Question about Geo-Location information when tracing email header.

Post your questions about tracing the source IP address of an email here.

Post by srpottershouse » Tue Aug 23, 2016 6:37 am

Hello. I have been receiving some emails from a sender who will not identify themselves because of the content they are sending me. They are using a "hotmail" account and I know that Microsoft blocks the original sending IP. When I paste the header into your email trace it does give me the IP address of the sender, which is Microsoft's servers. If I do a direct lookup of the IP address alone it will point to their servers in Redmond, Washington, but if I use the email tracing tool that analyzes the header it gives me a geo-location of Moreno Valley, California. Is there something it's looking at in the header that would give this location? I just want to verify that it may be incorrect, or is there more information in the header that would give this geo-location that other tools are missing? Here is the header to look at. Thanks.


Delivered-To: {removed}@gmail.com
Received: by 10.28.236.80 with SMTP id k77csp1550858wmh;
Mon, 15 Aug 2016 10:44:56 -0700 (PDT)
X-Received: by 10.66.12.9 with SMTP id u9mr23632034pab.113.1471283095900;
Mon, 15 Aug 2016 10:44:55 -0700 (PDT)
Return-Path: <{removed}@hotmail.com>
Received: from COL004-OMC4S2.hotmail.com (col004-omc4s2.hotmail.com. [65.55.34.204])
by mx.google.com with ESMTPS id pl3si27560338pac.22.2016.08.15.10.44.55
(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Mon, 15 Aug 2016 10:44:55 -0700 (PDT)
Received-SPF: pass (google.com: domain of {removed}@hotmail.com designates 65.55.34.204 as permitted sender) client-ip=65.55.34.204;
Authentication-Results: mx.google.com;
dkim=pass header.i=@hotmail.com;
spf=pass (google.com: domain of {removed}@hotmail.com designates 65.55.34.204 as permitted sender) smtp.mailfrom={removed}@hotmail.com;
dmarc=pass (p=NONE dis=NONE) header.from=hotmail.com
Received: from EUR01-DB5-obe.outbound.protection.outlook.com ([65.55.34.201]) by COL004-OMC4S2.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
Mon, 15 Aug 2016 10:44:39 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh=SxJ9c4F9ybL76j3Ks5mrlRXqhxoaP1terbm7inA+jxE=;
b=ShdrZqi0G7sQvA/sSJDhA0d/8l+W5sKljb7R9+070v/cKA666lzDHlAA3C19obcD7XV7N+uC+56ksP9Z3lFo6b14hgvMPujy648nORD+SM9KV1s6/+/8WljeFXCq0YjcdWlIRDI7hxg3DwUweTWvXxG2+lu0C/ZjFeo16gGHKlPFNbkN1ikaaB0N85QyfjpDHoidDtF25bRR5W67B2TQoRBk9OUDjJyw8JYdb4iAeH1mjEgceH4/icwsUPT8oakuBsrOFp+y2km0bLuxFFytd8VUQVoXmwPwRjDOjbPIhrD8JhhBqW5bqZRQzRSd76A9f+dKWTTPYxOBllcXgl+SeQ==
Received: from VE1EUR01FT064.eop-EUR01.prod.protection.outlook.com
(10.152.2.56) by VE1EUR01HT041.eop-EUR01.prod.protection.outlook.com
(10.152.3.59) with Microsoft SMTP Server (version=TLS1_0,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.567.7; Mon, 15 Aug
2016 17:44:27 +0000
Received: from DBXPR05MB511.eurprd05.prod.outlook.com (10.152.2.56) by
VE1EUR01FT064.mail.protection.outlook.com (10.152.3.34) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.1.577.8 via Frontend Transport; Mon, 15 Aug 2016 17:44:17 +0000
Received: from DBXPR05MB511.eurprd05.prod.outlook.com ([10.242.138.27]) by
DBXPR05MB511.eurprd05.prod.outlook.com ([10.242.138.27]) with mapi id
15.01.0544.023; Mon, 15 Aug 2016 17:44:11 +0000
From: PH Insider <{removed}@hotmail.com>
Subject: Fw: The Mitchells....
Thread-Topic: The Mitchells....
Thread-Index: AQHR9xyhE+VPBW/1xEexpFxN8QutZQ==
Date: Mon, 15 Aug 2016 17:44:11 +0000
Message-ID: <DBXPR05MB51131708DF87B30E3AC89A2B9090@DBXPR05MB511.eurprd05.prod.outlook.com>
References: <DB3PR05MB5053BBE61775A4E0EC1572EB93D0@DB3PR05MB505.eurprd05.prod.outlook.com>,<DBXPR05MB511DEB475537795AB268DC1B9320@DBXPR05MB511.eurprd05.prod.outlook.com>,<DBXPR05MB51122BAC2CCE1BA027E9065B9090@DBXPR05MB511.eurprd05.prod.outlook.com>,<DBXPR05MB5117C53DD646952E930A52BB9090@DBXPR05MB511.eurprd05.prod.outlook.com>
In-Reply-To: <DBXPR05MB5117C53DD646952E930A52BB9090@DBXPR05MB511.eurprd05.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=softfail (sender IP is 10.152.2.56)
smtp.mailfrom=hotmail.com; gmail.com; dkim=none (message not signed)
header.d=none;gmail.com; dmarc=fail action=none header.from=hotmail.com;
received-spf: SoftFail (protection.outlook.com: domain of transitioning
hotmail.com discourages use of 10.152.2.56 as permitted sender)
x-tmn: [Wn29la9yoPW5PSblac9HcPeHvEY3aKKt]
x-eopattributedmessage: 0
x-forefront-antispam-report: CIP:10.152.2.56;IPV:NLI;CTRY:;EFV:NLI;SFV:NSPM;SFS:(10019020)(98900003);DIR:OUT;SFP:1102;SCL:1;SRVR:VE1EUR01HT041;H:DBXPR05MB511.eurprd05.prod.outlook.com;FPR:;SPF:None;LANG:en;
x-microsoft-exchange-diagnostics: 1;VE1EUR01HT041;5:79FFD60fdja1+P9dmhj+I4lyJVzGsJGf/pjeFQmRBZ+etcC/fqK3hFrCelxK2iPdcl33c/GmaTjYpUhSLosMceD/AxyCzzQFxZA/I0X6Fujcqi8O93VLol38zlg6BB43w/sy1xuk8L1W8XXBF6X27A==;24:MZMOwpCjz1YClEEiuXhFNRBUhCSMf6nCsSRkcLJB+dddaoAP1ol6jfxyaEi1NuF1mMp2bt2xv3jDTm//R1m34VT0MVQVB0AyJoR4a7+ZCC0=;7:Q5tuGEbq+Kbvu4BT4fh74KjamOCQ1OF+glKMNBv9oAMAmtlP9vUd/47dvuDLL2agVAg9j16jxRrqVIuaHEbGxN+72FnMwjDLCO3SyAVaW+rRwN54sQomdbLPmlq2yIEA17EmjCoBVf6PCaMdPYkhiieoNEylclRksszP/m5NShN/5CSi6TC39H+1EshulzUMc/Pu1c3mnx33jNkg8BewPTfI0kqiAFllxnvO/OIicsIjgIPTmvOGBHrI4v61/W9q
x-ms-office365-filtering-correlation-id: 99f6930b-542f-4472-4abe-08d3c533c47f
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(1601124038)(1601125047);SRVR:VE1EUR01HT041;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(432015012)(102415321)(82015046);SRVR:VE1EUR01HT041;BCL:0;PCL:0;RULEID:;SRVR:VE1EUR01HT041;
x-forefront-prvs: 0035B15214
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/mixed;
boundary="_004_DBXPR05MB51131708DF87B30E3AC89A2B9090DBXPR05MB511eurprd_"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Aug 2016 17:44:11.5677
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1EUR01HT041
Bcc:
Return-Path: {removed}@hotmail.com
X-OriginalArrivalTime: 15 Aug 2016 17:44:39.0760 (UTC) FILETIME=[B2935500:01D1F71C]

--_004_DBXPR05MB51131708DF87B30E3AC89A2B9090DBXPR05MB511eurprd_
Content-Type: multipart/alternative;
boundary="_000_DBXPR05MB51131708DF87B30E3AC89A2B9090DBXPR05MB511eurprd_"

--_000_DBXPR05MB51131708DF87B30E3AC89A2B9090DBXPR05MB511eurprd_
Content-Type: text/plain; charset="iso-8859-1"

Re: Question about Geo-Location information when tracing email header.

Post by Chrispcritters » Tue Aug 23, 2016 7:29 am

Unfortunately Hotmail/Outlook emails no longer contain the sender's IP address. It will take a court order (subpoena) for them to reveal the IP address of their customer.
Founder & CEO of WhatIsMyIPAddress.com.
You can follow me on Twitter and Facebook for some behind the scenes info.
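
The answer above can be checked against the posted header. The following is an added example, not part of the original thread: it walks the Received chain and flags which "from" addresses are publicly routable. The Received lines are copied from the post with the TLS details trimmed; the function names are illustrative.

```python
import ipaddress
import re
from email import message_from_string

# Received lines from the header posted above (TLS/cipher details trimmed).
SAMPLE = """\
Received: from COL004-OMC4S2.hotmail.com (col004-omc4s2.hotmail.com. [65.55.34.204])
 by mx.google.com with ESMTPS id pl3si27560338pac.22.2016.08.15.10.44.55;
 Mon, 15 Aug 2016 10:44:55 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com ([65.55.34.201])
 by COL004-OMC4S2.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
 Mon, 15 Aug 2016 10:44:39 -0700
Received: from VE1EUR01FT064.eop-EUR01.prod.protection.outlook.com
 (10.152.2.56) by VE1EUR01HT041.eop-EUR01.prod.protection.outlook.com
 (10.152.3.59) with Microsoft SMTP Server id 15.1.567.7; Mon, 15 Aug
 2016 17:44:27 +0000
Received: from DBXPR05MB511.eurprd05.prod.outlook.com (10.152.2.56) by
 VE1EUR01FT064.mail.protection.outlook.com (10.152.3.34) with Microsoft SMTP
 Server id 15.1.577.8 via Frontend Transport; Mon, 15 Aug 2016 17:44:17 +0000
Received: from DBXPR05MB511.eurprd05.prod.outlook.com ([10.242.138.27]) by
 DBXPR05MB511.eurprd05.prod.outlook.com ([10.242.138.27]) with mapi id
 15.01.0544.023; Mon, 15 Aug 2016 17:44:11 +0000
Subject: constructed-sample

"""

# An IPv4 literal wrapped in [] or (), as relays write it in Received lines.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def sender_side_ips(raw_headers):
    """Return [(ip, is_public)] for each hop's 'from' part, newest hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        # Keep only the text before "by": the side that handed the mail over.
        from_part = re.split(r"\sby\s", value, maxsplit=1)[0]
        m = IP_RE.search(from_part)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            hops.append((str(ip), ip.is_global))
    return hops

def earliest_public_ip(raw_headers):
    """Oldest hop with a publicly routable address (headers are prepended)."""
    public = [ip for ip, is_public in sender_side_ips(raw_headers) if is_public]
    return public[-1] if public else None
```

On this header the only public addresses are the two 65.55.34.x relay hops named hotmail.com and outlook.com; every earlier hop is a private 10.x address, so a lookup on any of them locates mail infrastructure rather than the sender.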
