Does anybody know how to track IPs?



visible11
11-13-2006, 10:18 AM
Hi:
I'm using the headers to see the originating IPs, but which one do I use? I see one next to the word HELO. I got 3 emails from pretty ladies in Global-date-com and one IP came from US, 1 from Germany and 1 from Ukraine. Wonder which girl is real! Does it make any difference what email they are using? One is using googlemail.com, the other is using gmail and the 3rd one is using a private email or work email. Anybody who knows, can you please tell me so I would be aware of scammers.
Thanks

Giles
11-13-2006, 10:37 AM
Post one of the headers here and I'll tell you which one to use. Just edit out your information so others can't see it.

No, scammers will use any email address.

Giles

visible11
11-13-2006, 12:07 PM
1st Lady:
MIME-Version: 1.0
Received: from mail2.secureserver50.com ([67.15.229.9]) by bay0-mc6-f11.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Fri, 10 Nov 2006 05:03:50 -0800
Received: (qmail 19108 invoked by uid 399); 10 Nov 2006 13:03:42 -0000
Received: from unknown (HELO ?172.16.10.23?) (195.5.125.3) by web2.secureserver50.com with SMTP; 10 Nov 2006 13:03:42 -0000
X-Message-Info: LsUYwwHHNt3660MmjhEvYg2f34OAemlK3oXsmRrh6gU=
X-Mailer: The Bat! (v3.5.25) Professional
References: <BAY118-F1F583285976E6097E416FD6F00@phx.gbl>
Return-Path: yuli@ft-continental.com
X-OriginalArrivalTime: 10 Nov 2006 13:03:50.0731 (UTC) FILETIME=[AAB509B0:01C704C8
------------------------------------
2nd Lady:
MIME-Version: 1.0
Received: from ug-out-1314.google.com ([66.249.92.174]) by bay0-mc10-f7.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Fri, 10 Nov 2006 06:13:35 -0800
Received: by ug-out-1314.google.com with SMTP id m3so605118ugc for <latixxxx@hotmail.com>; Fri, 10 Nov 2006 06:13:35 -0800 (PST)
Received: by 10.66.244.10 with SMTP id r10mr3418419ugh.1163168014616; Fri, 10 Nov 2006 06:13:34 -0800 (PST)
Received: from 192.168.40.193 ( [82.211.136.14]) by mx.google.com with ESMTP id 30sm2435773ugf.2006.11.10.06.13.25; Fri, 10 Nov 2006 06:13:33 -0800 (PST)
X-Message-Info: LsUYwwHHNt3660MmjhEvYg2f34OAemlK3oXsmRrh6gU=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:date:from:x-mailer:reply-to:x-priority:message-id:to:subject:in-reply-to:references:mime-version:content-type; b=ppoDvT6OQlC3yzXVenLEh8d2s20mVtVxN007HKIwo+uRNwjM KQOM+ArFv+T14OkJZZIKZ7JbT6MK+BGTk8INNuuoJLKno+aFP9 pd1cfxqFVaHQVPigR7gcY5XCJCf9yYKqL9Tc7q+Ym6rzyInLdn 0rZpN+HnHxSTjIOilvHjWuk=
Return-Path: <esamoshina@gmail.com>
X-Mailer: The Bat! (v1.62r) UNREG / CD5BF9353B3B7091
References: <BAY118-F1075774C1751384C98510DD6F00@phx.gbl>
X-OriginalArrivalTime: 10 Nov 2006 14:13:35.0968 (UTC) FILETIME=[694D8600:01C704D2
------------------------------
3rd Lady:
MIME-Version: 1.0
Received: from nf-out-0910.google.com ([64.233.182.190]) by bay0-mc11-f18.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Fri, 10 Nov 2006 11:20:08 -0800
Received: by nf-out-0910.google.com with SMTP id q29so1262634nfc for <latixxxxx@hotmail.com>; Fri, 10 Nov 2006 11:20:07 -0800 (PST)
Received: by 10.49.91.6 with SMTP id t6mr5774699nfl.1163186407121; Fri, 10 Nov 2006 11:20:07 -0800 (PST)
Received: from ADSL ( [81.169.226.162]) by mx.google.com with ESMTP id n22sm5049789nfc.2006.11.10.11.18.50; Fri, 10 Nov 2006 11:20:03 -0800 (PST)
X-Message-Info: LsUYwwHHNt3rvZsz2Z/cVwAqF9JLFcco8NRp9CqN6gc=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=googlemail.com; h=received:date:from:x-mailer:reply-to:x-priority:message-id:to:subject:mime-version:content-type; b=d2cwF4/YjZhdTap/0lsw+rWrOKeIXp1RKqdSs6znFnC+kg5P90kaBthQRHNfmRcrqe vbEutL5159XDFh5wh6A7ssGgrQ9+H18KncwD+VOlLfdicsvyfT nlBgYT/eoF+CcNOHmVlHzt93/GpvPGIoImdft1GTof2IyBmIaGXQs7I=
Return-Path: <lyudnalamila@googlemail.com>
X-Mailer: Voyager (v3.85.03) Professional
X-OriginalArrivalTime: 10 Nov 2006 19:20:08.0410 (UTC) FILETIME=[3C0D73A0:01C704FD
-----------------------------------------
None shows Ukraine or Russia. Are these potential scammers, so I can be on the lookout?
Thanks

imported_admin
11-13-2006, 12:35 PM
1) 195.5.125.3

inetnum: 195.5.124.0 - 195.5.125.255
netname: LUGANET
descr: LugaNet ltd network
country: UA
org: ORG-LL23-RIPE
admin-c: LDO15-RIPE
tech-c: LDO15-RIPE
status: ASSIGNED PI
mnt-by: LUGANET-MNT
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: LUGANET-MNT
mnt-domains: LUGANET-MNT
source: RIPE # Filtered

organisation: ORG-LL23-RIPE
org-name: Luganet Ltd
org-type: NON-REGISTRY
address: Mirniy 14/80, Lugansk, 91015, Ukraine
e-mail: matvey@luga.net.ua
mnt-ref: MIROTEL-MNT
mnt-by: MIROTEL-MNT
source: RIPE # Filtered

person: Likhno Dmitriy Olegovich
address: 91015 Ukraine, Lugansk, kv. Mirniy 14/80
phone: +380642335331
nic-hdl: LDO15-RIPE
source: RIPE # Filtered

% Information related to '195.5.124.0/23AS39728'

route: 195.5.124.0/23
descr: LUGANET Ltd.
descr: Lugansk, Ukraine
origin: AS39728
mnt-by: LUGANET-MNT
source: RIPE # Filtered

2) 82.211.136.14 (proxy)

inetnum: 82.211.128.0 - 82.211.191.255
org: ORG-NPEL1-RIPE
netname: CY-PLANETSKY-20031014
descr: PROVIDER Local Registry
descr: Net Planet Earth Lmited
country: CY
admin-c: PSKY-RIPE
tech-c: PSKY-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: NPE-MNT
mnt-routes: NPE-MNT
source: RIPE # Filtered

organisation: ORG-NPEL1-RIPE
org-name: Net Planet Earth Lmited
org-type: LIR
address: 6, Vasili Vryonides Str.
Gala Court Chambers, PO box 52080
address: 4060
address: Limassol
address: Cyprus
phone: +357 25 817 204
fax-no: +357 25 817 211
e-mail: lir@planetsky.com
admin-c: AP21455-RIPE
admin-c: AN9999-RIPE
admin-c: PC9999-RIPE
mnt-ref: NPE-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

role: Planetsky Ltd. Netmaster
org: ORG-NPEL1-RIPE
address: 6, Vasili Vryonides Str.
address: Gala Court Chambers
address: PO box 52080
address: 4060 Limassol, Cyprus
phone: +357 25 817204
fax-no: +357 25 817211
e-mail: ripe@planetsky.com
admin-c: ZAK-RIPE
tech-c: ZAK-RIPE
nic-hdl: PSKY-RIPE
remarks: Role Object for Planetsky Ltd.
remarks: For urgent operational issues, change requests, routing
remarks: policies, etc please contact noc@planetsky.com
remarks: For portscans, DoS attacks and spam complaints please
remarks: contact abuse@planetsky.com
remarks: Please include all headers and logs where appropriate.
mnt-by: NPE-MNT
source: RIPE # Filtered

% Information related to '82.211.136.0/22AS21455'

route: 82.211.136.0/22
descr: PlanetSky Com-tonet Teleport
origin: AS21455
mnt-by: NPE-MNT
source: RIPE # Filtered

3) 81.169.226.162 (proxy too)

inetnum: 81.169.224.0 - 81.169.239.255
netname: SKYDSL1
descr: SkyDSL
country: DE
admin-c: CM265-RIPE
tech-c: XX1-RIPE
tech-c: WB14-RIPE
status: ASSIGNED PA
mnt-by: STRATO-RZG-MNT
mnt-lower: STRATO-RZG-MNT
mnt-routes: STRATO-RZG-MNT
source: RIPE # Filtered

person: Christian Mueller
address: Cronon AG
address: Pascalstrasse 10
address: D-10587 Berlin
address: Germany
phone: +49 30 398020
fax-no: +49 30 39802222
abuse-mailbox: abuse@strato.de
nic-hdl: CM265-RIPE
remarks: see also: XX1-RIPE CM5081-NSI CM1-ABC SOUL-RIPE
mnt-by: CRONON-MNT
source: RIPE # Filtered

person: Christian Xaver Mueller
address: Cronon AG
address: Pascalstrasse 10
address: D-10587 Berlin
address: Germany
phone: +49 30 398020
fax-no: +49 30 39 802-222
abuse-mailbox: abuse@strato.de
nic-hdl: XX1-RIPE
remarks: see also: CM265-RIPE SOUL-RIPE
mnt-by: CRONON-MNT
source: RIPE # Filtered

person: Wilhelm Boeddinghaus
address: Strato Rechenzentrum GmbH
address: Pascalstrasse 10
address: D-10587 Berlin
address: Germany
phone: +49 30 39802-0
fax-no: +49 30 39802-222
nic-hdl: WB14-RIPE
remarks: see also INTERNIC: >WB131<
mnt-by: CRONON-MNT
source: RIPE # Filtered

% Information related to '81.169.192.0/18AS6724'

route: 81.169.192.0/18
descr: Strato Rechenzentrum
origin: AS6724
mnt-by: STRATO-RZG-MNT
source: RIPE # Filtered

Giles
11-13-2006, 12:50 PM
Ahh, Admin beat me to it. Anyway, as I was just doing the message, I'll post it.


Hi,

1st Lady.
Well, for a start she is using "The Bat"; a lot of scammers use that. The IP 195.5.125.3 resolves to Luganet in the Ukraine.
Possible scammer. Where does she say she's from?

2nd Lady
Again using "The Bat". The IP address 82.211.136.14 resolves to Limassol in Cyprus. IP 82.211.136.14 - this is a Cyprus Planetsky satellite provider that provides satellite Internet access for Mari El. When you see "Cyprus", that means Mari El. That information is from a very good source.
So again I would say that is a scammer.
Mari EL is well known for a gang of scammers, they post fake profiles all over the internet.

3rd Lady
IP 81.169.226.162 resolves to Pascalstrasse 10, Berlin
She is using an email programme called Voyager which I don't know anything about.
Not sure, could be fake again.

The way to track an IP is to use the second IP address in the header. You can then go to this site to check the information of the IP:
http://www.whois-search.com/

Another thing about the Internet in Russia is that the IP address should resolve to the location that the person says they are from. In Europe it usually goes to the user's ISP instead. My IP address resolves to a city 100 miles from where I live.

If you want to PM me more details where you meet them so I can see the profiles, I may even be able to find the Scam reports for them.

Bye

visible11
11-13-2006, 01:58 PM
Hello Admin:
So what does this tell me? 1st lady says she is in Crimea Region Simferopol, and internet is in Lugansk, and next 2 ladies may be false. Hmm... I'm beginning to lose hope on online dating..hehehe

imported_admin
11-13-2006, 02:57 PM
Hi visible11,

> So what does this tell me?

She tells she is in Simferopol -> Letters come from Lugansk -> Scam!!!
She tells she is in Russia -> Letters come from Cyprus (Germany, ...) -> Scam!!!

Post them here: http://www.stop-scammers.com/scamreport.asp and don't waste time or play the game knowing they are scammers.

visible11
11-13-2006, 05:29 PM
X-Apparently-To: taxx85@yahoo.com via 209.73.179.70; Wed, 16 Aug 2006 11:22:20 -0700
X-Originating-IP: [64.233.162.205]
Return-Path: <tatyiana.sweety@gmail.com>
Authentication-Results: mta437.mail.mud.yahoo.com from=gmail.com; domainkeys=pass (ok)
Received: from 64.233.162.205 (EHLO nz-out-0102.google.com) (64.233.162.205) by mta437.mail.mud.yahoo.com with SMTP; Wed, 16 Aug 2006 06:27:20 -0700
Received: by nz-out-0102.google.com with SMTP id z6so82205nzd for <taxx85@yahoo.com>; Wed, 16 Aug 2006 06:27:13 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:date:from:x-mailer:reply-to:x-priority:message-id:to:subject:in-reply-to:references:mime-version:content-type; b=RgzIvb5jab26W+mxPvj4OZKOf0Rt7eevZlerQaWbrbyOB4Ph MSM7yMaLNu2RgJbRPYud7KKbyxr3jdHxxDwCW7h68a9Cp6kQ8m VIAn4iwUvjCrCrMlN1GrnC4AIks5NpMt3d7qqNEhjysk/7Pjthe8L0fx1BLvyIUZhOgo8jGDo=
Received: by 10.65.114.11 with SMTP id r11mr583808qbm; Wed, 16 Aug 2006 06:27:12 -0700 (PDT)
Return-Path: <tatyiana.sweety@gmail.com>
Received: from 192.168.0.160 ( [75.7.34.46]) by mx.gmail.com with ESMTP id a29sm221688qbd.2006.08.16.06.26.50; Wed, 16 Aug 2006 06:27:11 -0700 (PDT)
Date: Wed, 16 Aug 2006 11:08:52 +0400
From: "tatyiana.sweety" <tatyana.sweety@gmail.com>
X-Mailer: The Bat! (v1.62r)
Reply-to: "tatyiana.sweety" <tatyiana.sweety@gmail.com>
X-Priority: 3 (Normal)
Message-ID: <1353018244.20060816110852@gmail.com>
To: "taxx85" <taxx85@yahoo.com>
Subject: Hello my love Tony!
In-Reply-To: <20060815082024.2897.qmail@web61316.mail.yahoo.com >
References: <20060815082024.2897.qmail@web61316.mail.yahoo.com >
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------AC17F6B3B69EAAB"
Content-Length: 239259
--------------------------------------------------
This person is the one who has written the most letters (40) plus 52 pictures, all the same girl, but by coincidence I saw one picture of her in the scammers list. I confronted her but she denied it and didn't explain. I was thinking hard on her due to the many letters almost every day, but she never asked me for anything so far. Now she writes less as I also don't respond rapidly, but I told her that I need to talk to her on the phone and she says it's difficult. Well, now I use the headers and she is using the BAT. Last time she wrote, she was talking of planning a meeting. Her English looks Russian, but I'm surprised all IPs are from USA, or am I wrong? Kind of worried as I sent her my physical address but she never sent me hers, and she says she is in Kazan, Russia, but in the scammer list the person named is one from Nigeria, but the English is not Nigerian as I now can distinguish this. They talk a lot about "baby" and "OK" phrases.
Let me see what you can find.
Thanks

davismccarn
11-17-2006, 03:37 PM
I'll answer the question so you can all find out for yourselves!
IpNetinfo (www.nirsoft.net) is a great little, no install, freeware app that prompts you to type in an IP Address (paste it from the E-Mail header) and then displays the whois information for you.

Computer-Help.Net for over 30 years now.

bond0007
12-07-2006, 04:16 PM
Hello, I am also giving the header from a lady I have been speaking with for the last few days. She is saying that she is from Cheboksary. Can you please tell me from the IP where these emails are coming from? Please reply to me.

Return-Path: <xxxxxxxxxxxxxxx@rambler.ru>
Delivered-To: xxxxxxxxxxxxxxx@f4.p19.mail.in.rediffmail.com@rediffmail.com
Received: (qmail 7892 invoked from network); 6 Dec 2006 14:31:10 -0000
Received: from unknown (HELO mxb.rambler.ru) (81.19.66.30)
by 0 with SMTP; 6 Dec 2006 14:31:10 -0000
Received: from mailc.rambler.ru (mailc.rambler.ru [81.19.66.27])
by mxb.rambler.ru (Postfix) with ESMTP id 1055043497
for <xxxxxxxxxxxxxxxxxxxxxxx>; Wed, 6 Dec 2006 17:34:50 +0300 (MSK)
Received: from comp3 (accel-de.planetsky.com [82.211.152.12] (may be forged))
(authenticated bits=0)
by mailc.rambler.ru (8.13.6/8.13.6) with ESMTP id kB6EYjxk015593
for <xxxxxxxxxxxxxxxxxxx>; Wed, 6 Dec 2006 17:34:48 +0300 (MSK)
Date: Wed, 6 Dec 2006 13:56:02 +0300
From: xxxxxxxxxxxxxxx <xxxxxxxxxxxxxxxxxx@rambler.ru>
X-Mailer: The Bat! (v3.85.03) Professional
Reply-To: xxxxxxxxxxxxxxxxxx<xxxxxxxxxxxxxxxxx@rambler.ru>
X-Priority: 3 (Normal)
Message-ID: <322205681.20061206135602@rambler.ru>
To: xxxxxxxxxxxxxxx<xxxxxxxxxxxxxxxxx.com>
Subject: Re: Re
In-Reply-To: <1165230756.S.2907.26694.webmail78.rediffmail.com.old.1165233443.17182@webmail.rediffmail.com>
References: <1165230756.S.2907.26694.webmail78.rediffmail.com.old.1165233443.17182@webmail.rediffmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-5
Content-Transfer-Encoding: quoted-printable

davismccarn
12-07-2006, 06:09 PM
"I'll answer the question so you can all find out for yourselves!
IpNetinfo (www.nirsoft.net) is a great little, no install, freeware app that prompts you to type in an IP Address (paste it from the E-Mail header) and then displays the whois information for you. Download it, install it, and then paste the IP Address from your suspect E-Mail into the window and click OK.

In an E-Mail, the actual sending machine is the bottommost IP Address. In your case it is:
Received: from comp3 (accel-de.planetsky.com [82.211.152.12] (may be forged))
Here is what IPNetInfo returned:
inetnum: 82.211.128.0 - 82.211.191.255
org: ORG-NPEL1-RIPE
netname: CY-PLANETSKY-20031014
descr: PROVIDER Local Registry
descr: Net Planet Earth Lmited
country: CY
admin-c: PSKY-RIPE
tech-c: PSKY-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: NPE-MNT
mnt-routes: NPE-MNT
source: RIPE # Filtered

organisation: ORG-NPEL1-RIPE
org-name: Net Planet Earth Lmited
org-type: LIR
address: 6, Vasili Vryonides Str.
Gala Court Chambers, PO box 52080
address: 4060
address: Limassol
address: Cyprus
phone: +357 25 817 204
fax-no: +357 25 817 211
e-mail: lir@planetsky.com
admin-c: AP21455-RIPE
admin-c: AN9999-RIPE
admin-c: PC9999-RIPE
mnt-ref: NPE-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

role: Planetsky Ltd. Netmaster
org: ORG-NPEL1-RIPE
address: 6, Vasili Vryonides Str.
address: Gala Court Chambers
address: PO box 52080
address: 4060 Limassol, Cyprus
phone: +357 25 817204
fax-no: +357 25 817211
e-mail: ripe@planetsky.com
admin-c: ZAK-RIPE
tech-c: ZAK-RIPE
nic-hdl: PSKY-RIPE
remarks: Role Object for Planetsky Ltd.
remarks: For urgent operational issues, change requests, routing
remarks: policies, etc please contact noc@planetsky.com
remarks: For portscans, DoS attacks and spam complaints please
remarks: contact abuse@planetsky.com
remarks: Please include all headers and logs where appropriate.
mnt-by: NPE-MNT
source: RIPE # Filtered



Computer-Help.Net for over 30 years now.

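The rule given in the posts above (read the Received lines from the bottom up and look up the first public address the receiving server recorded) as an added Python example that is not part of any post in this thread. The function names are made up for illustration; private addresses such as the 172.16.10.23 given in HELO are chosen by the sending machine and are skipped, and sendmail's "may be forged" note on the client name is reported as a flag.

```python
import ipaddress
import re
from email import message_from_string

# Received lines copied from two headers posted in this thread; the folding
# whitespace lost in the forum archive is restored in the second sample.
HEADERS_QMAIL = """\
Received: from mail2.secureserver50.com ([67.15.229.9]) by bay0-mc6-f11.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Fri, 10 Nov 2006 05:03:50 -0800
Received: (qmail 19108 invoked by uid 399); 10 Nov 2006 13:03:42 -0000
Received: from unknown (HELO ?172.16.10.23?) (195.5.125.3) by web2.secureserver50.com with SMTP; 10 Nov 2006 13:03:42 -0000
"""
HEADERS_SENDMAIL = """\
Received: from unknown (HELO mxb.rambler.ru) (81.19.66.30)
 by 0 with SMTP; 6 Dec 2006 14:31:10 -0000
Received: from mailc.rambler.ru (mailc.rambler.ru [81.19.66.27])
 by mxb.rambler.ru (Postfix) with ESMTP id 1055043497
 for <xxxxxxxxxxxxxxxxxxxxxxx>; Wed, 6 Dec 2006 17:34:50 +0300 (MSK)
Received: from comp3 (accel-de.planetsky.com [82.211.152.12] (may be forged))
 (authenticated bits=0)
 by mailc.rambler.ru (8.13.6/8.13.6) with ESMTP id kB6EYjxk015593
 for <xxxxxxxxxxxxxxxxxxx>; Wed, 6 Dec 2006 17:34:48 +0300 (MSK)
"""
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def received_hops(raw_headers):
    """One dict per Received line, ordered from the sender towards the recipient.
    Only the "from ..." clause (the connecting client) is examined."""
    hops = []
    for value in reversed(message_from_string(raw_headers).get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        client = value.split(" by ", 1)[0] if value.startswith("from ") else ""
        ips = []
        for text in IPV4.findall(client):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:  # e.g. an octet above 255
                pass
        hops.append({
            "public": [str(ip) for ip in ips if ip.is_global],
            "private": [str(ip) for ip in ips if ip.is_private],
            "name_unverified": "may be forged" in client,
        })
    return hops

def first_public_ip(raw_headers):
    """Walk bottom-up and return (ip, hop) for the first public client address."""
    for hop in received_hops(raw_headers):
        if hop["public"]:
            return hop["public"][0], hop
    return None, None

if __name__ == "__main__":
    for sample in (HEADERS_QMAIL, HEADERS_SENDMAIL):
        print(first_public_ip(sample))
```

The address it returns is what goes into the whois lookup; Received lines below the first server you trust are written by the sender's side and cannot be verified from the header alone.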

bond0007
12-07-2006, 07:45 PM
Does that mean that this email is from Cheboksary, Russia?

davismccarn
12-07-2006, 09:37 PM
No, Cyprus.

Computer-Help.Net for over 30 years now.

bond0007
12-08-2006, 07:07 AM
Thanks for your kind reply ......... "Cyprus", that means Mari El? Means somewhere from Russia?

I guess this is a scam? I was told that he/she stays in Cheboksary, from an Internet cafe. Is it possible that the IP may show differently?

davismccarn
12-08-2006, 10:23 AM
Cyprus is an island in the Mediterranean Sea and is not part of Russia. Yes, it is most probably a scam.

Computer-Help.Net for over 30 years now.

bond0007
12-08-2006, 12:23 PM
Thank you very much for your information, I was also thinking the same for many days. But now it is proven that he/she is not writing letters from Cheboksary. Now there will be a game from my side start :-), I will put her here also to know others. We have to do something for our friends who may have difficulties from such ****alls [}:)], thank you. :)

Cecil_G_63
12-15-2006, 07:38 PM
Hi guys and gals. I am new. You may reach me at Cecil_G_63@Yahoo.com.

I am investigating a possible scammer.

I know the answer to questions that I am seeing posted here.

For info regarding Mari-El, Bat!, IP search go to Datingnmore.com
click on scam. Scroll down to scam menu.

Also, for IP search info and tools. Go to aruljohn.com

For plenty more go to Delphifaq.com. Click "Outside the Cube". Then "Dating Scams" And Scroll down the menu.

Welcome to the jungle. And be blessed.

Cecil G

ScamBuster1959
12-19-2006, 03:33 AM
IP ADDRESS TOOL :

Here is a link to anyone who wants to search an IP Address from Headers.

http://headertool.apelord.com/headers

Just copy and paste the whole header and hit Enter. Bingo...you've got your answer

ScamBuster - Canada