Here's how to do it.

Step #1: The Email Header

Every email sent over the global email network contains a segment of information called an email header. The email header will look something like this:

From  imauser@hotmail.com Tue Aug 26 22:51:35 2003
Return-Path: 
Received: from hotmail.com (law11-f84.law11.hotmail.com [64.4.17.84])
        by westhost8.westhost.net (8.11.6/8.11.6) with ESMTP id h7R2Px802190
        for ; Tue, 26 Aug 2003 21:25:59 -0500
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
         Tue, 26 Aug 2003 19:25:54 -0700
Received: from 131.247.112.23 by lw11fd.law11.hotmail.msn.com with HTTP;
        Wed, 27 Aug 2003 02:25:54 GMT
X-Originating-IP: [131.247.112.23]
X-Originating-Email: [imauser@hotmail.com]
From: "Nameless User Guy" 
To: rob@rswarren.com
Subject: Re: Question
Date: Tue, 26 Aug 2003 22:25:54 -0400
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: 
X-OriginalArrivalTime: 27 Aug 2003 02:25:54.0292 (UTC)
+FILETIME=[8A72B340:01C36C42]
X-Spam-Status: No, hits=0.0 required=6.0
        tests=none
        version=2.52
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.52 (1.174.2.8-2003-03-24-exp)
Status: RO
X-Status: A
Content-Length: 1010
Lines: 30

Your email software should contain a feature allowing you to see the headers. Virtually all of them do.

The information in this header indicates exactly where and when this email originated. Ignore the "From" and "Return-Path" lines - they can be very easily forged.

When an email is sent over the global email network, it doesn't simply go from point A to point Z. It does a relay-race along a sequence of computers that pass the email along until it gets to its intended destination. The "Received:" lines in the email header keep a record of the route the email took in getting there; we can use those lines to pinpoint the source of the email.

In this example, there are three "Received:" lines, each one showing that an email has been received by a particular machine and from another particular machine, at a certain date and time. The "Received:" line closest to the top of the header indicates the final leg of the trip, and the one closest to the email body documents the first leg. We want to get a source trace on this message, so we're interested in the first leg. According to this header, this email was originally received by a Hotmail server on August 27, 2003 GMT. It was done over the Web ("with HTTP") and came from IP address 131.247.112.23.

Every computer on a modern, TCP/IP-based computer network is identified by a numeric code - its IP address - that enables other computers to locate it and deliver data. The original source of this email is a computer with IP address 131.247.112.23. Now we need to find out what we can about that machine.

Step #2: Learning More About The Subnet Owner (Using ARIN)

IP addresses aren't random. They're usually leased in large blocks by organizations and companies, and the American Registry for Internet Numbers maintains records of who owns which IP blocks. We can do a search of ARIN records at their website, www.arin.net.

When I do a search for 131.247.112.23, I get this result:

OrgName:    UNIVERSITY OF SOUTH FLORIDA
OrgID:      USF
Address:    4202 E. Fowler Ave
City:       Tampa
StateProv:  FL
PostalCode: 33620
Country:    US

NetRange:   131.247.0.0 - 131.247.255.255
CIDR:       131.247.0.0/16
NetName:    USF
NetHandle:  NET-131-247-0-0-1
Parent:     NET-131-0-0-0-0
NetType:    Direct Assignment
NameServer: MOTHER.USF.EDU
NameServer: ZIGGY.USF.EDU
Comment:
RegDate:    1989-02-09
Updated:    1999-04-06

TechHandle: TN32-ARIN
TechName:   Ableman, Matthew
TechPhone:  +1-813-974-1234
TechEmail:  matt@usf.edu

This email came from a computer in operation at the University of South Florida.

Step #3: Querying The Global Domain Name Network

Next we do an "nslookup search", which queries the global domain name (DNS) network for information on that particular IP address. Web interfaces to the network can be found easily via any search engine. Right now I'm using one provided by an Australian consulting firm. A search for 131.247.112.23 turns up the following.

Results for host: tigger.lib.usf.edu

Host tigger tigger.lib.usf.edu 131.247.112.23

Results for subdomain: lib.usf.edu

Host tigger tigger.lib.usf.edu 131.247.112.23
Mailserver dudley.lib.usf.edu (pref=1) dudley.lib.usf.edu 131.247.112.1
Nameserver dudley.lib.usf.edu (SOA) dudley.lib.usf.edu 131.247.112.1
Nameserver swiper.lib.usf.edu swiper.lib.usf.edu 131.247.112.3
Webserver www.lib.usf.edu lists.lib.usf.edu 131.247.112.4

Running It To Ground

The rest is simple, old-fashioned detective work.

Using a few other tools (such as nmap), I can tell that the machine is currently online and appears to be running a version of Microsoft Windows. More information can be found about the machine and its owner by calling the system administrator (the "TechName" from ARIN's record) and asking.

If the email is spam, it's probably coming from an unsecured email relay or a compromised (hacked) computer. In either case, the administrator should be informed so that the system can be repaired. If the email is of a threatening or harassing nature, the administrator will appreciate being informed before it becomes a police matter.

Tracing email is not hard. It just requires some knowledge and the means to apply it. Through the use of a few simple, freely-available tools, you can do your part to make illegitimate emailers accountable for their actions.

Note: Headers and ARIN data above have been slightly altered from their original results. None of this is a slight against USF, and I in no way mean to imply that USF is a source of illegitimate email. I simply needed an IP, and that was the one I used.