Trace E-mail

PHTech

Senior Member
Joined
Aug 21, 2006
Messages
588
Reaction score
0
Location
Witbank
Hi there...

Is it possible to trace an e-mail back to where it originated, etc.?

There is someone sending mails to us requesting accounts to be changed (fraud), and I would like to know how we can trace this person.

I have the mail headers, but as it was sent from a web interface (like webmail, Hotmail, etc.) it makes it a bit tricky to trace.

Any suggestions?
 

Good luck. Via webmail you will not succeed. All you will manage to find is the mail server; how and where that person connects to it will be difficult to find.

Maybe you can ask the person to come in and sign something?
 
The mail protocol is a simple text protocol, and apart from the destination address no checking takes place. This means that anyone with a little knowledge can create an email with any sender ID. This is commonly known as SPAM.

So in the case of the spam you received, unless the sender is incredibly stupid, you will not be able to track the mail.

The only real way to catch these people is to set up a sting operation in conjunction with the police. Be careful in messing with these people; there are some horrifying stories of those who have crossed them.

Best just hit the del key.
 
Is the email being sent from a free email service? Or is he/she/they using existing email addresses from clients, like a fake email?

AFAIK, if it's a free email provider you will have difficulty tracing the person; it is almost impossible.
Your chances of getting the client's IP are way better if he used Outlook or Thunderbird via ADSL or 3G. But even then, without charges you won't find out who that was.

I would say your chances in general are very low to find the person. People these days that send out faked account mails for ABSA etc. use faked IPs anyway.

If you get an email again, check the IP and post it here.
 

I have seen that the message headers stop where the sender sent the mail from the web interface...

I have reported to Starmail / Webmail that the user sent fraudulent information, so hopefully the user was stupid enough to supply his/her whole pedigree upon registration... So hopefully, if I can supply Webmail with good enough motivation, they will send me the info...

Also, it was not SPAM, as the sender replied to mail we sent him/her as well.

I have an IP address (the last one in the message header): 165.146.48.33
It points to South Africa, Gauteng. Then I did a "ping" on the mail.starmail.co.za server. It resolved to an IP of 196.25.211.166
That pointed to South Africa, Western Cape. So (correct me if I am wrong) the Webmail / Starmail servers are situated in the Western Cape? Then that Gauteng IP: could it possibly be where the request for the sent mail originated (the first step of the route taken to the servers), or what do you think?
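The header walk the thread is circling around (the earlier reply's point that SMTP checks nothing about the sender, and the question above of whether the Gauteng address is the first hop) as an added, runnable example. This is not code from any of the posts. The message it parses is constructed: mail.starmail.co.za and the two IP addresses 196.25.211.166 and 165.146.48.33 are the ones quoted in the thread, while webmail.starmail.co.za, the receiving host mx.ourcompany.example, the addresses, dates and queue IDs are assumed for illustration. The script anchors the chain at the Received: line written by your own server, because that is the only line you can check against your own logs; the line directly below it is the webmail provider's record of the browser's IP, and anything deeper could have been typed in by the sender.

```python
"""
Walk the Received: chain of a message to see which hop is worth chasing.
Added example for this thread, not code from any of the posts.  The message
below is constructed: mail.starmail.co.za and the two IP addresses
(196.25.211.166 and 165.146.48.33) are the ones quoted in the thread;
webmail.starmail.co.za, mx.ourcompany.example, the addresses, dates and
IDs are made up for illustration.
"""
import email.utils
import ipaddress
import re
from email import message_from_string

SAMPLE_MESSAGE = """\
Return-Path: <someone@freemail.example>
Received: from mail.starmail.co.za (mail.starmail.co.za [196.25.211.166])
\tby mx.ourcompany.example (Postfix) with ESMTP id 3F2A1B9C02
\tfor <accounts@ourcompany.example>; Thu, 14 Feb 2008 09:12:31 +0200
Received: from [165.146.48.33] by webmail.starmail.co.za with HTTP;
\tThu, 14 Feb 2008 09:12:10 +0200
From: "Contractor Accounts" <accounts@contractor.example>
To: accounts@ourcompany.example
Subject: Change of banking details

Please update our banking details to the account below.
"""

IPV4 = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")


def parse_received(value):
    """Split one Received: line into the relay that sent the message ('from'),
    the IP literal recorded for it, and the server that wrote the line ('by').
    Folded continuation lines are joined first."""
    text = " ".join(value.split())
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    from_part = text[: m_by.start()] if m_by else text
    m_ip = IPV4.search(from_part)
    return {
        "from": m_from.group(1).strip("[]") if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
    }


def trace(raw, our_hosts):
    """Order the hops from our server outward and say how far each can be
    trusted.  Every relay prepends its own Received: line, so the top line
    was written by the last server (ours) and the bottom line by the server
    nearest the sender."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]

    # The line stamped by our own server is the only one we can verify
    # ourselves (it matches our SMTP logs).  Its 'from' is the relay that
    # actually connected to us, here the webmail provider's outbound MTA.
    ours = [i for i, h in enumerate(hops) if h["by"] in our_hosts]
    if not ours:
        raise ValueError("no Received: line stamped by one of our hosts")
    handoff = hops[ours[0]]

    # The line directly below ours was written by that relay.  It is as
    # reliable as the relay's operator, no more: with webmail it records the
    # browser's IP, which is as close to the person as the headers get.
    claimed = hops[ours[0] + 1] if ours[0] + 1 < len(hops) else None

    # Anything deeper than that the sender could have typed in themselves
    # before the mail ever left their machine.
    forgeable = hops[ours[0] + 2:]

    origin_ip = claimed["ip"] if claimed else None
    # A private or reserved origin means the provider logged an internal
    # address, not the customer's, and there is nothing to look up.
    origin_is_public = (origin_ip is not None
                        and ipaddress.ip_address(origin_ip).is_global)

    # SMTP never checks the From: header, so compare it with the relays in
    # the chain: a From: domain that appears nowhere in it was asserted by
    # the sender alone.
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    relays = {h["by"] for h in hops} | {h["from"] for h in hops}
    from_domain_in_chain = bool(from_domain) and any(
        r and r.lower().endswith(from_domain) for r in relays)

    return {
        "handoff_host": handoff["from"],
        "handoff_ip": handoff["ip"],
        "origin_ip": origin_ip,
        "origin_is_public": origin_is_public,
        "origin_recorded_by": claimed["by"] if claimed else None,
        "forgeable_hops": len(forgeable),
        "from_domain": from_domain,
        "from_domain_in_chain": from_domain_in_chain,
    }


if __name__ == "__main__":
    report = trace(SAMPLE_MESSAGE, {"mx.ourcompany.example"})
    for key, value in report.items():
        print(f"{key:22} {value}")
```

On the constructed message the handoff is mail.starmail.co.za at 196.25.211.166 (the Western Cape address, which is the provider's server, not the person), the origin the provider recorded is 165.146.48.33 (the Gauteng address, a public Telkom range per the WhoIs below, so worth an abuse request), and the From: domain appears nowhere in the chain, which is exactly the "any sender ID" point made earlier. The origin IP still only identifies a connection, so the provider's registration data or the ISP's records are needed to get from it to a person.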
 
From WhoIs:
% This is the AfriNIC Whois server.

% Note: this output has been filtered.

% Information related to '165.146.0.0 - 165.146.63.255'

inetnum: 165.146.0.0 - 165.146.63.255
netname: IPNET-BROADBAND
descr: Telkom SA Limited
descr: Integrated Network Planning
descr: Private Bag X74
descr: Pretoria
descr: Gauteng
descr: 0001
country: ZA
admin-c: MST95-AFRINIC
tech-c: PB455-AFRINIC
tech-c: JDU24-AFRINIC
status: ASSIGNED PA
mnt-by: TF-165-143-0-0-165-149-255-255-MNT
remarks: noc e-mail: [email protected], phone: +27-12-680-0224
remarks: abuse e-mail: [email protected], phone: +27-12-680-7561
source: AFRINIC # Filtered
parent: 165.143.0.0 - 165.149.255.255

person: Markus Stoltz
nic-hdl: MST95-AFRINIC
address: Integrated Network Planning
address: Private Bag X74
address: Gauteng
address: Pretoria 0001
address: South Africa
e-mail: [email protected]
phone: +27-12-311-1429
source: AFRINIC # Filtered

person: Johan Du Preez
address: NNOC
address: Oak Avenue
address: Centurion
address: Gauteng
address: 2000
address: ZA
phone: +1 012 6800067
e-mail: [email protected]
nic-hdl: JDU24-AFRINIC
remarks: Administrative Contact only, please contact
remarks: for Abuse queries
source: AFRINIC # Filtered

person: Pieter Bezuidenhout
address: Telkom SA Ltd SAIX
address: 151 Frans Conradie Ave
address: Parow
address: Western Cape
address: 7500
address: ZA
phone: +1 111 1111111
fax-no: +2721 9302789
e-mail:
e-mail:
nic-hdl: PB455-AFRINIC
remarks: Abuse complaints can be directed to
source: AFRINIC # Filtered

Maybe start there? They also have an abuse mail address.
 

I know there is a lot of risk involved with this type of situation. If we can get it far enough that we can leave it in the hands of higher operations, then it would be fine.

The thing is that the sender of this fraudulent mail is requesting that the account details in our company's contractor information be changed. So basically he wants the contractor's account to be changed so that it points to his account number (which he has specified for us). But then, no bank will give us his personal info; they only say whether the account exists or not.
 