Huge Collections of Software Manuals and Knowledgebase

GreatManuals.com

Sender's IP Address

For tracking purposes, we are most interested in the from and by tokens in the Received header field. In general, you are looking for a pattern similar to:

Received: from BBB (dns-name [ip-address]) by AAA ...
Received: from CCC (dns-name [ip-address]) by BBB ...
Received: from DDD (dns-name [ip-address]) by CCC ...

In other words, mail server AAA received the email from BBB and records as much information about BBB as it can, including the IP address BBB used to connect to AAA. This pattern repeats on each Received line. The syntax of the from token usually looks like:

name (dns-name [ip-address])

Where:

  • name is the name the computer has given itself. Most of the time we never look at this name because it can be intentionally misnamed in an attempt to foil your tracking (but it may leak the Windows computer name).
  • dns-name is the reverse DNS lookup on the ip-address.
  • ip-address is the IP address of the computer used to connect to the mail server that generated this Received header line.

So, the ip-address is gold to us for tracking purposes.

The by token syntax just provides us with the name that the mail server gives itself. But since the last mail server could be under the control of a spammer, we should not trust this name.

So what is crucial for tracking is to pay attention to the trail of ip-addresses in the from tokens, and not necessarily the host names provided to us in the by tokens. Hopefully an example will make the reason very clear:

1: Received: from tes1a623.OneMail.com.sg ([203.127.89.129]) by visualroute.com (8.11.6) id f9CIVSk24480; Tue, 12 Oct 2004 12:31:29 -0600 (MDT)
3: Received: from drb.com (IIM1608 [203.127.89.138]) by tes1a623.OneMail.com.sg with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)

If you ignore line 1, you would conclude from line 3 that mail server tes1a623.OneMail.com.sg sent you an email, but this would be wrong. When you trace to the host name tes1a623.OneMail.com.sg, you are actually tracing to the IP Address lookup on that host name, which is 192.9.200.230. But as you can see from line 1, the IP Address used was really 203.127.89.129. Do not be fooled by this attempted misdirection by spammers and fraudsters.

Determine the IP Address of the Sender: Using the example email headers above and analyzing the Received header lines we can conclude:

  • A Visualware employee received an email
  • which came from visualroute.com (line 1)
  • which came from tes1a623.OneMail.com.sg (line 1; line 3 confirms)
  • but whose ip-address used was 203.127.89.129 (line 1)
  • which came from drb.com/IIM1608 (line 3)
  • but whose ip-address used was 203.127.89.138 (line 3)
  • So, we have just tracked this email to the source -- IP Address 203.127.89.138.
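
The walk through the Received lines above, as an added Python example (not part of eMailTrackerPro or the original manual). It takes the bracketed ip-address from each from token instead of resolving host names, and checks that a lower header's by name confirms the from name above it. The names Hop, parse_hops, ip_trail and confirmed are illustrative, and the sample message is constructed from the page's two Received lines.

```python
import email
import ipaddress
import re
from typing import NamedTuple, Optional

# from token: name (dns-name [ip-address]); dns-name may be missing (line 1 on the page)
FROM_RE = re.compile(r"\bfrom\s+(\S+)\s+\((?:([^\s\[\]]+)\s+)?\[\s*([^\]\s]+)\s*\]\)")
BY_RE = re.compile(r"\bby\s+(\S+)")

class Hop(NamedTuple):
    name: str                 # what the connecting host called itself (untrusted)
    dns_name: Optional[str]   # text before the bracket, if any
    ip: Optional[str]         # address the receiving server saw
    by: Optional[str]         # name the receiving server gives itself

def parse_hops(raw_message):
    """Return one Hop per Received header, newest (top of message) first."""
    hops = []
    for value in email.message_from_string(raw_message).get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        f, b = FROM_RE.search(text), BY_RE.search(text)
        name, dns_name, ip = f.groups() if f else ("", None, None)
        try:
            ip = str(ipaddress.ip_address(ip)) if ip else None
        except ValueError:
            ip = None                             # bracket did not hold an IP
        hops.append(Hop(name, dns_name, ip, b.group(1) if b else None))
    return hops

def ip_trail(hops):
    """Bracketed IPs in header order; the last one is the earliest recorded hop."""
    return [h.ip for h in hops if h.ip]

def confirmed(upper, lower):
    """True when the lower header's by name matches the upper header's from name."""
    return bool(lower.by) and lower.by.lower() == upper.name.lower()

# Constructed message: the page's two Received lines, folded, plus a dummy subject/body.
SAMPLE = (
    "Received: from tes1a623.OneMail.com.sg ([203.127.89.129])\n"
    "\tby visualroute.com (8.11.6) id f9CIVSk24480;\n"
    "\tTue, 12 Oct 2004 12:31:29 -0600 (MDT)\n"
    "Received: from drb.com (IIM1608 [203.127.89.138])\n"
    "\tby tes1a623.OneMail.com.sg with SMTP\n"
    "\t(Microsoft Exchange Internet Mail Service Version 5.5.2448.0)\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    print(ip_trail(hops), confirmed(hops[0], hops[1]))
```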

TIP: Practice! Track down the emails received from friends and family. Since you know where they are really located, that will help you to analyze the Internet Headers. You will quickly gain experience and confidence in your ability to track down the computer/person that sent you an email message.
