Thomas Shaddack, October 27, 2009 10:10

Tracking down an anonymous email

Some time ago, a coworker had a problem. Her SO was getting anonymous emails from a webmail account, intended to make him question their relationship. He told her. She suspected her office colleague. And called me to investigate.

The webmail service preserved the sender IP in the mail headers. Good. We traced the IP down to another place, a wireless ISP in a mid-sized town. The colleague was proved innocent.

It turned out that the place was her hometown. That led to the hypothesis that the sender is somebody she knows, supported by what the sender knew and wrote in the mails.

We took her personal mail account, and went through the mail headers, one by one, looking for the IP to match. And after a while, we found a mail from her friend, another woman from that town, with a matching sender IP.

She openly confronted her. The other lady denied involvement. Emails stopped and never appeared again.

I did a similar thing before, on a mailing list. There was a war between two of the list members. An email appeared, accusing one of something, attempting to ruin his reputation. As he was my friend, I took a look at the mailbox and attempted to match the IP address. And found it. The other list member's posts from the last couple of days matched. (Beware of dynamic IPs on cable modems and DSL lines; they are quasi-persistent and can stay the same for days or even months.) Posted the findings on the list, attacks ceased.

Another email-related lookup was about a long-lost friend who resurfaced again. Her webmail account showed an IP address. The IP address geolocated to a large US city, and the WHOIS showed a large ISP from that city. A reverse DNS lookup yielded no domain set for the IP. According to the coarse location and the time zone, the mail was likely sent from a work computer. A quick lookup with a script written for the purpose of assisting with identifying spam (a one-liner that tries a reverse lookup on the entire class C block, x.x.x.0 to x.x.x.255), and voilà: in the sea of empty responses there was one mx.companyname.tld, a mailserver just a few numbers from that one IP. (Mailservers have to have their reverse domain name set. Not doing so leads to a lot of spam filtering.) Hypothesis: a company having leased a small block of addresses, running its own mailserver. A quick look at the company website, and from its parts not indexed by a search engine a list of employees was accessed, and she was there.
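The header matching done by hand in the stories above, written out as an added example (not the post's own script). It extracts the originating client IP of a message, preferring an X-Originating-IP header and otherwise walking the Received chain from the first hop upward while skipping private addresses, then searches a mailbox for other messages sent from the same IP. All messages, addresses (RFC 5737 documentation ranges) and names below are constructed for the example, and the "few numbers away" observation about the mailserver is modelled by a same-/24 check.

```python
import ipaddress
import re
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed sample messages: RFC 5737 documentation addresses, invented hosts.
ANONYMOUS_MAIL = (
    "Received: from webmail.example.net (webmail.example.net [192.0.2.10]) by mx.home.example with ESMTP; Tue, 27 Oct 2009 09:55:01 +0100\n"
    "Received: from [198.51.100.23] (helo=user-pc) by webmail.example.net with HTTP; Tue, 27 Oct 2009 09:54:50 +0100\n"
    "X-Originating-IP: [198.51.100.23]\n"
    "From: nobody9921@example.net\n"
    "To: him@home.example\n"
    "Subject: you should know\n"
    "Date: Tue, 27 Oct 2009 09:54:50 +0100\n"
    "\n"
    "constructed body\n"
)

MAILBOX = [
    # A friend from the same town, sent from the same client address.
    (
        "Received: from smtp.townisp.example (smtp.townisp.example [192.0.2.40]) by mx.home.example with ESMTP; Sat, 10 Oct 2009 20:12:30 +0200\n"
        "Received: from [198.51.100.23] (helo=home-pc) by smtp.townisp.example with ESMTPA; Sat, 10 Oct 2009 20:12:10 +0200\n"
        "From: friend@townisp.example\n"
        "Subject: hi\n"
        "Date: Sat, 10 Oct 2009 20:12:10 +0200\n"
        "\n"
        "constructed body\n"
    ),
    # The office colleague: first hop is an internal address, so the office
    # mailserver's public address is the best available origin.
    (
        "Received: from mail.office.example (mail.office.example [203.0.113.5]) by mx.home.example with ESMTP; Mon, 12 Oct 2009 11:00:00 +0100\n"
        "Received: from [10.1.2.3] (helo=desk-17) by mail.office.example with ESMTPA; Mon, 12 Oct 2009 10:59:50 +0100\n"
        "From: colleague@office.example\n"
        "Subject: report\n"
        "Date: Mon, 12 Oct 2009 10:59:50 +0100\n"
        "\n"
        "constructed body\n"
    ),
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_routable(ip: str) -> bool:
    """True if the address could identify an internet endpoint (not RFC 1918 or loopback)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)


def originating_ip(raw: str) -> Optional[str]:
    """Best guess at the address the message was submitted from."""
    msg = message_from_string(raw)
    # Webmail services often record the submitting browser's address explicitly.
    xo = msg.get("X-Originating-IP")
    if xo:
        m = IP_RE.search(xo)
        if m and is_routable(m.group(1)):
            return m.group(1)
    # Otherwise walk the Received chain from the first hop (bottom header) upward.
    # Only hops added by servers you trust are reliable; a sender can prepend forged ones.
    for hop in reversed(msg.get_all("Received") or []):
        for ip in IP_RE.findall(hop):
            if is_routable(ip):
                return ip
    return None


def find_matches(anonymous_raw: str, mailbox: List[str]) -> List[Tuple[str, str]]:
    """Return (From, Date) of mailbox messages sharing the anonymous mail's origin IP."""
    target = originating_ip(anonymous_raw)
    if target is None:
        return []
    hits = []
    for raw in mailbox:
        if originating_ip(raw) == target:
            msg = message_from_string(raw)
            hits.append((msg.get("From", ""), msg.get("Date", "")))
    return hits


def same_block(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """True if both addresses fall in the same /prefix block (the 'few numbers away' test)."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


if __name__ == "__main__":
    print("origin:", originating_ip(ANONYMOUS_MAIL))
    for sender, date in find_matches(ANONYMOUS_MAIL, MAILBOX):
        print("same origin IP:", sender, date)
```

A match found this way is a lead, not proof: as the post notes, residential addresses are reassigned over time, and a shared NAT or webmail proxy can put unrelated people behind one IP, so the dates of the matching messages should be compared with the date of the anonymous one before drawing conclusions.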

Comments

Mari Harju, October 27, 2009 17:03

This could easily be used by criminals as opposed to tracking them. For example, a stalker could use this kind of information to get the approximate RL location of their victim; if they can narrow them down to $company in $city, things can get a lot easier for them.