How To Trace
Very few people know this, but emails actually arrive in your inbox with a 'receipt', also called a 'header', which contains a lot of information about the sender.
When trying to determine if you are dealing with a scammer, look at the email header. Embedded in there is the source IP address, which you can easily trace back to the country of origin. This is usually enough to prove that the dating profile contains false statements.
This is a great tool to visually trace where emails come from: http://traceroute.monitis.com/
The following is reprinted from MakeUseOf.com:
Accessing the email header is different for every email provider or email application, and sometimes, it is even hidden. In most of the cases however, the option to reveal the full header will be somewhere in the area where the subject and sender name are provided.
For example, the Yahoo! Mail header is in the upper right corner of the sender box, which is pointed out in the screenshot above. When you click Show Original, a text file will open in a new tab. This file contains all the necessary headers at the start. They are highlighted in screenshots.
And this is how the full email header appears in Yahoo! Mail:
For Gmail, the header is hidden under 'Show Original', which will show you the complete email in plain text, including the header.
The example below is the header from an email I received in Gmail.
In order to find out the IP address of the original sender, we need to look closely at the first half of the header. Somewhere in there, you'll find a domain name and an IP address. In particular, take a closer look at the lines beginning 'Received: from':
The first 'Received: from' line gives us the IP address of the server which forwarded the email to my Gmail address.
Received: from smtp110.biz.mail.mud.yahoo.com(smtp110.biz.mail.mud.yahoo.com [18.104.22.168])
If we continue our search, the second 'Received: from' line gives us the originating IP address.
Received: from unknown (HELO ?192.168.0.100?) (firstname.lastname@example.org with plain)
This means that Chaz, located at 22.214.171.124, sent me an email.
The next line will only appear if the email was sent using an email application residing on the sender’s computer, like Thunderbird or Apple Mail. In our case:
X-Mailer: Apple Mail (2.753.1)
If the user had sent the email using the web interface, the string would have looked like this:
Received: from [126.96.36.199] by web56706.mail.re3.yahoo.com via HTTP
We have the originating IP address 188.8.131.52. To find out who's behind that IP address we need to do a reverse DNS lookup using a web service like DomainTools, the command line, or 'Network Tools' in Ubuntu.
In our case, we know that someone called Chaz from Atlanta, using Cox Communications, with an IP address 184.108.40.206 (depending on the subnet mask), sent that email.
Alternatively, you could use a tool called Email Trace, which does the whole operation for you after you paste the full email header into the text box. It might not always work, so knowing how to do it the old-fashioned way might come in handy.
This proves useful if you're trying to report a spammer to your ISP, find out where a certain person is located at the moment, or spot phishing emails. For example, PayPal couldn't have sent an email from an IP address in China.
If you know other good uses for this procedure, please share them with us in the comments.
Here is another example. This is the header as shown in Outlook (usually go to the File menu, then PROPERTIES, and look in the pop-up for INTERNET HEADERS):
Delivery-Date: Mon, 14 Jan 2013 19:11:37 -0500
Received: from nm25.access.bullet.mail.mud.yahoo.com (nm25.access.bullet.mail.mud.yahoo.com [220.127.116.11])
by mx.perfora.net (node=mxus3) with ESMTP (Nemesis)
id 0M93Ab-1TnVCE2rtN-00CLLY for email@example.com; Mon, 14 Jan 2013 19:11:37 -0500
Received: from [18.104.22.168] by nm25.access.bullet.mail.mud.yahoo.com with NNFMP; 15 Jan 2013 00:11:35 -0000
Received: from [22.214.171.124] by tm7.access.bullet.mail.mud.yahoo.com with NNFMP; 15 Jan 2013 00:11:31 -0000
Received: from [127.0.0.1] by omp1027.access.mail.sp2.yahoo.com with NNFMP; 15 Jan 2013 00:11:31 -0000
Received: (qmail 61307 invoked by uid 60001); 15 Jan 2013 00:11:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1358208689; bh=5qvMOz+zcKvvgXFKY6ZNnIci/zNL1Z6lhIWnkc6AIGI=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=qKJux4wiZlcc/EGzSXZA3S2w3sJsKg0UBUWK5MdzByupcYhCo1EueUsQqyqdXSfP5+GcKYoGvMrZ/3tV7vgwWC5gvlmYuW4Zxs2hQPAQF77UOzed+b5T+yxZ8L3E9BYCskUFnTNhWb+ZCeqFCZ9ilaEOCBlQxeuI5bjZnqSEJL8=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
Received: from [126.96.36.199] by web181106.mail.ne1.yahoo.com via HTTP; Mon, 14 Jan 2013 16:11:29 PST
References: <firstname.lastname@example.org> <1357565038.77999.YahooMailNeo@web181102.mail.ne1.yahoo.com> <email@example.com> <1357589957.97924.YahooMailNeo@web181104.mail.ne1.yahoo.com> <firstname.lastname@example.org> <1357774257.99213.YahooMailNeo@web181103.mail.ne1.yahoo.com> <email@example.com> <1357863809.10905.YahooMailNeo@web181106.mail.ne1.yahoo.com> <firstname.lastname@example.org> <1357887383.77454.YahooMailNeo@web181103.mail.ne1.yahoo.com> <email@example.com> <1357946156.85022.YahooMailNeo@web181104.mail.ne1.yahoo.com> <firstname.lastname@example.org> <1358002830.84998.YahooMailNeo@web181101.mail.ne1.yahoo.com> <email@example.com> <1358011456.68112.YahooMailNeo@web181106.mail.ne1.yahoo.com> <firstname.lastname@example.org> <1358080042.37003.YahooMailNeo@web181106.mail.ne1.yahoo.com> <email@example.com> <1358160107.78115.YahooMailNeo@web181105.mail.ne1.yahoo.com> <firstname.lastname@example.org>
Date: Mon, 14 Jan 2013 16:11:29 -0800 (PST)
From: Kumberlin William <email@example.com>
Reply-To: Kumberlin William <firstname.lastname@example.org>
Subject: Re: Hi
To: <<your email address>>
Content-Type: multipart/alternative; boundary="-910415156-635500673-1358208689=:50062"
X-UI-Junk: AutoMaybeJunk +0 ();
Envelope-To: <<your email address>>
You see the line:
Received: from [188.8.131.52] by web181106.mail.ne1.yahoo.com via HTTP; Mon, 14 Jan 2013 16:11:29 PST
That contains the sender's real IP address. In the dating profile she said she was in Miami, BUT look at the map below (from http://traceroute.monitis.com/; try it yourself).
You see that the emails appear to be coming from Europe, most likely through a PROXY to hide the original location, meaning from Ghana!
Doing this will at least give you confirmation of a person’s location, which usually is enough to spot a scammer!
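As an added example (not from the original page or from MakeUseOf), the procedure above of walking the 'Received: from' lines automated in Python: it unfolds the headers, lists each hop newest-first, and returns the oldest routable address, skipping internal hops such as 192.168.0.100 and 127.0.0.1. The sample header is constructed from the Outlook example; its IP addresses are documentation ranges, not real observations.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the Outlook header above: hostnames are the
# page's, the IP addresses are documentation ranges, not real observations.
SAMPLE_HEADER = """\
Received: from nm25.access.bullet.mail.mud.yahoo.com (nm25.access.bullet.mail.mud.yahoo.com [203.0.113.10])
\tby mx.perfora.net (node=mxus3) with ESMTP (Nemesis)
\tid 0M93Ab-1TnVCE2rtN-00CLLY; Mon, 14 Jan 2013 19:11:37 -0500
Received: from [203.0.113.11] by nm25.access.bullet.mail.mud.yahoo.com with NNFMP; 15 Jan 2013 00:11:35 -0000
Received: from [127.0.0.1] by omp1027.access.mail.sp2.yahoo.com with NNFMP; 15 Jan 2013 00:11:31 -0000
Received: (qmail 61307 invoked by uid 60001); 15 Jan 2013 00:11:29 -0000
Received: from [198.51.100.23] by web181106.mail.ne1.yahoo.com via HTTP; Mon, 14 Jan 2013 16:11:29 PST
From: Kumberlin William <sender@example.com>
Subject: Re: Hi
"""

# Addresses that can only be hops inside a provider's own network, never the
# sender: loopback, the RFC 1918 private ranges and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
HOP_RE = re.compile(r"\bfrom\s+(.+?)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_chain(raw_message):
    """(from_part, bracketed_ip, by_host) per 'Received: from ... by ...' line,
    newest hop first as in the header; folded lines are unfolded, and lines
    without such a pair (the local qmail one) are skipped."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        if not m:
            continue
        ip = IP_RE.search(m.group(1))
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(2)))
    return hops

def originating_ip(raw_message):
    """Walk from the oldest hop (bottom of the header) upward and return the
    first address outside INTERNAL_NETS: the page's 'second Received: from'
    step, automated. Only lines added by your own provider are trustworthy;
    everything below them was written on the sender's side."""
    for _from_part, ip, _by_host in reversed(hop_chain(raw_message)):
        if ip and not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
            return ip
    return None
```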
Good Luck and Good Hunting!