How to Track an E-mail - Part 2 Unraveling Hidden information from e-mail header

Every e-mail has a visible set of information on sender (From:), recipient (To:), subject (Subject:), Organization of the sender (Orgn:) etc. However, there's a great deal more hidden within, that can reveal significant information about the sender.

A little scrutiny of this hidden information may help you locate sender's country, genuineness of the e-mail used in 'From:' column, whether the sender tried to conceal his/her identity etc.

A fake sender attempting to confuse identity usually means a fraudster trying to steal your money or a virus attack, a potential hazard in either case, that can cost you a lot in terms of financial loss, computer crash etc. A little time spent on analyzing suspicious looking e-mails is an insurance against such disasters.

Those using Yahoo, Rediffmail, Hotmail or any such web-based e-mail service may think that their true identity and location are hidden. In reality - one may still find information about them by analyzing their e-mail headers.

What is E-mail Header

The part of an e-mail where such hidden information is stored is called 'header'. Header of an e-mail stores various information on the path it has traversed while reaching your mailbox - right from sender's computer. Normally, one doesn't need this kind of information and mail clients (Eudora, Outlook, Netscape etc. ) do not display it.

To see e-mail header in Netscape, open any e-mail and click

View > Page Source

For Outlook, right-click on the mail message that is still in your Inbox, select 'Options...' from the resulting popup menu Examine the 'Internet Headers' in the 'Message Options' dialog

At first look - the header may look confusing and puzzling. This is more so for spam e-mails as spammers try their best to make the header misleading. Do not lose heart - I am going to explain how to pick up right information from it.

Examining a Typical Header

Let us examine following e-mail header:

1. Delivery-date: Wed, 03 Nov 2004 23:59:47 -0600
2. Received: from bani by with local-bsmtp (Exim 4.43)
3.         id 1CPaev-00057o-Q4
4.         for; Wed, 03 Nov 2004 23:59:47 -0600
5. Received: from [] (
6.         by with smtp (Exim 4.43)
7.         id 1CPaev-00057f-8T
8.         for; Wed, 03 Nov 2004 23:59:45 -0600
9.  Received: (qmail 28471 invoked by uid 510); 4 Nov 2004 05:59:09 -0000
10. Date: 4 Nov 2004 05:59:09 -0000
11. Message-ID: <>
12. Received: from unknown ( by
13.         via HTTP; 04 nov 2004 05:59:08 -0000
14. MIME-Version: 1.0
15. From: "Raj International " 
16. Reply-To: "Raj International " 
17. To: "InfoBanc" 
18. Subject: Thanks for activation

I have added line numbers for clarity and help in discussion - you will not see such line numbers in actual e-mail heading.

Explanation of Header Elements

If you look carefully at e-mail header above, a pattern is clearly visible. The header is composed of several lines of text - each starting with header name (e.g. Delivery-date) , a colon (:), a space and finally header value. If a line starts with a tab or spaces (line nos. 2-4 and 5-8) - that line is a continuation of the previous header value line. So, the header name 'Received:' in line 2 has a header value that spans lines 2 to 4.

Some of the header names are simple and self-explanatory, such as the 'Delivery-date:', 'From:', 'Reply-To:, 'Subject:' etc. For example, sender's e-mail address appears after header name 'From:' and the recipients e-mail address appears after the 'To:' header name.

Please note - mail servers have no way to check if the sender is using his or her own e-mail address. This lack of verification is a weakness - that spammers and fraudsters use ruthlessly to confuse recipients. So, do not accept sender's e-mail address at face value. A fraudster or spammer, in all likelihood, will never use his/her actual e-mail address. Instead, he/she may use a legitimate e-mail address (it could even be your own e-mail) as sender.

We shall not discuss each and every header name - as many of these can be forged or a fake one inserted by spammer. What is most important for our purpose (and most difficult to forge) is the 'Received:' headers. Analysis of 'Received:' header names can reveal a great deal of information about the sender.

We shall discuss how to analyze the Received header and locate sender's country in next issue.

Happy and Productive Surfing

Dr. Amit K Chatterjee

Related Links:


Source: FAIDA - Newsletter on Business Opportunties from India and Abroad Vol: 5, Issue 11 ; November 18' 2004

Author : Dr. Amit K. Chatterjee
(Amit worked in blue-chip Indian and MNCs for 15 years in various capacities like Research and Information Analysis, Market Development, MIS, R&D Information Systems etc. before starting his e-commerce venture in 1997. The views expressed in this columns are of his own. He may be reached at )

� All Rights Reserved. Limited permission is granted to publish this article in a web-site or printed in a journal/ newspaper/ magazine provided the publisher takes prior permission from author, do not make any change in the article (i.e. keep it exactly same as displayed above) and cite the Source of this article as The Great Indian Bazaar with a link to this page.