Web Hosting Talk

*HELP!!!* Find out who customer is through IP address


NiceRsx2002
09-11-2002, 02:25 AM
How can I find out who this customer is through their IP address. They have subscribed me to about 15 porn email subscriptions so far and I have their IP and would like to know how I can find out exactly who it is..... If anyone could help that would be great.

viGeek
09-11-2002, 02:36 AM
You can find out who owns the netblock, by using Arin whois.

net-trend
09-11-2002, 02:47 AM
nicersx,

What makes you so sure it was from a customer?

tazzy
09-11-2002, 02:50 AM
You must have really annoyed a customer for one to do that :eek:

NiceRsx2002
09-11-2002, 02:51 AM
Well I don't really know if it is but they are from New York and I don't really know anyone from there so I am just assuming. If I post the IP address can someone find out who it is??

tazzy
09-11-2002, 02:54 AM
http://www.arin.net
http://www.ripe.net

It will be in either record... it will show you who owns the IP block, then report the IP to the abuse contact on it .. if there is one... include the header of the email and time with IP ...

Also .. post the IP block information .. and see what happens :)

susannad
09-11-2002, 03:00 AM
this here is advice to me from someone else

If you're running Windows, click the Start menu, then Run, and in the box that appears just type the word "command" (without the quotes).

An MS-DOS box will appear. From there, type (again without the quotes) "ping -a 123.123.123.123" and click enter (obviously replacing the numbers with the IP you want to find).

You'll get a message that then has lots of data... the bit you want is right up first - if you typed "ping -a 64.64.64.64" for example, you'll get "Pinging xxxxx.com [64.64.64.10] ....". Assuming it was able to get a 'hostname' (eg xxxx.com), that is about as much information as you're going to get.

Usually it will contain the name of the ISP that owns the IP - for example you might get something like "238aglk.router1.optusnet.com.au" - from that you know the person is using OptusNet as their ISP. Even if you don't recognise the domain name, you can get some information - for example if the hostname ends in ".uk", you can assume your visitor is from the UK.

Unfortunately, you're not going to be able to trace it back to a specific person without the cooperation of the ISP - and without a police warrant that's not going to happen.

susannad
09-11-2002, 03:02 AM
and also

sorry, I made a typo and now I can't delete it .. back in one shake of a lamb's tail

faculty
09-11-2002, 03:05 AM
tracert XXX.XXX.XXX.XXX

Do that through DOS/CMD ;)

susannad
09-11-2002, 03:07 AM
the lamb's tail has shaken

http://www.analogx.com/contents/download/network/htrace.htm

here I meant

net-trend
09-11-2002, 03:13 AM
nicersx,

so of the 15 mails you got all of them came from the same IP? and you want to compare them to your current client base?

it's going to be a headache, but if you provide CPANEL, it always records the last login address. You can match them that way.

NiceRsx2002
09-11-2002, 03:20 AM
No I use ensim, is there a way I can search my email logs or my outlook emails for a mail sent from that IP address? This is the guy's IP address:

195.175.166.97

NiceRsx2002
09-11-2002, 03:21 AM
I have neotrace pro which gives you a map of where they are from, it says they're from Ankara in Turkey... hmmm..

net-trend
09-11-2002, 03:30 AM
You can always search in your email headers for the ip 195.175

Alex[nl]
09-11-2002, 05:43 AM
195.175.166.97
Is owned by:
inetnum: 195.174.0.0 - 195.175.255.255
netname: TR-TELEKOM-960902
descr: Provider Local Registry
role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: ipg@telekom.gov.tr

Good luck!

Mind you this could also be a proxy someone used ..

faculty
09-11-2002, 06:58 AM
If it is a proxy, you will need to contact the proxy owners and get the client's IP :)

ChickenFart
09-11-2002, 09:33 AM
I don't understand this at all. If someone signed you up for porn emails, how did you get their IP address in the first place? They don't visit your sites or send you the porn mails directly, they just type your email address into places here and there.

NiceRsx2002
09-11-2002, 11:53 AM
one of the signup emails gave me their IP address.. It said someone from this IP just subscribed for our newsletter..

NiceRsx2002
09-11-2002, 07:02 PM
...

Richard Ward
09-11-2002, 07:31 PM
Originally posted by NiceRsx2002
How can I find out who this customer is through their IP address. They have subscribed me to about 15 porn email subscriptions so far and I have their IP and would like to know how I can find out exactly who it is..... If anyone could help that would be great.

This is where it's nice to know how e-mail messages work. I recommend to any company that you learn not only how to use what you offer, but how what you offer works in relation to the Internet. Sadly, I can't give you any sympathy points. My company intercepts and filters over 10,000 adult, spam, and virus related messages per day. I'd love to receive just 15.

refcom
09-11-2002, 08:31 PM
Here is all the info I can find on it for you:


$ whois 195.175.166.97

OrgName: RIPE Network Coordination Centre
OrgID: RIPE

NetRange: 195.0.0.0 - 195.255.255.255
CIDR: 195.0.0.0/8
NetName: RIPE-CBLK3
NetHandle: NET-195-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS.RIPE.NET
NameServer: AUTH03.NS.UU.NET
NameServer: NS2.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: MUNNARI.OZ.AU
NameServer: NS.APNIC.NET
Comment: These addresses have been further assigned to users in
the RIPE NCC region. Contact information can be found in
the RIPE database at whois.ripe.net

RegDate: 1996-03-25
Updated: 1998-10-16

TechHandle: RIPE-NCC-ARIN
TechName: Reseaux IP European Network Co-ordination Centre S
TechPhone: +31 20 535 4444
TechEmail: nicdb@ripe.net

# ARIN Whois database, last updated 2002-09-10 19:05
# Enter ? for additional hints on searching ARIN's Whois database.
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 195.174.0.0 - 195.175.255.255
netname: TR-TELEKOM-960902
descr: Provider Local Registry
country: TR
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ALLOCATED PA
notify: ipg@telekom.gov.tr
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS9121-MNT
mnt-routes: AS9121-MNT
changed: hostmaster@ripe.net 19960902
changed: hostmaster@ripe.net 19970605
changed: ipg@telekom.gov.tr 20000608
changed: hostmaster@ripe.net 20000609
changed: hostmaster@ripe.net 20020612
source: RIPE

route: 195.175.128.0/18
descr: TTnetTurkTelekom
origin: AS9121
mnt-by: AS9121-MNT
mnt-routes: AS9121-MNT
changed: ipg@telekom.gov.tr 20010529
changed: ipg@telekom.gov.tr 20020328
changed: ipg@telekom.gov.tr 20020612
source: RIPE

role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: ipg@telekom.gov.tr
admin-c: BADB3-RIPE
tech-c: ZA66-RIPE
tech-c: AO189-RIPE
tech-c: LA109-RIPE
tech-c: AC11071-RIPE
tech-c: NO638-RIPE
nic-hdl: TTBA1-RIPE
notify: ipg@telekom.gov.tr
mnt-by: AS9121-MNT
changed: ipg@telekom.gov.tr 20000608
changed: ipg@telekom.gov.tr 20001020
changed: ipg@telekom.gov.tr 20010615
changed: ipg@telekom.gov.tr 20020228
source: RIPE

That gives you some addresses to go from... Here is some more info:

$ nslookup 195.175.166.97
Server: localhost
Address: 127.0.0.1

Name: nwusr-22112.dial-in.ttnet.net.tr
Address: 195.175.166.97

So the address belongs to a dial-up pool... Make sure when reporting it you GIVE THE DATE AND EXACT TIMES, so they can find out who had that IP at any given time (I hate DHCP for this... but of course, without DHCP we would all be lost.)

You can also do a traceroute:
# traceroute 195.175.166.97
traceroute to 195.175.166.97 (195.175.166.97), 64 hops max, 40 byte packets

<<hop 1 and 2 deleted so I don't advertise myself>>

3 ge6-0-core1.nyc1.globix.net (209.10.1.129) 1.078 ms 1.366 ms 1.189 ms
4 so-5-3-0.core1.lhr2.globix.net (209.10.10.233) 76.487 ms 73.901 ms 72.785 ms
5 209.10.11.2 (209.10.11.2) 85.631 ms 79.539 ms 85.669 ms
6 isdnet.sfinx.tm.fr (194.68.129.250) 77.198 ms 86.461 ms 87.916 ms
7 pos20.tel-1.fr.cw.net (195.154.0.10) 72.457 ms 78.101 ms 76.113 ms
8 as0.junmtp2.fr.cw.net (195.154.0.6) 89.525 ms 78.470 ms 79.484 ms
9 ge000-1.junmtp1.fr.cw.net (195.154.10.9) 89.455 ms 80.182 ms 78.355 ms
10 ge010-4.junsat1.fr.cw.net (62.210.0.45) 69.152 ms 87.762 ms 79.435 ms
11 ttnet-gw.cust.fr.cw.net (195.154.10.2) 597.476 ms 597.123 ms 622.345 ms
12 fe-1-0-0-AnkJun2.ttnet.net.tr (195.175.8.57) 616.483 ms 625.263 ms 613.735 ms
13 ank-M160--ank-M20.ttnet.net.tr (195.175.10.1) 625.099 ms 614.262 ms 622.820 ms
14 195.175.7.6 (195.175.7.6) 621.281 ms 611.769 ms 608.807 ms
15 195.175.10.66 (195.175.10.66) 610.911 ms 629.306 ms 579.626 ms
16 212.156.28.180 (212.156.28.180) 609.359 ms !H 619.193 ms !H 622.105 ms !H


This didn't give me much more information than I already knew though.


Anyway - things you need to do:
1) Firewall this server out of your servers.
2) Unsubscribe yourself from the lists.
3) Report the user to the contacts listed in the whois outputs, along with all logs you have and any and all dates/times (especially because this is a dialup user.)

--
Travis Doherty
SysAdmin @ http://www.referable.com/
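Added example, not refcom's code or anything from the original thread: a small Python script that does by hand what the post above does by eye. It splits RIPE-style (RPSL) whois output into objects, confirms the IP actually falls inside the inetnum range, pulls the contact e-mail out of the referenced role object, flags a dial-in style PTR name as a dynamic pool, and bundles the date/time of the incident into the report, since that is the one thing a dial-up provider cannot do without. The whois text below is a constructed, trimmed copy of the records posted above; the assumption that the covering inetnum comes first is noted in the code.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the RIPE inetnum and role records
# posted above. Real output carries more objects and server comments.
SAMPLE_WHOIS = """\
% This is the RIPE Whois server.
% The objects are in RPSL format.

inetnum:      195.174.0.0 - 195.175.255.255
netname:      TR-TELEKOM-960902
descr:        Provider Local Registry
country:      TR
admin-c:      TTBA1-RIPE
tech-c:       TTBA1-RIPE
status:       ALLOCATED PA
notify:       ipg@telekom.gov.tr
source:       RIPE

role:         TT Administrative Contact Role
address:      Turk Telekom
address:      06103 ANKARA
e-mail:       ipg@telekom.gov.tr
nic-hdl:      TTBA1-RIPE
source:       RIPE
"""


def parse_rpsl(text):
    """Split RPSL whois output into objects: a list of dicts mapping
    attribute -> list of values. Objects are separated by blank lines;
    lines starting with '%' or '#' are server comments and are skipped."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith(("%", "#")):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_contains(obj, ip):
    """True if the object's 'inetnum: A - B' range covers ip."""
    if "inetnum" not in obj:
        return False
    start, end = (s.strip() for s in obj["inetnum"][0].split("-"))
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)


def abuse_contacts(text, ip):
    """E-mail addresses relevant to ip: the covering inetnum's notify address
    plus the e-mail attributes of the role/person objects it references."""
    objects = parse_rpsl(text)
    nets = [o for o in objects if inetnum_contains(o, ip)]
    if not nets:
        return []
    net = nets[0]  # assumption: the server lists the most specific inetnum first
    handles = set(net.get("admin-c", []) + net.get("tech-c", []))
    mails = list(net.get("notify", []))
    for o in objects:
        if set(o.get("nic-hdl", [])) & handles:
            mails.extend(o.get("e-mail", []))
    return sorted(set(mails))


def looks_like_dialup(ptr_name):
    """Heuristic from the thread: PTR names containing dial-in/dialup/ppp or
    'dynamic' usually belong to pools whose user changes per session."""
    return re.search(r"dial-?(in|up)|\bppp\b|dynamic", ptr_name, re.I) is not None


def report_summary(text, ip, ptr_name, seen_at):
    """Assemble the facts the post says to include in an abuse report."""
    return {
        "ip": ip,
        "ptr": ptr_name,
        "dynamic_pool": looks_like_dialup(ptr_name),
        "contacts": abuse_contacts(text, ip),
        "observed": seen_at,  # exact timestamp (with zone) from the mail header
    }


if __name__ == "__main__":
    print(report_summary(SAMPLE_WHOIS, "195.175.166.97",
                         "nwusr-22112.dial-in.ttnet.net.tr",
                         "2002-09-11 03:20 UTC"))
```

Feed it the raw text from `whois -h whois.ripe.net <ip>` and the PTR name from `nslookup`; if `dynamic_pool` comes back true, the report is useless without the observed timestamp.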

LinuXpert
09-11-2002, 08:41 PM
Try IPAtlas at http://my.enom.com/7705/. It will give you the location of this IP. This is what I got:
nwusr-22112.dial-in.ttnet.net.tr (195.175.166.97 ) is located in Ankara, Ic Anadolu (region), Turkey

refcom
09-11-2002, 08:47 PM
Try using the real tools to find it out for yourself - they are much more flexible and powerful. Yes the learning curve is higher (you have to remember three commands instead of one URL) but it's worth it.

E.g. - instead of finding out a location like NetworksData, I found a complete address with the real tools... (not to discount you NetworksData, it's just the facts.)

address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: ipg@telekom.gov.tr

refcom
09-11-2002, 08:48 PM
BTW - as I pointed out this is a dialup pool so I highly doubt this is the IP address of a proxy server.

AntiSpamHosts
09-11-2002, 10:19 PM
Just delete the spam daily and get over it.

MAX POWER
09-12-2002, 09:13 AM
Get Mailwasher. http://www.mailwasher.net It is excellent for vetting and bouncing the spam email. :D

refcom
09-12-2002, 11:32 AM
In case anyone didn't understand my last posts on tracking things down.... I am making this public.


susannad wrote on 09-12-2002 09:10 AM:
I can't follow how you did this
if I'm trying to trace an address like this

66.77.73.147

how would I end up with similar results to you ?



Hi Susan,

I've been a network administrator for years now, so maybe it seems easier to me than it is... But:

From a UNIX Shell:
whois 66.77.73.147

When you run Whois on an IP address whois goes to ARIN's servers first and if Arin says the IP is delegated it goes on to the delegee's server.

Here are my results:

------------------
$ whois 66.77.73.147
Qwest Cybercenters QWEST-CYBERCENTER-2 (NET-66-77-0-0-1)
66.77.0.0 - 66.77.207.255
Fast Search, Inc. QWEST-MCC-FASTSRCH3 (NET-66-77-73-0-1)
66.77.73.0 - 66.77.73.255

# ARIN Whois database, last updated 2002-09-11 19:05
# Enter ? for additional hints on searching ARIN's Whois database.
------------------

Damn - as you can see I didn't get exact info... What did I get?? That IP is owned by Qwest Cybercenters, and then Qwest has re-assigned it to Fast Search, Inc. So we now have TWO contacts if there is abuse, as there are two owners of this IP.

So I do this now:
$ whois -h whois.arin.net QWEST-MCC-FASTSRCH3

CustName: Fast Search, Inc.
Address: 93 Worcester Street, 4th Floor Wellesley, MA 02481
Country: US
Comment:
RegDate: 2002-01-10
Updated: 2002-01-10

NetRange: 66.77.73.0 - 66.77.73.255
CIDR: 66.77.73.0/24
NetName: QWEST-MCC-FASTSRCH3
NetHandle: NET-66-77-73-0-1
Parent: NET-66-77-0-0-1
NetType: Reassigned
Comment:
RegDate: 2002-01-10
Updated: 2002-01-10

# ARIN Whois database, last updated 2002-09-11 19:05
# Enter ? for additional hints on searching ARIN's Whois database.


Notice that I specifically listed -h whois.arin.net. This tells the whois software that I want it to connect to the host at whois.arin.net as it won't know where to go when I just feed it a handle. (If I give a domain it goes to NetSol and then the Sub Delegated... and IPs it does the same with through Arin.)

The only other command I use is nslookup:
Name: cr008r01.sac2.fastsearch.net
Address: 66.77.73.147

That doesn't tell me much - pretty indescriptive name... But I am going to take the guess that it is a system in Sacramento #2 Data Center.


I did some further looking into this with dig - a command I didn't have to use on the Forum to find out the user was a dialup user and not a proxy user.

;; QUERY SECTION:
;; cr008r01.sac2.fastsearch.net, type = MX, class = IN

;; AUTHORITY SECTION:
sac2.fastsearch.net. 15M IN SOA as1.sac2.fastsearch.net. hostmaster.alltheweb.com. (
2002090800 ; serial
1H ; refresh
20M ; retry
2W ; expiry
15M ) ; minimum


;; ADDITIONAL SECTION:
. 0S 4096 OPT


OK - so fastsearch.net is related to alltheweb.com. Let's whois alltheweb.com.

They both come back to the same name:
Fast Search & Transfer, Inc (FASTSEARCH9-DOM)
1700 West Park Drive
Westborough, MA 01581
US

With contact records as:
Administrative Contact:
Lervik, John M (JL10638) John.Lervik@FAST.NO
Fast Search & Transfer ASA
P.O. Box 1677 Vika
Oslo
NO-0120
NO
+47 23 23 84 11 (FAX) +47 23 23 84 01
Technical Contact:
Juul, Arne H (AHJ54) Arne.Juul@FAST.NO
Fast Search & Transfer ASA
Postboks 1677 Vika
Oslo
n/a
0120
NO
+47 9343 9929


Now we have another name - FAST.NO... we can do the same here.

As you can see it is very easy to track things down. If you can't figure it out, my services are available for hire. Example: Reseller plans... have a host that says they run their own servers? Ever spent the hour to try tracking them down? Many of these resellers are just using private name servers and their host has done some work to cover them up with anonymity. This kind of skill allows you to track down resellers like that.
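Added example, not part of refcom's post: the delegation walk above in Python. ARIN's summary listing gives one block per two lines (owner and handle, then the range); the script parses that, picks the smallest block covering the IP (the re-assignment whose NetName goes into the next `whois -h whois.arin.net` query), and then follows the `Parent:` links of the detail records so both owners end up on the contact list. The summary text is a constructed copy of the listing posted above; the Qwest detail record is assumed for illustration, since only the Fast Search record appears in the thread.

```python
import ipaddress
import re

# Constructed copy of the ARIN summary listing posted above for 66.77.73.147.
ARIN_SUMMARY = """\
Qwest Cybercenters QWEST-CYBERCENTER-2 (NET-66-77-0-0-1)
66.77.0.0 - 66.77.207.255
Fast Search, Inc. QWEST-MCC-FASTSRCH3 (NET-66-77-73-0-1)
66.77.73.0 - 66.77.73.255

# ARIN Whois database, last updated 2002-09-11 19:05
"""

# Constructed detail records keyed by net handle. The Fast Search record mirrors
# the "whois -h whois.arin.net QWEST-MCC-FASTSRCH3" output above; the Qwest
# record is assumed (Parent left blank, as ARIN shows for a direct allocation).
ARIN_RECORDS = {
    "NET-66-77-73-0-1": """\
CustName:   Fast Search, Inc.
Address:    93 Worcester Street, 4th Floor Wellesley, MA 02481
Country:    US
NetRange:   66.77.73.0 - 66.77.73.255
CIDR:       66.77.73.0/24
NetName:    QWEST-MCC-FASTSRCH3
NetHandle:  NET-66-77-73-0-1
Parent:     NET-66-77-0-0-1
NetType:    Reassigned
""",
    "NET-66-77-0-0-1": """\
OrgName:    Qwest Cybercenters
NetRange:   66.77.0.0 - 66.77.207.255
NetName:    QWEST-CYBERCENTER-2
NetHandle:  NET-66-77-0-0-1
Parent:
NetType:    Direct Allocation
""",
}

SUMMARY_RE = re.compile(r"^(?P<org>.+?)\s+(?P<netname>\S+)\s+\((?P<handle>NET-[\w-]+)\)$")
RANGE_RE = re.compile(r"^(?P<start>[\d.]+)\s*-\s*(?P<end>[\d.]+)$")


def parse_summary(text):
    """Turn the two-line-per-block ARIN summary into a list of netblock dicts."""
    blocks, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUMMARY_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = RANGE_RE.match(line)
        if m and pending:
            start = ipaddress.ip_address(m["start"])
            end = ipaddress.ip_address(m["end"])
            pending.update(start=start, end=end, size=int(end) - int(start) + 1)
            blocks.append(pending)
            pending = None
    return blocks


def most_specific(blocks, ip):
    """Smallest netblock covering ip: the re-assignment whose NetName you feed
    back to 'whois -h whois.arin.net <NetName>'. None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    covering = [b for b in blocks if b["start"] <= addr <= b["end"]]
    return min(covering, key=lambda b: b["size"]) if covering else None


def parse_record(text):
    """ARIN detail record: 'Key:   value' lines into a dict; blank values kept."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def delegation_chain(records, handle):
    """Follow Parent: links from the most specific record up to the allocation.
    Returns (handle, owner) pairs; every owner in the chain is a contact."""
    chain, seen = [], set()
    while handle and handle in records and handle not in seen:
        seen.add(handle)
        rec = parse_record(records[handle])
        chain.append((handle, rec.get("CustName") or rec.get("OrgName", "?")))
        handle = rec.get("Parent", "")
    return chain


if __name__ == "__main__":
    blocks = parse_summary(ARIN_SUMMARY)
    b = most_specific(blocks, "66.77.73.147")
    print("query next: whois -h whois.arin.net", b["netname"])
    for h, owner in delegation_chain(ARIN_RECORDS, b["handle"]):
        print(h, "->", owner)
```

In practice the two dicts would be filled from live `whois` output; the point is that the smallest covering block, not the first line printed, is the one to chase, and that the `Parent:` field is what links the re-assignment back to the upstream allocation.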

dandanfirema
09-12-2002, 11:36 AM
If you want to check and see if it is a customer, one way to do so would be to check your mail logs for the existence of that client checking emails:

grep -F 123.123.123.123 /var/log/maillog
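Added example, not from dandanfirema's post: the same log check in Python, with two things a bare grep does not give you. The IP is matched as a whole address (so a search for 195.175.166.9 does not also hit 195.175.166.97), and each hit is reduced to its timestamp, daemon and authenticated user, which is exactly the "who, and when" a report needs. The log lines are constructed in a syslog/sendmail/ipop3d style for illustration; the real format depends on your MTA and POP/IMAP daemon.

```python
import re
from collections import Counter

# Constructed syslog-style maillog lines (sendmail / imapd / ipop3d flavour).
SAMPLE_MAILLOG = """\
Sep 11 02:15:07 mail imapd[2211]: Login user=alice host=[10.1.1.5]
Sep 11 02:31:44 mail sendmail[2290]: g8B6VhX02290: from=<bob@example.net>, size=1202, relay=[195.175.166.97]
Sep 11 02:33:02 mail ipop3d[2301]: Login user=bob host=[195.175.166.97]
Sep 11 03:10:19 mail imapd[2355]: Login user=carol host=[195.175.166.9]
Sep 11 03:20:55 mail ipop3d[2398]: Login user=bob host=[195.175.166.97]
"""


def find_ip_events(log_text, ip):
    """Return (timestamp, daemon, user) for every line mentioning ip as a whole
    address. Lookarounds forbid a digit or dot on either side, so a search for
    195.175.166.9 does not match 195.175.166.97 (nor the reverse)."""
    ip_re = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    line_re = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<daemon>[\w-]+)\[\d+\]:")
    user_re = re.compile(r"user=(?P<user>\S+)")
    events = []
    for line in log_text.splitlines():
        if not ip_re.search(line):
            continue
        m = line_re.match(line)
        if not m:
            continue  # not a syslog-shaped line; skip rather than guess
        u = user_re.search(line)
        events.append((m["ts"], m["daemon"], u["user"] if u else None))
    return events


def users_seen_from(log_text, ip):
    """Which mailbox accounts authenticated from ip, and how often: the
    answer to 'is this one of my customers?'"""
    return Counter(user for _, _, user in find_ip_events(log_text, ip) if user)


if __name__ == "__main__":
    for ts, daemon, user in find_ip_events(SAMPLE_MAILLOG, "195.175.166.97"):
        print(ts, daemon, user)
    print(users_seen_from(SAMPLE_MAILLOG, "195.175.166.97"))
```

Read the real file with `open("/var/log/maillog").read()` in place of the sample; the timestamps in the output are the ones to put in the report, and the user counter tells you whether the address belongs to an account on your own box at all.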

susannad
09-14-2002, 08:07 AM
ah refcom

that's clear .. thanks