
So you'd like to find out just who is sending those email love letters, determine the sender of a blackmail message, or just root out the source of a virus emailed to you. There are many such situations where you would like to know who sent a particular email message to you. This article will teach you how to use "Email Headers" to backtrack and find the original sender's IP address. Don't worry, it's not rocket science. If it were, SPAM would still only be canned meat and an amusing Monty Python skit!

Theory...

Email messages, as in the case of their non-electronic cousins, have "envelopes" of a sort. In the case of email the envelope is composed of a series of "Headers". These are just a series of lines of characters which precede the actual email message. Email programs such as Outlook do not normally display these Headers when displaying a message. From these Headers however, the email program is able to extract important information about the message, such as the message encoding method, the creation date, the message subject, the sender and receiver, etc.

Moreover, just as a postal envelope contains an address, a return address and the cancellation stamp of the post office of origin, an email message in these "Headers" carries with it a history of its journey to your email inbox. Because of this, it's possible to determine the original IP address of the sender.

Since email programs do not normally display these Headers, we must first learn how to display them. Depending on the program, this is done in a variety of ways. The following sequence details the way to do this using the Windows default email program, "Outlook Express".
First, select "Properties" from the "File" Menu, or just press ALT+Enter. Next, select the "Details" tab.

Here's how to view the Headers in the Microsoft Office version of Outlook:

  • Open a message.
  • On the View menu, click Options.
    Note: If you do not see the Options command, make sure you click View on the toolbar in an open message window. The View menu on the standard Outlook toolbar does not have the Options command.
  • The Header information appears under the Delivery options in the Internet Headers box.

See how to show email headers in Yahoo, HotMail, Gmail, and AOL web mail.

As you can see in these pictures, a Header consists of two sections separated by a colon ":". The first part is the Header's name. The second is the Header's data. In the case of postal mail, in principle, it is possible to write any kind of information (c/o, suite or apartment number, etc.) into the address information. Similarly, email Headers can carry any kind of information. Usually, however, an email message will contain at least the following basic Headers:

Header Name    Header Data                                       Sample
To:            The name and email address of the recipient       To: "John Doe"
From:          The name and email address of the sender          From: "Alice Smith"
Date:          Date the message was created                      Date: 1 Nov 2004 22:49:20 -0000
Subject:       The subject of the message which follows          Subject: How are you?
               the Headers
Return-Path:   The email address for responding to the message   Return-Path:
Received:      Delivery stamp                                    Received: from [67.66.123.205]
                                                                 by web41013.mail.yahoo.com via HTTP;
                                                                 Sun, 25 Apr 2004 23:13:34 PDT

In some cases, some of these Headers may be absent.
To determine the address of origin, special attention must be paid to the 'Received:' Headers. These are the Headers highlighted in our screenshot illustration. 'Received' Headers have the following format:

Received: from [computer name and/or IP address from sender]
by [server name] (maybe Internet protocol too); date.

Sample:
Received: from [67.66.123.205]
by web41013.mail.yahoo.com via HTTP; Sun, 25 Apr 2004 23:13:34 PDT

Briefly this means that the server web41013.mail.yahoo.com received the message from the IP address 67.66.123.205 on the 25th of April 2004, at 11:13:34 pm PDT via the HTTP protocol (i.e. through the web).

So, as we have seen, it is from the 'Received' Header that we retrieve the IP address or domain name. Using this IP address, Active Whois is able to look up additional information such as associated postal and email addresses. You can easily select the IP address in the Outlook Internet Headers box and copy it to the clipboard with CTRL-C.

We are faced with an additional problem, however. Email messages frequently contain more than one 'Received' Header. How can we know which of these several Headers contains the originating IP address belonging to the sender? 'Received' Headers are prepended to the front of the email message as it travels through the internet to your email inbox, so the top-most one was added last and the bottom-most one was added first. The flow diagram below will show you how these 'Received' Headers are appended to the message as we travel backwards from the receiver to the sender:
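To make the two points above concrete (the "from ... by ...; date" shape of a 'Received' stamp, and the fact that each relay prepends its stamp so the bottom-most one is the hop closest to the sender), here is an added Python example that is not part of the original article. It parses a constructed message with three 'Received' Headers; the web41013.mail.yahoo.com / 67.66.123.205 hop is the article's own sample, while the other relay names, addresses and the function names (parse_received, trace_hops, originating_ip) are made up for this example.

```python
import re
from email import message_from_string

# Constructed sample message. The bottom 'Received' line is the article's own
# sample; the two relays above it and the rest of the message are made up.
# Relays prepend their stamp, so the top stamp is the last hop (our own server)
# and the bottom stamp is the first server that saw the message.
SAMPLE_MESSAGE = """\
Received: from mta.example.net (mta.example.net [198.51.100.7])
    by inbox.example.org with ESMTP; Mon, 26 Apr 2004 06:20:11 +0000
Received: from web41013.mail.yahoo.com (web41013.mail.yahoo.com [203.0.113.9])
    by mta.example.net with SMTP; Sun, 25 Apr 2004 23:14:02 -0700
Received: from [67.66.123.205]
    by web41013.mail.yahoo.com via HTTP; Sun, 25 Apr 2004 23:13:34 PDT
From: "Alice Smith" <alice@example.com>
To: "John Doe" <john@example.org>
Subject: How are you?
Date: 1 Nov 2004 22:49:20 -0000

Hi John, how are you?
"""

# 'from <sender host/IP> by <receiving server> [protocol]; <date>'
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)(?P<rest>.*?);\s*(?P<date>.+)$",
    re.IGNORECASE,
)
# Dotted-quad IPv4 address anywhere in the 'from' part (bare or in brackets).
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Split one 'Received' header value into its from / by / protocol / date
    parts. Returns None when the value does not follow the expected shape."""
    flat = " ".join(value.split())  # unfold continuation lines
    match = RECEIVED_RE.match(flat)
    if not match:
        return None
    ip = IP_RE.search(match.group("from"))
    return {
        "from": match.group("from"),
        "from_ip": ip.group(1) if ip else None,
        "by": match.group("by"),
        "protocol": match.group("rest").strip() or None,
        "date": match.group("date").strip(),
    }


def trace_hops(raw_message):
    """Return the delivery path in chronological order (sender side first).
    Headers are stored top-down, newest first, so the list is reversed."""
    msg = message_from_string(raw_message)
    stamps = msg.get_all("Received") or []
    hops = [hop for hop in (parse_received(s) for s in stamps) if hop]
    return list(reversed(hops))


def originating_ip(raw_message):
    """IP address in the earliest (bottom-most) 'Received' stamp: the address
    the first mail server saw the message arrive from."""
    hops = trace_hops(raw_message)
    return hops[0]["from_ip"] if hops else None


if __name__ == "__main__":
    for number, hop in enumerate(trace_hops(SAMPLE_MESSAGE), start=1):
        print(f"hop {number}: {hop['by']} received it from {hop['from']} "
              f"({hop['protocol']}) on {hop['date']}")
    print("originating IP:", originating_ip(SAMPLE_MESSAGE))
```

One caveat when reading the result: a sender controls everything below the stamp added by the first server you trust, so a forged 'Received' line can be placed at the bottom before the message is ever handed to a real relay. Work down from your own provider's stamp and treat the "from" address in the lowest stamp written by a server you trust as the strongest evidence, not whatever happens to be on the last line.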
