Nov 16 2011

Find IP in Headers

Whenever you have a suspicious feeling about a message, or just want to protect yourself, one of the first things to do is to try to determine where the email was sent from. In my case I keep receiving various email and contact form offers related to my website, and although I actually like dealing with human beings from anywhere in the world, I have a problem when people pretend to be someone they are not, or to be somewhere they are not.

There’s a relatively easy way to research a location from which a message was sent. The first great tool that I use for locating an IP address is http://infosniper.net, also accessible from this website’s “Tools” drop-down menu, under “IP Address Location” option.

But before this can be done we need to determine the sender’s IP address. However, if the message was sent from Gmail in a web browser, this won’t work, because unlike Microsoft, Yahoo, and most other email providers, Google protects its users’ privacy by omitting the sender’s IP address. This is good, because it keeps end users safer in countries with oppressive governments and life-threatening criminal activity, but it doesn’t help when you want to protect yourself from a scam.

Finding the IP Address

Here’s how to find the IP address of the sender:
1. Open the message
2. View the e-mail message’s full headers

If received from hotmail.com:
Look for this line at the bottom of the headers: X-Originating-IP: [xxx.xxx.xxx.xxx]

If received from yahoo.com:
The header has several lines starting with “Received: from [xxx.xxx.xxx.xxx] by …” – look for the last one towards the bottom of the header.

In both cases the dotted number in square brackets is the IP address of the sender, unless the email was spoofed.

For email from other providers, which I didn’t test, look at the bottom of the headers: the last IP, usually listed in the last “Received: from” line, is normally the sender’s IP, provided the provider records it.

Once you have the IP address, plug it into infosniper.net to see the location from which the email was sent.

Room for Error

Yahoo headers: if the same line contains HELO, the IP is not the sender’s but the server’s.

Yahoo servers are located in Sunnyvale, CA and Microsoft servers are in Redmond, WA. If the lookup returns one of these places, chances are you plugged in an IP from somewhere in the middle of the headers instead of the bottom one.

IP addresses in the ranges 10.x.x.x, 192.168.x.x and 172.16.x.x–172.31.x.x are private; they exist on many internal networks throughout the world, so they won’t show any location, and seeing one may also be a sign that the wrong IP address was plugged in.
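As an added example (not part of the original post), here is a small Python script that applies the rules above to raw message headers: it prefers X-Originating-IP, otherwise walks the Received lines from the bottom up, skipping lines that contain HELO and addresses in the three private ranges. The hostnames and addresses in the sample headers are constructed (documentation addresses), not taken from a real message.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# The three private ranges the post lists: a hop showing one of these is an
# internal server, not the sender, and a location lookup would return nothing.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def usable_ip(text):
    """Bracketed IPv4 address in a header line if it is public, else None."""
    m = IP_IN_BRACKETS.search(text)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1))
    except ValueError:  # the loose regex also matches e.g. 999.1.1.1
        return None
    return None if any(ip in net for net in PRIVATE_NETS) else str(ip)


def find_sender_ip(raw_message):
    """Post's rules: X-Originating-IP if present (Hotmail style), else the
    bottom-most 'Received: from [ip]' line without HELO (Yahoo style).
    Returns (ip, header_used) or (None, reason)."""
    msg = message_from_string(raw_message, policy=default)
    originating = usable_ip(str(msg.get("X-Originating-IP", "")))
    if originating:
        return originating, "X-Originating-IP"
    # Each relay prepends its own Received line, so the hop that talked to
    # the sender is the LAST Received header: walk the list bottom-up.
    for received in reversed(msg.get_all("Received", [])):
        line = str(received)
        if "HELO" in line.upper():
            continue  # post's Yahoo caveat: a HELO line names the server
        ip = usable_ip(line)
        if ip:
            return ip, "bottom-most Received"
    return None, "no public sender IP recorded (Gmail webmail omits it)"


# Constructed sample headers (documentation addresses), not a real message.
SAMPLE = """\
Received: from mta1.example-mail.invalid (mta1.example-mail.invalid [203.0.113.7])
\tby mx.recipient.invalid with ESMTP; Wed, 16 Nov 2011 10:00:00 -0800
Received: from [198.51.100.23] by smtp.example-mail.invalid; Wed, 16 Nov 2011 09:59:55 -0800

(body)
"""
```

Paste the full header block of a message into `SAMPLE` (or pass it to `find_sender_ip`) and feed the returned address to the location lookup; a `None` result means the headers carry no usable public address, so there is nothing to look up.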
