Tools To Trace an Email
Have you ever received an email several days after it was sent? Have you ever gotten an unwanted email with a fake “From” name, and wished you could find out where it came from? Read on to learn about some free tools that can help with both situations...
How to Trace the Source (or Path) of an Email
There are times when it’s useful to trace the path that an email took to get to your inbox. The most common situation is suspected spam, when you want to discover the true source of an email.
Delays in receiving emails can also be diagnosed by tracing the path that emails take to you. But tracing emails on your own can be pretty frustrating.
Every email contains hidden information about the path it took to you, called “header information.” To most people, it looks like gibberish. Here is just a small part of a typical example:
X-Received: by 10.67.3.3 with SMTP id bs3pad.121.144187; Wed, 09 Sep 2015 05:10:17 -0700 (PDT)
Return-Path: EDDCOQNWXFNNFKD.BNLk9QJHMF3MHBFK.BNL@example.com
From: "Some User" <someuser@example.com>
To: "My Name" <myaddress@mydomain.com>
Message-ID: 60762392-7dbc-50e41ecd8bee@xt2mta1217.xt.local
With the possible exception of the "From" and "To" lines, ordinary mortals struggle to make sense out of email headers like this snippet. Geeks who run email servers or hunt down spammers may get eyestrain looking at raw headers, too. But there are many online tools that parse email headers to make them more legible by humans.
The Email Header Analyzer is a free online tool provided by MX Tools, Inc., a Texas-based firm that primarily serves network administrators and ISPs. Anyone can use the Analyzer, however; just paste a block of header information into the tool’s form and click the “Analyze Header” button.
The results include a bar graph, indicating any delays in the hops that the message took to reach you. It will also show you if any of the mail servers that relayed the message are on a spam blacklist. If the sender's server is on a blacklist, that's a big red flag that the message may be suspicious or malicious.
Wrapping Your Head Around Headers
The Google Apps Toolbox also includes a message header analyzer. Its main purpose is to highlight delays in message relays and pinpoint their possible sources. (Typically, email messages are received within seconds, even if they must travel half-way around the globe.)
Google also provides brief, clear instructions on how to find message headers in Webmail messages, including Gmail, AOL, Yahoo! Mail, Excite Webmail, and Hotmail (now Outlook.com). Instructions for finding headers in desktop clients such as Microsoft Outlook, Apple Mail, Mozilla Thunderbird, and Opera are also given.
Sometimes, just hitting the “Reply” button on a message will paste the full header information as well as the message’s text into a message form. But this “show full headers in replies” option can look pretty messy, so it’s often disabled by default. You may have to find this option in your email app’s settings and enable it when necessary.
Interpreting Email Headers is another Google tutorial, for those who want to read raw email header info. It walks you through each line of a sample header, explaining in plain English what it means.
Identifying a Spammer
If a sender forges the "From" line, you may not be able to find the email address of the actual sender. But analyzing the email headers will show you at least that it WAS forged, and give you an indication where it originated.
For extra credit, you can paste the IP address found on the first "Received" line into the MaxMind GeoIP tool, to learn the approximate geographic location of the sender. (Note that the first "Received" line is the one closest to the bottom of the headers. As messages travel over the Internet, each relay adds its own "Received" line on top, so you need to read them in reverse order.)
For example, I got a classic 419 Scam message from a spammer today, showing this: "Received: from User (UnknownHost [197.211.53.1]) by vdt.com …" Sure enough, the MaxMind tool confirmed my suspicion that the sender was in Lagos, Nigeria.
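The two things the header analyzers above do for you, ordering the "Received" lines oldest-first and measuring the delay at each hop, take only a few lines of code once you know that every relay prepends its own "Received" line. The script below is an added example written for this article, not code from MxToolbox, Google or MailHops; it uses only Python's standard library, and the message it parses is a constructed sample using documentation IP ranges (192.0.2.x, 198.51.100.x, 203.0.113.x), not a real capture. One caveat the analyzers also share: a sender can forge any "Received" lines below the one your own (or another trusted) mail server added, so the IP on the bottom-most line is a lead to check with GeoIP or WHOIS, not proof of origin.

```python
"""Walk the Received: chain of an email: hops oldest-first, per-hop delay, apparent origin.

Added example for the article above; standard library only. The sample message is
constructed (documentation IP ranges), not a real capture.
"""
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample: three relays, with a 12-minute stall at relay.example.org.
SAMPLE_RAW = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.7])
        by mail.mydomain.com with ESMTPS id abc123;
        Wed, 09 Sep 2015 05:10:17 -0700 (PDT)
Received: from relay.example.org (relay.example.org [198.51.100.20])
        by mx2.example.net with ESMTP id xyz789;
        Wed, 09 Sep 2015 05:10:12 -0700 (PDT)
Received: from User (UnknownHost [192.0.2.99])
        by relay.example.org with SMTP id q1w2e3;
        Wed, 09 Sep 2015 04:58:12 -0700 (PDT)
From: "Some User" <someuser@example.com>
To: "My Name" <myaddress@mydomain.com>
Subject: constructed sample
Date: Wed, 09 Sep 2015 04:58:00 -0700

Hello.
"""

# "from <helo> (<comment>) by <relay> ..." -- the comment normally holds the peer's IP in brackets.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.I | re.S,
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def parse_received(raw):
    """Return hops oldest-first as dicts with keys helo, ip, by, timestamp."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    # Each relay PREPENDS its Received: line, so the bottom-most header is the
    # first hop; iterating the list in reverse yields chronological order.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold and normalise whitespace
        clause, sep, date_part = text.rpartition(";")
        if not sep:  # no timestamp on this line
            clause, date_part = text, ""
        m = HOP_RE.match(clause)
        ip_m = IP_RE.search(m.group("comment") or "") if m else None
        ts = None
        if date_part.strip():
            try:
                # drop the "(PDT)"-style comment before parsing the RFC 5322 date
                ts = parsedate_to_datetime(re.sub(r"\([^)]*\)", "", date_part).strip())
            except (TypeError, ValueError):
                ts = None
        hops.append({
            "helo": m.group("helo") if m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": m.group("by") if m else None,
            "timestamp": ts,
        })
    return hops


def hop_delays(hops):
    """Seconds spent between consecutive relays (the analyzers' bar graph).
    A negative value means the two relays' clocks disagree, not time travel."""
    delays = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["timestamp"] and cur["timestamp"]:
            delays.append(int((cur["timestamp"] - prev["timestamp"]).total_seconds()))
        else:
            delays.append(None)
    return delays


def origin_ip(hops):
    """IP on the first (bottom-most) Received: line, the one to feed to GeoIP/WHOIS.
    Lines below the one added by your own or a trusted relay can be forged by the
    sender, so treat this as a lead rather than proof."""
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_RAW)
    for i, h in enumerate(hops, 1):
        print(f"hop {i}: {h['helo']} [{h['ip']}] -> {h['by']} at {h['timestamp']}")
    print("delays (s):", hop_delays(hops))
    print("apparent origin:", origin_ip(hops))
```

Run against the sample, the output shows the 720-second stall between relay.example.org and mx2.example.net, which is exactly the kind of hop the analyzers highlight, and names 192.0.2.99 as the apparent origin. To use it on a real message, save the message with full headers (see the instructions above for your mail client) and pass the file's contents to parse_received().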
If you think a message is from a spammer or a scammer, don't reply to it. You'll only be confirming to the bad guys that your address is valid, and possibly embroiling yourself in a heap of trouble. You can forward unwanted email(s) to the FTC at spam@uce.gov. Personally, I find it more satisfying to just hit the DELETE button and move on with my life.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 2 Aug 2016
Article information: AskBobRankin -- Tools To Trace an Email (Posted: 2 Aug 2016)
Source: https://askbobrankin.com/tools_to_trace_an_email.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Tools To Trace an Email"
Posted by:
HA
02 Aug 2016
Bob doesn't put the ads there. They are not recommended by him.
Posted by:
SharonH
02 Aug 2016
I am always interested in some of the weird emails I receive. WHOIS (I see Bob K mentions it above) and ARIN are also some tools to help trace the message. I forget how I did it, but a few years ago I was able, after quite some work, to find out the city in China where the bogus email came from. Wish I could remember what I did!
My curiousness always gets the better of me.
Posted by:
Alex
02 Aug 2016
I started receiving this type of email after applying for Canada Pension Plan. Now retired I don't have the assets to hunt these parasites down.
Posted by:
Stuart Berg
02 Aug 2016
Two comments:
1. I found that
http://www.iptrackeronline.com/email-header-analysis.php
gets better reviews than MXToolbox.
2. I forward all my Spam to Knujon where they go after the spammers in every way possible.
http://www.knujon.com/
Posted by:
Warren Ngo
02 Aug 2016
Hi Bob, for what it's worth, and as an exercise, I used Email Header Analyzer to check up on your email header. I'm not technically savvy on the information provided, but did notice that one entry on a "From" line, smtp-coi-g04-011.aweber.com was tagged as BlackList.
Posted by:
Top Squirrel
02 Aug 2016
You say not to reply to any spam, even to ask them to delete your name, because that will show them you are a valid address.
I once started to get a whole lot of email with the from line having weird-sounding names, promising sex dates and such. A dozen or more a day, same apparent source. They always had a message that says if you do not want to receive our emails, please let us know and we'll stop it.
I thought, what the hell, they already know my email is valid as the emails do not get bounced back. So I asked them to delete me.
Believe it or not, they did. Never heard from them again.
Some things work.
By the way, what happens if you try to take them up on it? Do they try to sell you sex pics? Do you get trapped on a botnet? Sex with 72 virgins? I guess I'll never find out.
Posted by:
Art F
02 Aug 2016
Some replies imply that it can be dangerous to even open a suspect email. Is this true? I thought the thing to avoid was clicking on a link contained in such an email, or opening an attachment. Can simply opening an email cause any problems?
Posted by:
Smoky Lowe
02 Aug 2016
I use a program called Mail Washer. It lets me see the headers; also I can read the body of the mail, as it doesn't download from my server until I process the mail. I then can bounce it from my server. I very seldom receive more than two before it stops. Thanks for all the good advice I have received from you.
Posted by:
Paul
02 Aug 2016
I use Spamcop to report spam emails to the necessary abuse contacts.
Posted by:
olamoree
02 Aug 2016
Good information... and very good responses and suggested sites. I get some 50 to 100 spams a day as I have had a gmail account for over 10 years with the same address. Gmail does very well at sorting them into the Spam Folder. What I would like to know is HOW you can trace an email that you SEND. I have a couple people that always say, "But your mail never arrived", yet, it is NOT bounced or returned as undeliverable. I suspect that the people really got the mail but are ducking the responsibility. How can I trace email that I send and doesn't bounce back to me?
Posted by:
Howard L
02 Aug 2016
Don't forget one spam that aims at your heart: A relative or friend sends you a desperate email saying that he or she has been (1) wrongly thrown in jail, (2) robbed of his/her money, etc., and always needs a loan, which you should send to a temporary email address. Grandparents don't always know their grandchildren's whereabouts yet feel responsible for them, thus are ideal targets.
Moral: Before transferring a dime, check the sender by phone. Chances are the person's still in the U.S. and has an email account that's been hacked.
Posted by:
Roger M
02 Aug 2016
Good information Bob; generated a lot of good information for novices.
Posted by:
Old Man
03 Aug 2016
Re: Bob K
I don't know what e-mail client you use, but Ctrl+U brings up the page source code rather than that for the e-mail in at least two clients. I get the header by right-clicking the subject line and selecting to view the source code.
Re: Art
So far just opening a plain text message has been safe. However, most are in HTML format and could contain extra code that transmits to an unsavory source - leading to more SPAM or even downloading malware.
Posted by:
Ken Gash
03 Aug 2016
I have found a very useful add-on for Thunderbird called MailHops 1.0.12 by Andrew Van Tassel. It will list each of the hops taken and it will show a map of the path and distance travelled of the message. So if I get a message from Uncle Lou asking me to click on a url I will enjoy and I see the message originated in Lithuania, I can safely delete it.
Posted by:
Dave Fox
03 Aug 2016
Hi Bob, good article as always. I can use your help. I use outlook.com as my e-mail program. Lately I have been getting some e-mails that, when I go to block them, my e-mail address shows up instead of the person who sent the e-mail. In other words, to me from me. I sent a copy to the FTC as you recommended. It's not private mail, it's some sort of scam as usual. I have been deleting them, as I'm afraid to open them. Any comments would be appreciated!
Posted by:
Bob K
03 Aug 2016
Re: Old Man
On the CTRL-U -- I guess I should have explained it a little better. You are right in that it brings up the source page for whatever you are viewing (maybe).
I use Thunderbird for an email client. With that, if you have an email open, it shows the source. Also, if you just highlight one entry in the inbox, without opening it, it will show the source of that email.
If you are using a web-based email client, many of them have the ability to show source also, or at least all the headers.
Re: Olamoree
On the lost emails you send -- many ISPs check outbound emails for what they consider malware, or whatever, and silently drop it. Example: I receive an email that is supposed to be from my bank but isn't, and I want to forward it to the security people at my bank. Never gets to them!
I always do a BCC: back to myself on every email I send. Sometimes my ISP was eating things for no reasonable reason. My outbound email no longer goes thru my ISP. The Gmail servers seem to work fine for me, there are probably others out there that are also just as good.
Posted by:
Daniel Castellanos
03 Aug 2016
I use this in Mozilla Thunderbird:
MailHops maps the route an email traveled to get to you. Using GeoIP it also displays distance traveled along with the location (city, state and country) of the sender. Using the MailHops API from https://www.MailHops.com this add-on will show the location of the sender. From there you can click on the location and view a map of the IP hops that a message took to get to your inbox. Distance is also calculated to give you the miles or kilometers that a message traveled. It will also show the sender's weather if you add a Forecast.io API key. It also shows the user agent, DKIM and other authentication used by the sender.
Fork this add-on on github, https://github.com/avantassel/mailhops-plugin
Posted by:
Bob Pegram
03 Aug 2016
This illustrates that a lot of what computer trouble-shooters do is not very complicated. The "how to" is just information most people don't realize is easily available if they look using their browser's search function.
Posted by:
Gary H
04 Aug 2016
Unfortunately none of this works in iOS. No app that I can find. Browser sites don't work properly for this either.
Is there a way to view headers in iOS?
Posted by:
alan
12 Dec 2016
Attn: Loan Offer Apply Now
I am Alan Smith,a Private Money Lender and a corporate financial for real estate and any kinds of business financing. I also offer Loans to individuals,Firms and corporate bodies at 3% interest rate per annual and 3% interest rate monthly base,loan terms determinant
INFORMATION NEEDED ARE:
Full Name: Location: Age: Sex: Country: Contact Phone numbers: Amount Needed/Duration: email: alansmith.smith61@gmail.com
Alan Smith