Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Does email coming from the same IP address imply that it was the same computer?

Question:

I have Hotmail and I’ve been getting nasty e-mails from somebody who I do
not know. I figured out how to view the headers and try trace the IP addresses.
As I was doing some trial and error from the X-Originating-IP addresses from
people on my list, I noticed that one of my friends has the EXACT same
X-Originating-IP address from the one I’ve been getting my nasty e-mails from.
Is my old friend sending me nasty e-mails off of the same computer but through
different e-mails? If it helps, there both Hotmail accounts. Thank you in
advance for your help and assistance.

Of course he could be, but the IP address doesn’t prove it.

There are several reasons that a single IP address could be used by several
different computers.

Become a Patron of Ask Leo! and go ad-free!

In the simplest case, an IP address uniquely identifies your computer on the
internet. However for many reasons that’s becoming less and less common as
computers proliferate.

Routers

An IP address only identifies whatever it is you have connected to the
internet. In many cases these days, that’s a router:

Router connecting several machines to the internet

In a case such as this, all the computers to the left of the router will
appear on the internet as having the same IP address. That IP address is
actually assigned to the router, and it handles routing the traffic to the
appropriate computer on the local network.

In a case like this the IP address you’ve extracted from your email headers
may get you as far as the router, but that’s it. You can’t tell which computer
behind the router was responsible for it.

The diagram above is a common home or small business configuration. It’s
important to realize, though, that in larger installations there could easily
be hundreds of computers sharing a single or smaller set of IP addresses. Once
again, with just the internet IP address, there’s no way to tell which computer
sent your email.

Dynamic IP Addresses

Many computers are connected to the internet using what’s called a “dynamic”
IP address. The IP address is assigned to that computer when it first connects
to the internet, and is released when it disconnects. A common example is
dial-up connectivity where the connection and disconnection are both obvious
and frequent. Persistent connections can also use dynamic IP addresses, and in
fact can be re-assigned a new address even without having to disconnect –
though typically that’s not the case. However even the slightest disconnection
could cause a new IP address to be assigned.

“…in larger installations there could easily be
hundreds of computers sharing a single or smaller set of IP addresses.”

What’s important to note here is that the IP address you were assigned
yesterday might very well be used by someone else today.

That means if your sender is using a dynamic IP address, then it might be
someone else entirely if you see that same IP address in another email at a
later time. There’s no obvious way to know.

Local IP addresses

If the address you see begins with 192.168., 172.16. through 172.32. or 10.
then it’s not an internet IP address at all, but rather a local IP address
assigned by a router.

Looking at the diagram above again, you can see that internet IP addresses
are assigned to the router’s connection to the internet. However on the left,
on the local side of the router, the addresses are assigned from a range of IPs
reserved for local networks. Most home and small business routers assign from
the 192.168. address range.

The problem here is that if that’s the IP address you’re seeing, then it
tells you pretty much nothing. There are probably tens of thousands of machines
with that 192.168.?.? IP address, scattered on local networks around the
internet.

Without the internet IP address, there’s just no way to get
closer.

The Bottom Line

Ultimately, as I’ve said time and time again, trying to use IP addresses to
locate someone is futile for the average person. Yes, technically there may be
ways to backtrack, but it’s complex, and often involves breaching privacy
barriers that will require law enforcement and/or court orders.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

18 comments on “Does email coming from the same IP address imply that it was the same computer?”

  1. I’m in a battle of the bands compitition where the winner is judged by the amount of votes they get on line. You can vote once a day from your computer. They count your IP address. I’m worried that if an office of 40 friends all vote for me, they only count as one vote if it’s the same IP address. 40 different computers, 40 people voting, one vote counted. Can this happen?

    Reply
  2. The crucial point in this case is that it’s being sent from Hotmail. Any emails sent through a web-based service will have the webmail provider’s email address as the X-Originating-IP because the actual computer used to send the message is not writing the headers. The headers will be written by the server-side script on the Webmail hosting providers service.

    So any email sent from a webmail service will have one of the IP addresses that resolves back to the webmail provider, and all you can deduce from it is that the spammer was connected to the same webmail server as your friend on hotmail.

    Reply
  3. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    Actually, HotMail does occasionally include IP address of the computer
    accessing the web service as the x-Originating-IP – I just confirmed it.
    Not sure about other providers, but that bit of anonymity obviously
    isn’t guaranteed.

    Leo
    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.6 (MingW32)

    iD8DBQFF4h2oCMEe9B/8oqERAjy0AKCLnKEIl+iRz+4Haw74kdfR+ehROQCbBjRY
    175hbr7h5daL24hwQ2YjCVs=
    =JAPa
    —–END PGP SIGNATURE—–

    Reply
  4. Yes…hotmail does include at least the IP address of the router that the user was connected too, I have confirmed that when i send an email through hotmail it includes my routers IP every time without fail.

    It is possible your friend sent the mails but you cant be sure, what you could do is check all the IP’s of your friend and also from the person sending the malicious emails and see if there is any pattern.

    Reply
  5. I’m having the exact same issue. I’ve compared the malicious emails with the other emails and found that one of the IPs found in both email addresses headers is EXACTLY the same (starts with 10. and the rest of the numbers match identically). Does this prove anything?

    Not really, though it might be useful with other data. All that a “10.” address means is that the person is behind a router. That exact same “10.” address could exist behind hundreds if not thousands of different routers.

    Leo
    14-Jan-2010

    Reply
  6. Hi Leo – your site and info has been most helpful. I think I have the answer but hopefully you can help. I have had a number of e-mail from two different people supposedly, but both mails have come from IP 86.178.233.xxx. Identical. These emails have come to me over a period of about 2 weeks. These MUST be coming from the same computer, or router. Am I right? So one e-mail couldn’t be coming from Aberdeen, and one from London.

    Many thanks,

    John Heaney

    You simply can’t make that assumption. ISPs do funny things with IP addresses, particularly if they IP addresses are assigned dynamically. Not only could that single IP address have been assigned to different computers over time, but there’s no guarantee that the computers are near each other. Similarly, if the IP address is of a NAT router, such as you and I might use in the home, then there could be any number of computers sharing that same IP address.

    Leo
    03-Mar-2010

    Reply
  7. Hi,
    I am getting abuse emails showing my close friends Static IP address.. But i gotta doubt on my new roomate. Is it possible for my roomate to use my Friend’s static IP and send abuse emails to me using our common internet connection.
    [Note: we use same internet connection and same computer for internet perpose..]
    Pls help me with the solution… thanks!

    Reply
  8. Hi Sir,
    My email was compromised and I am sure it was my sister in law. I checked the IP who logged in my account and was 85.133.202.236 and her emails come from IP which is 85.133.203.214. How can I prove that to Immigration office? Please advice. She is ruining my immigration. Please advice. Thank you very much.

    Reply
  9. I have constantly received emails from 2 different people with same IP address starting 209…Does this mean its the same person.

    Reply
  10. I have been checking my friend email looking at the IP address. My friend has been traveling around the states. The address comes up Atlanta Georgia close to a building on the maps but the latest email told me they are in Las Vegas but the address still comes up Atlanta Georgia same IP number on all emails? I don’t understand sorry if this is a repeat question

    Reply
    • The location given by a WhoIs search can be off by hundreds of miles. Often the results are the location of the email service provider. Often when I look up the location of an IP address I get the location of the Amazon Web Services or the location of the email service provider.

      “Geo-location services are notoriously inaccurate. Depending on which service is used, my home IP address has been located as “Woodinville” (the postal region which encompasses 18 square miles and some 10,000 residential addresses), Seattle (roughly 10 miles from my house), Portland, Oregon (150 miles) and even southern California (close to 1000 miles).”
      What Can People Tell from My IP Address?

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.