Questions about locating an IP address from an email

**chitown** · 05-01-2010, 04:33 PM

Once you open full headers. is senders IP address found in the 1st or 2nd line that says X-Originating-IP

1st

X-Apparently-To
Return-Path
X-YMailISG
X-Originating-IP 65.**.***.***

2nd

Authentication-Results
Received
Received
Message-ID
Return-Path:
Content-Type
X-Originating-IP 119.**.**.***

**Muadib** · 05-01-2010, 04:36 PM

Just look at the header info on the email... Source IP & routing email server will be in the header...

**chitown** · 05-01-2010, 04:38 PM

There are two ip addresses listed. Which one the 1st or 2nd?

**filch** · 05-01-2010, 04:39 PM

You usually have to locate the button that says view headers, pretty easy to spot if using Hotmail, Yahoo, Gmail etc...

But if it's in Outlook or Outlook Express right mouse click on the email and choose option>view headers - or something along those lines. Maybe just Options alone will display headers. Can't quite remember now.

**filch** · 05-01-2010, 04:40 PM

First I believe.

**chitown** · 05-01-2010, 04:42 PM

Of these tow which is it? 65.**.***.*** or 119.**.**.*** ???

1st

X-Apparently-To
Return-Path
X-YMailISG
X-Originating-IP 65.**.***.***

2nd

Authentication-Results
Received
Received
Message-ID
Return-Path:
Content-Type
X-Originating-IP 119.**.**.***

**filch** · 05-01-2010, 04:43 PM

Have a read here Chi:

Reading email headers

**filch** · 05-01-2010, 04:45 PM

Generally, in the "Received" section is where you want to look. You may need to run a "whois" to determine if you might have the right IP address (usually you have a good idea of where it should be coming from)... this can be done at this web address:

http://www.arin.net/index.shtml

**baldrick** · 05-01-2010, 05:05 PM

the 65 IP is their reported mail server and the 119 IP is your mail server.

remember the path is - their machine -> their mail server -> your mail server -> your machine

their mail server IP is easy spoofed if they want

**Norton** · 05-01-2010, 05:16 PM

Originally Posted by chitown

65.55.111.***

IP is US. Prolly in mid west, Kansas, Nebraska?

**dirtydog** · 05-01-2010, 05:27 PM

^They have the internet there?

**Norton** · 05-01-2010, 05:32 PM

Only the latest and greatest. Voice on data too. Use the same system here in Isaan.

**baldrick** · 05-01-2010, 06:11 PM

^ is that fibre I see there ?

**Norton** · 05-01-2010, 07:19 PM

Originally Posted by baldrick

is that fibre I see there ?

Only the best. Titanium coated fibre. Only thing to have in Isaan. Buffalo can't eat the string.

**harrybarracuda** · 10-01-2010, 02:26 PM

the 65 IP is their reported mail server and the 119 IP is your mail server.

remember the path is - their machine -> their mail server -> your mail server -> your machine

their mail server IP is easy spoofed if they want

If it was only always that simple. Send me an email, and it will probably go like this:

Your machine -> your ISP's Spam and AV filters (if they have them, before or after your mail server) -> Your ISP's mail server -> My ISP's Spam and AV gateways -> My first AV/Spam gateway -> My second content filtering gateway -> My third malware gateway -> My Mail Server -> My machine.

And all of those add header information.

**baldrick** · 10-01-2010, 05:59 PM

^ come on be gentle with chitown , he only needed the basics

though as the email starts and originates in the USofA we can add the stop for when the NSA gives it a scan.

Thread: Questions about locating an IP address from an email

Thread Tools

Display

Questions about locating an IP address from an email

Thread Information

Users Browsing this Thread

Posting Permissions