Here's How To Trace an Email

Category: Email

Have you ever gotten an email several days after it was sent? Have you ever gotten an unwanted email with a fake “From” name, and wished you could find out where it came from? Read on to learn about some free tools that can help with both situations...

How to Trace the Source (or Path) of an Email

There are times when it’s useful to trace the path that an email took to get to your inbox. The most common situation is suspected spam, when you want to discover the true source of an email.

Delays in receiving emails can also be diagnosed by tracing the path that emails take to you. But tracing emails on your own can be pretty frustrating.

Every email contains hidden information about the path it took to you, called “header information.” To most people, it looks like gibberish. Here is just a small part of a typical example:

Received: by 110.46.73.35 with SMTP id z62csp234112ita; Wed, 9 Sep 2015 05:10:19 -0700 (PDT)
X-Received: by 10.67.3.3 with SMTP id bs3pad.121.144187; Wed, 09 Sep 2015 05:10:17 -0700 (PDT)
Return-Path: <EDDCOQNWXFNNFKD.BNLk9QJHMF3MHBFK.BNL@example.com>
From: "Some User" <someuser@example.com>
To: "My Name" <myaddress@mydomain.com>
Message-ID: <60762392-7dbc-50e41ecd8bee@xt2mta1217.xt.local>

How to Trace Emails

With the possible exception of the "From" and "To" lines, ordinary mortals struggle to make sense out of email headers like this snippet. Geeks who run email servers or hunt down spammers may get eyestrain looking at raw headers, too. But there are many online tools that parse email headers to make them more legible to humans.

The Email Header Analyzer is a free online tool provided by MX Tools, Inc., a Texas-based firm that primarily serves network administrators and ISPs. Anyone can use the Analyzer, however; just paste a block of header information into the tool’s form and click the “Analyze Header” button.

The results include a bar graph, indicating any delays in the hops that the message took to reach you. It will also show you if any of the mail servers that relayed the message are on a spam blacklist. If the sender's server is on a blacklist, that's a big red flag that the message may be suspicious or malicious.

Wrapping Your Head Around Headers

The Google Apps Toolbox also includes a message header analyzer. Its main purpose is to highlight delays in message relays and pinpoint their possible sources. (Typically, email messages are received within seconds, even if they must travel halfway around the globe.)

Google also provides brief, clear instructions on how to find message headers in Webmail messages, including Gmail, AOL, Yahoo! Mail, Excite Webmail, and Hotmail (now Outlook.com). Instructions for finding headers in desktop clients such as Microsoft Outlook, Apple Mail, Mozilla Thunderbird, and Opera are also given.

IPTracker is an email header tool that's more suited for non-techie users. In addition to showing the IP address of the sender, it also shows the name of the sender's Internet service provider, and the city and country of origin on a map.

Interpreting Email Headers is another Google tutorial, for those who want to read raw email header info. It walks you through each line of a sample header, explaining in plain English what it means.

Identifying a Spammer

If a sender forges the "From" line, you may not be able to find the email address of the actual sender. But analyzing the email headers will show you at least that it WAS forged, and give you an indication of where it originated.

It's also important to keep in mind that a lot of spammy emails are sent from computers that are compromised by malware. So don't assume that the person in the From: line of an email has any knowledge of having sent it.

For extra credit, you can paste the IP address found on the first "Received" line into the MaxMind GeoIP tool, to learn the approximate geographic location of the sender. (Note that the first "Received" line is the one closest to the bottom of the headers. Each mail server that handles the message adds its own "Received" line above the existing ones, so the lines stack up as the message travels over the Internet and you need to read them in reverse order.)

For example, I got a classic 419 Scam message from a spammer today, showing this: "Received: from User (UnknownHost [197.211.53.1]) by vdt.com …" Sure enough, the MaxMind tool confirmed my suspicion that the sender was in Lagos, Nigeria.
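As an added example (not from the article and not code from any of the tools it names), here is a small Python script that does by hand what the header analyzers above do: it reads the "Received" lines bottom-up, pulls the bracketed IP address and timestamp out of each, reports the originating IP, and computes the delay at each hop. The header block is constructed for the example; only the top "Received" line and the From/To lines are taken from the article's sample, and the other hostnames and addresses are placeholders.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header block (documentation-range IPs, made-up hosts).
# The two lower Received lines were added to show a three-hop chain.
RAW_HEADERS = """\
Received: by 110.46.73.35 with SMTP id z62csp234112ita;
 Wed, 9 Sep 2015 05:10:19 -0700 (PDT)
Received: from mx2.example.net (mx2.example.net [203.0.113.7])
 by 110.46.73.35 with ESMTP id abc123;
 Wed, 9 Sep 2015 05:10:17 -0700 (PDT)
Received: from User (UnknownHost [198.51.100.23])
 by mx2.example.net with SMTP id xyz789;
 Wed, 9 Sep 2015 04:58:02 -0700 (PDT)
From: "Some User" <someuser@example.com>
To: "My Name" <myaddress@mydomain.com>
Subject: constructed sample

"""

# An IPv4 address in square brackets, as relays write it in a Received clause.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Return hops in delivery order (oldest first) as [(ip_or_None, datetime)]."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        # The timestamp is everything after the last ';' of the Received clause.
        stamp = value.rsplit(";", 1)[1].strip()
        match = IP_RE.search(value)
        hops.append((match.group(1) if match else None, parsedate_to_datetime(stamp)))
    # Each relay prepends its own line, so the bottom-most line is the first hop.
    hops.reverse()
    return hops

def originating_ip(hops):
    """IP from the bottom-most Received line. Caveat: a sender can forge lines
    below the one added by your own provider's server, so treat it as a lead."""
    return hops[0][0]

def hop_delays(hops):
    """Seconds between consecutive hops; a negative value means clock skew
    between the two relays rather than a real delay."""
    return [int((hops[i][1] - hops[i - 1][1]).total_seconds()) for i in range(1, len(hops))]

if __name__ == "__main__":
    chain = parse_hops(RAW_HEADERS)
    print("originating IP:", originating_ip(chain))
    for (ip, when), delay in zip(chain[1:], hop_delays(chain)):
        print(f"hop via {ip or 'internal'} at {when.isoformat()}: +{delay}s")
```

The printed delays correspond to the bars in the analyzers' graphs; a hop that held the message for minutes instead of seconds is where a delivery delay happened.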

If you think a message is from a spammer or a scammer, don't reply to it. You'll only be confirming to the bad guys that your address is valid, and possibly embroiling yourself in a heap of trouble. You can forward unwanted emails to the FTC at spam@uce.gov, but I'm not convinced that they do anything with them. Personally, I find it more satisfying to just hit the DELETE button and move on with my life.

Your thoughts on this topic are welcome. Post your comment or question below...

This article was posted by on 30 Oct 2017
Most recent comments on "Here's How To Trace an Email"

Posted by:

Mark
30 Oct 2017

The article I have been waiting for. I get enough of these at work that I've had to institute new policies for all staff. Can't wait until true "filters" move most of these to the trash can.


Posted by:

Bill
30 Oct 2017

If you determine that the original server is a bona fide ISP or entity, and the sender is using it to do his dirty work, you can often forward the suspect message, with headers exposed, to abuse@[entity-name] and they will disable the sender's account. I've gotten a fair bit of satisfaction from doing that.


Posted by:

Bob K
30 Oct 2017

Maybe it's my imagination, but I have had (I think) darn good luck in forwarding the SPAM I receive to the FTC at spam@uce.gov. You do have to be careful that the headers of the forwarded email are included. In Thunderbird, I set the "View/Headers" to "All".


Posted by:

Bob K
30 Oct 2017

For Bill: I had taken that route (forwarding to the ISP's abuse people), but found I was really only chasing the spammers from one ISP to another.


Posted by:

RandiO
30 Oct 2017

No, Mr. Rankin, I never knew but I shall remember!
RE: "Did you know...? Bob Rankin also operates FlowersFast.com, the popular online florist. AskBob readers save 15% ..."


Posted by:

bb
30 Oct 2017

My favorite tracer is 'whatismyipaddress.com'. Click on the 'trace email' tab to paste the headers from an unknown email. It then shows the city/country of the originator.

A really good hacker can spoof that information, but spammers don't care. They are looking for the low hanging fruit. Don't be a 'low hanging fruit' and respond to spam emails.

(There must be a good joke in there somewhere - but I can't think of one!)


Posted by:

Glen
30 Oct 2017

I agree with you all. Back in the day they could run down a phone # of some annoying call but can't find and stop someone sending raw smut about women and johnson's.


Posted by:

Andy P
31 Oct 2017

If I get a spam/phishing email I send the raw header to them and ask/tell them to investigate it. Usually, I get an email back stating they will look into it. Others I just delete.


Posted by:

Wayne
31 Oct 2017

In the last several months, sometimes, when I try to block certain junk emails my outlook.com email service comes back showing my email address as the sending address and says that I can't block it.

Any idea how to get around this failure to block problem that a few junk emailers now annoyingly use?


Posted by:

Jimbo
31 Oct 2017

Borrrrrr-ing.


Posted by:

Pablo
31 Oct 2017

NOT...Borrrrr-g


Posted by:

SharonH
31 Oct 2017

Very timely article. I used to be able to trace these irritating emails using WHOIS, ARIN etc. But I now have a problem. Since Comcast has revamped their email system, there is no way I can obtain headers or footers. Before, all I needed to do was right-click on the email and all the info would show up. Now that function is gone and I do not want to open unknown/suspicious emails to see if it's possible to obtain the needed information.

At the very least, I learned to just hover my cursor over the suspect email and one can usually see the sender's REAL email address. Germany seems to be a big source of many of them at present. I'm referring to amateur spammers, not the big guys who can really change everything to fool almost everyone.


Article information: AskBobRankin -- Here's How To Trace an Email (Posted: 30 Oct 2017)
Source: https://askbobrankin.com/heres_how_to_trace_an_email.html
Copyright © 2005 - Bob Rankin - All Rights Reserved