly transmits the email.
Anyway, somewhere in your email client you'll find the option to show you the full email headers. This looks something like (spam to us):
X-Yahoofilteredbulk: 217.146.97.5
X-Ymailisg: akHaKt4tYB3Jj4eShfrMCib9Ii0wItJqJ_87MR6Ua13w8N49hkfDrpmwWZj5KHY3.EKcEPuwwzgOYNwE7ApRvN80lM3a9UGoXQQW.Dnn09Bj5_eT2c29G_K945eKUfC53DltPtYgJoZMCdxFSXGir15_8Jy39HmKB.3CdHD151nsmrTzsDoG_K3sXkO5jDdQnOJXutQl9dVD_kJs2X3TsG8RKApVDrxgXKi17rBar94RgOTSSa1XeWMo74Qw
X-Originating-Ip: [217.146.97.5]
Authentication-Results: mta137.mail.ukl.yahoo.com from=arrse.co.uk; domainkeys=neutral (no sig)
Received: from 217.146.97.5 (EHLO gawain.merula.net) (217.146.97.5) by mta137.mail.ukl.yahoo.com with SMTP; Fri, 02 Jan 2009 11:28:18 +0000
Received: from athedsl-395321.home.otenet.gr (athedsl-395321.home.otenet.gr [79.131.96.55]) by gawain.merula.net (8.14.1/8.14.1) with ESMTP id n020M2RC029817 for <yabbadabbadoo@arrse.co.uk>; Fri, 2 Jan 2009 00:22:03 GMT
Date: Fri, 2 Jan 2009 00:22:02 GMT
Message-ID: <200901020022.n020M2RC029817@gawain.merula.net>
To: <yabbadabbadoo@arrse.co.uk>
Subject: She's writhing in pleasure
From: <yabbadabbadoo@arrse.co.uk>
..........
It starts at the most recent and works back down the chain of intermediaries, so the last "Received: from" is the one you want. Type the IP address into samspade.org and you'll get some information - probably useless.
*** health warning *** I'm not as good on the email process as on web page transfer. This post may have errors, but only minor ones I think - these will be in the exact forwarding details and terminology.
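The header walk described in the reply above, as an added Python example that is not part of the original post or written by anyone in this thread. It unfolds a raw header block, pulls out each "Received:" line, reverses them into delivery order so that the earliest hop (the one nearest the sender) comes first, and then applies two checks a practitioner would want: it skips hops whose sending address is an unroutable LAN address (a home PC behind a router, a webmail backend), and it reports which hops were stamped by the recipient's own provider, since a sender can type any "Received:" lines they like into a message before handing it over and only the hops added by servers you trust are reliable. The sample headers, hostnames and ids are constructed for the example and use the RFC 5737 documentation address ranges; they are not the headers quoted in the post.

```python
import ipaddress
import re

# Constructed sample (hypothetical hosts, RFC 5737 documentation addresses).
# Header order is newest hop first, exactly as a mail client shows it.
SAMPLE_HEADERS = """\
Received: from mx.example.com (mx.example.com [198.51.100.7])
 by mailbox.example.com with ESMTP id C3; Fri, 2 Jan 2009 00:25:01 GMT
Received: from smtp-out.senderisp.example (smtp-out.senderisp.example [203.0.113.10])
 by mx.example.com with ESMTP id B2 for <you@example.com>; Fri, 2 Jan 2009 00:23:10 GMT
Received: from customer-pc.lan (customer-pc.lan [10.0.0.5])
 by smtp-out.senderisp.example with ESMTP id A1; Fri, 2 Jan 2009 00:22:03 GMT
X-Originating-Ip: [10.0.0.5]
From: <someone@senderisp.example>
To: <you@example.com>
Subject: constructed test message
"""

FROM_RE = re.compile(r"^from\s+(?P<host>\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.IGNORECASE)
# IPv4 literal in [brackets] or (parens); IPv6 is not handled in this example.
IP_RE = re.compile(r"[\[(](?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\])]")

# Addresses that never identify a machine on the public internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def unfold_headers(raw):
    """Return (name, value) pairs, joining RFC 5322 continuation lines onto their header."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():          # blank line ends the header block
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull the sending host, its IP, the receiving server and the timestamp out of one Received value."""
    hop = {"from_host": None, "from_ip": None, "by": None, "date": None}
    m = FROM_RE.match(value)
    if m:
        hop["from_host"] = m.group("host")
    by_match = BY_RE.search(value)
    # Only search the "from ..." part for the IP so we never pick up the receiver's own address.
    from_part = value[:by_match.start()] if by_match else value
    ip = IP_RE.search(from_part)
    if ip:
        hop["from_ip"] = ip.group("ip")
    if by_match:
        hop["by"] = by_match.group("by")
    if ";" in value:
        hop["date"] = value.rsplit(";", 1)[1].strip()
    return hop


def received_chain(raw):
    """Hops in delivery order: index 0 is the earliest hop, the one the post says you want."""
    hops = [parse_received(v) for n, v in unfold_headers(raw) if n.lower() == "received"]
    hops.reverse()
    return hops


def is_routable(ip):
    """False for LAN/loopback addresses, which cannot be looked up or geolocated."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def likely_origin(raw):
    """Earliest hop with a publicly routable sending address, or None if there is none."""
    for hop in received_chain(raw):
        if hop["from_ip"] and is_routable(hop["from_ip"]):
            return hop
    return None


def trusted_hops(raw, provider_suffix):
    """Hops stamped by a server under provider_suffix; anything earlier was written by strangers."""
    return [h for h in received_chain(raw) if h["by"] and h["by"].endswith(provider_suffix)]


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_HEADERS)):
        print(i, hop["from_host"], hop["from_ip"], "->", hop["by"], "@", hop["date"])
    print("likely origin:", likely_origin(SAMPLE_HEADERS))
    print("hops my provider recorded:", len(trusted_hops(SAMPLE_HEADERS, "example.com")))
```

On the sample the earliest hop is a 10.0.0.5 LAN address, so the first routable address belongs to the sender's ISP outbound server, which is the outcome the reply warns about: you get the ISP, not the PC. The chain only becomes reliable from the first hop stamped by your own provider's servers onward; treat anything below that line as unverified.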