  1. #1

    *HELP!!!* Find out who customer is through IP address

    How can I find out who this customer is through their IP address? They have subscribed me to about 15 porn email subscriptions so far and I have their IP and would like to know how I can find out exactly who it is... If anyone could help that would be great.

  2. #2
    Join Date
    Mar 2002
    Location
    Philadelphia, PA
    Posts
    2,508
    You can find out who owns the netblock by using ARIN whois.
    Linux junkie | steward.io

  3. #3
    nicersx,

    What makes you so sure it was from a customer?
    YourCheapHost.com - Low cost multi domain hosting solutions. [Legal adult content friendly]
    Reliable web site hosting is our motto. We have Alertra stats to back that up.
    Proven provider of high quality shared and reseller accounts since 2002.

  4. #4
    Join Date
    Jul 2002
    Posts
    924
    You must have really annoyed a customer for one to do that
    Unlimited Space & Bandwidth
    http://localhost/
    Providing hosting since 17/99/3003

  5. #5
    Well I don't really know if it is but they are from New York and I don't really know anyone from there so I am just assuming. If I post the IP address can someone find out who it is??

  6. #6
    Join Date
    Jul 2002
    Posts
    924
    http://www.arin.net
    http://www.ripe.net

    It will be in either record... it will show you who owns the IP block, then report the IP to the abuse contact on it... if there is one... include the header of the email and time with IP...

    Also... post the IP block information... and see what happens
    Unlimited Space & Bandwidth
    http://localhost/
    Providing hosting since 17/99/3003

  7. #7
    Join Date
    Mar 2002
    Location
    Melbourne Downunder
    Posts
    2,296
    this here is advice to me from someone else

    If you're running Windows, click the Start menu, then Run, and in the box that appears just type the word "command" (without the quotes).

    An MS-DOS box will appear. From there, type (again without the quotes) "ping -a 123.123.123.123" and click enter (obviously replacing the numbers with the IP you want to find).

    You'll get a message that then has lots of data... the bit you want is right up first - if you typed "ping -a 64.64.64.64" for example, you'll get "Pinging xxxxx.com [64.64.64.10] ....". Assuming it was able to get a 'hostname' (eg xxxx.com), that is about as much information as you're going to get.

    Usually it will contain the name of the ISP that owns the IP - for example you might get something like "238aglk.router1.optusnet.com.au" - from that you know the person is using OptusNet as their ISP. Even if you don't recognise the domain name, you can get some information - for example if the hostname ends in ".uk", you can assume your visitor is from the UK.

    Unfortunately, you're not going to be able to trace it back to a specific person without the cooperation of the ISP - and without a police warrant that's not going to happen.
    Last edited by susannad; 09-12-2002 at 08:59 AM.

  8. #8
    Join Date
    Mar 2002
    Location
    Melbourne Downunder
    Posts
    2,296
    and also

    sorry, I made a typo and now I can't delete it .. back in one shake of a lamb's tail

  9. #9
    Join Date
    Aug 2002
    Location
    Australia
    Posts
    771
    tracert XXX.XXX.XXX.XXX

    Do that through DOS/CMD

  10. #10
    Join Date
    Mar 2002
    Location
    Melbourne Downunder
    Posts
    2,296
    the lamb's tail has shaken

    http://www.analogx.com/contents/down...ork/htrace.htm

    here I meant

  11. #11
    nicersx,

    So of the 15 mails you got, all of them came from the same IP? And you want to compare them to your current client base?

    it's going to be a headache, but if you provide CPANEL, it always records the last login address. You can match them that way.
    YourCheapHost.com - Low cost multi domain hosting solutions. [Legal adult content friendly]
    Reliable web site hosting is our motto. We have Alertra stats to back that up.
    Proven provider of high quality shared and reseller accounts since 2002.

  12. #12
    No, I use Ensim. Is there a way I can search my email logs or my Outlook emails for a mail sent from that IP address? This is the guy's IP address:

    195.175.166.97

  13. #13
    I have NeoTrace Pro which gives you a map of where they are from, it says they're from Ankara in Turkey... hmmm..

  14. #14
    You can always search in your email headers for the ip 195.175
    YourCheapHost.com - Low cost multi domain hosting solutions. [Legal adult content friendly]
    Reliable web site hosting is our motto. We have Alertra stats to back that up.
    Proven provider of high quality shared and reseller accounts since 2002.

  15. #15
    Join Date
    Jun 2002
    Location
    The Netherlands
    Posts
    393
    195.175.166.97
    Is owned by:
    inetnum: 195.174.0.0 - 195.175.255.255
    netname: TR-TELEKOM-960902
    descr: Provider Local Registry
    role: TT Administrative Contact Role
    address: Turk Telekom
    address: Bilisim Aglari Dairesi
    address: Aydinlikevler
    address: 06103 ANKARA
    phone: +90 312 313 1950
    fax-no: +90 312 313 1949
    e-mail: [email protected]

    Good luck!

    Mind you this could also be a proxy someone used ..
    Alexander

  16. #16
    Join Date
    Aug 2002
    Location
    Australia
    Posts
    771
    If it is a proxy, you will need to contact the proxy owners and get the clients IP

  17. #17
    Join Date
    May 2002
    Location
    monkey
    Posts
    166
    I don't understand this at all. If someone signed you up for porn emails, how did you get their IP address in the first place? They don't visit your sites or send you the porn mails directly, they just type your email address into places here and there.

  18. #18
    One of the signup emails gave me their IP address. It said someone from this IP just subscribed for our newsletter.

  19. #19
    ...

  20. #20
    Join Date
    Sep 2002
    Location
    perl -le '$_=`man perlfaq1`;print/"(j.*)"/'
    Posts
    280

    Re: *HELP!!!* Find out who customer is through IP address

    Originally posted by NiceRsx2002
    How can I find out who this customer is through their IP address? They have subscribed me to about 15 porn email subscriptions so far and I have their IP and would like to know how I can find out exactly who it is... If anyone could help that would be great.
    This is where it's nice to know how e-mail messages work. I recommend to any company that you learn not only how to use what you offer, but how what you offer works in relation to the Internet. Sadly, I can't give you any sympathy points. My company intercepts and filters over 10,000 adult, spam, and virus related messages per day. I'd love to receive just 15.
    Richard Ward
    1 NET LANE, LLC.
    http://www.1NL.net
    The low cost data center.

  21. #21
    Here is all the info I can find on it for you:


    $ whois 195.175.166.97

    OrgName: RIPE Network Coordination Centre
    OrgID: RIPE

    NetRange: 195.0.0.0 - 195.255.255.255
    CIDR: 195.0.0.0/8
    NetName: RIPE-CBLK3
    NetHandle: NET-195-0-0-0-1
    Parent:
    NetType: Allocated to RIPE NCC
    NameServer: NS.RIPE.NET
    NameServer: AUTH03.NS.UU.NET
    NameServer: NS2.NIC.FR
    NameServer: SUNIC.SUNET.SE
    NameServer: MUNNARI.OZ.AU
    NameServer: NS.APNIC.NET
    Comment: These addresses have been further assigned to users in
    the RIPE NCC region. Contact information can be found in
    the RIPE database at whois.ripe.net

    RegDate: 1996-03-25
    Updated: 1998-10-16

    TechHandle: RIPE-NCC-ARIN
    TechName: Reseaux IP European Network Co-ordination Centre S
    TechPhone: +31 20 535 4444
    TechEmail: [email protected]

    # ARIN Whois database, last updated 2002-09-10 19:05
    # Enter ? for additional hints on searching ARIN's Whois database.
    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    % Please visit http://www.ripe.net/rpsl for more information.
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-serv...copyright.html

    inetnum: 195.174.0.0 - 195.175.255.255
    netname: TR-TELEKOM-960902
    descr: Provider Local Registry
    country: TR
    admin-c: TTBA1-RIPE
    tech-c: TTBA1-RIPE
    status: ALLOCATED PA
    notify: [email protected]
    mnt-by: RIPE-NCC-HM-MNT
    mnt-lower: AS9121-MNT
    mnt-routes: AS9121-MNT
    changed: [email protected] 19960902
    changed: [email protected] 19970605
    changed: [email protected] 20000608
    changed: [email protected] 20000609
    changed: [email protected] 20020612
    source: RIPE

    route: 195.175.128.0/18
    descr: TTnetTurkTelekom
    origin: AS9121
    mnt-by: AS9121-MNT
    mnt-routes: AS9121-MNT
    changed: [email protected] 20010529
    changed: [email protected] 20020328
    changed: [email protected] 20020612
    source: RIPE

    role: TT Administrative Contact Role
    address: Turk Telekom
    address: Bilisim Aglari Dairesi
    address: Aydinlikevler
    address: 06103 ANKARA
    phone: +90 312 313 1950
    fax-no: +90 312 313 1949
    e-mail: [email protected]
    admin-c: BADB3-RIPE
    tech-c: ZA66-RIPE
    tech-c: AO189-RIPE
    tech-c: LA109-RIPE
    tech-c: AC11071-RIPE
    tech-c: NO638-RIPE
    nic-hdl: TTBA1-RIPE
    notify: [email protected]
    mnt-by: AS9121-MNT
    changed: [email protected] 20000608
    changed: [email protected] 20001020
    changed: [email protected] 20010615
    changed: [email protected] 20020228
    source: RIPE

    That gives you some addresses to go from... Here is some more info:

    $ nslookup 195.175.166.97
    Server: localhost
    Address: 127.0.0.1

    Name: nwusr-22112.dial-in.ttnet.net.tr
    Address: 195.175.166.97

    So the address belongs to a dial-up pool... Make sure when reporting it you GIVE THE DATE AND EXACT TIMES, so they can find out who had that IP at any given time (I hate DHCP for this... but of course, without DHCP we would all be lost.)

    You can also do a traceroute:
    # traceroute 195.175.166.97
    traceroute to 195.175.166.97 (195.175.166.97), 64 hops max, 40 byte packets

    <<hops 1 and 2 deleted so I don't advertise myself>>

    3 ge6-0-core1.nyc1.globix.net (209.10.1.129) 1.078 ms 1.366 ms 1.189 ms
    4 so-5-3-0.core1.lhr2.globix.net (209.10.10.233) 76.487 ms 73.901 ms 72.785 ms
    5 209.10.11.2 (209.10.11.2) 85.631 ms 79.539 ms 85.669 ms
    6 isdnet.sfinx.tm.fr (194.68.129.250) 77.198 ms 86.461 ms 87.916 ms
    7 pos20.tel-1.fr.cw.net (195.154.0.10) 72.457 ms 78.101 ms 76.113 ms
    8 as0.junmtp2.fr.cw.net (195.154.0.6) 89.525 ms 78.470 ms 79.484 ms
    9 ge000-1.junmtp1.fr.cw.net (195.154.10.9) 89.455 ms 80.182 ms 78.355 ms
    10 ge010-4.junsat1.fr.cw.net (62.210.0.45) 69.152 ms 87.762 ms 79.435 ms
    11 ttnet-gw.cust.fr.cw.net (195.154.10.2) 597.476 ms 597.123 ms 622.345 ms
    12 fe-1-0-0-AnkJun2.ttnet.net.tr (195.175.8.57) 616.483 ms 625.263 ms 613.735 ms
    13 ank-M160--ank-M20.ttnet.net.tr (195.175.10.1) 625.099 ms 614.262 ms 622.820 ms
    14 195.175.7.6 (195.175.7.6) 621.281 ms 611.769 ms 608.807 ms
    15 195.175.10.66 (195.175.10.66) 610.911 ms 629.306 ms 579.626 ms
    16 212.156.28.180 (212.156.28.180) 609.359 ms !H 619.193 ms !H 622.105 ms !H


    This didn't give me much more information than I already knew though.


    Anyway - things you need to do:
    1) Firewall this server out of your servers.
    2) Unsubscribe yourself from the lists.
    3) Report the user to the contacts listed in the whois outputs, along with all logs you have and any and all dates/times (especially because this is a dialup user.)

    --
    Travis Doherty
    SysAdmin @ http://www.referable.com/
    Travis Doherty
    Web Hosting Services
    http://www.referable.com/

  22. #22
    Try IPAtlas at http://my.enom.com/7705/. It will give you the location of this IP. This is what I got:
    nwusr-22112.dial-in.ttnet.net.tr (195.175.166.97 ) is located in Ankara, Ic Anadolu (region), Turkey
    AceWebHosting.Com
    Cheap Web Hosting - Multiple Domain Hosting - Reseller Hosting - Virtual Private Server

  23. #23
    Try using the real tools to find it out for yourself - they are much more flexible and powerful. Yes, the learning curve is higher (you have to remember three commands instead of one URL) but it's worth it.

    E.g. - instead of finding out a location like NetworksData, I found a complete address with the real tools... (not to discount you NetworksData, it's just the facts.)

    address: Turk Telekom
    address: Bilisim Aglari Dairesi
    address: Aydinlikevler
    address: 06103 ANKARA
    phone: +90 312 313 1950
    fax-no: +90 312 313 1949
    e-mail: [email protected]
    Travis Doherty
    Web Hosting Services
    http://www.referable.com/

  24. #24
    BTW - as I pointed out this is a dialup pool so I highly doubt this is the IP address of a proxy server.
    Travis Doherty
    Web Hosting Services
    http://www.referable.com/

  25. #25

  26. #26
    Join Date
    Jul 2002
    Location
    My Place
    Posts
    135
    Get Mailwasher. http://www.mailwasher.net It is excellent for vetting and bouncing the spam email.
    COMPUTERS CAN DO THAT?
    http://www.computerscandothat.com

  27. #27
    In case anyone didn't understand my last posts on tracking things down... I am making this public.

    susannad wrote on 09-12-2002 09:10 AM:
    I can't follow how you did this
    if I'm trying to trace an address like this

    66.77.73.147

    how would I end up with similar results to you ?

    Hi Susan,

    I've been a network administrator for years now, so maybe it seems easier to me than it is... But:

    From a UNIX Shell:
    whois 66.77.73.147

    When you run whois on an IP address, whois goes to ARIN's servers first, and if ARIN says the IP is delegated it goes on to the delegee's server.

    Here are my results:

    ------------------
    $ whois 66.77.73.147
    Qwest Cybercenters QWEST-CYBERCENTER-2 (NET-66-77-0-0-1)
    66.77.0.0 - 66.77.207.255
    Fast Search, Inc. QWEST-MCC-FASTSRCH3 (NET-66-77-73-0-1)
    66.77.73.0 - 66.77.73.255

    # ARIN Whois database, last updated 2002-09-11 19:05
    # Enter ? for additional hints on searching ARIN's Whois database.
    ------------------

    Damn - as you can see I didn't get exact info... What did I get?? That IP is owned by Qwest Cybercenters, and then Qwest has re-assigned it to Fast Search, Inc. So we now have TWO contacts if there is abuse, as there are two owners of this IP.

    So I do this now:
    $ whois -h whois.arin.net QWEST-MCC-FASTSRCH3

    CustName: Fast Search, Inc.
    Address: 93 Worcester Street, 4th Floor Wellesley, MA 02481
    Country: US
    Comment:
    RegDate: 2002-01-10
    Updated: 2002-01-10

    NetRange: 66.77.73.0 - 66.77.73.255
    CIDR: 66.77.73.0/24
    NetName: QWEST-MCC-FASTSRCH3
    NetHandle: NET-66-77-73-0-1
    Parent: NET-66-77-0-0-1
    NetType: Reassigned
    Comment:
    RegDate: 2002-01-10
    Updated: 2002-01-10

    # ARIN Whois database, last updated 2002-09-11 19:05
    # Enter ? for additional hints on searching ARIN's Whois database.


    Notice that I specifically listed -h whois.arin.net. This tells the whois software that I want it to connect to the host at whois.arin.net, as it won't know where to go when I just feed it a handle. (If I give a domain it goes to NetSol and then the Sub Delegated... and with IPs it does the same through ARIN.)

    The only other command I use is nslookup:
    Name: cr008r01.sac2.fastsearch.net
    Address: 66.77.73.147

    That doesn't tell me much - pretty indescriptive name... But I am going to take the guess that it is a system in Sacramento #2 Data Center.


    I did some further looking into this with dig - a command I didn't have to use on the Forum to find out the user was a dialup user and not a proxy user.

    ;; QUERY SECTION:
    ;; cr008r01.sac2.fastsearch.net, type = MX, class = IN

    ;; AUTHORITY SECTION:
    sac2.fastsearch.net. 15M IN SOA as1.sac2.fastsearch.net. hostmaster.alltheweb.com. (
    2002090800 ; serial
    1H ; refresh
    20M ; retry
    2W ; expiry
    15M ) ; minimum


    ;; ADDITIONAL SECTION:
    . 0S 4096 OPT


    OK - so fastsearch.net is related to alltheweb.com. Let's whois alltheweb.com.

    They both come back to the same name:
    Fast Search & Transfer, Inc (FASTSEARCH9-DOM)
    1700 West Park Drive
    Westborough, MA 01581
    US

    With contact records as:
    Administrative Contact:
    Lervik, John M (JL10638) [email protected]
    Fast Search & Transfer ASA
    P.O. Box 1677 Vika
    Oslo
    NO-0120
    NO
    +47 23 23 84 11 (FAX) +47 23 23 84 01
    Technical Contact:
    Juul, Arne H (AHJ54) [email protected]
    Fast Search & Transfer ASA
    Postboks 1677 Vika
    Oslo
    n/a
    0120
    NO
    +47 9343 9929


    Now we have another name - FAST.NO... we can do the same here.

    As you can see it is very easy to track things down. If you can't figure it out, my services are available for hire. Example: Reseller plans... have a host that says they run their own servers? Ever spent the hour to try tracking them down? Many of these resellers are just using private name servers and their host has done some work to cover them up with anonymity. This kind of skill allows you to track down resellers like that.
    Travis Doherty
    Web Hosting Services
    http://www.referable.com/
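
    An added example, not part of the original thread: posts #21 and #27 show whois returning more than one range that covers an address (a parent allocation and a reassignment), each with its own abuse contact. The shell function below lists every range in saved whois output that contains a given IPv4 address, most specific first. The names `covering_ranges` and `sample_whois` and the sample records (RFC 5737 documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find every registry range in whois output that covers an IP.

# Constructed sample mixing the three layouts seen in the thread:
# ARIN summary lines, ARIN "NetRange:" detail and RIPE "inetnum:" objects.
sample_whois() {
cat <<'EOF'
Example Carrier EXAMPLE-PARENT (NET-198-51-100-0-1)
                198.51.100.0 - 198.51.100.255
Example Customer EXAMPLE-CHILD (NET-198-51-100-64-1)
                198.51.100.64 - 198.51.100.127
NetRange:   198.51.100.64 - 198.51.100.127
CIDR:       198.51.100.64/26
NetName:    EXAMPLE-CHILD
inetnum:    203.0.113.0 - 203.0.113.255
netname:    EXAMPLE-OTHER
EOF
}

# Usage: covering_ranges IP < whois-output.txt
# Prints "SIZE START - END" for each range containing IP, smallest first.
# Every printed range is a separate party worth an abuse report.
covering_ranges() {
    awk -v ip="$1" '
    # Dotted quad -> number; -1 if the text is not four dot-separated parts.
    function ip2n(a,   o) {
        if (split(a, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { target = ip2n(ip) }
    # Any "a.b.c.d - e.f.g.h" pair, whatever label precedes it.
    match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ +- +[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
        range = substr($0, RSTART, RLENGTH)
        split(range, ends, / +- +/)
        lo = ip2n(ends[1]); hi = ip2n(ends[2])
        # %.0f rather than %d: some awks clamp %d at 2^31-1.
        if (lo <= target && target <= hi)
            printf "%.0f %s - %s\n", hi - lo + 1, ends[1], ends[2]
    }' | sort -u | sort -n    # drop repeated ranges, then smallest first
}

# Demo on the constructed sample.
sample_whois | covering_ranges 198.51.100.97
```

    To use it on real output, save the result of `whois` to a file and feed that file to `covering_ranges` on standard input.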

  28. #28
    If you want to check and see if it is a customer, one way to do so would be to check your mail logs for existence of that client checking emails:

    grep -F '123.123.123.123' /var/log/maillog
    *AlphaOmegaHosting.Com* - Hosting since 1998
    Managed Dedicated Servers and VPS
    Hosted Exchange 2010 Email Service
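
    An added example, not part of the original thread: the mail-log search from post #28, extended to match the address exactly and to summarise which accounts logged in from it and when, which is the date and time detail an abuse report needs. The log layout (`user=<NAME>` and `rip=ADDR` on syslog-style lines), the function names and the sample lines are constructed assumptions; adjust the `user=` pattern to whatever your mail daemon writes.

```shell
#!/bin/sh
# Added example: per-account summary of mail-log entries for one exact IP.

# Constructed sample log (RFC 5737 documentation addresses).
sample_maillog() {
cat <<'EOF'
Sep 11 08:14:02 mail pop3d: Login user=<alice> rip=198.51.100.9
Sep 11 08:20:41 mail pop3d: Login user=<bob> rip=198.51.100.97
Sep 11 09:02:10 mail pop3d: Login user=<alice> rip=198.51.100.9
Sep 11 09:30:00 mail pop3d: Login user=<carol> rip=203.0.113.5
EOF
}

# Usage: logins_from_ip IP < /var/log/maillog
# Prints: ACCOUNT COUNT first="..." last="..."
logins_from_ip() {
    awk -v ip="$1" '
    {
        # Reduce the line to digit-and-dot tokens so each address stands
        # alone: "198.51.100.9" can never match inside "198.51.100.97",
        # which a plain substring or regex search would allow.
        line = $0
        gsub(/[^0-9.]+/, " ", line)
        n = split(line, tok, " ")
        hit = 0
        for (i = 1; i <= n; i++)
            if ((tok[i] "") == ip) hit = 1    # force string comparison
        if (!hit) next

        user = "(unknown)"
        if (match($0, /user=<[^>]*>/))
            user = substr($0, RSTART + 6, RLENGTH - 7)

        stamp = $1 " " $2 " " $3              # syslog month, day, time
        if (!(user in count)) first[user] = stamp
        count[user]++
        last[user] = stamp
    }
    END {
        for (u in count)
            printf "%s %d first=\"%s\" last=\"%s\"\n", u, count[u], first[u], last[u]
    }' | sort
}

# Demo on the constructed sample: only alice used 198.51.100.9.
sample_maillog | logins_from_ip 198.51.100.9
```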

  29. #29
    Join Date
    Mar 2002
    Location
    Melbourne Downunder
    Posts
    2,296
    ah refcom

    that's clear .. thanks
