Trace an Email? Here's how...
Have you ever received an unwanted, spammy email with a fake “From” name, and wished you could find out where it actually came from? Have you ever gotten an email several days after it was sent? Read on to learn about some free tools that can help with both situations...
Who Really Sent That Email?
There are times when it’s useful to trace the path that an email took to get to your inbox. The most common situation is suspected spam, when you want to discover the true source of an email.
Delays in receiving emails can also be diagnosed by tracing the path that emails take to you. But tracing emails on your own can be pretty frustrating.
Every email contains hidden information about the path it took to reach you, called “header information.” To most people, it looks like gibberish, which is why it's hidden by your email program. Here is just a small part of a typical example:
X-Received: by 10.67.3.3 with SMTP id bs3pad.121.144187; Mon, 10 Jun 2019 05:10:17 -0700 (PDT)
From: "Some User" <firstname.lastname@example.org>
To: "My Name" <email@example.com>
With the possible exception of the "From" and "To" lines, ordinary mortals struggle to make sense out of email headers like this snippet. Geeks who run email servers or those who hunt down spammers for fun may get eyestrain looking at raw headers, too. But there are many online tools that parse email headers to make them more legible to humans.
The Email Header Analyzer is a free online tool provided by MX Tools, Inc., a Texas-based firm that primarily serves network administrators and ISPs. Anyone can use the Analyzer, however; just paste a block of header information into the tool’s form and click the “Analyze Header” button.
The results include a bar graph, indicating any delays in the hops that the message took to reach you. It will also show you if any of the mail servers that relayed the message are on a spam blacklist. If the sender's server is on a blacklist, that's a big red flag that the message may be suspicious or malicious.
Wrapping Your Head Around Headers
But where do you find those hidden headers? Google provides brief, clear instructions on how to find message headers in Webmail messages, including Gmail, AOL, Yahoo! Mail, Excite Webmail, and Hotmail (now Outlook.com). Instructions for finding headers in desktop clients such as Microsoft Outlook, Apple Mail, Mozilla Thunderbird, and Opera are also given.
The Google Apps Toolbox also includes a message header analyzer. Its main purpose is to highlight delays in message relays and pinpoint their possible sources. (Typically, email messages are received within seconds, even if they must travel half-way around the globe.)
IPTracker is an email header tool that's more suited for non-techie users. In addition to showing the IP address of the sender, it also shows the name of the sender's Internet service provider, and the city and country of origin on a map.
Interpreting Email Headers is another Google tutorial, for those who want to read raw email header info. It walks you through each line of a sample header, explaining in plain English what it means.
Identifying a Spammer
If a sender forges the "From" line, you may not be able to find the email address of the actual sender. But analyzing the email headers will show you at least that it WAS forged, and give you an indication of where it originated.
It's also important to keep in mind that a lot of spammy emails are sent from computers that are compromised by malware. So don't assume that the person in the From: line of an email has any knowledge of having sent it.
For extra credit, you can paste the IP address found on the first "Received" line into the MaxMind GeoIP tool, to learn the approximate geographic location of the sender. (Note that the first "Received" line is the one closest to the bottom of the headers. As messages travel over the Internet, the header lines stack up, so you need to read them in reverse order.)
For example, I got a classic 419 Scam message from a spammer today, showing this: "Received: from User (UnknownHost [126.96.36.199]) by vdt.com …" Sure enough, the MaxMind tool confirmed my suspicion that the sender was in Lagos, Nigeria.
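As an added example (not from the article, and not code from any of the header tools it mentions), here is a small Python script that does the core of what those analyzers do: it reads the "Received" lines from the bottom up, pulls the bracketed IP address, the relaying server and the timestamp out of each hop, and reports the delay between hops so that a slow relay stands out. The header block it parses is constructed for the demonstration, and the host names, addresses and the list of trusted servers are assumptions. It also adds the check a practitioner wants when hunting a spammer: a sender can put fake "Received" lines of their own underneath the real ones, so the earliest hop you can actually rely on is the one recorded by a server you trust, such as your own provider's.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (not a real message). Newest "Received" line is on
# top, exactly as a mail client shows them; the bottom line is the first hop.
SAMPLE_HEADERS = """\
Received: from mx.example.com (mx.example.com [203.0.113.10])
    by mail.example.com with ESMTPS id q7si12345; Mon, 10 Jun 2019 05:10:17 -0700 (PDT)
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.example.com with ESMTP id x9; Mon, 10 Jun 2019 05:10:15 -0700 (PDT)
Received: from User (UnknownHost [192.0.2.45])
    by relay.example.net with SMTP id a1; Mon, 10 Jun 2019 04:40:12 -0700 (PDT)
From: "Some User" <firstname.lastname@example.org>
To: "My Name" <email@example.com>
Subject: constructed sample

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
FROM_RE = re.compile(r"^from\s+(\S+)")                  # host the hop came from
BY_RE = re.compile(r"\bby\s+(\S+)")                     # server that recorded the hop


def parse_received(value):
    """Split one Received header into from-host, IP, by-host and timestamp."""
    text = " ".join(value.split())          # unfold continuation lines
    if ";" in text:
        clause, date_part = text.rsplit(";", 1)   # date follows the last ';'
    else:
        clause, date_part = text, ""
    date_part = re.sub(r"\s*\(.*?\)\s*$", "", date_part.strip())  # drop "(PDT)"
    try:
        stamp = parsedate_to_datetime(date_part) if date_part else None
    except (ValueError, TypeError):
        stamp = None
    from_host, by_host, ip = FROM_RE.search(clause), BY_RE.search(clause), IP_RE.search(clause)
    return {
        "from_host": from_host.group(1) if from_host else None,
        "ip": ip.group(1) if ip else None,
        "by_host": by_host.group(1) if by_host else None,
        "timestamp": stamp,
    }


def trace_hops(raw_headers):
    """Return the hops in delivery order (origin first), each with its delay in seconds."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    hops = [parse_received(v) for v in reversed(received)]   # bottom line = first hop
    previous = None
    for hop in hops:
        if previous and hop["timestamp"] and previous["timestamp"]:
            hop["delay_seconds"] = (hop["timestamp"] - previous["timestamp"]).total_seconds()
        else:
            hop["delay_seconds"] = None
        previous = hop
    return hops


def originating_ip(raw_headers):
    """IP on the bottom-most Received line: where the message claims to have started."""
    hops = trace_hops(raw_headers)
    return hops[0]["ip"] if hops else None


def first_trusted_hop(hops, trusted_by_hosts):
    """Earliest hop recorded by a server you trust (assumed list). Lines below it
    could have been written by the sender, so this hop's IP is the reliable origin."""
    for hop in hops:
        if hop["by_host"] in trusted_by_hosts:
            return hop
    return None


if __name__ == "__main__":
    hops = trace_hops(SAMPLE_HEADERS)
    for n, hop in enumerate(hops, 1):
        print(f"hop {n}: from {hop['from_host']} [{hop['ip']}] by {hop['by_host']} "
              f"delay={hop['delay_seconds']}s")
    trusted = first_trusted_hop(hops, {"mx.example.com", "mail.example.com"})
    print("claimed origin:", originating_ip(SAMPLE_HEADERS))
    print("first trusted hop says it came from:", trusted["ip"] if trusted else None)
```

On the constructed sample the script reports a 30-minute gap at the first relay and a 2-second final hop, which is the kind of pattern the delay bar graph in the analyzers above is meant to make visible. The claimed origin is the address on the bottom line; the trusted-hop check returns the address that mx.example.com itself saw, which is the one worth looking up or reporting.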
If you think a message is from a spammer or a scammer, don't reply to it. You'll only be confirming to the bad guys that your address is valid, and possibly embroiling yourself in a heap of trouble.
If you can determine that the outgoing mail server is an internet service provider, you can forward the suspect message, with full headers exposed, to abuse@[isp-name].com and often they will disable the sender's account. You can also forward unwanted emails to the FTC at firstname.lastname@example.org, but I'm not convinced that they do anything with them. Personally, I find it more satisfying to just hit the DELETE button and move on with my life.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 10 Jun 2019
Copyright © 2005 - Bob Rankin - All Rights Reserved