What step comes after collecting the IP address of the sender from the email header?

Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

After collecting the IP address of the sender from the email header, the next logical step is to search the IP in WHOIS. This process involves querying a WHOIS database to obtain detailed registration information about the IP address in question. This information can reveal important insights, such as the organization to which the IP is registered, as well as the geographic location of the IP address.

Tracing the header provides the necessary details for understanding the origin of the email, but it is the subsequent search in WHOIS that allows for further investigation and helps in identifying potential threats, especially in cases of phishing or spam. It's crucial in incident handling to establish the context and relevance of the source of communication.

Options such as notifying the sender or deleting the email might seem tempting, but they do not aid in furthering the investigation or understanding the nature of the threat, which is the primary concern after identifying the sender's IP address.
