Tracking the Source of an Email

**theprez98** · 04-14-2008, 09:04 PM

Here is nice little tutorial on tracking the source IP of an email (this only works when the source of the email was Microsoft Outlook/Outlook Express as they encode the IP in the Message ID field).

Based on the header data:

Message-ID: <000701c89564$0115a292$cc4fb2bc@kagscc>

"kagscc" is the hostname of the source computer.

Break out the important portion (bolded between last $ and @):

cc 4f b2 bc

Reverse by octet and convert from hex:

bc = 188
b2 = 178
4f = 79
cc = 204

Source IP address is 188.178.79.204

Caveats:

1. Unless the message ID or original IP was spoofed (possible), this is the IP of the computer that originally sent the email.
2. If the email was sent using a private email address behind a router, you will get the private email address, which isn't exactly helpful.

**theprez98** · 04-18-2008, 01:24 PM

I copied the previous post to its own thread; please feel free to add any tips or tricks on tracking email. I will add to the thread as I can.

**amsterash** · 04-18-2008, 03:36 PM

nice, thanks for the tracking the source info, Extremley helpful!!

**slagg** · 04-18-2008, 03:48 PM

That's awesome! Thank you.

Something I've found to be semi-useful in the past is the free web-mail service by:

w w w .bigstring .com

They have an option in there where after you send an email from your account and it is viewed by the other party, you can see the IP address they viewed the email from. The email service also gives you the option to "masquerade" as another email you own (it will send a verification email to the other account you have to click on before it will let you do this.) Unfortunately, most email providers will mark your messages as spam if you do this.

The service, if nothing else, is interesting to tinker with and experiment. If anyone else know of another service like this, please list it as well.

**Archangel-Amael** · 04-19-2008, 03:40 AM

samspade whois info
samspade FAQ

DNS and email Blacklist IP check

google + email source tracking

Hope this helps out

**.lonewolf** · 04-19-2008, 09:20 AM

Thank theprez98... I was going to copy and paste this very useful trick into a text file, as reference... but now I won't have to

**Si2006** · 04-22-2008, 10:20 AM

How do i convert to hex format from octet.

Searched goggle and can't find a answer.

**imported_Speedy** · 04-22-2008, 10:27 AM

http://www.ascii.cl/conversion.htm

a la google

**|Trauma|** · 04-22-2008, 11:10 AM

How do I view the msg header in hotmail or outlook? I can't see this bit "Message-ID: <000701c89564$0115a292$cc4fb2bc@kagscc>"

**theprez98** · 04-22-2008, 01:10 PM

Originally Posted by Si2006

How do i convert to hex format from octet.

Searched goggle and can't find a answer.

If you're using Windows, simply use the scientific calculator.

Otherwise, there are many, many such conversions tools online.

BackTrack Linux - Penetration Testing Distribution

Thread: Tracking the Source of an Email

Thread Tools

Search Thread

Display

Posting Permissions