To totally unlock this section you need to Log-in
So you’d like to to find out just who is sending those email love letters, determine the sender of a blackmail message, or just root out the source of a virus emailed to you. There are indeed many such situations where you would like to know who sent a particular email message to you. This article will teach you how to use “Email Headers” to backtrack and find the original sender’s IP address. Don’t worry, it’s not rocket science.
There are basically two steps involved in the process of tracking an email: find the IP address in the email header section and then look up the location of the IP address. It’s worth noting that you usually won’t be able to get the exact location of the actual person who sent the email.
For example, if someone in Germany sends you an email using Gmail, the last IP address in the header section will probably be the public IP address assigned to that user from the ISP, which will give you the location of the user ranging from within a mile all the way to the city or region level.
The reason for the wide range is that the IP address that an ISP assigns to a particular user is normally dynamic. This means that the IP address they had when the email was sent may now be assigned to a different user in the region. This is the main reason why you might get a wide geographic area when looking up the location of the IP address.
However, depending on what device people are using to send emails when using Gmail or another online email service, the last IP address might just be the IP address of Google or Yahoo or Hotmail servers, so keep that in mind too.
Email messages, as in the case of their non-electronic cousins, have “envelopes” of a sort. In the case of email the envelope is composed of a series of “Headers“. These are just a series of lines of characters which precede the actual email message. Email programs such as Outlook do not normally display these Headers when displaying a message. From these Headers however, the email program is able to extract important information about the message, such as the message encoding method, the creation date, the message subject, the sender and receiver, etc.
Moreover, just as a postal envelope contains an address, a return address and the cancellation stamp of the post office of origin, an email message in these “Headers” carries with it a history of its journey to your email inbox. Because of this, it’s possible to determine the original IP address of the sender.
As you can see on the above picture, for example, a Header consists of two sections separated by a colon “:”. The first part is the Header’s name. The second is the Header’s data. In the case of postal mail, in principle, it is possible to write any kind of information (c/o, suite or apartment number, etc.) into the address information. Similarly email Headers can include any kind of information also. Usually however, an email Header will contain at least the following basic Header information:
In some cases, a number of these Headers may not be necessary. To determine the address of origin, special attention must be paid to the ‘Received:‘ Headers. These Headers are selected on our screenshot illustration. ‘Received‘ headers have the following format:
So, we have observed, it is from the ‘Received‘ Header that we retrieve the IP address or domain name.
There are other possible variations in email routing. Your Email Service Provider (or the provider of the sender) may use several ‘pass-through‘ email servers and these servers can add several ‘Received’ Headers. Also, if you and the sender use the same server, the message will have only one ‘Received‘ Header.
Practice… or tips for traps
Unfortunately there are those who for various reasons want to conceal their IP address from the message receiver. About 95% of Internet email is composed of spam, viruses and other types of illicit material. Most spammers use clever tricks to hide their true IP address. They can, for example, place fake ‘Received‘ headers into the email headers. They might look something like the following:
Received: from %RNDUCCHAR1524 (j126.96.36.199.%RNDLCCHAR15357.ti.yahoo.com 188.8.131.52)
by mail08.t.yahoo.com (47.1.777akv719/%RNDDIGIT12.4.50) with SMTP id fwf54N4Wnto%RNDDIGIT15;
Wed, 06 Oct 2004 09:22:39 +0500
In this example, symbols such as %RNDDIGIT12 or %RNDLCCHAR15357 seem like instructions to a mass-mailer application to insert RaNDom CHARacters or DIGITS to confuse you as well as your anti-spam filter.
In this case, the true sender IP could be in the first ‘Received‘ Header, that is, the one that was inserted by your email service provider’s email server, because most spammers send their messages directly to your mailbox without using any intermediate servers. In this case only one of the ‘Received‘ Headers can be the one we’re looking for. Once we find it, we can conclude that all of the others are fake.
We may safely conclude that since there are often several ‘Received‘ headers in an email message, servers deliver email using a chained process. For that reason the sender indicated in the current ‘Received‘ Header should always correspond directly to the server indicated in the previous ‘Received‘ Header!
Find the IP Address for an Email in GMail, Yahoo Mail, and Outlook
Let’s go ahead and take a look at how you would find the IP address in the email header for Google, Yahoo and Outlook since those are the most popular email clients. If you’re using a different email client, just Google how to view email header info. Then come back and read the rest of this article.
- Log into your Gmail account and open the email in question.
- Click on the down arrow that’s to the right of the Reply arrow. Choose Show Original from the list.
Now here is the technical part! You need to look for the lines of text that start with “Received: from“. It might be easier to simply press Ctrl + F and perform a search for that phase. You’ll notice that there are several Received From’s in the message header. This is because the message header contains the IP addresses of all of servers involved in routing that email to you.
To find the first computer that originally sent the email, you’ll have to find the Received From that’s farthest DOWN. As you can see from the above image, the first one is from a computer with a private IP address of 192.168.1.13 and with the public IP address 184.108.40.206.
Then it was routed to our ISP’s server at lightspeed.rcsntx.sbcglobal.net, which is basically AT&T U-verse and so on and so forth till it got to your email server. The tool that I mention below to lookup an IP address gives you the organization name.
The computer 192.168.1.13 is our example home computer and the IP address assigned to our computer on our internal LAN network. There are several ranges of IP addresses that are considered private IP addresses. All you need to do is recognize it’s a private IP address and that you can’t lookup the location of a private IP address.
- Log into your Yahoo account and open the email.
- Now in the menu bar, click on Actions and then click on View Full Header.
Again, you’ll see the same information as before, just in a different pop up window:
As you can see above, the last IP address for an email we sent from our Gmail account to our Yahoo account was 220.127.116.11. When you lookup the IP address, it’s just a Google server in California. So depending on how the user sends the email (email client, desktop or mobile, WiFi or cellular), you may get a useful location or you may not.
- Open the email in Outlook by double-clicking on it.
- Go to View at the top menu (the menu options for the email, not the main Outlook window) and choose Options.
You’ll get a dialog box where you can set the message options and at the bottom you’ll see the Internet Headers box. For some silly reason, the box is very small and you have to scroll a lot, so it’s best to simply copy and paste the text into Notepad to view it more easily.