How To Trace

2017-12-30T21:54:52+00:00

Very few people know this, but emails actually arrive in your inbox with a ‘receipt’, also called a “header”, which contains a lot of information about the sender.

When trying to determine if you are dealing with a scammer, look at the email. Embedded in there is the source IP address – which you can easily trace back to the country of origin. This is usually enough to prove that the dating profile contains false statements.

This is a great tool to visually trace where emails come from:

The following is reprinted from

Accessing the email header is different for every email provider or email application, and sometimes, it is even hidden. In most of the cases however, the option to reveal the full header will be somewhere in the area where the subject and sender name are provided.

For example, the Yahoo! Mail header is in the upper right corner of the sender box, which is pointed out in the screenshot above. When you click Show Original, a text file will open in a new tab. This file contains all the necessary headers at the start. They are highlighted in screenshots.

And this is how the full email header appears in Yahoo! Mail:


For Gmail, the header is hidden under ‘Show Original’, which will show you the complete email in plain text, including the header.

The example below is the header from an email I received in Gmail.

In order to find out the IP address of the original sender, we need to look closely at the first half of the header. Somewhere in there, you’ll find a domain name and an IP address. Particularly, take a closer look at the term ‘Received: from’:

The first ‘Received: from’ line gives us the IP address of the server which forwarded the email to my Gmail address.

Received: from [])

If we continue our search, the second ‘Received: from’ line gives us the originating IP address.

Received: from unknown (HELO ? ([email protected] with plain)

This means that Chaz, located at sent me an email.

The next line will only appear if the email was sent using an email application residing on the sender’s computer, like Thunderbird or Apple Mail. In our case:

X-Mailer: Apple Mail (2.753.1)

If the user sent the email using the web interface, the string would have looked like this:

Received: from [] by via HTTP

We have the originating IP address . To find out who’s behind that IP address we need to do a reverse DNS lookup using a web service like DomainTools, the command line, or ‘Network Tools’ in Ubuntu.

In our case, we know that someone called Chaz from Atlanta, using Cox Communications – with an IP address, depending on the subnet mask, sent that email.

Alternatively, you could use a tool called Email Trace, which does the whole operation for you after you input the full email header into the text box. It might not always work, so knowing how to do it the old-fashioned way might come in handy.

This proves useful if you’re trying to report a spammer to your ISP, find out where a certain person is located at the moment, or help you spot phishing emails. For example, PayPal couldn’t have sent an email from an IP address in China.

If you know other good uses for this procedure, please share it with us in the comments.

Here is another example, this is the header shown in Outlook (usually go to the File menu, then PROPERTIES, and look in the pop-up for INTERNET HEADERS):

Return-Path: <[email protected]>
Delivery-Date: Mon, 14 Jan 2013 19:11:37 -0500
Received: from ( [])
by (node=mxus3) with ESMTP (Nemesis)
id 0M93Ab-1TnVCE2rtN-00CLLY for [email protected]; Mon, 14 Jan 2013 19:11:37 -0500
Received: from [] by with NNFMP; 15 Jan 2013 00:11:35 -0000
Received: from [] by with NNFMP; 15 Jan 2013 00:11:31 -0000
Received: from [] by with NNFMP; 15 Jan 2013 00:11:31 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: [email protected]
Received: (qmail 61307 invoked by uid 60001); 15 Jan 2013 00:11:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s1024; t=1358208689; bh=5qvMOz+zcKvvgXFKY6ZNnIci/zNL1Z6lhIWnkc6AIGI=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=qKJux4wiZlcc/EGzSXZA3S2w3sJsKg0UBUWK5MdzByupcYhCo1EueUsQqyqdXSfP5+GcKYoGvMrZ/3tV7vgwWC5gvlmYuW4Zxs2hQPAQF77UOzed+b5T+yxZ8L3E9BYCskUFnTNhWb+ZCeqFCZ9ilaEOCBlQxeuI5bjZnqSEJL8=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
X-YMail-OSG: .43r__0VM1kvbKvojL9YNut6fw9LQm.BPDbE.NvcxyCO6pF
Received: from [] by via HTTP; Mon, 14 Jan 2013 16:11:29 PST
X-Rocket-MIMEInfo: 001.001,V2hhdGV2ZXIsIHN3ZWV0IHlvdXJzZWxmLi4uLi4KCgpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwogRnJvbTogImRydGltQHByZWNvbHVtYmlhbi51cyIgPGRydGltQHByZWNvbHVtYmlhbi51cz4KVG86ICdLdW1iZXJsaW4gV2lsbGlhbScgPGt1bTc1NDdAeWFob28uY29tPiAKU2VudDogTW9uZGF5LCBKYW51YXJ5IDE0LCAyMDEzIDExOjE1IEFNClN1YmplY3Q6IFJFOiBIaQogCgpGdWNrIG9mZgrCoApGcm9tOkt1bWJlcmxpbiBXaWxsaWFtIFttYWlsdG86a3VtNzU0N0B5YWhvby5jb21dIApTZW4BMAEBAQE-
X-Mailer: YahooMailWebService/
References: <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]>
Message-ID: <[email protected]>
Date: Mon, 14 Jan 2013 16:11:29 -0800 (PST)
From: Kumberlin William <[email protected]>
Reply-To: Kumberlin William <[email protected]>
Subject: Re: Hi
To: <<your email address>>
In-Reply-To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-910415156-635500673-1358208689=:50062"
X-UI-Junk: AutoMaybeJunk +0 ();
Envelope-To: <<your email address>>

You see the line: Received: from [] by via HTTP; Mon, 14 Jan 2013 16:11:29 PST

That contains the sender’s real IP address. In the dating profile she said she was in Miami – BUT look at the map below (from  try it yourself)

You see that the emails appear to be coming from Europe – most likely through a PROXY to hide the original location – meaning from Ghana!

Doing this will at least give you confirmation of a person’s location, which usually is enough to spot a scammer!
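
The walk through the ‘Received:’ lines described for both the Gmail header and the Outlook header above can be scripted. The following Python is an added example, not part of the reprinted article: the sample header, host names and IP addresses are constructed (documentation address ranges), and the function names received_hops and likely_origin are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample: example.* hosts and RFC 5737 documentation IPs,
# laid out like the Outlook header above (newest hop first).
SAMPLE = """\
Return-Path: <sender@example.net>
Received: from mout.example.net (mout.example.net [198.51.100.25])
\tby mx.example.org with ESMTP id abc123; Mon, 14 Jan 2013 19:11:37 -0500
Received: from [10.1.2.3] by relay.example.net with NNFMP; 15 Jan 2013 00:11:35 -0000
Received: (qmail 61307 invoked by uid 60001); 15 Jan 2013 00:11:29 -0000
Received: from [203.0.113.77] by web.example.net via HTTP; Mon, 14 Jan 2013 16:11:29 PST
Subject: Re: Hi

body
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# Addresses that only identify a provider's internal relays or a home LAN.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def received_hops(raw):
    """Return the Received chain oldest-first, one dict per hop."""
    msg = email.message_from_string(raw)
    hops = []
    # Each server prepends its line, so the bottom Received is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())      # unfold continuation lines
        from_part = text.split(" by ", 1)[0]     # address of the connecting client
        match = IP_RE.search(from_part)
        try:
            ip = ipaddress.ip_address(match.group(1)) if match else None
        except ValueError:                       # bracketed text was not an IP
            ip = None
        hops.append({"ip": ip, "via_http": " via HTTP" in text, "raw": text})
    return hops

def likely_origin(raw):
    """Oldest hop whose address is not an internal relay, or None."""
    for hop in received_hops(raw):
        ip = hop["ip"]
        if ip and not any(ip.version == 4 and ip in net for net in INTERNAL):
            return ip
    return None

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop["ip"], "(web interface)" if hop["via_http"] else "", hop["raw"][:60])
    print("likely origin:", likely_origin(SAMPLE))
```

Only the hops stamped by your own mail provider are outside the sender's control; every ‘Received:’ line below them is supplied by the sending side and can be forged, so treat the result as a lead to check rather than as proof.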

Good Luck and Good Hunting!


8 Comments on "How To Trace"

how to look for the full header on an icloud account?

john sellen

there should be a law making all dating sites to have a link to sites like this so as to make it easier for people who are not computer savvy to find out what's going on out there
