Question about Geo-Location information when tracing email header.

Post your questions about tracing the source IP address of an email here.
New Member

Post by srpottershouse » Tue Aug 23, 2016 6:37 am

Hello. I have been receiving some emails from a sender who will not identify themselves because of the content they are sending me. They are using a "hotmail" account and I know that Microsoft blocks the original sending IP. When I paste the header into your email trace it does give me the IP address of the sender, which is Microsoft's servers. If I do a direct lookup of the IP address alone it will point to their servers in Redmond, Washington, but if I use the email tracing tool that analyzes the header it gives me a geo-location of Moreno Valley, California. Is there something it's looking at in the header that would give this location? I just want to verify that it may be incorrect, or is there more information in the header that would give this geo-location that other tools are missing? Here is the header to look at. Thanks.

Delivered-To: {removed}
Received: by with SMTP id k77csp1550858wmh;
Mon, 15 Aug 2016 10:44:56 -0700 (PDT)
X-Received: by with SMTP id u9mr23632034pab.113.1471283095900;
Mon, 15 Aug 2016 10:44:55 -0700 (PDT)
Return-Path: <{removed}>
Received: from ( [])
by with ESMTPS id pl3si27560338pac.22.2016.
(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Mon, 15 Aug 2016 10:44:55 -0700 (PDT)
Received-SPF: pass ( domain of {removed} designates as permitted sender) client-ip=;
spf=pass ( domain of {removed} designates as permitted sender) smtp.mailfrom={removed};
dmarc=pass (p=NONE dis=NONE)
Received: from ([]) by over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);
Mon, 15 Aug 2016 10:44:39 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;
s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
Received: from
( by
( with Microsoft SMTP Server (version=TLS1_0,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.567.7; Mon, 15 Aug
2016 17:44:27 +0000
Received: from ( by ( with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
15.1.577.8 via Frontend Transport; Mon, 15 Aug 2016 17:44:17 +0000
Received: from ([]) by ([]) with mapi id
15.01.0544.023; Mon, 15 Aug 2016 17:44:11 +0000
From: PH Insider <{removed}>
Subject: Fw: The Mitchells....
Thread-Topic: The Mitchells....
Thread-Index: AQHR9xyhE+VPBW/1xEexpFxN8QutZQ==
Date: Mon, 15 Aug 2016 17:44:11 +0000
Message-ID: <>
References: <>,<>,<>,<>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
authentication-results: spf=softfail (sender IP is;; dkim=none (message not signed)
header.d=none;; dmarc=fail action=none;
received-spf: SoftFail ( domain of transitioning discourages use of as permitted sender)
x-tmn: [Wn29la9yoPW5PSblac9HcPeHvEY3aKKt]
x-eopattributedmessage: 0
x-forefront-antispam-report: CIP:;IPV:NLI;CTRY:;EFV:NLI;SFV:NSPM;SFS:(10019020)(98900003);DIR:OUT;SFP:1102;SCL:1;SRVR:VE1EUR01HT041;;FPR:;SPF:None;LANG:en;
x-microsoft-exchange-diagnostics: 1;VE1EUR01HT041;5:79FFD60fdja1+P9dmhj+I4lyJVzGsJGf/pjeFQmRBZ+etcC/fqK3hFrCelxK2iPdcl33c/GmaTjYpUhSLosMceD/AxyCzzQFxZA/I0X6Fujcqi8O93VLol38zlg6BB43w/sy1xuk8L1W8XXBF6X27A==;24:MZMOwpCjz1YClEEiuXhFNRBUhCSMf6nCsSRkcLJB+dddaoAP1ol6jfxyaEi1NuF1mMp2bt2xv3jDTm//R1m34VT0MVQVB0AyJoR4a7+ZCC0=;7:Q5tuGEbq+Kbvu4BT4fh74KjamOCQ1OF+glKMNBv9oAMAmtlP9vUd/47dvuDLL2agVAg9j16jxRrqVIuaHEbGxN+72FnMwjDLCO3SyAVaW+rRwN54sQomdbLPmlq2yIEA17EmjCoBVf6PCaMdPYkhiieoNEylclRksszP/m5NShN/5CSi6TC39H+1EshulzUMc/Pu1c3mnx33jNkg8BewPTfI0kqiAFllxnvO/OIicsIjgIPTmvOGBHrI4v61/W9q
x-ms-office365-filtering-correlation-id: 99f6930b-542f-4472-4abe-08d3c533c47f
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(1601124038)(1601125047);SRVR:VE1EUR01HT041;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(432015012)(102415321)(82015046);SRVR:VE1EUR01HT041;BCL:0;PCL:0;RULEID:;SRVR:VE1EUR01HT041;
x-forefront-prvs: 0035B15214
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/mixed;
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Aug 2016 17:44:11.5677
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1EUR01HT041
Return-Path: {removed}
X-OriginalArrivalTime: 15 Aug 2016 17:44:39.0760 (UTC) FILETIME=[B2935500:01D1F71C]

Content-Type: multipart/alternative;

Content-Type: text/plain; charset="iso-8859-1"

Forum Administrator

Re: Question about Geo-Location information when tracing email header.

Post by Chrispcritters » Tue Aug 23, 2016 7:29 am

Unfortunately, Hotmail/Outlook emails no longer contain the sender's IP address. It will take a court order (subpoena) for them to reveal the IP address of their customer.
Founder & CEO of
You can follow me on Twitter and Facebook for some behind the scenes info.
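
An added illustration of the header trace discussed in this thread (not part of either post and not the site's own tool): it walks the Received chain oldest-first and returns the first hop whose sending address is not internal. The sample header, its host names and addresses, and the names `trace_hops` and `first_public_hop` are constructed for this example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: hypothetical host names, documentation-range public IP.
SAMPLE = """\
Received: from mail-out.provider.example (mail-out.provider.example [203.0.113.25])
\tby mx.recipient.example with ESMTPS id abc123;
\tMon, 15 Aug 2016 10:44:55 -0700 (PDT)
Received: from hub.provider.example (10.1.2.3) by
\tmail-out.provider.example (10.1.2.4) with SMTP id 15.1.567.7;
\tMon, 15 Aug 2016 17:44:27 +0000
Received: from mbx.provider.example ([10.1.2.5]) by hub.provider.example
\t([10.1.2.3]) with mapi id 15.01.0544.023; Mon, 15 Aug 2016 17:44:11 +0000
From: Sender <sender@provider.example>
Subject: constructed test message
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
# Address space that never identifies a host on the public Internet.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _safe(fn, arg):
    try:
        return fn(arg)
    except (ValueError, TypeError):               # malformed address or date
        return None

def trace_hops(raw):
    """Return the Received hops oldest-first: from_host, ip, public, time."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        route, _, stamp = flat.rpartition(";")    # timestamp follows last ';'
        sender = route.split(" by ", 1)[0]        # ignore the receiving side
        host = re.match(r"from (\S+)", sender)
        ip = IP_RE.search(sender)
        addr = _safe(ipaddress.ip_address, ip.group(1)) if ip else None
        hops.append({"from_host": host.group(1) if host else None,
                     "ip": str(addr) if addr else None,
                     "public": addr is not None and not any(addr in n for n in INTERNAL),
                     "time": _safe(parsedate_to_datetime, stamp.strip())})
    return hops

def first_public_hop(raw):
    """Oldest hop whose sending address is not internal, or None."""
    return next((h for h in trace_hops(raw) if h["public"]), None)
```

On the constructed sample, `first_public_hop(SAMPLE)` returns the provider's outbound relay: every older hop carries only internal addresses, so a geolocation lookup on the result describes the mail provider's infrastructure, not the person who wrote the message.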

