How to Find the Originating Point of an Email

Email messages may originate from nearly anywhere on the Internet.

All email comes from somewhere, but the true origin of an email message may be difficult to determine. The sender's name and email address displayed in the "From" line of a message are untrustworthy information that the message's true sender can alter easily. To locate the origin of a message, you must review the detailed full headers included with each email message, which most email programs do not display automatically.

Instructions

    • 1

      Determine how to view full header information with your email client. In some cases, this may be as easy as clicking a hot key combination; in others, you may need to change your email client's settings. Consult your email client's "Help" feature for information on viewing full headers.

    • 2

      Read the full header information for the email you wish to trace. If the message includes only a single "Received: from" line, the Internet Protocol (IP) address on that line should be the originating point of the email message. An IPv4 address appears as a set of four numbers between 0 and 255, separated by periods. For example, 10.0.234.17 and 192.168.27.16 are IP addresses.

    • 3

      Inspect the path the email message traveled if the full headers contain more than one "Received: from" line. Each "Received: from" line records the IP address of the host that handed the message over and, usually, the names of the server that sent it ("from") and the server that accepted it ("by"). If any of the routing information has been faked in an attempt to hide the origin of the message, the server names or IP addresses listed in subsequent lines do not describe a coherent delivery route.

      In a coherent delivery route, the "from" location stated in one line matches the "by" location in the next line. For example:

      Received: from server.mymailhost.com (mail.mymailhost.com [136.43.79.123]) by mail.nowhere.org

      Received: from somewhere.com (127-134-6-98.dsl.somewhere.com [127.134.6.98]) by server.mymailhost.com

      In a faked delivery route, the "from" location in one line does not match the "by" location in the next line. For example:

      Received: from server.mymailhost.com (mail.mymailhost.com [136.43.79.123]) by mail.abc.org

      Received: from yadayada.edu (UHY76fgVG.edu [127.134.6.98]) by server.nowhere.com

    • 4

      Locate the sender's true IP address on the last line of the first coherent delivery route. Depending on how much of the header information has been faked, the last true "Received: from" line might be the first line, the last line, or a line in the middle.

    • 5

      Convert the IP address into a server name using a free, public "Whois" IP address translator service.
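The check described in steps 2 through 4, written out as a small Python script. This is an added example, not code from the original article: it parses the "Received" lines with the standard library's email parser, walks the chain from the top (the most recently added line, which your own mail server wrote) and stops at the first place where the "from" host of one line no longer matches the "by" host of the line below it. The sample headers are constructed from the two routes shown above; the dates, the "with ESMTP" clauses and the From/Subject lines are assumptions added to make them look like real headers, and the address 127.134.6.98 is simply the article's example value. The reverse-DNS helper stands in for step 5 and is an assumption on my part (it needs network access, so it is not exercised here).

```python
import re
import socket
from email import message_from_string

# Constructed sample 1: a coherent route (the "from" of the top line matches
# the "by" of the line beneath it), built from the article's example.
COHERENT = """\
Received: from server.mymailhost.com (mail.mymailhost.com [136.43.79.123])
    by mail.nowhere.org with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from somewhere.com (127-134-6-98.dsl.somewhere.com [127.134.6.98])
    by server.mymailhost.com with ESMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: "Someone" <someone@somewhere.com>
Subject: hello

body
"""

# Constructed sample 2: a faked route. The second line claims to have been
# received "by server.nowhere.com", but the line above it says it came
# "from server.mymailhost.com", so the chain breaks after the first hop.
FAKED = """\
Received: from server.mymailhost.com (mail.mymailhost.com [136.43.79.123])
    by mail.abc.org with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from yadayada.edu (UHY76fgVG.edu [127.134.6.98])
    by server.nowhere.com with ESMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: "Someone" <someone@somewhere.com>
Subject: hello

body
"""

# "from <host> (<comment>) by <host>" -- the comment in parentheses is optional.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# The bracketed IPv4 literal is the most reliable field on the line.
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message):
    """Return the Received hops, top-most (most recent) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        # Folded header lines come back with embedded newlines; flatten them.
        flat = " ".join(str(value).split())
        match = RECEIVED_RE.match(flat)
        if not match:
            continue  # lines without a "from ... by ..." pair are skipped
        ip = IPV4_RE.search(flat)
        hops.append({
            "from": match["from"].lower(),
            "by": match["by"].rstrip(";,").lower(),
            "ip": ip.group(1) if ip else None,
            "raw": flat,
        })
    return hops


def first_coherent_route(hops):
    """Keep hops from the top while from[i] matches by[i+1] (the rule in step 3)."""
    end = 0
    while end + 1 < len(hops) and hops[end]["from"] == hops[end + 1]["by"]:
        end += 1
    return hops[:end + 1]


def originating_ip(raw_message):
    """Step 4: the IP on the last line of the first coherent route."""
    hops = parse_received(raw_message)
    if not hops:
        return None
    return first_coherent_route(hops)[-1]["ip"]


def reverse_lookup(ip):
    """Step 5 stand-in (assumption): reverse DNS instead of a web Whois form."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    for label, sample in (("coherent", COHERENT), ("faked", FAKED)):
        route = first_coherent_route(parse_received(sample))
        print(label, "-> trusted hops:", len(route), "origin IP:", originating_ip(sample))
```

On the coherent sample the script walks both hops and reports 127.134.6.98; on the faked sample the chain breaks after the first line, so it stops there and reports 136.43.79.123, exactly as step 4 describes. Matching on host names is case-insensitive because mail servers write them inconsistently, and the script deliberately ignores the parenthesised comment text, which the sending host controls.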

Tips & Warnings

  • Although the "Received: from" lines may state one or more names for the server that sent or received the email message, the IP address is the most reliable piece of identifying information.

  • Some email programs and services do not allow the email recipient to review original email headers, or they strip IP addresses from the headers. It is not possible to determine the actual origin of an email message if you are unable to view the full headers of the message.

  • Some full headers contain a line called "X-originating-IP," which is intended to provide the IP address of the original sender. However, this line can easily be faked and should not be relied upon for accuracy.
