Trace E-MAIL Sender


Many people have never seen an email header, because modern email clients often hide the headers from view. However, headers are always delivered along with the message contents. Most email clients provide an option to enable display of these headers if desired.

What is an email header?
The email header is the information that travels with every email, containing details about the sender, the route and the receiver. It is like a flight ticket: it can tell you who booked it (who sent the email), the departure information (when the email was sent), the route (where it was sent from and how it reached you) and the arrival details (who the receiver is and when it was received). And just as a flight ticket can be booked under a false identity, the sender of an email can partially fake these details, pretending that the message was sent from a different account (a common practice for spammers and viruses).
How do I get the header to start the email tracing process?

Each email program varies in how you get to the message options. I've covered the basic email clients below; the rest is up to you!

Outlook – Right click the message while it’s in the inbox and choose Message Options. A window will open with the headers in the bottom of the window.
Windows Live – Right click the correspondence while it’s in the inbox, choose Properties, then click the Details tab.
Gmail – In the upper right corner of the email you’ll see the word Reply with a little down arrow to the right. Click the down arrow and choose Show Original.
Hotmail – Right click the memo and choose View Message Source.
Yahoo! – Right click the note and choose View Full Headers.
AOL – Click Action and then View Message Source.
You can see that no matter the program, the headers are usually just a right click away.

Got the header? Now, how to find the sender's IP address and trace the sender:

How to read email headers:

In the example shown above, there are four Received: stamps. Reading from the bottom upwards, you can see who handled the message first, next and last, and when each step happened. This is because every MTA (Mail Transfer Agent) that processed the message added a Received: line to its header. These Received: lines record where the message originated and which stops (which computers) it made before reaching its final destination. As the example shows, they give the address and IP address of each sender and recipient, along with the date and time of each transfer. The lines also indicate whether the email address was part of a mailing list. It is this information that mail administrators and IT staff rely on when trying to track and stop spam, and it is arguably what makes headers the most important part of an email.

To find the computer that originally sent the email, look for the Received: from line that is farthest DOWN. As you can see from the above image, by reading that Received: from tag we notice that the email was sent via corporate2.fx.ro, which is the sender's ISP domain, using the IP 193.231.208.28. The email was sent using SMTP ("with ESMTP id") from the mail server called mail.fx.ro.

Looking further into the message, you will see a tag called X-Originating-IP: this tag normally gives the real IP address of the sender. The X-Mailer tag says which email client was used to send the email (in our case, FX Webmail).
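To make the bottom-up walk concrete, here is an added Python example (it is not code from the original post) that parses a raw message, lists the Received: stamps earliest-first, pulls the sending IP out of each one, skips internal relay addresses, and reads X-Originating-IP. The message, the host names and every address except corporate2.fx.ro / 193.231.208.28 (which the post quotes) are constructed placeholders. It also adds the check a practitioner wants alongside the bottom-up rule: only the Received: line stamped by a server you trust records an address that server actually saw, so the example lets you ask for that address separately, because everything below it was written by the sending side and may be forged.

```python
import email
import ipaddress
import re

# Constructed sample (not a message from the original post): three Received: stamps added
# by successive MTAs, newest at the top, plus the X-Originating-IP and X-Mailer tags the
# post describes. Host names and addresses other than corporate2.fx.ro / 193.231.208.28
# (which the post quotes) are placeholders from the documentation ranges.
RAW_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbox.example.com with ESMTP id q1ZxA-000001;
\tMon, 01 Jan 2024 10:00:05 +0000
Received: from corporate2.fx.ro (corporate2.fx.ro [193.231.208.28])
\tby mx.example.net with ESMTP id 5ab7;
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from webmail.internal (webmail.internal [10.1.2.3])
\tby corporate2.fx.ro with ESMTP id 44ff;
\tMon, 01 Jan 2024 10:00:01 +0000
X-Originating-IP: [198.51.100.20]
X-Mailer: FX Webmail
From: alice@example.org
To: bob@example.com
Subject: test

hello
"""

IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Only RFC 1918, loopback and link-local space is treated as internal here, so the
# documentation addresses used in the sample still count as routable for the walk.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def received_hops(raw):
    """Unfolded Received: lines, earliest hop first (i.e. the bottom of the header first)."""
    msg = email.message_from_bytes(raw)
    stamps = msg.get_all("Received") or []
    return [" ".join(s.split()) for s in reversed(stamps)]


def hop_ip(received_line):
    """IPv4 address in the 'from ...' clause of one Received: line (None if absent)."""
    from_clause = received_line.split(" by ", 1)[0]
    m = IPV4_RE.search(from_clause)
    return m.group(1) if m else None


def is_routable(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def originating_ip(raw):
    """Walk from the bottom Received: line upward, skipping internal relays, and return
    the first publicly routable sending address, as the post describes."""
    for hop in received_hops(raw):
        ip = hop_ip(hop)
        if ip and is_routable(ip):
            return ip
    return None


def verified_ip(raw, trusted_mta):
    """Only the Received: line stamped *by* a server you trust records an address that
    server actually saw on the TCP connection; every line below it was supplied by the
    sending side and can be forged. Return the 'from' address on that trusted line."""
    for hop in received_hops(raw):
        parts = hop.split(" by ", 1)
        if len(parts) == 2 and parts[1].split()[0] == trusted_mta:
            return hop_ip(hop)
    return None


def x_originating_ip(raw):
    value = email.message_from_bytes(raw).get("X-Originating-IP", "")
    m = IPV4_RE.search(value)
    return m.group(1) if m else None


if __name__ == "__main__":
    for n, hop in enumerate(received_hops(RAW_MESSAGE), 1):
        print(f"hop {n}: from {hop_ip(hop)}  ({hop[:60]}...)")
    print("bottom-up origin       :", originating_ip(RAW_MESSAGE))
    print("seen by mx.example.net :", verified_ip(RAW_MESSAGE, "mx.example.net"))
    print("X-Originating-IP       :", x_originating_ip(RAW_MESSAGE))
```

Run it as a script to see the three hops printed in delivery order. The bottom-up walk returns 193.231.208.28 because the very first stamp carries a private 10.x address (the webmail host behind the ISP's relay), which is why the post's rule of "farthest down" needs the internal-address skip in practice.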
Tracking the location of an IP address:

Now that we have our originating IP address, let's find out where it is! You can do this by performing a location lookup on the IP address. My favorites are IP2Location and GeoBytes IP Locator.

GeoBytes gave me a big map of New Orleans, LA along with a bunch of other information about the location itself.

IP2Location also gave me the same information pretty much, including the ISP (Cox Communications). Of course, this is correct since I live in New Orleans!

If you want more information, you can also do a WHOIS database search. One option is the ARIN WHOIS Database Search. This will tell you who is responsible for that IP address block and give you their registration information. You can always contact them to try to find out more about that particular IP address.
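Here is an added Python example (not code from the original post) of what the WHOIS step looks like when done by hand: a minimal RFC 3912 client that talks to a WHOIS server on TCP port 43, a parser for the plain-text "Key: value" answer, and a sanity check that the netblock in the record really covers the address you asked about. The live query is only run when you call it yourself; the sample answer embedded below is a constructed ARIN-style record whose organization, handle and contact values are placeholders, and whois.arin.net is assumed as the server.

```python
import ipaddress
import socket

# Constructed ARIN-style WHOIS answer for illustration only (field names follow the ARIN
# plain-text format; the organization, handle and contact values are placeholders).
SAMPLE_WHOIS = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET-PLACEHOLDER
Organization:   Example Hosting Inc. (EXAMPLE-PLACEHOLDER)
OrgAbuseEmail:  abuse@example.net
RegDate:        2001-01-01
"""


def whois_lookup(ip, server="whois.arin.net", timeout=10):
    """RFC 3912 WHOIS: open TCP port 43, send the query terminated by CRLF, read until
    the server closes the connection. Needs network access; the sample below does not."""
    chunks = []
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{ip}\r\n".encode("ascii"))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'Key:   value' lines into a dict, keeping the first occurrence of each key
    and ignoring the '#' comment banner and blank lines."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip(), value.strip())
    return fields


def block_covers(fields, ip):
    """Sanity check: the record's CIDR (ARIN may list several, comma separated) must
    actually contain the address you asked about; otherwise you are looking at a
    referral or a parent allocation rather than this host's own block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in fields.get("CIDR", "").split(",") if c.strip())


def abuse_contact(fields):
    """The address the post suggests contacting when you want more on an IP."""
    return fields.get("OrgAbuseEmail")


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(rec["Organization"], rec["CIDR"], abuse_contact(rec))
    print("covers 203.0.113.7:", block_covers(rec, "203.0.113.7"))
    # Live query (uncomment when online):
    # print(parse_whois(whois_lookup("203.0.113.7")))
```

The parser keeps the first value for each key on purpose: ARIN answers can repeat a field (several contacts, or a parent and child allocation), and the first block returned is the one that describes the queried range.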
