Finding Email sender's IP address

How To Find the Sender's Original IP Address Using Email Message Headers

The content of this page was originally produced by Ivan Mayrakov, whose website is at http://www.johnru.com

     So you'd like to find out just who is sending those email love letters, determine the sender of a blackmail message, or just root out the source of a virus emailed to you. There are indeed many such situations where you would like to know who sent a particular email message to you. This article will teach you how to use "Email Headers" to backtrack and find the original sender's IP address. Don't worry, it's not rocket science. If it were, SPAM would still only be canned meat and an amusing Monty Python skit!

Theory...

     Email messages, as in the case of their non-electronic cousins, have "envelopes" of a sort. In the case of email the envelope is composed of a series of "Headers". These are just a series of lines of characters which precede the actual email message. Email programs such as Outlook do not normally display these Headers when displaying a message. From these Headers however, the email program is able to extract important information about the message, such as the message encoding method, the creation date, the message subject, the sender and receiver, etc.

     Moreover, just as a postal envelope contains an address, a return address and the cancellation stamp of the post office of origin, an email message carries in these "Headers" a history of its journey to your email inbox. Because of this, it's possible to determine the original IP address of the sender.

     Since email programs do not normally display these Headers, we must first learn how to display them. Depending on the program, this is done in a variety of ways. The following sequences detail the way to do this in some common email systems:

  • Gmail
    In Gmail you need to open the 'original' email. First open the message and click for the menu, then choose 'Show original' from the menu. Gmail opens the original email, headers included, in a new window or tab.
  • MS Outlook.com (former Hotmail)
    Right-click the message in the message list, then click 'View source'. Outlook.com opens a new tab showing the headers.
  • AOL mail
    AOL Desktop software does not show headers, so you need to connect to email through WWW.AOL.COM via any browser, where 'View Message Source' from the context menu shows the headers. Right-click the message in the message list, then click 'View Message Source'. AOL opens a new window showing the headers.
  • Yahoo mail (obsolete)
    On Yahoo Mail you need to click "View Full header" from the "More actions..." menu while viewing the message: click 'Compact header' first, then choose 'Full header'. The headers are shown in a pop-up window.
  • "Outlook Express" from Windows XP (obsolete)
    In the Windows XP default email program, "Outlook Express", first select "Properties" from the "File" menu, or just press ALT+Enter. Next, select the "Details" tab, which shows the headers.
  • Microsoft Office version of Outlook (obsolete)
    Here's how to view the Headers in the Microsoft Office version of Outlook:
    • Open a message.
    • On the View menu, click Options.
      Note: If you do not see the Options command, make sure you click View on the toolbar in an open message window. The View menu on the standard Outlook toolbar does not have the Options command.
    • The Header information appears under the Delivery options in the Internet Headers box.

     As you can see in these screenshots, a Header consists of two parts separated by a colon ":". The first part is the Header's name. The second is the Header's data. In the case of postal mail, in principle, it is possible to write any kind of information (c/o, suite or apartment number, etc.) into the address information. Similarly, email Headers can include any kind of information. Usually, however, an email will contain at least the following basic Headers:

Header Name    Header Data                                           Sample
To:            The name and email address of the recipient           To: "John Doe" <email address omitted>
From:          The name and email address of the sender              From: "Alice Smith" <email address omitted>
Date:          Date the message was created                          Date: 1 Nov 2004 22:49:20 -0000
Subject:       The subject of the message which follows the Headers  Subject: How are you?
Return-Path:   The email address for responding to the message       Return-Path: <email address omitted>
Received:      Delivery stamp                                        Received: from [67.66.123.205]
                                                                          by web41013.mail.yahoo.com via HTTP; Sun, 25 Apr 2004 23:13:34 PDT

     In some cases, a number of these Headers may not be necessary.
     To determine the address of origin, special attention must be paid to the 'Received:' Headers. These Headers are selected on our screenshot illustration. 'Received' Headers have the following format:

  Received: from [computer name and/or IP address from sender]
         by [server name] (maybe Internet protocol too); date.

Sample:
   Received: from [67.66.123.205]
         by web41013.mail.yahoo.com via HTTP; Sun, 25 Apr 2004 23:13:34 PDT

      Briefly this means that the server web41013.mail.yahoo.com received the message from the IP address 67.66.123.205 on the 25th of April 2004, at 11:13:34 pm PDT via the HTTP protocol (i.e. through the web).

     So, as we have observed, it is from the 'Received' Header that we retrieve the IP address or domain name. Using this IP address, Active Whois is able to look up additional information such as associated postal and email addresses. You can easily select and copy the IP address from the Outlook Internet Headers box by using CTRL-C to place it on the clipboard.

     We are faced with an additional problem, however. Email messages frequently contain more than one 'Received' Header. How can we know which of these several Headers contains the originating IP address belonging to the sender? 'Received' Headers are appended to the front of the email message as it travels through the Internet to your email inbox. The flow diagram below shows how these 'Received' Headers are appended to the message as we travel backwards from the receiver to the sender:

     The Recipient's mailbox receives the message from his POP3 or webmail server. No new 'Received' Header is added at this stage.

     Headers from the top of the Header sequence:

     The Recipient's email server (POP3, Yahoo, Hotmail, etc.) receives the email message from the original sender's server (e.g. bay15.hotmail.msn.com).
  • A 'Received: from [sender mail server] by [recipient mail server]' field is appended to the top of the current sequence of Header strings.
  • Any previous 'Received' Headers will appear below this new one.
  • The newest 'Received:' Header at the top of the sequence of Headers now contains the IP address belonging to the email server of the sender (e.g. Hotmail.com). It is not the true IP address of the sender himself.

Received: from bay15.hotmail.com (HELO hotmail.com) (65.54.185.39)
     by mail2.aol.com with SMTP; 30 Sep 2004 02:27:02 -0000

     (one step earlier in the journey)

     The sender's email server receives the email message from the sender's computer.
  • The first 'Received' Header, containing the true IP address of the sender (e.g. 203.172.49.180), is appended to the message, appearing now at the very top of the sequence of Headers.
  • As the message travels over the Internet, new 'Received' fields will be appended to the top of the sequence of Headers. This means that the sender's actual IP address will always be in the very bottommost "Received:" Header.

Received: from 203.172.49.180 by bay15.hotmail.msn.com with HTTP;
     Thu, 30 Sep 2004 02:26:37 GMT

     (one step earlier in the journey)

     The Sender sends the email message to his own email server to begin its journey to the receiver. The common Headers are created:

From: "John Doe" <email address omitted>
To: "Alice Smith" <email address omitted>
Subject: Nice meeting!
Date: Thu, 30 Sep 2004 02:26:37 +0000

     There are other possible variations in email routing. Your Email Service Provider (or the provider of the sender) may use several 'pass-through' email servers and these servers can add several 'Received' Headers. Also, if you and the sender use the same server, the message will have only one 'Received' Header.

Practice... or tips for traps

     Unfortunately there are those who for various reasons want to conceal their IP address from the message receiver. About 95% of Internet email is composed of spam, viruses and other types of illicit material. Most spammers use clever tricks to hide their true IP address. They can, for example, place fake 'Received' headers into the email headers. They might look something like the following:

Received: from %RNDUCCHAR1524 (j236.128.26.76.%RNDLCCHAR15357.ti.yahoo.com 96.208.178.254)
     by mail08.t.yahoo.com (47.1.777akv719/%RNDDIGIT12.4.50) with SMTP id fwf54N4Wnto%RNDDIGIT15;
     Wed, 06 Oct 2004 09:22:39 +0500

     In this example, symbols such as %RNDDIGIT12 or %RNDLCCHAR15357 look like instructions to a mass-mailer application to insert RaNDom CHARacters or DIGITS, to confuse you as well as your anti-spam filter. Here the true sender IP could be in the first (topmost) 'Received' Header, that is, the one inserted by your email service provider's email server, because most spammers send their messages directly to your mailbox without using any intermediate servers. Then only one of the 'Received' Headers can be the one we're looking for, and once we find it we can conclude that all of the others are fake.

     We may safely conclude that, since there are often several 'Received' headers in an email message, servers deliver email using a 'chained' process. For that reason the server named after 'from' in one 'Received' Header should always correspond directly to the server named after 'by' in the 'Received' Header immediately below it, i.e. the previous hop!
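The two rules above, that the true sender sits in the bottommost 'Received' Header of a consistent chain (the flow diagram) and that a chain whose 'from' and 'by' servers do not link up, or that still carries %RND... placeholders, is forged (the trap section), can be applied mechanically. The following Python script is an added example written for this page; it is not code from the original article or from Active Whois. It uses only Python's standard email module, two constructed sample messages modelled on the headers quoted above (the mailbox addresses, the top stamp of the forged message and the server name mx1.example.net are invented), and it goes a little beyond the article's rule: it walks the chain only from the stamp written by your own server (a name you supply) downwards and stops trusting at the first broken link.

```python
import email
import re
from dataclasses import dataclass

# Constructed sample messages (modelled on the article's headers, not real mail).
# CLEAN: a consistent two-hop chain, Hotmail webmail -> AOL inbound server.
CLEAN_MESSAGE = """\
Received: from bay15.hotmail.msn.com (HELO hotmail.com) (65.54.185.39)
     by mail2.aol.com with SMTP; 30 Sep 2004 02:27:02 -0000
Received: from 203.172.49.180 by bay15.hotmail.msn.com with HTTP;
     Thu, 30 Sep 2004 02:26:37 GMT
From: "John Doe" <john.doe@example.com>
To: "Alice Smith" <alice.smith@example.net>
Subject: Nice meeting!
Date: Thu, 30 Sep 2004 02:26:37 +0000

Nice meeting you yesterday.
"""
# FORGED: the stamp our own (invented) server mx1.example.net added sits on top;
# below it is the fake Yahoo stamp quoted in the article, %RND tokens and all.
FORGED_MESSAGE = """\
Received: from unknown (HELO %RNDUCCHAR1524) (96.208.178.254)
     by mx1.example.net with SMTP; Wed, 06 Oct 2004 04:23:11 -0000
Received: from %RNDUCCHAR1524 (j236.128.26.76.%RNDLCCHAR15357.ti.yahoo.com 96.208.178.254)
     by mail08.t.yahoo.com (47.1.777akv719/%RNDDIGIT12.4.50) with SMTP id fwf54N4Wnto%RNDDIGIT15;
     Wed, 06 Oct 2004 09:22:39 +0500
From: "Support" <support@bank.example>
To: "Alice Smith" <alice.smith@example.net>
Subject: Urgent account notice

Please click the link.
"""

# 'Received: from <sender> by <server> ...; <date>' as described in the article.
RECEIVED_RE = re.compile(r"^from\s+(?P<from_clause>.+?)\s+by\s+(?P<by_host>\S+)(?P<rest>.*)$", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PLACEHOLDER_RE = re.compile(r"%RND[A-Z]+\d+")   # unsubstituted mass-mailer tokens


@dataclass
class Hop:
    index: int        # 0 = topmost stamp, i.e. the one added last
    from_host: str    # first token after 'from' (may be a bare or bracketed IP)
    from_ip: str      # first dotted quad in the 'from' clause, "" if none
    by_host: str      # the server that wrote this stamp
    timestamp: str    # text after the final ';'
    raw: str          # whole value with folded lines joined


def _norm(host):
    return host.lower().strip("[]").rstrip(".")


def parse_received(raw_message):
    """Return every Received: stamp in the order it appears (newest first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for i, value in enumerate(msg.get_all("Received", [])):
        text = " ".join(value.split())            # join continuation lines
        m = RECEIVED_RE.match(text)
        if m:
            from_clause, by_host, rest = m.group("from_clause", "by_host", "rest")
        else:                                      # e.g. a 'Received: by ...' stamp
            from_clause, by_host, rest = "", "", text
        ip = IPV4_RE.search(from_clause)
        hops.append(Hop(index=i,
                        from_host=from_clause.split()[0] if from_clause else "",
                        from_ip=ip.group(1) if ip else "",
                        by_host=by_host,
                        timestamp=rest.rsplit(";", 1)[1].strip() if ";" in rest else "",
                        raw=text))
    return hops


def trace_origin(hops, our_server):
    """Start at the stamp written by our own server and walk downwards while each
    stamp's 'from' server equals the 'by' server of the stamp beneath it.  The
    deepest hop reached is the best-supported source of the message and its
    from_ip is the candidate sender address; stamps below a broken link (or with
    no link to our own server at all) are untrusted and may be forged."""
    notes = []
    start = next((h.index for h in hops if _norm(h.by_host) == _norm(our_server)), None)
    if start is None:
        return None, [f"no Received: stamp was written by {our_server}; nothing is trustworthy"]
    trusted = hops[start]
    for cur, below in zip(hops[start:], hops[start + 1:]):
        if _norm(cur.from_host) != _norm(below.by_host):
            notes.append(f"chain breaks at hop {cur.index}: it says 'from {cur.from_host}' but the "
                         f"stamp beneath was written by {below.by_host}; "
                         f"{len(hops) - below.index} lower stamp(s) are untrusted")
            break
        trusted = below
    tokens = PLACEHOLDER_RE.findall(trusted.raw)
    if tokens:
        notes.append(f"hop {trusted.index} contains mass-mailer placeholders: {', '.join(tokens)}")
    return trusted, notes


if __name__ == "__main__":
    for label, raw, server in (("clean", CLEAN_MESSAGE, "mail2.aol.com"),
                               ("forged", FORGED_MESSAGE, "mx1.example.net")):
        hop, notes = trace_origin(parse_received(raw), server)
        print(f"{label}: candidate sender IP {hop.from_ip} (from hop {hop.index}: {hop.raw})")
        for note in notes:
            print("   !", note)
```

For the clean message the walk reaches the bottom stamp and reports 203.172.49.180 with no notes, exactly the bottommost-header rule. For the forged message the link between 'from unknown' and 'by mail08.t.yahoo.com' does not hold, so the walk stops at the stamp your own server wrote and reports 96.208.178.254, the address the spammer actually connected from; the leftover %RND token in its HELO name is flagged as well. The host comparison is deliberately exact after lower-casing and bracket stripping; real servers sometimes stamp a HELO name that differs from their reverse DNS, so treat a "chain breaks" note as a prompt to look, not as proof of forgery on its own.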

     It is also useful to check the DNS of senders by using Active Whois. A 'Received:' Header carrying a random domain name will not resolve in DNS to the IP address it claims.

     While viruses have not yet attained this level of deviousness, you can easily retrieve the IP address administrator email from Active Whois and quickly stem a new virus outbreak by warning the administrator that someone sent numerous viruses to you using his server.

Some additional facts in conclusion:

     There is a useful Header, 'X-Mailer', that not only specifies the email program of the sender but also lets you recognise a message that was originally sent by an email bot; even the absence of this Header from a message is a clue.

     The email address of the sender can be easily faked. SMTP (Simple Mail Transfer Protocol), by which email is handled, allows this deception because it does not verify all Headers, such as the 'From' Header that contains the email address of the sender.