Tracing a Scam Email

Finding Email Headers in Email Messages and Reporting Abuse – Spammers and Scammers

Outlook (most versions)

Right-click the message whose header you want to view and choose Options from the menu. The email header appears in a box at the bottom of the window.

Outlook Express (most versions)

Right-click the message whose header you want to view and choose Properties from the menu. At the top of the new window, click Details; the header appears in the box.

Yahoo Mail (Web Based)

Click on the link under Subject to view the message. While viewing the message, look at the top right-hand side for the link that reads “Full Headers” and click on it. The header will be listed above the email.


  1. Open the email you want to check the headers for
  2. Next to Reply, click the Down arrow
  3. Click Show original
  4. Copy the text
  5. Open the Message header tool
  6. In “Paste email header here,” paste your header
  7. Click Analyze the header above

How to Analyze Scam Email Headers

The sending address and IP address can be “spoofed” (faked), but you can tell when that has happened if you do some research.

Here is an Example of an Email Header

X-YPOPs-Folder: Inbox
X-RocketYMUMID: AIgmvs4AAV61QrzemAAYfy95Te4
X-Apparently-To: [email protected] via; Fri, 24 Jun
2005 21:33:27 -0700
X-Originating-IP: []
Return-Path: <[email protected]
X-RocketTIP: ; YAHOO
Authentication-Results:; domainkeys=pass (ok)
Received: from (HELO
by with SMTP; Fri, 24 Jun 2005
21:33:27 -0700
Received: (qmail 16766 invoked by uid 60001); 25 Jun 2005 04:33:26 -
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
Df4yoaMt92GzB bjfdBu+SjqQgK/WYubAt9y1j4bm3czqN8= ;
Message-ID: <[email protected]
Received: from [] by via HTTP;
Fri, 24 Jun 2005 21:33:26 PDT
Date: Fri, 24 Jun 2005 21:33:26 -0700 (PDT)
From: kelly lizzy <[email protected]
Subject: my pics
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-643441667-
Content-Transfer-Encoding: 8bit
Content-Length: 62927

You Read Email Headers from the Bottom Up
This part can be spoofed so you can usually ignore it.

From: kelly lizzy <[email protected]
Subject: my pics
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-643441667-
Content-Transfer-Encoding: 8bit
Content-Length: 62927

Then look for the first Received: from line, counting from the bottom; the address in square brackets on that line is the originating IP.
Received: from [] by via HTTP;
Fri, 24 Jun 2005 21:33:26 PDT
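
Added example (not part of the original article): the bottom-up reading described above, written as a small Python parser. The sample header is constructed to mirror the layout of the one shown earlier; its host names and addresses are placeholders from documentation ranges, and treating RFC 1918 and loopback addresses as internal hops to skip is an assumption of this example.

```python
import email
import ipaddress
import re

# Constructed sample mirroring the layout of the header above; host names and
# addresses are placeholders (RFC 5737 documentation ranges), not real data.
SAMPLE = (
    "Received: from web.example.net (HELO web.example.net) (198.51.100.7)\n"
    "  by mx.example.org with SMTP; Fri, 24 Jun 2005 21:33:27 -0700\n"
    "Received: (qmail 16766 invoked by uid 60001); 25 Jun 2005 04:33:26 -0000\n"
    "Received: from [203.0.113.45] by web.example.net via HTTP;\n"
    "  Fri, 24 Jun 2005 21:33:26 PDT\n"
    "From: kelly lizzy <sender@example.com>\n"
    "Subject: my pics\n"
    "\n"
    "body\n"
)

# IPv4 only: an address wrapped in [] or (), as mail servers usually record it.
IPV4 = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
# Assumption: these ranges are internal relays or NAT clients, not worth a WHOIS.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def received_hops(raw):
    """Return [(ip_or_None, header_text)] ordered bottom-up (oldest hop first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())                 # unfold continuation lines
        match = IPV4.search(text.split(" by ", 1)[0])  # look only at the "from" clause
        ip = None
        if match:
            try:
                ip = str(ipaddress.ip_address(match.group(1)))
            except ValueError:                         # malformed, e.g. 999.1.1.1
                pass
        hops.append((ip, text))
    return hops

def originating_ip(raw):
    """First address, reading bottom-up, that is not RFC 1918 or loopback."""
    for ip, _ in received_hops(raw):
        if ip and not any(ipaddress.ip_address(ip) in n for n in INTERNAL):
            return ip
    return None

if __name__ == "__main__":
    for ip, text in received_hops(SAMPLE):
        print(ip or "-", "|", text[:60])
    print("look up in WHOIS:", originating_ip(SAMPLE))
```

Only the Received lines added by servers you trust (your own provider's) are reliable; anything below them was supplied by the sending side and can be forged, so treat the result as a lead to check against WHOIS rather than proof.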

Finding Out Where The IP Address Is Located

The easiest way to find out where an email originated is to copy the entire header and then paste it into a site like here.

OR use this alternative:

Alternatively, go to a WHOIS lookup site and paste the IP address into the IPWHOIS Lookup box to find out where the IP has come from. This is also how you find out who owns the IP address. Here it is: COBRANET-ISP-TGB. I got the following from the WHOIS lookup; it is the contact person who, I would imagine, bought the IP block:

person: Hikmat Mardo
address: Lagos-Nigeria
address: Lekki Phase 1
address: rafiu babatunde street plot 8
phone: +23417767720
phone: +234802 832 2133
phone: +23415555656
phone: +9613666325
e-mail: ***
nic-hdl: HM1517-RIPE
notify: ********
mnt-by: IABG-MNT
changed: ******* 20040617
source: RIPE

Then we Googled it. Here is the first of two Google results:

419 Scam – Spam sources by IP address (Advance Fee Fraud) - Jun 25
COBRANET-ISP-TGB - David Hart, Weartherbys Bank Limited - [email protected] (holocaust) ... - 64k - Jun 24, 2005 - Cached - Similar pages

Reporting Abuse – Spammers and Scammers

When we do an IP trace, it always shows where to report abuse. If the ISPs take action, maybe they can shut down some of the scammers on the other end. When we report them, it might be a good idea to copy the FTC on the email as well. If a bunch of people see it, a bunch of people might do something about it. Also send it to your ISP’s abuse desk.

Investment/Securities Scams

The SEC’s Office of Internet Enforcement Complaint Center

The SEC indicates that investment-related scam spam can be forwarded to the SEC.

Attempts to Unlawfully Sell Prescription Medications Online

If people attempt to sell you prescription medications online without requiring a physician’s prescription, the Food and Drug Administration would like to know about it. You can report emails promoting illegal medical products by forwarding those emails (see FDA).

US Customs Service CyberSmuggling Center, Child Exploitation Unit

Occasionally you may receive spam related to child pornography. As noted at US Customs you should immediately report this to the US Customs Service at 1-800-BE-ALERT or the National Center for Missing and Exploited Children at 1-800-843-5678, or contact the ICE Cybersmuggling Center.

Please note that you should not download any child pornographic materials under any circumstances, since the mere possession of this type of material is a violation of federal and state laws. Let trained law enforcement officers conduct their own investigation when it comes to child porn spam.

Internet Fraud in General

Internet fraud complaints may be filed with the FBI.

4-1-9 Nigerian Advance Fee Fraud Spam

This type of scam spam, in which overseas, often Nigerian, con men typically offer you a share in millions of dollars’ worth of “over-invoiced contracts” (if only you will “temporarily” cover the cost of some “advance fees”), can be reported to the United States Secret Service by faxing a copy of the 4-1-9 solicitation to (202) 406-5031. The Secret Service also has jurisdiction over online credit card fraud, among other scams.

Pyramid Schemes or Chain Letters Using the U.S. Mail

If you receive spam that’s a pyramid or chain-letter scheme and it uses the United States mail at any step along the way (for example, if it instructs you to send money to an address via the mail), it is illegal and should be reported to the U.S. Postal Service. As noted you should turn over a copy of the chain letter or pyramid scheme advertisement to your local postmaster or nearest postal inspector. The nearest Postal Inspection Service office for Oregonians is:

PO BOX 400
SEATTLE WA 98111-4000
Phone : 206-442-6300
Fax : 206-442-6304

Unsolicited Commercial Email (Spam) In General

According to its Consumer Complaint Form site, the FTC enters Internet, telemarketing, identity theft and other fraud-related complaints into a secure, online database available to hundreds of civil and criminal law enforcement agencies worldwide.

If you wish to report unsolicited commercial email to the FTC, you should forward that spam.

State Agencies and Spam

The Oregon Attorney General’s Office indicates that consumers can report email scams to the State Department of Justice Consumer Hotline. However, there is no indication what will be done with spam that gets forwarded to that address.

Some states, such as California, have been faulted for establishing spam reporting channels but then failing to follow through. Pointers to all states with anti-spam laws

Reporting Spam Directly to an ISP Spam Source: Get Help from SpamCop
If you decide to complain directly to the ISP that’s hosting spammers (or is itself the source of spam), SpamCop can help you find the right ISP.

IP Address Resource Links

The ARIN database search; whois IP numbers here:

Regional Internet Registry; also an IP lookup:

What is my IP Address?:

IP Address Lookups

Written by Jibin K
