How to find real user IP behind given proxy IP?

-1

I opened my Gmail account and saw a new message in Spam. I always want to know where these malicious emails are from, so I displayed the origin of the email and searched for the default IP address from which the email was sent. I opened an IP tracker and the result points to some place in a desert in Senegal (West Africa). So I have a suspicion the user (ab)used a proxy to hide his real IP address and location.

So I ask: is there any chance to get the user's real IP address and location by finding the IP in a proxies database and checking the tracklist if available? In case of multiple proxies (proxy behind proxy), checking out these proxies as well...

Just for info, that email says she loves me :D She was browsing through my Facebook profile and saw my email - which gives me another suspicion: the spam sender just discovered a way to find the hidden email address used to log in (I hid it from others) or just guessed and hit the target.

Polda18

Posted 2015-07-26T07:58:25.997

Reputation: 35

You don't. That is the entire idea behind using a proxy. – Ramhound – 2015-07-26T08:03:02.837

Well, I should then check my privacy settings on Facebook and in that case contact Facebook to make security stronger... – Polda18 – 2015-07-26T10:29:45.683

You are putting too much weight on spam. There isn't an actual person. – Ramhound – 2015-07-26T10:52:56.510

1

You do realize everyone gets that same spam message, right? Starting from a@aol.com to z@aol.com and then a1@aol.com and so on, right? Claiming she saw the Facebook profile etc. :P (or my favourite, which is that there is some Nigerian business big shot who wanted to give me some millions of Nigerian dollars for helping him to smooth out his business..) – Darius – 2015-07-26T13:40:33.223

Yeah, that's right :D Anyway, I had to laugh when I saw it. I never got an email from a girl where she says she's in love with me, until then :D Well, if I should count all the spam I ever got, I would have to be a millionaire hundreds of times over, fifty times I should have died and just once some incognito lover appeared. I do not receive much spam and if I do get some, it always jumps right into the Spam folder :D Nothing really harmful, though :) – Polda18 – 2015-07-27T14:38:02.083

Answers

0

Why do you think it comes from a proxy? It could be an infected computer of your neighbor. The spammers' business is well established these days; they rent huge ranges of IPs in very expensive data centers and use perfectly legitimate setups on email servers, changing domain names every day (which they buy new every day). They use infected computers a lot as well. Antispam solutions are very complex and use distributed networks across the globe to flag spam, and it is useless to block proxies. They usually don't have an MX DNS record, and messages from such IPs will simply be dropped by the receiving server.

Sometimes hackers (well, to be correct, crackers) use pwned, perfectly legitimate servers and use them as relays. This way you need to open the email message as raw source and follow the email headers to spot the originator. That is actually very important in such situations. Bunches of people get infected every day when they see an email from notification@irs.gov... but don't pay attention that it is a subdomain of some u2iu3iu23ui34y54.com

Alex

Posted 2015-07-26T07:58:25.997

Reputation: 5 606
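As an added example (not code from the answer or the asker), here is a small Python script that does the header walk Alex describes: it parses a constructed raw message, lists the routable IP in each Received hop from top to bottom, picks the originating hop, and extracts the real registrable domain behind an irs.gov lookalike sender. The hostnames, addresses (IETF documentation ranges) and the sender domain are made up; `skip_address`, `received_hops`, `originating_ip` and `sender_registrable_domain` are names chosen here.

```python
import email.policy
import ipaddress
import re

# Constructed sample message: made-up hosts, IETF documentation IPs, lookalike From domain.
# Received headers are top-down: the last one was written by the first relay to see the mail.
RAW_MESSAGE = b"""\
Received: from mx2.example.net (mx2.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP; Sun, 26 Jul 2015 07:50:01 +0000
Received: from relay.example.org ([198.51.100.7])
\tby mx2.example.net with ESMTP; Sun, 26 Jul 2015 07:49:58 +0000
Received: from [10.0.0.5] (unknown [203.0.113.44])
\tby relay.example.org with ESMTPA; Sun, 26 Jul 2015 07:49:50 +0000
From: IRS Notification <notification@irs.gov.u2iu3iu23ui34y54.com>
Subject: Tax refund

"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# RFC 1918 listed explicitly so the documentation IPs above still count as routable.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def skip_address(txt):
    """True for RFC 1918, loopback, link-local, or text that is not a valid IPv4 address."""
    try:
        ip = ipaddress.ip_address(txt)
    except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
        return True
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in INTERNAL)

def received_hops(raw):
    """Routable IPs in each Received header, top-down (last entry = first relay's view)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [[ip for ip in IPV4_RE.findall(str(h)) if not skip_address(ip)]
            for h in msg.get_all("Received", [])]

def originating_ip(raw):
    """Routable IP from the bottom-most Received header: the host that handed the mail to
    the first relay. Only headers added by servers you trust are reliable; lower ones can be forged."""
    for routable in reversed(received_hops(raw)):
        if routable:
            return routable[0]
    return None

def sender_registrable_domain(raw):
    """Last two labels of the From domain, exposing the owner behind 'irs.gov.<junk>.com'.
    Assumption: no multi-label public suffix such as co.uk (use a suffix list for those)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    domain = msg["From"].addresses[0].addr_spec.rsplit("@", 1)[1].lower()
    return ".".join(domain.split(".")[-2:])
```

The originating IP is what you would look up with whois for the network owner's abuse contact, not the geolocation guess.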

Well, I said I tracked the IP address and it points to some place in Senegal's desert in Africa. While there's no city and house number, nor the postal code specified, it points just to the middle of the state, which in this case is the desert that showed up... There is nothing there, so it had to be sent from another place (maybe in the same state, but in a completely different part). And I do not say it's not from an infected computer, I just say the sender (infected or not) used a proxy (maybe more than one), which seems to be anonymous and to provide false geolocation. – Polda18 – 2015-07-27T14:28:46.217

Anyway, I am using the free but pretty powerful antivirus Avast, which includes protection against phishing and spam malware. That email I received is labeled as from the Yahoo mail service (to be correct, it looks like it was sent by some user of this service). It had some short alphanumeric code after the @ sign, but was followed by the .yahoo.com string. Anyway, that email was already in the Spam folder and I already deleted it, so the question is only about being informed. If something happens (I get banned somewhere for sending spam or whatever, I'll let you know)... – Polda18 – 2015-07-27T14:31:15.137

IP geolocation is way too far from perfect. It is better to resolve who the owner of that IP and its registrar is by querying whois IP.IP.IP.IP from any Unix box or through online whois services. Most ISPs have an abuse email listed in such databases, so they usually take pretty quick action to block such spam even if it looks like it comes from a desert. The point that I tried to make is that no normal email server will accept emails from dynamic IPs. Public proxies are in blacklists, so usually it is an infected computer that sends via free email services such as Yahoo on behalf of the infected owner. – Alex – 2015-07-27T19:00:15.277

There is a problem: I do not have a Unix-based system and online services providing that whois app are either paid or provide that inaccurate geolocation. I used that online whois tool to get the geolocation information, of course a free service (I don't want and I won't pay for such tools). If you mean the mailbox can get infected, I'll search through some blacklists for my email address being listed to see if it is actually infected... – Polda18 – 2015-07-29T09:52:03.193

There is a clone of the Unix whois utility available free of charge on the Microsoft site: https://technet.microsoft.com/en-us/sysinternals/bb897435.aspx

– Alex – 2015-07-29T18:51:29.730

Thank you, but it looks only for American domains. I need to identify all domains and IP addresses around the world. It's rare that spam comes right from the USA or sites with US domains. Sorry to say that, but it's useless for me :( Anyway, it's not a hot topic for me right now. I will look for the abuse email address for such an ISP, if it is listed :) I am using the whois service on cqcounter.com which gives pretty good results most of the time. But if that IP has some masks that prevent revealing most of the information or does not contain any of it (blank page), then I can't do anything... – Polda18 – 2015-07-31T08:04:51.010