Thursday, January 20, 2011



You just received an email message.
It could be giving you the good news that you have just won the European Lotto. Or some long-lost relative died unexpectedly in Nigeria and left you $82 million. Or your friend was detained by the authorities in South Africa while attending the World Cup and has e-mailed asking you to send money.
Have you ever wondered where those messages come from? Wouldn't it be nice if there were some way to trace a message: some record of where it has been, from the person who sent it through all the little relays in between?
What if I told you that just such a record exists for every e-mail ever sent? It's true! It's called the HEADERS. Today I'm going to show you how to find and decipher an e-mail header.

Exhibit A

Looking at this message we can see that the sender
sent this message to "UNDISCLOSED RECIPIENT".
This little trick is accomplished by sending the message to herself and putting you and everyone else on the sucker list in BCC (Blind Carbon Copy). It keeps you from seeing that 500 other people won the same 750,000 British pounds, which just might arouse suspicion in the reader. And it prevents the authorities from locating and notifying the other people on the sucker list. It is a bullet-proof way to leave no record of the BCC recipients, because no record is made: the mail standards (RFC 5322) let the sending server strip the Bcc line before delivery, and webmail does exactly that, so the copy you receive never carried the list.

So what do we care about them? Nothing! Right now our main concern is to find out from whence this message came. In Microsoft Outlook 2007, the headers are found by clicking on

The headers are the text located in the window labeled "Internet headers", duh!

and they look like this:

The top shows where it was delivered to. But we already know where it was delivered; we want to know where it came from. Every mail server the message passes through adds its own Received: line at the top of the headers, so the newest information is at the top of the list and the oldest is at the bottom. The information we want is down at the bottom, where the message originated. One caution: only the Received: lines added by servers you trust (your own mail provider's) are guaranteed genuine. A spammer can write any number of fake Received: lines into a message before sending it, so the very bottom line is the claimed origin, not a proven one.

Received: from [] by via HTTP; Thu, 16 Dec 2010 05:47:37 PST
X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/
Date: Thu, 16 Dec 2010 05:47:37 -0800 (PST)

All of that gobbledygook is computer-ese for: at the date and time indicated, the user named uploaded a message for delivery through the webmail interface (that is what "via HTTP" means; the webmail server records the address the browser connected from) from the Internet node identified by the IP ADDRESS in the square brackets. Note that the time is given in PST, which matches the -0800 offset on the Date: line below it.
Yeah! BIG DEAL. How does this help us? you ask.
Exactly who is this IP ADDRESS?
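As an added example (not code from the original post), here is a small Python script that does by hand what the post walks through: it takes a raw header block, reverses the Received: lines into transit order (oldest hop first), pulls the sending IP and timestamp out of each hop, reports the bottom-most hop as the claimed origin, and separately reports the last hop written by a server you control, which is the only one you can actually rely on. The sample headers are constructed to mirror the Yahoo webmail line above, with example.* host names and addresses from the RFC 5737 documentation ranges; the trusted server name `inbox.example.com` is an assumption, and in practice you would list your own provider's mail servers there.

```python
"""Walk the Received: chain of a raw message and pick out the originating hop."""
import email
import email.utils
import ipaddress
import re
from datetime import timezone

# Constructed sample modelled on the Yahoo webmail header the post shows.
# Hosts are example.* names and the addresses come from the RFC 5737
# documentation ranges; none of them is a real mail server.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [198.51.100.7])
\tby inbox.example.com with ESMTP id 3kT9q0x5
\tfor <victim@example.com>; Thu, 16 Dec 2010 13:48:02 +0000
Received: from web12345.mail.example.net (web12345.mail.example.net [198.51.100.22])
\tby mx1.example.org with SMTP; Thu, 16 Dec 2010 13:47:59 +0000
Received: from [203.0.113.45] by web12345.mail.example.net via HTTP; Thu, 16 Dec 2010 05:47:37 PST
X-Mailer: YahooMailClassic/11.4.20
Date: Thu, 16 Dec 2010 05:47:37 -0800 (PST)
From: "EUROPEAN LOTTO" <claims@example.net>
To: undisclosed-recipients:;
Subject: CONGRATULATIONS, YOU HAVE WON 750,000 POUNDS

Body omitted.
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Hops inside these ranges are internal relays, never the sender's public
# endpoint.  ipaddress.is_global would also reject the RFC 5737 documentation
# ranges used in the sample, so the check is spelled out here.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_routable(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. 999.1.1.1 slipping through the loose regex
        return False
    return not any(addr in net for net in INTERNAL)


def received_chain(raw: str) -> list:
    """Received: values in transit order, oldest hop first.

    Each relay prepends its own line, so the header block reads newest-to-oldest
    and is reversed here; header folding whitespace is collapsed."""
    msg = email.message_from_string(raw)
    values = [re.sub(r"\s+", " ", v).strip() for v in msg.get_all("Received", [])]
    return values[::-1]


HOP = re.compile(r"from (?P<frm>.+?) by (?P<by>[^\s;]+)(?:.*?);\s*(?P<date>.+)$")


def parse_received(line: str) -> dict:
    """Split one Received: line into sender, receiver, routable IPs and UTC time."""
    hop = {"raw": line, "frm": None, "by": None, "ips": [], "date": None, "utc": None}
    m = HOP.match(line)
    if not m:  # e.g. a "Received: by ..." line with no "from" clause
        return hop
    hop["frm"], hop["by"], hop["date"] = m.group("frm"), m.group("by"), m.group("date")
    hop["ips"] = [ip for ip in IPV4.findall(m.group("frm")) if is_routable(ip)]
    try:
        hop["utc"] = email.utils.parsedate_to_datetime(hop["date"]).astimezone(timezone.utc)
    except (TypeError, ValueError):
        pass
    return hop


def undisclosed_recipients(raw: str) -> bool:
    """True when To: is an empty RFC 5322 group such as 'undisclosed-recipients:;',
    the trick the post describes: the real recipients went in Bcc, which the
    delivered copy no longer carries."""
    to = email.message_from_string(raw).get("To", "")
    return re.fullmatch(r"\s*[^:]+:\s*;\s*", to) is not None


def trace(raw: str, trusted_by: set) -> dict:
    """Return the bottom-most hop with a routable IP (the claimed origin) and the
    oldest hop written by one of your own servers (the last verifiable peer).
    Only the second is reliable: a sender can prepend forged Received: lines but
    cannot rewrite the ones your servers add after the handoff."""
    hops = [parse_received(l) for l in received_chain(raw)]  # oldest first
    claimed = next((h for h in hops if h["ips"]), None)
    verified = None
    for h in reversed(hops):  # newest first: your own servers sit at the top
        if h["by"] not in trusted_by:
            break
        if h["ips"]:
            verified = h
    return {"claimed_origin": claimed, "verified_peer": verified, "hops": hops}


if __name__ == "__main__":
    result = trace(SAMPLE, trusted_by={"inbox.example.com"})  # assumed trusted server
    print("undisclosed recipients:", undisclosed_recipients(SAMPLE))
    for hop in result["hops"]:
        print(hop["utc"], hop["ips"], "->", hop["by"])
    print("claimed origin:", result["claimed_origin"]["ips"], "at", result["claimed_origin"]["utc"])
    print("verified peer :", result["verified_peer"]["ips"])
```

On the sample the claimed origin is the bracketed address on the Yahoo "via HTTP" line, timestamped 05:47:37 PST, which the script normalises to 13:47:37 UTC so it can be compared with the later hops; the verified peer is the address that actually connected to the assumed trusted server. When the two differ you are trusting every intermediate operator (here, Yahoo's webmail server) to have recorded its peer honestly.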

Let's ask Google.
Type in the IP address:

and you get

What are the odds that the SYS ADMIN for the European LOTTO lives in Chicago, Illinois?
Not very good!
But maybe the owner of the PC assigned that IP ADDRESS is completely unaware that her PC sent the message. She may be the victim of any number of malware infections that install their own mail-sending engine and send spam for fun and profit. Or she may be part of a botnet (robot network), a collection of infected PCs that can be directed, without the owners' consent, to perform any number of illegal activities. Keep in mind that a Google or WHOIS lookup tells you which network the address belongs to and roughly where it is registered, not who was at the keyboard; on a home connection it points at an ISP customer, and the address may have been reassigned to someone else by the time you look. The abuse contact in the WHOIS record for the address is the right place to send a complaint.

If you're feeling particularly civic-minded, you may alert the authorities by clicking HERE.


Marnie said...

Now that was the most informative post ever. I often wondered how you could track this. Thanks!

floweringmama said...

Ah, I hate those emails. Such a pain in the ... well, you know!

Cathy @ Country Cathy

Spiky Zora Jones said...

OH MY GOD... I knew these winnings were always fake and a scam. I just never knew we could locate them... sounds like fun finding them.

I'm letting my friends know.
Thanks, warrior, you are fighting an excellent battle and winning.

2Thinks said...

Stopped in to see what time it is in California and got a bonus lesson. Thanks Sherlock, you're a great teacher.

Cloudia said...

You are cool, and yes, Google can answer many questions. Just ask!

Aloha from Honolulu
Comfort Spiral



Jo said...



That was extremely intersting. Thank you...!

I just received one of those e-mails the other day.

Jo said...

(I meant interesting...) *heh*

Leah said...

Thank you so much. That's really useful.