Email Tracing


In some cases, you may want to know the origin of some e-mails:

  • When you are suspicious with a particular e-mail.
  • When a friend asks you about an e-mail you never send. There are two possible explanations: (1) your computer has been hijacked by nasty viruses/worms and sent out e-mails without your knowing; (2) somebody else uses your e-mail address for the e-mails he/she sent. Whatever the case is, you want to know the truth.
  • Someone contacts you for a job offer, and before you want to proceed any further, you may need to know more about this guy.

This short tutorial explains the basic of the e-mail system work and how to this knowledge to trace e-mails. Tracing an e-mail is not as hard as you might think. Let's begin to see how it works.

Route of an e-mail message


Mostly people send and receive e-mail messages with E-Mail Client software. Microsoft Outlook, Outlook Express, Netscape Communicator, Eudora and Pegasus are examples of widely used e-mail clients.

When you send your e-mail, you send it to a SMTP server called Mail Transfer Agent (MTA). SMTP stands for Simple Mail Transfer Protocol. Protocol is a standard for network communication. Your friend uses her e-mail client to access a server called Mail Delivery Agent (MDA). MTA is responsible for transferring your e-mail to the recipient MDA. It may transfer it directly to the MDA, or indirectly via other MTAs. Your e-mail route could be one of the following routes:

  • Sending Client - Sending MTA - Receiving MDA - Receiving Client.
  • Sending Client - Sending MTA - (one or more other MTAs) - Receiving MDA - Receiving Client.

Each MTA and MDA is also called a node in the route. The purpose of e-mail tracing / tracking is to find out the identity of each node along the route to the original sender. Each node along the route add a piece of information in the e-mail header section. We trace the e-mail by carefully studying this section.

E-mail headers


An e-mail message contains two main sections: header section and body section. Headers are used to convey control information of the e-mail; while body is used to convey the actual data (the e-mail content). It is like your paper mail or package. The header is the mail envelope and packing documents, while the body is the content inside the envelope or package.

Each node along the e-mail route add a piece of information, except the receiving mail client software. The most important piece of information for e-mail delivery is created by sending e-mail client software. It describes the recipient of the message. However, information created by sender is also the most unreliable. Some senders use fake identities or impersonate other individuals. The information created by your MDA should be considered reliable. We should treat information from other MTAs as quasi-reliable. As the rule of thumb, the closer a MTA to the receiving end, the more reliable it is.

How To Display E-mail Headers


If you use e-mail client other than those listed below, you have to refer to the software documentation for the details.


E-mail Header with Microsoft Outlook Express 6

  • Select the message you want to display.
  • From menu File, click Properties.
  • Choose Details tab.


E-mail Header with Microsoft Outlook 10

It is not very easy to deal with e-mail headers within Microsoft Outlook.

  • Select the message you want to display.
  • Right click the selected subject to pop up a menu.
  • From the pop-up menu, click Options.
  • Find Internet Headers information box inside the pop-up window.


E-mail Header with Netscape Communicator 7.2

Netscape 7.2 is header friendly. It displays the headers conveniently on the view pane. To turn header view on and off:

  • To turn on: from menu View/Headers, select All.
  • To turn off: from menu View/Headers, select Normal.


E-mail Header with Eudora 6.2

Eudora is also a header friendly e-mail client.

  • Double click the message you want to display.
  • Turn on the Blah Blah icon.


E-mail Header with Pegasus Mail 4

Pegasus Mail is another header friendly e-mail client.

  • Double click the message you want to display.
  • Select Raw view tab.


Headers Created by Sending E-mail Client.

Sender e-mail client software may create some of these headers:

Date: Original sending date
From: Author(s) of the message
Sender: Actual submitter of the message
To: Primary destination
Cc: Secondary destination (Carbon Copy)
Bcc: Blind Carbon Copy. Same with Cc, but e-mail addresses listed here are not forwarded to each recipient.
Reply-To: Address to reply to. Default reply-to address is From, reply-to-author. However, you may specify a different address to reply-to.
Message-Id: A unique identifier for each message. Message-Ids are provided by Sender e-mail client or Sender MTA. Often a message is a response to a previous message, Message-Id is then the identifier for the header References and In-Reply-To.
Organization: Organization the sender affiliated with.
Subject: Subject or summary of the message.
In-Reply-To: Message-Ids of the parent (previous) messages.
References: Message-Ids of other correspondences.
MIME-Version: Version of the Internet message body format standard in use. MIME stands for Multipurpose Internet Mail Extensions.
Content-Type: MIME type of the content is used in the message body. Some common values are:
text/plain, text/html, text/xml, text/enhanced, image/jpeg, image/gif, audio/basic, audio/au, video/mpeg, application/octet-stream, application/postscript, application/ms-word, application/ms-excel, application/rtf, multipart/mixed, multipart/alternative, multipart/parallel, multipart/related, message/rfc822, message/external-body.
Content-Transfer-Encoding: MIME encoding used to represent data in a message for transfer using a mail transport protocol.
Common values include the following:
  • 7bit - Message contains 7-bit un-encoded US-ASCII data (Default).
  • 8bit - Message contains 8-bit un-encoded data.
  • binary - Message contains an un-encoded octet stream.
  • quoted-printable - Message contents transformed to 7-bit US-ASCII using quoted-printable encoding algorithm.
  • base64 - Message contents transformed to 7-bit US-ASCII using Base64 encoding algorithm.
Disposition-Notification-To: Indicates that the sender wants a disposition notification when this message is received by its recipients.
Keyword: Rarely used.
Comments: Rarely used.
Resent-*: Headers with prefix Resent- are for forwarded messages
X-*: All headers start with X- are additional features that have not yet made it into standard.
X-Mailer: Information about the sender e-mail client software.
X-Priority: Priority of the message. Values: 1 (Highest), 2 (High), 3 (Normal), 4 (Low), 5 (Lowest). 3 (Normal) is default if the field is omitted.

Headers Created by Mail Transfer Agent (MTA).

A MTA may create one or some of these headers:

Received: This is the most important header created by an MTA. The most used format for this field is:
Received: from * by * with * id * for *; timestamp
from *: sending host
by *: receiving host
with *: link/mail protocol
id *: Message-Id generated or copied by the MTA
for *: destination in the field To
Return-Path: It shows the return path of the message, i.e., the address that bounces will be sent to. Final MTA should insert a return-path header containing the envelope sender address when the e-mail arrives at its final destination. Mostly MTAs insert the sender address in Return-Path.
Apparently-To: Rarely inserted by MTA when there is no 'To:' recipient in the original message. Some mailing list hosts insert X-Apparently-To to the mails delivered to members of mailing-lists.
Mailing-List: Mailing List ID or Name. Non-standard. Other mailing-list related headers may follow this header.
Delivered-To: Used mostly for loop detection by many mailing-list hosts and autoresponders.

Headers Created by Mail Delivery Agent (MDA).

Besides MTA headers above, some MDAs may have anti-spam or anti-virus features in their system. These systems may add some specific headers to an e-mail.

Let's trace e-mails


Below is a sample of an e-mail header.

X-Apparently-To: georgeburn@yahoo.ca via 206.190.38.42; Thu, 09 Dec 2004 01:08:32 -0800
X-YahooFilteredBulk: 172.182.209.16
X-Originating-IP: [172.182.209.16]
Return-Path: <vchia@tm.net.my>
Received: from 172.182.209.16 (EHLO tm.net.my) (172.182.209.16)
    by mta128.mail.re2.yahoo.com with SMTP; Thu, 09 Dec 2004 01:08:32 -0800

From: vchia@tm.net.my
To: georgeburn@yahoo.ca
Subject: report
Date: Thu, 9 Dec 2004 10:08:28 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="----=_NextPart_000_0005_34D93898.B33F1947"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000


In the example, georgeburn@yahoo.ca got an e-mail. From the domain name, he knew that items in blue color were generated by his mail server (yahoo.com), it should be consider reliable. The red headers however, are created by sender e-mail client.

From the red headers, the author claimed that he/she was vchia@tm.net.my (see 'From' header), who used Microsoft Outlook Express 6 as the e-mail client. The e-mail address suggests it is an e-mail from Malaysia (TLD .my is for Malaysia).

However, the header created by the receiving mail server (mta128.mail.re2.yahoo.com) tells us that the origin IP address for this e-mail is 172.182.209.16. Let's us check the validity of sender's information with Quis? Pro. Click links below for the full reports:

Query result of TM.NET.MY.

+---------------------------------------------+
DOMAIN REPORT FOR: TM.NET.MY               
by Quis? {WHOIS In Details} Dec 14, 2004   
http://gadget.stringcodes.com/quis/        
+---------------------------------------------+

[Registrant MYNIC Handle : RGA000355]
Telekom Malaysia Berhad
709B, 6th Floor
Block E, Kelana Park View, No. 1 Jalan SS 6/2, Kelana Jaya
47301 Petaling Jaya
inetnum: 202.71.96.0 - 202.71.111.255


TM.NET.MY is owned by Telekom Malaysia. The IP Addresses allocated for this entity is [202.71.96.0 - 202.71.111.255]. IP Address 172.182.209.16 definitely does not belong to tm.net.my. The report for IP Address 172.182.209.16 reveals the real source. The e-mail originates from a US customer of America Online (AOL).

+--------------------------------------------+
REPORT FOR IP Address: 172.182.209.16     
by Quis? {WHOIS In Details} Dec 14, 2004  
http://gadget.stringcodes.com/quis/       
+--------------------------------------------+

Host: ACB6D110.ipt.aol.com


Query result of 172.182.209.16.