The Non-Technical Guide To Finding An Email IP Address

James Bigglesworth (CyberCrimeOps.COM)
January 30, 2010

Being an anti-fraud activist for a number of years, and frequenting many different types of anti-fraud communities, I have heard many questions (and answers) about locating IP Addresses from an email. This article is for non-technical explanations into how to find it, and then how to figure out what it means.


Before we get started, let us look briefly at what an IP Address actually is.

Simply put, an IP (Internet Protocol) Address is a series of numbers assigned to a device that is part of a computer network. The IP Address can be thought of in the same light as a street address, giving a unique reference to a geographical location.

The IP Address is a set of 4 numbers separated by periods like this; nnn.nnn.nnn.nnn. Each number will be between 0 and 255 like this;

When you connect to the internet, your ISP gives you an IP Address, and it stays with you as you surf the world-wide-web. You may get a different one from your ISP the next time you connect, or you may get the same one. When you send an email, each machine between you and the recipient makes their mark in the email header. These marks give a roadmap of how the email has travelled through the internet.


As mentioned above, an IP Address gives unique geographical pointers, and in the case of email communications can show you where an email actually came from, and the route travelled before it gets to your inbox.

This information can be vital in figuring out whether someone talking to you via email is being truthful about their location or not. For example; if someone you are about to purchase something from says they are in the UK, but their IP Address says Nigeria, then clearly you may be on the verge of being defrauded.


In short, yes. There are a few ways that an IP Address can be altered when sending an email. Spammers for example, use an Email Relay systems to obfuscate their originating location. So instead of an email really being sent from Russia, it may appear to come from the United States of America. Typically this kind of email is sent in bulk via specialised email software designed just for this task.

Other techniques are to send emails using scripts on a website, probably one that has been hacked into. These may only give the starting IP Address which relates to the machine on which the script was hosted.

Another technique is to use a webmail account that either does not give out the originating IP Address, or the webmail account is logged into whilst using a piggyback machine (Internet Proxy) to hide the real location.


Locating the IP Address requires that you look at the header information embedded into the email itself. How you get to that information will depend on what you use to read your emails.

Rather than reinvent a wheel, I have chosen to incorporate information already published elsewhere. SpamCop.NET (anti-spam organisation) carry a large list of information regarding the revealing of email header information. The page is part of the SpamCop.NET FAQ [link] and covers many of the more popular software applications and webmail providers.


The email header contains a great deal of information, and for our purposes most of this is useless. Due to the possible wealth of information it is very easy (and common) for people to get completely confused.

First obstacle is realise that you must read the header from bottom to top and not top to bottom! This common mistake could mean the difference between identifying someone in Africa, or saying they are in Sunnyvale California and work for Yahoo!

As you read up the header, look for the first IP Address. You may be lucky as the header may have a special field called X-Originating-IP (or similar). If not, keep reading until you spot something, then look this number up using a WHOIS service (see below).


As mentioned above, we need to use a WHOIS lookup service once we have located an IP Address. There are literally many hundreds of these on the internet that can be used.

I will recommend only two, as I use both of these myself. The first is called Domain Tools [link] and is my personal favourite. The other is called DNS Stuff [link]. DNS Stuff contains a lot more geeky tools, but look for the “WHOIS/IPWHOIS Lookup” and enter the IP Address.

The information you get back may give you the information your seek, such as the company & country that is allocated to that IP Address.

Some things to think about when getting results you don’t understand. Some foreign countries, especially Africa, use satellite connections to get onto the internet. This means that the IP Address will relate to the first landfall that is made from the satellite. This could be in any number of countries, such as UK, Canada, USA, Israel, or others.

It takes more investigation at that point as you then have to visit the corporate website and try and find their coverage map, if they publish it. This will indicate what satellite services they utilise, and what areas of the world it covers.


Unfortunately no. Some email services do not log the original IP Address in the header. Typically this would be done from a WebMail provider. Three of the best known IP hiders are GMail, FastMail and HushMail.

GMail and FastMail allow their users to send emails directly from their email application of their computer, instead of using the webmail interface. This mechanism does not hide the original IP Address, so it is always worth having a look at the header, just in case.


Fortunately there are people out there who like to help, by providing tools we can use for free. If you find reading an email header too confusing or complicated then try copying and pasting the whole header into the following web-page; I have no idea who owns it, but it has been around for many years.

This very useful tool will read the header for you and display all those it finds, along with a probable country of origin. The email header will be displayed to you again, but all IP Addresses will be highlighted so you can see where they all are. This can be very useful if you are learning to read the header yourself.

The ApeLord tool will also have links to DNSStuff, to enable you to look at details in closer detail.

Further Reading

  • Wikipedia – IP Address [link] | Private IP Address [link]
  • Wikipedia – Email Relay [link]
  • Wikipedia – Internet Proxy [link]
  • SpamCop.NET – Reveal the full, unmodified email. [link]
  • Wikipedia – Email Headers [link] | E-Mail Message Header [link]
  • ApeLord – Header Analysis [link]
  • WHOIS Lookup – Domain Tools [link] | DNS Stuff [link]

Original article written for Shawn Mosch, co-founder of ScamVictimsUnited.COM

This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.

Scam mentioned in popular television show

Does anyone watch the show Medium, about Allison DuBois who works for the DA’s office and can see and hear people who have died and can pick up on things? Allison DuBois is a real person, and her gift has helped to solve many cases.

On the show this week her daughter Bridgette who also has this gift, runs into a man in the library using the computer every day. He is dressed as an African prince, or at least that is the way that he appears to the girl. She sees the name that he uses on an email account, and when her older sister is later complaining about the spam emails and mentions the same name Bridgette tells the family that she knows this guy and that he comes to the library all of the time. They family tried to tell Bridgette that it is a scam, and that he is just pretending to be a Prince with a lot of money and that in his emails he asks you to give him some money to help him get his money out of the bank that it is in.

(sorry . . . you have to watch the short ad in order to see the clip)

So, the next day Bridgette sees this guy at the library again and gives him all of the money she has (about $30 I think . . . remember, this is a girl in grade school) and she says he can take it to help him get his money and then he just has to pay her back when he does get her money.

The man later returns to the library to give Bridgette her money back saying that he cannot take money from a little girl, and that he had only been doing this type of thing for a few weeks. Don’t we all wish that THIS part happened in real life!

I do think it is great that they are getting the word about the Nigerian scams out into the popular television shows. This one episode could have helped to educate a lot of people that this is a scam.…/episode/1317709/summary.html?tag=ep_guide;summary

National Center for Disaster Fraud to Coordinate Haitian Fraud Complaints

The FBI and the National Center for Disaster Fraud (NCDF) have established a telephone hotline to report suspected Haitian earthquake relief fraud. The number is (866) 720-5721. The phone line is staffed by a live operator 24 hours a day, seven days a week. You can also e-mail information directly to

The National Center for Disaster Fraud was originally established by the Department of Justice to investigate, prosecute, and deter fraud in the wake of Hurricane Katrina, when billions of dollars in federal disaster relief poured into the Gulf Coast region. Its mission has expanded to include suspected fraud from any natural or man-made disaster. More than 20 federal agencies, including the FBI, participate in the NCDF, allowing it to act as a centralized clearinghouse of information related to Haitian relief fraud.

The FBI continues to remind the public to apply a critical eye and do their due diligence before giving contributions to anyone soliciting donations on behalf of Haitian victims. Solicitations can originate from e-mails, websites, door-to-door collections, mailings and telephone calls, and similar methods.

Therefore, before making a donation of any kind, consumers should adhere to certain guidelines, including the following:

Do not respond to unsolicited (spam) incoming e-mails, including clicking links contained within those messages.

Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.

Beware of organizations with copy-cat names similar to but not exactly the same as those of reputable charities.

Rather than following a purported link to a website, verify the legitimacy of non-profit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its non-profit status.

Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.

To ensure contributions are received and used for intended purposes, make contributions directly to known organizations rather than relying on others to make the donation on your behalf.

Do not be pressured into making contributions, as reputable charities do not use such tactics.

Do not give your personal or financial information to anyone who solicits contributions.

Providing such information may compromise your identity and make you vulnerable to identity theft.

Avoid cash donations if possible. Pay by debit or credit card, or write a check directly to the charity. Do not make checks payable to individuals.

If you believe you have been a victim of fraud from someone or an organization soliciting relief on behalf Haitian earthquake victims, contact the National Center for Disaster Fraud at (866) 720-5721. You can also fax information to fax (225) 334-4707 or e-mail it to Anyone who has received an e-mail soliciting donations or is aware of fraudulent charity websites claiming to be collecting for Haitian victims, please notify the IC3 via

Information on Credit CARD Act

This information can be found at the Consumer Law & Policy Blog
The Fed has announced new amendments to Regulation Z to implement the provisions of the Credit CARD Act that go into effect next month. The Fed is still working on amendments to implement the Credit CARD Act measures that take effect in August. Here’s an excerpt from the Fed’s press release summarizing the effect of the new amendments

Among other things, the rule will:

Protect consumers from unexpected increases in credit card interest rates by generally prohibiting increases in a rate during the first year after an account is opened and increases in a rate that applies to an existing credit card balance.

Prohibit creditors from issuing a credit card to a consumer who is younger than the age of 21 unless the consumer has the ability to make the required payments or obtains the signature of a parent or other cosigner with the ability to do so.

Require creditors to obtain a consumer’s consent before charging fees for transactions that exceed the credit limit.

Limit the high fees associated with subprime credit cards.

Ban creditors from using the “two-cycle” billing method to impose interest charges.

Prohibit creditors from allocating payments in ways that maximize interest charges.

Haitian Earthquake Relief Fraud Alert

We should have seen it coming . . . with just about every major event or tragedy that happens in our world today, someone out there will come up with a scam to try and con people out of their money. The latest one is the Haitian Earthquake Relief Fraud. The sad part is that the victims of these scams are people who just want to do some good by helping out another person in trouble.

Here are links to some warnings that were issued today

FBI Alert
Oregon Attorney General’s office
The Better Business Bureau

Always verify the charity before you make a donation. The BBB has a page where you can check out a charity. It is located at

BBB Top 10 Scams for 2010


ST. PAUL, Minn. – The recession has thousands of people out of work, but the scam artists are hard at work. In year ahead, the Better Business Bureau says they are likely to come at you from every angle.

No one knows that better than the Bureau’s Dan Hendrickson.

“The people that are out there trying to get information dishonestly are very persistent, said Hendrickson. “And they will keep on coming at you and that’s way you always have to be on guard.”

The Better Business Bureau has looked at the past to try and predict what will happen in the future, in this case the next year. For 2010, it has put together its own Top Ten List of scams:

1. Winter Olympics Scams. This year’s Olympic Games are fairly close by in Vancouver, British Columbia. A little known fact is that U.S. citizens can buy event tickets only through . Buy your tickets anywhere else, and the BBB says you risk losing your money. It also advises consumers to be aware of travel packages that don’t provide accommodations.

2. Census Scams. At its core the government Census is about counting people. For the crook it’s about counting something else. The BBB fears that under the guise of collecting data, scammers will try to trick people into giving out banking and other personal information. The Census WILL NOT contact you by email, and if a Census worker comes to your door, you have the right to ask for their credentials proving they work for the Census.

3. Green Remodeling Offers. President Obama and Congress are giving away tax credits for qualified remodeling projects that reduce energy consumption. When working with a contractor, homeowners should have a clear understanding of what makes a product or appliance green and if it benefits them. Also, check the credentials of the contractor with the Better Business Bureau or the state licensing agencies.

4. Job Scams. In this recession, scammers will try to rope people into fraudulent re-shipping schemes or offer jobs in exchange for an upfront payment.

5. Pre-Acquired Account Marketing Offers. It’s a high-brow term for a low-brow attempt to take your money. It happens when you buy something on line and you suddenly get a pop-up offering discounts to the store from which you just made a purchase. By clicking on these offers to save, customers unknowingly sign up for memberships which result in a monthly bill.

6. IRS Related Scams. These are typically by email. The message indicates it’s from the IRS asking for financial information. The IRS reminds taxpayers that it never discusses tax account information by email.

7. Wireless Security Breaches. Which business person or college student hasn’t fired up their laptop and gone online at a coffee shop? Yes, they are great places to hang out, but everything you transmit is viewable on an unsecured network.

8. Fake Online Classified Ads or Auction Sales. Think Craigslist. It’s a great site, but also a place where crooks can post fake ads to scam you out of your money. The BBB advises that if you buy from a online classified ad or auction site that you consider only making payment through third party transaction companies such as PayPal.

9. Gift Card Scams. The BBB says there are actually online sites where people can buy gift cards at reduced prices. Later they discover that the cards carry little to no value.

10. Smishing Scams. This works like Phishing on your computer, except Smishing takes place on your cell phone. It happens when a text message is sent to your phone indicating your bank or credit card accounts have been frozen and you need to call a certain number to rectify the accounts. The scammer is looking to collect your banking information. This actually happened in December of 2008 to many customers of a major Twin Cities bank.

The best advice from the Better Business Bureau is to be aware.

“We hear so many times people saying, ‘Well it sounded like such a good deal, or such a good offer, I had to do it,’” said Hendrickson. “And, you know we understand that. But the reality is if it sounds too good to be true, it probably is.”

Scammed couple gets their money back!

This one makes me so happy!

Feds return money to Bay Area elderly scammed by Canadian con artists
Investigators warn public to be wary of callers soliciting money

SAN JOSE, Calif. – Investigators with U.S. Immigration and Customs Enforcement (ICE) and the U.S. Postal Inspection Service (USPIS) Monday returned $7,000 to an elderly San Jose couple victimized by Canadian con artists who told them they had won a multi-million dollar Canadian sweepstakes.

ICE and USPIS investigators handed the octogenarians a check for a portion of the funds they forwarded to a Canadian postal box over the course of the last several months. The money was ostensibly to pay the Canadian “luxury” tax on the sweepstakes winnings so they could collect the prize. Like many elderly victims targeted in this and similar telemarketing scams, the couple believed the man who called them last year claiming to be an attorney responsible for alerting them about their sweepstakes win. In response to repeated appeals, the couple mailed multiple cashiers checks and packages containing cash to various Canadian addresses.

The check given to the couple this week represented the cash found in a parcel intercepted by Canadian authorities assigned to Project COLT (Center of Operations Linked to Telemarketing), a binational effort involving numerous agencies, including ICE, USPIS, the Federal Bureau of Investigation (FBI), U.S. Customs and Border Protection (CBP), the Royal Canadian Mounted Police and the Quebec Provincial Police. The case is under ongoing investigation by Canadian authorities.

“This couple is fortunate investigators were able to recover some of the money they lost, but regrettably much of their life savings will probably never be accounted for,” said Mark Wollman, special agent in charge for the ICE office of investigations in San Francisco. “While ICE and its enforcement partners are doing everything possible to stop this kind of fraud, the first line of defense is for people to be suspicious of anyone who calls and asks them to send money.”

This week marks the second time in as many months ICE agents have intervened in a case involving an elderly local resident targeted by Canadian telemarketing con artists. In November, they returned $4,000 to a San Jose woman who sent that sum in cash to Canada after receiving a call from a person claiming to be her grandson. The male caller said he was in jail and needed bail money immediately. Soon after, the woman received a call from a man purporting to be her grandson’s attorney who urged her to send the money without delay. Only later did the women learn that her grandson was not in jail and never had been.

“Sadly, we encounter these types of scenarios over and over again,” said Joseph Adiano, inspector for the USPIS. “While it’s hard to believe people fall for ploys like this, you have to remember the telemarketing con artists are incredibly persuasive and they purposely prey primarily on the elderly, who tend to be more trusting.”

Authorities say the most frequent telemarketing scam involves callers posing as “customs agents” who tell victims they have won the Canadian lottery but must send a “processing fee” or “customs duty” before they can collect their winnings. The fraudulent telemarketers may also purport to be lawyers, government officials, police officers, accountants, or lottery company officials. Investigators emphasize the con artists are very believable and will persist until they bilk as much money as possible from their victims.

Initiated in 1998, the goal of Project COLT is to identify, disrupt, and dismantle telemarketing fraud operations. As part of the initiative, law enforcement officers strive to intercept funds – often cash and cashier’s checks – so they can ultimately be returned to victims. Project COLT investigators also work to prevent further victimization, both through public education and the prosecution of those who commit the fraud.

Since its inception, Project COLT has resulted in the seizure and return of more than $25 million to telemarketing fraud victims in the United States and Canada. Telemarketing fraud has become one of the most pervasive forms of white-collar crime in Canada and the United States, with annual losses in both countries in the billions of dollars. These criminal organizations are heavily involved with international and violent organized crime, including the Hell’s Angels motorcycle gang, and as such they represent a significant assault on the United States homeland and upon the financial security and livelihood of its citizens.

Project COLT members also have formed partnerships with Canada Border Services Agency, Canada Post Corporation, Federal Express, Purolator, United Parcel Service, DHL and other companies to assist with fund interception and return.

Before sending any money to telemarketers, ICE urges the public to contact PHONEBUSTERS, Canada’s Anti-fraud Call Center at 1-888-495-8501. The staff at PHONEBUSTERS work closely with Project COLT investigators and other law enforcement agencies. More information on the initiative is also available through the PHONEBUSTERS website at

Bank of America

Are you one of the millions of Americans who would love to tell the big banks what you think of their policies and procedures? Now is your chance!

Tomorrow a group from the PICO National Network will be meeting with Bank Of America executives for a face to face conversation about the problems that they have caused for so many people. They need your help . . . if you have a Bank of America story, go to to submit your story. The more stories that they have, the more that they can try to hold Bank of America accountable for.

Is there a banker in the house?

because I just got this from Banker’s Online . . .

Paperless Fed – A Game Changer for Financial Institutions
Soon the Federal Reserve will be all electronic when it comes to processing checks. No longer will the Federal receive paper cash letters or send financial institutions their daily in-clearing items. The same applies to returned items. It will not be long before the Federal Reserve will make an announcement (very similar to ACH tape decision made in 1993) informing financial institutions that all check related transactions will be transmitted electronically. If your institution is unable to receive your daily files electronically, you will need to designate a processor or correspondent institution to receive your items on your behalf.

This program will address the legal, regulatory, technical and operational impacts of the Fed’s elimination of all but one Check Processing Center including but not limited to:

The impact on Funds Availability and bank disclosures (with one processing center, all checks become local checks)
The impact on return items (paper and electronic)
Operational and technical impact on financial institutions that are not image capable
Forward Cash Letters
Return Cash Letters
Presentment by the Federal Reserve and Other financial institutions
Transportation Costs
Federal Reserve Processing Fees
What happens to same day settlement?
What are the processing and other considerations of Non-Cash Items (Collection Items and Foreign Checks)?
What do you do with Bonds, Coupons and Securities?
Bank Float Schedules?

Here is my question . . . will this help to stop more counterfeit cashier’s check scams? In the past, what I have been told is that the reason that the banks do not find out that the check is counterfeit for a week or more is because the paper check still has to go through all of the normal processing channels . . . go to the correct clearing house . . . but if it is all done electronically, wouldn’t that speed up that process? And if that is so, wouldn’t they be able to catch that these checks are counterfeit sooner? (and if so, how much sooner?)

Support Scam Victims United by going out to eat!

Here is an EASY way for people to support Scam Victims United . . . go out to eat!

What am I talking about? Well, if you go to
you will find links to a site where you can purchase discounted gift certificates for local restaurants! You can search by state or zip code, and then purchase the gift certificates and print them off and head out to dinner knowing that you have saved some money AND supported Scam Victims United. (a portion of all purchases made from the link at goes directly to us)

We did this and were able to get $25 gift certificates for $12!

Check it out and see if your favorite restaurant is listed, but remember, to support Scam Victims United you have to use the links at