Tracking Where Your Emails Come From

Recently, I started receiving odd emails in my usually clean Gmail inbox. I wasn’t sure whether they were spam or someone just trying to mess with me, which got my brain ticking, so I decided to try figuring out where the emails came from. The steps here are presented assuming you’re using Gmail on Mac OS X, but they should still be applicable to other email services.

  1. Locate the email header. Every email has header information built-in. It’s usually hidden when you’re just opening and reading emails normally, but most email services provide a way to view the email header if you want to. In Gmail, with the email of choice open, click on the drop-down menu at the top right of the email, and you should see an option called “Show original”.
  2. “Show original” should open a new browser window with header information about the email. Within this header information will be the IP address of where the email was sent from. There could be a Public IP address and a Private IP address. Both will be listed as something like “Received: from”.
  3. Using our terminal, we can run a whois search on the Public and Private IP addresses. Simply open a terminal window and type whois XXX.XX.XX.XX, where XXX.XX.XX.XX is each of the IP addresses identified. The results give us an organization name and address, along with listed contact information. Results will vary based on the origin of the email.
  4. Another terminal command we can use to get information is traceroute. Simply open a terminal window and type traceroute XXX.XX.XX.XX, where XXX.XX.XX.XX is the Private IP Address identified. We can perform subsequent whois searches on each of the IP addresses that traceroute lists if we wish. It will help paint a picture of the router locations the email was sent through. In our case we see locations such as 1&1 Internet AG in Amsterdam, Germany, Telia International Carrier in Sweden, Level 3 Communications in Broomfield, Colorado, and Total Server Solutions in Atlanta, Georgia. Assuming each of these is simply a server location, it’s not all that helpful in identifying the location of the actual sender.
  5. If we want a chance at finding the actual sender’s IP, we have to get slightly more tricky. In this case, we could try using a cookie tracking service. Now, as a precaution, it is never recommended to reply to spam email, as this lets the spammer know your account is still active, thus encouraging them to send more spam. But if you have to scratch that itch on your brain, as I do, then try this. Look for a service (such as www.readnotify.com) that offers free cookie tracking on emails. Set up an account, and then send a reply email to the target with the proper cookie tracking settings. Try to keep it as invisible as possible (the service should have settings to make things hidden). Once the user opens the reply email with cookie tracking, you should be able to see information such as when they opened it, how long it was open for, what operating system and browser they use, and where they opened it from.
  6. Now, if you’re like me, knowing that cookie tracking services like this exist made me question if any emails I’ve received were being tracked. Luckily, there’s a Chrome extension called UglyMail that lets you know (if you’re using Gmail). Simply add the extension to your Chrome browser, open your Gmail, and you should see a symbol (an eye) in the subject of any email that is being tracked.
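
As an added example (not part of the original post), here is one way to do the header reading from steps 2 and 3 in Python: pull the IP addresses out of the Received headers in the text that “Show original” displays, order them from sender to recipient, and separate public from private ones, since whois only has registration data for public addresses. The sample message is constructed, 8.8.8.8 and 1.1.1.1 are used only as stand-ins for public addresses, and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample of "Show original" output. Host names are made up;
# 8.8.8.8 and 1.1.1.1 are only stand-ins for "some public address".
SAMPLE = """\
Delivered-To: me@example.com
Received: by 10.28.5.9 with SMTP id abc123; Mon, 1 Jun 2015 10:00:03 -0700 (PDT)
Received: from mx.relay.example (mx.relay.example. [1.1.1.1])
        by mx.google.com with ESMTP id x1; Mon, 1 Jun 2015 10:00:02 -0700 (PDT)
Received: from [192.168.1.44] (unknown [8.8.8.8])
        by mx.relay.example with ESMTPSA id y2; Mon, 1 Jun 2015 10:00:00 -0700 (PDT)
From: "Someone" <someone@sender.example>
Subject: hello

body
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # IPv4 only, to keep the example short

def received_hops(raw):
    """Return [(hop_number, ip, kind)]; hop 1 is the Received line closest to the sender."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received header, so the last one in the text is the oldest.
    for n, value in enumerate(reversed(msg.get_all("Received", [])), start=1):
        for text in IP_RE.findall(value):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # matched the pattern but is not a valid address (e.g. 999.1.1.1)
            kind = "public" if ip.is_global else "private/reserved"
            hops.append((n, text, kind))
    return hops

def whois_candidates(raw):
    """Public addresses only, in sender-to-recipient order, without duplicates."""
    seen = []
    for _, ip, kind in received_hops(raw):
        if kind == "public" and ip not in seen:
            seen.append(ip)
    return seen

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop)
    print("run whois on:", whois_candidates(SAMPLE))
```

Received lines written before the message reached a server you trust are supplied by the sending side and can be forged, so treat the earliest hops as claims rather than facts.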

I hope this helps you locate and prevent any annoying emails!

Thank you for reading and stay tuned for more future ramblings!

-JPR
