Tracing emails
20 years 10 months ago #2399
by toffee
Tracing emails was created by toffee
How can I find out who is sending me email from a certain Hotmail account? Is there any free software tool for that? Please help...
20 years 10 months ago #2400
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Tracing emails
You need to enable headers in whatever email software you're using (or in whichever web-based service you're using). The headers will look something like this:
[code:1]
Received: from [66.98.142.44] (helo=kygeek.org)
    by neptune.dnsprotect.com with smtp (Exim 4.24)
    id 1AVHjb-00005o-2d
    for xxxxx@firewall.cx; Sat, 13 Dec 2003 16:55:35 -0500
Received: (qmail 26108 invoked from network); 13 Dec 2003 21:52:17 -0000
Received: from localhost (HELO mail.thelocust.org) (127.0.0.1)
    by localhost with SMTP; 13 Dec 2003 21:52:17 -0000
Received: from 13.230.205.114
    (SquirrelMail authenticated user xxx@xxxlocust.org)
    by xxxl.xxxlocust.org with HTTP;
    Sat, 13 Dec 2003 16:52:17 -0500 (EST)
[/code:1]
Look at the last "Received" header (last as in the bottommost one); that will tell you the IP address of the person who sent it. In this case, it is from 13.230.205.114. Now that you have this IP, you can do a whois lookup to see who owns this IP. If it is an ISP, you email them and tell them the IP as well as the time noted above (the time is shown with offset from GMT). Then they can tell you which user had that IP address at that particular time. They don't necessarily have to cooperate with you though.
If the emails are threatening, you could consider getting the police involved; they will make sure the ISPs hand over the logs. In some countries, not keeping logs can be considered a crime.
If you post the headers to this forum, I'll help you read them.
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
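The manual reading described in the reply above, as an added example that is not part of the original post: the quoted headers are parsed with Python's standard `email` module, the hops are listed oldest first with timestamps normalized to UTC, and loopback or private relay addresses are skipped. `parse_hops` and `origin_lead` are names chosen for this example; any Received line added before your own mail server handled the message can be forged by the sender, so the result is a lead for a whois lookup or abuse report, not proof.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers quoted in the post above; continuation lines are indented (folded).
SAMPLE = """\
Received: from [66.98.142.44] (helo=kygeek.org)
 by neptune.dnsprotect.com with smtp (Exim 4.24)
 id 1AVHjb-00005o-2d
 for xxxxx@firewall.cx; Sat, 13 Dec 2003 16:55:35 -0500
Received: (qmail 26108 invoked from network); 13 Dec 2003 21:52:17 -0000
Received: from localhost (HELO mail.thelocust.org) (127.0.0.1)
 by localhost with SMTP; 13 Dec 2003 21:52:17 -0000
Received: from 13.230.205.114
 (SquirrelMail authenticated user xxx@xxxlocust.org)
 by xxxl.xxxlocust.org with HTTP;
 Sat, 13 Dec 2003 16:52:17 -0500 (EST)
"""

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = re.compile(rf"(?<![\d.]){OCTET}(?:\.{OCTET}){{3}}(?![\d.])")

def parse_hops(raw):
    """Return Received hops oldest-first as (sender_ips, utc_time)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        clause, _, stamp = " ".join(value.split()).rpartition(";")
        when = parsedate_to_datetime(stamp.strip())
        if when.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
            when = when.replace(tzinfo=timezone.utc)
        # Only the "from ..." part, before " by ", describes the sending side.
        sender = clause.split(" by ", 1)[0] if clause.startswith("from ") else ""
        ips = [ipaddress.ip_address(m) for m in IPV4.findall(sender)]
        hops.append((ips, when.astimezone(timezone.utc)))
    return hops

def origin_lead(raw):
    """Oldest hop with a public sender IP, plus its time in UTC (or None)."""
    for ips, when in parse_hops(raw):
        public = [str(ip) for ip in ips if ip.is_global]
        if public:
            return public[0], when.isoformat()
    return None

if __name__ == "__main__":
    print(origin_lead(SAMPLE))
```

The UTC timestamp is the one to quote alongside the IP when contacting the address owner, since their logs may be kept in a different time zone than the header shows.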
20 years 8 months ago #3069
by indebluez
Replied by indebluez on topic Re: Tracing emails
hi sahir how are u?
how do u enable the header? or how do u actually see it?
20 years 8 months ago #3070
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Tracing emails
Hey inde, I'm fine, been a bit busy,
Where you find the email headers depends on what email client you're using.. if you use Outlook Express you right click on the message, then click properties, then 'details'..
If you use webmail such as Yahoo or Hotmail, then go to your preferences and one of the options is to view the full headers. I usually just leave it on as it can be quite informative.. for example a cousin of mine was mailing me from his university computer lab, and when I looked at the headers I saw the lab server name so I visited it and saw the homepage of their batch with the projects they were working on. He hadn't shown me the website yet and was surprised that I'd found it.
20 years 8 months ago #3072
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: Tracing emails
Let me simply add that there is a program available called "Email tracker pro" which will automatically do all the above Sahir showed with a click of a button...
If on the other hand you're a hardcore networking admin/guru and like to know exactly how things work, then stick to Sahir's method!
20 years 8 months ago #3074
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Tracing emails
Yep, it is usually fairly simple.. just read the last 'Received from:' line.. however if the person used a proxy or something similar then it may be a little bit more involved, but once you get the hang of it it's really simple.