How to Detect the Provider by IP Using FOFA, IPinfo, and IP2Location

Introduction

When conducting email marketing or managing infrastructure services, it’s essential to monitor and understand the IPs that interact with your systems. Platforms like Gmail, Hotmail, and other ISPs provide details in email headers, which can be used to track IPs and identify the hosting provider or service used.

In this article, we’ll explore:

  1. How to extract the IP address from email headers.
  2. Using FOFA, IPinfo, and IP2Location to detect the provider or service linked to an IP.
  3. Using FOFA queries to find PowerMTA monitoring dashboards or similar information.

Extracting IP Addresses from Email Headers

Gmail, Outlook, and other providers record the IP addresses of the sending infrastructure in the message headers. To view them, follow these steps:

  1. Gmail:

    • Open the email you want to analyze.
    • Click on the three dots in the upper right corner.
    • Select “Show Original.”
    • Search for the SPF line or the Received headers to find the IP.
  2. Outlook/Hotmail:

    • Open the email.
    • Click File > Properties.
    • In the "Internet headers" section, look for Received or SPF entries to find the sender’s IP.

Example:
In the header, a line like Received: from [209.85.220.73] shows the IP address.
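
As an added example (not part of the original article), the following Python code pulls the addresses out of raw Received and Received-SPF headers and keeps only the public ones, which are the ones worth sending to IPinfo or IP2Location. The sample headers, hostnames, and function names are constructed for illustration; Received lines below the one added by your own mail server can be forged by the sender, so hop 0 is the one to trust.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers (hostnames and IDs are made up). Only
# 209.85.220.73 comes from the article; the rest are private/documentation IPs.
SAMPLE = """\
Received: from mail.example.org (mail.example.org. [209.85.220.73])
        by mx.example.net with ESMTPS id abc123;
        Tue, 01 Oct 2024 10:00:00 -0700 (PDT)
Received-SPF: pass (example.net: domain of sender@example.org designates
        209.85.220.73 as permitted sender) client-ip=209.85.220.73;
Received: from [10.0.0.5] (unknown [IPv6:2001:db8::25])
        by mail.example.org with ESMTPSA id def456;
        Tue, 01 Oct 2024 09:59:58 -0700 (PDT)
From: sender@example.org
"""

# An address-like token in brackets/parentheses, after "=", or standing alone.
TOKEN = re.compile(r"[\[(\s=](?:IPv6:)?([0-9A-Fa-f:.]{3,45})(?=[\]);\s])")

def _ips(text):
    """Return the valid IPv4/IPv6 addresses in text, in order, de-duplicated."""
    found = []
    for token in TOKEN.findall(text):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:      # timestamps, queue IDs, etc. are not addresses
            continue
        if ip not in found:
            found.append(ip)
    return found

def received_hops(raw):
    """(hop, ip, is_public) per address; hop 0 is the newest Received header."""
    msg = message_from_string(raw)
    return [(hop, str(ip), ip.is_global)
            for hop, value in enumerate(msg.get_all("Received", []))
            for ip in _ips(value)]

def spf_client_ip(raw):
    """The client-ip= value the receiving server recorded in Received-SPF."""
    spf = message_from_string(raw).get("Received-SPF", "")
    match = re.search(r"client-ip=([0-9A-Fa-f:.]+)", spf)
    return match.group(1) if match else None

def public_sender_ips(raw):
    """Public addresses only: the ones worth a provider lookup."""
    return [ip for _, ip, is_public in received_hops(raw) if is_public]
```
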


How to Use FOFA to Search for Providers (FOFA Query Example)

FOFA is a powerful search engine that allows you to query internet-facing systems based on their titles, open ports, banners, and more.

  1. PowerMTA Monitoring Query: Use the following FOFA query to find PowerMTA monitoring dashboards:

     
    title=="PowerMTA monitoring"

    This query searches for systems exposing PowerMTA dashboards with the title "PowerMTA monitoring". You can analyze the returned IPs to find out which providers are hosting these dashboards.

  2. Checking IPs from FOFA Results: Once you get IPs from the FOFA query, you can further analyze them to see which providers are hosting these dashboards.


Detecting Provider Using IPinfo and IP2Location

Once you have an IP address, tools like IPinfo and IP2Location allow you to identify the provider, ISP, or hosting company.

  1. Using IPinfo: Visit IPinfo and enter the IP address you extracted. The platform provides details such as:

    • ISP name
    • Hosting service (like AWS, DigitalOcean, Google Cloud)
    • Geolocation information

    Example Output:

     
    IP: 209.85.220.73
    ISP: Google LLC
    Location: United States

  2. Using IP2Location: Visit IP2Location and enter the IP address to get detailed information on:

    • ISP or hosting provider.
    • Usage type (e.g., data center, broadband, proxy).
    • Geolocation data including country, city, and region.

Combining FOFA, IPinfo, and IP2Location for Full Insight

  1. FOFA helps you discover dashboards or systems exposed on the internet based on keywords like PowerMTA.
  2. IPinfo and IP2Location allow you to further investigate the providers hosting these services.

Workflow Example:

  • Use FOFA to search for title=="PowerMTA monitoring".
  • Get the IP addresses from FOFA results.
  • Use IPinfo or IP2Location to identify the provider for each IP.
  • Check whether any competitors or providers are using the same infrastructure.

Conclusion

By using tools like FOFA, IPinfo, and IP2Location, you can gain insight into which providers or hosting services are being used by different email infrastructures, including PowerMTA setups. This can help you:

  • Optimize your email deliverability by avoiding blacklisted IPs.
  • Monitor your competitors' infrastructure choices.
  • Ensure better security by detecting exposed dashboards.

These tools, combined with a proper understanding of email headers, empower you to stay ahead in email marketing and infrastructure monitoring.
