My email account just sent my a handful of my friends and family members an email with a spammy link to something called "Viagrow", but I can't for the life of me figure out where the email came from, or how it happened. Is there a way to track the origin of a spam email so I can keep it from happening again?
Sick of Spam
Spam is a wonderfully curious thing. In most cases, its existence makes you wonder who it's targeting and what its goal could be. Maybe more than anything, it's an annoying surprise when a friend tells you they received spam from your email address. Let's walk through how you can track down the origin of a spam email and what you can do with the information.
Track And Block The Location Of The Spammer
The first step to take is to find the sender's IP address (this is sort of like an internet phone number) by examining the header of the email. The header contains identifiers that will lead you to where the sender is located. Most email programs hide this information from you by default because most of the time, you really don't need to know everything in the header — but it's easy to find. The header is the email's history and lets your track everywhere the email went as if you're tracking a post package. If the email actually originated from your account, there's still a copy in your sent folder. If no copy exists on your end, have one of the people who received your message forward the email back to you. Here's how you find the header in most common email programs:
- Gmail: Select the spam message. Click the down arrow next to the reply arrow. Select "Show Original."
- Apple Mail: Select the spam message. Click View > Message > All Headers.
- Outlook: Double-click to select the spam message and open it in a new window. Click File > Info > Properties. The header is displayed under "Internet Headers."
- Thunderbird: Select the spam message. Click View > Headers > All.
- Yahoo!: Select the spam message. Click "Full Headers" below the email.
- Hotmail: Select the spam message. Click the down arrow next to to the reply arrow. Select "View message source."
Most other email programs have a similar method as those above. Once you have the full header, look for the words "Received from" toward the top of the header. From there, you can track the email's journey through the internet. The top line is the origin of the email and it works its way all the way to your IP address at the bottom of the header. The IP address will look something like: 220.127.116.11.
Now we're going to figure out where that origin IP address is located. Head over to DNSStuff and enter the IP address from the top of the header into the WHOIS field.
For the above IP address, we find information that this IP is registered to someone named Vladimir Sherstnev in Russia. The search results also mention this is probably a forged IP address, which means someone used it specifically to send out a bunch of spam emails to people. In this case, it means the original location of an email was faked and poor Vladimir was probably not at fault. If you like, you can report this address to the ACMA (unfortunately, the site is currently down). However, another possible origin address type exists: your own IP address.
Not long ago I received a spam email from my dad. It originated at 65.55.34.XXX, which is owned by Microsoft. This makes sense because his address is a Live email account. In this case, it means his account was either hacked or spoofed. Hacked means someone got his password and went on a junk-emailing spree. Spoofed means someone is pretending to be him (or you). So, what do we do now? We see which of those two happened.
Check Your Account Activity And Research Your Email Access History
To check if your account has been hacked you need to look into the recent history on your account. This is going to vary by email provider but here's how to do it in two of the big ones:
- Gmail: At the bottom of your inbox, click Details. This will open a pop-up window with the recent IP addresses that have accessed your account (your current IP is listed on the bottom).
- Yahoo! Click your email address > Edit my account, then "View your recent login activity."
As far as I can tell, you can't get this information in Hotmail. If you're on a private server, most webmail apps show your access history somewhere in the preferences panel.
If you see an IP address that isn't one of yours, (don't forget you can search Google for "IP" to get your current address) then your account and password were probably hacked. Change your password and continue monitoring the logins to your account over the next few days.
You have a few ways to check if your account is being spoofed. First, do the same search as above to make sure nobody is in your account. Next, check your forwarding options. Make sure your email isn't set to forward anywhere you didn't set it to. It's also a good idea to run an antivirus scan on your computer. You can find our picks for Windows and Mac if you don't have one. If you're using Gmail, look at your authorised sites to ensure no apps have access to your account that aren't supposed to.
Finally, retrace your steps. Did you click on a phishing link or reply to spam mail? If you did, find that email again. Look at the complete header and track the information the same way you did above. This doesn't solve the problem, but it does give a face (or an IP address at least) to the culprit. If its particularly irksome or continues to happen, report the address to your email provider and have them investigate the address.
Protect Yourself And Your Friends From Future Spam
While it's fun to play detective and picture yourself hunting down a crazed Viagra-loving spammer, it's easier to make sure it doesn't happen in the first place. Brush up on your phishing scam detection skills and your online fraud detection abilities. If you Gmail account was used for spoofing or was hacked, you can take steps to make sure email that you actually sent doesn't look like it's phishing.
It's unfortunate that once you track down the IP address of a spammer you don't have a lot of options for taking action against them, but it is nice to see where it comes from.
Got your own question you want to put to Lifehacker? Send it using our contact tab on the right.