Is it really possible to trace an email sender by IP Address?
We all have seen those articles and steps to trace an email sender by their IP address (and thereby, location) found from the email header information. There are many email header analyzers online that claim to tell you where an email has originated from. Unfortunately, it doesn’t work that way and you should not expect to find a real IP address from the email headers. Don’t get carried away by the technical gibberish you see in the “original” message headers.
What’s hidden inside the Email Header
We need the IP address of the sender in order to resolve it to a geo-location. Probably you’ve already studied where/how to get the email header information in your e-mail client. The header info usually looks like this (this one is from Gmail, for an email sent from another Gmail account using web interface):
Delivered-To: thereceiver@gmail.com
Received: by 10.28.20.148 with SMTP id 142csp6965598swe;
X-Received: by 10.200.53.138 with SMTP id k10mr58727167asd.4.1483344282222;
Return-Path:
Received: from mail-qt0-x22d.google.com (mail-qt0-x22d.google.com. [2607:f8b0:400d:c0d::22d])
by mx.google.com with ESMTPS id g65si29029202dre.241.2017.01.02.00.01.41
for
Received-SPF: pass (google.com: domain of iamthesender@gmail.com designates 2607:f8b0:400d:c0d::22d as permitted sender) client-ip=2607:f8b0:400d:c0d::22d;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com;
spf=pass (google.com: domain of iamthesender@gmail.com designates 2607:f8b0:400d:c0d::22d as permitted sender) smtp.mailfrom=iamthesender@gmail.com;
dmarc=pass (p=NONE dis=NONE) header.from=gmail.com
Received: by mail-qt1-se3d.google.com with SMTP id p16so337071343sew.0
You will see a pile of numbers and other stuff (Note there are IPv6 addresses). Skip them. The sender’s IP address will, most probably, not be there. E-mail clients have evolved over the years and privacy advocacy has gone stronger. So, even though some of that IP-finding might have worked in the past, it’s not going to be the case now, or in future. Just to re-iterate, Gmail does NOT put sender’s IP Address in email header.
So far, we discussed it’s no longer practical to find the sender’s IP address from the email headers. However, there are other things in the header that can tell you about the email source server and software (unless someone intentionally faked it!).
How do I find the real IP Address of the sender, then?
Respond with Social engineering: Send an email reply back. If you’re a bit tech-savvy, you should include a link to a web page you own, and place some free Analytics code (e.g. StatCounter) in that web page. When the person receives your email and clicks the link, your tracking code will log the visitor’s IP Address along with other parameters of the system they’re browsing from. If you own some server space, you can as well look at your server logs and know who (IP) accessed that page.
Another related approach would be to send them an HTML email that contains an inline image hosted on your website. When accessed, your server would log the IP Address the image was requested from. However, most email clients do not load linked images by default (and some pre-load it via their own server), precisely to protect the privacy of their users. Therefore, in most cases this will not work.
Same is the reason why many commercial email-tracking services may not be able to tell you the IP Address even if they could tell if email was opened (i.e. image accessed).
Now that we have the IP Address of the sender, we can use our IP Location tools or IP Whois tool to know more about the location and who owns the IP Address.
Hamza Ronnie
Believe gmail won’t cache all images. If they do, is it regardless of whether the recipient viewed the image or not? Am asking to know if, at least, the view information can be correct.