Where was that email from?

I helped a friend (you know who you are ;-) track down a fraudelent email to an IP address in Nigeria. I always knew this was possible but never had the need to figure out how to do it before.

I found the gory details about reading email headers here.

http://www.stopspam.org/email/headers.html

But the short answer is to enable your email client to show all of the email headers. Start at the bottom of the headers and work your way upward. Email providers like yahoo and gmail and others include the ip address of the sender of the mail i.e. the address of the machine the user was located at when they sent the email.

X-Gmail-Received: 47a9d23e3cc0c5720f2a4f0291794d59cff5c209
Received: by 12.39.223.18 with HTTP; Thu, 2 Mar 2006 21:29:58 -0800 (PST)
Message-ID:
Date: Thu, 2 Mar 2005 21:29:58 -0500
From: "John Doe"
To: John.Doe@gmail.com
Subject: testing
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Delivered-To: john.doe@gmail.com

Look for the last Received: by listing

Received: by 12.39.223.18 with HTTP; Thu, 2 Mar 2006 21:29:58 -0800 (PST)

In the example above the ip address of the sender is 12.39.223.18. (Note I made the IP address up for this example).

Now go to this site http://www.geobytes.com/IpLocator.htm?GetLocation and type in the ipaddress into the form.

Results in the right hand corner

Gaithersburg, Maryland.

Easy right?

TIP: If you have multiple emails where you are trying to track the sender get their ip address from each of the emails. If it differs you'll find that while the lookup will fail for one, it may work for one of the others.