Did you know that every email carries the IP address of the sender, or rather of the computer that sent it? It is not directly visible, but a small trick can spill the beans. To find the IP address from an email, you need to locate the email header; once you have it, the IP address and several other details can be revealed.
Nowadays, some email providers such as Gmail hide the IP address and other information to protect the sender’s privacy. But this also opens a new page in the history of scams, because a quick IP location check can give a receiver the information needed to recognize one.
Email is much more than a message. It is made up of three components: the envelope, the header and the body. The envelope is part of the internal process by which an email is routed. The body is the actual message content.
But what about the header? This is the component of the email that carries the IP address of the computer that sent it.
What is meant by an email header?
The header comes with every email. It contains the routing information, including the sender, recipient, date and subject. It does not include any personal information such as a phone number, house number or street name.
Some header fields are mandatory, like FROM, TO and DATE. Others, like SUBJECT and CC, are optional but ubiquitous. The sender’s IP address is contained in the email header.
Once you have the header information, the originating IP can be used to find out where the message was sent from. It will most likely reveal the city and the ISP the sender used.
But now the question is: how do you locate the header?
Where is the email header located?
Let us discuss how to locate the header inside an email before going into its details.
Let us consider a few of the most common email services.
Gmail
- Log in to Gmail
- Open the message
- Click the down arrow at the top right of the message pane, beside Reply
- Select Show Original
- The full header will appear in a new window
Yahoo
- Log in to Yahoo
- Open the message
- Click Full Headers at the top of the message
- The header appears above the message text
MSN Hotmail
- Log in to MSN Hotmail
- Go to the inbox
- Right-click the email whose headers you want to see
- Select ‘View message source’ from the menu that appears
- The full headers of that email are displayed
Headers give the routing information
Email headers not only provide the common fields like FROM, TO, DATE and SUBJECT, but also record the route the email took when it was relayed from source to destination.
As the email travels, it passes through various MTAs (Mail Transfer Agents). Each MTA, in turn, leaves its mark on the email header, stamping it with the time, date and recipient.
Every MTA that has processed the message adds a “Received:” line to the email header, above the lines already there. When there are many such lines, reading them from the bottom upwards tells you how the email moved towards you.
These “Received:” lines record the address and IP address of each sending and receiving host, along with the date and time of each exchange. They also indicate whether the email address was part of a mailing list.
All this information is vital for programmers and IT professionals who track spammers. That is why email headers are so important.
What does the “Received: From” field look like?
To trace the route of the email, and with it the IP address, it is crucial to decipher the “Received: From” field. At a high level, there are three cases.
When mail is sent between one sender and one receiver
When a sender sends a message directly to a receiver, the “Received: From” field appears once. It appears multiple times, however, in the case of forwarded emails.
If the email is forwarded
In the case of a forwarded message, the last occurrence of this field will have the IP address of the person who delivered the mail to you.
And if the email is from spammers
For a spam or phishing message, the situation is more difficult: spammers intentionally distort this field, which further complicates tracing the sender’s address.
But there is never a dead end. To trace the IP address of the sender in this case, we need the “By” field.
The By field and tracking the address of spammers
The By field tells which server received the mail at that hop, that is, the location from which it was sent on next.
What we need to do is start with the last occurrence of the “Received: From” field. Its entry is matched against the By field of the previous occurrence of the “Received: From” field.
Any entry whose domain names or IP addresses do not match the rest of the header chain should be dismissed. In the end, the last Received: From line that still contains valid information is the one with the actual address of the sender.
There are several other scenarios as well, which are beyond the scope of this article. Spammers and hackers are getting smarter with time, so there are any number of ways in which these email headers can be corrupted.
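The Received: chain walk described above, as an added Python example that is not part of the original article. The message is constructed: every host name and IP is a documentation example, and the bottom Received: line is a deliberately forged hop whose By host links to nothing above it, so it is dismissed and the IP of the last consistent hop is reported instead.

```python
import email
import re

# Constructed sample, not a real message. Each MTA prepends its own Received:
# line, so the top one is the hop nearest to us and the bottom one the earliest.
# The bottom line here was injected by the sender: its "by" host links to nothing.
RAW_MESSAGE = """\
Received: from mx.relay.example (mx.relay.example [203.0.113.10])
\tby inbound.recipient.example with ESMTP; Tue, 3 Mar 2020 10:02:11 +0000
Received: from smtp.sender.example (smtp.sender.example [198.51.100.25])
\tby mx.relay.example with ESMTPS; Tue, 3 Mar 2020 10:02:09 +0000
Received: from [192.0.2.77] (user-pc.sender.example [192.0.2.77])
\tby smtp.sender.example with ESMTPSA; Tue, 3 Mar 2020 10:02:05 +0000
Received: from mail.bank.example (mail.bank.example [192.0.2.200])
\tby forged.hop.example with ESMTP; Tue, 3 Mar 2020 09:58:00 +0000
From: someone@sender.example
To: you@recipient.example

hello
"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_hops(raw):
    """Return (from_host, from_comment, by_host, ip) per Received: line, top first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))  # unfold continuation lines
        if not m:
            continue  # e.g. a local "Received: by ..." line with no from-field
        from_host, comment, by_host = m.group(1), m.group(2) or "", m.group(3)
        ip = IP_RE.search(from_host + " " + comment)
        hops.append((from_host, comment, by_host, ip.group(0) if ip else None))
    return hops

def trusted_chain(hops):
    """Walk top-down; keep a hop only while its By host is the From host just above it."""
    chain = []
    for hop in hops:
        if chain and hop[2] != chain[-1][0] and hop[2] not in chain[-1][1]:
            break  # link broken: dismiss this hop and everything below it
        chain.append(hop)
    return chain

def originating_ip(raw):
    """Sender IP from the deepest hop that still links back to the recipient's server."""
    chain = trusted_chain(parse_hops(raw))
    return chain[-1][3] if chain else None
```

The chain is only as trustworthy as the hops added by servers you control; a spammer can forge every line below the one your own MTA wrote, which is why the walk starts at the top.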
Different email providers and how they store IP addresses
There are many internet-based email service providers, and each differs in how it inserts IP addresses into the email headers.
It is important to remember that any of these providers can change its policy at any time and may hide details, including IP addresses, to protect the sender’s privacy.
Let’s discuss a few of them and how they store the sender’s IP address in the header.
Gmail is one of the most popular email services worldwide. If an email comes from Gmail’s web interface, there is a high chance that you will not be able to find the sender’s IP address.
Google hides the sender’s real IP address: it simply removes all information about the sender’s IP address from the headers. The IP address in the Received: From entry is that of Google’s server.
This means it may not be possible to find the real IP address of a sender who used Gmail. There is, however, an exception.
If a person sends mail from a Gmail account using a desktop client such as Thunderbird or Outlook, the originating IP address is often included in the header.
Hotmail provides an extended header line called X-Originating-IP, which contains the sender’s actual IP address.
In Windows Live Hotmail, Microsoft uses X-Originating-IP to store the IP address of anybody who sends an email from Hotmail.
This allows Microsoft to blacklist email addresses or IP addresses whose outgoing mail is mostly reported as spam. The X-Originating-IP information can be used passively, for example when people report a given IP as a spam source, or actively, for example through the Hotmail spam report collection page.
This field may not appear in the header if someone sends mail to your Hotmail account from another email service.
Like any other email header field, X-Originating-IP can be faked. So even if you obtain the sender’s IP address, some doubt about its veracity remains.
Emails from Yahoo! contain the IP address of the sender in the last Received: entry.
A received email is much more than just a message: it lets you trace the actual IP address of the sender, because the email headers contain this information.
Different email services deal with the sender’s IP address in different ways.
These days, some email providers hide IP addresses and other information to protect the sender’s privacy. But this also opens a new page in the history of scams. As discussed, a quick IP location check can give a receiver the information needed to recognize spam.
In our view, email providers should not hide the IP address just for the sake of the sender’s privacy. After all, why would a legitimate sender have a problem revealing their IP address? What do you think?