I wrote this article to help you determine whether the person you are e-mailing is really in the country they claim to be in.
In my experience these scammers use The Bat! as the e-mail client for their messages.
Here is some information about The Bat!.
The Bat! identifies itself in the header as: X-Mailer: The Bat! (v3.80.06). This is their preferred e-mail client.
The Bat! is an e-mail application that supports multiple POP3 accounts, multithreading, the MIME and UUencode standards, multimedia, APOP authorization, and PGP. It also has a fast and comfortable message editor with text highlighting, as well as a mail dispatcher for managing messages on servers. English, Russian, German, Dutch, Polish, Swedish, Italian, Lithuanian, and Romanian interfaces are built in, as is a multilingual spelling checker.
The application's other features include automatic dial-up networking (configurable for multiple accounts) and the option to include a photo with each address-book entry. There are also enhancements such as message coloring, flagging, advanced filtering, speed improvements, and virus protection.
The procedure to trace an e-mail back to its sender is as follows:
e-mail ==> header ==> public IP address used by the mail client ==> identify the network or ISP
ISP ==> the ISP assigned that public IP; the assignment is tied to a telephone number and to the user name and password used to connect ==> the ISP can identify the user.
How to trace an e-mail
Whenever you go online, your computer is assigned a public IP address by your ISP. An IP (Internet Protocol) address is the numeric address given to every computer connected to the Internet. It is needed to route traffic, much as a street address or PO box is needed to receive regular mail. E-mail addresses are not IP addresses.
Each computer on the Internet has a unique numeric address, similar to a phone number. The address block it belongs to is registered to the user's Internet service provider, a university, or a company. A public database (the regional registry's WHOIS) matches each block to the organization that registered it.
Every time anyone connects to the Internet they leave their public IP address, their ISP's domain name, and other bits of information behind.
Here is the procedure to trace an e-mail using headers and the IP address of the network the scammer is using.
1. Locate the IP address from the e-mail the scammer sent you.
Different e-mail clients have different procedures for showing the full header.
This link will explain how to show the headers in the different e-mail clients.
Here is the e-mail I received, with its header (recipient addresses replaced):
Delivered-To: e-mail of recipient
Received: by 10.90.116.9 with SMTP id o9cs194683agc;
Wed, 10 Oct 2007 07:41:14 -0700 (PDT)
Received: by 10.70.11.1 with SMTP id 1mr1262696wxk.1192027266194;
Wed, 10 Oct 2007 07:41:06 -0700 (PDT)
Received: from smtp118.plus.mail.mud.yahoo.com (smtp118.plus.mail.mud.yahoo.com [184.108.40.206])
by mx.google.com with SMTP id h39si2202328wxd.2007.10.10.07.41.05;
Wed, 10 Oct 2007 07:41:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of Sun_loving_girl@yahoo.com designates 220.127.116.11 as permitted sender) client-ip=18.104.22.168;
DomainKey-Status: good (test mode)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
Sun_loving_girl@yahoo.com designates 22.214.171.124 as permitted sender) smtp.mail=Sun_loving_girl@yahoo.com; domainkeys=pass (test mode) header.From=Sun_loving_girl@yahoo.com
Received: (qmail 85042 invoked from network); 10 Oct 2007 14:41:05 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
b= StZevyutK2lDqx0cxRtP16uyKBIal0e2gCpWOLbCYo0H691iVaDonUADd3T3RSp3rmQWNK4riccG5w+ kRu91iz27Gj/yErvoO0KjuY2mLytCKE4d+89253W53W+M3ohEpWxs1dZMw+e2HZESfsNx2HkQ+6WFUlr2mDT/bsRq5KO5Ts= ;
Received: from unknown (HELO 127.0.0.1) (email@example.com with plain)
by smtp118.plus.mail.mud.yahoo.com with SMTP; 10 Oct 2007 14:40:57 -0000
Date: Wed, 10 Oct 2007 17:59:58 +0400
From: Sveta <Sun_loving_girl@yahoo.com>
To: e-mail recipient < email recipient>
X-Mailer: The Bat! (v3.80.06)
Content-Type: multipart/mixed; boundary="--_-01C80B67-_-70F5D113-_-5EF8EFAE-_-"
Content-Type: text/plain; charset="windows-1251"
2. The next step is to locate the public IP of the e-mail client the scammer is using. The header contains both private and public IP addresses, so we need to know how to tell them apart.
Private IP Addresses
Q. What are private IP addresses?
A. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (local networks):
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Also, IP addresses in the range 169.254.0.0 - 169.254.255.255 are reserved for Automatic Private IP Addressing (link-local).
127.0.0.0 - 127.255.255.255 (usually seen as 127.0.0.1) is loopback, the machine talking to itself.
Any IP address in one of these ranges is internal to some network and says nothing about where the sender is, so we ignore it. In the header above, 10.90.116.9 and 10.70.11.1 are hops inside Google's own network, and the 127.0.0.1 in "HELO 127.0.0.1" is loopback.
Each mail server that handles the message adds its own "Received:" line at the top of the header, so the lines must be read from the bottom up. The lowest "Received:" line is the hop where the sender's mail client handed the message to its first server; here that is "Received: from unknown (HELO 127.0.0.1) (... with plain) by smtp118.plus.mail.mud.yahoo.com with SMTP", which shows the client logging in to Yahoo's outgoing server. That is the line where the client's public IP address is normally recorded. The line above it, "Received: from smtp118.plus.mail.mud.yahoo.com (... [184.108.40.206]) by mx.google.com", and the client-ip value in the Received-SPF line record the address of Yahoo's server as it delivered the message to Gmail, not the address of the sender.
In this copy of the header the lowest line shows only the loopback address and the login name, so the client's own public IP is not present; the public IP that is present, 184.108.40.206, belongs to Yahoo's relay. Looking it up tells you where that server is and who to report abuse to, but it does not by itself place Sveta, who claims to be in Russia, in any country. The one location hint left in this header is the Date: line, which The Bat! writes from the sender's own clock: the +0400 offset is the one Moscow used in October 2007, although a sender can set any time zone they like.
Go to the geobytes link and enter the IP address to locate: 184.108.40.206. This address resolves to the USA, California, the city of Wrightwood, which is where the provider's server sits.
See attached map.
The city returned by a geolocation database is often wrong, but the country for a public IP address is usually correct. Remember that it locates the machine holding that address; for a webmail or relay address that is the provider's server, not the sender's computer.
The service provider or ISP is the one assigning the public IP address so you can connect to the Internet. If you have a DSL or dial-up connection, your phone number is tied to the Internet service, and from its connection logs the ISP can find out to which phone number a given public IP address was assigned on a given date, even if the address was dynamic.
3. The next step is to find out which network or ISP the address belongs to. Its administrator assigned the public IP address and can identify the user; a webmail provider can do the same from the login records of the account.
This link lists the regional registries that hold the WHOIS records for IP addresses in each part of the world.
Since the public IP is registered to a network or ISP and this one is in the USA, ARIN is the WHOIS database to search, with the IP address 220.127.116.11.
Here we find out where to report the abuse.
Address: 701 First Ave
NetRange: 18.104.22.168 - 22.214.171.124
NetType: Direct Allocation
RAbuseName: Network Abuse
OrgAbuseName: Network Abuse
OrgTechName: Netblock Admin
# ARIN WHOIS database, l
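To make steps 1 and 2 mechanical, here is an added Python example (it is not code from the original article) that reads a raw header, walks the Received: lines from the bottom up, drops the reserved ranges listed above and reports the first public address it meets, which is the address the mail client connected from when the submission server recorded it. The header it parses is constructed to mirror the one above: the hostnames are the ones shown in the article, but the addresses are RFC 5737 documentation addresses standing in for real ones (203.0.113.45 for the Yahoo relay, 198.51.100.23 for the sender's connection), and the sender's address has been put back into the lowest Received: line in the `(user@address with ...)` clause, which is an assumption about how that server writes it. Step 3, the WHOIS lookup, is then run by hand against the regional registry for the address found.

```python
"""Added example: find the originating public IPv4 address in an e-mail header
by walking its Received: chain oldest-first. Not code from the original article."""
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed sample header. Hostnames follow the article; the IP addresses
# are RFC 5737 documentation addresses, not real ones.
SAMPLE_HEADER = """\
Delivered-To: recipient@example.com
Received: by 10.90.116.9 with SMTP id o9cs194683agc;
        Wed, 10 Oct 2007 07:41:14 -0700 (PDT)
Received: by 10.70.11.1 with SMTP id 1mr1262696wxk.1192027266194;
        Wed, 10 Oct 2007 07:41:06 -0700 (PDT)
Received: from smtp118.plus.mail.mud.yahoo.com (smtp118.plus.mail.mud.yahoo.com [203.0.113.45])
        by mx.google.com with SMTP id h39si2202328wxd.2007.10.10.07.41.05;
        Wed, 10 Oct 2007 07:41:06 -0700 (PDT)
Received-SPF: pass (example.com: domain of sender@example.net designates 203.0.113.45 as permitted sender) client-ip=203.0.113.45;
Received: (qmail 85042 invoked from network); 10 Oct 2007 14:41:05 -0000
Received: from unknown (HELO 127.0.0.1) (sender@198.51.100.23 with plain)
        by smtp118.plus.mail.mud.yahoo.com with SMTP; 10 Oct 2007 14:40:57 -0000
Date: Wed, 10 Oct 2007 17:59:58 +0400
From: Sveta <sender@example.net>
X-Mailer: The Bat! (v3.80.06)
"""

# The ranges the article says to ignore: RFC 1918 private space, link-local, loopback.
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]

# A dotted quad not glued to a word character or another dot, so the date-like
# tail of a queue id such as "...wxd.2007.10.10.07.41.05" is not picked up.
DOTTED_QUAD = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def valid_ipv4(text):
    """Accept only canonical dotted quads; reject leading-zero octets."""
    if any(len(o) > 1 and o.startswith("0") for o in text.split(".")):
        return False
    try:
        ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return True


def is_reserved(ip):
    """True if the address falls in one of the ranges the article ignores."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RESERVED_NETS)


def received_hops(raw_header):
    """Received: lines oldest-first. Each server prepends its own line,
    so the last one in the header is the hop closest to the sender."""
    msg = HeaderParser().parsestr(raw_header)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return hops[::-1]


def public_ips_per_hop(raw_header):
    """(hop text, [public IPv4 addresses in it]) for every hop, oldest-first."""
    out = []
    for hop in received_hops(raw_header):
        ips = [ip for ip in DOTTED_QUAD.findall(hop)
               if valid_ipv4(ip) and not is_reserved(ip)]
        out.append((hop, ips))
    return out


def originating_ip(raw_header):
    """First public IP seen from the sender's side, with the hop it came from.
    Returns (None, None) if no hop recorded a public address."""
    for hop, ips in public_ips_per_hop(raw_header):
        if ips:
            return ips[0], hop
    return None, None


def sender_clock_offset_hours(raw_header):
    """UTC offset of the Date: header, written by the client from its own
    clock: a weak, spoofable hint about the sender's time zone."""
    msg = HeaderParser().parsestr(raw_header)
    return parsedate_to_datetime(msg["Date"]).utcoffset().total_seconds() / 3600


if __name__ == "__main__":
    for hop, ips in public_ips_per_hop(SAMPLE_HEADER):
        print(ips or "-", "<=", hop[:72])
    print("originating address:", originating_ip(SAMPLE_HEADER)[0])
    print("sender clock offset: %+.0f h" % sender_clock_offset_hours(SAMPLE_HEADER))
```

Run against the sample, the lowest hop yields 198.51.100.23 (the client's connection to Yahoo), the Gmail-facing hop yields 203.0.113.45 (Yahoo's relay, the address the Received-SPF line also names), and the two Google-internal hops yield nothing because their 10.x addresses are reserved. Feed a real header in and the first address printed is the one to take to the regional registry's WHOIS; if the lowest hop prints nothing, as in the article's copy, the provider that owns the relay address is the party that can identify the account.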