Most people won’t notice this, but emails actually arrive in your inbox with a “˜receipt’, which contains a lot of information about the sender. In order to find the sender’s identity, we only need to retrieve an IP address, but inside the email header we can also find the originating domain, reply-to address and sometimes even the email client, for example Thunderbird.
Why would you want to find out the identity of the sender? Well, you may have heard of shady email scams or emails supposedly from Paypal inviting you to re-enter your personal information. Now, you can determine if an email is truly from the authentic source.
Accessing the email header is different for every email provider or email application, and sometimes, it is even hidden. In most of the cases however, the option to reveal the full header will be somewhere in the area where the subject and sender name are provided.
For example, the Yahoo! Mail header is in the upper right corner of the sender box, which is pointed out in the screenshot above. When you click Show Original, a text file will open in a new tab. This file contains all the necessary headers at the start. They are highlighted in screenshots.
And this is how the full email header appears in Yahoo! Mail:
For Gmail, the header is hidden under “˜Show Original’ – which will show you the complete email in plain text, including the header.
The example below is the header from an email I received in GMail.
In order to find out the IP address of the original sender, we need to look closely at the first half of the header. Somewhere in there, you’ll find a domain name and an IP address. Particularly, take a closer look at the term “˜Received: from’:
The first “˜Received: from’ line gives us the IP address of the server which forwarded the email to my Gmail address.
Received: from smtp110.biz.mail.mud.yahoo.com(smtp110.biz.mail.mud.yahoo.com [220.127.116.11])
If we continue our search, the second “˜Received: from’ line gives us the originating IP address.
Received: from unknown (HELO ?192.168.0.100?) (firstname.lastname@example.org with plain)
This means that Chaz, located at 18.104.22.168 sent me an email.
The next line will only appear if the email was sent using an email application residing on the sender’s computer, like Thunderbird or Apple Mail. In our case:
X-Mailer: Apple Mail (2.753.1)
If the user sent the email using the web interface, the string would have looked like this:
Received: from [22.214.171.124] by web56706.mail.re3.yahoo.com via HTTP
We have the originating IP address 126.96.36.199 . To find out who’s behind that IP address we need to do a reverse DNS lookup using a web service like DomainTools, the command line or from “˜Network Tools’ in Ubuntu.
In our case, we know that someone called Chaz from Atlanta, using Cox Communications – with an IP address 188.8.131.52, depending on the subnet mask, sent that email.
Alternatively, you could use a tool called Email Trace, that does the whole operation for you after inputing the full email header into the text box. It might not always work, so knowing how to do it the old fashion way might come in handy.
This proves useful if you’re trying to report a spammer to your ISP, find out where a certain person is located at the moment, or help you spot phishing emails. For example, PayPal couldn’t have sent an email from an IP address in China.
If you know other good uses for this procedure, please share it with us in the comments.
Image credit: nekto_nektov