Tracking Anonymous Emails with SpyPig


We’ve all received anonymous emails…probably multiple anonymous emails. It can be both annoying and frustrating. Wouldn’t it be great to know where these anonymous emails are coming from? Well, there is a way!

The usual method for tracking anonymous emails is to look at the email's header. If the email was sent using a mail client such as Outlook, Lotus Notes, or an iPhone, the header will contain the IP address of the sender's router or computer. If the email was sent directly from a web interface, for example by logging into gmail.com or yahoo.com, the IP address of the router or computer will not be present in the header. Tracking these kinds of emails can be very tricky, but not impossible.

Most often, when you get an anonymous email sent from a web interface, you might be able to come up with a “Suspect List” of email addresses. If you have this “Suspect List”, you can use a tool called SpyPig to track it. SpyPig is a very simple online program that lets you request a read receipt for an email you send. In addition to sending the read receipt, it also gives you the IP address of the PC or router from which the recipient opened the email. SpyPig does not need registration; just follow the directions in the SpyPig Farm.

SpyPig works by attaching an HTML img tag whose src is a SpyPig-generated URL that identifies your email. All you have to do is copy the generated image into the email you are sending and send the email. The email header the recipient receives will read SpyPig Notification [oink@spypig.com] – hiding your identity (like a spy!). Once the recipient opens the email and downloads the image (depending on security settings, the image may not be downloaded automatically), a read receipt email will be sent back to you. The read receipt email will have the recipient’s IP address and domain, date and time, and location – all the information you need to identify the anonymous sender.

So how does SpyPig work? What happens internally to generate this informative read receipt is very simple. When the recipient opens the email and the image is downloaded, an HTTP request is sent, and that request carries the client IP address. SpyPig then includes this information in an easy-to-read receipt email for you.
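The same mechanism seen from the recipient's side, as an added example (not SpyPig's code and not part of the original post): the script lists every image in an HTML message that would send an HTTP request, and with it the reader's IP address, to a remote host when the message is displayed. The sample message, its host names and the id value are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; hosts and the id value are made up for illustration.
SAMPLE_EMAIL = """\
From: sender@example.com
To: you@example.com
Subject: Test
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="https://tracker.example/open.gif?id=7f3a9c" width="1" height="1">
<img src="cid:logo@example.com" width="120" height="40">
<img src="https://static.example/banner.png" width="600" height="80">
</body></html>
"""

class ImgCollector(HTMLParser):
    # Collects the attributes of every <img> tag in an HTML body.
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def remote_images(raw_email):
    """Return one finding per <img> that triggers an HTTP request on display."""
    findings = []
    for part in message_from_string(raw_email, policy=default).walk():
        if part.get_content_type() != "text/html":
            continue
        parser = ImgCollector()
        parser.feed(part.get_content())
        for img in parser.images:
            url = urlsplit(img.get("src", ""))
            if url.scheme not in ("http", "https"):
                continue  # cid:/data: images are embedded; nothing is fetched
            tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
            findings.append({"host": url.hostname, "has_query": bool(url.query),
                             "tiny": tiny})
    return findings

if __name__ == "__main__":
    for finding in remote_images(SAMPLE_EMAIL):
        print(finding)
```

A 1x1 remote image whose URL carries a per-message identifier is the typical shape of a read-receipt beacon; a mail client that blocks remote images by default never sends the request.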

This same technique can be used for tracking emails. Suppose you received an anonymous email from user xyz.unknown@gmail.com. You suspect that your friend ‘Mike’ (whose personal email is MikeSmith@gmail.com) is the author of this email. Using SpyPig, send one email to the anonymous email address and another email to your friend. Be sure to use two different subject lines so you can later tell the returned emails apart. If both emails are opened and the read receipts contain the same IP address, you can conclude that both these email addresses are accessed from the same computer or router. You can then conclude that “Mike” was the one who sent you the anonymous email, meaning he might have a virus or might not be a good email friend.

What about homes using routers? The home router IP address is fairly static. I have a home router and I have had the same IP address for at least one week.

Curious to see what the read receipt looks like? See the sample below.

Remember, this method works only if the anonymous user opens his inbox.

Email Title: Test

Sent by You: Wednesday, May 12, 2010, 2:25:47 PM (GMT -5:00)

Opened by Recipient: Wednesday, May 12, 2010 3:12:54 PM (GMT -5:00)

Recipient Location: Houston, Texas, United States (May be inaccurate)

Recipient IP: 75.185.xxx.zzz – Houston.hfc.comcastbusiness.net

Recipient Browser: Internet Explorer 7.0 – possibly used within another application such as Outlook (Windows) (Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SU 3.28; InfoPath2; NET CLR 2.0.50727; NET CLR 3.0.4506.2152; NET CLR 3.5.30720; AskTB5.4; MSOffice12)) URL: [Information not available]

Written by tvictor

May 13th, 2010 at 9:45 am

One Response to 'Tracking Anonymous Emails with SpyPig'


  1. [...] This post was mentioned on Twitter by prodagio. prodagio said: Getting anonymous emails? Let us teach you how to be a SpyPig: http://bit.ly/dBRR5K [...]


© 1997 - 2010, Imagitek, Ltd. All Rights Reserved.