How To... Trace an email
Tracing an email message is not as straightforward as we would like. If it were, spam would not be nearly the problem that it is. There are, however, a few things you can do to narrow down where an email came from.
Every received email carries Internet Headers that record information about the message and the servers it passed through. To trace a message you must analyze this header information. This article will show you:
- How to get the email header from various popular email solutions
- A header example
- How to analyze that header to determine where an email came from
- Tracing Tools
- How to report email abuse (spam, phishing, etc.)
Getting an email header
- In Outlook
- Right-click on the mail message in your Inbox or other Outlook folder.
- Select 'Options...' from the resulting popup menu
- The 'Message Options' dialog box will appear.
- The header is contained in the 'Internet Headers' section at the bottom.
- TIP: For easier viewing, right-click in the 'Internet Headers' field and click on 'Select All' in the popup menu (or type Ctrl-A). Right-click again and click on 'Copy' in the popup menu (or type Ctrl-C). Then paste all the Internet Headers into your favorite text editor (such as 'Notepad').
- In Gmail
- Open the message
- Click 'More Options' (just before the date at the top of the message)
- Click 'Show Original' in the panel that is shown
- The header is the series of lines at the top of the message, above the text of the message itself
- In Hotmail
- Once logged in, click on the "Options" link in the upper navigation bar
- Click on the "Mail Display Settings" link
- Under 'Message Headers', select the setting that shows the full headers
- Go to your inbox and open one of your messages. Your email will now show header information
- In Yahoo
- Once logged in, click on the "Options" link in the upper navigation bar
- Click on the "General Preferences" link
- Under "Messages", locate the "Headers" heading and select "All"
- Go to your inbox and open one of your messages. Your email will now show header information
Email Internet Headers
What you see will be very similar to the following (with 'line numbers' added for clarity and discussion in following sections):
1: Received: from tes1a623.OneMail.com.sg ([203.127.89.129]) by visualroute.com (8.11.6) id f9CIVSk24480; Tue, 12 Oct 2004 12:31:29 -0600 (MDT)
2: Message-Id: <200110121831.f9CIVSk24480@s2.domain.com>
3: Received: from drb.com (IIM1608 [203.127.89.138]) by tes1a623.OneMail.com.sg with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
4: id 4XNK9ATR; Wed, 13 Oct 2004 01:19:10 +0800
5: From: paylesslongdistance@somedomain.com
6: To: <>
7: Subject: Long Distance - 4.9 cents per min - NO FEES!
8: Date: Tue, 12 Oct 2004 13:24:26 -0400
9: X-Sender: paylesslongdistance@yahoo.com
10: X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
11: Content-Type: text/plain; charset="us-ascii"
12: X-Priority: 3
13: X-MSMail-Priority: Normal
14: X-UIDL: 8`Y!!0GR!!"?H"!k:O!!
15: Status: U
Header Line Syntax: The Internet Header Fields are just a series of text lines, where each line looks like:
Header-Name: Header-Value
If a line starts with a tab or spaces, that line is a continuation of the previous Header-Value (the header has been 'folded'). So the Received header that begins on line 3 has a Header-Value spanning lines 3 and 4, and you should join the two lines before reading it.
Find the sending computers using 'Received' Headers
The most important header field for tracking purposes is the Received header field, which usually has a syntax similar to:
Received: from ? by ? via ? with ? id ? for ? ; date-time
where from, by, via, with, id, and for are tokens whose values all sit inside a single Header-Value, which may span multiple lines. Note: some mail servers omit some of these tokens, and others add tokens and values of their own, but you are now prepared to break the field apart and understand it.
Every time an email passes through another mail server, that server adds a new Received header line (and possibly other header lines, like line 2 above) at the top of the header list. This is similar to FedEx package tracking: each time your package enters a new sorting facility it is scanned, and a new entry is added to its history.
This means that as you read the Received headers from top to bottom, you move steadily closer to the computer/person that sent you the email; the topmost line was written by your own mail server, and the bottom line records the first hop.
But as you get closer to the sender, consider the possibility that the sender added one or more false Received lines before sending. Because every later server prepends its own line, the sender's fakes end up at the bottom of the list, exactly where you expect the origin to be, and they are meant to redirect you to another location and hide the true sender. Now that you know false header lines are possible, stay alert: the lines written by your own provider's servers are genuine, and each genuine line's from host should match the by host of the line beneath it.
You will probably find it very useful to break a single Received line into multiple lines, with one token per line. Namely, the header line:
Received: from tes1a623.OneMail.com.sg ([203.127.89.129]) by visualroute.com (8.11.6) id f9CIVSk24480; Tue, 12 Oct 2004 12:31:29 -0600 (MDT)
is much easier to read and understand when formatted so that each token is on a new line, as in:
Received:
from tes1a623.OneMail.com.sg ([203.127.89.129])
by visualroute.com (8.11.6)
id f9CIVSk24480
; Tue, 12 Oct 2004 12:31:29 -0600 (MDT)
The Sender's IP Address
For tracking purposes, we are most interested in the from and by tokens in the Received header field. In general, you are looking for a pattern similar to:
Received: from BBB (dns-name [ip-address]) by AAA ...
Received: from CCC (dns-name [ip-address]) by BBB ...
Received: from DDD (dns-name [ip-address]) by CCC ...
In other words, mail server AAA received the email from BBB and records as much as it can about BBB, including the IP address BBB used to connect to AAA. The pattern repeats on each Received line. The from token usually looks like:
name (dns-name [ip-address])
where name is the name the connecting computer announced for itself (its SMTP HELO name). Most of the time we do not rely on this name, because it can be set to anything in an attempt to foil your tracking (though it may leak the Windows computer name; see below). dns-name is the receiving server's reverse DNS lookup on ip-address. ip-address is the address of the computer that connected to the mail server which wrote this Received line, as that server saw it on the network connection; it is the one part the sender cannot simply type in. So the ip-address is gold for tracking purposes.
The by token only gives us the name the mail server calls itself. Since that mail server could be under a spammer's control, we should not trust this name either.
What is crucial for tracking, then, is to follow the trail of ip-addresses in the from tokens rather than the host names in the by tokens. An example should make the reason clear:
1: Received: from tes1a623.OneMail.com.sg ([203.127.89.129]) by visualroute.com (8.11.6) id f9CIVSk24480; Tue, 12 Oct 2004 12:31:29 -0600 (MDT)
3: Received: from drb.com (IIM1608 [203.127.89.138]) by tes1a623.OneMail.com.sg with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
If you ignored line 1, you would conclude from line 3 that mail server tes1a623.OneMail.com.sg sent you the email, but this would be wrong. When you trace to the host name tes1a623.OneMail.com.sg you are actually tracing to whatever address that name currently resolves to in DNS, which at the time was 192.9.200.230. But as you can see from line 1, the address that actually connected was 203.127.89.129; the name is only what the connecting host claimed to be. Do not be fooled by this kind of misdirection by spammers and fraudsters: trace the address, not the name.
Determine the IP Address of the Sender: Using the example email headers above and analyzing the Received header lines we can conclude:
- A Visualware employee received an email
- which came from visualroute.com (line 1)
- which came from tes1a623.OneMail.com.sg (line 1; line 3 confirms)
- but whose ip-address used was 203.127.89.129 (line 1)
- which came from drb.com/IIM1608 (line 3)
- but whose ip-address used was 203.127.89.138 (line 3)
So, we have just tracked this email to the source -- IP Address 203.127.89.138
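As an added example (not part of the original article and not a Visualware tool), the following Python script applies the procedure above to the article's own example headers: it joins folded continuation lines as described under "Header Line Syntax", breaks each Received field into its from/by/via/with/id/for tokens, pulls the bracketed IP address out of the from token, normalises the +HHMM time offsets to UTC, and checks that each line's from host matches the by host of the line beneath it, which is how an inserted Received line usually betrays itself. It also accepts the bare-IP form webmail gateways write (from 202.156.2.147 by ... with HTTP). The forged line, the example.net/example.org names and the 198.51.100.7 address are constructed for illustration; only the Python standard library is used.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed input: the article's example headers without the "1:" line numbers; the
# second Received header is folded onto two lines (continuation starts with a tab).
SAMPLE_HEADERS = """\
Received: from tes1a623.OneMail.com.sg ([203.127.89.129]) by visualroute.com (8.11.6) id f9CIVSk24480; Tue, 12 Oct 2004 12:31:29 -0600 (MDT)
Message-Id: <200110121831.f9CIVSk24480@s2.domain.com>
Received: from drb.com (IIM1608 [203.127.89.138]) by tes1a623.OneMail.com.sg with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
\tid 4XNK9ATR; Wed, 13 Oct 2004 01:19:10 +0800
From: paylesslongdistance@somedomain.com
Date: Tue, 12 Oct 2004 13:24:26 -0400
"""
# Constructed variant: a forged Received line appended at the bottom, where a spammer's
# inserted line lands. Its 'by' host does not match the 'from' host of the genuine line
# above it (example.net/.org and 198.51.100.0/24 are reserved for documentation).
FORGED_HEADERS = SAMPLE_HEADERS + (
    "Received: from innocent.example.net ([198.51.100.7]) by mail.example.org "
    "with SMTP; Tue, 12 Oct 2004 23:00:00 +0000\n"
)

RECEIVED_TOKENS = ("from", "by", "via", "with", "id", "for")
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def unfold(raw):
    """Join folded lines: a line starting with a space or tab continues the previous one."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line)
    return lines


def parse_received(value):
    """Split one Received value into from/by/via/with/id/for tokens plus the date.
    Keywords inside parentheses are comments (banners, reverse-DNS names) and must
    not start a new token, so the scanner tracks parenthesis depth."""
    body, sep, date = value.rpartition(";")
    if not sep:
        body, date = value, ""
    fields, key, depth = {}, None, 0
    for word in body.split():
        if depth == 0 and word.lower() in RECEIVED_TOKENS:
            key = word.lower()
            fields[key] = []
        elif key is not None:
            fields[key].append(word)
        depth += word.count("(") - word.count(")")
    hop = {k: " ".join(v) for k, v in fields.items()}
    hop["date"] = parsedate_to_datetime(date.strip()) if date.strip() else None
    # from_name is what the connecting host called itself (untrusted); from_ip is the
    # address the receiving server saw: bracketed, or bare as webmail gateways write it.
    src = hop.get("from", "")
    hop["from_name"] = src.split()[0] if src else ""
    match = IP_IN_BRACKETS.search(src)
    bare = BARE_IP.match(hop["from_name"])
    hop["from_ip"] = match.group(1) if match else (hop["from_name"] if bare else None)
    hop["by_name"] = hop["by"].split()[0] if hop.get("by") else ""
    return hop


def trace(raw):
    """Walk the Received chain top-down; return hops, the trusted tail, sender IP, warnings."""
    hops = [parse_received(line.partition(":")[2]) for line in unfold(raw)
            if line.lower().startswith("received:")]
    warnings, last_trusted = [], len(hops) - 1
    for i, (later, earlier) in enumerate(zip(hops, hops[1:])):
        # The 'by' host of the earlier line must be the 'from' host on the line above it.
        if later["from_name"].lower() != earlier["by_name"].lower():
            warnings.append(f"chain break: {earlier['by_name']} -> {later['from_name']}")
            last_trusted = min(last_trusted, i)
        # With the +HHMM offsets normalised, no hop may be stamped before the hop below it.
        if later["date"] and earlier["date"] and later["date"] < earlier["date"]:
            warnings.append(f"time runs backwards below {later['by_name']}")
    trusted = hops[:last_trusted + 1]          # lines below the first break are untrusted
    return {"hops": hops, "trusted": trusted,
            "sender_ip": trusted[-1]["from_ip"] if trusted else None, "warnings": warnings}


def transit_seconds(raw):
    """Seconds between the earliest and latest trusted Received stamps, compared in UTC."""
    trusted = trace(raw)["trusted"]
    return int((trusted[0]["date"] - trusted[-1]["date"]).total_seconds())


if __name__ == "__main__":
    for label, raw in (("genuine", SAMPLE_HEADERS), ("forged", FORGED_HEADERS)):
        result = trace(raw)
        for hop in result["hops"]:
            stamp = hop["date"].astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
            print(f"{label}: {hop['by_name']} <- {hop['from_name']} [{hop['from_ip']}] at {stamp}")
        print(f"{label}: sender {result['sender_ip']}, transit {transit_seconds(raw)}s, "
              f"warnings {result['warnings'] or 'none'}")
```

On the genuine headers the script arrives at 203.127.89.138 with no warnings and a transit time of 72 minutes between the Singapore server and visualroute.com once both stamps are in UTC. On the forged variant it still reports 203.127.89.138, because it stops trusting the chain at the first break rather than blindly taking the bottom line's 198.51.100.7. Both checks are heuristics: a careful forger can write a consistent-looking chain and real servers do have skewed clocks, so treat a warning as a reason to distrust everything below it, not as proof, and confirm the surviving address with a whois lookup.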
Tracing Tools
You can find out which organization an IP address is allocated to through the Regional Internet Registry whois databases, for example the American Registry for Internet Numbers (ARIN). ARIN covers North America; for addresses in other regions its whois refers you to the responsible registry (the 203.127.89.x addresses in the example fall in APNIC's Asia-Pacific range). Remember that the registrant is usually an ISP or hosting company, not the individual sender.
- Email Graphic Traceroute - A very useful and easy to use tool. Simply paste your header into the web page and it will generate a Google map mashup showing you exactly where the e-mail has gone.
- Geobytes Free Services - A large list of free services that all rely on associating an IP address with a physical location.
- DNS Report - A very comprehensive look at a specific domain name. Also provides an option to check an e-mail address.
- DNS Tools & Network Tools - A lot of very useful IP and DNS tools including:
- ping
- lookup
- trace route
- whois
More information hidden in the headers
The Internet Headers for an email message may contain some really interesting information about the sender.
- Windows Computer Name: The name in the from token is whatever the connecting machine announced in its SMTP HELO greeting, and Windows mail software sometimes sends the computer's own name there, so the Windows computer name is occasionally leaked. Consider the following partial header from an actual email:
Received: from hanksdell (11-22-33-44.xyz.net [11.22.33.44]) by visualroute.com (8.8.5) id SAA26331; Mon, 11 Oct 2004 18:46:53 -0600 (MDT)
Here we can clearly see the sender's IP address, but we can also see the computer name hanksdell. A computer can be named anything, but in this case one might guess that the owner is named Hank and uses a Dell.
The name may be intentionally misleading or simply meaningless, but it becomes useful corroborating evidence if law enforcement can confirm that a suspect's computer carries the name seen in the header.
- Time zone Information: Consider lines 3 and 4 from the Internet Header discussion above:
3: Received: from drb.com (IIM1608 [203.127.89.138]) by tes1a623.OneMail.com.sg with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
4: id 4XNK9ATR; Wed, 13 Oct 2004 01:19:10 +0800
Notice that when a time appears in the Internet Headers it is usually followed by a plus or minus sign and four digits, HHMM, giving the offset in hours and minutes from UTC (Coordinated Universal Time, for this purpose the same as GMT; it is not London local time, which moves forward an hour in summer). Plus means east of Greenwich, minus means west. Each server stamps the same moment in its own local time, so the stamps must be converted before they can be compared: 12:31:29 -0600 on line 1 is 18:31:29 UTC, and 01:19:10 +0800 on line 4 is 17:19:10 UTC on the previous calendar day, so the message spent about 72 minutes between the two servers.
So +0800 puts the server 8 hours east of Greenwich. TIP: In the Windows Control Panel, the Date/Time dialog has a Time Zone list that maps offsets to regions. A +0800 offset covers a band that includes Singapore, but also Hong Kong, Beijing, Perth and Manila, so it is supporting evidence rather than proof. The .sg in tes1a623.OneMail.com.sg (the country code for Singapore) is one more confirmation, and a final one comes from a VisualRoute trace of 203.127.89.129 (the address in the from token for tes1a623.OneMail.com.sg). TIP: Trace to the IP Address, not the host name; as shown above, the name may resolve to a different address (192.9.200.230) than the one that actually connected.
This graphic can help you determine what part of the world the time zone you are looking at includes.
(Warning, this is a large graphic file, 600K, with image dimensions of 4800x2000 pixels.)
- X-Mailer: This will usually tell you the mailer software used by the sender of the email. Consider:
10: X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
This may or may not be immediately useful, but it can be very useful if there is a follow-up investigation by authorities.
- X-Originating-IP: If you are tracing an email received from a Hotmail account, look for the X-Originating-IP header field, which records the IP address of the browser session that composed the message (Hotmail's own web front end is the host that actually handed the mail to SMTP, so the ordinary Received trail would otherwise stop there). Consider:
1: Received: from hotmail.com (f105.pav1.hotmail.com [64.4.31.105]) by s2.xyz.com (8.11.6) id f9BIvve34655; Mon, 11 Oct 2004 12:58:00 -0600 (MDT)
2: Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
3: Mon, 11 Oct 2004 11:57:51 -0700
4: Received: from 202.156.2.147 by pv1fd.pav1.hotmail.msn.com with HTTP;
5: Mon, 11 Oct 2004 18:57:51 GMT
6: X-Originating-IP: [202.156.2.147]
Notice that the same address already appears in the Received header on line 4, written by Hotmail's web server (with HTTP) when the user submitted the message, so the X-Originating-IP field is extra confirmation rather than the only source. Note also that the address is written bare, without the usual square brackets, so do not rely on brackets alone when looking for IP addresses.
Final Warnings
Please pay attention to these warnings when attempting to track email messages:
- Host Names vs IP Addresses: Always make tracking decisions based upon the IP Addresses that you find in the header information and not on host names. Host names may be fake.
- False Header Information: Be aware that spammers may insert fake Received: lines into the headers to confuse you. Follow the trail through the Received: fields from mail server to mail server, check that each line's from host matches the by host of the line beneath it, and apply common sense when the information conflicts. Only the lines written by servers you trust (your own provider's) are guaranteed genuine; everything below them arrived from the sender's side.
- False IP Address: The IP address you finally arrive at is the address of the computer that handed the message to the first trustworthy server. That computer may be the real sender, a machine that was compromised so that mail could be sent through it, or an 'anonymizer' or open relay that hides the true origin.
- IP Addresses Change: Do not assume that the sender's computer has a fixed, constant IP address. Most residential connections are assigned a different address each time they connect. However, all is not lost. Report the IP address together with the full Internet Headers (which carry the date, time and time zone of each hop) to the address's ISP; the ISP can match that address and time against its connection logs, identify the subscriber and take action.
- Viruses: Do not assume the worst of the person whose computer sent the email. They may simply be infected with a virus or worm that is using their computer to spread itself, or their address may have been forged in the From: line.
- Open Mail Servers: Do not assume the worst of the company whose mail server relayed the email. They may be involved in the spam, but they may also just run a misconfigured email server (an open relay) that lets anyone send mail through it.
Report Email Abuse - Spam, Phishing, etc.
Reports for email abuse -- such as spam, email-borne viruses and email threats -- should be directed to the sender's ISP and to the Federal Trade Commission (spam@uce.gov)
More information
For more great discussions on this topic, see