How To Trace an Email

Category: Email, Spam

Have you ever received an email several days after it was sent? Have you ever gotten an unwanted email with a fake “From” name, and wished you could find out where it came from? Read on to learn about some free tools that can help with both situations...

How to Trace the Source (or Path) of an Email

There are times when it’s useful to trace the path that an email took to get to your inbox. The most common situation is suspected spam, when you want to discover the true source of an email.

Delays in receiving emails can also be diagnosed by tracing the path that emails take to you. But tracing emails on your own can be pretty frustrating.

Every email contains hidden information about the path it took to you, called “header information.” To most people, it looks like gibberish. Here is just a small part of a typical example:

Received: by 110.46.73.35 with SMTP id z62csp234112ita; Wed, 9 Sep 2015 05:10:19 -0700 (PDT)
X-Received: by 10.67.3.3 with SMTP id bs3pad.121.144187; Wed, 09 Sep 2015 05:10:17 -0700 (PDT)
Return-Path: EDDCOQNWXFNNFKD.BNLk9QJHMF3MHBFK.BNL@example.com
From: "Some User" <someuser@example.com>
To: "My Name" <myaddress@mydomain.com>
Message-ID: 60762392-7dbc-50e41ecd8bee@xt2mta1217.xt.local

With the possible exception of the "From" and "To" lines, ordinary mortals struggle to make sense out of email headers like this snippet. Geeks who run email servers or hunt down spammers may get eyestrain looking at raw headers, too. But there are many online tools that parse email headers to make them more legible by humans.

The Email Header Analyzer is a free online tool provided by MX Tools, Inc., a Texas-based firm that primarily serves network administrators and ISPs. Anyone can use the Analyzer, however; just paste a block of header information into the tool’s form and click the “Analyze Header” button.

The results include a bar graph, indicating any delays in the hops that the message took to reach you. It will also show you if any of the mail servers that relayed the message are on a spam blacklist. If the sender's server is on a blacklist, that's a big red flag that the message may be suspicious or malicious.

Wrapping Your Head Around Headers

The Google Apps Toolbox also includes a message header analyzer. Its main purpose is to highlight delays in message relays and pinpoint their possible sources. (Typically, email messages are received within seconds, even if they must travel half-way around the globe.)

Google also provides brief, clear instructions on how to find message headers in Webmail messages, including Gmail, AOL, Yahoo! Mail, Excite Webmail, and Hotmail (now Outlook.com). Instructions for finding headers in desktop clients such as Microsoft Outlook, Apple Mail, Mozilla Thunderbird, and Opera are also given.

Sometimes, just hitting the “Reply” button on a message will paste the full header information as well as the message’s text into a message form. But this “show full headers in replies” option can look pretty messy, so it’s often disabled by default. You may have to find this option in your email app’s settings and enable it when necessary.

Interpreting Email Headers is another Google tutorial, for those who want to read raw email header info. It walks you through each line of a sample header, explaining in plain English what it means.

Identifying a Spammer

If a sender forges the "From" line, you may not be able to find the email address of the actual sender. But analyzing the email headers will show you at least that it WAS forged, and give you an indication where it originated.

For extra credit, you can paste the IP address found on the first "Received" line into the MaxMind GeoIP tool, to learn the approximate geographic location of the sender. (Note that the first "Received" line is the one closest to the bottom of the headers. As a message travels over the Internet, each relay adds its own "Received" line above the existing ones, so the lines stack up and you need to read them in reverse order.)

For example, I got a classic 419 Scam message from a spammer today, showing this: "Received: from User (UnknownHost [197.211.53.1]) by vdt.com …" Sure enough, the MaxMind tool confirmed my suspicion that the sender was in Lagos, Nigeria.
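As an added example (not from the article or from any of the tools it names), here is a small Python script that does by hand what the header analyzers do: it reads a header block, walks the "Received" lines from the bottom up so the hops come out in chronological order, pulls out each relay's IP address and the delay since the previous hop, and picks the first address that is not on a private LAN as the one worth pasting into a GeoIP or blacklist lookup. The header block, hostnames, addresses and timestamps are all constructed for the example.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header block (documentation-range addresses, not a real
# message). Each relay PREPENDS its own Received line, so the top line is the
# last hop and the bottom line is the first hop, the one nearest the sender.
RAW_HEADERS = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
        by mail.mydomain.com with ESMTP id 7Hx9; Wed, 9 Sep 2015 05:10:19 -0700
Received: from mail.sender.example (mail.sender.example [192.0.2.55])
        by relay.example.net with ESMTP; Wed, 9 Sep 2015 05:10:17 -0700
Received: from User (UnknownHost [10.0.0.5])
        by mail.sender.example with SMTP; Wed, 9 Sep 2015 04:50:05 -0700
From: "Some User" <someuser@example.com>
To: "My Name" <myaddress@mydomain.com>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# LAN and loopback ranges: a hop from these is the sender's own network, not
# an address a GeoIP or blacklist lookup can say anything useful about.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def trace_hops(raw):
    """Return hops oldest-first as (sending_ip, timestamp, delay_seconds)."""
    received = message_from_string(raw).get_all("Received", [])
    hops, prev = [], None
    for line in reversed(received):          # bottom of the block = first hop
        match = IP_RE.search(line)
        ip = match.group(1) if match else None
        # The hop's timestamp follows the last ';' of the Received line.
        stamp = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
        delay = 0 if prev is None else int((stamp - prev).total_seconds())
        hops.append((ip, stamp, delay))
        prev = stamp
    return hops

def originating_ip(hops):
    """Address of the first hop that is not an internal LAN/loopback address."""
    for ip, _, _ in hops:
        if ip and not any(ipaddress.ip_address(ip) in net for net in INTERNAL):
            return ip
    return None

if __name__ == "__main__":
    for ip, stamp, delay in trace_hops(RAW_HEADERS):
        print(f"{stamp:%H:%M:%S}  +{delay:5d}s  from {ip}")
    print("originating IP:", originating_ip(trace_hops(RAW_HEADERS)))
```

In the sample, the 20-minute gap between the first two hops is the kind of delay the bar graph in the analyzers would flag, and the 10.0.0.5 hop is skipped because a private address says nothing about where the message came from.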

If you think a message is from a spammer or a scammer, don't reply to it. You'll only be confirming to the bad guys that your address is valid, and possibly embroiling yourself in a heap of trouble. You can forward unwanted email(s) to the FTC at spam@uce.gov. Personally, I find it more satisfying to just hit the DELETE button and move on with my life.

Your thoughts on this topic are welcome. Post your comment or question below...

This article was posted by on 24 Sep 2015



Most recent comments on "How To Trace an Email"


Posted by:

Jay R
24 Sep 2015

Your email comes just after I emptied my junk mail folder. Therefore, I put your IP address into the blacklist box and you were as clean as a whistle.

As always, thank you for the great job of making sense out of chaos.

The Old Man and the Moon


Posted by:

Rob
24 Sep 2015

Indeed, delete and move on. However, if your email client keeps a blocked senders list (MS OUTLOOK does) add the offender to that before deleting the message. At least you will not see another message from that specific address. Yes, the spammers use many addresses. Block those too. :-)


Posted by:

Howie Watkins
24 Sep 2015

When you trace the originating mail server that sent you SPAM you often find that it is an innocent party who has been hacked.


Posted by:

Doc
24 Sep 2015

As a former teacher who was still of the 'old school' which believed that Teaching was a full time profession during the school year and most of the summer, every student had every e-mail I could be reached at, (and every phone number) so they could call if they got stuck in or out of my class, I teach and don't draw a lot of lines between subjects.

In Yahoo! just right-click the marked e-mail and look at the last lines (first of the list), generally it will say ISP 'X' does not allow (clients, e-mail) and that is all I need to know since I MIGHT know a Birdie Warbler, or a blue-cap Bill who's trying to get a hold of me now that I'm retired. And, if still in doubt, just run down to the bottom (top) of list and see who the 'reply to' is. If it SAYS it's from "Your Best Student from 1992 and I just wanted to say thanks or have a question" and the bottom says REPLY TO 'Your worst Nightmare from 1987' a simple click makes it go away.

I'm going to try the programs, but 95% of the time just right-clicking the checked e-mail in Yahoo will give you all you need to know - and sadly it's generally from 'your worst nightmare from hell'. Unless you really DO have a minister who is being held for ransom in Niger ('One Country too Far'). He still can't send from an ISP that won't let him.

If they REALLY want you, MOST students (old friends) will remember to put in subject line that will make you remember them: "In October when I turned you into the dean for witchcraft, I was wrong." or some such thing; "I never showed up for class and turned you into HR for harassment because you failed me and now I need letter for grad school and you are the only one who can save me" are also common themes.


Posted by:

Linda Anne Quinlan Gasper
24 Sep 2015

Once again, Bob, a great article. I use "NirSoft IPNETINFO". It is a great tool and you download it to your computer, paste the mime header into it and it gives you everything you could possibly want to know! I've done a lot of traces for Microsoft Outlook.com/hotmail.com as well as several where in the address mime header, there is a message they are tracking for SPAM/PHISHING abuse. Yes, it takes time, but some of these scams out there have gotten really sophisticated, including authentic pictures of logos. If you trace the whole message, there are often lots of goodies hidden in the "View Source" of the picture. If we all took the time, we could really help to cut down on the vast amounts of spam, phishing, and scams out there, making the Internet a much safer place to travel!
LindaSView


Posted by:

IanG
24 Sep 2015

Thanks Bob. More great information and help with daily conundrums.

I have wasted much time over the years trying to make sense of those headers - knowing that the answer lay 'somewhere' within what I was looking at.


Posted by:

Sheri
25 Sep 2015

I tried the MX Tools email header analyser and the Google Toolbox header analyser, and I had to use Ctrl+V to paste the header into the MX Tools one :-(

But IPTracker at http://www.iptrackeronline.com/email-header-analysis.php, which was recommended by JonK, gives much clearer info, including the country of origin :-) So I will use that in future. Thanks JonK :-)


Posted by:

David
25 Sep 2015

I've been using SpamCop (www.spamcop.net) for years. If you want to you can send a notice of spam to the ISP.


Posted by:

OldNana
25 Sep 2015

Excellent article, as always. Thanks for this. I was having trouble with finding the headers in MS Outlook (they change stuff just often enough to keep us all confused). I found right-clicking the UNopened message and choosing "Message Options" will show Internet headers at the bottom of the window. (After all .. who wants to open it to find a header when we're trying to see if it's safe to open in the first place?) I'll be sure to use the Email Header Analyzer soon.


Posted by:

James Ware
25 Sep 2015

Your article is very informative. However, something came up today regarding email that I thought was impossible.
On Oct 23rd a friend sent me an email with the following header information:

From: C1les
To: James Ware
Sent: Wednesday, September 23, 2015 7:25 PM
Subject: Day

Today, Oct 24th she asked me why I did not respond to some of the content of the email. I never got the email.
I checked all of my gmail email files and have mail from her before the 7:25 p.m. sent time but not that email.
I couldn't believe an email could be lost in cyberspace so had her resend it from her sent mail file so I could see that it had been sent, and when. All the information is in the lines I included above.
Has anybody heard of this happening before?
Is there a way to trace your sent email to the delivery point?
Hope this fits the requirement for the current subject.
Thanks for any information.
James


Posted by:

olamoree
25 Sep 2015

I get emails to me that show that I sent them to myself. Analysis shows that they were able to put in my address instead of their own. Usually dubious offers from suspicious locations. It does NOT mean that they have hacked my email account.


Posted by:

Ryan James
25 Sep 2015

I may be missing something, but I have never received an email with "hidden information about the path it took to you, called 'header information'".

If it is hidden, where do you find it? You did not point this out.

Not one of the hundreds of e-mails I received in the last two days have this information. HELP!


Posted by:

Tony D
26 Sep 2015

If I'm curious about an email I receive in Outlook, I drag it, unopened, to my desktop, rename the suffix to .txt & open it in Notepad. Granted I won't see anything but text, but usually I can determine if it's legit or not. But I'm looking forward to trying out the Email Header Analyzer and the other suggestions in the previous comments.


Posted by:

Ken Gash
27 Sep 2015

I have been using a Thunderbird add-on called MailHops 1.0.3. It places a couple of radio buttons at the bottom of the standard header. If you click on Hops, you get a list of all the hops the email took. Even more informative is the button called Map which provides a graphic representation of paths on a map to show the complete route of the message. One recent junk mail started in Vietnam, went to a private location in Siberia, then to Alaska, then to Kansas City, then to me.
It works well and is always there to use on any email with just a click.


Posted by:

Mac 'n' Cheese
27 Sep 2015

Hi, Ryan James,

You asked about hidden header information. Information about how to find it was hidden in plain sight in Bob's article:

Google also provides brief, clear instructions on how to find message headers in Webmail messages, including Gmail, AOL, Yahoo! Mail, Excite Webmail, and Hotmail (now Outlook.com). Instructions for finding headers in desktop clients such as Microsoft Outlook, Apple Mail, Mozilla Thunderbird, and Opera are also given.

There's a link in that sentence (in the actual article, not in this comment) that will take you to https://support.google.com/mail/answer/22454.

HTH! ["Hope That Helps!"]

Mac


Posted by:

bb
30 Sep 2015

And here's another tracer: http://whatismyipaddress.com/trace-email

Includes instructions for getting the headers on common mail providers. Gives a nice map where it detected the email was from. I like it because the url is easy to remember.

And it must be said that these traces are not always accurate - sending email using our Satellite ISP put us in Kansas when in reality we are 2,000 miles away from that.


Posted by:

Wayne K.
02 Oct 2015

My problem: the hacker has cloned my address, how do you get this fixed?? So far, sending the mail to the abuse@ address hasn't helped yet.

EDITOR'S NOTE: Cloned your address? What does that mean?


Posted by:

Aryeh Zelasko
07 Oct 2015

ipTRACKERonline : Complete email header analysis. Analyse email headers here
http://www.iptrackeronline.com/header.php

Another tracing service.


Posted by:

Craig Stadler
04 Jan 2016

Try an email search engine like http://www.the-email-archive.com; this will allow you to search where the email has been used in the past on websites and documents as well.


Posted by:

AUDIOMIND
05 Jan 2016

What is the point of tracking the source of the email if you cannot or don't plan to do anything about it?



Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- How To Trace an Email (Posted: 24 Sep 2015)
Source: https://askbobrankin.com/how_to_trace_an_email.html