Sunday, January 21, 2007

Finding an Email Address from an IP Address?

Is it possible to get an e-mail address by researching a known IP address? -JJ

++++

Generally, no.

In some circumstances, the IP address may be assigned to a company, in which case you will be able to trace it back to the company it's assigned to. Other IP addresses may lead you to the mailserver of a specific web site.

Failing that, if you have an IP address, exact date and time a message was sent, and your case warrants a subpoena, you will usually be able to get the actual person who was assigned that IP address at that particular time from the ISP.

But as for reversing an IP address to an email address, except in rare circumstances, it can't be done. -SA

++++

Let me add a comment to the last informative post.

IP addresses are not assigned to individuals or businesses on a permanent basis, unless you purchase a static (does not change) IP address. Generally speaking, an IP address, say from an ISP like Comcast or Bellsouth, rotates occasionally, so you never maintain the same IP address.
This is why, when you have a complaint about an address, you need the exact date and time of the incident, to lock down who or what company was using a particular address at that date and time. -PD

++++

If the origin of the email was from a company which operates a network, the IP address for that network will either (a) have been registered with NIC - in the case of the company having an Internet website, or (b) will have been provided by the company's ISP (Internet Service Provider). If it's a company which operates an intranet which has web & email access, it will probably also be a static IP address. Some individuals, or small businesses, also pay extra for static IP addresses if their work warrants it - but they're not cheap. Other than that, the IP address would be 'dynamic' - would change every time the subject logged onto the Internet. But their ISP's router would have a log showing who logged on and when, and what IP address was assigned to that particular session. It is also possible that the session would not only show the username, etc. for that session but also the MAC (hardware address) for the particular computer from which the session originated. But, depending on how cooperative the ISP is, as has been said, a subpoena would be needed.

Now, what I'm not certain about is this. If a user has a broadband connection, and leaves the computer turned on and connected to the Web 24/7, it's possible that the IP address with which their session began could remain static for the length of the session - until the computer is powered off, or until the broadband network connection is broken. I don't know that an ISP would 'refresh' the connection with a new IP address in the middle of the session - even if the session lasted for days. But even so, for most private, non-registered corporate users, the closest one could trace the IP address is to the node, or hop, of the ISP - since it's through that ISP that the Internet, email, etc., connection is established. The ISP's router would then direct network traffic to the individual computer via "subnet masks." So, an examination of the ISP's logs would still probably be required.

I hope that helps, for what it's worth. -KG

++++

I need more information than you've provided to be able to give you an answer for your specific situation.

However, please understand that a person's IP address is not necessarily the same all the time. For example, dial-up users share a pool of IP addresses. Say a user has a dial-up account with AT&T. Each time he logs in, he will be assigned an IP address from that pool - it will vary each time. Now, AT&T does keep logs to know which user is associated with an IP address on a specific date and time. These logs can be subpoenaed if there is a lawsuit, for example. There are laws like the ECPA that govern what information may be obtained from ISPs about someone.

Also, please remember that it is entirely possible to use methods to falsify e-mail routing information. I have demonstrated on some of these mailing lists how easy it is to make it appear that an e-mail came from Peru, Chile or Uganda, merely by using a proxy. These types of e-mail messages are much more difficult to trace when you have jurisdictional issues to contend with, and you simply cannot just go ringing up foreign ISPs and demanding assistance. There are rules that must be observed. My book will also cover this.

Sometimes, it is just not possible to easily trace an e-mail using the routing information. In these cases, you must rely on what computer forensics expert Eoghan Casey refers to as "rough edges." For example, in one case an e-mail sender was caught because even though he didn't sign his name on his posts, he always used a particular signature at the bottom of his e-mail. A Usenet post was found with this same signature which also had an affiliate id in it. This man was then tracked using his affiliate id. (Now, bear in mind that it is also possible for people to masquerade as someone else by imitating signatures and such.) All of this will be discussed in my upcoming book.

Be very cautious about hiring someone to trace an e-mail. There are people offering this service who have no more idea what they are doing than the man in the moon. They may quote some huge figure without even looking at the e-mail in question. Be careful - ask for references from lawyers. -MA
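As an added illustration of the routing-information analysis SA and MA describe (example code written for this page, not from anyone in the thread): it walks a constructed Received header chain from the sender's end upward, skips LAN addresses that no ISP could match to a customer, and reports which public address and timestamp you would actually take to the ISP, together with whether the relay that stamped it is one you control. All host names and addresses are made up.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample message, not from the original thread. Hop 0 (top) was
# stamped by the recipient's own server; lower hops were stamped by servers
# closer to the sender, and a sender can fabricate those lines before sending.
RAW_MESSAGE = b"""Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.recipient.example with ESMTP id 4F2A1; Sun, 21 Jan 2007 10:15:02 -0500
Received: from webmail.example.net (unknown [203.0.113.45])
\tby mx.example.net with ESMTP; Sun, 21 Jan 2007 10:14:58 -0500
Received: from [192.168.1.20] (helo=home-pc)
\tby webmail.example.net with ESMTPA; Sun, 21 Jan 2007 10:14:50 -0500
From: someone@example.net
To: jj@recipient.example
Subject: hello

text body
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# RFC 1918 and loopback ranges: an address here identifies a machine on a LAN
# behind NAT, not an ISP customer, so it is useless for an ISP records request.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_hop(hop):
    """Return (relaying IP, timestamp) from one Received header; None if absent."""
    m = IP_RE.search(hop)
    ip = ipaddress.ip_address(m.group(1)) if m else None
    # RFC 5322 places the date-time after the final ';' of a Received header.
    when = email.utils.parsedate_to_datetime(hop.rsplit(";", 1)[1].strip()) if ";" in hop else None
    return ip, when


def candidate_origin(raw, trusted_hops=1):
    """Walk the Received chain from the sender's side (bottom) upward and return
    the first routable IP, the time the relay stamped it, and whether that relay
    is among the `trusted_hops` topmost servers the recipient actually operates.
    Anything stamped below the trusted hops could have been forged by the sender."""
    hops = email.message_from_bytes(raw).get_all("Received", [])
    for idx in range(len(hops) - 1, -1, -1):
        ip, when = parse_hop(hops[idx])
        if ip is None or any(ip in net for net in NON_ROUTABLE):
            continue
        return {"ip": str(ip), "stamped_at": when.isoformat() if when else None,
                "stamped_by_trusted_relay": idx < trusted_hops}
    return None
```

On the sample the bottom hop only yields a 192.168.x.x LAN address, so the usable lead is 203.0.113.45 at 10:14:58 -0500; because that line was stamped by a relay the recipient does not run, the result flags it as unverified, which is the caveat MA raises about falsified routing information.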

1 comment:

goreseo at yahoo said...

I have an IP address and the date and time it was used by Verizon DSL. Can I get the address of the person it was assigned to? It is assigned to a home address.