You can usually locate the originating IP address of an email in its headers. Every mail server that handles a message prepends a Received: line, so the full header block is a hop-by-hop log of where the message has been; in Gmail you expose it by opening the message and choosing Show original. Each Received: "from" clause identifies the previous host in two ways: the name that host announced in its EHLO/HELO command, and, in square brackets, the IP address the receiving server actually saw on the TCP connection. The announced name is chosen by the sender and can be anything, so the bracketed address is the part to rely on; the name is only useful once you already know the sender's provider and can check whether it matches.
If you know the sender's email address, search your own mailbox for every message from it and compare the Received: chains. A sender who consistently submits from the same address or the same provider is easier to characterise than a single message, and the number of hits may be high simply because mailing lists and forwarding produce duplicates. Check several messages before you block an address, so that you block the actual source and not a relay shared with legitimate senders.
If you do not know the sender's address, searching the web for the domain in the From: line will not help: the From: header is chosen by the sender and is trivially forged, and the domain may be registered to someone with no connection to the message. Search engines do not index the IP address that sent a message either, and many senders are on dynamic addresses that change periodically, so the header chain itself is the only record you have.
To find the original sender's address, read the Received: lines from the bottom of the header block upwards. Servers prepend their Received: line as the message passes through them, so the bottom-most line was written by the first server to accept the message, and the bracketed IP in its "from" clause is the address of the host that submitted it. Some providers copy that address into a separate X-Originating-IP: header (Original-IP is not a standard name). Treat it with the same caution as any other header: anything below the first Received: line written by a server you trust could have been written by the sender.
If you administer the receiving server, you can capture the SMTP session itself with tcpdump instead of relying on headers. tcpdump has no -o or --original switch; the following command captures the traffic from a single host to a file:
tcpdump -i eth0 -s 0 -w email_trace.pcap 'src host 192.168.1.5 and tcp port 25'
Here tcpdump listens on interface eth0 for packets coming from host 192.168.1.5 on the SMTP port and saves them to the file email_trace.pcap. The -s 0 argument sets the snapshot length so that whole packets are captured rather than truncated (older tcpdump versions default to a short snaplen); the capture runs until you stop it with Ctrl-C. Because -w writes raw packets, nothing is printed to the terminal during the capture.
Now open the saved pcap file in Wireshark, or read it back with tcpdump -r, to view the session. Following the TCP stream shows the SMTP dialogue (EHLO, MAIL FROM, RCPT TO, DATA) exactly as the client sent it, and the IP header of those packets gives the client's address directly, with no dependence on what the client wrote into the message headers. The capture only shows the host that connected to your server, however; if that host is a relay, the hops before it are still visible only in the Received: lines it carried.
Tracking down the original sender is simple only when every server in the chain is honest. The Received: lines added by your own servers are trustworthy; everything below them was supplied by whoever handed the message over, and a sender can prepend fabricated Received: lines to the message before submitting it.
The Return-Path: field does not hold an IP address at all. It records the envelope sender, the address given in the SMTP MAIL FROM command, which is where delivery failures are reported, and it may differ from the From: header that a mail client displays. Comparing the two is a quick forgery check: a From: line in one domain with a Return-Path: in an unrelated domain deserves a closer look at the Received: chain.
Bounce messages (delivery status notifications, generated when a message cannot be delivered to an address) are another source of evidence: they usually quote the original message's headers, so if you receive bounces for mail you never sent, the quoted Received: lines show where the forged mail was actually submitted. In those lines you will often see generic announced names such as "home", "work" or "laptop"; these come from the sender's EHLO command and identify nothing on their own, whereas the bracketed address next to them was recorded by the receiving server. The From: field of a bounce holds the mailer-daemon address of the server that generated it, not the original sender's IP.
One more thing: depending on your email client and how it is set up, it may display only a summary of the headers, or a single "sender" value it derives from From: or Return-Path:. Always inspect the raw source rather than the client's summary, and read every Received: line, because the hop that matters is often not the one the client picked out.
In Gmail, open the message, choose More->Show Original, and look for the "Received: from" lines; the bottom-most one may contain the submitting host's IP address, which a WHOIS query or an IP geolocation service (Wolfram Alpha will also resolve an address to an approximate location) maps to a network operator and a rough region, not a street address. Note that although most mail servers record the connecting IP in the Received: line, RFC 5321 only recommends it, and whether that address belongs to the sender's own machine depends on how the message was submitted.
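The procedure above, reading the Received: chain from the bottom up, checking Return-Path:, and stopping at the first hop a foreign server recorded, as an added example (not code from the original page). The raw message is a constructed sample in the form Show original displays; the hostnames are assumptions and the addresses are RFC 5737 documentation ranges, which the is_public check deliberately treats as routable so that the sample reads naturally.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message submitted from a client to mx.example.net,
# then relayed to the recipient's server inbound.example.com. Hostnames are
# assumptions; addresses are RFC 5737 documentation ranges.
RAW_MESSAGE = """\
Return-Path: <bob@example.org>
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbound.example.com with ESMTPS id abc123
\tfor <alice@example.com>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop (unknown [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTPSA id 9F3A2
\tfor <alice@example.com>; Mon, 1 Jan 2024 10:00:00 +0000
From: "Bob" <bob@example.org>
To: alice@example.com
Subject: hello

hi
"""

# IPv4 or IPv6 literal in square brackets, as MTAs write it in the
# TCP-info part of a Received "from" clause.
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Blocks that cannot be the public source of an internet-delivered message.
# Documentation ranges are left out on purpose so the sample above counts
# as routable.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def parse_received(value):
    """Pull the announced name, recorded IP and 'by' host out of one Received line."""
    flat = " ".join(value.split())  # unfold continuation lines
    hop = {"from": None, "ip": None, "by": None}
    m = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", flat)
    if m:
        hop["from"] = m.group(1)  # EHLO name: chosen by the client, untrusted
        ip = IP_RE.search(m.group(2) or "")
        hop["ip"] = ip.group(1) if ip else None  # recorded by the receiving MTA
    m = re.search(r"\bby\s+(\S+)", flat)
    if m:
        hop["by"] = m.group(1)
    return hop


def received_chain(raw):
    """Hops in transmission order: index 0 is the bottom-most Received line."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def originating_ip(raw):
    """IP recorded in the earliest Received line, i.e. the claimed origin."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None


def return_path(raw):
    """Envelope sender (MAIL FROM) that bounces go to; an address, not an IP."""
    return parseaddr(message_from_string(raw).get("Return-Path", ""))[1]


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def last_trusted_hop_ip(raw, trusted_suffix):
    """Walk from the newest Received line downward while the 'by' host is ours.

    Lines below the first hop recorded by a foreign server could have been
    written by anyone, so the from-IP of the last hop our own servers
    recorded is the strongest evidence the headers provide."""
    msg = message_from_string(raw)
    evidence = None
    for value in msg.get_all("Received", []):  # header order is newest first
        hop = parse_received(value)
        if not hop["by"] or not hop["by"].endswith(trusted_suffix):
            break
        evidence = hop["ip"]
    return evidence


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(RAW_MESSAGE)):
        print(f"hop {i}: from {hop['from']} [{hop['ip']}] by {hop['by']}")
    print("origin claimed by headers:", originating_ip(RAW_MESSAGE))
    print("last hop our servers recorded:",
          last_trusted_hop_ip(RAW_MESSAGE, "example.com"))
    print("Return-Path:", return_path(RAW_MESSAGE))
```

For the sample, originating_ip() returns 198.51.100.7, the laptop behind mx.example.net, while last_trusted_hop_ip() with your own domain returns 203.0.113.10, because only the top line was written by a server you control; the laptop's address is a claim made by example.net and is only as good as that relay.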
Is it always possible to trace an email address? Both yes and no. Hotmail, for example, historically added an X-Originating-IP header carrying the address of the browser that composed the message. Gmail's web interface, on the other hand, records only Google's own servers in the Received: chain, so a recipient can trace the message back no further than a Google IP address. Someone who also sends through a proxy or VPN is hidden one layer further still, because even the provider only sees the proxy's address.
So broadly: if a message was composed in the web interface of a service that does not record the client address, such as Gmail, the recipient can trace it back only to that provider. If it was submitted from a mail client over SMTP, or through a provider that records the client address in X-Originating-IP or the first Received: line (Yahoo! Mail and AIM Mail have historically done so), the submitting address is in the headers and a recipient can trace it. Which services do which has changed over time, so check an actual message from the service rather than assuming.
Here's why that matters: what gets recorded is the public address of the connection the message was submitted from, and that address is rarely tied to one person. A home router puts every device in the house behind a single address, so a message from Evil Uncle Bob's laptop carries the same IP as yours, and a reverse lookup such as ip-123-45-67-89.com usually names only the ISP. Public Wi-Fi and carrier-grade NAT share one address among far more people. A recorded IP therefore identifies a network at a point in time, and turning it into a person requires the ISP's own records. Proxy servers and VPNs exist to replace even that address with one belonging to the proxy, which is why people use them when they want the origin of their mail hidden.