
Tracing the Origin of an Email Message — and Hiding it

We are often asked by our users to help them determine where an email message originated. “Where did this spam come from?”

In general, it is fairly easy to do this if you have access to the “headers” of the message.  In this post, we will show you how to determine a message’s original location yourself and also how you can protect yourself from others determining your location when you send email messages to them.

Why would you need to protect yourself? Perhaps you are traveling and do not want people to know where you are, or your messages are not getting through because your ISP is blacklisted or has a poor reputation.


Determining the physical location of the sender of an email message

In order to determine the physical location of the sender of the message, you will first need the full headers of the message that you received.  To get these, see: Viewing the Message Source / Full Headers of an Email.

Here are the headers of a Spam message that LuxSci Support received.  We’ll look at these and see where the message came from (we have removed some data from these headers so that they are suitable for publication):

Received: via dmail-2009.19 for +mail/BACKUP; Mon, 4 Jan 2015 07:56:25 -0600 (CST)
Received: from ([])
	by with ESMTP id o04DuOxL014677
	for <>; Mon, 4 Jan 2015 07:56:25 -0600
Received: from (localhost [])
	by with ESMTP id o04DuPUn030873
	for <>; Mon, 4 Jan 2015 07:56:25 -0600
Received: (from mail@localhost)
	by id o04DuPSE030854
	for; Mon, 4 Jan 2015 07:56:25 -0600
Return-Path: <>
Received: from ( [])
	by with ESMTP id o04DuOYb030811
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <>; Mon, 4 Jan 2015 07:56:25 -0600
Date: Mon, 4 Jan 2015 07:56:25 -0600
Message-Id: <>
Received: from unknown [] (EHLO [])
	by over TLS secured channel
	with ESMTP id
        (envelope-from <>);
	Mon, 04 Jan 2015 06:56:23 -0705 (MST)
From: VIAGRA (c) Best Supplier <>
Subject: Visitor abuse's personal 80% OFF
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

First, we see that this is a Spam message where the sender has forged the message so that the apparent “from” address matches the “to” address — to attempt to get around our spam filters.  For more on this technique, see Save Yourself From “Yourself”: Stop Spam From Your Own Address and How can Spammers Send Forged Email?

Next, we need to get the Internet (IP) address of the sender of the message.  To do this we note a few facts:

  1. Each server that accepts the email message adds a “Received” header to the message.  In this header, the server records the IP address of the server from which it received the message (we have colored these red).
  2. The “Received” headers are added to the top of the message each time.  I.e. the “oldest” “Received” headers are at the bottom of the list of all “Received” headers.
  3. It is possible, though not common, for the sender to add forged “Received” headers to the end of the list of headers.

So, in the best case scenario where there are no forged “Received” headers (as in the above message), we look at the last “Received” header in the list:

Received: from unknown [] (EHLO [])
	by over TLS secured channel
	with ESMTP id
        (envelope-from <>);
	Mon, 04 Jan 2015 06:56:23 -0700 (MST)

In this header, we see that the message was:

  • Received by server “” (one of the servers that perform Premium Email Filtering for us).
  • It was received from IP Address

Next, we take this IP address to a web site like “” and IP WHOIS Lookup and enter it to see where it is located.  In this case, we see that the Spam came from Tulcea, Romania!  We see also that the IP address is owned by “” of Amsterdam and we can send abuse complaints to “”.

With more detailed IP address databases (paid ones, for example), it is possible to narrow down the location of the IP to the region, city, or even approximate physical address of the user.  I.e. if you send an email and say you are in Paris now, people can check whether that is true.

What about if there are forged Received lines?

If you suspect that there are forged “Received” lines (or if the 1st Received lines do not have useful public IP addresses listed), then you have to work a little harder.  You need to go into the list of “Received” lines and find the oldest one that corresponds to a server that you trust is real.  I.e. the message has to leave the Spammer at some point and hit a real server which will record a real “Received” line (e.g. your own email server).  You do this by starting at the top, first reviewing the “Received” lines added by your own organization’s mail servers, and working your way down through servers that you recognize (you will need to know what servers are used in your network).  The “Received” line added by the last one that you recognize may be the last trustable one.
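Both procedures above, as an added Python example that is not part of the original post or LuxSci's own code: naive_origin reads the bottom “Received” header, while trusted_origin walks down from the top and, slightly stricter than the text, follows a header only while the peer address it records is one of your own, so a forged line that merely names a trusted host is ignored. The host names, networks and sample message are constructed assumptions, and the parser handles only the two IPv4 header layouts shown on this page.

```python
import email
import ipaddress
import re

# Assumptions: hypothetical host names and constructed documentation-range
# addresses standing in for the servers and networks you operate.
TRUSTED_HOSTS = {"mx1.example.net", "filter.example.net"}
OWN_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "198.51.100.0/24")]

def parse_received(value):
    """Return (by_host, peer_ip) for one Received header; either may be None. IPv4 only."""
    flat = " ".join(value.split())                      # unfold continuation lines
    by = re.search(r"\bby\s+([\w.-]+)", flat)
    head = re.split(r"\sby\s", flat, maxsplit=1)[0]     # keep only the "from" clause
    head = re.sub(r"\((?:EHLO|HELO)[^)]*\)", "", head)  # greeting is sender-chosen text
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", head)
    return (by.group(1).lower() if by else None, ips[-1] if ips else None)

def naive_origin(raw):
    """Best case: peer address in the bottom (oldest) Received header."""
    headers = email.message_from_string(raw).get_all("Received", [])
    return parse_received(headers[-1])[1] if headers else None

def trusted_origin(raw):
    """Walk newest-first through your own servers; return the first outside peer they logged."""
    for value in email.message_from_string(raw).get_all("Received", []):
        by_host, peer = parse_received(value)
        if by_host not in TRUSTED_HOSTS:
            return None                 # chain left the servers you recognize
        try:
            addr = ipaddress.ip_address(peer or "")
        except ValueError:
            continue                    # local hand-off or unparsable literal
        if not any(addr in net for net in OWN_NETS):
            return peer                 # boundary: older headers are sender-supplied
    return None

# Constructed message. The bottom Received header is forged and names a trusted host.
SAMPLE = """\
Received: from filter.example.net (filter.example.net [198.51.100.10])
\tby mx1.example.net with ESMTP id A1; Mon, 4 Jan 2015 07:56:25 -0600
Received: from unknown [203.0.113.7] (EHLO [10.0.0.5])
\tby filter.example.net with ESMTP id B7; Mon, 04 Jan 2015 06:56:23 -0700
Received: from relay.example.org ([192.0.2.44])
\tby mx1.example.net with ESMTP id F2; Mon, 04 Jan 2015 06:50:00 -0700
From: sender@example.org
"""

if __name__ == "__main__":
    print("bottom header:", naive_origin(SAMPLE), "| trusted walk:", trusted_origin(SAMPLE))
```

On the sample, the bottom-header method returns the forged address, while the trusted walk returns the address your filtering server actually logged.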

Hiding your location from message recipients

OK, so now that you know how easy it is to find out the approximate location of the sender of an email message, the natural question is “how can I hide my own location?”

The simplest thing to do is to use a web-based (WebMail) email interface.  Messages sent from these interfaces are sent from the provider’s mail servers and not from your local machine.  While the email provider may record your actual IP address for auditing purposes, this information will not (generally, and at LuxSci specifically) be in the “Received” headers of the message.  As a result, your recipients will only be able to track the message back to your email provider’s mail servers … and not to you.

If you are not sure about your WebMail provider, send yourself an email message and see what is in your Received lines.  Compare this to your own current physical IP address (see

If you need to send messages using an email program, like Outlook or Thunderbird, then you need an SMTP service that is able to “anonymize” your outgoing message.  I.e. the service needs to be able to “scrub” the message of all information identifying your location and resend the message in a way that permits the recipients to only track it back to the service’s mail servers (like in the WebMail case).

LuxSci’s anonymous SMTP email service offers this option for no additional cost; it is included as a feature with all email marketing and email hosting accounts.
