Here's How to (Maybe) Trace an Email

Category: Email , Spam

Thud... an unwanted, spammy email with an obviously fake “From” name just landed in your inbox, and you wish you could find out where it actually came from. Or maybe you got an email several days after it was sent? Read on to learn about some free tools that can help with both situations...

Who Really Sent That Email?

There are times when it’s useful to trace the path that an email traveled to get to your inbox. The most common situation is suspected spam, when you want to discover the true source of an email. Delays in receiving emails can also be diagnosed by tracing the path that emails take to you. But tracing emails on your own can be pretty frustrating.

Every email contains hidden information about the path it took to reach you, called “header information.” To most people, it looks like 100 or so lines of gibberish, which is why it's hidden by your email program. Here is just a small part of a typical example:

Received: by with SMTP id z62csp234112ita; Mon, 18 Aug 2022 05:10:19 -0700 (PDT)
X-Received: by with SMTP id bs3pad.121.144187; 18 Aug 2022 05:10:17 -0700 (PDT)
From: "Some User" <>
To: "My Name" <>
Message-ID: 60762392-7dbc-50e41ecd8bee@xt2mta1217.xt.local

How to Trace Emails

With the possible exception of the "From" and "To" lines, ordinary mortals struggle to make sense out of email headers like this snippet. Geeks who run email servers or those who hunt down spammers for fun may get eyestrain looking at raw headers, too. But there are many online tools that parse email headers to make them more legible by humans.

The Email Header Analyzer is a free online tool provided by MX Tools, Inc., a Texas-based firm that primarily serves network administrators and ISPs. Anyone can use the Analyzer, however; just paste a block of header information into the tool’s form and click the “Analyze Header” button.

The results include a bar graph, indicating any delays in the hops that the message took to reach you. It will also show you if any of the mail servers that relayed the message are on a spam blacklist. If the sender's server is on a blacklist, that's a big red flag that the message may be suspicious, malicious, fictitious, or pernicious.

Wrapping Your Head Around Headers

But where do you find those hidden headers? Google provides brief, clear instructions on how to find message headers in Webmail messages, including Gmail, AOL, Yahoo! Mail, Excite Webmail, and Hotmail (now Instructions for finding headers in desktop clients such as Microsoft Outlook, Apple Mail, Mozilla Thunderbird, and Opera are also given.

The Google Apps Toolbox also includes a message header analyzer. Its main purpose is to highlight delays in message relays and pinpoint their possible sources. (Typically, email messages are received within seconds, even if they must travel half-way around the globe.)

IPTracker is an email header tool that's more suited for non-techie users. In addition to showing the IP address of the sender, it also shows the name of the sender's Internet service provider, and the city and country of origin on a map.

Interpreting Email Headers is another Google tutorial, for those who want to read raw email header info. It walks you through each line of a sample header, explaining in plain English what it means.

Identifying a Spammer

When a load of fresh, steaming hot spam arrives in your inbox, should you get mad, get even, or just press the delete button? My article Report a Spammer? (Read this FIRST...) answers that question.

If a sender forges the "From" line, you may not be able to find the email address of the actual sender. But analyzing the email headers will show you at least that it WAS forged, and give you an indication where it originated. According to Statista, Russia is the top spam-producing country, where 24.77% of all spam originates.

It's also important to keep in mind that a lot of spammy emails are sent from ordinary home computers that are compromised by malware. The spamming masterminds can use networks of infected personal computers that number in the millions, to send their detestable dispatches anonymously. So don't assume that the person in the From: line of an email has any knowledge of having sent it.

For extra credit, you can paste the IP address found on the first "Received" line into the MaxMind GeoIP tool, to learn the approximate geographic location of the sender. (Note that first "Received" line is the one closest to the bottom of the headers. As messages travel over the Internet, the header lines stack up, so you need to read them in reverse order.)

For example, I got a classic 419 Scam email from a spammer recently, showing this: "Received: from User (UnknownHost []) by …" Sure enough, the MaxMind tool confirmed my suspicion that the sender was in Lagos, Nigeria.

If you think a message is from a spammer or a scammer, don't reply to it. You'll only be confirming to the bad guys that your address is valid, and possibly embroiling yourself in a heap of trouble.

If you can determine that the outgoing mail server is an internet service provider, you can forward the suspect message, with full headers exposed, to abuse@[isp-name].com and often they will disable the sender's account. Don’t bother forwarding unwanted emails to the FTC at – that address was phased out in 2004. You can, however report a spam message to the FTC, just don't expect a reply. They will share your report with local, state, federal and foreign law enforcement partners. The FTC does not resolve individual complaints, but your report might be used to investigate cases.

Personally, I find it more satisfying to just hit the DELETE button and move on with my life. Your thoughts on this topic are welcome. Post your comment or question below…

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 19 Aug 2022

For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 17 August 2022

The Top Twenty
Next Article:
Time To Replace Your Computer?

Most recent comments on "Here's How to (Maybe) Trace an Email"

Posted by:

19 Aug 2022

thank you!!!

Posted by:

19 Aug 2022

Quite a few years ago, I was getting a lot of spam on my Hotmail account so I decided to try to find out where it was coming from. I used the various "who is" sites and kept the record in a spreadsheet, which I cannot now read because I don't have the spreadsheet program any more. It was interesting to see how the e-mails would come from the same place for a while then they would come from somewhere else. And most of them came from the U.S. There was nothing I could do about them but it was interesting.

I did get a few that were obviously from compromised computers and I sent the info to their ISPs. The most interesting was spam from a company in Arizona that I reported to them and got a reply from them saying they knew they had a compromised computer but didn't know which one and could I send them the IP address which I did.

Posted by:

19 Aug 2022

Thanks Bob for the information on the tools, they could prove useful. I have been getting emails (usually 1 or 2 a week) purporting to be from a few people I know but which are obviously not from them, asking me to click on a link in the message. I usually just mark it as spam and go on my way; it might be interesting to see if I can learn where they are coming from.

Posted by:

20 Aug 2022

Thank you Bob for an informative article! I'm glad that my email accounts have good spam filters, and a few times I see a few authentic emails in the spam folder, which are easy to retrieve. With the rest, yes, I just delete and move on. Great advice!

Posted by:

20 Aug 2022

Hello Bob,

I was getting over 2,000 spam messages a week. I was able to reduce this by at least 30% by removing myself from a Google membership list which I, of course, was not aware of. There were 59 sex sites using them so you can imagine. The remainder come from a very large dating site (not Ashley!! hahaha) who had, either been hacked or a member of staff was selling the membership - I favour the latter.

What is bothering me a little is the large amount coming supposedly from Walmart, Mcafee, Norton, and many more all threatening that my pc has 23
+ viruses and the large trading companies all telling me that I have won something. About 10 have suddenly appeared within the last month.

For paypal - forward to

Posted by:

21 Aug 2022

I agree that just hitting the delete is the best course of action. I figure that I have to many things going on in my life to waste valuable time researching where some scammer email came from although it might be interesting to know, it is not worth the time wasted to find out.

Posted by:

Earl J
08 Sep 2022

Aloha Bob, and our favorite Latin lurker, et al.,
* * *
As always, a great flood of information from you...
I'm especially enthused to try the spam tracker techniques and tools you recommend... it'll be fun!
* * *
I also believe the delete button is the most effective way to go... I've been doing that for years... (grin)
* * *
Keep healthy, keep safe, and keep posting...
* * *

Until that time. . .

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy     RSS/XML

Article information: AskBobRankin -- Here's How to (Maybe) Trace an Email (Posted: 19 Aug 2022)
Copyright © 2005 - Bob Rankin - All Rights Reserved