Answer Geek: How to Trace E-Mail Senders


-- Q U E S T I O N: If you want to find where an e-mail sent to you originated from, meaning the location of the computer used to send it to you, how do you go about doing that? — Una H.

A N S W E R: A good question, indeed, and one to which there is a good answer. Sort of. Embedded in every e-mail message is about half a printed page of mostly-technical routing data in the form of something called e-mail headers. These headers are the equivalent of the footprints an e-mail message has left on its journey over the wires, servers, and routers that constitute the Internet. All that information makes it theoretically possible to trace any e-mail message back to its source.

Great, right?

But there is a problem. Some of those e-mail headers can be forged. And for the most part, the only e-mail senders who would bother to tamper with e-mail headers are precisely the ones whom you might want to track down. When friends or colleagues send you a quick e-mail message, they probably have no reason to muck around in their e-mail programs to falsify information about where the message originated, right?

On the other hand, there’s the shady world of e-mail spammers and scammers who send e-mails with subject lines like the one I received recently: “Meet The Richest People on Earth.” That message promised to put “at least $122,400.00 in [my] pocket Risk-Free within the next 60-90 Days.” Someone like that may well have a reason to cover his (or her) tracks.

A Head Start

In any case, let’s take a look at e-mail headers, starting with the basics. If you call up your e-mail program you’ll probably find the following headers: From, To, Cc, maybe Bcc, Subject, and some information on when the e-mail was created and sent under headings like Date, or Sent and Received. All of these fields are pretty self-explanatory, and if the person in the From header is on the up-and-up, all you really have to do is hit Reply to send the sender a message asking where they sent the message from, and you’re set.

But that’s not really the question you asked, Una, is it?

If you really want to trace an e-mail back to its origins, you need to take a look at the extended e-mail header. How you expose that depends on your e-mail program, but there is a command or a button somewhere that will call up all of the headers for you. (I do it by selecting View and then Options, which calls up a window that includes all of the header information.)

By way of an example, I am using a pretend e-mail message. I have changed a number of parts of the message header below, including the domain name of my e-mail address … “todd@your-friendly-neighborhood-answer-geek.com is not my real e-mail address.” (So please don’t try to send me email at that address, okay?) Here are some fictitious extended headers:

Return-Path:
Received: from mrelay3.postalplace.com ([505.101.352.313]) by answer-geek’s.ISP.com (Post.Haste MTA v2.1.3 release (PH302-214c) ID# 0-38159U2500L250S0) with ESMTP id ABC154 for ; Wed, 31 Jan 2001 17:17:00 -0800
Received: from mrelay3-bc.postalplace.com ([505.101.352.313]) by mrelay3.postalplace.com with Microsoft SMTPSVC(4.5.1974.183.41); Wed, 31 Jan 2001 17:17:15 -0800
From: todd@your-friendly-neighborhood-answer-geek.com (Todd Campbell)
To: todd@your-friendly-neighborhood-answer-geek.com
Subject: Answer Geek (mail)
Return-Path: todd@your-friendly-neighborhood-answer-geek.com
Message-ID: <00dc01517010121MRELAY3@mrelay3.postalplace.com>
Date: 31 Jan 2001 17:17:15 -0800

Okay, so what have we got here? For starters, keep in mind that the purpose of this e-mail example is to give you an idea of how to go about tracing the thread back to the sender; it is not a real e-mail message. So you’ll have to use your own in-box to try this at home. Naturally, you’ll also find slightly different information from e-mail header to e-mail header, depending in part on the e-mail application that was used to generate the message.

From Return-Path to Sender

Let’s start with Return-Path. This is the address that your e-mail program will insert when you hit reply, and it is the address that a mail server sends a message back to when it bounces a piece of undeliverable mail to the sender. Below Return-Path, forget about From and To — both of which contain my e-mail “address” because I sent the message to myself — and Subject and Date; all of that information appears in the basic e-mail header. At the bottom, Return-Path appears again, followed by Message-ID. Every e-mail message gets a unique e-mail ID when it is created. That ID helps your e-mail application and the servers through which your e-mail message passes keep track of the e-mail.

To track down the original source of the message, we need to go back to Received. The Received headers are a list of all of the mail servers that handled the message while it was en route. They are always listed in reverse chronological order, with the most recent one at the top and the oldest one at the bottom. Note that the original Received header (the one at the bottom) says “from mrelay3-bc.postalplace.com ([505.101.352.313]) by mrelay3.postalplace.com.” In this example, “mrelay3-bc.postalplace.com” is the server that generated the e-mail. The string of numbers in brackets is the Internet Protocol or IP address, which is the Internet equivalent of that mail server’s telephone number.

Now we’re getting somewhere. You can go out on the Web to a “whois” search page to find out if the domain name (postalplace.com) or the IP address is registered with any of the organizations that keep track of that sort of thing. Often, the results of a search will include contact information. If I do a “whois” search on that particular IP address, it will probably turn up nothing, as it was a faked address. But if you do a “whois” search on your own example, it should turn up the company that owns the server from which your e-mail message was sent. The second Received header (the one at the top) shows the transfer of the message from the postalplace server to my Internet Service Provider (some of the details have been changed there, too).

Forging Ahead

Before we wrap this up, let’s go back to forgeries. Much of the information in e-mail headers can be forged, including everything from Return-Path to the Message-ID. Received headers can be forged, but only up to a point.

Once an e-mail message is zipping along on the Internet, Received headers are added by the mail servers themselves and are most likely to be authentic. But if someone wanted to hide the true source of the e-mail, it’s not too difficult to add a series of fake headers at the beginning of the Received list (the bottom, where the oldest-looking entries sit) to throw off anyone who wants to track them down.
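As an added worked example (not part of the original column), here is a small Python script that reads the Received headers the way the column describes: top to bottom, trusting each hop only while its “by” server matches the “from” server of the hop above it, and checking whether the bracketed IP is even a possible address. The headers are constructed from the column’s fictitious example plus one extra bottom line of the kind a sender could write in; the name of your own mail server is an assumed parameter.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, not a real message: the column's fictitious hops plus one
# extra bottom Received line a sender could have written in before handing the
# message to the first real relay (505.101.352.313 is the column's fake IP).
RAW_MESSAGE = """\
Received: from mrelay3.postalplace.com ([505.101.352.313]) by answer-geek.ISP.com with ESMTP id ABC154; Wed, 31 Jan 2001 17:17:00 -0800
Received: from mrelay3-bc.postalplace.com ([505.101.352.313]) by mrelay3.postalplace.com with Microsoft SMTPSVC; Wed, 31 Jan 2001 17:17:15 -0800
Received: from mail.example.org ([198.51.100.7]) by relay.example.net with SMTP; Wed, 31 Jan 2001 17:00:00 -0800
From: todd@your-friendly-neighborhood-answer-geek.com (Todd Campbell)
To: todd@your-friendly-neighborhood-answer-geek.com
Subject: Answer Geek (mail)
Message-ID: <00dc01517010121MRELAY3@mrelay3.postalplace.com>

(body)
"""

# The piece of each Received line we need: "from <host> ([<ip>]) by <host>".
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)\s+\(\[?(?P<ip>[^\]\)]+)\]?\)\s+by\s+(?P<by>\S+)", re.I)

def ip_is_valid(ip):
    """True if the bracketed address could exist at all (octets 0-255)."""
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False

def parse_hops(raw):
    """Received hops in the order they appear: newest (your server) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        if m:
            hops.append({"from": m["from"].lower(), "by": m["by"].lower(),
                         "ip": m["ip"], "ip_valid": ip_is_valid(m["ip"])})
    return hops

def trace(raw, my_server):
    """Walk down from your own server, trusting a hop only while its 'by' host is
    the 'from' host of the hop above. Returns (trusted, unverified, origin)."""
    hops = parse_hops(raw)
    trusted, expected_by = [], my_server.lower()
    for hop in hops:
        if hop["by"] != expected_by:
            break  # chain broken: everything from here down is unverified
        trusted.append(hop)
        expected_by = hop["from"]
    origin = trusted[-1] if trusted else None  # earliest verifiable source
    return trusted, hops[len(trusted):], origin
```

The “origin” it returns is the last hop you can vouch for, which is the one worth looking up with whois; anything below the break is just text the sender could have typed.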

And why would someone want to do that? Because the laws that make it illegal to send an unsolicited ad to a fax machine also cover sending unsolicited e-mail ads to your computer. The penalty for violating the law: “actual monetary loss, or $500, whichever is greater, for each violation.” If you are a spam artist, $500 per violation could add up to a lot of dough.

Todd Campbell is a writer and Internet consultant living in Seattle. The Answer Geek appears weekly, usually on Thursdays.