James Bigglesworth (CyberCrimeOps.COM)
January 30, 2010
Being an anti-fraud activist for a number of years, and frequenting many different types of anti-fraud communities, I have heard many questions (and answers) about locating IP Addresses from an email. This article is a non-technical explanation of how to find the IP Address in an email, and then how to work out what it means.
MEET THE IP ADDRESS
Before we get started, let us look briefly at what an IP Address actually is.
Simply put, an IP (Internet Protocol) Address is a series of numbers assigned to a device that is part of a computer network. The IP Address can be thought of in the same light as a street address, giving a unique reference to a geographical location.
The IP Address is a set of 4 numbers separated by periods, like this: nnn.nnn.nnn.nnn. Each number will be between 0 and 255, for example: 192.168.0.1.
When you connect to the internet, your ISP gives you an IP Address, and it stays with you as you surf the world-wide-web. You may get a different one from your ISP the next time you connect, or you may get the same one. When you send an email, each mail server that handles the message between you and the recipient adds its mark to the email header. These marks give a roadmap of how the email has travelled through the internet.
WHY IS AN IP ADDRESS IMPORTANT?
As mentioned above, an IP Address gives unique geographical pointers, and in the case of email communications it can show you where an email actually came from, and the route it travelled before reaching your inbox.
This information can be vital in figuring out whether someone talking to you via email is being truthful about their location or not. For example, if someone you are about to purchase something from says they are in the UK, but their IP Address says Nigeria, then clearly you may be on the verge of being defrauded.
CAN EMAIL IP ADDRESSES BE MANIPULATED?
In short, yes. There are a few ways that an IP Address can be altered when sending an email. Spammers, for example, use email relay systems to obfuscate their originating location. So instead of an email really being sent from Russia, it may appear to come from the United States of America. Typically this kind of email is sent in bulk via specialised email software designed just for this task.
Another technique is to send emails using scripts on a website, probably one that has been hacked into. These may only give the starting IP Address, which relates to the machine on which the script was hosted.
Another technique is to use a webmail account that either does not give out the originating IP Address, or the webmail account is logged into whilst using a piggyback machine (Internet Proxy) to hide the real location.
HOW DO I FIND THE EMAIL IP ADDRESS?
Locating the IP Address requires that you look at the header information embedded into the email itself. How you get to that information will depend on what you use to read your emails.
Rather than reinvent the wheel, I have chosen to incorporate information already published elsewhere. SpamCop.NET (an anti-spam organisation) maintains a large list of instructions for revealing full email header information. The page is part of the SpamCop.NET FAQ [link] and covers many of the more popular software applications and webmail providers.
READING THE EMAIL HEADER
The email header contains a great deal of information, and for our purposes most of this is useless. Due to the possible wealth of information it is very easy (and common) for people to get completely confused.
The first obstacle is realising that you must read the header from bottom to top, not top to bottom! This common mistake could mean the difference between identifying someone in Africa and saying they are in Sunnyvale, California and work for Yahoo!
As you read up the header, look for the first IP Address. You may be lucky: the header may have a special field called X-Originating-IP (or similar). If not, keep reading until you spot one, then look this number up using a WHOIS service (see below).
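A short Python script, added here as an illustration and not part of the original article, that performs this bottom-to-top reading on a constructed sample message: it walks the Received lines from the earliest hop upwards, skips private addresses such as 192.168.x.x (which name a machine on the sender's own network, not a place on the internet), and prefers an X-Originating-IP field when one is present. All hostnames and addresses in the sample are made up.

```python
import email
import ipaddress
import re

# Constructed sample message (not a real capture). Header order is as a
# mail client shows it: the top Received line is the last hop, the bottom
# one is the server that first accepted the message from the sender.
RAW_EMAIL = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbox.example.org with ESMTP; Sat, 30 Jan 2010 10:00:05 +0000
Received: from webmail.example.com (webmail.example.com [198.51.100.7])
\tby mx.example.net with ESMTP; Sat, 30 Jan 2010 09:59:58 +0000
Received: from [192.168.0.1] (unknown [192.0.2.55])
\tby webmail.example.com with HTTP; Sat, 30 Jan 2010 09:59:51 +0000
Subject: About the item
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Private/loopback ranges name a machine on a home or office network,
# not a place on the internet, so they are skipped rather than looked up.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_routable(ip_text):
    """True for an address worth looking up with WHOIS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # the regex also matches junk like 999.1.1.1
        return False
    return not any(ip in net for net in PRIVATE_NETS)

def hops_bottom_up(raw):
    """Routable IPs from each Received header, earliest hop (sender side) first."""
    received = email.message_from_string(raw).get_all("Received") or []
    return [[ip for ip in IPV4.findall(line) if is_routable(ip)]
            for line in reversed(received)]  # bottom-to-top = sender first

def probable_origin(raw):
    """X-Originating-IP if present, else the first public IP reading bottom-up."""
    xoip = email.message_from_string(raw).get("X-Originating-IP", "")
    for ips in [IPV4.findall(xoip)] + hops_bottom_up(raw):
        for ip in ips:
            if is_routable(ip):
                return ip
    return None
```

For the sample above, probable_origin picks 192.0.2.55 from the bottom Received line; that is the address you would then feed to a WHOIS lookup.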
LOOKING UP AN EMAIL IP ADDRESS
As mentioned above, we need to use a WHOIS lookup service once we have located an IP Address. There are literally hundreds of these on the internet that can be used.
I will recommend only two, as I use both of these myself. The first is called Domain Tools [link] and is my personal favourite. The other is called DNS Stuff [link]. DNS Stuff contains a lot more geeky tools, but look for the “WHOIS/IPWHOIS Lookup” and enter the IP Address.
The information you get back may give you what you seek, such as the company and country to which that IP Address is allocated.
Here are some things to think about when you get results you don't understand. Some foreign countries, especially in Africa, use satellite connections to get onto the internet. This means that the IP Address will relate to the first landfall made from the satellite, which could be in any number of countries, such as the UK, Canada, the USA, Israel, or others.
At that point it takes more investigation: you then have to visit the corporate website and try to find their coverage map, if they publish it. This will indicate what satellite services they utilise and what areas of the world they cover.
IS THE ORIGINAL IP ADDRESS ALWAYS IN THE HEADER?
Unfortunately no. Some email services do not log the original IP Address in the header. Typically this is the case with webmail providers. Three of the best known IP hiders are GMail, FastMail and HushMail.
GMail and FastMail allow their users to send emails directly from an email application on their computer, instead of using the webmail interface. This mechanism does not hide the original IP Address, so it is always worth having a look at the header, just in case.
IT'S TOO COMPLICATED, IS THERE AN EASIER WAY?
Fortunately there are people out there who like to help, by providing tools we can use for free. If you find reading an email header too confusing or complicated, then try copying and pasting the whole header into the following web page: http://headertool.apelord.com/. I have no idea who owns it, but it has been around for many years.
This very useful tool will read the header for you and display all the IP Addresses it finds, along with a probable country of origin. The email header will be displayed to you again, with all IP Addresses highlighted so you can see where they all are. This can be very useful if you are learning to read the header yourself.
The ApeLord tool also has links to DNSStuff, so you can look at the details more closely.
- Wikipedia – IP Address [link] | Private IP Address [link]
- Wikipedia – Email Relay [link]
- Wikipedia – Internet Proxy [link]
- SpamCop.NET – Reveal the full, unmodified email. [link]
- Wikipedia – Email Headers [link] | E-Mail Message Header [link]
- ApeLord – Header Analysis [link]
- WHOIS Lookup – Domain Tools [link] | DNS Stuff [link]
Original article written for Shawn Mosch, co-founder of ScamVictimsUnited.COM
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.