Trace the origin of an email abuser?
Over the weekend, I received a fascinating question from Infopackets Reader Ric J.:
" Hi Dennis!
I just read your email regarding the eBook, 'Email For Newbies v2.1', and have a question about email headers. I know that email headers show a person's IP address, but is there any way that I can find out where a person lives? The reason I ask is because I have been having a problem with a person and the only thing I have is the IP address of the individual. Any help would be great; thanks! "
My response:
The answer is that, yes, you can track the origin of an email to a certain extent -- providing that none of the headers have been forged. Finding out where the person lives is also doable, but only in a general manner (geographically). In your case, I will assume that the abuser has forged his email address and you are relying on IP information in the email header to track his origin.
As referenced in your letter, the Email For Newbies eBook has a chapter dedicated to the topic of Email Headers. I read through this chapter over the weekend and can tell you that Tom Glander does an excellent job explaining what each header means -- specifically for the purpose of tracking the email's origin. In fact, Tom illustrates how he used email headers to track down an individual who repeatedly (and unsuspectingly) sent email viruses.
Assuming you understand how email headers are read and the email address has been forged, the next step in tracking someone is to:
a) Do a NameServer Lookup [NSLookup] and resolve the origin IP address to a web-based address (or "Domain Name"). Use the link below to do your search; note that the second IP address in the result window is the one you want.
b) Using the resolved domain name, type the URL [web address] into your web browser and hopefully it will direct you to the Internet Service Provider home page of the abuser. If the resolved name contains a sub-domain (e.g., something.infopackets.com, rather than www.infopackets.com), eliminate part of the domain (from the left) and try the new URL in your browser. For example, the IP address 68.6.19.244 resolves to: www.fed1mtao01.cox.net --> modified and corrected URL = http://www.cox.net
c) On the ISP homepage, locate an abuse / support email address for someone who can help your cause. If you can't get the web page to pull up, you can also do a WhoIs Search, which reveals the ownership of some domains (and may also include contact information).
http://www.internic.net/whois.html
PS: Chances are that the email address abuse@The_ISP.net (even if not listed on the ISP web site) will suffice. Side note: the domain "The_ISP.net" in the above example is the ISP home page of the abuser.
d) To find the geographical location of an IP address, you can use a Visual TraceRoute tool. Note: this method will not divulge the exact location of the IP address (e.g., John Doe, 123 Main Street) -- but will display the approximate location on a map of the world.
http://www.nedcomp.nl/visualroute/
http://www.webattack.com/get/3dtraceroute.html
Good luck!
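Steps a) to c) can be scripted. The following is an added example, not code from the original article or the eBook: it takes the earliest public IP from a message's Received headers, then turns a resolved host name into the ISP domain and an abuse@ address. The sample message and its example.org hosts are constructed, and keeping only the last two labels of the host name is a simplifying assumption that gives the wrong answer for suffixes such as co.uk.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample message. Only the IP and host name from the article's
# step b) example (68.6.19.244, www.fed1mtao01.cox.net) come from the page.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby inbox.example.org with ESMTP
Received: from fed1mtao01.cox.net (www.fed1mtao01.cox.net [68.6.19.244])
\tby mx.example.org with ESMTP
Received: from desktop ([192.168.1.20])
\tby fed1mtao01.cox.net with SMTP
From: "Someone" <forged@example.com>
Subject: hello

body
"""
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def origin_ip(raw_message):
    """Return the earliest public IPv4 address found in Received headers."""
    hops = message_from_string(raw_message).get_all("Received") or []
    # Each server prepends its own header, so the last one is the earliest.
    # Hops below the first server you trust can be forged by the sender.
    for hop in reversed(hops):
        for candidate in IP_IN_BRACKETS.findall(hop):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. [999.1.1.1]
            if ip.is_global:  # skip private and reserved ranges
                return str(ip)
    return None

def reverse_lookup(ip):
    """Step a): PTR lookup. Needs network access; returns None on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def isp_domain(hostname):
    """Step b): drop labels from the left, keeping the last two (assumption)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def abuse_contact(hostname):
    """Step c): conventional abuse mailbox at the ISP domain."""
    domain = isp_domain(hostname)
    return f"abuse@{domain}" if domain else None
```
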
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!