Most Innovative Company, South Africa, 2016, African Business Awards
Best Forensic Investigation Company, Africa, 2016, African Corporate Excellence Awards
Best in Security, Forensics & Investigations – 2016 – International Business Awards

How to send Untraceable Emails

What makes an email untraceable is not that it is impossible to trace at all, but rather that tracing it would cost too much money, time or effort to do. Most of the methods and tools we describe will provide adequate anonymity and protection against the recipient being able to identify or locate you. But be warned, your actions can still be monitored from elsewhere (like your ISP or network administrator) so don’t be an idiot.

Email Alias

At the simplest level you could set up email forwarding or email aliasing. This won’t fool many people because while your name and email address in the “from” field might be unrecognizable to the recipient, the email header would expose your originating IP address and domain, the email delivery route and as well as the main email address that your alias is linked to.

Here’s the email header from an email I sent my colleague from an alias I created. The parts highlighted in green show the bogus information but the parts highlighted in red would give me away.

Return-path: A N Onymous <>
Delivery-date: Wed, 12 Apr 2017 19:02:26 +0200
Received: from ([]
   by with esmtpa (Exim 4.80)
   (envelope-from <>)
   id 1cyLf0-0000JK-LZ; Wed, 12 Apr 2017 19:02:26 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
Date: Wed, 12 Apr 2017 19:02:26 +0200
From: A N Onymous <>
Subject: Guess =?UTF-8?Q?What=3F?=
Organization: Bogus Company Ltd
Message-ID: <>
User-Agent: InterMail
X-Virus-Scanned: Clear (ClamAV 0.99.2/23290/Wed Apr 12 14:48:39 2017)
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=UTF-8

Anonymous Account

An obvious solution to many of the pitfalls of the email alias method would simply be to create a brand new email address, e.g. a Gmail account, using bogus details.

Return-path: <>
Delivery-date: Fri, 14 Apr 2017 04:08:48 +0200
Received: from ([])
   by with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128)
   (Exim 4.80)
   (envelope-from <>)
   id 1cyqfD-0005lO-Fy
   for; Fri, 14 Apr 2017 04:08:48 +0200
Received: by with SMTP id r69so35305494vke.2
   for <>; Thu, 13 Apr 2017 19:08:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025;
X-Gm-Message-State: AN3rC/7/ugEMndhXdEcFsvjEZN7f5ge1DJXUkK90GCsVZ0UfBAXY2ghH
X-Received: by with SMTP id y65mr2552872vka.46.1492135717028; Thu,
   13 Apr 2017 19:08:37 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Thu, 13 Apr 2017 19:08:36 -0700 (PDT)
From: A N Onymous <>
Date: Fri, 14 Apr 2017 04:08:36 +0200
Message-ID: <>
Subject: Guess who?
Content-Type: multipart/alternative; boundary=001a114da8b25ec83f054d16ebc0
X-Virus-Scanned: Clear (ClamAV 0.99.2/23294/Thu Apr 13 22:53:07 2017)
X-Unfudged-Spam-Score: -1.6 (-)

Examining the header you could be forgiven for thinking that this email is anonymous. It doesn’t seem to show any data that could be traced back to me, and even my IP address has been removed from the header by Google (for privacy reasons). Don’t be fooled. This email is traceable. Our Cyber Investigation Team was able to link the “originating” IP address to my actual client IP address which pointed to my home DSL connection (below).

server logs

To get from that point to the point of identifying me took a single phone call. Granted, the ability to make those connections and trace such an email isn’t within the reach of most people. Not many people would go to the trouble (or expense) of trying unless you’ve been an idiot and used your Gmail account to commit a crime or harass someone.

Anonymous Emailer

Now things start to get trickier for anyone wanting to trace you. An anonymous emailer consists of a web form and a script that runs on a server. You’ll enter the from, to, subject and message into the web form and that will be submitted to the script which will compose an email (along with headers) that is then sent from the server to the recipient. If the owner of the server doesn’t keep logs that link your IP address to each email then anyone tracing that email will only get as far as identifying the server from which it was sent.

Return-path: <>
Delivery-date: Sun, 16 Apr 2017 04:08:45 +0200
Received: from ([])
  by with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
  (Exim 4.80)
  (envelope-from <>)
  id 1czZcG-0003qs-VG
  for; Sun, 16 Apr 2017 04:08:45 +0200
Received: from brettint by with local (Exim 4.88)
  (envelope-from <>)
  id 1czZc9-003eyX-Kv
  for; Sat, 15 Apr 2017 20:08:33 -0600
Subject: Guess who?
Message-ID: <>
Date: Sun, 16 Apr 2017 02:08:33 +0000
From: “A N Onymous” <>
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname –
X-AntiAbuse: Originator/Caller UID/GID – [1499 1500] / [47 12]
X-AntiAbuse: Sender Address Domain –
X-Virus-Scanned: Clear (ClamAV 0.99.2/23300/Sat Apr 15 22:55:19 2017)
X-Unfudged-Spam-Score: 3.3 (+++)

Here’s an anonymous emailer to test. Please be warned that all emails are logged (along with your actual IP address and other information). Please don’t be silly and use this mailer for any shady emails – its for educational purposes only.

The Origin

IP Address

Internet Cafe

Header Fudging

Proxies / VPNs

Mail Servers