I'm betting that the crime division in someplace like Lagos, Nigeria wouldn't be awfully interested. I wonder if anyone has tracked his IP address to see what country it leads to?
Since I love investigating I can show you how to figure out where an email came from.
First thing you do is look at the complete header. The header has all the information about what happens in the back end where the servers talk to each other and all that techy stuff... Since I use Gmail, here's how you get to the full header.
1. Open the message in question
2. Drop down the reply button
3. Click on show original
This will open the header in a new window...Here's what the header from his email looks like...
Delivered-To: @gmail.com
Received: by 10.216.167.77 with SMTP id h55cs258923wel;
Fri, 15 Oct 2010 16:39:25 -0700 (PDT)
Received: by 10.236.105.201 with SMTP id k49mr590463yhg.74.1287185965085;
Fri, 15 Oct 2010 16:39:25 -0700 (PDT)
Return-Path: <[email protected]>
Received: from nm21-vm0.bullet.mail.sp2.yahoo.com (nm21-vm0.bullet.mail.sp2.yahoo.com [98.139.91.220])
by mx.google.com with SMTP id f46si22881756yhc.20.2010.10.15.16.39.23;
Fri, 15 Oct 2010 16:39:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of [email protected] designates 98.139.91.220 as permitted sender) client-ip=98.139.91.220;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of [email protected] designates 98.139.91.220 as permitted sender) [email protected]; dkim=pass (test mode) [email protected]
Received: from [98.139.91.62] by nm21.bullet.mail.sp2.yahoo.com with NNFMP; 15 Oct 2010 23:39:21 -0000
Received: from [98.139.91.49] by tm2.bullet.mail.sp2.yahoo.com with NNFMP; 15 Oct 2010 23:39:21 -0000
Received: from [127.0.0.1] by omp1049.mail.sp2.yahoo.com with NNFMP; 15 Oct 2010 23:39:21 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: [email protected]
Received: (qmail 68301 invoked by uid 60001); 15 Oct 2010 23:39:20 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1287185960; bh=+JQwouGlreWeuHjX/us8fh9NIvDuNRC1ey9H5LUBDdM=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=emoHCvacZWQ+vSVsF8QGKCu5fiFDiHjTTnii6Banb1VcPWsvWm6FQIkCFxG7xTAvzzpF5GlM4rC3wJ1xJN5JqJHg6Sbzf6SaAwRuekDKUUp5dG2Dv5eG8gRfrXKlUMyUtDpG9jBuSytWJ82+5hboqJ1f5SyChpVs6ghIEJLwqRQ=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type;
b=6XWLytpUER9NFMu5FDnLvadnmlQqVT9ULatKaXrzCdGh462P3LIWU03PR8CJ1EexG49nfz1VTp/66td2j8QwQCGri52YYsnQ+L+Xpby0iuBDKtxm+iQrUpsZI62Qc1m8/oPybAdaupp5r/V5PsjvWWzHJFLmiRNlfvg0Syuqe84=;
Message-ID: <[email protected]>
X-YMail-OSG: kvFEQL0VM1lg1MMcqykbrkYGWUJ23Q3oERD8smfB8aTIvr4
Hbc14wC9Pa9YN3fsCKSc8Cy45G7DpqNwDczXhmuV9ltj1J2iO1PrnldOLnE8
WrVhRVV4PiusS0ccvyYfdSxc29gEqXir_X4CERFdRdFVinEiC4KZvK0.pPVw
Nq3PEDNLK79bSFZI_kcwrIuabbaOdbnhab9y4Msw6jUGDD3AWJNyA09Xd9ni
WIvfPNS9j1W8b_XiziY6EJJ7_zG.jdHLWt7Mo61btZWh2r8xsoAPHY63fu95
FEdit__yynUU4
Received: from [82.128.2.61] by web113412.mail.gq1.yahoo.com via HTTP; Fri, 15 Oct 2010 16:39:20 PDT
X-Mailer: YahooMailClassic/11.4.9 YahooMailWebService/0.8.106.282862
Date: Fri, 15 Oct 2010 16:39:20 -0700 (PDT)
From: Nas Taylor <[email protected]>
Subject: PAYMENT ALERT !!!
To: @gmail.com>
In-Reply-To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1911650784-1287185960=:64279"
--0-1911650784-1287185960=:64279
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
In all this gibberish the only thing we are concerned with is...
Received: from [82.128.2.61] by web113412.mail.gq1.yahoo.com via
So his IP is 82.128.2.61
Now that you have the number, how do you determine where it's coming from?
Well, you go to Google and type in 'nslookup' and click search... You will come across many sites that can take an IP and translate it into a name... In this case I used
KLOTH.NET - NSLOOKUP - DNS Look up - Find IP Address
Type in the IP in the domain section and click look it up...
The result is...
DNS server handling your query: localhost
DNS server's address: 127.0.0.1#53
Non-authoritative answer:
61.2.128.82.in-addr.arpa name = ml82.128.2.61.multilinks.com.
The key is the web address multilinks.com
So who is multilinks.com? Well they are the internet service provider for the user who sent out the email...
Go to multilinks.com and check their contact page for location...
HEAD OFFICE
231, Adeola Odeku Street
Victoria Island, P.O.Box 3453, Marina, Lagos, Nigeria
Phone (234)-1- 774 0000
Fax (234)-1- 791 2345
APAPA BRANCH
1st Floor, Modandola House, 42/44 Warehouse Road,
Apapa, Lagos.
Phone (234)-1- 7730100-104
Fax (234)-1- 791 2222
IKEJA BRANCH
Ground Floor, Block C
Motorways Center
1 Motorways Avenue, Lagos Ibadan Expressway, Alausa, Lagos
Phone (234)-1-773 0000
Fax (234)-1-791 1111
LAGOS BRANCH OFFICES
231 Adoela Odoeku Street, Victoria Island, Lagos
Phone - 7740005,7912345
Email - [email protected]
1st Floor, Mandolay House, 42/44, Ware House Road
Phone - 7730101,7912222
Email - [email protected]
Ground Floor, Block C, Motorways Centre, 1 Motorways Avenue, Alausa, Ikeja
Phone - 7730000,7911111
Email - [email protected]
CONTACT POINT
C-9, 1st Floor, Folomo Shopping Complex, Awolowo Road, Ikoyi, Lagos
Phone - 7909111
Email - [email protected]
Ground Floor, Centre Point, Town Planning Way, Iluoegu, Lagos
Phone - 7765545
Email - [email protected]
First Floor, 79, Aboekuta Expressway, Dopemu, Lagos
Phone - 7910270
Email - [email protected]
You may also contact Raji at 7901764 or write to [email protected]
IBADAN BRANCH OFFICE
4 Town Planning Way, Oluyole Estate, Ring Road, Ibadan, Oyo State
Phone - 7511111
Email - [email protected]
Contact Point
Phone - 7511888
Email - [email protected]
He's in Nigeria... yay
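The manual steps above (pick the right Received line, then build the reverse-lookup name) can be scripted; this is an added example, not part of the original post. The sample is the post's Received chain, trimmed, and the allow-list of provider domains is an assumption of the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the Received chain from the post, trimmed to the routing lines.
SAMPLE = (
    "Received: from nm21-vm0.bullet.mail.sp2.yahoo.com (nm21-vm0.bullet.mail.sp2.yahoo.com [98.139.91.220])\n"
    "\tby mx.google.com with SMTP id f46si22881756yhc.20.2010.10.15.16.39.23;\n"
    "\tFri, 15 Oct 2010 16:39:24 -0700 (PDT)\n"
    "Received: from [98.139.91.62] by nm21.bullet.mail.sp2.yahoo.com with NNFMP; 15 Oct 2010 23:39:21 -0000\n"
    "Received: from [127.0.0.1] by omp1049.mail.sp2.yahoo.com with NNFMP; 15 Oct 2010 23:39:21 -0000\n"
    "Received: (qmail 68301 invoked by uid 60001); 15 Oct 2010 23:39:20 -0000\n"
    "Received: from [82.128.2.61] by web113412.mail.gq1.yahoo.com via HTTP; Fri, 15 Oct 2010 16:39:20 PDT\n"
    "Subject: PAYMENT ALERT !!!\n\n"
)

def received_hops(raw):
    """Return (client_ip, recording_host) for each Received line, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = re.search(r"from\s[^;]*?\[([0-9A-Fa-f:.]+)\].*?\bby\s+(\S+)", value)
        if m:  # lines such as the qmail one carry no client address
            hops.append((m.group(1), m.group(2).rstrip(";").lower()))
    return hops

def originating_ip(raw, trusted=("google.com", "yahoo.com")):
    """Oldest public client IP on a hop recorded by an allow-listed provider.

    Received lines are prepended, so anything below the first hop that was
    not written by a trusted server may have been supplied by the sender.
    Matching on the "by" name is a simplification: a forged line can claim
    any name, so the chain should also be checked for continuity by hand.
    """
    origin = None
    for ip, by in received_hops(raw):
        if not any(by == d or by.endswith("." + d) for d in trusted):
            break
        try:
            if ipaddress.ip_address(ip).is_global:  # skip loopback/private hops
                origin = ip
        except ValueError:
            continue  # bracketed value was not an IP address
    return origin

def ptr_name(ip):
    """Name that a reverse (PTR) lookup queries for this address."""
    return ipaddress.ip_address(ip).reverse_pointer

if __name__ == "__main__":
    ip = originating_ip(SAMPLE)
    print(ip, ptr_name(ip))
```

The PTR name it builds is the same one shown in the lookup result in the post; resolving it still needs a DNS query (for example with `nslookup`).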