
A good rule of thumb is to begin at the bottom and work your way up in the headers to determine where an email is from.

I frequently get questions that boil down to "How can I trace where this email came from?" or "Can I determine the IP address of the sender of an email?"

The answer is both yes and maybe, and it may not do you any good. However, there is a lot of interesting information in your email that you normally don't see, and the trail of mail servers is part of that.

So let's interpret some email headers.

First, there's the challenge of even getting to the real email headers. In Hotmail they're apparently always visible. In Outlook, they're hidden by default, so with the message open, click on View, and then Options, and you'll see a box labeled Internet Headers. In Thunderbird, you can expand or collapse the headers by clicking on a simple control next to the subject line.

In any case, headers typically look something like this:

Return-Path: <lnotenboom@hotmail.com>
Delivered-To: 1-leo-clean_nospam@pugetsoundsoftware.com
Received: (qmail 13384 invoked by uid 110); 13 May 2005 21:33:53 -0000
Delivered-To: 1-leo_nospam@pugetsoundsoftware.com
Received: (qmail 13380 invoked from network); 13 May 2005 21:33:53 -0000
Received: from bay107-f18.bay107.hotmail.com (HELO hotmail.com) (64.4.51.28)
    by pugetsoundsoftware.com with SMTP; 13 May 2005 21:33:53 -0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Fri, 13 May 2005 14:33:53 -0700
Message-ID: <BAY107-F18247D6C6473F92CC602D8D2120@phx.gbl>
Received: from 64.4.51.220 by by107fd.bay107.hotmail.msn.com with HTTP;
    Fri, 13 May 2005 21:33:52 GMT
X-Originating-IP: [64.4.51.220]
X-Originating-Email: [lnotenboom@hotmail.com]
X-Sender: lnotenboom@hotmail.com
From: "Leo Notenboom" <lnotenboom@hotmail.com>
To: leo_nospam@pugetsoundsoftware.com
Bcc:
Subject: Example Email
Date: Fri, 13 May 2005 14:33:52 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 13 May 2005 21:33:53.0097 (UTC) FILETIME=[75980390:01C55803]

Now yours may look a lot different. It may be longer or shorter, or have additional information, or less. But the basic idea is that there's a lot of information in the headers that has to do with the administration of getting the email from the sender to the receiver.

A detailed reference is more than I can present here, and quite honestly, probably more than you need. But let's examine the headers above a little more closely, since it's a good example of a "normal" email message. They are from a message I sent to my regular email account from my Hotmail account.

A good rule of thumb is to begin at the bottom and work your way up in the headers. That'll make more sense in just a minute. Working from the bottom:

  • X-OriginalArrivalTime: is the time the message was submitted to Hotmail ... in other words, the time I pressed "Send". Headers that begin with "X-" are "non-standard", and may not be used by all mailers. They're often just informational. Note also the date and time: 13 May 2005 21:33:53.0097 (UTC). The "(UTC)" means that the time is recorded as "Universal Time Coordinated", sometimes thought of as Greenwich Mean Time or GMT. Since I'm in the Pacific time zone, and daylight saving time is in effect, that means I sent it at roughly 2:33 PM PDT.

  • Content-Type: is how the mailers tell each other what the format of the mail is: plain text, as this example is, or HTML, or something else.

  • Mime-Version: "Mime" stands for Multipurpose Internet Mail Extensions, and is the formatting protocol most often used to encode attachments and alternate representations in a single email.

  • Date: This is the more common place you'll find the date and time that the message was sent. This is added by the sending mailer, and is commonly used by your email client as the "Sent Date". Note that the time zone is specified as local time (2:33 PM) and an offset (-7 hours) from UTC. PDT is 7 hours behind UTC as I write this. Subtract the offset (and remember that subtracting a negative offset means to add it), and you'll get the equivalent 21:33 UTC.

  • Subject: As you'd expect, the subject of the email as you typed it.

  • Bcc: To be honest, I'm not sure why Hotmail includes this here, as they strip out any BCC'd recipients. BCC is supposed to be stripped from email completely before it is sent.

  • To: Again, as you'd expect, the list of recipient email addresses that this message is addressed to. What most people don't realize is that the To: line doesn't define who the email actually goes to, but rather simply lists who the mailer claims it's to go to. A virus, for example, can easily create a mail message that has bogus addresses in the To: line, and then send the mail to someone else entirely. That's known as "spoofing".

  • From: Just like To:, the "From:" address shows you from whom the mail was supposedly sent. And also like "To:", it's very easy for the spammers and virus writers to spoof the From: address to be pretty much anything they want.

  • X-Sender: is another representation of the address the email originated from, but like all "X-" headers, is optional and not universally used or recognized. "X-Sender", and the similar "Sender:" are supposed to indicate the sender of the email, which might be an intermediary. For example, if you send mail to a mailing list, the mail might be "From:" you, but the mailing list software might be the "Sender:" to everyone else who receives it.

  • X-Originating-Email: another representation of the sender of the email. Some mailers add this as a precaution against those who spoof the "From:" line.

  • X-Originating-IP: The IP address of the computer on which the email originated. Once again, an optional and informational "X-" header. In this case, the IP address is one of Hotmail's servers.

  • Received: Herein lies the gold. I'll get into more detail on that below.

  • Delivered-To: is added by the receiving mail server when it finally delivers the email to a specific email alias or mailbox. In my case, I have my mailer configured to deliver my mail to two separate mailboxes: one with, and one without, spam filtering.

  • Return-Path: is the address that the email, if it fails to be delivered, should be bounced back to.

The series of "Received" headers are the trail that tells us from where the message was sent, and along what path or series of servers it traveled across the internet. And this is why we started at the bottom, as each mail server adds a received header to the top.

In the first one we can see that a Hotmail server "by107fd.bay107.hotmail.msn.com" got the message from the server at "64.4.51.220". In this case it lists an IP address only, since there is apparently no name associated with the server at that address. Since this is Hotmail, and I'm certain that Hotmail has many, many servers, it's not surprising that they might not give all of them a name on the internet.

Further up the header we can see that it left "bay107-f18.bay107.hotmail.com" and was then received by "pugetsoundsoftware.com", my mail server. Note that this line also includes a couple of interesting bits of information:

  • (HELO hotmail.com) - this is part of the SMTP mail protocol where the server identifies itself while connecting. Basically, it's saying "Hello, I'm Hotmail.com" when it initiates the transfer of mail to the next server to receive it. The receiving server logs this information as part of the "Received" header it adds.

  • (64.4.51.28) - this is the IP address of the server making the connection.

As part of spam prevention and server authentication, a mail server may elect to ensure that all three of these pieces of information match: the IP address reported matches the server name reported, which in turn should match the end of the HELO string. In practice, the internet is a little too fast and loose for that to be a reliable gauge of authenticity ... too many legitimate servers are not configured to report the right information for that check to always be valid.

Another interesting use of the Received headers is to determine where a delay may have occurred in transferring the mail. Since each is time-stamped, it's quickly apparent where a message may have been held up.
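
The bottom-up reading of the "Received" headers described above can be automated. The following Python script is an added example, not part of the original article: it walks the Received headers of the first sample message from oldest to newest, pulls out the sending name, HELO string and IP address, compares the name against the HELO string, and computes the delay between hops. The function names are made up for this example, and the IP-to-name lookup is left out so that it runs offline.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Excerpt of the first sample header block on this page. Folded lines are
# indented so the parser treats them as continuations of the line above.
RAW = """\
Received: (qmail 13384 invoked by uid 110); 13 May 2005 21:33:53 -0000
Received: (qmail 13380 invoked from network); 13 May 2005 21:33:53 -0000
Received: from bay107-f18.bay107.hotmail.com (HELO hotmail.com) (64.4.51.28)
    by pugetsoundsoftware.com with SMTP; 13 May 2005 21:33:53 -0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Fri, 13 May 2005 14:33:53 -0700
Received: from 64.4.51.220 by by107fd.bay107.hotmail.msn.com with HTTP;
    Fri, 13 May 2005 21:33:52 GMT
X-Originating-IP: [64.4.51.220]
From: "Leo Notenboom" <lnotenboom@hotmail.com>
Date: Fri, 13 May 2005 14:33:52 -0700
"""


def to_utc(stamp):
    """Parse a mail date and normalise it to UTC.

    A '-0000' zone (as qmail writes it) parses as a naive datetime,
    so it is treated as UTC here.
    """
    dt = parsedate_to_datetime(stamp.strip())
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def helo_matches(name, helo):
    """True when the reported server name and the HELO string share trailing labels."""
    a, b = name.lower().rstrip("."), helo.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def trace(raw):
    """Return one dict per Received header, oldest hop (bottom header) first."""
    msg = message_from_string(raw)
    hops, previous = [], None
    for value in reversed(msg.get_all("Received", [])):
        text, _, stamp = value.rpartition(";")   # timestamp follows the last ';'
        text = " ".join(text.split())            # undo header folding
        when = to_utc(stamp)
        hop = {"from": None, "helo": None, "ip": None, "by": None,
               "time": when, "delay": None, "helo_ok": None}
        m = re.match(r"from\s+(.+?)\s+by\s+(\S+)", text)
        if m:                                    # local qmail hand-offs have no from/by
            src, hop["by"] = m.group(1), m.group(2)
            hop["from"] = src.split(" (")[0]
            helo = re.search(r"\(HELO\s+([^)\s]+)\)", src)
            ip = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", src)
            hop["ip"] = ip.group(1) if ip else None
            if helo:
                hop["helo"] = helo.group(1)
                hop["helo_ok"] = helo_matches(hop["from"], hop["helo"])
        if previous is not None:
            hop["delay"] = (when - previous).total_seconds()
        previous = when
        hops.append(hop)
    return hops


if __name__ == "__main__":
    for n, h in enumerate(trace(RAW), 1):
        print(n, h["time"].isoformat(), "from", h["from"], "by", h["by"],
              "ip", h["ip"], "helo_ok", h["helo_ok"], "delay", h["delay"])
    date_utc = to_utc(message_from_string(RAW)["Date"])
    print("Date header in UTC:", date_utc.isoformat())
```

A large or negative delay between two hops shows where a message was held up or where a timestamp does not fit the rest of the trail; as the article says, the name and HELO comparison is only a hint, since many legitimate servers fail it.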

Now let's look at the headers of some SPAM I recently received:

Return-Path: <fake@fakecompany.com>
Delivered-To: 1-leo-clean_nospam@pugetsoundsoftware.com
Received: (qmail 19652 invoked by uid 110); 14 May 2005 20:03:05 -0000
Delivered-To: 1-leo_nospam@pugetsoundsoftware.com
Received: (qmail 19649 invoked from network); 14 May 2005 20:03:05 -0000
Received: from fake.pittpa.adelphia.net (**.**.198.208)
    by pugetsoundsoftware.com with SMTP; 14 May 2005 20:03:05 -0000
Received: from desk.fakecompany.com
    by qdam.eiynwr.com with SMTP; Sat, 14 May 2005 13:03:09 -0800
Message-ID: <BKELLDAGKABIOCHDFD567DGAA.fake@fake.it>
From: "Fake Name" <fake@fakecompany.com>
To: leo_nospam@pugetsoundsoftware.com
Subject: Fast solution to your problems in a bed!
Date: Sat, 14 May 2005 13:03:09 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--DELPHI7551932757739836KN"

[Note: everything that says "fake" is something I changed to anonymize this example. Someone's real email address and real company domains were used in the original.]

There are several interesting things about these headers:

  • The "Message-ID:" references an account at a domain in Italy.

  • The first "Received:" header references "desk.fakemailer.com" - fakemailer appears to be a legitimate business involved in bulk email technologies based in New York state.

  • That header also references "qdam.eiynwr.com" - a domain that doesn't appear to exist.

  • The next header appears to receive the message from "fake.pittpa.adelphia.net", which from the name would indicate a Pittsburgh, PA node of adelphia.net.

  • The "From:" line indicates yet a third party, fakecompany.com. On the surface this company, in New York City, appears to be unrelated to any aspect of the message, though I could be wrong.

The kicker is that the links for the products being sold by this email all go to a domain registered in Bulgaria.

So what to make of it all? It is possible that the originating computer, desk.fakemailer.com, is, in fact, sending out spam on purpose. It's also possible that this machine has been infected with a virus, and is sending out spam without realizing it. And yet another scenario is that the machine is not involved at all, and that spammers in Bulgaria have spoofed the headers of the originating machine (using the company's role in the bulk email business to confuse and obfuscate the issue).

And therein lies the problem with SPAM and why there's no simple solution. Email headers cannot be trusted, and not all email can be traced or authenticated. Legitimate mail typically can be traced, but for SPAM and virus-generated email it's difficult to say that the headers are absolutely trustworthy.

But it's interesting information, nonetheless.

Article C2351 - May 14, 2005

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

137 Comments
James Hill
May 18, 2005 8:01 AM

Hi Leo,

First, I want to thank you for putting very informative information on the web.

I have a question about tracing the origin of an email. I think someone has been emailing me from a yahoo.com address but, when he is online at work not his home personal computer. Can I still trace this information? Would I need to get help from the company to find this out or can I determine this on my own? Also, what specifically will I have to look for in order to figure this out? Thanks for the help!

Best Wishes,

James Hill

Leo
May 18, 2005 10:04 PM

The example of hotmail I sent to myself above is a good example. The information of explicitly where I'm located (i.e. the IP address of my machine) was never part of it. I believe you would need to get yahoo or hotmail involved to find out more. They'll probably need things like a court order, if they even CAN get the info.

Miriam
May 29, 2005 11:17 AM

I have received an email from someone who logged into my email address and posted a message. I would like to know if you can trace where they are emailing from.

Leo
May 29, 2005 3:19 PM

Use the techniques outlined in the article you just commented on. You may also want to read this article as well: http://ask-leo.com/someones_sending_from_my_email_address_how_do_i_stop_them.html

Bonnie
June 8, 2005 3:12 PM

I guess I'm not computer literate enough to decipher all that. What I want to know is simple...if my boyfriend says he's in London and I get a yahoo message that shows a time with PDT after it, does that mean he is actually emailing me from somewhere else?

Leo
June 8, 2005 9:46 PM

If you mean Email message, it's likely it only means that the computer used was set to the Pacific Timezone. The computer could be anywhere.

Brandon P.
June 17, 2005 12:40 AM

Hi, I was wondering if someone can know my name or personal information I keep in my email, because I have some things in my credit balance that I don't even know who made. Is it hacking? My cousin told me that these guys can get into my PC if I don't have a firewall, so he recommended the Norton antivirus, but I don't know if it's right.
Thank You and waiting for your answer.
Brandon P.

Leo
June 17, 2005 8:39 AM

You should read this article: http://ask-leo.com/how_do_i_keep_my_computer_safe_on_the_internet.html

John
June 30, 2005 3:37 PM

I can trace some from hotmail but others I can't, and yahoo I can't. Is there a program or website to pinpoint their street address no matter how they sent the email, like in the movies? This email came from 211 Sesame St. at 12:00 pm Sat. June 9th??? If so please help!

Leo
June 30, 2005 5:20 PM

In most movies you'll note that it's the police doing it. That's what it takes ... the help of the ISP, usually at the request (or demand) of law-enforcement.

Robin
July 3, 2005 4:28 PM

Someone is sending email to a person I know, using an email address I no longer have. I have a new account, screen name and password. Is there any way that this person can find out where the email came from? I have checked and it did not come from my computer. It appears that someone wants this person to think it did. Any info would be helpful.
THANK YOU
PS
I believe this person is also AOL

Leo
July 4, 2005 1:11 PM

Only using the techniques in the article you just commented on. To get more detailed, you'll need the originating ISP's help.

Randy
July 9, 2005 2:43 PM

My friend (really) is going through a break up. She has been checking her ex-boyfriend's e-mail account to see if he's been home and deleting a couple of e-mails that were sent by his current girlfriend.

I told her this was an invasion of privacy and that her logging on to her ex's e-mail account can be traced to her.

She continues to check/delete his e-mail. If her ex suspects something, is there a way that my friend can be traced as the culprit?

Please reply ASAP because my friend is obsessed with doing this. If her actions can be traced, I'm sure that she will stop (hopefully).

Leo
July 9, 2005 9:01 PM

It may be traceable, but if it is, it's very VERY hard, and would require HotMail's cooperation, which seems to me likely to happen only as the result of a police investigation or court order.

Alice
July 18, 2005 12:59 AM

hello, happy morning to you ....

As we know, we are able to trace who is sending an email by checking the full headers, and finally we will get the information about which ISP the email is sent through, but we don't know who the sender actually is unless we report mail abuse to the ISP and get the details, such as residential address and phone number of the sender, from them.

Referring to the above matter, is there any way or software to enable us to get full details of the sender (I mean the phone number or residential address, etc.) without requiring the ISP or reporting to the ISP? Or is there any software with which we could trace the sender information in detail by ourselves?

Besides that, I am not a hacker but I am really interested in the relevant knowledge about that. How can I get knowledge about that?

Thank you and looking for your reply as soon as possible ...

Leo
July 19, 2005 12:04 PM

Nope, not that I'm aware of. The ISP has to help.

Janis
July 30, 2005 9:16 AM

Curious...I found information on how to spy basically on someone if you have their email address...It said to go to Google's Advanced Search and in the "author" box type in the email address and press search...you will find everything that person has written to public usenet groups and anything that person has said in certain chat rooms....Can't find the Author box on Google in advanced.

Can this be true....can you do tracking or spying if you have someone's email address?

More curious than wanting to spy...just can't believe it can be that easy for some to do it or to have it done to me...

Your help is appreciated

Leo
July 30, 2005 4:54 PM

Yes and no.

When you use Google, all you will find is any time that person's email address shows up on the web. That could be because of mailing lists that are archived on-line, usenet postings or what have you.

But it will NOT find email, and it will not track email.

It just finds what's on the web.

Patty
September 15, 2005 7:29 AM

Dear Leo, I recently received some emails from an anonymous person accusing my husband of having an affair and claiming to have details. I would really like to know who is sending these. They are using a yahoo email address. Is there any way I can trace the origin of these emails?

Thank you :)

Leo
September 15, 2005 8:23 AM

You can get part way by using the information in the article you just commented on. After that, you'll need Yahoo's help - IF they're willing to give it. (Typically they are not.)

Merrie Price
September 27, 2005 3:45 AM

question. I have been typing with a man that said that he is from california but has traveled to the UK. But when he sends his e-mail through Yahoo the time stamp on it shows (PDT) does that mean that he is in the PDT time zone when he sent it and not actually traveling in the UK? Please this information will tell me if this man is not being honest with me. He wants to meet me and I need to find out if this is a scam. Thank you so much.

Merrie Price
September 27, 2005 4:11 AM

correction. I went back to look again. Each time that he has sent an email to me and I to him it is stamped -0700. I wanted to know is it possible to find out what time it is where he is sending the email from. The time stamps all say -0700 and he originally was supposed to be sending them to me and I am two hours earlier than I. But now he should be 6 hours ahead of me. This would not be an issue if I was not concerned that this person is not whom he said he is, or where he is. Thank you

Leo
September 30, 2005 10:45 PM

-700 is pacific time right now. But it's quite possible to set your computer to whatever time zone you like, so that doesn't really provide any proof.

kristen
October 16, 2005 8:37 PM

Leo, I might come across like a broken record. I've been getting disturbing messages left on a web page of mine. Now all I have is an IP address. Can it be tracked to more than just finding out city/state/ISP? If so can you tell me how PLEASE... Thank You!!!

Leo
October 17, 2005 5:04 PM

You want this article: http://ask-leo.com/can_i_get_someones_name_and_address_from_their_ip_address.html

Jaggy
November 11, 2005 4:23 PM

Is it possible to find out where an email is read from?
Just as we are able to get a confirmation message when the recipient reads our mail sent to them, is it possible to find out the IP address from where that mail is being accessed by the person?

Leo
November 13, 2005 10:55 AM

No, not that I'm aware of. And for the record, read-receipts - the confirmation you speak of - is 90% ineffective as well. Most people disable them.

Amy
January 12, 2006 9:20 AM

I am researching/tracing emails I am receiving from a hotmail account. In the bottom most "Received" I get an IP that matches with the IP listed in the "X-Originating IP".

My question stems from another email from this hotmail account. Again, the IP in the bottom most "Received" matches the "X-Originating IP"; however, there is a SECOND "X-Originating IP" listed after the first which gives me a completely different IP.

What is this second mysterious "X-Originating-IP"???

Leo
January 12, 2006 10:02 AM

It could be many things. In fact either of them could be the IP address of the computer that originated, or forwarded the message - or they could be random crap inserted to make the mail "look" legitimate, or to obfuscate the real sender.

Teri
March 2, 2006 12:45 PM

Someone broke into my sister-in-law's hotmail email account and is now sending very discriminating emails to her relatives and friends using her email address. Is there a way to find out the physical address that the person who has stolen the account is sending them from? They are saying that she is using drugs, abusing her kids, etc. and I am trying to contact her but the only way is through her email account. Please advise. Thank you - Teri

Leo
March 2, 2006 3:43 PM

Only if you involve the police.

mjanish
March 20, 2006 8:43 PM

I want to know the person who is sending me some bugs mail.

How can I find his location, city & whole information for future cure?

Leo
March 20, 2006 8:55 PM

You cannot get that level of detail. Please read the article you just commented on.

Rich
March 24, 2006 12:15 PM

I am getting emails with parts of them being just a bunch of scrambled words and the rest of the email is about something being a good deal to buy stock in, "I think". Sometimes there is a name with it, but when I reply my mail cannot be delivered. What is it?

Leo
March 24, 2006 12:17 PM

Spam. NEVER reply to spam.

Siya
March 29, 2006 10:05 PM

Hi Leo,

Someone is sending me threatening emails from the same IP but different email addresses. Is there a possibility that it's being sent by a single user using different accounts?

Leo
March 29, 2006 10:10 PM

Sure. It's also possible that it's being sent by different people behind the same router or organizational firewall, or using the same anonymizer service.

Could be many things.

Siya
March 29, 2006 10:23 PM

Thanks for your reply Leo, but every time I check the header it's always showing the same IP address but different email a/cs, and when I tried to find out the exact location from that IP, I got an organisation's address. Now in organisations an IP is assigned to a single user only. Can I know exactly who is sending those emails?

Leo
March 29, 2006 10:35 PM

There's no way to know. You'll have to contact the organization.

Stephen
April 6, 2006 5:01 PM

Hi Leo,
I used to have an email address that I used frequently, but for about a month I don't get to check my mail. This email address started sending pornographic materials and viruses to all my contacts in my address book.
I canceled that account two weeks ago but my contacts still complain of receiving viruses from it. Please help!!
I've contacted my ISP and complained, traced the IP on the header to the same ISP I use. I would really like to know the address of the computer doing this, not the server used to email.
Help

Leo
April 7, 2006 8:08 AM

You need to work with the ISP. But I also suspect that the issues covered in this article might be the case: http://ask-leo.com/someones_sending_from_my_email_address_how_do_i_stop_them.html

Timmy
June 21, 2006 2:16 AM

Hi,

I need to know how i can see who was Bcc on an email I received...any ideas?

Leo A. Notenboom
June 21, 2006 10:50 AM

You don't. That's the whole point of BCC. This article has more: http://ask-leo.com/how_to_i_view_the_list_of_bcced_recipients_on_an_email_ive_received.html

Mary
July 26, 2006 3:53 AM

i tried following the tutorial but it got too technical for me. there are many services that would trace the email for you -i've found infopursuit.com, sendertracer.com, and abika.com. i had to pay, but they did the job.

Paige
August 7, 2006 6:11 PM

A coworker from Canada has a privately owned laptop and uses a Canadian Cable ISP. She claims to travel to the US quite often, conveniently when we are required to work weekends. She sent me a hotmail email and the IP address in the header belonged to her Canada based Cable ISP. Does having an IP belonging to a Canadian ISP in the header prove she was definitely in Canada, and not the US, when the email was sent? Or is it possible her laptop would have her Canada IP stored and she wouldn't get a new IP when she connected to the internet in the US?

Leo A. Notenboom
August 8, 2006 9:18 AM

"Prove" is a word I won't use, but it would seem to indicate that she was connected to her canadian ISP. Now the thing is, it could have been over a dial-up connection to her ISP from anywhere, including the US.

Jasmeet
September 7, 2006 4:48 AM

In Lori Hanken's case the email received from ip address 67.50.14.110 is from Hastings, Minnesota

jasmeet
September 7, 2006 5:05 AM

rj, you'll have to enable the full/all/advance headers from the mail options of ur email, only then u'll be able to see the full header information. Like for instance, for a hotmail a/c go to the options page, and select 'mail display settings', in the message headers section select the full or advanced radio button. And then u may be able to trace where the emails are coming from using a paid software or sites like http://dnsstuff.com

Manish
September 23, 2006 2:42 AM

Pl trace location of email sender (location of PC which was used for sending mail, not the IP address). I'm giving details of mail's header information below:

[apparently someone else's information removed -Leo]

Leo Notenboom
September 23, 2006 8:44 AM

I cannot trace an IP address to a specific location or machine. You need to contact the ISP in question.

Zoe
November 19, 2006 1:27 PM

I found your information VERY useful. Thank you so much Leo for making this available.

I do have one question though - How do I trace the city location where someone sent a message via blackberry? If someone is on roaming service then how do I figure the city in which the mail was sent from?

THANKS

Leo Notenboom
November 19, 2006 8:43 PM

I doubt that you can. It all depends on how your carrier assigns/uses IP addresses, and there's no requirement that it be city based. In any case, you'd have to try and figure it out with them.

Gary
November 29, 2006 3:32 PM

Hi

I have a question regarding BCC from a hotmail account. If the BCC line is included in the header is it correct to say that the person who sent that email BCC'd someone else in on the email they sent me?

Thanks

Leo Notenboom
November 29, 2006 3:37 PM

If the BCC line is present, but empty, it tells you nothing. You can make NO assumptions one way or another. There could have been BCC'ed recipients, or not.

If the BCC line is present, and has email addresses in it, that's a BUG in the sender's mailer - it should not be there. You can probably infer that the email addresses listed were BCC'ed, but CANNOT assume anything else. There could have been more BCC'ed. Or not.

If the BCC line is NOT present, you can assume nothing. There could have been BCC'ed recipients, or not.

James O'Reilly
December 11, 2006 10:54 AM

Hi,

Thank you for your help on this. My girlfriend is currently being harassed and is being threatened from a fake Yahoo address. We have been to the police as there are many threats and things are getting very personal.

I have an e-mail address, jenniegarthuk@yahoo.co.uk, what's the best way of finding out the IP address to give to the police as they are being most unhelpful.

Thanks for your advice so far, it is much appreciated.

Regards

James

Linda Butler
December 16, 2006 6:32 AM

I need to know where an email I received came from. The ip information is as follows:[66.196.101.11]. The information in the received line is as follows: from 66.196.101.11 (HELO web59015.mail.re1.yahoo.com) (66.196.101.11) by mta173.mail.re3.yahoo.com with SMTP; Fri, 15 Dec 2006 12:46:40 -0800

Thanks for your help...I don't know how to read what it means. Thanks.

Leo Notenboom
December 16, 2006 9:53 AM

Someone sent it using Yahoo's web mail interface. That's all you can tell from that.

Kevin
January 9, 2007 5:44 PM

Dear Sir,
I need to find out who sent an email to me. They sent it to me before my wedding, telling me not to do it. They sent it via hotmail under a fake account and removed the account after sending the email. I still have the whole email and I am having trouble figuring out where it originated. Please help.

Leo Notenboom
January 9, 2007 6:13 PM

No way to find out that I know of.

Bob
February 23, 2007 5:02 PM

Hi
Did you know there are private investigators that specialize in tracing emails? I was able to find out who my exwife was cheating with by visiting a website called emailrevealer.com.
I just gave them her screen name and they found a secret personals ad she had. Then I was able to find her boyfriend's email on her myspace page.
The detective found her ad, the myspace account, then located the guy she was cheating with.

Mary
May 3, 2007 4:49 PM

I received mails with the same mail address, always yahoo, in the Return-Path, From, and Reply-To, but it doesn't exist. I checked the IP 200.69.231.41 but it only said iplannetworks.net. How can I identify the real sender? Thanks.

Leo A. Notenboom
May 3, 2007 8:04 PM

You can't. You've gotten as much information as someone can without involving
law enforcement.

Leo

Melissa
May 21, 2007 10:57 AM

I have two different emails, from two different accounts of whom I believe to be the same person.
Is there a way to determine if they are indeed the same person harassing me?

[email headers including someone else's email address removed.]

Leo A. Notenboom
May 22, 2007 9:03 AM

No. Not without contacting the ISPs used to send each mail, and even then
you'll probably need a court order in order to get them to listen to you.

Leo

Diane
July 12, 2007 6:13 AM

How can I find out who sent me this message, as I need to know if it's legal or not. I need to contact the person who sent the mail - can you help?

Return-path:
Envelope-to: dianelouw@iburst.co.za
Delivery-date: Thu, 12 Jul 2007 10:11:16 +0200
Received: from veronique.gransy.com ([87.236.199.200])
by mail-01.jhb.wbs.co.za with esmtp (Exim 4.63)
(envelope-from )
id 1I8tlV-0002XU-3q
for dianelouw@iburst.co.za; Thu, 12 Jul 2007 10:11:15 +0200
Received: by veronique.gransy.com (Postfix, from userid 33)
id 0FB72C51F; Thu, 12 Jul 2007 10:10:06 +0200 (CEST)

Gregg Parratto
August 2, 2007 9:22 AM

I am trying to trace the original message sender below the AOL source. Here is the original info: How can I trace the gmail IP?

Received: by 10.143.163.4 with HTTP; Thu, 2 Aug 2007 08:55:34 -0700 (PDT)
Message-ID:
Date: Thu, 2 Aug 2007 11:55:34 -0400
From: "Tim Duffy"
To: "Gregg Parratto"
Subject: Fwd: [Hamilton] Fwd: Talk is cheap, campaign promises cheaper. -- Please forward to all share holders
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_65885_13716383.1186070134038"
References:

Leo A. Notenboom
August 4, 2007 5:04 PM

You cannot.

Leo

vicky
August 12, 2007 6:54 PM

is it possible to get a physical address from where an email came from?

Leo A. Notenboom
August 13, 2007 8:46 AM

No.

Leo


ERIK
August 22, 2007 9:17 AM

Hi. I have managed to find an IP address from an email I'm curious about. I have determined the geo location and did a reverse DNS (?) lookup, so I think I have the host server (?). Can you track something further, i.e. right back to the physical location of the computer? (Sorry, may seem like an idiotic question but I'm a relative newbie.) I am extremely interested though, and advice on any good reading material would also be appreciated. Thanks irrespective.

Leo A. Notenboom
August 22, 2007 1:49 PM

You want this article:
http://ask-leo.com/how_do_i_find_out_whos_at_a_particular_ip_address.html

Leo


james
October 19, 2007 4:11 PM

How can I see the full headers in a Hotmail new Live account? I tried view source on the e-mail but this is not giving the full header like I used to be able to see on my old Hotmail account. Can you help me please?

Leo A. Notenboom
October 22, 2007 10:58 AM

That's this article:
http://ask-leo.com/how_do_i_view_full_headers_in_windows_live_hotmail.html
be sure to read the update therein.

Leo

gerry newby
November 18, 2007 10:12 PM

the article was interesting, but didn't address the question, how to find who is sending scams spams and oopsy daisies!

So, we can't track down and drop a dime on 'em, then how do I set up my computer/email to reject automatically emails I don't want, without said emails ever getting to my inbox, or better still automatically send 'em back!!!

Leo A. Notenboom
November 24, 2007 2:05 PM

You got it from Hotmail. The sender could be anywhere on the planet, there's no
way to know.

Thanks,

Leo


Bill
January 1, 2008 12:47 PM

Can someone (that I sent an e-mail to) hijack my IP address and send e-mails to make it "appear" that it came from my computer location?

thanks

Leo A. Notenboom
January 3, 2008 9:51 PM

IP addresses cannot be hijacked.

Email headers can be forged, however, to make it look like it came from your
email address. They can try to make it look like it came from your IP address,
but that kind of spoofing is detectible.

Leo


barbara davis
February 16, 2008 9:19 AM

I am receiving spammed email from another company but the email address in the To box is not mine. How do I get these when it's not my email?

Leo A. Notenboom
February 18, 2008 9:55 AM

You were probably BCC'ed.

Leo


Sg
March 19, 2008 7:28 AM

How do you determine if an e-mail that you receive has been BCC'd to another person?

Leo A. Notenboom
March 19, 2008 3:20 PM

You cannot tell by looking at an email you've received
whether or not it was BCCed to anyone else.

Leo


mary
June 18, 2008 12:13 PM

I need to know in plain English if there is a way I can tell where (physical address or at least city) of an email

Leo
June 19, 2008 9:46 AM

Mary: in plain English: no.

Leo


RobMarson
July 3, 2008 2:38 AM

I trace spam emails to their ISPs by using these free tools: IPNetInfo and a program called Abuse. Abuse is a free application that scans the headers of emails and comes up with the ISP the mail was sent from. It then sends in a preconfigured complaint letter to the Abuse Dept. of that provider. I have gotten over 2000 IP addresses disconnected so far in my 2 year fight against these scumbags. So long as they continue to spam me I'll gladly make the ISP aware of it. Here is the link for the ABUSE program: http://spam-abuse.sourceforge.net/about_us.php. IPNetInfo is easy to find. Google it. Get a spam filter as well. I use MailWasher Pro. Hope that helps.

Rob Marson
July 3, 2008 2:44 AM

Oops...I forgot this part. If I feel that ABUSE isn't showing ALL the info, I then use IPNetInfo to scan the IP addresses and weblinks in the headers. Not only does it find the info I need but it also confirms what ABUSE found.

Vicky
July 11, 2008 6:44 PM

This was all too complicated. I put reverse email trace in google and came back with a company called emailrevealer.com. They took care of my email trace.

Dan
July 13, 2008 9:14 PM

I was wondering, I have the emailer's IP address and I want to trace it back further than the city. Can I trace it to the exact place somehow? Thanks

Leo
July 14, 2008 9:56 AM

NO. Not unless you're the police with a court order.

Leo


Sriram
July 29, 2008 12:21 AM

I have a question. Please help me out. If the sender just logs into his system and reads the mail which he received, and if he doesn't do any other transactions except reading his mails, can he be traced?

Maybe, but likely only by law enforcement / the police.
-Leo

sara
August 29, 2008 9:00 AM

Hello, I have had my mail address forged as the send and return path by a 419 scammer. I have reported them to Hotmail and Yahoo - they keep changing their address at the end of the letter. This means that I am flooded with non-delivery messages and have been accused of spamming - Yahoo claim that they cannot do anything but Hotmail have blocked them each time. Is there anything I can do? I am sure there is a lot of info in the return messages. I tracked an IP to the USA - I am in France, help!!!!

This happens all the time, and there's almost nothing you can do. This article has more: Someone's sending from my email address! How do I stop them?!

-Leo

Mickey
December 16, 2008 4:26 PM

A friend of mine says she is in Singapore and she has been emailing me with her .msn account. Is there any way to tell from the message header if she is truly in Singapore? The X-Originating-IP is 99.8.186.64 which is SBC internet service in San Francisco. Does this mean she is really in San Francisco? Thanks, Mickey

There's no way to know for certain. She could be using an ISP that routes through S.F., or something else could be at play.
- Leo
17-Dec-2008

Adrian
February 18, 2009 11:44 AM

Good post,
here is a web-based email tracer tool: http://www.myiptest.com/staticpages/index.php/trace-email-sender

Jim Downs
April 3, 2009 2:30 PM

To try this out, I traced the first "received" IP address to a Verizon account in the city where I know my friend lives. So far so good. But when the e-mail was sent to me, my friend was actually traveling and I thought had used his laptop through the internet service at the house where he was staying. Why would his original home IP address still show? Doesn't it show the IP address of the place where he connected, or does it always show the "base" address where the person signed up for his account?

It could be either, there's no way to really know. That's why IP tracing is so unreliable without help from the ISP (which they'll only give with a court order).
- Leo
04-Apr-2009

Dave
April 25, 2009 2:51 PM

I actually just tested out this service to see exactly how accurate these "IP finders" can be. I'm not terribly impressed after a couple tries. By creating a bogus email address and sending my primary account an email or two, I used a few of the suggested services to "track" my IP address. While the service DID manage to narrow the sender location down to the Hudson Valley, NY, the suggested city of origin was about 20 miles away from my home. Every service I've tried has returned this same estimated location, and usually the same suggested city. However, the problem remains that these services claimed that I lived on the wrong side of the Hudson River. Bummer.

Sandy
May 15, 2009 10:35 PM

I have a sbcglobal.net account and received a yahoo.com e-mail. Is there a way of tracing the origination of this e-mail up to the actual computer used even if the computer may be from a work/school/public location

Jose
June 1, 2009 4:36 PM

Can two emails sent by the same person, the same day but different hour have the same x-originating-ip?

Pao
June 4, 2009 6:03 PM

Is it possible (without being Police) to trace an IP when receiving a Facebook message?

No.
- Leo
05-Jun-2009

Dawn
June 21, 2009 9:11 AM

A former boyfriend's new girlfriend has received half a dozen nasty e-mails from a Gmail account. They determined it was an alias and he is trying to take me to court, accusing me of sending them. I suggested they start a formal investigation with the police and they are supposedly going to subpoena Gmail for their records. I didn't do it, but is there any way someone could cut and paste an IP address or make it look like it came from my home IP address? I was at work all day, using another IP address which I will be happy to provide as well... I think I'm just paranoid that it can be traced back to me by someone very computer savvy.

Del Hopkins
October 25, 2009 3:37 PM

Here's a quick online tool for tracing the source IP addresses from the email sender, along with subsequent mail stops:
http://www.myipaddress.mobi/TraceEmail.aspx

John Molloy
October 30, 2009 7:08 PM

My ex girlfriend installed a program on my computer(s) that allowed her to access my computer and every program on it. She also installed this program on the servers at my College. Every e-mail she sent had the ISP address of my computer or my school computer on her Hotmail messages so it looks like I sent the e-mails. The tech guys removed the programs but said they couldn't tell where the terminals were accessed from. Is there anything I can do to prove it wasn't me sending the messages except for the fact that for some of them, I was in a class of 20 and didn't leave?

chimeronc
November 8, 2009 4:09 PM

It's always a bit misleading when the information doesn't explicitly say that you cannot trace it back to the original individual.

read www.howtotraceemails.net for more info.

Neffy
November 16, 2009 8:53 PM

Is it possible for someone to attach a program to an email sent to me that allows them to then send msgs that appear to come from my ip addr or email?

Of course. This is why we repeatedly say don't open attachments you don't expect, or aren't completely certain of.
Leo
17-Nov-2009

Thom
December 11, 2009 5:19 AM

I received an email from a Hotmail account and want to trace its origin. I've looked and there are NO typical headers in this email. Could they have been stripped out before being sent? I can send you the entire "View Source" code if you like, but there is NO information like Return-Path in here.

Jessica
December 17, 2009 5:04 PM

I have a question similar to one already asked, I just need some clarification. I am going through a situation dealing with an ex who says he got an email through Facebook from a friend of mine (the email was not very nice, to say the least) and my friend says it did not come from him. I am just wondering if there is any way to figure out where the email came from on Facebook so I can end this.
Thank you

Ray
February 12, 2010 5:04 AM

Similar to Jessica on 12/17, my son is getting some very disturbing messages on Facebook. How can we trace where they are from? The originators are 3 different names with very limited profiles. He has turned off his accessibility setting so he cannot be seen, but still gets them. Is there any way to get an IP address from this?

marty
February 27, 2010 10:56 AM

OK, I have a question! My wife is receiving threats via text but she is being texted from a computer. The person texting her is a Hotmail user... it just says from: and then his threat followed by a link to sign up for Hotmail. I'm trying to figure out if we even know the idiot. Is there any way to track him with it being a text with no headers? The phone company said they don't have any info on how to track this, and when received the texts said you have one text from, then when you open it just says [Name Removed] :@ grrr

All I can suggest is that you contact the authorities.
Leo
27-Feb-2010

Mayla
March 6, 2010 12:04 PM

I have an IP address, looking to find the name and actual address of the owner... is this possible?

Only if you're the police. More here: Can I get someone's name and address from their IP address?
Leo
08-Mar-2010

John
March 8, 2010 4:50 AM

@Mayla:

No, it is not possible to do this, as Leo says on about 5 different pages.

The only way to get someone's name and location from an IP is to contact the police, who may or may not decide to help you. The police can get a court order to give to the ISP to find out where that IP is located. If you can't get the police to help you, or get a court order some other way then there isn't anything you can do.

Leo's article about it is here: http://ask-leo.com/how_do_i_find_out_whos_at_a_particular_ip_address.html

Richard
March 21, 2010 7:13 AM

Just how do you arrive at Italy, Bulgaria and New York as where the messages originated in your sample? Pittsburgh, PA is clear.

only14
April 9, 2010 11:05 PM

hi.
I've received this email from a person that i do not know, named [name removed]. she says she's 24 from texas. and she got my id through google friendship search. is that possible? and she wants to be friends.so she's given me her email as well. how can i know if she's a faker and if i should reply?

Sounds like a scam to me. I get 'em all the time.
Leo
10-Apr-2010

charlie
April 10, 2010 1:59 AM

Hi Leo.

Is it possible to find the IP address from just a Facebook message? The profile has since been deleted, and that's the only point of contact. There was a photo sent also? And Facebook for iPhone?

Are there experienced hackers that would be able to find personal information from that alone?

Dave Jay
April 19, 2010 10:40 AM

Can anybody email me and tell me exactly how to trace the origin / Country etc of an incoming email.
Any help would be greatly appreciated.
Many Thanks
Dave [email address removed]

jen
May 7, 2010 6:15 AM

Is an IP address always included in the email? I was trying to locate an IP address in an email and couldn't. Also, if someone has two different email addresses, can they be traced to the same person? thanks!

No, an IP address is not always included.
Leo
07-May-2010

Sophia
May 9, 2010 2:05 PM

Where to start?? The short version! My former tenants are spamming me with bogus email. I don't want to get into a long winded discussion about the validity of this statement. I have placed my now available rental property on Craigslist. After 2 months, I have received dozens of emails that a 12 year old would write. I was responding to messages which put me at great fear. Sender would ask to arrange an appointment and never show up... OK, people are jerks! But some senders threaten me with harm. Is it possible for a very nasty person to monitor, block and censor emails from Craigslist? Thanks

chuck
May 12, 2010 6:52 AM

Is it possible to figure out where a facebook email came from? The profile is there but no pic etc. I would just like to see the area from which it originated.
Thanks

There's no way that I know of.
Leo
14-May-2010

Misty
May 19, 2010 7:21 AM

Hello, I want to post a simple question: is it possible that numerous people have the same X-Originating-IP? I mean, the ISP has a dynamic IP, but it rotates only weekly, and during the same week I received several mails from different people, all using the same X-Originating-IP - supposedly, from different places. Do you think it's possible? I suspect it is not, so I'm thinking it's a single person, pretending to be different ones.

Barbara Parks
June 7, 2010 8:05 AM

I am sick of getting e-mails from [email address removed]. They are in fact spamming. They hacked my e-mail, got my name and then e-mailed my sister and asked for $1200.00 from her so I could get back from Scotland.
Needless to say, I never went to Scotland.

Isn't there some way to stop these spammers or whatever they are?

peter
July 2, 2010 10:59 AM

I have a friend who has been a victim of a violent assault. The people were never caught. A year later she is now receiving threatening emails. She does not live in a country that has a police force that can be trusted, nor have the resources. Is there a way to trace these emails to a computer? Each time it is a new email address. From reading the above article, the answer appears to be maybe. I have given details in hopes of getting some online help.

Unfortunately you need the assistance of the ISPs or Email providers involved, and they will typically only do so when appropriate legal action is taken.
Leo
03-Jul-2010

Marcus
July 13, 2010 3:30 AM

If I had used my internet access to create a Gmail account and used this Gmail account to send out emails, will the people to whom I sent the emails be able to trace me down to my office, if I do not put my name at all?
I want to send some love notes to a girl I admire, but afraid.

Sometimes your IP address will be included in the headers that you normally don't see, and sometimes depending on your ISP and internet setup this might identify your place of employment. More than that typically requires a court order and police involvement.
Leo
13-Jul-2010

waqar
August 6, 2010 11:04 PM

Hi,

I followed the instructions here; however, I am unable to pinpoint the exact location of the email (I mean the computer it originated from). I tried looking up the IP address and the closest I got was a nearby city. How do I find the location of the computer an email originated from? For example, I tried sending myself an email and I found out that it was sent from Montreal. My question is how do I find the house (in this case my house) where the email comes from?
Regards

As is stated on many places on this site (search for IP tracing), you cannot. The ability to trace an IP address to a specific location is not something you or I can do. If you have a legitimate need, law enforcement can do it with a court order.
Leo
07-Aug-2010

Gus
August 9, 2010 11:03 AM

If an email is received but it has passed by many computers, whether due to resending of email or virus, does the originating IP show up or does it show the last originating IP?

Regards

Gus

Depends on how it was passed along. If it was passed along by mail servers in the process of delivery, then typically all the IP addresses involved are included. If it was forwarded or re-sent by a mail program of some sort, then usually only the last sender. But in all of this there are no guarantees.
Leo
13-Aug-2010

JENNIFER
August 13, 2010 2:10 PM

A CLIENT OF MINE RECEIVED AN EMAIL FROM SOMEONE THAT WAS SLANDERING AND DEFAMING ONE OF MY EMPLOYEES. I HAVE THE HEADER TO THE EMAIL AND WASN'T SURE HOW TO DETERMINE ANYTHING EVEN WITH READING THE ABOVE EXPLANATION. HOW DO I KNOW WHO IT CAME FROM?

Deny
September 5, 2010 10:26 AM

Hi Leo,

Great information, but isn't it easy to use free email trackers such as:
http://www.ipaddresslocation.org/email-tracking/email-header.php
http://www.find-ip-address.org/email-search/find-email.php

Instead of analyzing full email header content, the email tracking tools above give all information about the email sender.

Hopefully it is useful for some people.

Prettybold
September 16, 2010 4:38 AM

Hi,
I tried to view message source of hotmail but the file is saved on my computer and it cannot be opened.
Can you please help me to open that file of .aspx format?

Lizzy
September 21, 2010 5:01 PM

I've been getting threatening emails from a cyber harasser for a while now and have reported it to law enforcement. They asked me to pass on the header info of the mail but I had a quick look at it and although I don't know much about these things, it seemed like the person has hidden the real IP. Are there any ways around that?

Nergal
October 30, 2010 4:15 AM

Hi, Leo,

Doesn't the fact that the bottom header in the above example is more than an hour after the next one up, and that "by qdam.eiynwr.com" and "from fake.pittpa.adelphia.net" don't match mean the bottom header is forged?

While they are suspicious, it's not an absolute indication of forgery. Clocks have been set wrong, and email can indeed sit on a mail server for an hour for various reasons. And servers can indeed respond as different names. The article above calls out some more reasons that this is bogus.
Leo
30-Oct-2010
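
Added example (not part of the comment thread or the original article): a small Python audit of a Received chain, read bottom-up, that flags the two signals discussed in the exchanges above: a hop whose "by" host does not match the next hop's "from" host, and timestamps that run backwards or show a long gap. The sample message, host names and the one-hour threshold are constructed assumptions, and a flag is only an indicator, since clocks can be wrong and servers can answer under other names.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the page); IPs are from documentation ranges.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP; Fri, 13 May 2005 21:40:10 -0000
Received: from relay.example.com (relay.example.com [203.0.113.25])
\tby mx.example.net with SMTP; Fri, 13 May 2005 21:40:05 -0000
Received: from pc.home.example (unknown [192.0.2.44])
\tby other.example.com with SMTP; Fri, 13 May 2005 23:55:00 -0000
From: "Sender" <sender@example.com>
Subject: constructed sample

body
"""

# A host must contain a dot, so qmail lines such as "invoked by uid 110"
# or "invoked from network" do not produce a bogus host name.
HOST = r"([\w-]+(?:\.[\w-]+)+)"
FROM_RE = re.compile(r"\bfrom\s+\[?" + HOST, re.I)
BY_RE = re.compile(r"\bby\s+" + HOST, re.I)
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def _first(regex, text):
    match = regex.search(text)
    return match.group(1).lower() if match else None


def parse_hops(raw):
    """Return the Received hops oldest first (bottom of the header block first)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())          # unfold continuation lines
        date_text = flat.rpartition(";")[2]     # timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(date_text.strip())
            if when.tzinfo is None:             # "-0000" parses as naive; treat as UTC
                when = when.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            when = None                         # missing or unparseable date
        hops.append({
            "from": _first(FROM_RE, flat),
            "by": _first(BY_RE, flat),
            "ip": _first(IP_RE, flat),
            "when": when,
        })
    return hops


def audit_chain(hops, max_delay=timedelta(hours=1)):
    """Compare each hop with the one before it; return (hop_index, code, detail)."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        # The server that accepted the mail should be the one handing it on.
        if prev["by"] and cur["from"] and prev["by"] != cur["from"]:
            findings.append((i, "handoff-mismatch", f"{prev['by']} -> {cur['from']}"))
        if prev["when"] and cur["when"]:
            delta = cur["when"] - prev["when"]
            if delta < timedelta(0):
                findings.append((i, "time-reversal", str(-delta)))
            elif delta > max_delay:
                findings.append((i, "long-delay", str(delta)))
    return findings


if __name__ == "__main__":
    chain = parse_hops(SAMPLE)
    for n, hop in enumerate(chain):
        print(n, hop["from"], "->", hop["by"], hop["ip"], hop["when"])
    for finding in audit_chain(chain):
        print("FLAG", finding)
```

Only the topmost Received line is written by your own mail server; everything below it is data supplied by earlier systems, so a clean result does not prove the lower hops are genuine.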

Nikki
December 20, 2010 9:22 AM

Hi, I had some emails sent to me a couple weeks ago, it was Gmail, and I'm pretty sure it was made specifically to disguise themselves. Only thing is, they either changed emails or deleted the account shortly after I kept asking who it was. Is there any way for me to still track this and find out who it is?

Unless you can involve law enforcement to get at information and records from Google, nope.
Leo
21-Dec-2010

Marianna
February 4, 2011 11:00 AM

The trace email tool from http://www.ip-address.org/tracker/trace-email.php is a great, fully automated and free email tracking tool that needs only the email header from the email that you would like to trace back.

Jaimin Rajani
February 19, 2011 10:32 AM

Technolicious: Trace where that email came from - http://www.tech.nolicio.us/2011/02/trace-where-that-email-came-from.html

jbeal1
March 1, 2011 11:15 AM

How do you view email headers in Vista Windows Mail? Under the View menu there is no Options selection. Additionally, View Headers is checked but I can't get to them and I cannot find the info in Vista Windows Email Help file. I received an email that appears to come from my gmail account addressed to my other email address (not gmail) and I did NOT send it. How do people use your email address to send emails and how can I track and stop this?

Right click on the mail summary line in your inbox, click on Properties, and then click on the Details tab.
Leo
04-Mar-2011

Mitchell
March 20, 2011 1:50 PM

An associate from Ukraine is in Moscow and sent an email using a borrowed PC.
The IP address indicated it came from Bangkok, but my associate is in Moscow.
Each device/laptop has its own IP address; therefore no matter where you travel the IP will always point to “Bangkok”?

I did reference the time stamp and it did give me the appropriate hour for Moscow.
Date: Sun Mar 2011 13:36:47 +0300 (time when “send” was pressed)
I am on Pacific Standard Time so there is a 10 hour spread.
My received stamp; Sun Mar 2011 03:36:57

Had my associate's email been written and sent from Bangkok... would not the time stamp have been the 14 hour difference?
My associate's email address is a “mail.ru” email account having been acquired in Ukraine.

To simplify…. Where is my associate? Moscow or Bangkok?

The IP address is assigned to the computer by the ISP it's connecting to. Typically that's the ISP in the location that the computer is connected. But not always. I'm in the Seattle area, but if I dial-up and connect via an ISP in Australia my IP address will be an Australian one. Similarly the time on an email is usually defined by the computer sending the email - and if that computer's time is set wrong then the time can easily be wrong. You see this a lot in spam where they fake the time to be from the future so as to appear at the top of your inbox. Short answer: still no way to really know for sure.
Leo
20-Mar-2011

dino
April 1, 2011 6:49 PM

Outlook, they're hidden by default, so with the message open, click on View, and then Options, and you'll see a box labeled Internet Headers.
Using office pro plus 2010 outlook. When I receive an email all I have at the top is File and Message.
No view. I got lucky and found it. Click message. Open ribbon. Click on the tiny tags down arrow. At the bottom is the "internet headers" tiny box and tiny letters.

I clicked inside the box, did control+a, control+c for copy and pasted opened a new email, clicked inside the box where you enter text, then control+v to paste. Much easier to read. Thanks for reminding me about the headers, this may be helpful.

shaz
August 28, 2011 11:31 AM

Hi,

My girlfriend recently had her Hotmail account hacked into. When we traced the IP address we found that it matched up to mine. How would someone gain access to my IP address and how do we track it to the original IP address? We still have the headers, what do we look for?


Regards shaz

jackie
January 18, 2012 11:26 AM

How can i tell if an email that is sent to me will tell the sender of the email that i have opened it?

Make sure images are not displayed, and do not click on any links contained in the email.
Leo
18-Jan-2012

Preciosite
January 24, 2012 2:22 AM

I could find out all the above from an internet search. All I wanted to know was: is there a way to find out whether the email was sent by a mobile phone or a laptop????
Is there a way to find that out? I can trace the IP. Mails sent from the same origin gave me different IPs: one shows broadband, another shows a Hotmail server and another shows a private IP address. Is it possible?

Mikhus
February 27, 2012 3:26 AM

To help users read the headers I've written a tool, which is available here: http://smart-ip.net/trace-email

Actually it does the basic analysis of the headers and provides human-readable conclusions. It's just much faster to analyze with the tool than to read the headers in a plain format.

Hope it helps at least someone.

Best regards,
Mike

R unknown
February 6, 2013 9:29 AM

Thank you for helping me. Because of you I wasn't scammed again.
