I’ve gotten a couple requests for how to trace emails by the sender’s IP. I am going to keep this short and sweet because it’s really simple and I want everyone to get the basic concepts so they can use them in pretty much any email client or service.
The most important point in the whole process is knowing what “email headers” are. Email headers are usually hidden by default in most web-based email clients. That’s probably why you haven’t seen one in a bit. Basically all you need to know is that the header of an email contains all the information that both your email service and the sender’s email service use to get the email from the sender to you. This includes the IP address of both the sender and you, the receiver. Not all headers look alike: Gmail displays its headers differently from Hotmail, and so on. Just remember, you are trying to get the information in the FULL header of the email you want to trace.
Now for the easy part:
To find the IP of the sender in Gmail you have to click the little blue triangle in the upper right-hand corner of the email from the sender. That will show you a drop-down menu. In this menu select SHOW ORIGINAL. You will get a new window or tab with all the header information for the email at… you guessed it… the header is at the top. Look for the line that reads “Received: from BLAH BLAH”. The sender’s IP is in brackets, like this [127.0.0.1].
For Hotmail, Yahoo and AOL you have to go into your settings, sometimes called “Email Display Settings”, and find the setting that will display email headers. For Hotmail it’s in an advanced setting under “headers”. It’s pretty much the same for Yahoo and AOL as well.
If you use Outlook or Thunderbird, just look for the email display setting that shows full headers.
Remember, you are looking for this line in the header: “Received: from”. If you pick the IP in brackets from a “Received:” line with no “from”, then you are probably going to wind up tracing yourself.
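The header check described above, as an added example that is not part of the original post: a Python script that reads raw headers, keeps only the “Received: from” lines, pulls the bracketed IP out of each one, and returns the oldest hop that is not a loopback or LAN address. The sample headers are constructed and the function names are hypothetical; note that Received lines written before your own provider's servers handled the message come from the sending side and can be forged.

```python
import email
import ipaddress
import re

# Constructed sample headers; the public addresses are documentation ranges.
SAMPLE = """\
Delivered-To: you@example.org
Received: by 10.0.0.5 with SMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.example.net (mail.example.net [198.51.100.7])
    by mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from sender-pc (unknown [203.0.113.45])
    by mail.example.net with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
    by sender-pc with SMTP; Mon, 1 Jan 2024 09:59:59 +0000
Subject: hello
"""

BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_local(ip):
    """True for loopback, link-local and private-LAN addresses."""
    return ip.is_loopback or ip.is_link_local or any(ip in n for n in LOCAL_NETS)

def received_from_ips(raw):
    """Bracketed IPs from 'Received: from' headers, newest hop first."""
    msg = email.message_from_string(raw)
    found = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())       # unfold continuation lines
        if not text.lower().startswith("from "):
            continue                         # 'Received: by ...' is your own side
        from_part = re.split(r"\sby\s", text, maxsplit=1)[0]
        match = BRACKETED.search(from_part)
        if match:
            try:
                found.append(ipaddress.ip_address(match.group(1)))
            except ValueError:
                pass                         # bracketed text that is not an IP
    return found

def candidate_origin(raw):
    """Oldest 'Received: from' hop whose address is not local, or None."""
    for ip in reversed(received_from_ips(raw)):
        if not is_local(ip):
            return str(ip)
    return None
```

Paste the text from SHOW ORIGINAL in place of `SAMPLE` and call `candidate_origin()` on it; a result of `None` means no “Received: from” line carried a non-local bracketed address.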
Now, you have an IP address (hopefully someone else’s) … what to do.
Well, you copy that IP and paste it into http://www.ip-address.com.
ET VOILA!!! You get a map and everything.
Ok, everybody set on that? If not, then here’s a link to a video that is pretty easy to follow: CLICKY CLICKY (couldn’t post it ’cause it’s on Metacafe; hint, WordPress: add support for Metacafe)
BTW – I gave it a check and using TOR does seem to really confuse the heck out of mail servers, so the IP isn’t anywhere in plain sight. For more info on how to use TOR see our previous post: Tutorial: On Secure Anonymity With Tor – SSH, and SOCKS (n00b approved)