How to track down the true source of an email

Nowadays, a large portion of spam is actually sent from compromised home PCs. Spammers don’t use lax ISPs to send mail; they use grandma’s hijacked computer and cable modem. These computers are often compromised by email worms, which then send out more emails in an attempt to infect other PCs, thus creating more zombies. The emails claim to be from some random address found on the PC, so the “From” address is not a reliable indicator of who has the infected PC. The “From” address is analogous to the return address on the envelope of a piece of postal mail – there’s nothing guaranteeing that’s really where it came from. Once you understand this, it’s fairly easy to interpret the information in an email and see where it actually came from.

1. View the email’s headers

The first step is to actually see all the behind-the-scenes information that’s included in the email message. This process will vary based on which email program you’re using. You will be opening the virus/spam email, so make sure that your operating system and email client are both fully patched to prevent any bugs (like auto-running an attached program) from causing harm to your system.

In Mozilla and Thunderbird (and probably other Mozilla-based programs), select the email message and press Ctrl+U to view the source. This will open a new window with all of the data in the email message visible. You can also enable the View All Headers option in the menus, which will show all of this hidden information along with subject and address information.

In Outlook Express, Ctrl+F3 brings up a similar view showing all of the email’s data.

In the full version of Outlook (included with MS Office), right-click on the message and choose Options. This will display a new window. A small window at the bottom will show the email’s complete data. You can also use the PocketKnife Peek addon. This creates a new preview window which has tabs for viewing the email in several ways. The Internet header tab will show the information we’re looking for.

If you use webmail like Hotmail or Yahoo, there should be an option somewhere in the preferences to display the message’s source or headers. You will need to enable this or set it to display all headers.

Other email clients should be similar. You need to enable the option to display all headers, or view the source code of the message.

Once you’ve enabled the source/header view in your particular client, you’ll be looking at something like this:

Delivery-date: Mon, 22 Mar 2004 19:30:32 -0800
Received: from [] (
	by with esmtp (Exim 4.24-ND)
	id 1B5ccM-0006XQ-H5
	for; Mon, 22 Mar 2004 19:30:19 -0800
Date: Mon, 22 Mar 2004 19:59:27 -0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <>
Subject: Re: Status
Content-Type: multipart/mixed;

This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

For further details see the attachment.

++++ Attachment: No Virus found
++++ F-Secure AntiVirus -

Content-Type: application/octet-stream;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;

2. Find the IP address of the sending mail server

The sending mail server has to connect to your mail server to deliver the message, and your mail server records the IP address that connection actually came from. Because of this, we can always find out where the mail came from, even though some viruses and spammers add fake information to the email to make it look like it came from somewhere else.

Here is what we’re looking for:

Received: from [] (
	by with esmtp (Exim 4.24-ND)
	id 1B5ccM-0006XQ-H5
	for; Mon, 22 Mar 2004 19:30:19 -0800

There may be several sections that begin with Received: from if the sender added fake info. In this email, this is the lone entry. If there are several, the one you want should be the one closest to the top (though some mail filters act as a separate server, in which case the topmost entry is actually your company/ISP passing the mail along internally and you want the next one down). After it says who it was received from, it will list who it was received by. In this case, it was received by, which is my mail server. Yours may be something like or

This line tells us that my mail server received the email from the mail server at The helo command is what the sending mail server said its name was. This email message is from the Netsky virus, so it uses the destination address for the helo command – it got from my email address, even though it claims to be from Most other viruses will use the spoofed sender address for the helo, i.e. this email’s helo would be

This nuance of Netsky makes for some easy email filtering. Even though my domain is, my mail server is not named As you can see above, it’s something totally different due to the email provider I use. Any email coming in with in the headers must be a fake, as there is no mail server named

Here is an example of having multiple valid headers. You can see that the message went from Dell’s server to the company’s main mail server, then from there went to the mail server of one individual branch. You’ll have to figure out on your own whether the headers you’re seeing are legitimate or not. But if you do have a setup like this, everything will have these headers (since every mail has to come in through the same server(s)).

Received: from ([])
	by with Microsoft SMTPSVC(5.0.2195.6713);
	Fri, 12 Mar 2004 11:57:15 -0500
Received: from ([])
	with SMTP id M2004031211444513348
	for ; Fri, 12 Mar 2004 11:44:46 -0500
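The header walk described in step 2, as an added example that is not part of the original article: it parses the Received chain from a raw message, handles both header shapes shown above (Exim’s “from [ip] (helo=name) by host” and the “from name ([ip])” form with an optional “by” clause), skips hops that came from your own relays so the multi-hop case resolves to the outside sender, and flags the Netsky-style HELO that names your own domain. The two sample messages are constructed for this example; every host name, address, IP (documentation ranges) and id in them is invented.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional, Set


@dataclass
class Hop:
    from_name: str          # host in the "from" clause (may be a bare IP)
    from_ip: Optional[str]  # IP the receiving server actually saw, if recorded
    helo: Optional[str]     # name the sender announced with HELO, if recorded
    by: Optional[str]       # server that accepted the connection, if recorded


# "from <name> (<details>) ... by <host>". The "by" clause is optional
# because some servers (the second sample in the article) leave it out.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?(?:.*?\bby\s+(?P<by>\S+))?",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
HELO_RE = re.compile(r"helo=(\S+)", re.IGNORECASE)


def parse_received(value: str) -> Hop:
    text = " ".join(value.split())  # join the folded continuation lines
    m = RECEIVED_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Received header: {text!r}")
    paren = m.group("paren") or ""
    ip = IPV4_RE.search(m.group("from") + " " + paren)
    helo = HELO_RE.search(paren)
    return Hop(
        from_name=m.group("from").strip("[]").lower(),
        from_ip=ip.group(1) if ip else None,
        helo=helo.group(1).lower() if helo else None,
        by=(m.group("by") or "").lower() or None,
    )


def received_chain(raw_message: str) -> List[Hop]:
    """Hops in header order: index 0 was written by the server nearest you."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def originating_hop(hops: List[Hop], own_servers: Set[str]) -> Optional[Hop]:
    """Walk down from the top, skipping hops whose sending host is one of our
    own relays (a separate filter box, a branch server). The first hop from an
    outside host carries the IP we can trust; anything below it was written
    by the sender and may be forged."""
    for hop in hops:
        if hop.from_name not in own_servers:
            return hop
    return None


def forged_helo(hop: Hop, own_domain: str, real_mail_servers: Set[str]) -> bool:
    """The Netsky quirk from the article: the sender greets us with a host in
    our own domain that is not a mail server we actually run."""
    name = hop.helo or hop.from_name
    in_our_domain = name == own_domain or name.endswith("." + own_domain)
    return in_our_domain and name not in real_mail_servers


# Constructed samples modelled on the two header blocks in the article.
# Every host name, address, IP and id below is invented for this example.
SINGLE_HOP = (
    "Received: from [198.51.100.23] (helo=victim.example.org)\n"
    "\tby mx.hostingco.example (Exim 4.24-ND)\n"
    "\tid 1AAAAA-000000-AA\n"
    "\tfor me@victim.example.org; Mon, 22 Mar 2004 19:30:19 -0800\n"
    "From: sales@wheels.example.com\n"
    "Subject: Re: Status\n"
    "\n"
    "For further details see the attachment.\n"
)

MULTI_HOP = (
    "Received: from mx.corp.example ([10.0.0.5])\n"
    "\tby branch1.corp.example with Microsoft SMTPSVC;\n"
    "\tFri, 12 Mar 2004 11:57:15 -0500\n"
    "Received: from relay.vendor.example ([203.0.113.9])\n"
    "\twith SMTP id M0000000000000000000\n"
    "\tfor me@corp.example; Fri, 12 Mar 2004 11:44:46 -0500\n"
    "Subject: Your order\n"
    "\n"
    "Thanks for your order.\n"
)

if __name__ == "__main__":
    hops = received_chain(SINGLE_HOP)
    origin = originating_hop(hops, {"mx.hostingco.example"})
    print("single hop: sender IP", origin.from_ip, "helo forged:",
          forged_helo(origin, "victim.example.org", {"mx.hostingco.example"}))
    hops = received_chain(MULTI_HOP)
    origin = originating_hop(hops, {"mx.corp.example", "branch1.corp.example"})
    print("multi hop: sender IP", origin.from_ip)
```

The set passed to originating_hop is the list of your own mail servers (filter boxes, branch servers); in the multi-hop sample the top entry is the company’s main server handing the mail to a branch, so it is skipped and the vendor relay’s IP is returned.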

3. Figure out who this IP address belongs to

Now that we have the IP address where the email came from, we can probably get a better idea of whose PC this is. To do this, we’re going to use the internet’s Domain Name System (DNS). DNS converts names like and into IP addresses. Every computer on the internet has an IP address, and this is the “real” address of the server. Domain names are just an easy way for people to remember how to get to a server.

You can find information on the spammer IP address at That form will show information on the owner of the address block containing that IP, including the different contacts (possibly including an abuse address) for the address. This form provides the same information as the process below, all in one step, but the manual method gives you a better understanding of what you’re figuring out. Once you understand what’s happening, you might as well use since it’s quicker.

Here’s the detailed way. You can use the ping command included with just about every OS. In Windows, the -a switch tells ping to resolve IP addresses into hostnames, so ping -a tells our computer to resolve the IP address to a hostname and then ping it.

The output will be something like this:

Pinging [] with 32 bytes of data:

Reply from bytes=32 time=125ms TTL=110
Reply from bytes=32 time=136ms TTL=110
Reply from bytes=32 time=140ms TTL=110
Reply from bytes=32 time=150ms TTL=110

Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 125ms, Maximum = 150ms, Average = 137ms

Ping is a tool that times network connections, to aid in troubleshooting. We can ignore all of that info except the very first line. Pinging [] with 32 bytes of data: tells us that the IP address resolves to the hostname

However, some firewalls and routers block ping packets, so you may not be able to obtain any useful information this way. There is still hope via online ping tools, which do the same thing from another system rather than from your PC. VisualRoute will also return as the hostname of the last system (at the bottom of the list).

The first section is obviously based on the IP address. Many broadband ISPs use hostnames based on the address like this. The last part,, tells us the ISP. isn’t a valid website, but redirects to This is the front page for Shaw, an ISP. The .ca tells us that they’re in Canada, which helps us narrow down the middle part of the hostname. In this case, ed stands for Edmonton. Many other ISPs use this scheme as well, naming subnetworks after the state/province, or after cities. If you were to find a hostname, you could figure out that the user’s IP address is, they live near Denver, Colorado, and they have Comcast for an ISP. Some ISPs may use airport codes as well.

Even though VisualRoute shows a map of where the connection is coming from, it may not be accurate. In the DNS records for a domain, there is an optional entry for specifying location coordinates. If no location is found for a specific server, the lookup works its way backwards up to the top domain. If Shaw were headquartered in Iowa, everything under might show up as being located in Iowa. This is an optional setting, and completely user-defined, so it should not be assumed to be accurate.

4. More on finding and stopping virus-infected PCs

If you only know one person in Edmonton and have never given your email address out, then you probably know whose PC this is already. If you’ve been on messageboards, mailing lists, or mass-forwards, then a whole bunch of people may have your email address. Recent email worms look at many different files to find addresses. It’s possible that the infected person has never emailed you, but your address is on a saved webpage on their hard drive. Address books are still the best source of valid email addresses, but they’re not the only target anymore.

The “From” email address and the “To” email address (yours) were both on the infected PC. This may give you a hint as to how the person got your email address. In this case, was on the infected PC along with my address. is a website that sells aftermarket wheels for cars. The infected PC has both my address and a wheel-related address on it. It’s probably safe to say that I know this person through one of the car forums I visit (as opposed to a computer forum or a growing-vegetables-that-look-like-celebrities forum).

This may narrow it down enough that you can figure out who the culprit is. If not, you can at least make a post on the car forum(s) you visit letting them know that someone has a virus. A script like will show the IP address of the person connecting to the page. You can post a link like this and tell them you got a virus email from If someone’s IP address is that exact address, or the first two or three parts match, they should scan their computer. If they have anti-virus software installed, it needs to be updated. If they don’t have AV software, they should do an online scan and/or get an AV program. Note that it’s best if you don’t even post the “From” email address. That person’s address just happened to be on the infected PC (just like yours) – they had no more to do with it than you did. Just say that you got a virus email with a car-related “From” address, so it’s likely someone from that forum that’s infected.

Also, you now know that the IP address is probably not a mail server. If it were, it would most likely have a hostname like There probably isn’t any valid email coming from this server, so you can filter out any emails containing Received: from []. You should be careful though, as some lesser ISPs do provide companies with server connections that still get assigned hostnames like this. It’s possible, but not very likely.
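The hostname decoding from step 3 (IP-derived first label, region label in the middle, ISP domain at the end) and the “probably not a mail server” judgement above, as an added example that is not from the original article. The region-code table and the PTR results standing in for ping -a are constructed for this example; the hostnames are invented and the code generalises slightly beyond the article by also recovering an address written as a 12-digit zero-padded run.

```python
import re
from typing import Dict, List, Optional

# Illustrative map of the "middle" labels ISPs use for regions; the article
# mentions "ed" for Edmonton and airport-style codes. Constructed for this
# example, not a published ISP convention.
REGION_CODES: Dict[str, str] = {
    "ed": "Edmonton, Alberta",
    "den": "Denver, Colorado",
    "yyz": "Toronto, Ontario",
}

# First labels that usually mark a real mail relay rather than a customer line.
MAIL_SERVER_LABELS = {"mail", "mx", "smtp", "relay", "mta", "outbound"}


def embedded_ip(label: str) -> Optional[str]:
    """Recover an IPv4 address written into a hostname label, either as
    dash/dot-separated octets ("198-51-100-23") or as a 12-digit zero-padded
    run ("198051100023"). Returns None when the label encodes no address."""
    groups = [g for g in re.split(r"[^0-9]+", label) if g]
    if len(groups) == 4 and all(int(g) <= 255 for g in groups):
        return ".".join(str(int(g)) for g in groups)
    for g in groups:
        if len(g) == 12:
            octets = [int(g[i:i + 3]) for i in range(0, 12, 3)]
            if all(o <= 255 for o in octets):
                return ".".join(map(str, octets))
    return None


def isp_domain(labels: List[str]) -> str:
    """Registrable part of the name: the last two labels, or three when the
    second-level label is a short country-code style prefix (co.uk, on.ca)."""
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def decompose(hostname: str, actual_ip: str) -> dict:
    """Split a reverse-DNS name the way the article reads it by eye."""
    labels = hostname.lower().rstrip(".").split(".")
    isp = isp_domain(labels)
    middle = labels[1:len(labels) - len(isp.split("."))]
    ip = embedded_ip(labels[0])
    return {
        "hostname": hostname,
        "embedded_ip": ip,
        "ip_matches": ip == actual_ip,   # a mismatch means the name lied or was reused
        "region_labels": middle,
        "region_guess": next((REGION_CODES[m] for m in middle if m in REGION_CODES), None),
        "isp_domain": isp,
        # a name like mx1.something with no address baked in looks like a relay;
        # an address-derived name looks like a customer line (the article's caveat:
        # some small ISPs hand such names to real servers too, so treat it as a hint)
        "looks_like_mail_server": labels[0].rstrip("0123456789") in MAIL_SERVER_LABELS and ip is None,
    }


# Constructed reverse-DNS results standing in for `ping -a` / PTR lookups so
# the example runs offline; the names and addresses are invented.
SAMPLE_PTR: Dict[str, str] = {
    "198.51.100.23": "198-51-100-23.ed.example-cable.net",
    "203.0.113.9": "c203000113009.den.example-isp.net",
    "192.0.2.10": "mx1.mail.example-hosting.co.uk",
}

if __name__ == "__main__":
    for ip, name in SAMPLE_PTR.items():
        print(decompose(name, ip))
```

The ip_matches field is the check worth keeping: when the address spelled into the hostname is not the address you looked up, the reverse record is stale or misleading and the region and ISP guesses should be treated with corresponding suspicion.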

Spam Punisher is a small tool to automate this process. The program parses an email (open a saved file or cut and paste) for IP addresses, and can then do lookups on the owners of those IP addresses. You can find the old freeware 1.4 beta version here or you can get the current shareware version here.