2016 Postmortem
In reply to the discussion: So let me get this straight... [View all]RichVRichV
(885 posts)The simplest is to go through the domain name. Every email has to have a domain listed after the @ symbol that is linked to the mail servers. It's not that hard to find domains for specific people. Every domain name has contact information for people that setup and maintain the account. All you need to know is the name of the person you're looking for or the names of associates that would have set it up (staffers, IT people working for that person with clearance). Or you can search via phone number, contact address, etc. Once you identify the domain name you can do a whois lookup for the full contact information to verify. All of that is public records.
Alternately if they're using a .gov email address then you can narrow your search to those and look for .gov names related to her name or position.
Once you locate the domain name for the emails you just have to nslookup the ip address of the server the domain name points to. You can check for open smtp ports to verify it is an email server.
This is all rather trivial. Most IT people could do it with a little patience and some basic personal information. Finding a server is the easy part. This is just one of many ways to do so. The hard part is getting into them (assuming the people setting them up are semi-competent).
There's an IT saying: "Security through obscurity is no security at all". Hoping someone doesn't find out where your server is isn't how things are protected on the internet.