#1
hey guys, i'm a newbie here and do not know much about computers. i've been reading quite a bit about ip addresses and stuff. here's the deal. i've been emailing a chick (supposedly) in omsk, russia. well, from her email (nansym at rocketmail dot com) ip: 87.248.110.112 it says it's from uk. she did in fact say that russians have trouble registering there in russia and all that. actually, i noticed that most of the emails she sent me have slightly different ip numbers. anyway, would it be possible for someone in russia to get an account or email from the uk and still be able to email from russia?
yes, i did read about online dating scams, too. i just want to show these idiots (if they in fact are messing with me) that we're smarter than them! i even tested my own ip and got my ip coordinates (lat and long) and entered those numbers on a website which will give you a map or even satellite image from those coordinates, but it showed a "point" pretty far from my real address. kind of close, though. is it possible to get a physical address from an ip? i'd love to be able to do that. i heard law enforcement agencies are able to pinpoint a physical address. i wonder how they do it.
i just want to track them down. it's unbelievable how many people those bastards scam! they pretend to be pretty girls and fool and convince innocent lonely guys to send money thru western union and crap! although no matter how hot a chick could be i'd never send a cent! but, lots of folks fall for it! anyway, if someone is interested in helping me out i'd appreciate it. thanx guys.
Last edited by wimiadmin; 12-31-2008 at 11:39 AM.. Reason: changed email address
#2
Hi Phantom,
In my opinion, it's really impossible to get a physical address to where an IP is tied. The way the cops do it is they go straight to the ISP with the IPs with dates/times when they were assigned to the particular person they are after. The ISP checks their IP assignment logs and sees which customer had the IP at the time the cops are inquiring about and then gives them the physical address from their customer records. The best we, as everyday surfers, can do is pretty much just narrow it down to a city...and sometimes that's not very accurate.
The IP you've posted, 87.248.110.112, is assigned to Yahoo! Europe. And I believe Rocketmail uses Y!'s servers to send/receive. The IP is also blacklisted at SORBS and a couple of others, but not the majority of blacklist providers.
Check the email header for the line X-Originating IP and see what that address is....if that's available. We've tested here and you can get the originating IP from Hotmail but not Google....we haven't tested Yahoo! The X-Originating IP will tell you the location the person is coming from....unless of course they're connected via a proxy....then it may just give you the proxy IP.
My suggestion would be to create another email address and alias for yourself. Email this "girl" and when "she" replies, say "hey, I see you're emailing from Italy" or another country other than the UK. If/when "she" says yes, then you've caught her in a lie. If "she" says "no....my email comes through the UK", then that'll be tough to decipher.
If you could get "her" to go to our homepage and tell you what the IP says, that would be a good way. We show the originating IP and not the proxy IP. Maybe you can tell "her" that you're going to help "her" sign straight on from Russia without having to go through the UK, but you need "her" IP. Or....tell "her" you're going to send "her" money, but need a physical address.
Good luck. I'm interested to know how this turns out.
#3
Lots of good ideas.
I like the idea of having "her" grab something off of a server you control, that's usually a good reliable way to get someone's IP and approximate location... ...USUALLY
#4
thanks. i wanted to ask you couple of things that i still don't have very clear. like i said, i'm learning about ips and stuff.
is there any way to get her isp to track her down? also, you said the ip i listed was blacklisted at sorbs. what's sorbs? you said some about the x-originating ip, what's that? im gonna do what you said about emailing her with a diff. email address and mention another country. finally, how can you tell the right ip when there're multiple ips? i read somewhere that the bottom most ip [within brackets] is the right one. another thing i noticed is that in the full headers sometimes email address shows a number eg; (nansym@91.186.10.81 with plain). what's this ip number, then?
below i copied two headers from supposedly two diff. girls. (nansy and melissa). I sent each of them an email from two diff email addresses i use, and, i noticed a common ip [127.0.0.1]. does that mean that it's the same scammer? check it out. aside from the fact that i want to bust these scammers, all this stuff about ip is really interesting... thanks again and happy new year!

From [removed email] Fri Jan 2 12:52:11 2009
Return-Path: [removed email]
Authentication-Results: mta231.mail.mud.yahoo.com from=rocketmail.com; domainkeys=pass (ok) ; from=rocketmail.com; dkim=neutral (no sig)
Received: from 217.146.183.155 (HELO n7a.bullet.ukl.yahoo.com) (217.146.183.155) by mta231.mail.mud.yahoo.com with SMTP; Fri, 02 Jan 2009 04:56:11 -0800
Received: from [217.12.4.214] by n7.bullet.ukl.yahoo.com with NNFMP; 02 Jan 2009 12:55:23 -0000
Received: from [87.248.110.113] by t1.bullet.ukl.yahoo.com with NNFMP; 02 Jan 2009 12:55:23 -0000
Received: from [127.0.0.1] by omp218.mail.ukl.yahoo.com with NNFMP; 02 Jan 2009 12:55:23 -0000
Received: (qmail 46726 invoked from network); 2 Jan 2009 12:55:22 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=rocketmail.com; h=Received:X-YMail-OSG:X-Yahoo-Newman-Property:Date:From:X-Mailer:Reply-To:X-Priority:Message-ID:To:Subject:In-Reply-To:References:MIME-Version:Content-Type:Content-Transfer-Encoding; b=ULQanrsy+csTtqhSDDU5DT0fnCIiscR4etqj6vBBD/gtiHX03kUjRwjqQOncZ6a8CE2MdwHfVGJI635PrY6zEm7N6O7t QIU5Igl3uqseGCb7jnhHPDl80e9LpL8u3Bt/Tg1yra0cbi+0+CjZoDLVXMijBIHGs4PebmrBdVcQ5Jo= ;
Received: from unknown (HELO COMP5) (removed email with plain) by smtp104.mail.ukl.yahoo.com with SMTP; 2 Jan 2009 12:55:22 -0000
Date: Fri, 2 Jan 2009 12:52:11 +0000
From: This sender is DomainKeys verified [removed email] Add sender to Contacts
Reply-To: [removed email]
Message-ID: <removed email>
To: "Sergio B." <removed email>
Subject: hi dear Sergio
In-Reply-To: <removed email>
References: <removed email> <removed email>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 205

From Melissa Stone Fri Jan 2 02:00:12 2009
Return-Path: <removed email>
Authentication-Results: mta489.mail.mud.yahoo.com from=yahoo.com; domainkeys=pass (ok)
Received: from 68.142.206.160 (HELO n21.bullet.mail.mud.yahoo.com) (68.142.206.160) by mta489.mail.mud.yahoo.com with SMTP; Fri, 02 Jan 2009 02:00:13 -0800
Received: from [68.142.194.244] by n21.bullet.mail.mud.yahoo.com with NNFMP; 02 Jan 2009 10:00:03 -0000
Received: from [68.142.201.66] by t2.bullet.mud.yahoo.com with NNFMP; 02 Jan 2009 10:00:13 -0000
Received: from [127.0.0.1] by omp418.mail.mud.yahoo.com with NNFMP; 02 Jan 2009 10:00:13 -0000
Received: (qmail 54630 invoked by uid 60001); 2 Jan 2009 10:00:13 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Message-ID; b=31Sz6IAiq8AVNSq24SGahExmNYdNeoFhBRErnAgPH4EkmCJa bLPrmchmVxhbWzgz6M8yPWIMT2A96odwV9rqkse4J1SinUvjGN qnX/mpTtFmUsmQd6dqLDImbJm+Nh3mjTqIPhu+WjxEVlax4SS3ap7c 7Ss+5TgEeEQ/NVQSErQ=;
Received: from [41.211.226.173] by web46409.mail.sp1.yahoo.com via HTTP; Fri, 02 Jan 2009 02:00:12 PST
Date: Fri, 2 Jan 2009 02:00:12 -0800 (PST)
From: This sender is DomainKeys verified Melissa Stone <melissapaul61@yahoo.com> Add sender to Contacts
Reply-To: <removed email>
Subject: I MUST STICK WITH YOU
To: <removed email>
In-Reply-To: <removed email>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1822432132-1230890412=:53587"
Message-ID: <212238.53587.qm@web46409.mail.sp1.yahoo.com>
Content-Length: 10342

Last edited by wimiadmin; 02-06-2009 at 10:15 AM..
#5
I'll answer the easy ones first....
I doubt the ISP will help you unless you're a cop.
SORBS (and others) provide IPs of mail servers that are known spammers. Our mail server incorporates the use of SORBS and other blacklists so when we receive an email, it adds ***SPAM*** to the email subject. These blacklists work pretty good, but aren't 100%. So, by that particular IP being listed at SORBS, they've sent SPAM.
The X-Originating IP would be part of the email header that you've pasted in this post. Apparently, Yahoo! doesn't offer/record the X-Originating IP. If you've got a Hotmail account and email something to yourself and take a look at the email header, you'll see the X-Originating IP and see what I'm talking about.
The 127.0.0.1 IP is one of the local IPs assigned to every computer. If I go to my browser and put in http://127.0.0.1 , I'm referring to my own computer. If you go to your browser and put in the same link, you'll be referring to your own computer. You can also ping 127.0.0.1 and get a response from yourself. So it's not THE IP of the local computer, but one of the local IPs the computer is assigned. Think of it as the IP of the home computer. So now when you see one of the tshirts that says "There's no place like 127.0.0.1", you'll know the translation is "There's no place like home".
The email from Nansy came from the first IP listed: 217.146.183.155. This IP belongs to Yahoo. So, unless someone else sees something in the header I'm missing, that's the end of the road for tracing this one.
The email from Melissa came from the first IP listed: 68.142.206.160. This IP belongs to Yahoo as well. Again, unless someone sees something I'm missing, you can't trace it any further.
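An added example, not part of any post in this thread: a short Python routine that reads a Received chain in the order the message travelled and marks which addresses are publicly routable, which is the question post #4 asks about multiple IPs and 127.0.0.1. The sample input is the set of Received lines from the second header quoted in post #4, retyped one per line; the function names are this example's own.

```python
import ipaddress
import re
from email import message_from_string

# Received lines retyped from the second header quoted in post #4, one per line.
SAMPLE = """\
Received: from 68.142.206.160 (HELO n21.bullet.mail.mud.yahoo.com) (68.142.206.160) by mta489.mail.mud.yahoo.com with SMTP; Fri, 02 Jan 2009 02:00:13 -0800
Received: from [68.142.194.244] by n21.bullet.mail.mud.yahoo.com with NNFMP; 02 Jan 2009 10:00:03 -0000
Received: from [68.142.201.66] by t2.bullet.mud.yahoo.com with NNFMP; 02 Jan 2009 10:00:13 -0000
Received: from [127.0.0.1] by omp418.mail.mud.yahoo.com with NNFMP; 02 Jan 2009 10:00:13 -0000
Received: (qmail 54630 invoked by uid 60001); 2 Jan 2009 10:00:13 -0000
Received: from [41.211.226.173] by web46409.mail.sp1.yahoo.com via HTTP; Fri, 02 Jan 2009 02:00:12 PST
Subject: I MUST STICK WITH YOU

"""

FROM_IP = re.compile(r"\bfrom\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
BY_HOST = re.compile(r"\bby\s+(\S+)")

def hops(raw_headers):
    """Return the relay hops in the order the message travelled."""
    msg = message_from_string(raw_headers)
    result = []
    # Every server prepends its own Received line, so the bottom line is the
    # oldest; reversed() turns top-down header order into travel order.
    for value in reversed(msg.get_all("Received", [])):
        found = FROM_IP.search(value)
        if not found:
            continue  # e.g. "(qmail ... invoked by uid ...)" names no address
        try:
            ip = ipaddress.ip_address(found.group(1))
        except ValueError:
            continue  # digits that do not form a valid IPv4 address
        by = BY_HOST.search(value)
        result.append({"ip": str(ip), "by": by.group(1) if by else None,
                       "routable": ip.is_global})
    return result

def earliest_routable(raw_headers):
    """First hop with a public address (skips 127.0.0.1 and private ranges)."""
    return next((h for h in hops(raw_headers) if h["routable"]), None)

if __name__ == "__main__":
    for hop in hops(SAMPLE):
        print(hop)
```

Only Received lines written by servers you trust are reliable, since anything below them can be supplied by the sender, and the earliest public address may belong to a proxy rather than to the person writing.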
#6
Send the "girl" a link to a photo of "yourself". The link would go to a PHP script on a server you control, looking something like this:

<?php
// Address the request arrived from (a proxy's address if one is in use)
$client_ip_address = $_SERVER['REMOTE_ADDR'];
// send_email_to_me() is a placeholder for your own notification routine
send_email_to_me($client_ip_address);
header("Content-Type: image/jpeg");
readfile("junk.jpg");
?>

This is a very effective technique for tracking down people who don't know much about networking. A more savvy target may open the link through a proxy. (There are a few nasty tricks you can use against Webmail but I won't go into detail here. Google "cross site scripting" for one of them.)