How can I trace where email came from?

A good rule of thumb is to begin at the bottom and work your way up in the headers to determine where an email is from.


I frequently get questions that boil down to “How can I trace where this email came from?” or “Can I determine the IP address of the sender of an email?”

The answer is both yes and maybe, and it may not do you any good. However, there is a lot of interesting information in your email that you normally don’t see, and the trail of mail servers is part of that.

So let’s interpret some email headers.

First, there’s the challenge of even getting to the real email headers. In Hotmail they’re apparently always visible. In Outlook, they’re hidden by default, so with the message open, click on View, and then Options, and you’ll see a box labeled Internet Headers. In Thunderbird, you can expand or collapse the headers by clicking on a simple control next to the subject line.

In any case, headers typically look something like this:

Return-Path: <lnotenboom@hotmail.com>
Delivered-To: 1-leo-clean_nospam@pugetsoundsoftware.com
Received: (qmail 13384 invoked by uid 110); 13 May 2005 21:33:53 -0000
Delivered-To: 1-leo_nospam@pugetsoundsoftware.com
Received: (qmail 13380 invoked from network); 13 May 2005 21:33:53 -0000
Received: from bay107-f18.bay107.hotmail.com (HELO hotmail.com) (64.4.51.28)
    by pugetsoundsoftware.com with SMTP; 13 May 2005 21:33:53 -0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Fri, 13 May 2005 14:33:53 -0700
Message-ID: <BAY107-F18247D6C6473F92CC602D8D2120@phx.gbl>
Received: from 64.4.51.220 by by107fd.bay107.hotmail.msn.com with HTTP;
    Fri, 13 May 2005 21:33:52 GMT
X-Originating-IP: [64.4.51.220]
X-Originating-Email: [lnotenboom@hotmail.com]
X-Sender: lnotenboom@hotmail.com
From: "Leo Notenboom" <lnotenboom@hotmail.com>
To: leo_nospam@pugetsoundsoftware.com
Bcc:
Subject: Example Email
Date: Fri, 13 May 2005 14:33:52 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 13 May 2005 21:33:53.0097 (UTC) FILETIME=[75980390:01C55803]

 

Now yours may look a lot different. It may be longer or shorter, or have additional information, or less. But the basic idea is that there’s a lot of information in the headers that has to do with the administration of getting the email from the sender to the receiver.

A detailed reference is more than I can present here, and quite honestly, probably more than you need. But let’s examine the headers above a little more closely, since it’s a good example of a “normal” email message. They are from a message I sent to my regular email account from my Hotmail account.

A good rule of thumb is to begin at the bottom and work your way up in the headers. That’ll make more sense in just a minute. Working from the bottom:

  • X-OriginalArrivalTime: is the time the message was submitted to Hotmail … in other words, the time I pressed “Send”. Headers that begin with “X-” are “non standard”, and may not be used by all mailers. They’re often just informational. Note also the date and time: 13 May 2005 21:33:53.0097 (UTC). The “(UTC)” means that the time is recorded as “Universal Time Coordinated”, sometimes thought of as Greenwich Mean Time or GMT. Since I’m in the Pacific time zone, and daylight savings time is in effect, that means I sent it at roughly 2:33 PM PDT.
  • Content-Type: is how the mailers tell each other what the format of the mail is: plain text, as this example is, or HTML, or something else.
  • Mime-Version: “Mime” stands for Multipurpose Internet Mail Extensions, and is the formatting protocol most often used to encode attachments and alternate representations in a single email.
  • Date: This is the more common place you’ll find the date and time that the message was sent. This is added by the sending mailer, and is commonly used by your email client as the “Sent Date”. Note that the time zone is specified as local time (2:33 PM) and an offset (-7 hours) from UTC. PDT is 7 hours behind UTC as I write this. Subtract the offset (and remember that subtracting a negative offset means to add it), and you’ll get the equivalent 21:33 UTC.
  • Subject: As you’d expect, the subject of the email as you typed it.
  • Bcc: To be honest, I’m not sure why Hotmail includes this here, as they strip out any BCC’d recipients. BCC is supposed to be stripped from email completely before it is sent.
  • To: Again, as you’d expect, the list of recipient email addresses that this message is addressed to. What most people don’t realize is that the To: line doesn’t define who the email actually goes to, but rather simply lists who the mailer claims it’s to go to. A virus, for example, can easily create a mail message that has bogus addresses in the To: line, and then send the mail to someone else entirely. That’s known as “spoofing”.
  • From: Just like To:, the “From:” address shows you from whom the mail was supposedly sent. And also like “To:”, it’s very easy for the spammers and virus writers to spoof the From: address to be pretty much anything they want.
  • X-Sender: is another representation of the address the email originated from, but like all “X-” headers, is optional and not universally used or recognized. “X-Sender”, and the similar “Sender:” are supposed to indicate the sender of the email, which might be an intermediary. For example, if you send mail to a mailing list, the mail might be “From:” you, but the mailing list software might be the “Sender:” to everyone else who receives it.
  • X-Originating-Email: another representation of the sender of the email. Some mailers add this as a precaution against those who spoof the “From:” line.
  • X-Originating-IP: The IP address of the computer on which the email originated. Once again, an optional and informational “X-” header. In this case, the IP address is one of Hotmail’s servers.
  • Received: Herein lies the gold. I’ll get into more detail on that below.
  • Delivered-To: is added by the receiving mail server when it finally delivers the email to a specific email alias or mailbox. In my case, I have my mailer configured to deliver my mail to two separate mailboxes: one with, and one without, spam filtering.
  • Return-Path: is the address that the email, if it fails to be delivered, should be bounced back to.

The series of “Received” headers are the trail that tells us from where the message was sent, and along what path or series of servers it traveled across the internet. And this is why we started at the bottom, as each mail server adds a received header to the top.

In the first one we can see that a Hotmail server “by107fd.bay107.hotmail.msn.com” got the message from the server at “64.4.51.220”. In this case it lists an IP address only, since there is apparently no name associated with the server at that address. Since this is Hotmail, and I’m certain that Hotmail has many, many servers, it’s not surprising that they might not give all of them a name on the internet.

Further up the header we can see that it left “bay107-f18.bay107.hotmail.com” and was then received by “pugetsoundsoftware.com”, my mail server. Note that this line also includes a couple of interesting bits of information:

  • (HELO hotmail.com) – this is part of the SMTP mail protocol where the server identifies itself while connecting. Basically, it’s saying “Hello, I’m Hotmail.com” when it initiates the transfer of mail to the next server to receive it. The receiving server logs this information as part of the “Received” header it adds.
  • (64.4.51.28) – this is the IP address of the server making the connection.

As part of spam prevention and server authentication, a mail server may elect to ensure that all three of these pieces of information match: the IP address reported matches the server name reported, which in turn should match the end of the HELO string. In practice, the internet is a little too fast and loose for that to be a reliable gauge of authenticity … too many legitimate servers are not configured to report the right information for that check to always be valid.

Another interesting use of the Received headers is to determine where a delay may have occurred in transferring the mail. Since each is time-stamped, it’s quickly apparent where a message may have been held up.

Now let’s look at the headers of some SPAM I recently received:

Return-Path: <fake@fakecompany.com>
Delivered-To: 1-leo-clean_nospam@pugetsoundsoftware.com
Received: (qmail 19652 invoked by uid 110); 14 May 2005 20:03:05 -0000
Delivered-To: 1-leo_nospam@pugetsoundsoftware.com
Received: (qmail 19649 invoked from network); 14 May 2005 20:03:05 -0000
Received: from fake.pittpa.adelphia.net (**.**.198.208)
    by pugetsoundsoftware.com with SMTP; 14 May 2005 20:03:05 -0000
Received: from desk.fakecompany.com
    by qdam.eiynwr.com with SMTP; Sat, 14 May 2005 13:03:09 -0800
Message-ID: <BKELLDAGKABIOCHDFD567DGAA.fake@fake.it>
From: "Fake Name" <fake@fakecompany.com>
To: leo_nospam@pugetsoundsoftware.com
Subject: Fast solution to your problems in a bed!
Date: Sat, 14 May 2005 13:03:09 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--DELPHI7551932757739836KN"

 

[Note: everything that says "fake" is something I changed to anonymize this example. Someone's real email address and real company domains were used in the original.]

There are several interesting things about these headers:

  • The “Message-ID:” references an account at a domain in Italy.
  • The first “Received:” header references “desk.fakemailer.com” – fakemailer appears to be a legitimate business involved in bulk email technologies based in New York state.
  • That header also references “qdam.eiynwr.com” – a domain that doesn’t appear to exist.
  • The next header appears to receive the message from “fake.pittpa.adelphia.net”, which from the name would indicate a Pittsburgh, PA node of adelphia.net.
  • The “From:” line indicates yet a third party, fakecompany.com. On the surface this company, in New York City, appears to be unrelated to any aspect of the message, though I could be wrong.

The kicker is that the links for the products being sold by this email all go to a domain registered in Bulgaria.

So what to make of it all? It is possible that the originating computer, desk.fakemailer.com, is, in fact, sending out spam on purpose. It’s also possible that this machine has been infected with a virus, and is sending out spam without realizing it. And yet another scenario is that the machine is not involved at all, and that spammers in Bulgaria have spoofed the headers of the originating machine (using the company’s role in the bulk email business to confuse and obfuscate the issue).

And therein lies the problem with SPAM and why there’s no simple solution. Email headers cannot be trusted, and not all email can be traced or authenticated. Legitimate mail typically can be traced, but for SPAM and virus-generated email it’s difficult to say that the headers are absolutely trustworthy.

But it’s interesting information, nonetheless.
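
The bottom-up reading described above, run over the article's two samples, as an added example that is not part of the original article: it walks the Received: trail oldest first, measures the delay between hops, checks the HELO string against the reported name, and separates the one hop the recipient's own server witnessed from the ones it was merely told about. The function names, the 60-second skew tolerance and the `my_server` parameter are assumptions made for this sketch.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received: lines copied from the article's two sample messages.
LEGIT = """\
Received: (qmail 13384 invoked by uid 110); 13 May 2005 21:33:53 -0000
Received: (qmail 13380 invoked from network); 13 May 2005 21:33:53 -0000
Received: from bay107-f18.bay107.hotmail.com (HELO hotmail.com) (64.4.51.28)
 by pugetsoundsoftware.com with SMTP; 13 May 2005 21:33:53 -0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
 Fri, 13 May 2005 14:33:53 -0700
Received: from 64.4.51.220 by by107fd.bay107.hotmail.msn.com with HTTP;
 Fri, 13 May 2005 21:33:52 GMT
"""
SPAM = """\
Received: (qmail 19652 invoked by uid 110); 14 May 2005 20:03:05 -0000
Received: (qmail 19649 invoked from network); 14 May 2005 20:03:05 -0000
Received: from fake.pittpa.adelphia.net (**.**.198.208)
 by pugetsoundsoftware.com with SMTP; 14 May 2005 20:03:05 -0000
Received: from desk.fakecompany.com
 by qdam.eiynwr.com with SMTP; Sat, 14 May 2005 13:03:09 -0800
"""

HOP = re.compile(r"^from (?P<src>.+?) by (?P<by>\S+)")
HELO = re.compile(r"\(HELO ([^)]+)\)")
IP = re.compile(r"\(([\d*]+(?:\.[\d*]+){3})\)")  # '*' allowed: the article masks octets


def parse_hops(raw):
    """Return the Received: hops oldest first (bottom of the headers first)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())            # unfold continuation lines
        info, _, stamp = value.rpartition(";")     # timestamp follows the last ';'
        when = parsedate_to_datetime(stamp.strip())
        if when.tzinfo is None:                    # "-0000" parses as naive; treat as UTC
            when = when.replace(tzinfo=timezone.utc)
        hop = {"src": None, "helo": None, "ip": None, "by": None, "when": when}
        m = HOP.match(info)
        if m:                                      # qmail's local lines have no from/by
            src = m.group("src")
            helo, ip = HELO.search(src), IP.search(src)
            hop.update(src=src.split(" (")[0], by=m.group("by"),
                       helo=helo.group(1) if helo else None,
                       ip=ip.group(1) if ip else None)
        hops.append(hop)
    return hops[::-1]


def review(raw, my_server, skew=60):
    """Apply the article's checks to one message's headers."""
    hops = parse_hops(raw)
    delays = [(b["when"] - a["when"]).total_seconds()
              for a, b in zip(hops, hops[1:])]
    findings = []
    for hop, delay in zip(hops, delays):
        if delay < -skew:                          # next hop is stamped earlier
            findings.append(f"clock runs backwards {-delay:.0f}s after "
                            f"{hop['src']} -> {hop['by']}")
    for hop in hops:
        helo, src = hop["helo"], hop["src"]
        if helo and src != helo and not src.endswith("." + helo):
            findings.append(f"HELO {helo} does not match {src}")
    # The newest from/by line written by our own server is the only hop we
    # witnessed; every older line is whatever the connecting side supplied.
    edge = next((h for h in reversed(hops) if h["by"] == my_server), None)
    older = hops[:hops.index(edge)] if edge else hops
    return {
        "observed": (edge["src"], edge["ip"]) if edge else None,
        "unverified": [f"{h['src']} -> {h['by']}" for h in older if h["by"]],
        "delays": delays,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spam", SPAM)):
        print(name, review(raw, "pugetsoundsoftware.com"))
```

On the spam sample the bottom Received: line is stamped about an hour later than the hop that supposedly followed it, which is the kind of inconsistency a forged or misconfigured hop leaves behind; the Hotmail sample produces no findings.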

There are 137 comments:

  1. James Hill Reply

    Hi Leo,

    First, I want to thank you for putting very informative information on the web.

    I have a question about tracing the origin of an email. I think someone has been emailing me from a yahoo.com address but, when he is online at work not his home personal computer. Can I still trace this information? Would I need to get help from the company to find this out or can I determine this on my own? Also, what specifically will I have to look for in order to figure this out? Thanks for the help!

    Best Wishes,

    James Hill

  2. Leo Reply

    The example of hotmail I sent to myself above is a good example. The information of explicitly where I’m located (i.e. the IP address of my machine) was never part of it. I believe you would need to get yahoo or hotmail involved to find out more. They’ll probably need things like a court order, if they even CAN get the info.

  3. Miriam Reply

    I have received an email from someone who logged into my email address and posted a message. I would like to know if you can trace where they are emailing from.

  4. Bonnie Reply

    I guess I’m not computer literate enough to decipher all that. What I want to know is simple…if my boyfriend says he’s in London and I get a yahoo message that shows a time with PDT after it, does that mean he is actually emailing me from somewhere else?

  5. Leo Reply

    If you mean Email message, it’s likely it only means that the computer used was set to the Pacific Timezone. The computer could be anywhere.

  6. Brandon P. Reply

    hi, i was wondering, if someone can know my name or personal information i keep in my email, because i have some things in my credit balance that i don’t even know who made. Is it hacking? my cousin told me that these guys can get into my pc if i don’t have a Firewall, so he recommended the norton antivirus, but i don’t know if it right.
    Thank You and waiting for your answer.
    Brandon P.

  7. John Reply

    I can trace some from hotmail but others I can’t and yahoo I can’t. Is there a program or website to pinpoint their street address no matter how they sent the email like in the movies. This email came from 211 sesame st. at 12:00 pm sat. June 9th??? if so please help!

  8. Leo Reply

    In most movies you’ll note that it’s the police doing it. That’s what it takes … the help of the ISP, usually at the request (or demand) of law-enforcement.

  9. Robin Reply

    Someone is sending email to a person I know. Using an email address I no longer have. I have a new account, screen name and password. Is there any way that this person can find out where the email came from? I have checked and it did not come from my computer. It appears that someone wants this person to think it did. Any info would be helpful
    THANK YOU
    PS
    I believe this person is also AOL

  10. Leo Reply

    Only using the techniques in the article you just commented on. To get more detailed, you’ll need the originating ISP’s help.

  11. Randy Reply

    My friend (really) is going through a break up. She has been checking her ex-boyfriend’s e-mail account to see if he’s been home and deleting a couple of e-mails that were sent by his current girlfriend.

    I told her this was an invasion of privacy and that her logging on to her ex’s e-mail account can be traced to her.

    She continues to check/delete his e-mail. If her ex suspects something, is there a way that my friend can be traced as the culprit?

    Please reply ASAP because my friend is obsessed with doing this. If her actions can be traced, I’m sure that she will stop (hopefully).

  12. Leo Reply

    It may be traceable, but if it is, it’s very VERY hard, and would require HotMail’s cooperation, which seems to me likely to happen only as the result of a police investigation or court order.

  13. Alice Reply

    hello, happy morning to you ….

    As we know we are able to trace the email for who is sending by checking the full headers, and finally we will get the information about which ISP the email is sent through, but we don’t know who actually the sender is except we require or report mail abuse to the ISP and get the details such as residential address, phone number of the sender from them.

    Refer to the above matter, is there any way or software to enable us to get full details of the sender (I mean the phone number or residential address … etc.) of the sender without requiring the ISP or reporting to the ISP? Or is there any software that we could trace the sender information in details by ourselves?

    Beside that, i am not a hacker but i really interested in the relevant knowledge about that, how can i get knowledge about that ?

    thank you and looking for your reply as soon as possible …

  14. Janis Reply

    Curious…I found information on how to spy basically on someone if you have their Email address …It said to go to Google’s Advanced Search and in the “author” box type in the email address and press search…you will find everything that person has written to public usenet groups and anything that person has said in certain chat rooms….Can’t find the Author box on Google in advanced.

    Can this be true….can you do tracking or spying if you have someone’s Email address?

    More curious than wanting to spy…just can’t believe it can be that easy for some to do it or to have it done to me…

    Your help is appreciated

  15. Leo Reply

    Yes and no.

    When you use Google, all you will find is any time that person’s email address shows up on the web. That could be because of mailing lists that are archived on-line, usenet postings or what have you.

    But it will NOT find email, and it will not track email.

    It just finds what’s on the web.

  16. Patty Reply

    Dear Leo, I recently received some emails from an anonymous person accusing my husband of having an affair and claiming to have details. I would really like to know who is sending these. They are using a yahoo email address. Is there any way I can trace the origin of these emails?

    Thank you :)

  17. Leo Reply

    You can get part way by using the information in the article you just commented on. After that, you’ll need Yahoo’s help – IF they’re willing to give it. (Typically they are not.)

  18. Merrie Price Reply

    question. I have been typing with a man that said that he is from california but has traveled to the UK. But when he sends his e-mail through Yahoo the time stamp on it shows (PDT) does that mean that he is in the PDT time zone when he sent it and not actually traveling in the UK? Please this information will tell me if this man is not being honest with me. He wants to meet me and I need to find out if this is a scam. Thank you so much.

  19. Merrie Price Reply

    correction. I went back to look again. Each time that he has sent an email to me and I to him it is stamped -0700. I wanted to know is it possible to find out what time it is where he is sending the email from. The time stamps all say -0700 and he originally was supposed to be sending them to me and I am two hours earlier than I. But now he should be 6 hours ahead of me. This would not be an issue if I was not concerned that this person is not whom he said he is, or where he is. Thank you

  20. Leo Reply

    -700 is Pacific time right now. But it’s quite possible to set your computer to whatever time zone you like, so that doesn’t really provide any proof.

  21. kristen Reply

    Leo, I might come across like a broken record, I’ve been getting disturbing messages left on a web page of mine. Now all I have is an IP address. Can it be tracked to more than just finding out city/state/isp? If so can you tell me how PLEASE… Thank You!!!

  22. Jaggy Reply

    is it possible to find out where an email is read from?
    just as we are able to get a confirmation message when the recipient reads our mail sent to them, is it possible to find out the IP address from where that mail is being accessed by the person?

  23. Leo Reply

    No, not that I’m aware of. And for the record, read-receipts – the confirmation you speak of – is 90% ineffective as well. Most people disable them.

  24. Amy Reply

    I am researching/tracing emails I am receiving from a hotmail account. In the bottom most “received” I get an IP that matches with the IP listed in the “X-Originating IP”

    My question stems from another email from this hotmail account. Again, the IP in the bottom most “received” matches the “X-Originating IP” however there is a SECOND “X-Originating IP” listed after the first which gives me a completely different IP.

    What is this second mysterious “X-Originating-IP”???

  25. Leo Reply

    It could be many things. In fact either of them could be the IP address of the computer that originated, or forwarded the message – or they could be random crap inserted to make the mail “look” legitimate, or to obfuscate the real sender.

  26. Teri Reply

    Someone broke into my sister-in-law’s hotmail email account and is now sending very discriminating emails to her relatives and friends using her email address. Is there a way to find out the physical address that the person who has stolen the account is sending them from? They are saying that she is using drugs, abusing her kids, etc. and I am trying to contact her but the only way is through her email account. Please advise. thank you – Teri

  27. mjanish Reply

    i want to know the person who is sending me some bugs mail

    How can i find his location city & whole information for future cure

  28. Leo Reply

    You cannot get that level of detail. Please read the article you just commented on.

  29. Rich Reply

    I am getting emails with parts of them being just a bunch of scrambled words and the rest of the email is about something being a good deal to buy stock in, “i think”. Sometimes there is a name with it, but when I reply my mail cannot be delivered. What is it?

  30. Siya Reply

    Hi Leo,

    Someone is sending me threatening emails from the same IP but different email addresses. Is there a possibility that it’s being sent by a single user using different accounts?

  31. Leo Reply

    Sure. It’s also possible that it’s being sent by different people behind the same router or organizational firewall, or using the same anonymizer service.

    Could be many things.

  32. Siya Reply

    Thanks for your reply Leo, But every time I check the header it’s always showing the same IP address but different email a/cs. and when I tried to find out the exact location from that IP, I got an organisation’s address. Now in organisations an IP is assigned to a single user only. Can I know exactly who is sending those emails?

  33. Leo Reply

    There’s no way to know. You’ll have to contact the organization.

  34. Stephen Reply

    Hi Leo,
    I used to have an email address that I used frequently, but for about a month I don

  35. Timmy Reply

    Hi,

    I need to know how i can see who was Bcc on an email I received…any ideas?

  36. Mary Reply

    i tried following the tutorial but it got too technical for me. there are many services that would trace the email for you -i’ve found infopursuit.com, sendertracer.com, and abika.com. i had to pay, but they did the job.

  37. Paige Reply

    A coworker from Canada has a privately owned laptop and uses a Canadian Cable ISP. She claims to travel to the US quite often, conveniently when we are required to work weekends. She sent me a hotmail email and the IP address in the header belonged to her Canada based Cable ISP. Does having an IP belonging to a Canadian ISP in the header prove she was definitely in Canada, and not the US, when the email was sent? Or is it possible her laptop would have her Canada IP stored and she wouldn’t get a new IP when she connected to the internet in the US?

  38. Leo A. Notenboom Reply

    “Prove” is a word I won’t use, but it would seem to indicate that she was connected to her Canadian ISP. Now the thing is, it could have been over a dial-up connection to her ISP from anywhere, including the US.

  39. Jasmeet Reply

    In Lori Hanken’s case the email received from ip address 67.50.14.110 is from Hastings, Minnesota

  40. jasmeet Reply

    rj, you’ll have to enable the full/all/advance headers from the mail options of ur email, only then u’ll be able to see the full header information. like for instance, for a hotmail a/c go to the options page, and select ‘mail display settings’, in the message headers section select the full or advanced radio button. And then u may be able to trace where the emails are coming from using a paid software or sites like http://dnsstuff.com

  41. Manish Reply

    Pl trace location of email sender (location of pc which was used for sending mail not the IP address). I’m giving details of mail’s header information below:

    [apparently someone else's information removed -Leo]

  42. Leo Notenboom Reply

    I cannot trace an IP address to a specific location or machine. You need to contact the ISP in question.

  43. Zoe Reply

    I found your information VERY useful. Thank you so much Leo for making this available.

    I do have one question though – How do I trace the city location where someone sent a message via blackberry? If someone is on roaming service then how do I figure the city in which the mail was sent from?

    THANKS

  44. Leo Notenboom Reply

    I doubt that you can. It all depends on how your carrier assigns/uses IP addresses, and there’s no requirement that it be city based. In any case, you’d have to try and figure it out with them.

  45. Gary Reply

    Hi

    I have a question regarding BCC from a hotmail account. If BCC line is included in the header is it correct to say that the person who sent that email BCC’d someone else in on the email they sent me?

    Thanks

  46. Leo Notenboom Reply

    If the BCC line is present, but empty, it tells you nothing. You can make NO assumptions one way or another. There could have been BCC’ed recipients, or not.

    If the BCC line is present, and has email addresses in it, that’s a BUG in the sender’s mailer – it should not be there. You can probably infer that the email addresses listed were BCC’ed, but CANNOT assume anything else. There could have been more BCC’ed. Or not.

    If the BCC line is NOT present, you can assume nothing. There could have been BCC’ed recipients, or not.

  47. James O'Reilly Reply

    Hi,

    Thank you for your help on this. My girlfriend is currently being harassed and is being threatened from a fake Yahoo address. We have been to the police as there are many threats and things are getting very personal.

    I have an e-mail address, jenniegarthuk@yahoo.co.uk, what’s the best way in finding out the IP address to give to the police as they are being most unhelpful.

    Thanks for your advice so far, it is much appreciated.

    Regards

    James

  48. Linda Butler Reply

    I need to know where an email I received came from. The ip information is as follows:[66.196.101.11]. The information in the received line is as follows: from 66.196.101.11 (HELO web59015.mail.re1.yahoo.com) (66.196.101.11) by mta173.mail.re3.yahoo.com with SMTP; Fri, 15 Dec 2006 12:46:40 -0800

    Thanks for your help…I don’t know how to read what it means. Thanks.

  49. Leo Notenboom Reply

    Someone sent it using Yahoo’s web mail interface. That’s all you can tell from that.

  50. Kevin Reply

    Dear Sir,
    I need to find out who sent an email to me. They sent it to me before my wedding, telling me not to do it. They sent it via hotmail under a fake account and removed the account after sending the email. I still have the whole email and I am having trouble figuring out where it originated. Please help.

  51. Bob Reply

    Hi
    Did you know there are private investigators that specialize in tracing emails? I was able to find out who my exwife was cheating with by visiting a website called emailrevealer.com.
    I just gave them her screen name and they found a secret personals ad she had. Then I was able to find her boyfriend’s email on her myspace page.
    The detective found her ad, the myspace account then located the guy she was cheating with.

  52. Mary Reply

    I received mails with the same mail address, always yahoo, in the return-path, From, and Reply-to, but it doesn’t exist. I checked the IP 200.69.231.41 but only said iplannetworks.net. How can I identify the real sender? Thanks.

  53. Leo A. Notenboom Reply

    You can’t. You’ve gotten as much information as someone can without involving
    law enforcement.

    Leo

  54. Melissa Reply

    I have two different emails, from two different accounts of whom I believe to be the same person.
    Is there a way to determine if they are indeed the same person harassing me?

    [email headers including someone else's email address removed.]

  55. Leo A. Notenboom Reply

    No. Not without contacting the ISPs used to send each mail, and even then
    you’ll probably need a court order in order to get them to listen to you.

    Leo

  56. Diane Reply

    How can I find out who sent me this message as I need to know if it’s legal or not. I need to contact the person who sent the mail – can you help..

    Return-path:
    Envelope-to: dianelouw@iburst.co.za
    Delivery-date: Thu, 12 Jul 2007 10:11:16 +0200
    Received: from veronique.gransy.com ([87.236.199.200])
    by mail-01.jhb.wbs.co.za with esmtp (Exim 4.63)
    (envelope-from )
    id 1I8tlV-0002XU-3q
    for dianelouw@iburst.co.za; Thu, 12 Jul 2007 10:11:15 +0200
    Received: by veronique.gransy.com (Postfix, from userid 33)
    id 0FB72C51F; Thu, 12 Jul 2007 10:10:06 +0200 (CEST)

  57. Gregg Parratto Reply

    I am trying to trace the original message sender below the AOL source. Here is the original info: How can I trace the gmail IP?

    Received: by 10.143.163.4 with HTTP; Thu, 2 Aug 2007 08:55:34 -0700 (PDT)
    Message-ID:
    Date: Thu, 2 Aug 2007 11:55:34 -0400
    From: “Tim Duffy”
    To: “Gregg Parratto”
    Subject: Fwd: [Hamilton] Fwd: Talk is cheap, campaign promises cheaper. — Please forward to all share holders
    In-Reply-To:
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=”—-=_Part_65885_13716383.1186070134038″
    References:

  58. Leo A. Notenboom Reply

    You cannot.

    Leo

  59. Leo A. Notenboom Reply

    No.

    Leo

  60. ERIK Reply

    Hi. have managed to find an ip address from an email i’m curious about. have determined the geo location and did a reverse dns (?) lookup, so i think i have the host server (?) can you track something further? i.e. right back to the physical location of the computer? (sorry, may seem like an idiotic question but i’m a relative newbie.) am extremely interested though and advice on any good reading material would also be appreciated. thanks irrespective.

  61. james Reply

    how can i see the full headers in a hotmail new live account? i tried view source on e-mail but this is not giving the full header like i used to be able to see on my old hotmail account, can you help me please?

  62. gerry newby Reply

    the article was interesting, but didn’t address the question, how to find who is sending scams spams and oopsy daisies!

    So, we can’t track down and drop a dime on ‘em then how do i set up my computer/email to reject automatically, emails i don’t want? without said emails ever getting to my inbox, or better still automatically send ‘em back!!!

  63. Leo A. Notenboom Reply

    You got it from Hotmail. The sender could be anywhere on the planet, there’s no
    way to know.

    Thanks,

    Leo

  64. Bill Reply

    Can someone (that I sent an e-mail to) hijack my IP address and send e-mails to make it “appear” that it came from my computer location?

    thanks

  65. Leo A. Notenboom Reply

    IP addresses cannot be hijacked.

    Email headers can be forged, however, to make it look like it came from your
    email address. They can try to make it look like it came from your IP address,
    but that kind of spoofing is detectible.

    Leo

  66. barbara davis Reply

    I am receiving spammed email from another company but the email address in the To box is not mine. How do I get these when it’s not my email?

  67. Leo A. Notenboom Reply

    You were probably BCC’ed.

    Leo

  68. Sg Reply

    How do you determine if an e-mail that you receive has been BCC’d to another person?

  69. Leo A. Notenboom Reply

    You cannot tell by looking at an email you’ve received
    whether or not it was BCCed to anyone else.

    Leo

  70. mary Reply

    I need to know in plain English if there is a way I can tell where (physical address or at least city) of an email.

  71. Leo Reply

    Mary: in plain English: no.

    Leo

  72. RobMarson Reply

    I trace spam emails to their ISPs by using these free tools: IPNetInfo and a program called Abuse. Abuse is a free application that scans the headers of emails and comes up with the ISP the mail was sent from. It then sends in a preconfigured complaint letter to the Abuse Dept. of that provider. I have gotten over 2000 IP addresses disconnected so far in my 2 year fight against these scumbags. So long as they continue to spam me I’ll gladly make the ISP aware of it. Here is the link for the ABUSE program: http://spam-abuse.sourceforge.net/about_us.php. IPNetInfo is easy to find. Google it. Get a spam filter as well. I use MailWasher Pro. Hope that helps.

  73. Rob Marson Reply

    Oops…I forgot this part. If I feel that ABUSE isn’t showing ALL the info, I then use IPNetInfo to scan the IP addresses and weblinks in the headers. Not only does it find the info I need but it also confirms what ABUSE found.

  74. Vicky Reply

    This was all too complicated. I put reverse email trace in Google and came back with a company called emailrevealer.com. They took care of my email trace.

  75. Dan Reply

    I was wondering, I have the emailer’s IP address and I want to trace it back further than the city. Can I trace it to the exact place somehow? Thanks

  76. Leo Reply

    NO. Not unless you’re the police with a court order.

    Leo

  77. Sriram Reply

    I have a question. Please help me out. If the sender just logs into his system and reads the mail which he received, and if he doesn’t do any other transactions except reading his mails, can he be traced?

    Maybe, but likely only by law enforcement / the police.
    -Leo

  78. sara Reply

    Hello, I have had my mail address forged as the send and return path by a 419 scammer. I have reported them to Hotmail and Yahoo – they keep changing their address at the end of the letter. This means that I am flooded with non-delivery messages and have been accused of spamming. Yahoo claim that they cannot do anything but Hotmail have blocked them each time. Is there anything I can do? I am sure there is a lot of info in the return messages. I tracked an IP to the USA – I am in France. Help!!!!

    This happens all the time, and there’s almost nothing you can do. This article has more: Someone’s sending from my email address! How do I stop them?!

    -Leo

  79. Mickey Reply

    A friend of mine says she is in Singapore and she has been emailing me with her .msn account. Is there any way to tell from the message header if she is truly in Singapore? The X-Originating-IP is 99.8.186.64 which is SBC internet service in San Francisco. Does this mean she is really in San Francisco? Thanks, Mickey

    There’s no way to know for certain. She could be using an ISP that routes through S.F., or something else could be at play.

    - Leo
    17-Dec-2008

  80. Jim Downs Reply

    To try this out, I traced the first “received” IP address to a Verizon account in the city where I know my friend lives. So far so good. But when the e-mail was sent to me, my friend was actually traveling and I thought had used his laptop through the internet service at the house where he was staying. Why would his original home IP address still show? Doesn’t it show the IP address of the place where he connected, or does it always show the “base” address where the person signed up for his account?

    It could be either, there’s no way to really know. That’s why IP tracing is so unreliable without help from the ISP (which they’ll only give with a court order).

    - Leo
    04-Apr-2009

  81. Dave Reply

    I actually just tested out this service to see exactly how accurate these “IP finders” can be. I’m not terribly impressed after a couple tries. By creating a bogus email address and sending my primary account an email or two, I used a few of the suggested services to “track” my IP address. While the service DID manage to narrow the sender location down to the Hudson Valley, NY, the suggested city of origin was about 20 miles away from my home. Every service I’ve tried has returned this same estimated location, and usually the same suggested city. However, the problem remains that these services claimed that I lived on the wrong side of the Hudson River. Bummer.

  82. Sandy Reply

    I have a sbcglobal.net account and received a yahoo.com e-mail. Is there a way of tracing the origination of this e-mail up to the actual computer used even if the computer may be from a work/school/public location

  83. Jose Reply

    Can two emails sent by the same person, the same day but different hour have the same x-originating-ip?

  84. Pao Reply

    Is it possible (without being Police) to trace an IP when receiving a Facebook message?

    No.

    - Leo
    05-Jun-2009

  85. Dawn Reply

    A former boyfriend’s new girlfriend has received a half a dozen nasty e-mails from a gmail account. They determined it was an alias and he is trying to take me to court, accusing me of sending them. I suggested they start a formal investigation with the police and they are supposedly going to subpoena gmail for their records. I didn’t do it, but is there any way someone could cut and paste an IP address or make it look like it came from my home IP address? I was at work all day, using another IP address which I will be happy to provide as well… I think I’m just paranoid that it can be traced back to me by someone very computer savvy.

  86. John Molloy Reply

    My ex-girlfriend installed a program on my computer(s) that allowed her to access my computer and every program on it. She also installed this program on the servers at my College. Every e-mail she sent had the ISP address of my computer or my school computer on her Hotmail messages so it looks like I sent the e-mails. The tech guys removed the programs but said they couldn’t tell where the terminals were accessed from. Is there anything I can do to prove it wasn’t me sending the messages except for the fact that for some of them, I was in a class of 20 and didn’t leave?

  87. Neffy Reply

    Is it possible for someone to attach a program to an email sent to me that allows them to then send msgs that appear to come from my ip addr or email?

    Of course. This is why we repeatedly say don’t open attachments you don’t expect, or aren’t completely certain of.

    Leo
    17-Nov-2009

  88. Thom Reply

    I received an email from a Hotmail account and want to trace its origin. I’ve looked and there are NO typical headers in this email. Could they have been stripped out before being sent? I can send you the entire “View Source” code if you like, but there is NO information like Return-Path in here.

  89. Jessica Reply

    I have a question similar to one already asked, I just need some clarification. I am going through a situation dealing with an ex who says he got an email through Facebook from a friend of mine (the email was not very nice, to say the least) and my friend says it did not come from him. I am just wondering if there is any way to figure out where the email came from on Facebook so I can end this.
    Thank you

  90. Ray Reply

    Similar to Jessica on 12/17, my son is getting some very disturbing messages on Facebook. How can we trace where they are from? The originators are 3 different names with very limited profiles. He has turned off his accessibility setting so he cannot be seen, but still gets them. Is there any way to get an IP address from this?

  91. marty Reply

    OK, I have a question! My wife is receiving threats via text but she is being texted from a computer. The person texting her is a Hotmail user… just says from: and then his threat followed by a link to sign up for Hotmail. I’m trying to figure out if we even know the idiot. Is there any way to track him with it being a text with no headers? The phone company said they don’t have any info on how to track this, and when received the texts said you have one text from, then when you open, just says [Name Removed] :@ grrr

    All I can suggest is that you contact the authorities.

    Leo
    27-Feb-2010

  92. John Reply

    @Mayla:

    No, it is not possible to do this, as Leo says on about 5 different pages.

    The only way to get someone’s name and location from an IP is to contact the police, who may or may not decide to help you. The police can get a court order to give to the ISP to find out where that IP is located. If you can’t get the police to help you, or get a court order some other way then there isn’t anything you can do.

    Leo’s article about it is here: http://ask-leo.com/how_do_i_find_out_whos_at_a_particular_ip_address.html

  93. Richard Reply

    Just how do you arrive at Italy, Bulgaria and New York as where the messages originated in your sample? Pittsburgh, PA is clear.

  94. only14 Reply

    Hi.
    I’ve received this email from a person that I do not know, named [name removed]. She says she’s 24 from Texas, and she got my ID through Google friendship search. Is that possible? And she wants to be friends, so she’s given me her email as well. How can I know if she’s a faker and if I should reply?

    Sounds like a scam to me. I get ‘em all the time.

    Leo
    10-Apr-2010

  95. charlie Reply

    Hi Leo.

    Is it possible to find the IP address from just a Facebook message? The profile has since been deleted, and that’s the only point of contact. There was a photo sent also? And Facebook for iPhone?

    Are there experienced hackers that would be able to find personal information from that alone?

  96. Dave Jay Reply

    Can anybody email me and tell me exactly how to trace the origin / Country etc of an incoming email.
    Any help would be greatly appreciated.
    Many Thanks
    Dave [email address removed]

  97. jen Reply

    Is an IP address always included in the email? I was trying to locate an IP address in an email and couldn’t. Also, if someone has two different email addresses, can they be traced to the same person? thanks!

    No, an IP address is not always included.

    Leo
    07-May-2010

  98. Sophia Reply

    Where to start?? The short version! My former tenants are spamming me with bogus email. I don’t want to get into a long-winded discussion about the validity of this statement. I have placed my now available rental property on Craigslist. After 2 months, I have received dozens of emails that a 12-year-old would write. I was responding to messages which put me at great fear. Sender would ask to arrange an appointment and never show up. OK, people are jerks! But some senders threaten me with harm. Is it possible for a very nasty person to monitor, block and censor emails from Craigslist? Thanks

  99. chuck Reply

    Is it possible to figure out where a Facebook email came from? The profile is there but no pic etc. I would just like to see the area from which it originated.
    Thanks

    There’s no way that I know of.

    Leo
    14-May-2010

  100. Misty Reply

    Hello, I want to post a simple question: is it possible that numerous people have the same X-Originating-IP? I mean, the ISP has a dynamic IP, but it rotates only weekly, and during the same week I received several mails from different people, all using the same X-Originating-IP – supposedly, from different places. Do you think it’s possible? I suspect it is not, so I’m thinking it’s a single person, pretending to be different ones.

  101. Barbara Parks Reply

    I am sick of getting e-mails from [email address removed]. They are in fact spamming. They hacked my e-mail, got my name and then e-mailed my sister and asked for $1200.00 from her so I could get back from Scotland.
    Needless to say, I never went to Scotland.

    Isn’t there some way to stop these spammers or whatever they are?

  102. peter Reply

    I have a friend who has been a victim of a violent assault. The people were never caught. A year later she is now receiving threatening emails. She does not live in a country that has a police force that can be trusted, nor have the resources. Is there a way to trace these emails to a computer? Each time it is a new email address. From reading the above article, the answer appears to be maybe. I have given details, in hopes of getting some online help.

    Unfortunately you need the assistance of the ISPs or email providers involved, and they will typically only do so when appropriate legal action is taken.

    Leo
    03-Jul-2010

  103. Marcus Reply

    If I had used my internet access to create a gmail account and used this gmail account to send out emails, will the people whom I sent the emails to be able to trace me down to my office, if I do not put my name at all?
    I want to send some love notes to a girl I admire, but am afraid.

    Sometimes your IP address will be included in the headers that you normally don’t see, and sometimes depending on your ISP and internet setup this might identify your place of employment. More than that typically requires a court order and police involvement.

    Leo
    13-Jul-2010

  104. waqar Reply

    Hi,

    I followed the instructions here; however, I am unable to pinpoint the exact location of the email (I mean the computer it originated from). I tried looking up the IP address and the closest I got was a nearby city. How do I find the location of the computer an email originated from? For example, I tried sending myself an email and I found out that it was sent from Montreal. My question is how do I find the house (in this case my house) where the email comes from?
    Regards

    As is stated on many places on this site (search for IP tracing), you cannot. The ability to trace an IP address to a specific location is not something you or I can do. If you have a legitimate need, law enforcement can do it with a court order.

    Leo
    07-Aug-2010

  105. Gus Reply

    If an email is received but it has passed by many computers, whether due to resending of email or virus, does the originating IP show up or does it show the last originating IP?

    Regards

    Gus

    Depends on how it was passed along. If it was passed along by mail servers in the process of delivery, then typically all the IP addresses involved are included. If it was forwarded or re-sent by a mail program of some sort, then usually only the last sender. But in all of this there are no guarantees.

    Leo
    13-Aug-2010

  106. JENNIFER Reply

    A CLIENT OF MINE RECEIVED AN EMAIL FROM SOMEONE THAT WAS SLANDERING AND DEFAMING ONE OF MY EMPLOYEES. I HAVE THE HEADER TO THE EMAIL AND WASN’T SURE HOW TO DETERMINE ANYTHING EVEN WITH READING THE ABOVE EXPLANATION. HOW DO I KNOW WHO IT CAME FROM?

  107. Prettybold Reply

    Hi,
    I tried to view message source of hotmail but the file is saved on my computer and it cannot be opened.
    Can you please help me to open that file of .aspx format?

  108. Lizzy Reply

    I’ve been getting threatening emails from a cyber harasser for a while now and have reported it to law enforcement. They asked me to pass on the header info of the mail, but I had a quick look at it and although I don’t know much about these things, it seemed like the person has hidden the real IP. Are there any ways around that?

  109. Nergal Reply

    Hi, Leo,

    Doesn’t the fact that the bottom header in the above example is more than an hour after the next one up, and that “by qdam.eiynwr.com” and “from fake.pittpa.adelphia.net” don’t match mean the bottom header is forged?

    While they are suspicious, it’s not an absolute indication of forgery. Clocks have been set wrong, and email can indeed sit on a mail server for an hour for various reasons. And servers can indeed respond as different names. The article above calls out some more reasons that this is bogus.

    Leo
    30-Oct-2010
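
The two checks raised in this exchange (a Received timestamp that runs backwards between hops, and server names that do not line up from one hop to the next) can be scripted. The following is an added example, not code from the article or from anyone in the thread; every host, address and timestamp in it is constructed, and as the reply above says, a hit is a reason to look closer, not proof of forgery.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, newest hop first, as mail servers prepend each header.
# Hosts and addresses are documentation placeholders, not real senders.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP; Fri, 13 May 2005 21:40:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5])
\tby mx.example.net with ESMTP; Fri, 13 May 2005 21:39:58 +0000
Received: from fake.example.com (unknown [192.0.2.44])
\tby other.example.com with SMTP; Fri, 13 May 2005 22:55:10 +0000
From: someone@example.com
Subject: constructed test message

body
"""

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+([^\s;]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_time(stamp):
    """Parse the date after the last ';'; return None if it is unusable."""
    try:
        when = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        return None
    # A "-0000" zone parses as a naive datetime; treat it as UTC so that
    # it can be compared with the other hops.
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def parse_hops(raw):
    """Return one dict per Received header, oldest first (bottom-up)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        names = HOP_RE.search(text)
        ip = IP_RE.search(text)
        hops.append({
            "from": names.group(1).lower() if names else None,
            "by": names.group(2).lower() if names else None,
            "ip": ip.group(1) if ip else None,
            "time": parse_time(text.rsplit(";", 1)[-1]),
        })
    return hops


def review_chain(hops, max_gap=timedelta(hours=1)):
    """Flag hand-offs worth a second look. These are hints, not proof:
    clocks drift, mail queues, and servers answer to more than one name."""
    findings = []
    for older, newer in zip(hops, hops[1:]):
        if older["by"] and newer["from"] and older["by"] != newer["from"]:
            findings.append(("name-mismatch", older["by"], newer["from"]))
        if older["time"] and newer["time"]:
            delta = newer["time"] - older["time"]
            if delta < timedelta(0):
                findings.append(("clock-runs-backwards", older["by"], str(-delta)))
            elif delta > max_gap:
                findings.append(("long-delay", older["by"], str(delta)))
    return findings


if __name__ == "__main__":
    chain = parse_hops(SAMPLE)
    for hop in chain:
        print(hop["time"], hop["ip"], hop["from"], "->", hop["by"])
    for finding in review_chain(chain):
        print("check:", finding)
```

Headers with no from/by pair, such as the qmail lines in the article's first sample, are kept as hops with empty names so that their timestamps still take part in the ordering check.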

  110. Nikki Reply

    Hi, I had some emails sent to me a couple weeks ago, it was Gmail, and I’m pretty sure it was made specifically to disguise themselves. Only thing is, they either changed emails or deleted the account shortly after I kept asking who it was. Is there any way for me to still track this and find out who it is?

    Unless you can involve law enforcement to get at information and records from Google, nope.

    Leo
    21-Dec-2010

  111. jbeal1 Reply

    How do you view email headers in Vista Windows Mail? Under the View menu there is no Options selection. Additionally, View Headers is checked but I can’t get to them and I cannot find the info in Vista Windows Email Help file. I received an email that appears to come from my gmail account addressed to my other email address (not gmail) and I did NOT send it. How do people use your email address to send emails and how can I track and stop this?

    Right click on the mail summary line in your inbox, click on Properties, and then click on the Details tab.

    Leo
    04-Mar-2011

  112. Mitchell Reply

    An associate from Ukraine is in Moscow and sent an email using a borrowed PC.
    The IP address indicated it came from Bangkok, but my associate is in Moscow.
    Each device/laptop has its own IP address; therefore no matter where you travel the IP will always point to “Bangkok”?

    I did reference the time stamp and it did give me the appropriate hour for Moscow.
    Date: Sun Mar 2011 13:36:47 +0300 (time when “send” was pressed)
    I am on Pacific Standard Time so there is a 10 hour spread.
    My received stamp: Sun Mar 2011 03:36:57

    Had my associate’s email been written and sent from Bangkok… would not the time stamp have been the 14 hour difference?
    My associate’s email address is a “mail.ru” email account having been acquired in Ukraine.

    To simplify…. Where is my associate? Moscow or Bangkok?

    The IP address is assigned to the computer by the ISP it’s connecting to. Typically that’s the ISP in the location that the computer is connected. But not always. I’m in the Seattle area, but if I dial-up and connect via an ISP in Australia my IP address will be an Australian one. Similarly the time on an email is usually defined by the computer sending the email – and if that computer’s time is set wrong then the time can easily be wrong. You see this a lot in spam where they fake the time to be from the future so as to appear at the top of your inbox. Short answer: still no way to really know for sure.

    Leo
    20-Mar-2011

  113. dino Reply

    Outlook, they’re hidden by default, so with the message open, click on View, and then Options, and you’ll see a box labeled Internet Headers.
    Using office pro plus 2010 outlook. When I receive an email all I have at the top is File and Message.
    No view. I got lucky and found it. Click message. Open ribbon. Click on the tiny tags down arrow. At the bottom is the “internet headers” tiny box and tiny letters.

    I clicked inside the box, did control+a, control+c for copy and pasted opened a new email, clicked inside the box where you enter text, then control+v to paste. Much easier to read. Thanks for reminding me about the headers, this may be helpful.

  114. shaz Reply

    Hi,

    My girlfriend recently had her Hotmail account hacked into. When we traced the IP address we found that it matched up to mine. How would someone gain access to my IP address and how do we track it to the original IP address? We still have the headers, what do we look for?

    Regards shaz

  115. jackie Reply

    How can I tell if an email that is sent to me will tell the sender of the email that I have opened it?

    Make sure images are not displayed, and do not click on any links contained in the email.

    Leo
    18-Jan-2012

  116. Preciosite Reply

    I could find out all the above from an internet search. All I wanted to know was: is there a way to find out whether the email was sent by a mobile phone or a laptop?
    Is there a way to find that out? I can trace the IP; mails sent from the same origin gave me different IPs: one shows broadband, another shows a Hotmail server and another shows a private IP address. Is it possible?

  117. Mikhus Reply

    To help the users to read the headers I’ve written a tool, which is available here: http://smart-ip.net/trace-email

    Actually it does the basic analysis of the headers and provides human-readable conclusions. It is just much faster to analyze with the tool than to read the headers in a plain format.

    Hope it will help at least someone.

    Best regards,
    Mike

  118. R unknown Reply

    Thank you for helping me. Because of you I wasn’t scammed again.
