Taken from "The Scam Survivors' Handbook"

Whenever you send an email to someone, there's some extra information sent with it that the person receiving it won't see unless they know how to look for it. These are called the email headers, and they include a lot more information than you'd expect. If you know what to do, you can find out the path the email took, whether the email address shown is the real one or faked, and the exact time and date it was sent.

When you join the r/s.com forum then we send you a welcome PM with several important links on the forum. How to find headers using the most common email clients is one of them. Each client is different, so the instructions for finding them on Yahoo mail are different to the ones for finding them on Gmail and so on.

We'll show you an example of what the email headers look like, but don't worry. Most of what you'll see is unimportant and can be ignored. We're only showing you so that you can know what they look like. Here we go, don't be afraid...

Delivered-To: XXXXXX@gmail.com
Received: by 10.204.76.17 with SMTP id a17cs50731bkk;
        Fri, 6 Aug 2010 04:06:00 -0700 (PDT)
Received: by 10.216.26.145 with SMTP id c17mr743754wea.70.1281092760535;
        Fri, 06 Aug 2010 04:06:00 -0700 (PDT)
Return-Path: <odily4ritaa@yahoo.co.uk>
Received: from n25.bullet.mail.ukl.yahoo.com (n25.bullet.mail.ukl.yahoo.com [87.248.110.142])
        by mx.google.com with SMTP id s66si2166278weq.66.2010.08.06.04.05.59;
        Fri, 06 Aug 2010 04:05:59 -0700 (PDT)
Received-SPF: neutral (google.com: 87.248.110.142 is neither permitted nor denied by best guess record for domain of odily4ritaa@yahoo.co.uk) client-ip=87.248.110.142;
Authentication-Results: mx.google.com; spf=neutral (google.com: 87.248.110.142 is neither permitted nor denied by best guess record for domain of odily4ritaa@yahoo.co.uk) smtp.mail=odily4ritaa@yahoo.co.uk; dkim=pass (test mode) header.i=@yahoo.co.uk
Received: from [217.146.182.179] by n25.bullet.mail.ukl.yahoo.com with NNFMP; 06 Aug 2010 11:05:44 -0000
Received: from [87.248.111.151] by t5.bullet.ukl.yahoo.com with NNFMP; 06 Aug 2010 11:05:59 -0000
Received: from [127.0.0.1] by omp208.mail.ukl.yahoo.com with NNFMP; 06 Aug 2010 11:05:59 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 248888.94550.bm@omp208.mail.ukl.yahoo.com
Received: (qmail 87758 invoked by uid 60001); 6 Aug 2010 11:05:58 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1281092758; bh=u1nEhdUKEy+mJbnm4pJNy76/bzoDhBCAAm3IMDNgQGA=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=G8NuAZr1bKTKjgXOmW9t2nc82TQ9waB0E+SDb968tm1tMB2w69BMXyuLJmvKAVFiypG9bK+0C7IFadhJgnguER+13xXV30qeNsGaw78cLkLkzcY2SJddO77nj/sK937jBL0Jn9lKjXiGPyifBGjU+8S451IGdM4CKLQ6xB+UyNk=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;s=s1024; d=yahoo.co.uk;h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type;b=XMSOGtoSb0gFyCZIYE4MxuUYUuYX16RtbAauG9jXVNyEHURAcUiO96WC0bocS316jrFIQ+RKQvnl568wku0ctOGnWb89SxgKbj4LuOi9e0egVwAXt2iCvf7bJIlwixVbHnVYneUESP1H9om/moX15BVK8a0+uNBMECszaVUNLJ8=;
Message-ID: <918394.63115.qm@web24812.mail.ird.yahoo.com>
X-YMail-OSG: J33bJbwVM1nvKW7FNVxLajOKWyRGNISyWG7dL0S8B95uZCYQywV0SE8M2FnMjpeAhnmy2HkfW2teigeaCvMm2mkxuDqUi8Npc3qljzRefWJACNS_F8VY.xXjmS0J06iJqwXeN7P0t7V3J3xY1zvwIK..tqUbJgj6eAgRPX3Dxp4x7taqDqXrdhAxPUmrihkGtD1.LrIQ2kxvm80qd9oai5SmIIL4u0nLLtzWyG_kUjS9ZBRSTGg6ScVcHpxJzqXr_aHxghuJ_f3Edi_wev0HuvRJNtZK5KcHpCOCfxOYKCJ__bc24HzEbxj92ABCOUXSFctR9wmJZJ.5FWu2fGkQk.w-
Received: from [41.208.132.212] by web24812.mail.ird.yahoo.com via HTTP; Fri, 06 Aug 2010 11:05:58 GMT
X-Mailer: YahooMailClassic/11.3.2 YahooMailWebService/0.8.105.279950
Date: Fri, 6 Aug 2010 11:05:58 +0000 (GMT)
From: Rita Usman <odily4ritaa@yahoo.co.uk>
Subject: HONEY PLEASE CONTACT THE BANK TODAY
To: My email address<XXXXXX@gmail.com>
In-Reply-To: <AANLkTikZcJeuRoaYu-W+t2cu52K3uJ1T_rgHGBHfuEQZ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-616293714-1281092758=:63115"

What you're looking for is the "Received: from" part. You can either find it yourself, or copy and paste the headers into whatismyipaddress.com. Headers show the route from you back to the person that sent it, so you have to look at the last IP address you see rather than the first one. In this case we can see that the IP address we're looking for is 41.208.132.212 and that it leads to Senegal.

All that most people will be able to get from the IP address is the location of the internet provider used, but the authorities are able to contact the provider and get the physical location of the computer used to send out the emails. No matter where the scammer claims to be, the IP address will show their true location.

Of course nothing is ever that simple. It is possible to fake an IP address by using something called a proxy to connect to the internet from another computer in another part of the world, but a quick Google search will often tell you that it's a proxy and not to be trusted.
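
The "look at the last Received: from" step described above can be done with a short script. This is an added example, not part of the handbook: it uses Python's standard library, the function names received_hops and origin_ip are made up for illustration, and the sample input is the Received lines from the headers shown on this page.

```python
import email
import ipaddress
import re

# Abridged from this page's sample: only the Received lines and From are kept.
SAMPLE = """\
Received: by 10.204.76.17 with SMTP id a17cs50731bkk;
        Fri, 6 Aug 2010 04:06:00 -0700 (PDT)
Received: from n25.bullet.mail.ukl.yahoo.com (n25.bullet.mail.ukl.yahoo.com [87.248.110.142])
        by mx.google.com with SMTP id s66si2166278weq.66.2010.08.06.04.05.59;
        Fri, 06 Aug 2010 04:05:59 -0700 (PDT)
Received: from [217.146.182.179] by n25.bullet.mail.ukl.yahoo.com with NNFMP; 06 Aug 2010 11:05:44 -0000
Received: from [127.0.0.1] by omp208.mail.ukl.yahoo.com with NNFMP; 06 Aug 2010 11:05:59 -0000
Received: (qmail 87758 invoked by uid 60001); 6 Aug 2010 11:05:58 -0000
Received: from [41.208.132.212] by web24812.mail.ird.yahoo.com via HTTP; Fri, 06 Aug 2010 11:05:58 GMT
From: Rita Usman <odily4ritaa@yahoo.co.uk>

"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw_headers):
    """Return (ip, receiving_host) for each 'Received: from' line, newest first."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())        # unfold continuation lines
        if not value.startswith("from "):
            continue                           # 'by ...' / '(qmail ...)' lines name no sender
        sender, _, rest = value.partition(" by ")
        match = BRACKETED_IP.search(sender)
        if match:
            hops.append((match.group(1), rest.split(" ", 1)[0] or None))
    return hops

def origin_ip(raw_headers):
    """Oldest hop (last in the list) whose address is publicly routable, else None."""
    for ip, _ in reversed(received_hops(raw_headers)):
        try:
            if ipaddress.ip_address(ip).is_global:
                return ip
        except ValueError:
            continue                           # e.g. 999.1.1.1: not a real address
    return None

if __name__ == "__main__":
    for ip, host in received_hops(SAMPLE):
        print(f"{ip:>16}  received by {host}")
    print("origin:", origin_ip(SAMPLE))
```

Each mail server adds its own Received line on top of the ones already there, so the lines written by servers you trust (here Google's and Yahoo's) are the reliable ones; anything lower down that came from the sender's own software can be forged.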