Emails sent over the Internet carry the IP address of the computer that sent them. That address is stored in the Email header, which is delivered to the recipient along with the message. The header contains the addressing and routing information needed to deliver the Email to its intended destination.
Looking up IP Addresses in Email Headers
Email headers are delivered with every Email message. Contemporary Email clients hide the headers by default, but they can be displayed by selecting the corresponding option. The header of an Email contains a considerable amount of information.
The words “Received: from” appear at the beginning of each routing line in the Email header, followed by routing information, as in the example below:
Received: from EHLO mta962.chtah.net (18.104.22.168) by mta1046.mail.gq1.yahoo.com with SMTP; Mon, 13 Mar 2017 03:44:49 +0000
Email servers that route a message automatically insert these lines into its header; the lines contain the actual IP address of the sender.
Information Contained in Multiple Received: from Lines
Multiple “Received: from” lines in an Email header indicate that the message has made several hops through multiple Email servers. However, this is not always the case, since spammers can insert additional “Received: from” lines into headers.
To tell fake “Received: from” lines from genuine ones, check whether the last “Received: from” line in the header contains the correct IP address.
More Information about Fake Email Headers
When spammers insert fake information, a different method must be used to identify the IP address of the sender. The false information usually appears in the last “Received: from” line of the Email header.
To find the correct address, trace the message path starting with the last “Received: from” line in the header. Check that the “by” entry (which the author describes as the sending location) listed in one “Received” header matches the “from” entry (described as the receiving location) in the “Received” header below it. Domain names and IP addresses that do not match the rest of the header chain can be safely disregarded. The true address of the sender is in the last “Received: from” line that contains valid information.
Many spammers send Email directly rather than through an Internet Email server. In that case every “Received: from” line in the header will be fake except the first line, which contains the real address of the sender.
IP Addresses and Service Related to Internet Email
The way IP addresses appear in Email headers differs between Internet-based Email services. To locate the IP address in a message, see the service-specific notes below:
- Google's Gmail service leaves the sender's IP address out of all headers. The “Received: from” field contains only the IP address of the Gmail mail server, so it is not possible to find the true address of the sender in an Email received from Gmail.
- Microsoft's Hotmail service adds an extended header line, “X-Originating-IP”, which contains the actual IP address of the sender.
- Lastly, Emails originating from Yahoo contain the sender's IP address in the last “Received: from” entry.
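The header-chain check from the fake-header section and the service-specific notes above, combined into one Python example added here (it is not code from the original page). It uses the standard-library email parser on a constructed message whose bottom “Received:” line was injected by the sender; every host name and address in the sample is a made-up documentation value. In RFC 5321 syntax the host after “from” is the one handing the message over and the host after “by” is the server that added the line, so adjacent lines agree when a line's “from” host equals the “by” host of the line beneath it. The function prefers an X-Originating-IP header (the Hotmail case) and otherwise reports the address from the last “Received:” line that is still consistent with the chain; for Gmail that yields a Google server address, as the note above explains.

```python
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

# Constructed sample, not a real message. Received lines are most recent first,
# as they appear in a delivered message. The bottom line was injected by the
# sender: its "by" host does not match the "from" host of the line above it,
# so the chain breaks there and everything below the break is untrusted.
SAMPLE_MESSAGE = """\
Received: from mx.relay.example (mx.relay.example [192.0.2.10])
    by inbound.mail.example with ESMTP; Mon, 13 Mar 2017 03:44:49 +0000
Received: from smtp.spamsource.example (smtp.spamsource.example [203.0.113.77])
    by mx.relay.example with SMTP; Mon, 13 Mar 2017 03:44:40 +0000
Received: from mail.bank.example (mail.bank.example [198.51.100.5])
    by smtp.trusted.example with ESMTP; Mon, 13 Mar 2017 03:44:30 +0000
From: "Alerts" <alerts@bank.example>
To: recipient@mail.example
Subject: constructed sample

body
"""

# "from <host> ... by <host>"; the optional EHLO keyword appears in some
# relays' lines (the Yahoo line quoted on the page has it).
RECEIVED_RE = re.compile(
    r"from\s+(?:EHLO\s+)?(?P<from_host>[^\s;]+)"
    r"(?P<rest>.*?)"
    r"\bby\s+(?P<by_host>[^\s;]+)",
    re.IGNORECASE | re.DOTALL,
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Hop:
    from_host: str          # host that handed the message over
    from_ip: Optional[str]  # its IP as recorded by the receiving server, if any
    by_host: str            # server that added this Received line
    raw: str


def parse_received(value: str) -> Optional[Hop]:
    """Parse one Received header value; None if it lacks a from/by pair."""
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    ip = None
    ip_match = IPV4_RE.search(m.group("rest"))
    if ip_match:
        try:
            ip = str(ipaddress.ip_address(ip_match.group(0)))
        except ValueError:
            ip = None  # e.g. 999.1.1.1 is not an address
    return Hop(m.group("from_host").lower(), ip, m.group("by_host").lower(), text)


def received_chain(raw_message: str) -> List[Hop]:
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop:
            hops.append(hop)
    return hops


def last_consistent_hop(hops: List[Hop]) -> Optional[Hop]:
    """Walk down from the line added by the receiving server. Each line's
    'from' host must equal the 'by' host of the line beneath it; the first
    mismatch marks where the sender-injected lines begin."""
    if not hops:
        return None
    for i in range(len(hops) - 1):
        if hops[i].from_host != hops[i + 1].by_host:
            return hops[i]
    return hops[-1]


def sender_ip(raw_message: str) -> Optional[str]:
    """X-Originating-IP when present (Hotmail), else the IP recorded in the
    last Received line that is still consistent with the chain."""
    msg = message_from_string(raw_message)
    xoip = msg.get("X-Originating-IP")
    if xoip:
        try:
            return str(ipaddress.ip_address(xoip.strip().strip("[]")))
        except ValueError:
            pass  # malformed header; fall back to the Received chain
    hop = last_consistent_hop(received_chain(raw_message))
    return hop.from_ip if hop else None


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print(f"from {hop.from_host} ({hop.from_ip}) by {hop.by_host}")
    print("sender IP:", sender_ip(SAMPLE_MESSAGE))
```

Running the file walks the three sample hops and reports 203.0.113.77, the address recorded in the last line whose “from” host still agrees with the line beneath it; the bottom line, whose “by” host matches nothing above it, is the injected one and is ignored.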