Tuesday, February 10, 2015

[Office]: How to Track the Original Location of an Email via its IP Address

Here’s a quick guide on how to track an email to its original location by finding the email’s IP address and looking it up. I have found this quite useful on many occasions for verification purposes, since I receive lots of suspicious emails daily because of my blog. Tracking the IP address of an email sender does require looking at some technical details, so be ready to dig in!
There are basically two steps in tracking an email: find the IP address in the email header section, then look up the location of that IP address. It’s worth noting that you usually won’t be able to get the exact location of the actual person who sent the email. For example, if someone in Germany sends you an email using Gmail, the last IP address in the header section will probably be the public IP address assigned to that user by their ISP, which will give you the user’s location anywhere from within a mile to the city or region level.
The reason for the wide range is that the IP address an ISP assigns to a particular user is normally dynamic. This means that the IP address they had when the email was sent may now be assigned to a different user in the region. This is the main reason why you might get a wide geographic area when looking up the location of the IP address.
However, depending on what device people are using to send email through Gmail or another online email service, the last IP address might just be the IP address of a Google, Yahoo or Hotmail server, so keep that in mind too.
Another scenario where you might not get any useful info is if the email was sent from a server in a hosting company’s data center. For example, whenever I get an email from Boxee, the originating IP address belongs to SoftLayer, which is a big server hosting company. That’s because the email was probably created and sent from the server itself.

Find the IP Address for an Email in GMail, Yahoo Mail, and Outlook

Let’s go ahead and take a look at how you would find the IP address in the email header for Gmail, Yahoo and Outlook, since those are the most popular email clients. If you’re using a different email client, just Google how to view email header info. Then come back and read the rest of this post.

Google Gmail

1. Log into your Gmail account and open the email in question.
2. Click on the down arrow that’s to the right of the Reply arrow. Choose Show Original from the list.
Now here is the technical part that I was telling you about earlier! You need to look for the lines of text that start with “Received: from“. It might be easier to simply press Ctrl + F and search for that phrase. You’ll notice that there are several Received From’s in the message header. This is because the message header contains the IP addresses of all of the servers involved in routing that email to you.
To find the first computer that originally sent the email, you’ll have to find the Received From that’s farthest DOWN. In the header from my example, the first one is from a computer with a private IP address of 192.168.1.13 and with the public IP address 99.108.173.229. Then it was routed to my ISP’s server at lightspeed.rcsntx.sbcglobal.net, which is basically AT&T U-verse, and so on and so forth until it got to your email server. Don’t worry, I don’t happen to know off the top of my head that sbcglobal is AT&T U-verse! The tool that I mention below to look up an IP address gives you the organization name.
The computer 192.168.1.13 is my personal home computer, and that is the IP address assigned to my computer on my internal LAN. There are several ranges of IP addresses that are considered private IP addresses. You can read about them on Wikipedia. All you need to do is recognize that it’s a private IP address and that you can’t look up the location of a private IP address. You can, however, still use the internal IP address: if you were to contact the organization, they might be able to help you determine the exact user or person the email came from. I’ll explain this in more detail below.
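As an added example (this is not code from the original post), here is a short Python script that automates the header-reading step described above. It pulls every Received: line out of a saved raw message (the text Gmail shows under Show Original), reverses them so the first hop comes first, and classifies each address it finds as private (like 192.168.1.13, which cannot be looked up) or public (like 99.108.173.229, which can). The sample message is constructed for this example: it reuses the two addresses and the sbcglobal hostname quoted in the post, plus the Google server address from the Yahoo section, with example.com hostnames standing in for the other servers. The function names are my own.

```python
import email
import ipaddress
import re

# Constructed sample message in the shape Gmail's "Show Original" produces.
# The addresses and the sbcglobal hostname are the ones quoted in the post;
# the example.com hostnames and the ESMTP ids are made up for this example.
RAW_MESSAGE = """\
Delivered-To: you@example.com
Received: from mx.example.com (mx.example.com [209.85.212.43])
        by mail.example.com with ESMTP id k7si12;
        Tue, 10 Feb 2015 09:12:31 -0600
Received: from lightspeed.rcsntx.sbcglobal.net
        by mx.example.com with ESMTP; Tue, 10 Feb 2015 09:12:30 -0600
Received: from homepc.local (192.168.1.13) ([99.108.173.229])
        by lightspeed.rcsntx.sbcglobal.net with ESMTP;
        Tue, 10 Feb 2015 09:12:29 -0600
From: sender@example.org
To: you@example.com
Subject: test

hello
"""

# Matches dotted-quad candidates; ipaddress.ip_address() does the real validation.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """Return the Received: headers in delivery order (first hop first).

    Each mail server prepends its own Received: line, so the header that
    appears farthest DOWN in the raw message is the earliest hop. Folded
    continuation lines are joined back into one line first.
    """
    msg = email.message_from_string(raw)
    hops = [re.sub(r"\r?\n[ \t]+", " ", v).strip() for v in msg.get_all("Received", [])]
    return list(reversed(hops))


def addresses_in(hop):
    """All valid IPv4 addresses mentioned in one Received: line."""
    found = []
    for text in IPV4_RE.findall(hop):
        try:
            found.append(ipaddress.ip_address(text))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def describe(addr):
    """Say whether an address can be looked up at all."""
    if addr.is_private:
        return "private (LAN address, cannot be looked up)"
    if addr.is_loopback or addr.is_link_local or addr.is_reserved or addr.is_multicast:
        return "special-purpose (not routable on the Internet)"
    if addr.is_global:
        return "public (can be looked up)"
    return "not globally routable"


def trace(raw):
    """(hop number, address, classification) for every address, earliest hop first."""
    rows = []
    for n, hop in enumerate(received_hops(raw), start=1):
        for addr in addresses_in(hop):
            rows.append((n, str(addr), describe(addr)))
    return rows


def originating_public_ip(raw):
    """The first public address on the earliest hop, or None if there is none.

    This is the address the post tells you to feed into a location lookup.
    """
    for hop in received_hops(raw):
        for addr in addresses_in(hop):
            if addr.is_global:
                return str(addr)
    return None


if __name__ == "__main__":
    for hop_no, address, kind in trace(RAW_MESSAGE):
        print(f"hop {hop_no}: {address:16} {kind}")
    print("originating public IP:", originating_public_ip(RAW_MESSAGE))
```

Run it against a header you have pasted into a file and it prints one line per address, earliest hop first, ending with the public address you would take to a lookup site. Two things to keep in mind when reading the output: a hop can carry no address at all (the middle one in the sample shows only a hostname), and the lines at the very bottom were written by the sender's own mail server, so only the Received: lines added by servers you trust are guaranteed to be genuine.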
Now I’ll go through Yahoo and Outlook before talking about tracking the location of the IP address.

Yahoo Mail

1. Log into your Yahoo account and open the email.
2. Now in the menu bar, click on Actions and then click on View Full Header.
Again, you’ll see the same information as before, just in a different pop-up window.
In my example, the last IP address for an email I sent from my Gmail account to my Yahoo account was 209.85.212.43. When you look up that IP address, it’s just a Google server in California. So depending on how the user sends the email (email client, desktop or mobile, WiFi or cellular), you may get a useful location or you may not.

Microsoft Outlook

1. Open the email in Outlook by double-clicking on it.
2. Go to View in the top menu (the menu for the email window, not the main Outlook window) and choose Options.
You’ll get a dialog box where you can set the message options, and at the bottom you’ll see the Internet Headers box. For some silly reason, the box is very small and you have to scroll a lot, so it’s best to simply copy and paste the text into Notepad to view it more easily.

Tracking the location of an IP address

Now that we have our originating IP address of 99.108.173.229, let’s find out where that is! You can do this by performing a location lookup on the IP address. My favorite is whatismyipaddress.com.

The site gives you general IP info like the ISP and organization, which in my case was AT&T. It then gives you more specific location information, which is Allen, TX. That is accurate, since the email was from my wife at our house in Allen, TX. It even gives you a nice map with a pretty approximate location.

The circle on the map is quite large, but the little red marker is fairly close to where I live. This is a pretty lucky instance where I got some useful info. In another email, for example, I got the following IP address: 199.242.234.126. When I looked it up, the area was quite large and the red marker couldn’t help me determine any other useful info.

However, when looking at the Organization, I saw UT Southwestern Medical Center at Dallas. Perfect! That’s exactly where my friend works and she had sent an email during the day while at work.
Unfortunately, if you want to get more detailed information beyond that, such as which computer inside the medical center sent the email, you’ll have to contact that organization. You may have to furnish court orders, etc., but at least you have a starting point. Again, as I mentioned at the beginning, this is where you could provide the organization with the actual internal IP address of the computer that sent the email, if it’s in the header.
In the example above, finding the contact info for the medical center would be pretty easy. However, that is not always the case. When it isn’t, you can get contact information by doing a WHOIS database search. My favorite one is WHOis.net. This will give you information on the organization that holds that IP address and their registration information. You can always contact them to try and find more information on that particular IP address.
Have fun trying to track down those emails!
