National SOC Month

Cybertracking Using Email & Websites

  • Written by Ron Brown

mug brownI have been asked on several occasions why data brokers provide IP addresses and how are they useful to a tracer. In this article I will attempt to explain how an IP address may be used to locate a person.

If you are attempting to utilize IP addresses to trace, it is first and foremost that you have a clear understanding of what an IP address actually is and the information it can and cannot provide. Let me start by explaining exactly what an IP address is.

Every computer that has ever been connected to the Internet has been given an Internet Protocol (IP) address. This IP address is used as a type of location tool, which allows a network administrator or Internet service provider to differentiate one computer from another. While an IP address won’t be able to tell you exactly where someone lives, it will be able to confirm the general area in which they reside–sometimes within a couple of blocks of their actual location.

If you watch television you may have the impression that you can find a person’s physical location, just by knowing their IP address and running some super-secret high-tech program. This isn’t true. There is, to the best of my knowledge, no technology that will instantly tell you where someone is if you know their IP. In fact, I believe, there is no single piece of technology that could ever tell you that. With a lot of legwork and some court orders you might be able to eventually find someone, but it’s not like what you see on television and in motion pictures at all.

The professional tracer must understand what they can and cannot learn from the IP address. The IP address will indicate which Internet service provider (ISP) is being utilized by the user. Many IP addresses may be the user’s company IP. In other cases, it may be just one of the large ISPs such as ATT or Comcast. The IP will also provide the approximate physical location of the user. What the ISP address will not provide is the actual name of the person using that IP address. As for the providers, the ISPs will typically only release such information under a court order. There is no method of associating an exact physical geographical address or the computer associated with an IP address that an end user can use. Even to report abuse by a person behind an IP address you must contact local authorities or the ISP who is in control of that IP address. A professional tracer should also keep in mind that an IP address could be spoofed, stolen, or could be behind a proxy and using its IP address.

Now that we understand what an IP address is, the next step is learning how the tracer may acquire the actual IP address. Many data providers today provide all the IP addresses associated with the person the tracer is searching for, making the tracer’s job very easy. Other methods to obtain an IP address are as follows.

Examine the Header of an Incoming Email

When you want to find someone’s IP address, an email from them is one of the best places to check. IP address information can be found using a function embedded in most email programs. This method varies depending on the type of email service or program you’re using. The header’s information is the most important thing for which to look. There should be an option called “Internet Headers” or simply “Headers” in the settings of your email program. (Find detailed instructions later in this article under 3. Show Headers and Address.) Turning on this option displays a new range of data on your messages, including the sender’s IP address. The format of an IP address is numeric, written as four numbers separated by periods. As an example, Facebook’s IP address is

A professional tracer using an IP address must always be aware that header information can’t always be trusted. In fact, it can be totally fictitious. When you have located an IP address using this method, perform an IP check by using the command prompt to ping the address and confirm its validity.

Another method is the use of an IP Locator Tool to get the location of an IP address. It’s not 100% accurate, but you can roughly know the location of the user at the point he’s using the said IP address.

Once you have obtained the IP address you can attempt to trace that device or the person using the device in question. Yes, it is possible. There are various sites available on the Internet to trace location of an IP. But some of them don’t give correct information.

Now that we have a better understanding of what an IP address is, its capabilities and limitations and how to obtain it, we can proceed with how a professional tracer may utilize the IP address to trace. Knowing the IP address will allow the tracer to locate a country, city and the Internet provider. But locating someone precisely requires far more information than simply an IP address. Fortunately, there are a few methods for finding an IP address either for a website or an individual device.

A tracer may utilize Traceroute, geolocational tools, and similar utilities but the best you can realistically achieve is to find out the location of your target’s ISP.


1. Open a command console. To open a command console on a PC, click on “Start,” then “All Programs,” then “Accessories,” and then “Command Prompt.” On Windows, enter tracert . On UNIX (including Linux and Macintosh OS X), open a shell and use the command traceroute , and how long each step takes.

2. Go to a website that will allow you to look up IP address information. Google “IP Lookup” or “IP Geolocation” for a large list of sites that will freely offer this service.

Another method to trace a website IP address is to simply ping the URL from your computer’s command console, then use an IP lookup to find out where it comes from. Similarly, to trace the IP address of an email, find the IP address from the email header, then use a “whois ______” search or IP lookup to trace it back to its source.

Type “ping [URL].” You then press return/enter. The IP address should appear beside the website name, followed by how many seconds or milliseconds the ping took. When you Ping an address, the computer sends a signal out to a URL which then bounces back with the website information attached, and how long the round trip took.

3. Show Headers and Address. Open a message. From the View menu, select the option that lets you view all or extended headers, and your To/From section will blossom with new information. If you are using a Mac, click View > Message > All Headers. On a PC, click Options then the dialogue box launcher > Message Options dialogue box (Properties) > Internet Headers. Next to the Received section you will see something like “from …” and an IP address. Select one of those, and copy it to the clipboard. In this case, we’ll select, and copy it. We can see that it says “Received from http://mx-out.,” and you may run a test to see if that’s accurate.

Open a command console. Only this time, instead of doing a ping on a known address, we’re going to run a “whois” in your terminal window. By the flashing cursor, type “whois,” and press Enter. The information will be sent out to a database, queried, and then returned with the registration information for that IP address. If this function does not work with ease on your computer, entering the IP address at should produce the same information. In this case, we can verify that the message was sent through Facebook. Notice we also have the domain registrar’s full address.

Use an alternative lookup. You may not want to use the terminal, or perhaps it’s not loaded on your computer. Instead, you can try using an Internet lookup, such as “ip-lookup,” which gives you much the same information as a whois lookup, and in many cases, much more.

I will conclude with one last bit of information for tracers, a great starting point is with the site The thing that makes this website so great is having accessibility to both general public and privately-owned data. This site will give a deeper look into information not available freely. You may well uncover criminal history records, crucial data, police arrest reports, cell phone reverse lookup and social media research.

Until next time… good luck and good hunting.

Ron Brown is a member of the National Association of Fraud Investigators and the author of “MANHUNT: The Book.” Contact him at This email address is being protected from spambots. You need JavaScript enabled to view it..