Yesterday I posted an article about tracing hackers that try to get into your system. Today I give you one about tracing an email back to its original sender.
The first thing you have to do is to enable email headers. The site (no longer available, link removed) shows you how to do so using Gmail, Yahoo Mail and MSN Hotmail. All desktop clients should support this feature as well. Email Headers show you additional information about the email, for example the first server that received the email from the sender or IP addresses.
Here is an example of how to display headers on Gmail. Open the email that you want to check, and click on the small down arrow icon in the "from" line. A menu pops up, and you need to select "show original" from it to display all email headers.
After explaining how to configure your mail software to display email headers, the site explains the important headers in detail. This is necessary to understand how to use them to trace an email message back to its original sender. Finally, the last part of the article shows you how to trace the sender by looking up the sender's IP address on the Internet. Again, this is only helpful if the email was not relayed through botnets, cracked servers or other means of disguising the spammer's original IP address.
Update: You can enable all email headers in Mozilla Thunderbird the following way: Click on View > Headers > All. This should enable detailed headers that you can use to analyze where the email is coming from.
Once you have configured email headers, you need a basic understanding of what you should be looking for to use them effectively. The key point is that the sender of an email does not send it directly to you. The email is first sent to the sender's email provider, from where it usually passes through a number of servers before it reaches your email provider's server, from where you retrieve it in your email client.
To find the sender's IP address, you need to look for the header X-Originating-IP. If that header is not displayed, you need to look at the first received server to find the IP address of the sender. Keep in mind that the IP can still be fake, e.g. if a proxy was used.
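Servers prepend a Received header at each hop, so the earliest hop (the one closest to the sender) is the last Received header in the list. The following added example (not from the original article or the site it links to) parses a constructed sample message, walks the Received chain from first hop to last, skips LAN addresses that say nothing about the sender, and prefers X-Originating-IP when present. The hostnames and IPs in the sample are made up.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not a real email). Received headers are
# newest-first, so the bottom one is the first hop after the sender's client.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
 by mail.example.org with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from smtp.example.net (smtp.example.net [203.0.113.5])
 by mx.example.net with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [192.168.1.20] (unknown [192.0.2.44])
 by smtp.example.net with ESMTPSA; Mon, 1 Jan 2024 10:00:01 +0000
From: someone@example.net
To: you@example.org
Subject: test

hello
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
# Addresses that only identify a client's own LAN, not its public origin.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

def public_ips(text):
    """All syntactically valid, non-LAN IPv4 addresses found in a header."""
    out = []
    for ip in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the regex but is not an IP
        if not any(addr in net for net in LAN_NETS):
            out.append(ip)
    return out

def received_hops(raw):
    """Public IPs from the Received chain, first hop (nearest sender) first.
    Only headers added by servers you trust are reliable; earlier ones can be forged."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        ips = public_ips(hdr)
        if ips:
            hops.append(ips[0])
    return hops

def origin_ip(raw):
    """X-Originating-IP if present, otherwise the first Received hop."""
    msg = message_from_string(raw)
    xoip = public_ips(msg.get("X-Originating-IP", ""))
    if xoip:
        return xoip[0]
    hops = received_hops(raw)
    return hops[0] if hops else None
```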
Update 2: The original site is no longer available on the Internet, and we have removed the link pointing to it from this article as a consequence.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.