There's a common misconception today that the Internet is an anonymous
medium, providing shelter for pretty much anyone to do anything without
fear of being found out. Hackers, virus writers and email
spammers all exploit this misconception in order to avoid being caught.
The fact, however, is that the anonymity
of the Internet is not a technical issue but a human issue; in many
cases, the only factor preventing a victim from tracking down an
assailant is a lack of knowledge about how the Internet works. The most
common example of Internet hit-and-run seems to be email, which fortunately
is also one of the easiest types to trace.
Here's how to do it.
Step #1: The Email Header
Every email sent over the global email network contains a segment of
information called an email header. The email
header will look something
From email@example.com Tue Aug 26 22:51:35 2003
Received: from hotmail.com (law11-f84.law11.hotmail.com [188.8.131.52])
by westhost8.westhost.net (8.11.6/8.11.6) with ESMTP id h7R2Px802190
for ; Tue, 26 Aug 2003 21:25:59 -0500
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Tue, 26 Aug 2003 19:25:54 -0700
Received: from 184.108.40.206 by lw11fd.law11.hotmail.msn.com with HTTP;
Wed, 27 Aug 2003 02:25:54 GMT
From: "Nameless User Guy"
Subject: Re: Question
Date: Tue, 26 Aug 2003 22:25:54 -0400
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 27 Aug 2003 02:25:54.0292 (UTC)
X-Spam-Status: No, hits=0.0 required=6.0
X-Spam-Checker-Version: SpamAssassin 2.52 (220.127.116.11-2003-03-24-exp)
Your email software should contain a feature allowing you to see the
headers. Virtually all of them do.
The information in this header indicates exactly where and when this email
originated. Ignore the "From" and "Return-Path" lines - they can be very
When an email is sent over the global email network, it doesn't simply
go from point A to point Z. It does a relay-race along a sequence of
computers that pass the email along until it gets to its intended
destination. The "Received:" lines in the email header keep a record
of the route the email took in getting there; we can use those lines
to pinpoint the source of the email.
In this example, there are three "Received:" lines, each one showing that
an email has been received by a particular machine and from another
particular machine, at a certain date and time. The "Received:" line
closest to the top of the header indicates the final leg of the trip, and
the one closest to the email body documents the first leg.
We want to get a source trace on this message, so we're interested in
the first leg. According to this header, this email was originally
received by a Hotmail server on August 27, 2003 GMT. It was done over the
Web ("with HTTP") and came from IP address 18.104.22.168.
Every computer on a modern, TCP/IP-based computer network is identified
by a numeric code - its IP address - that enables other computers
to locate it and deliver data. The original source of this email is a
computer with IP address 22.214.171.124. Now we need to find out what we
can about that machine.
Step #2: Learning More About The Subnet Owner (Using ARIN)
IP addresses aren't random. They're usually leased in large blocks by
organizations and companies, and the American Registry for Internet
Numbers maintains records of who owns which IP blocks. We can do a search
of ARIN records at their website,
When I do a search for 126.96.36.199, I get this result:
OrgName: UNIVERSITY OF SOUTH FLORIDA
Address: 4202 E. Fowler Ave
NetRange: 188.8.131.52 - 184.108.40.206
NetType: Direct Assignment
TechName: Ableman, Matthew
This email came from a computer in operation at the University of South Florida.
Step #3: Querying The Global Domain Name Network
Next we do an "nslookup search", which queries the global domain name (DNS)
network for information on that particular IP address. Web interfaces to
the network can be found easily via any search engine. Right now I'm using
provided by an Australian consulting firm. A search for 220.127.116.11
turns up the following.
Results for host: tigger.lib.usf.edu
Host tigger tigger.lib.usf.edu 18.104.22.168
Results for subdomain: lib.usf.edu
Host tigger tigger.lib.usf.edu 22.214.171.124
Mailserver dudley.lib.usf.edu (pref=1) dudley.lib.usf.edu 126.96.36.199
Nameserver dudley.lib.usf.edu (SOA) dudley.lib.usf.edu 188.8.131.52
Nameserver swiper.lib.usf.edu swiper.lib.usf.edu 184.108.40.206
Webserver www.lib.usf.edu lists.lib.usf.edu 220.127.116.11
"lib.usf.edu" indicates that the machine belongs to a local network in
operation at the library of USF. This particular machine is named "tigger".
Running It To Ground
The rest is simple, old-fashioned detective work.
Using a few other tools (such as
nmap), I can tell that the
machine is currently online and appears to be running a version of
Microsoft Windows. More information can be found about the machine and
its owner by calling the system administrator (the "TechName" from ARIN's
record) and asking.
If the email is spam, it's probably coming from an unsecured email relay
or a compromised (hacked) computer. In either case, the administrator
should be informed so that the system can be repaired. If the email is
of a threatening or harassing nature, the administrator will appreciate
being informed before it becomes a police matter.
Tracing email is not hard. It just requires some knowledge and the means
to apply it. Through the use of a few simple, freely-available tools, you
can do your part to make illegitimate emailers accountable for their
Note: Headers and ARIN data above have been slightly altered from
their original results. None of this is a slight against USF, and I in no
way mean to imply that USF is a source of illegitimate email. I simply
needed an IP, and that was the one I used.