clarification from an IP trace I did


Postby r67a68 on Mon Sep 25, 2006 10:55 am

Hi,

I have been receiving emails from a fake Yahoo account. In the past, I did IP traces and all that came up was that it was from a Sympatico/Bell acct. Well, the last email that they sent, this actually came up. Does this tell me with certainty that this person is a Government of Ontario employee? Any help would be great. I have not asked them yet to trace this person, as I am trying to see if this person will come forward on their own. I do not want someone to lose their job.


Computer 142.108.75.73 has been found. eMailTrackerPro has drawn information from its own database and from information specified by the owners of 142.108.75.73. Both sources tend to agree that the host is located around Toronto, ON, Canada

Network Contact Information: The following details refer to the network that the system is on.
Government of the Province of Ontario
[email protected]
+1-416-327-2700
155 University Ave 8th Floor Toronto ON M5H-3B7 CA


The sender claims to be Lori D at address [email protected], but this is very easily forged and as such not necessarily reliable.

Mandatory 'from' field is missing for a server along the route
There have been no apparent attempts to misdirect you as to the true sender of this email.

Postby robocoder on Mon Sep 25, 2006 11:19 pm

Are you certain the IP address wasn't forged in the email header?

That said, that IP address is assigned to the Government of Ontario -- moreover, it's from a netblock of 65000+ IP addresses assigned to them. However, the government has numerous offices both inside and outside of Toronto. You might be able to better narrow down the sender's location by geolocating IP addresses from previous email messages. (Still, over 56% of Ontario's population resides in the extended Golden Horseshoe...so Toronto isn't a bad guess.)

In any case, one can't say with 100% certainty who is at the other end of that IP address. If the content of the emails warrant outside intervention, then you should escalate the issue accordingly (with law enforcement, network contacts, etc).

I note that traceroute disappears into a blackhole (i.e., the router returns a private IP address).

Postby r67a68 on Tue Sep 26, 2006 7:14 am

Hi,

Thank you for the response. I am not certain that the IP wasn't forged in the header. This situation is very strange, so I am not sure at all. Here is the original header from the email. In previous emails that were sent, the IP address would just come back as a Bell IP in the Toronto area. The government IP is new, but I did suspect that the person who was sending these emails worked for the Ontario government. Please take a look at the headers and let me know what you think. Thank you so much for your help. Once I have a good idea, I will be escalating the situation.

X-Gmail-Received: 96bec3bbf8fdff74c6febf38908c645e77e463ab
Delivered-To: [email protected]
Received: by 10.35.92.16 with SMTP id u16cs172475pyl;
        Fri, 22 Sep 2006 11:58:14 -0700 (PDT)
Received: by 10.70.125.11 with SMTP id x11mr1569169wxc;
        Fri, 22 Sep 2006 11:58:13 -0700 (PDT)
Return-Path: <loridreams23>
Received: from web58208.mail.re3.yahoo.com (web58208.mail.re3.yahoo.com [68.142.236.146])
        by mx.gmail.com with SMTP id h8si4744034wxd.2006.09.22.11.58.13;
        Fri, 22 Sep 2006 11:58:13 -0700 (PDT)
Received-SPF: neutral (gmail.com: 68.142.236.146 is neither permitted nor denied by best guess record for domain of [email protected])
DomainKey-Status: good (test mode)
Received: (qmail 51257 invoked by uid 60001); 22 Sep 2006 18:58:12 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=s1024; d=yahoo.ca;
        h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
        b=MQp2nTMcoYKtiZn3PBHr6RHsX22TpcKbZUeZvKaVqBiZ9IXf4XhCWPUAWrUalhMBoeOHijJdx8Bf8IAVch1DBM1vdk7StSda5rhYyfk/ZfaKFGVn+qcrucswY6XJbW2OpgQ9Ogk2DjHTxledcpUPcZcoR9VSvUcmZZZuafOchKE= ;
Message-ID: <20060922185812>
Received: from [142.108.75.73] by web58208.mail.re3.yahoo.com via HTTP; Fri, 22 Sep 2006 14:58:12 EDT
Date: Fri, 22 Sep 2006 14:58:12 -0400 (EDT)
From: Lori D <loridreams23>
Subject: Re: Hi :-)
To: ANGELA MCKNIGHT <angela>
In-Reply-To: <8e6ea020609050842j459cd3c6s3a810cd029ae70c9>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-840612165-1158951492=:50160"
Content-Transfer-Encoding: 8bit

Postby robocoder on Sun Oct 08, 2006 8:32 pm

Yeah, 142.108.75.73 appears to be the source IP address of that email.
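The reasoning robocoder applies above (read the Received chain bottom-up, and remember that only the lines written by your own mail system are beyond the sender's control) can be done mechanically. The script below is an added example, not code from the thread or from eMailTrackerPro. It walks the header block r67a68 posted, re-folded with indented continuation lines so that Python's email parser accepts it and trimmed to the lines the analysis uses; the redacted addresses are replaced with placeholder addresses, and treating gmail.com as the recipient's own mail domain is an assumption taken from the by mx.gmail.com line. It reports the claimed origin IP, which server wrote that line, whether that line sits below the point where the chain stops being written by the recipient's own servers, the SPF result, and whether the sender's DomainKey signature lists Received among the signed headers.

```python
"""Walk an email's Received chain: find the claimed origin IP and the point
where the chain stops being written by the recipient's own mail system."""
import ipaddress
import re
from email import message_from_string

# Header block from the thread above, trimmed and re-folded for the parser.
# Redacted addresses are replaced with placeholders (example.invalid).
SAMPLE_HEADERS = """\
Delivered-To: recipient@example.invalid
Received: by 10.35.92.16 with SMTP id u16cs172475pyl;
        Fri, 22 Sep 2006 11:58:14 -0700 (PDT)
Received: by 10.70.125.11 with SMTP id x11mr1569169wxc;
        Fri, 22 Sep 2006 11:58:13 -0700 (PDT)
Return-Path: <loridreams23>
Received: from web58208.mail.re3.yahoo.com (web58208.mail.re3.yahoo.com [68.142.236.146])
        by mx.gmail.com with SMTP id h8si4744034wxd.2006.09.22.11.58.13;
        Fri, 22 Sep 2006 11:58:13 -0700 (PDT)
Received-SPF: neutral (gmail.com: 68.142.236.146 is neither permitted nor denied by best guess record for domain of sender@example.invalid)
DomainKey-Status: good (test mode)
Received: (qmail 51257 invoked by uid 60001); 22 Sep 2006 18:58:12 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=s1024; d=yahoo.ca;
        h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
        b=MQp2nTMcoYKtiZn3PBHr6RHsX22TpcKbZUeZvKaVqBiZ9IXf4XhCWPUAWrUalhMBoeOHijJdx8Bf8IAVch1DBM1vdk7StSda5rhYyfk/ZfaKFGVn+qcrucswY6XJbW2OpgQ9Ogk2DjHTxledcpUPcZcoR9VSvUcmZZZuafOchKE= ;
Message-ID: <20060922185812>
Received: from [142.108.75.73] by web58208.mail.re3.yahoo.com via HTTP; Fri, 22 Sep 2006 14:58:12 EDT
Date: Fri, 22 Sep 2006 14:58:12 -0400 (EDT)
From: Lori D <loridreams23>

"""

FROM_RE = re.compile(r'\bfrom\s+(.+?)(?=\s+by\s|\s+with\s|\s+via\s|;|$)', re.I)
BY_RE = re.compile(r'\bby\s+(\S+)', re.I)
IPV4_RE = re.compile(r'(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])')


def received_hops(raw_headers):
    """Received lines newest-first: the sending side named after 'from', the
    receiving host after 'by', and the first IPv4 literal in the sending side
    (None where the line has no from-clause, e.g. internal or qmail hops)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all('Received', []):
        text = ' '.join(value.split())          # unfold continuation lines
        from_m = FROM_RE.search(text)
        by_m = BY_RE.search(text)
        sender = from_m.group(1) if from_m else None
        ip_m = IPV4_RE.search(sender) if sender else None
        hops.append({'from': sender,
                     'by': by_m.group(1) if by_m else None,
                     'ip': ip_m.group(1) if ip_m else None})
    return hops


def trust_boundary(hops, own_hosts):
    """Index of the newest hop that one of our own mail hosts received from an
    outside server. That line was written by a party the recipient trusts; every
    older line was written by other servers and is only as reliable as they are."""
    for i, hop in enumerate(hops):
        by = hop['by'] or ''
        ours = any(by == h or by.endswith('.' + h) for h in own_hosts)
        if ours and hop['from'] and not any(h in hop['from'] for h in own_hosts):
            return i
    return None


def claimed_origin(hops):
    """Oldest hop naming a sending IP: the first server that accepted the message
    from the submitting client (for webmail, the 'from [ip] ... via HTTP' line)."""
    for i in range(len(hops) - 1, -1, -1):
        if hops[i]['ip']:
            return i, hops[i]
    return None, None


def domainkey_signed_headers(raw_headers):
    """Header names listed in the h= tag of a DomainKey-Signature, if any."""
    sig = message_from_string(raw_headers).get('DomainKey-Signature')
    for tag in ' '.join((sig or '').split()).split(';'):
        tag = tag.strip()
        if tag.startswith('h='):
            return tag[2:].split(':')
    return []


def analyze(raw_headers, own_hosts=('gmail.com',)):
    """Summarise what the chain supports; own_hosts is the recipient's mail domain
    (assumed to be gmail.com for the sample, from the 'by mx.gmail.com' hop)."""
    hops = received_hops(raw_headers)
    boundary = trust_boundary(hops, own_hosts)
    idx, origin = claimed_origin(hops)
    spf = message_from_string(raw_headers).get('Received-SPF')
    return {
        'origin_ip': origin['ip'] if origin else None,
        'origin_written_by': origin['by'] if origin else None,
        'origin_is_private': bool(origin) and ipaddress.ip_address(origin['ip']).is_private,
        # True means a third party's server, not ours, vouches for the origin line.
        'origin_below_trust_boundary': boundary is not None and idx is not None and idx > boundary,
        'handoff_ip_to_us': hops[boundary]['ip'] if boundary is not None else None,
        'spf': spf.split()[0].lower() if spf else None,
        'domainkey_covers_received': 'Received' in domainkey_signed_headers(raw_headers),
    }


if __name__ == '__main__':
    for key, val in analyze(SAMPLE_HEADERS).items():
        print(f'{key}: {val}')
```

For the posted headers the origin line is written by web58208.mail.re3.yahoo.com, below the trust boundary, so the 142.108.75.73 claim is exactly as reliable as Yahoo's webmail front end, no more and no less; the only address Gmail itself observed is 68.142.236.146, the Yahoo server that handed the message over. The DomainKey h= list naming Received shows that Yahoo signed headers including a Received line, but this example does not fetch the DNS key or verify the signature, so that remains an observation rather than a proof.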
