
clarification from an IP trace I did

PostPosted: Mon Sep 25, 2006 10:55 am
by r67a68
Hi,

I have been receiving emails from a fake Yahoo account. In the past, I did IP traces and all that came up was that it was from a Sympatico/Bell account. Well, the last email that they sent, this actually came up: Does this tell me with certainty that this person is a Government of Ontario employee? Any help would be great. I have not asked them yet to trace this person, as I am trying to see if this person will come forward on their own. I do not want someone to lose their job.


Computer 142.108.75.73 has been found. eMailTrackerPro has drawn information from its own database and from information specified by the owners of 142.108.75.73. Both sources tend to agree that the host is located around Toronto, ON, Canada

Network Contact Information: The following details refer to the network that the system is on.
Government of the Province of Ontario
[email protected]
+1-416-327-2700
155 University Ave 8th Floor Toronto ON M5H-3B7 CA


The sender claims to be Lori D at address [email protected], but this is very easily forged and as such not necessarily reliable.

Mandatory 'from' field is missing for a server along the route
There have been no apparent attempts to misdirect you as to the true sender of this email.

PostPosted: Mon Sep 25, 2006 11:19 pm
by robocoder
Are you certain the IP address wasn't forged in the email header?

That said, that IP address is assigned to the Government of Ontario -- moreover, it's from a netblock of 65000+ IP addresses assigned to them. However, the government has numerous offices both inside and outside of Toronto. You might be able to better narrow down the sender's location by geolocating IP addresses from previous email messages. (Still, over 56% of Ontario's population resides in the extended Golden Horseshoe...so Toronto isn't a bad guess.)

In any case, one can't say with 100% certainty who is at the other end of that IP address. If the content of the emails warrant outside intervention, then you should escalate the issue accordingly (with law enforcement, network contacts, etc).

I note that traceroute disappears into a blackhole (i.e., the router returns a private IP address).

PostPosted: Tue Sep 26, 2006 7:14 am
by r67a68
Hi

Thank you for the response. I am not certain that the IP wasn't forged in the header. This situation is very strange, so I am not sure at all. Here is the original header from the email. In previous emails that were sent, the IP address would just come back that it was a Bell IP in the Toronto area. The government IP is new, but I did suspect that the person who was sending these emails worked for the Ontario government. Please take a look at the headers and let me know what you think. Thank you so much for your help. Once I have a good idea, I will be escalating the situation.

X-Gmail-Received: 96bec3bbf8fdff74c6febf38908c645e77e463ab
Delivered-To: [email protected]
Received: by 10.35.92.16 with SMTP id u16cs172475pyl;
        Fri, 22 Sep 2006 11:58:14 -0700 (PDT)
Received: by 10.70.125.11 with SMTP id x11mr1569169wxc;
        Fri, 22 Sep 2006 11:58:13 -0700 (PDT)
Return-Path: <loridreams23>
Received: from web58208.mail.re3.yahoo.com (web58208.mail.re3.yahoo.com [68.142.236.146])
        by mx.gmail.com with SMTP id h8si4744034wxd.2006.09.22.11.58.13;
        Fri, 22 Sep 2006 11:58:13 -0700 (PDT)
Received-SPF: neutral (gmail.com: 68.142.236.146 is neither permitted nor denied by best guess record for domain of [email protected])
DomainKey-Status: good (test mode)
Received: (qmail 51257 invoked by uid 60001); 22 Sep 2006 18:58:12 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=s1024; d=yahoo.ca;
        h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
        b=MQp2nTMcoYKtiZn3PBHr6RHsX22TpcKbZUeZvKaVqBiZ9IXf4XhCWPUAWrUalhMBoeOHijJdx8Bf8IAVch1DBM1vdk7StSda5rhYyfk/ZfaKFGVn+qcrucswY6XJbW2OpgQ9Ogk2DjHTxledcpUPcZcoR9VSvUcmZZZuafOchKE= ;
Message-ID: <20060922185812>
Received: from [142.108.75.73] by web58208.mail.re3.yahoo.com via HTTP; Fri, 22 Sep 2006 14:58:12 EDT
Date: Fri, 22 Sep 2006 14:58:12 -0400 (EDT)
From: Lori D <loridreams23>
Subject: Re: Hi :-)
To: ANGELA MCKNIGHT <angela>
In-Reply-To: <8e6ea020609050842j459cd3c6s3a810cd029ae70c9>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-840612165-1158951492=:50160"
Content-Transfer-Encoding: 8bit
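The header chain from the post above, walked programmatically, as an added example that is not part of the thread and not eMailTrackerPro's code. The sample is a constructed copy of the posted headers, re-folded with leading whitespace on continuation lines so the standard-library parser accepts them; mailbox addresses are left exactly as the page shows them (some were stripped before capture), so they are not real addresses. The point the code makes explicit: Received headers are prepended as the message travels, so the only address the recipient's own infrastructure verified is the TCP peer that mx.gmail.com recorded (Yahoo's web server, 68.142.236.146). The Ontario address is what Yahoo's webmail server wrote for the browser that submitted the message, and it is only as trustworthy as that server. The yahoo.ca DomainKey signature lists Received in its h= field and sits above that line, so under the DomainKeys rules it covers it, which is what makes the line worth more than a bare claim.

```python
import re
from email import message_from_string

# Constructed sample: the header block posted in the thread, with continuation
# lines indented so a standard header parser unfolds them. Addresses are kept
# as the page shows them and are not real.
SAMPLE_HEADERS = """\
X-Gmail-Received: 96bec3bbf8fdff74c6febf38908c645e77e463ab
Delivered-To: [email protected]
Received: by 10.35.92.16 with SMTP id u16cs172475pyl;
        Fri, 22 Sep 2006 11:58:14 -0700 (PDT)
Received: by 10.70.125.11 with SMTP id x11mr1569169wxc;
        Fri, 22 Sep 2006 11:58:13 -0700 (PDT)
Return-Path: <loridreams23>
Received: from web58208.mail.re3.yahoo.com (web58208.mail.re3.yahoo.com [68.142.236.146])
        by mx.gmail.com with SMTP id h8si4744034wxd.2006.09.22.11.58.13;
        Fri, 22 Sep 2006 11:58:13 -0700 (PDT)
Received-SPF: neutral (gmail.com: 68.142.236.146 is neither permitted nor denied by best guess record for domain of [email protected])
DomainKey-Status: good (test mode)
Received: (qmail 51257 invoked by uid 60001); 22 Sep 2006 18:58:12 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=s1024; d=yahoo.ca;
        h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
        b=MQp2nTMcoYKtiZn3PBHr6RHsX22TpcKbZUeZvKaVqBiZ9IXf4XhCWPUAWrUalhMBoeOHijJdx8Bf8IAVch1DBM1vdk7StSda5rhYyfk/ZfaKFGVn+qcrucswY6XJbW2OpgQ9Ogk2DjHTxledcpUPcZcoR9VSvUcmZZZuafOchKE= ;
Message-ID: <20060922185812>
Received: from [142.108.75.73] by web58208.mail.re3.yahoo.com via HTTP; Fri, 22 Sep 2006 14:58:12 EDT
Date: Fri, 22 Sep 2006 14:58:12 -0400 (EDT)
From: Lori D <loridreams23>
Subject: Re: Hi :-)
To: ANGELA MCKNIGHT <angela>
In-Reply-To: <8e6ea020609050842j459cd3c6s3a810cd029ae70c9>
MIME-Version: 1.0
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?")


def parse_received(value):
    """Split one Received header into from-host, peer IP, receiving host and transport."""
    text = " ".join(value.split())                  # unfold, collapse whitespace
    clause, _, stamp = text.rpartition(";")         # the timestamp follows the last ';'
    hop = {"from": None, "from_ip": None, "by": None, "via": None,
           "stamp": stamp.strip(), "raw": text}
    m = FROM_RE.match(clause)
    if m:
        hop["from"] = m.group(1)
        # The bracketed IP in the comment is what the receiving server saw as its
        # TCP peer; a bare [ip] host literal (webmail submissions) is used otherwise.
        ip = IPV4_RE.search(m.group(2) or m.group(1))
        hop["from_ip"] = ip.group(1) if ip else None
    # Drop comments such as "(qmail ... invoked by uid ...)" before reading by/via.
    stripped = re.sub(r"\([^)]*\)", " ", clause)
    by = re.search(r"\bby\s+(\S+)", stripped)
    via = re.search(r"\bvia\s+(\S+)", stripped)
    hop["by"] = by.group(1) if by else None
    hop["via"] = via.group(1) if via else None
    return hop


def received_chain(raw_headers):
    """All Received hops in transit order (oldest first). Headers are prepended in
    transit, so the top-most header is the newest and gets reversed to the end."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def peer_of_own_mta(hops, own_hosts):
    """The first hop (newest first) that one of our own servers stamped with a peer
    IP. Only this address was verified by infrastructure we control; everything
    older could have been written by whoever ran the earlier servers."""
    for hop in reversed(hops):
        if hop["by"] in own_hosts and hop["from_ip"]:
            return hop["from_ip"]
    return None


def webmail_client_ip(hops):
    """The IP a webmail server recorded for the browser that composed the message,
    with the server that recorded it, so the reader knows whom they are trusting."""
    for hop in hops:
        if hop["via"] and hop["via"].upper() == "HTTP" and hop["from_ip"]:
            return hop["from_ip"], hop["by"]
    return None


def domainkey_signed_headers(raw_headers):
    """Header names listed in the DomainKey-Signature h= field. Under DomainKeys the
    signature covers the listed headers that appear below the signature line."""
    msg = message_from_string(raw_headers)
    sig = msg.get("DomainKey-Signature")
    if not sig:
        return []
    m = re.search(r"\bh=([^;]+)", " ".join(sig.split()))
    return [h.strip() for h in m.group(1).split(":")] if m else []


if __name__ == "__main__":
    chain = received_chain(SAMPLE_HEADERS)
    for hop in chain:
        print(f"{hop['from_ip'] or '-':>16} -> {hop['by'] or '-':<30} via {hop['via'] or 'SMTP'}")
    print("verified peer of our MX:", peer_of_own_mta(chain, {"mx.gmail.com"}))
    print("webmail client as recorded by Yahoo:", webmail_client_ip(chain))
    print("DomainKey covers Received:", "Received" in domainkey_signed_headers(SAMPLE_HEADERS))
```

Run against the sample, the chain has five hops; the verified peer is 68.142.236.146, and the 142.108.75.73 address is reported together with web58208.mail.re3.yahoo.com as the host that vouches for it. Whether the IP was spoofed at the Yahoo end reduces to whether you believe Yahoo's server recorded its HTTP client correctly; nothing in the headers can prove who was sitting at that address, which is the escalation point the thread reaches.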

PostPosted: Sun Oct 08, 2006 8:32 pm
by robocoder
Yeah, 142.108.75.73 appears to be the source IP address of that email.