Domain Name Tests (e.g.

DNS Report Enter domain name  ?
See if there are problems with your DNS hosting
DNS Timing Enter domain or host name  ?
Check speed of your DNS hosting
WHOIS Lookup Enter domain name (or IP)  ?
Lists contact info for a domain/IP (about 150 TLDs!).
Abuse Lookup Enter domain name  ?
Finds abuse contact for a domain from
Domain Info Enter domain name  
Shows info about a website, such as server used.
IP Tests (e.g.

Spam database lookup Enter IP (or host name)  ?
See if a mail server is listed in 150+ spam databases.
Reverse DNS lookup Enter IP/IPv6 (or host name)  ?
See if your IP has a reverse DNS entry.
IPWHOIS Lookup Enter IP (or domain name)  ?
Lists contact info for an IP (or domain).
City From IP Enter IP  ?
Uses geolocation to find the city and country of an IP.
IP Routing Lookup Enter IP  ?
Shows IP routing info, from RADB.
Hostname Tests (e.g.

DNS lookup Enter domain or host name  ?
Look up a DNS record (A, MX, NS, SOA, etc.)
Traceroute Enter host name (or IP/IPv6)  ?
Traces the route packets take to this host.
Ping Enter host name (or IP/IPv6)  ?
Shows how long it takes for packets to reach a host.
ISP cached DNS lookup Enter domain or host name  ?
Check cached DNS at major ISPs.
Other Tests:
URL deobfuscator Enter URL  ?
De-obfuscates confusing URLs.
Free E-mail Lookup Enter E-mail address or domain  ?
Is an E-mail address a known free one?
CIDR/Netmask Enter CIDR range or IP  ?
Calculates CIDR ranges (e.g.
E-mail Test Enter E-mail address or domain  ?
Are there problems sending mail to a user or domain?
CSE HTML Validator Enter website  ?
Finds HTML errors in websites.
Decimal IPs Enter decimal IP  ?
Converts a decimal IP (e.g. 2130706433) into an IP.

Understanding email headers are tracing email addresses.

I am briefly going to describe how email addresses can be traced to a location
Tracing an email address:
If you do not have an actual email message, but only have an email address, you can trace the address its email server. However it should be noted that email addresses can be easily forged, the results from tracing an email address may not be related to the true sender.

In most cases, you should or could trace any email from a dos prompt. (used to do this a long time ago in Sth America.

If you want to understand how email tracer work, continue reading...


2. Email Internet Headers

Every received email has Internet Headers. Using Microsoft Outlook as an example (other mail programs are very similar), just follow these steps to view the headers:

  1. Right-click on the mail message that is still in your Outlook Inbox
  2. Select 'Options...' from the resulting popup menu
  3. Examine the 'Internet Headers' in the resulting 'Message Options' dialog

TIP: Right-click in the 'Internet Headers' field and click on 'Select All' in the popup menu (or type ctrl-A). Then right-click again and click on 'Copy' in the popup menu (or type ctrl-C). Finally, paste all the Internet Headers into your favorite text editor for full examination (such as 'Notepad', included with Windows).

Example: What you see will be very similar to the following (with 'line numbers' added for clarity and discussion in following sections):

1: Received: from ([]) by (8.11.6) id f9CIVSk24480; Tue, 12 Oct 2004 12:31:29 -0600 (MDT)
2: Message-Id: <>
3: Received: from (IIM1608 []) by with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
4:   id 4XNK9ATR; Wed, 13 Oct 2004 01:19:10 +0800
5: From:
6: To: <>
7: Subject: Long Distance - 4.9 cents per min - NO FEES!
8: Date: Tue, 12 Oct 2004 13:24:26 -0400
9: X-Sender:
10: X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
11: Content-Type: text/plain; charset="us-ascii"
12: X-Priority: 3
13: X-MSMail-Priority: Normal
14: X-UIDL: 8`Y!!0GR!!"?H"!k:O!!
15: Status: U

Header Line Syntax: The Internet Header Fields are just a series of text lines, where each line looks like:

Header-Name: Header-Value

And if a line starts with a tab or spaces, like line 4 above, that line is a continuation of the previous Header-Value line. So, the Header-Name Received in line 3 has a Header-Value that spans lines 3 and 4.

3. 'Received' Headers

The most important header field for tracking purposes is the Received header field, which usually has a syntax similar to:

Received: from ? by ? via ? with ? id ? for ? ; date-time

Where from, by, via, with, id, and for are all tokens with values within a single Header-Value, which may span multiple lines. Note: Some mail servers may not include all of these tokens -- or additional tokens/values may be added to this field, but now you are prepared to break it apart and understand it.

Every time an email moves through a new mail server, a new Received header line (and possibly other header lines, like line 2 above) is added to the beginning of the headers list. This is similar to FedEx package tracking, when your package enters a new sorting facility and is 'swiped' through a tracking machine.

This means that as you read the Received headers from top to bottom, that you are gradually moving closer to the computer/person that sent you the email.

But please note that as you read through the Received header fields and get closer to the computer/person that sent you the email, you need to consider the possibility that the sender added one or more false Received header lines to the list (at the time, the senders beginning of the list) in an attempt to redirect you to another location and prevent you from finding the true sender. But, now that you know false header lines are possible, just stay alert.

You will probably find it very useful to break a single Received line into multiple lines, with one token per line. Namely, the header line:

Received: from ([]) by (8.11.6) id f9CIVSk24480; Tue, 12 Oct 2004 12:31:29 -0600 (MDT)

is much easier to read and understand when formatted so that each token is on a new line, as in:

  from ([])
  by (8.11.6)
  id   f9CIVSk24480
  ;    Tue, 12 Oct 2004 12:31:29 -0600 (MDT)


4. The Sender's IP Address

For tracking purposes, we are most interested in the from and by tokens in the Received header field. In general, you are looking for a pattern similar to:

Received: from BBB (dns-name [ip-address]) by AAA ...
Received: from CCC (dns-name [ip-address]) by BBB ...
Received: from DDD (dns-name [ip-address]) by CCC ...

In other words, mail server AAA received the email from BBB and provides as much information about BBB, including the IP Address BBB used to connect to AAA. This patterns repeats itself on each Received line. The syntax of the from token most times looks like:

name (dns-name [ip-address])

Where: name is the name the computer has named itself. Most of the time we never look at this name because it can be intentionally misnamed in an attempt to foil your tracking (but it may leak the windows computer name). dns-name is the reverse dns lookup on the ip-address. ip-address is the ip-address of the computer used to connect to the mail server that generated this Received header line. So, the ip-address is gold to us for tracking purposes.

The by token syntax just provides us with the name that the mail server gives itself. But since the last mail server could be under the control of a spammer, we should not trust this name.

So, what is crucial for tracking, is to pay attention to the trail of ip-address in the from tokens and not necessarily the host name provided to us in the by tokens. Hopefully an example will make the reason why very clear:

1: Received: from ([]) by (8.11.6) id f9CIVSk24480; Tue, 12 Oct 2004 12:31:29 -0600 (MDT)
3: Received: from (IIM1608 []) by with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)

If you ignore line 1, you would conclude from line 3 that mail server sent you an email, but this would be wrong. When you trace to the host name, you are actually tracing to the IP Address lookup on that host name, which is But as you can see from line 1, the IP Address used was really Do not be fooled by this attempted misdirection by spammers and fraudsters.

Determine the IP Address of the Sender: Using the example email headers above and analyzing the Received header lines we can conclude:


So, we have just tracked this email to the source -- IP Address

TIP: Practice! Track down the emails received from friends and family. Since you know where they are really located, that will help you to analyze the Internet Headers. You will quickly gain experience and confidence in your ability to track down the computer/person that sent you an email message.


5. Report Email Abuse

In most cases eMailTrackerPro will identify the IP address of the sender's computer, the sender's geographical location, and the company providing Internet service (or ISP) for the IP address. Reports for email abuse -- such as spam, email-borne viruses and email threats -- should be directed to the sender's ISP.

In eMailTrackerPro, spam can be easily reported by following the steps below:


The registered 'owner' of the sender's IP address can be viewed in the 'further owner details' section of the eMailTrackerPro report, in the 'Domain Owner Information' column.


6. Leaked Sender Information

The Internet Headers for an email message may contain some really interesting information about the sender.

A) Windows Computer Name: It appears that the Windows computer name is sometimes leaked. Consider the following partial header information from an actual email:

Received: from hanksdell ( []) by (8.8.5) id SAA26331; Mon, 11 Oct 2004 18:46:53 -0600 (MDT)

Where we can clearly see the IP Address of the sender, but we can also see the computer name of hanksdell. While the computer name can be named anything, in this case, I might assume that the person is named Hank and uses a Dell computer.

This computer name may be intentionally misleadingly named or not be meaningful but it can become very useful confirming information if law enforcement can confirm that the name of the suspect's computer matches the name in the email header.

B) Timezone Information: Consider lines 3 and 4 from the Internet Header discussion above:

3: Received: from (IIM1608 []) by with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
4:     id 4XNK9ATR; Wed, 13 Oct 2004 01:19:10 +0800

Notice that in the Internet Headers, when a time is displayed, many times it is followed with a plus/minus and four digits, which represent HHMM (hour and minutes) from GMT (Greenwich Mean Time), or London, UK time. Plus means east of GMT. Minus means west of GMT.

So, according to +0800, the server is 8 hours east of GMT. TIP: Go into the Windows Control panel and enter into the Date/Time dialog, where there is a Time Zone list. This time zone appears to be in Singapore. Then, the .sg in means Singapore, which is one more confirmation of this information. A final confirmation comes from performing a VisualRoute trace (the IP Address for TIP: Trace to the IP Address, not the host name.

C) X-Mailer: This will usually tell you the mailer software used by the sender of the email. Consider:

10: X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1

This may or may not be immediately useful, but it can be very useful if there is a follow-up investigation by authorities.

D) X-Originating-IP: If you are attempting to track down an email received from a Hotmail email account, look for the X-Originating-IP header field, which will tell you the IP Address of the computer that sent the email. Consider:

1: Received: from ( []) by (8.11.6) id f9BIvve34655; Mon, 11 Oct 2004 12:58:00 -0600 (MDT)
2: Received: from mail pickup service by with Microsoft SMTPSVC; 3:     Mon, 11 Oct 2001 11:57:51 -0700 4: Received: from by with HTTP; 5:     Mon, 11 Oct 2004 18:57:51 GMT 6: X-Originating-IP: []

However, notice that we could have obtained the same IP Address information by examining the Received header fields. But it is nice to have this extra confirmation.