Copyright held by The John Cooke Fraud Report. Reprint rights are granted with attribution to The John Cooke Fraud Report with a link to this website.
By Cowboy Don
This is a simple investigative tool that can often confirm the approximate source location of a received email, or raise suspicions if it fails to do so. Because it is both easy and often informative, every file handler should routinely trace questionable emails, and even investigators may find such quick searches helpful for filling in the blanks. For anyone not current on these possibilities, it can be an easy tool to incorporate.
1: It seldom if ever works with emails forwarded to you, as the original tracking information generally falls off the forward. Any attempts will thus only yield information on the individual who forwarded the email to you. (In some cases, that, too, can be a clue.)
2: It will not work on Gmail messages you receive, as Gmail does not include full information. The same is true of a few other provider networks. For many networks, however, it works like a charm.
3: Senders who want to hide their location can use email proxy services to prevent actual source tracking, but it’s always worth a try and takes only a few seconds per search. Also, if you see that someone is going to the trouble of using a proxy service, you might ask yourself why.
The first step is to obtain the email header information. There is no need to understand any of it; just copy it so you can paste it elsewhere. How to find the hidden header data varies with different email services and sometimes with the browser used to access mail. Consult your provider or review how-to explanations on the web.
Typical header info may look like this…
Return-Path: <JCFR@aol.com>
Received: from core-mhd001a.r1000.mail.aol.com (coremhd001.r1000.mail.aol.com [172.29.239.65])
    by mtaomg-da02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 4807AE00008A
    for <Don57Cowboy@aol.com>; Mon, 17 Dec 2012 19:25:44 -0500 (EST)
From: JCFR@aol.com
Full-name: JCFR
Message-ID: <5376.690bdc8c.3e011207@aol.com>
Date: Mon, 17 Dec 2012 19:25:44 -0500 (EST)
Subject: Re: How to trace emails
To: Don57Cowboy@aol.com
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="part1_5376.690bdc8c.3e011207_boundary"
X-Mailer: AOL 9.5 sub 5401
X-Originating-IP: [72.193.188.246]
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=mx.aol.com;
    s=20121107; t=1355790345;
    bh=gBpXqcllt5493LKLlHXNY8PY4e7PFQuoikFJL+aM404=;
    h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type;
    b=i1LeFVncC4RO07tCPtgLOFoZFTqVAXP9EOnxzclJFNz5FsnV6iQ6ZLxB836UI2j6h
    SZGbbV7oiNZRTq4g+w+Cb/IP7oqTu17wM32WnBZqnHExuwZ/7JT/bGSZOmXatYf1ys
    zH6c8NtfJ12Mg9GPsigA0n8GZhPEzyipllHRLWfE=
x-aol-sid: 3039ac1d338a50cfb8082512
Results can vary, so I paste such header data into each of the following four sites, opened in separate browser tabs, and compare the searches:
http://www.ip-adress.com/trace_email/
http://www.ip-address.org/tracker/trace-email.php#email_headers
http://my-addr.com/trace_email_address/free_email_trace_route/online_email_trace_route_tool.php
http://www.ip-tracker.org/find/email-finder.php
The first listed site, for example, provides this information:
At Mon, 17 Dec 2012 19:25:44 -0500 (EST), the email sender
JCFR@aol.com sent you an email from the IP address 72.193.188.246
located in United States, Las Vegas.
Email Sender: JCFR@aol.com [more info]
IP address: 72.193.188.246
IP address country: United States
IP address state: Nevada
IP address city: Las Vegas
IP postcode: 89123
IP address latitude: 36.0097
IP address longitude: -115.1479
ISP of this IP: Cox Communications
Organization: Cox Communications
Local Time of this IP country: 2012-12-17 20:47
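The address such a trace depends on can also be pulled out of the header locally before anything is pasted into a lookup site. The Python below is an added example, not part of the original article or of any listed site; the function names are hypothetical and the input is a constructed, shortened copy of the sample header above. It also shows why a header without a usable address (the Gmail case in caveat 2) yields nothing to trace.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a shortened copy of the header shown in the article.
SAMPLE = """\
Return-Path: <JCFR@aol.com>
Received: from core-mhd001a.r1000.mail.aol.com (coremhd001.r1000.mail.aol.com [172.29.239.65])
 by mtaomg-da02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 4807AE00008A
 for <Don57Cowboy@aol.com>; Mon, 17 Dec 2012 19:25:44 -0500 (EST)
From: JCFR@aol.com
Subject: Re: How to trace emails
X-Originating-IP: [72.193.188.246]

body
"""

# Bracketed IPv4 literals, the form used in the sample header.
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def public_ips(text):
    """Return bracketed IPv4 literals in text that are globally routable."""
    found = []
    for raw in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:  # not a valid address, e.g. [999.1.1.1]
            continue
        if ip.is_global:  # skips private relay addresses such as 172.29.239.65
            found.append(str(ip))
    return found

def sender_ip(raw_header):
    """Return (ip, header_name) for the best sender candidate, or None."""
    msg = message_from_string(raw_header)
    # 1) Client address supplied by the sending provider, when it includes one.
    for value in msg.get_all("X-Originating-IP", []):
        ips = public_ips(value)
        if ips:
            return ips[0], "X-Originating-IP"
    # 2) Otherwise the earliest hop: Received lines are prepended, so walk bottom-up.
    for value in reversed(msg.get_all("Received", [])):
        ips = public_ips(value)
        if ips:
            return ips[0], "Received"
    return None
```

Only the Received lines added by your own provider's servers are reliable; anything lower in the header, including X-Originating-IP, comes from upstream systems and can be forged by a sender who controls them.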
Cowboy Don is one of our fightfraudamerica.com volunteers. Most of the cases we refer to him are romance scams, and his email tracking often leads to West Africa. He’s also a valuable resource when our editor finds herself unable to fully function in a technological world. Thank you, CD!