What makes an email untraceable is not that it is impossible to trace at all, but rather that tracing it would cost too much money, time or effort to do. Most of the methods and tools we describe will provide adequate anonymity and protection against the recipient being able to identify or locate you. But be warned, your actions can still be monitored from elsewhere (like your ISP or network administrator) so don’t be an idiot.
At the simplest level you could set up email forwarding or email aliasing. This won’t fool many people because while your name and email address in the “from” field might be unrecognizable to the recipient, the email header would expose your originating IP address and domain, the email delivery route and as well as the main email address that your alias is linked to.
Here’s the email header from an email I sent my colleague from an alias I created. The parts highlighted in green show the bogus information but the parts highlighted in red would give me away.
Delivery-date: Wed, 12 Apr 2017 19:02:26 +0200
Received: from roundcubeweb3.jnb1.host-h.net ([184.108.40.206] helo=InterMail.cpt.host-h.net)
by dedi951.jnb1.host-h.net with esmtpa (Exim 4.80)
id 1cyLf0-0000JK-LZ; Wed, 12 Apr 2017 19:02:26 +0200
Date: Wed, 12 Apr 2017 19:02:26 +0200
From: A N Onymous <firstname.lastname@example.org>
Subject: Guess =?UTF-8?Q?What=3F?=
Organization: Bogus Company Ltd
X-Virus-Scanned: Clear (ClamAV 0.99.2/23290/Wed Apr 12 14:48:39 2017)
Content-Type: text/plain; charset=UTF-8
An obvious solution to many of the pitfalls of the email alias method would simply be to create a brand new email address, e.g. a Gmail account, using bogus details.
Delivery-date: Fri, 14 Apr 2017 04:08:48 +0200
Received: from mail-vk0-f43.google.com ([220.127.116.11])
by dedi951.jnb1.host-h.net with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128)
for email@example.com; Fri, 14 Apr 2017 04:08:48 +0200
Received: by mail-vk0-f43.google.com with SMTP id r69so35305494vke.2
for <firstname.lastname@example.org>; Thu, 13 Apr 2017 19:08:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
X-Received: by 10.31.75.68 with SMTP id y65mr2552872vka.46.1492135717028; Thu,
13 Apr 2017 19:08:37 -0700 (PDT)
Received: by 10.176.74.91 with HTTP; Thu, 13 Apr 2017 19:08:36 -0700 (PDT)
From: A N Onymous <email@example.com>
Date: Fri, 14 Apr 2017 04:08:36 +0200
Subject: Guess who?
Content-Type: multipart/alternative; boundary=001a114da8b25ec83f054d16ebc0
X-Virus-Scanned: Clear (ClamAV 0.99.2/23294/Thu Apr 13 22:53:07 2017)
X-Unfudged-Spam-Score: -1.6 (-)
Examining the header you could be forgiven for thinking that this email is anonymous. It doesn’t seem to show any data that could be traced back to me, and even my IP address has been removed from the header by Google (for privacy reasons). Don’t be fooled. This email is traceable. Our Cyber Investigation Team was able to link the “originating” IP address 10.176.74.91 to my actual client IP address which pointed to my home DSL connection (below).
To get from that point to the point of identifying me took a single phone call. Granted, the ability to make those connections and trace such an email isn’t within the reach of most people. Not many people would go to the trouble (or expense) of trying unless you’ve been an idiot and used your Gmail account to commit a crime or harass someone.
Now things start to get trickier for anyone wanting to trace you. An anonymous emailer consists of a web form and a script that runs on a server. You’ll enter the from, to, subject and message into the web form and that will be submitted to the script which will compose an email (along with headers) that is then sent from the server to the recipient. If the owner of the server doesn’t keep logs that link your IP address to each email then anyone tracing that email will only get as far as identifying the server from which it was sent.
Delivery-date: Sun, 16 Apr 2017 04:08:45 +0200
Received: from bitsy.mit.edu ([18.104.22.168])
by dedi951.jnb1.host-h.net with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
for firstname.lastname@example.org; Sun, 16 Apr 2017 04:08:45 +0200
Received: from brettint by bitsy.mit.edu with local (Exim 4.88)
for email@example.com; Sat, 15 Apr 2017 20:08:33 -0600
Subject: Guess who?
Date: Sun, 16 Apr 2017 02:08:33 +0000
From: “A N Onymous” <firstname.lastname@example.org>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – bitsy.mit.edu
X-AntiAbuse: Originator/Caller UID/GID – [1499 1500] / [47 12]
X-AntiAbuse: Sender Address Domain – mail.com
X-Virus-Scanned: Clear (ClamAV 0.99.2/23300/Sat Apr 15 22:55:19 2017)
X-Unfudged-Spam-Score: 3.3 (+++)
Here’s an anonymous emailer to test. Please be warned that all emails are logged (along with your actual IP address and other information). Please don’t be silly and use this mailer for any shady emails – its for educational purposes only.