Taken from "The Scam Survivors' Handbook"
Whenever you send an email to someone, some extra information is sent with it that the person receiving it won't see unless they know how to look for it. This information is called the email headers, and it includes a lot more than you'd expect. If you know what to do, you can find out the path the email took, whether the email address shown is the real one or a fake, and the exact time and date it was sent.
When you join the r/s.com forum, we send you a welcome PM with several important links on the forum. How to find headers using the most common email clients is one of them. Each client is different, so the instructions for finding them on Yahoo Mail are different from the ones for finding them on Gmail, and so on.
We'll show you an example of what email headers look like, but don't worry. Most of what you'll see is unimportant and can be ignored. We're only showing you so that you know what they look like. Here we go, don't be afraid...
Delivered-To: XXXXXX@gmail.com
Received: by 10.204.76.17 with SMTP id a17cs50731bkk;
Fri, 6 Aug 2010 04:06:00 -0700 (PDT)
Received: by 10.216.26.145 with SMTP id c17mr743754wea.70.1281092760535;
Fri, 06 Aug 2010 04:06:00 -0700 (PDT)
Return-Path: <odily4ritaa@yahoo.co.uk>
Received: from n25.bullet.mail.ukl.yahoo.com (n25.bullet.mail.ukl.yahoo.com [87.248.110.142])
by mx.google.com with SMTP id s66si2166278weq.66.2010.08.06.04.05.59;
Fri, 06 Aug 2010 04:05:59 -0700 (PDT)
Received-SPF: neutral (google.com: 87.248.110.142 is neither permitted nor denied by best guess record for domain of
odily4ritaa@yahoo.co.uk) client-ip=87.248.110.142;
Authentication-Results: mx.google.com; spf=neutral (google.com: 87.248.110.142 is neither permitted nor denied by best guess record for domain of
odily4ritaa@yahoo.co.uk)
smtp.mail=odily4ritaa@yahoo.co.uk; dkim=pass (test mode)
header.i=@yahoo.co.uk
Received: from [217.146.182.179] by n25.bullet.mail.ukl.yahoo.com with NNFMP; 06 Aug 2010 11:05:44 -0000
Received: from [87.248.111.151] by t5.bullet.ukl.yahoo.com with NNFMP; 06 Aug 2010 11:05:59 -0000
Received: from [127.0.0.1] by omp208.mail.ukl.yahoo.com with NNFMP; 06 Aug 2010 11:05:59 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 248888.94550.bm@omp208.mail.ukl.yahoo.com
Received: (qmail 87758 invoked by uid 60001); 6 Aug 2010 11:05:58 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1281092758; bh=u1nEhdUKEy+mJbnm4pJNy76/bzoDhBCAAm3IMDNgQGA=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=G8NuAZr1bKTKjgXOmW9t2nc82TQ9waB0E+SDb968tm1tMB2w69BMXyuLJmvKAVFiypG9bK+0C7IFadhJgnguER+13xXV30qeNsGaw78cLkLkzcY2SJddO77nj/sK937jBL0Jn9lKjXiGPyifBGjU+8S451IGdM4CKLQ6xB+UyNk=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.co.uk;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type;
b=XMSOGtoSb0gFyCZIYE4MxuUYUuYX16RtbAauG9jXVNyEHURAcUiO96WC0bocS316jrFIQ+RKQvnl568wku0ctOGnWb89SxgKbj4LuOi9e0egVwAXt2iCvf7bJIlwixVbHnVYneUESP1H9om/moX15BVK8a0+uNBMECszaVUNLJ8=;
Message-ID: <918394.63115.qm@web24812.mail.ird.yahoo.com>
X-YMail-OSG: J33bJbwVM1nvKW7FNVxLajOKWyRGNISyWG7dL0S8B95uZCY
QywV0SE8M2FnMjpeAhnmy2HkfW2teigeaCvMm2mkxuDqUi8Npc3qljzRefWJ
ACNS_F8VY.xXjmS0J06iJqwXeN7P0t7V3J3xY1zvwIK..tqUbJgj6eAgRPX3
Dxp4x7taqDqXrdhAxPUmrihkGtD1.LrIQ2kxvm80qd9oai5SmIIL4u0nLLtz
WyG_kUjS9ZBRSTGg6ScVcHpxJzqXr_aHxghuJ_f3Edi_wev0HuvRJNtZK5Kc
HpCOCfxOYKCJ__bc24HzEbxj92ABCOUXSFctR9wmJZJ.5FWu2fGkQk.w-
Received: from [41.208.132.212] by web24812.mail.ird.yahoo.com via HTTP; Fri, 06 Aug 2010 11:05:58 GMT
X-Mailer: YahooMailClassic/11.3.2 YahooMailWebService/0.8.105.279950
Date: Fri, 6 Aug 2010 11:05:58 +0000 (GMT)
From: Rita Usman <odily4ritaa@yahoo.co.uk>
Subject: HONEY PLEASE CONTACT THE BANK TODAY
To: My email address<XXXXXX@gmail.com>
In-Reply-To: <AANLkTikZcJeuRoaYu-W+t2cu52K3uJ1T_rgHGBHfuEQZ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-616293714-1281092758=:63115"
What you're looking for is the "Received: from" part.
You can either find it yourself, or copy and paste the headers into whatismyipaddress.com.
Each mail server that handles the email adds its own "Received" line above the ones already there, so the headers show the route from you back to the person who sent it. That means you have to look at the last IP address you see rather than the first one. In this case we can see that the IP address we're looking for is 41.208.132.212, and that it leads to Senegal. All that most people will be able to get from the IP address is the location of the internet provider used, but the authorities are able to contact the provider and get the physical location of the computer used to send out the emails. No matter where the scammer claims to be, the IP address will show their true location. Of course, nothing is ever that simple. It is possible to fake an IP address by using something called a proxy to connect to the internet from another computer in another part of the world, but a quick Google search will often tell you that it's a proxy and not to be trusted.