IDENTIFYING THE SENDER OF AN E-MAIL FROM A FREE WEB-BASED ACCOUNT

(MAIL HEADERS FROM RECEIVED EMAIL)

Received: from web21204.mail.yahoo.com [216.136.131.77] by thundercloud.net
(SMTPD32-7.04) id AF8B52D0080; Thu, 25 May 2006 17:00:43 -0500
Message-ID: <20031023220042.7524.qmail@web21204.mail.yahoo.com>
Received: from [208.29.180.114] by web21204.mail.yahoo.com via HTTP; Thu, 25 May 2006 15:00:42 PDT
Date: Thu, 25 May 2006 15:00:42 -0700 (PDT)
From: <xxx@yahoo.com>
Subject: TEST
To: tc <xxx@thundercloud.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-592404950-1066946442=:7478"
X-RCPT-TO: <xxx@thundercloud.net>
Status: U
X-UIDL: 353097907

--0-592404950-1066946442=:7478
Content-Type: text/plain; charset=us-ascii

This mail was received from someone using a Yahoo account (addresses are disguised to prevent spam harvesters from picking up email addresses from this page and to protect the sender's privacy). The selection highlighted in red, the address 208.29.180.114 in the second Received: line (the one ending in "via HTTP"), indicates the real sender's IP address. We ran a TraceRoute (tracert) on this IP to find out where they are located. A hacker who wanted to learn more about this person could do so using nothing more than the IP address.

10/23/03 18:10:03 Fast traceroute 208.29.180.114
Trace 208.29.180.114 ...
1 No Response * * *
2 10.50.224.1 10ms 12ms 11ms TTL: 0 (No rDNS)
3 24.164.96.66 10ms 14ms 13ms TTL: 0 (srp0-0.polkoh1-rtr2.neo.rr.com ok)
4 24.164.96.97 13ms 40ms 12ms TTL: 0 (srp0-0.ncntoh1-rtr1.neo.rr.com ok)
5 65.25.128.237 11ms 13ms 14ms TTL: 0 (son0-0-2.ncntoh1-rtr0.neo.rr.com ok)
6 65.25.128.246 23ms 31ms 22ms TTL: 0 (son0-1-3.mtgmoh1-rtr0.cinci.rr.com ok)
7 66.185.133.9 23ms 24ms 22ms TTL: 0 (pop1-cin-P3-0.atdn.net probable bogus rDNS: No DNS)
8 66.185.133.0 29ms 26ms 24ms TTL: 0 (bb1-cin-P0-0.atdn.net probable bogus rDNS: No DNS)
9 66.185.153.50 35ms 28ms 55ms TTL: 0 (bb1-chi-P3-0.atdn.net probable bogus rDNS: No DNS)
10 66.185.141.85 36ms 30ms 32ms TTL: 0 (pop1-chi-P0-0.atdn.net probable bogus rDNS: No DNS)
11 66.185.150.218 30ms 32ms 30ms TTL: 0 (Sprint.atdn.net bogus rDNS: host not found [authoritative])
12 144.232.20.83 29ms 42ms 31ms TTL: 0 (sl-bb21-chi-11-3.sprintlink.net ok)
13 144.232.26.77 30ms 31ms 31ms TTL: 0 (sl-bb24-chi-9-0.sprintlink.net ok)
14 144.232.20.161 94ms 101ms 93ms TTL: 0 (sl-bb21-sj-8-0.sprintlink.net ok)
15 144.232.3.157 94ms 94ms 93ms TTL: 0 (sl-bb20-sj-14-0.sprintlink.net ok)
16 144.232.20.98 104ms 99ms 103ms TTL: 0 (sl-bb20-stk-12-0.sprintlink.net ok)
17 144.232.27.34 96ms 95ms 103ms TTL: 0 (sl-gw22-stk-0-0.sprintlink.net ok)
18 160.81.9.110 129ms 109ms 110ms TTL: 0 (sl-jdrush-3-0.sprintlink.net ok)
19 208.29.180.114 114ms 112ms 117ms TTL:230 (intentionally left blank to protect sender)

The user was sending mail from a company called "J.D. Rush" located in Virginia, USA. More information could be found about this person, but for our purposes, and to protect the person who sent this email, we won't go further. Accounts like Hotmail, Yahoo, and other free Web-based email accounts are great for protecting your real email address from spammers, but they don't protect your real identity (there are ways this can be done, but that is beyond the scope and purpose of this article).
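The header reading described above can be done programmatically. The following is an added example, not part of the original article: it parses the two Received lines from the sample and reports the client IP logged by the webmail server only when the hop above it is consistent. The function names and the regular expression are assumptions written for this sample's header format.

```python
import email
import ipaddress
import re

# Constructed sample: the two Received lines from the headers above (addresses masked as on the page).
RAW = (
    "Received: from web21204.mail.yahoo.com [216.136.131.77] by thundercloud.net\n"
    " (SMTPD32-7.04) id AF8B52D0080; Thu, 25 May 2006 17:00:43 -0500\n"
    "Received: from [208.29.180.114] by web21204.mail.yahoo.com via HTTP;"
    " Thu, 25 May 2006 15:00:42 PDT\n"
    "From: <xxx@yahoo.com>\n"
    "Subject: TEST\n"
    "\n"
    "body\n"
)

# Matches "from [host] [ip] by host [via HTTP]" as written by the two servers in this sample.
HOP = re.compile(
    r"from\s+(?:(?P<host>[\w.-]+)\s+)?\[(?P<ip>[0-9.]+)\]\s+by\s+(?P<by>[\w.-]+)"
    r"(?P<http>\s+via\s+HTTP)?",
    re.I,
)

def parse_hops(raw):
    """Return the Received hops, newest first (the order they appear in the message)."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append({"host": (m["host"] or "").lower(), "ip": m["ip"],
                         "by": m["by"].lower(), "http": bool(m["http"])})
    return hops

def webmail_origin(raw):
    """Return the client IP logged by the webmail front end, or None.

    Anything below your own server's Received line can be written by the sender,
    so the HTTP hop is reported only when the hop directly above it names the
    same host as its sender. This is a consistency check, not proof of origin.
    """
    hops = parse_hops(raw)
    for newer, older in zip(hops, hops[1:]):
        if older["http"] and newer["host"] == older["by"]:
            try:
                ip = ipaddress.ip_address(older["ip"])
            except ValueError:
                return None
            return str(ip) if ip.is_global else None  # ignore private/reserved space
    return None
```

Calling `webmail_origin(RAW)` on the sample returns the same address the article traced; a message whose top hop names a different sending host returns `None`.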