
How To Trace

Very few people know this, but emails actually arrive in your inbox with a ‘receipt’, also called a “header”, which contains a lot of information about the sender.

When trying to determine if you are dealing with a scammer, look at the email. Embedded in there is the source IP address – which you can easily trace back to the country of origin. This is usually enough to prove that the dating profile contains false statements.

This is a great tool to visually trace where emails come from:  http://traceroute.monitis.com/

The following is reprinted from MakeUseOf.com:

Accessing the email header is different for every email provider or email application, and sometimes, it is even hidden. In most of the cases however, the option to reveal the full header will be somewhere in the area where the subject and sender name are provided.


For example, the Yahoo! Mail header is in the upper right corner of the sender box, which is pointed out in the screenshot above. When you click Show Original, a text file will open in a new tab. This file contains all the necessary headers at the start. They are highlighted in screenshots.

And this is how the full email header appears in Yahoo! Mail:

 

For Gmail, the header is hidden under ‘Show Original’, which will show you the complete email in plain text, including the header.

The example below is the header from an email I received in GMail.

In order to find out the IP address of the original sender, we need to look closely at the first half of the header. Somewhere in there, you’ll find a domain name and an IP address. Particularly, take a closer look at the term ‘Received: from’:

The first ‘Received: from’ line gives us the IP address of the server which forwarded the email to my Gmail address.

Received: from smtp110.biz.mail.mud.yahoo.com(smtp110.biz.mail.mud.yahoo.com [68.142.201.179])

If we continue our search, the second ‘Received: from’ line gives us the originating IP address.

Received: from unknown (HELO ?192.168.0.100?) (chaz@68.108.204.242 with plain)

This means that Chaz, located at 68.108.204.242 sent me an email.

The next line will only appear if the email was sent using an email application residing on the sender’s computer, like Thunderbird or Apple Mail. In our case:

X-Mailer: Apple Mail (2.753.1)

If the user sent the email using the web interface, the string would have looked like this:

Received: from [158.143.189.83] by web56706.mail.re3.yahoo.com via HTTP

We have the originating IP address 68.108.204.242. To find out who’s behind that IP address we need to do a reverse DNS lookup using a web service like DomainTools, the command line or from ‘Network Tools’ in Ubuntu.

In our case, we know that someone called Chaz from Atlanta, using Cox Communications – with an IP address 68.108.204.242, depending on the subnet mask, sent that email.

Alternatively, you could use a tool called Email Trace, that does the whole operation for you after inputting the full email header into the text box. It might not always work, so knowing how to do it the old-fashioned way might come in handy.

This proves useful if you’re trying to report a spammer to your ISP, find out where a certain person is located at the moment, or help you spot phishing emails. For example, PayPal couldn’t have sent an email from an IP address in China.

If you know other good uses for this procedure, please share it with us in the comments.

Here is another example, this is the header shown in Outlook (usually go to the File menu, then PROPERTIES, and look in the pop-up for INTERNET HEADERS):

Return-Path: <kum7547@yahoo.com>
Delivery-Date: Mon, 14 Jan 2013 19:11:37 -0500
Received: from nm25.access.bullet.mail.mud.yahoo.com (nm25.access.bullet.mail.mud.yahoo.com [66.94.237.90])
by mx.perfora.net (node=mxus3) with ESMTP (Nemesis)
id 0M93Ab-1TnVCE2rtN-00CLLY for drtim@precolumbian.us; Mon, 14 Jan 2013 19:11:37 -0500
Received: from [66.94.237.196] by nm25.access.bullet.mail.mud.yahoo.com with NNFMP; 15 Jan 2013 00:11:35 -0000
Received: from [98.139.44.90] by tm7.access.bullet.mail.mud.yahoo.com with NNFMP; 15 Jan 2013 00:11:31 -0000
Received: from [127.0.0.1] by omp1027.access.mail.sp2.yahoo.com with NNFMP; 15 Jan 2013 00:11:31 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 15909.21098.bm@omp1027.access.mail.sp2.yahoo.com
Received: (qmail 61307 invoked by uid 60001); 15 Jan 2013 00:11:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1358208689; bh=5qvMOz+zcKvvgXFKY6ZNnIci/zNL1Z6lhIWnkc6AIGI=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=qKJux4wiZlcc/EGzSXZA3S2w3sJsKg0UBUWK5MdzByupcYhCo1EueUsQqyqdXSfP5+GcKYoGvMrZ/3tV7vgwWC5gvlmYuW4Zxs2hQPAQF77UOzed+b5T+yxZ8L3E9BYCskUFnTNhWb+ZCeqFCZ9ilaEOCBlQxeuI5bjZnqSEJL8=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type;
b=BpqDTYTQdYcVViVLhOXL47hYrs3ASSB0frxGhoqn1vZWKe/TTnS8xUNx3rEB46d4zgy7FW78Zz+JyHrHLSO+Ve5SE0N1u1pdDc0NHELem6eXgpFrw3CEe3mtPqSXX6ZUCbl8cqelczE/i25zNweUZ7BYM+yUkqns5jV8Urby0i8=;
Received: from [172.129.103.50] by web181106.mail.ne1.yahoo.com via HTTP; Mon, 14 Jan 2013 16:11:29 PST
X-Rocket-MIMEInfo: 001.001,V2hhdGV2ZXIsIHN3ZWV0IHlvdXJzZWxmLi4uLi4KCgpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwogRnJvbTogImRydGltQHByZWNvbHVtYmlhbi51cyIgPGRydGltQHByZWNvbHVtYmlhbi51cz4KVG86ICdLdW1iZXJsaW4gV2lsbGlhbScgPGt1bTc1NDdAeWFob28uY29tPiAKU2VudDogTW9uZGF5LCBKYW51YXJ5IDE0LCAyMDEzIDExOjE1IEFNClN1YmplY3Q6IFJFOiBIaQogCgpGdWNrIG9mZgrCoApGcm9tOkt1bWJlcmxpbiBXaWxsaWFtIFttYWlsdG86a3VtNzU0N0B5YWhvby5jb21dIApTZW4BMAEBAQE-
X-Mailer: YahooMailWebService/0.8.130.494
References: <110401cdeca5$fb482260$f1d86720$@my-domain.us> <1357565038.77999.YahooMailNeo@web181102.mail.ne1.yahoo.com> <1dbc01cdecf2$e12f0bd0$a38d2370$@my-domain.us> <1357589957.97924.YahooMailNeo@web181104.mail.ne1.yahoo.com> <283e01cdeebf$0ebb1bc0$2c315340$@my-domain.us> <1357774257.99213.YahooMailNeo@web181103.mail.ne1.yahoo.com> <28db01cdeed4$68fd98a0$3af8c9e0$@my-domain.us> <1357863809.10905.YahooMailNeo@web181106.mail.ne1.yahoo.com> <034801cdef96$284d9b80$78e8d280$@my-domain.us> <1357887383.77454.YahooMailNeo@web181103.mail.ne1.yahoo.com> <045101cdefe6$c9f16750$5dd435f0$@my-domain.us> <1357946156.85022.YahooMailNeo@web181104.mail.ne1.yahoo.com> <07ad01cdf070$aee1a800$0ca4f800$@my-domain.us> <1358002830.84998.YahooMailNeo@web181101.mail.ne1.yahoo.com> <089e01cdf0e2$ae36bb30$0aa43190$@my-domain.us> <1358011456.68112.YahooMailNeo@web181106.mail.ne1.yahoo.com> <08fa01cdf11b$9d88ed60$d89ac820$@my-domain.us> <1358080042.37003.YahooMailNeo@web181106.mail.ne1.yahoo.com> <0a4301cdf21d$453a3b70$cfaeb250$@my-domain.us> <1358160107.78115.YahooMailNeo@web181105.mail.ne1.yahoo.com> <0d5201cdf28b$90738c40$b15aa4c0$@my-domain.us>
Message-ID: <1358208689.50062.YahooMailNeo@web181106.mail.ne1.yahoo.com>
Date: Mon, 14 Jan 2013 16:11:29 -0800 (PST)
From: Kumberlin William <kum7547@yahoo.com>
Reply-To: Kumberlin William <kum7547@yahoo.com>
Subject: Re: Hi
To: <<your email address>>
In-Reply-To: <0d5201cdf28b$90738c40$b15aa4c0$@my-domain.us>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-910415156-635500673-1358208689=:50062"
X-UI-Loop: V01:FUqGeBDLACk=:jRjztGwM1ERFACRegGIT6bXQFuREj+0VUjxGPJ6BTFY=
X-UI-Junk: AutoMaybeJunk +0 ();
Envelope-To: <<your email address>>

You see the line: Received: from [172.129.103.50] by web181106.mail.ne1.yahoo.com via HTTP; Mon, 14 Jan 2013 16:11:29 PST

That contains the sender’s real IP address. In the dating profile she said she was in Miami – BUT look at the map below (from http://traceroute.monitis.com/ – try it yourself).

You see that the emails appear to be coming from Europe – most likely through a PROXY to hide the original location – meaning from Ghana!

Doing this will at least give you confirmation of a person’s location, which usually is enough to spot a scammer!
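The walk through the ‘Received:’ lines described above can be scripted; the Python below is an added example, not code from the original article, and its function names are hypothetical. The sample is constructed by abridging the Outlook header shown above.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample: Received lines abridged from the Outlook header on this page.
SAMPLE = """\
Received: from nm25.access.bullet.mail.mud.yahoo.com (nm25.access.bullet.mail.mud.yahoo.com [66.94.237.90])
\tby mx.perfora.net (node=mxus3) with ESMTP (Nemesis); Mon, 14 Jan 2013 19:11:37 -0500
Received: from [66.94.237.196] by nm25.access.bullet.mail.mud.yahoo.com with NNFMP; 15 Jan 2013 00:11:35 -0000
Received: from [127.0.0.1] by omp1027.access.mail.sp2.yahoo.com with NNFMP; 15 Jan 2013 00:11:31 -0000
Received: (qmail 61307 invoked by uid 60001); 15 Jan 2013 00:11:29 -0000
Received: from [172.129.103.50] by web181106.mail.ne1.yahoo.com via HTTP; Mon, 14 Jan 2013 16:11:29 PST
Subject: Re: Hi

"""

# Dotted quad that is not part of a longer run of digits and dots.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def public_ips(text):
    """Return the globally routable IPv4 addresses found in text, in order."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # not an address, e.g. a version string like 0.8.130.494
        if addr.is_global:  # drops loopback (127.x) and private (192.168.x) ranges
            found.append(str(addr))
    return found

def trace_hops(raw_headers):
    """List the Received hops oldest-first as (from_part, public_ips) tuples."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    # Each server prepends its own line, so the bottom line is the oldest hop.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())        # unfold continuation lines
        from_part = value.split(" by ", 1)[0]  # sending side as the receiver recorded it
        hops.append((from_part, public_ips(from_part)))
    return hops

def likely_origin(raw_headers):
    """First public address on the oldest hop that has one, or None.
    Lines written before the mail reached a server you trust can be forged,
    so treat the result as a lead to check, not as proof."""
    for _, ips in trace_hops(raw_headers):
        if ips:
            return ips[0]
    return None
```

Paste a full header in place of SAMPLE and call likely_origin(); the address it returns is the one to feed into the reverse DNS or geolocation lookup described above.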

Good Luck and Good Hunting!



Romance Scams Now Publisher

Scammer Hunter, Investigator, Documentor, Exposer at McGuinnessPublishing® LLC. a unit of WebFossil®
RomanceScamsNow.com is jointly published by PerfectReputations® and McGuinnessPublishing®. This site is maintained by the McGuinnessPublishing® staff to provide the most up to date information about active scammers from around the world available anywhere. Be sure to use our search feature to locate scammers you may suspect. And be sure to report scammers here!


6 Comments on "How To Trace"


Guest
john sellen
9 months 11 days ago
There should be a law making all dating sites have a link to sites like this so as to make it easier for people who are not computer savvy to find out what's going on out there.
Guest
michael kors
11 months 27 days ago
Everyone loves what you guys are up to. This kind of clever work and reporting! Keep up the amazing works guys, I've incorporated you guys to blogroll.
Guest
ansing@aol.com
1 year 4 months ago
This is the right web site for anyone who would like to find out about this topic. You realize so much it's almost hard to argue with you (not that I actually will need to…HaHa). You definitely put a new spin on a topic that's been discussed for a long time. Wonderful stuff, just great!
Guest
TolmieCavallo206@hotmail.com
1 year 4 months ago
Hey very nice site!! Man .. Beautiful .. Wonderful .. I will bookmark your blog and take the feeds also? I am satisfied to seek out numerous helpful info right here within the post, we want work out extra strategies on this regard, thank you for sharing.
Guest
Energy
1 year 10 months ago
Just desire to say your article is as astonishing. I can assume you're knowledgeable on this subject.
Guest
StygianAgent
1 year 7 months ago
Are you a bot or just #$%^&*( stupid?
 