
How to track original location of an email via its IP Address

Tracking the IP address of an email sender does require looking at some technical details, so be ready to dig your heels in! There are basically two steps involved in the process of tracking an email: find the IP address in the email header section and then look up the location of the IP address. First things first, you need to get familiar with email headers and their characteristics.

Email Header
An email consists of three vital components: the envelope, the header(s), and the body of the message. The envelope is something that an email user will never see since it is part of the internal process by which an email is routed. The body is the part that we always see as it is the actual content of the message contained in the email. The header(s), the third component of an email, is perhaps a little more difficult to explain, though it is arguably the most interesting part of an email.

Header
In an e-mail, the body (content text) is always preceded by header lines that identify particular routing information of the message, including the sender, recipient, date and subject. Some headers are mandatory, such as the FROM, TO and DATE headers. Others are optional, but very commonly used, such as SUBJECT and CC. Other headers include the sending time stamps and the receiving time stamps of all mail transfer agents that have received and sent the message. In other words, any time a message is transferred from one user to another (i.e. when it is sent or forwarded), the message is date/time stamped by a mail transfer agent (MTA), a computer program or software agent that facilitates the transfer of email messages from one computer to another. This date/time stamp, like FROM, TO and SUBJECT, becomes one of the many headers that precede the body of an email.

To really understand what an email header is, you must see one. Here is an example of a full email header*:
Return-Path: <example_from@dc.edu>
X-SpamCatcher-Score: 1 [X]
Received: from [136.167.40.119] (HELO dc.edu) by fe3.dc.edu (CommuniGate Pro SMTP 4.1.8) with ESMTP-TLS id 61258719 for example_to@mail.dc.edu; Mon, 23 Aug 2004 11:40:10 -0400
Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 23 Aug 2005 11:40:36 -0400
From: Taylor Evans <example_from@dc.edu>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Jon Smith <example_to@mail.dc.edu>
Subject: Business Development Meeting
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

* Email headers should always be read from bottom to top.

Headers Provide Routing Information

Besides the most common identifications (from, to, date, subject), email headers also provide information on the route an email takes as it is transferred from one computer to another. As mentioned earlier, mail transfer agents (MTAs) facilitate email transfers. When an email is sent from one computer to another it travels through an MTA. Each time an email is sent or forwarded by an MTA, it is stamped with a date, time and recipient. This is why some emails, if they have had several destinations, may have several RECEIVED headers: there have been multiple recipients since the origination of the email. In a way it is much like the way the post office would route a letter: every time the letter passes through a post office on its route, or if it is forwarded on, it will receive a stamp. In this case the stamp is an email header. When viewed in their entirety, these multiple recipient headers will look like this in an email:
Received: from tom.bath.dc.uk ([138.38.32.21] ident=yalrla9a1j69szla2ydr) by steve.wrath.dc.uk with esmtp (Exim 3.36 #2) id 19OjC3-00064B-00 for example_to@imaps.bath.dc.uk; Sat, 07 Jun 2005 20:17:35 +0100
Received: from write.example.com ([205.206.231.26]) by tom.wrath.dc.uk with esmtp id 19OjBy-0001lb-3V for example_to@bath.ac.uk; Sat, 07 Jun 2005 20:17:30 +0100
Received: from master.example.com (lists.example.com [205.206.231.19]) by write.example.com (Postfix) with QMQP id F11418F2C1; Sat, 7 Jun 2005 12:34:34 -0600 (MDT)

In the example shown above, there are three Received: stamps. Reading from the bottom upwards, you can see who sent the message first, next and last, and you can see when it was done. This is because every MTA that processed the email message added a Received: line to the email's header. These Received: lines provide information on where the message originated and what stops it made (which computers) before reaching its final destination. As the example shows, these Received: lines provide the email and IP address of each sender and recipient. They also provide the date and time of each transfer. The lines also indicate if the email address was part of an email list. It is all this information that is valued by computer programmers and IT department associates when making efforts to track and stop spam email messages. And it is this information that arguably makes headers the most important part of an email.

Now the obvious question is where to look for the email headers in email clients like Gmail, Yahoo, etc. Let's go ahead and take a look at how you would do this for Google, Yahoo and Outlook, since those are the most popular email clients.

Google's Gmail
1. Log into your account and open the email in question.
2. Click on the down arrow that's to the right of the Reply link. Choose Show Original from the list.

Now here's the technical part that I was telling you about earlier! You need to look for the lines of text that start with "Received: from". It might be easier to simply press Ctrl + F and perform a search for that phrase. You'll notice that there are several "Received: from" lines in the message header. This is because the message header contains the IP addresses of all of the servers involved in routing that email to you.

This is an example header from my Yahoo inbox:


From Shiv Shankar Tue Aug 17 10:11:50 2010
X-Apparently-To: ankitnayak007@ymail.com via 98.138.85.133; Tue, 17 Aug 2010 03:11:53 -0700
Return-Path: <shiv199008@yahoo.in>
Received-SPF: none (mta1041.mail.sp2.yahoo.com: domain of shiv199008@yahoo.in does not designate permitted sender hosts)
X-YMailISG: q0yH0JMcZAraxPsZJcxIvd6ae1Bvp8VnK2ljebrIOsV8A6GH msanW0PJiLmhKETIi8eRg3yMMKuWafuYVEH9dwJxOJCdBr4DJor65GPnaccw 7QT4XdQb0v9gQa2437.HEasnv4erIYGpw3_m7EOmn3HJDNKajxx3vfEfnBIp VVIvZC8p8gBrROakm4Ey9k2zeBB.ZIgOrfFOesouXi881Cec0r_XGYq1ZKcl 7B3.wvXAEu_McSglxkTolpDF1nZ6exCa0nBz90iGKncKZZqTCik.W0cd38FG 6oyZnw6KSRyZcAynpFrvfyhGohNjypC_SCDlOIzDQhDRqgju0.HrpjYgUJlz 0aYnv5hqk6PxIcQbnbSyCDtpPBFAAkWhgA36bHykvdAwQLSZvpWFJwRJnVZK ElqeiiULLxFjAl8BBgrf32CQusyr32SFpUMjE1AJp44CNUEyxeNu_dyq3Hp9 F4dppY4ZY730KgEYhJh9igdVkir5M3zdD8CjdWWKAOFLu0vaujtFfH6KQSWz S4kNfBaDLtaZ3CEBalXL41MivtoWHZE_p6IbeE3d1aQjxhoxLxrZZn28ogRW RqCUR3lW2Fsolei5sUs7TtIBxastnnIQWVh_gsH_nd0y2h33NDg7j_eR196Z CennsUeImMgXfrOIYTRLmQB4N6r1Z31Y349qQO0KqHQSAKT6sqCv5rGHvtFr qK4
X-Originating-IP: [202.86.4.193]
Authentication-Results: mta1041.mail.sp2.yahoo.com from=yahoo.in; domainkeys=pass (ok); from=yahoo.com; dkim=pass (ok)
Received: from 127.0.0.1 (202.86.4.193) (HELO n9-vm0.bullet.mail.in.yahoo.com) by mta1041.mail.sp2.yahoo.com with SMTP; Tue, 17 Aug 2010 03:11:53 -0700
Received: from [202.86.4.171] by n9.bullet.mail.in.yahoo.com with NNFMP; 17 Aug 2010 10:11:51 -0000
Received: from [203.104.17.88] by t2.bullet.in.yahoo.com with NNFMP; 17 Aug 2010 10:11:51 -0000
Received: from [127.0.0.1] by omp102.mail.in2.yahoo.com with NNFMP; 17 Aug 2010 10:11:51 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 505278.79693.bm@omp102.mail.in2.yahoo.com
Received: (qmail 82129 invoked by uid 60001); 17 Aug 2010 10:11:51 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1282039911; bh=9RGCNNWX6YRXDfR337y6YaE+0dUdjaqgxlL5jz1BcNA=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=jNF9syVY1QqTD+/jZ+UMZVl1dyaXWChd+pND5u3Gbnqn6Yr/VV/Dt2nmjv0ytRpUCgT49uOqnsA 6UhlqHxCIbKvOYEwcwEDHL5Ynvw/uNfOKKr+tK6G9BlEViIZe1uBudZyh28MSOXNwUng4B8Z+z7uq 8wLEZwL5FP+ikkNI5mI=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.in; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=sgWp1gPVRcqf+v7BAM9WCbfmOPqX25/q4HqK/ml2oxEyFy1HOLenBsZ+Iiy7gMTWpVjrLBWdC9H n+2seMGL1/s6d6rJl9598GQzuF4ASLXgfiBKnFCNvnIrliWNj8uySoVOZGhMrmtszup0PfI3d0LOQ ZLHOJS2dngcGZ6sAvDg= ;
Message-ID: <974281.81844.qm@web95712.mail.in.yahoo.com>
X-YMail-OSG: H3c9HFkVM1naCdJ1l5ZhOKfy4qEhFjiLjPs0spZ8mT7BOyR .p2WHS58IWvf1mhHBB8hFjQfCZhDj3KtyFEn0v8v8EkjKOPg7sD7rkcV5VLu 3IJo0ZjHSJGmQygUofEXBORxtFEpMgomLEptau4kHEPJWSNyKhVlaIYSwbXk gfigXbKhac4zS0UYA7iebOfto9Y9ytM6YIiuW
Received: from [117.254.249.147] by web95712.mail.in.yahoo.com via HTTP; Tue, 17 Aug 2010 03:11:50 PDT
X-Mailer: YahooMailClassic/11.3.2 YahooMailWebService/0.8.105.279950
Date: Tue, 17 Aug 2010 03:11:50 -0700 (PDT)
From: Shiv Shankar <shiv199008@yahoo.in>
Subject: qwwqwq
To: ankitnayak007@ymail.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-187675209-1282039910=:81844"
Content-Length: 413

To find the first computer that originally sent the email, you'll have to find the "Received: from" line that's farthest DOWN. As you can see from the above header, the first one is from a computer with the IP address 117.254.249.147. Then it was routed to the email server at 203.104.17.88, then to 202.86.4.171, then 202.86.4.193, and so on until it got to my inbox.

So the system the email came from is 117.254.249.147, which is traced to Calcutta, West Bengal, and the name of the ISP is NIB (National Internet Backbone), which is BSNL's server. The next IP, 203.104.17.88, is traced to Mumbai, Maharashtra; the ISP is Peninsula Corporate Park and the name of the server (hostname) is omp102.mail.in2.yahoo.com, which is one of Yahoo's email servers in India. The next two IPs are also traced to Mumbai, and their ISP is also the same, i.e. Peninsula Corporate Park, but their hostnames differ: for 202.86.4.171 it is t2.bullet.in.yahoo.com and for 202.86.4.193 it is n9-vm0.bullet.mail.in.yahoo.com. This means the email traveled through 3 Yahoo servers in Mumbai before it finally reached me.

Ultimately, if you need to get the information of the sender of the email, all you need to do is contact BSNL's Calcutta office and ask for information on the IP 117.254.249.147, which was hosted by its server when the email was sent. All the ISPs in India maintain logs for more than six months; they'll provide you the name, address and phone number of the sender.

I'll go through Yahoo and Outlook before talking about tracking the location of that IP address.

Yahoo Mail Beta
1. Log into your account and open the email (if you're using Yahoo Mail Beta with the new preview interface, make sure you double-click on the email so that it opens in a new tab).
2. At the top right, you'll see there is a drop-down option for Actions.
3. Click on it and choose View Full Header.

Microsoft Outlook
1. Open the email in Outlook by double-clicking on it.
2. Go to View at the top menu (the menu options for the email, not the main Outlook window) and choose Options. You'll get a dialog box where you can set the message options, and at the bottom you'll see the Internet Headers box.

Now the most important part comes, which is tracking the location of an IP address. Now that we have our originating IP address, let's find out where that is! You can do this by performing a location lookup on the IP address. My favorites are What Is My IP Address, IP2Location and GeoBytes IP Locator. [Note: you can also use the tracert command in the command prompt; it gave me the hostname for 202.86.4.193, i.e. n9-vm0.bullet.mail.in.yahoo.com.]

But sometimes this will not give the current location of the IP, because the IP that was yours when you sent the mail may not be yours anymore, since every time you connect to the internet you are assigned a new IP address.

Now for more information you can use the WHOIS command to search for the IP. This will give you information on who hosts that IP address and their registration information. You can always contact them to try and find more information on that particular IP address. (By default the WHOIS command is not available in a Windows environment; you can use it in Linux or you can use a WHOIS database search online.) One thing I missed out is that Gmail includes private IP addresses in its headers, and it is very difficult to trace those private IPs, but other email service providers use public IPs in their email headers, so it's easier to trace Yahoo and Outlook emails than Gmail.
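As an added example (my code, not part of this tutorial), the script below does the bottom-up walk of the Received: chain described above and skips loopback and private addresses such as the ones Gmail inserts, so the oldest public IP is what it reports. The sample header is a constructed, trimmed copy of the Yahoo example earlier on this page.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a trimmed copy of the Yahoo header shown above, not the original message.
SAMPLE = """\
Received: from 127.0.0.1 (202.86.4.193) (HELO n9-vm0.bullet.mail.in.yahoo.com)
 by mta1041.mail.sp2.yahoo.com with SMTP; Tue, 17 Aug 2010 03:11:53 -0700
Received: from [202.86.4.171] by n9.bullet.mail.in.yahoo.com with NNFMP; 17 Aug 2010 10:11:51 -0000
Received: from [203.104.17.88] by t2.bullet.in.yahoo.com with NNFMP; 17 Aug 2010 10:11:51 -0000
Received: from [127.0.0.1] by omp102.mail.in2.yahoo.com with NNFMP; 17 Aug 2010 10:11:51 -0000
Received: from [117.254.249.147] by web95712.mail.in.yahoo.com via HTTP; Tue, 17 Aug 2010 03:11:50 PDT
Subject: constructed sample
"""

# Loose dotted-quad matcher; is_public() rejects anything that is not a real address.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_public(ip):
    """True for globally routable addresses; loopback, RFC 1918 and link-local are False."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
        return False


def received_hops(raw):
    """One (from_ips, by_host) tuple per Received: header, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):  # bottom of header = first hop
        text = " ".join(value.split())  # unfold continuation lines
        from_part, _, rest = text.partition(" by ")
        by_host = rest.split()[0] if rest else ""
        hops.append((IP_RE.findall(from_part), by_host))
    return hops


def originating_ip(raw):
    """First public IP found reading the Received: chain bottom-up, or None."""
    for ips, _ in received_hops(raw):
        for ip in ips:
            if is_public(ip):
                return ip
    return None


if __name__ == "__main__":
    for ips, host in received_hops(SAMPLE):
        print(f"{', '.join(ips) or '(no IP)'} -> {host}")
    print("originating:", originating_ip(SAMPLE))
```

Only hops written by servers you trust are reliable: every Received: line below the first one added by your own provider was supplied by the sending side and could have been forged.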

I think you need another tutorial on private and public IP addresses. Take care! Bye.

Summary: A good rule of thumb is to begin at the bottom and work your way up in the headers to determine where an email is from. Have fun tracking down those emails!

[~AN~]
ankitnayak007@gmail.com
