Emails are made up of two parts: the header and the body. The complete headers are useful when trying to figure out where a spam or virus email came from. They contain information about the sender, as well as the channels through which the email arrived.
The header is made up of a number of lines, from the first line to the first blank line. Everything after the first blank line is the body, i.e. the actual message.
The format is:
Without the ‘<’ and ‘>’ signs.
Return-Path: <email@example.com>
Delivered-To: firstname.lastname@example.org
Received: (qmail 11690 invoked by uid 0); 23 Jun 2006 12:57:33 -0000
Received: from smtp-vbr2.xs4all.nl (126.96.36.199)
    by net3-nl-mail-07.ad.vevida.net with SMTP; 23 Jun 2006 12:57:33 -0000
Received: from [192.168.42.191] (kantoor.example.com [82.93.xx.xxx])
    by smtp-vbr2.xs4all.nl (8.13.6/8.13.6) with ESMTP id k5NCvXNK094019
    for <email@example.com>; Fri, 23 Jun 2006 14:57:33 +0200 (CEST)
    (envelope-from firstname.lastname@example.org)
Message-ID: <449BE537.email@example.com>
Date: Fri, 23 Jun 2006 14:57:27 +0200
From: Abusedesk VEVIDA Services BV <firstname.lastname@example.org>
Organization: VEVIDA Services BV
User-Agent: Thunderbird 188.8.131.52 (Windows/20060516)
MIME-Version: 1.0
To: email@example.com
Subject: test voorbeeld
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by XS4ALL Virus Scanner
X-Spam-Status: No, hits=0.0 required=5.0, tests=none, version=3.0.2
From this, we can infer that firstname.lastname@example.org is the receiver (To:) and Abusedesk VEVIDA Services BV is the sender (From:).
The subject (Subject:) is test voorbeeld (test example) and the email was sent at 14:57:27. But there’s more:
Received: from [192.168.42.191] (kantoor.example.com [82.93.xx.xxx])
    by smtp-vbr2.xs4all.nl (8.13.6/8.13.6) with ESMTP id k5NCvXNK094019
    for <email@example.com>; Fri, 23 Jun 2006 14:57:33 +0200 (CEST)
    (envelope-from firstname.lastname@example.org)
From this header, we can infer that [192.168.42.191] (an internal IP address) sent the email via kantoor.example.com [82.93.xx.xxx] using smtp-vbr2.xs4all.nl. The envelope-from is email@example.com.
Received: from smtp-vbr2.xs4all.nl (184.108.40.206)
    by net3-nl-mail-07.ad.vevida.net with SMTP; 23 Jun 2006 12:57:33 -0000
The server (smtp-vbr2.xs4all.nl) forwards the email to net3-nl-mail-07.ad.vevida.net. This occurs at time 12:57:33 -0000 (14:57:33 +0200).
Received: (qmail 11690 invoked by uid 0); 23 Jun 2006 12:57:33 -0000
Qmail picks the email up and delivers it to box firstname.lastname@example.org.
As this example shows, Received: headers are read from bottom to top to follow the email's route from its source. Do this starting from a trusted server.
Received: (qmail 11345 invoked by uid 0); 22 Jun 2006 17:51:51 -0000
Received: from net2-nl-mail-09.ad.vevida.net (HELO net2-nl-mail-09.vevida.net) (220.127.116.11)
    by net3-nl-mail-12.ad.vevida.net with SMTP; 22 Jun 2006 17:51:51 -0000
Received: from lpzxiua (unknown [18.104.22.168])
    by net2-nl-mail-09.vevida.net (Postfix) with SMTP id 72824D5364
    for <email@example.com>; Thu, 22 Jun 2006 19:51:48 +0200 (CEST)
Received: from jrttm.ndeox ([22.214.171.124])
    by lpzxiua (8.13.2/8.13.2) with SMTP id k5MHs4sU070395;
    Thu, 22 Jun 2006 19:54:04 +0200
This bottom ‘Received:’ header has been falsified, probably by spamware.
Received: from jrttm.ndeox ([126.96.36.199])
    by lpzxiua (8.13.2/8.13.2) with SMTP id k5MHs4sU070395;
    Thu, 22 Jun 2006 19:54:04 +0200
The PC/server with IP address 188.8.131.52 is called jrttm.ndeox. There are two things wrong with this picture:
- jrttm.ndeox is not a valid host name
- The server is called bondageseile.de:
  $ host 184.108.40.206
  220.127.116.11.in-addr.arpa is an alias for 118.0-18.104.22.168.in-addr.arpa.
  118.0-22.214.171.124.in-addr.arpa domain name pointer bondageseile.de.
The mail server which can still be trusted is net2-nl-mail-09.vevida.net. Therefore, the actual sending PC must be: [126.96.36.199].
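The same walk can be scripted. This is an added example, not part of the original article: it reads the Received: lines from the top, relies only on lines written by relays you operate, and reports the first outside sender that a trusted relay recorded. The host names, IP addresses and the TRUSTED table are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample modelled on the spam example (documentation IPs, example hosts).
RAW = """\
Received: (qmail 11345 invoked by uid 0); 22 Jun 2006 17:51:51 -0000
Received: from mx1.example.net (HELO mx1.example.net) (198.51.100.9)
    by mx2.example.net with SMTP; 22 Jun 2006 17:51:51 -0000
Received: from lpzxiua (unknown [203.0.113.118])
    by mx1.example.net (Postfix) with SMTP id 72824D5364
    for <user@example.org>; Thu, 22 Jun 2006 19:51:48 +0200 (CEST)
Received: from jrttm.ndeox ([192.0.2.77])
    by lpzxiua (8.13.2/8.13.2) with SMTP id k5MHs4sU070395;
    Thu, 22 Jun 2006 19:54:04 +0200
Subject: constructed sample

body
"""

# Assumption: relays we operate ourselves, with the addresses they connect from.
TRUSTED = {"mx1.example.net": "198.51.100.9", "mx2.example.net": "198.51.100.10"}

HOP = re.compile(r"from (\S+)(.*?)\sby (\S+)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_hop(value):
    """Return claimed name, recorded IP and recording server of one Received: value."""
    m = HOP.search(" ".join(value.split()))      # unfold continuation lines first
    if not m:
        return None                              # local hand-off such as the qmail line
    ips = IPV4.findall(m.group(2))
    return {"claimed": m.group(1), "ip": ips[-1] if ips else None, "by": m.group(3)}

def trace(raw, trusted=TRUSTED):
    """Walk down from our own server; return (last verifiable hop, unverifiable hops)."""
    received = message_from_string(raw).get_all("Received", [])
    hops = [h for h in map(parse_hop, received) if h]
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted:
            return None, hops[i:]                # not written by us: nothing to rely on
        if hop["ip"] not in trusted.values():
            return hop, hops[i + 1:]             # first outside sender; rest is its claim
    return None, []

if __name__ == "__main__":
    origin, unverified = trace(RAW)
    print("sending host:", origin["ip"], "claimed name:", origin["claimed"])
    for hop in unverified:
        print("unverifiable:", hop["claimed"], hop["ip"], "by", hop["by"])
```

The IP address in the last verifiable hop is the one to look up when searching for the abuse contact; the names and addresses in the unverifiable hops are only what the sender claimed.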
Client programs like abuse! and SamSpade (but also organizations/websites like Spamcop) can help parse (interpret, read through) headers and offer options to find the correct abuse addresses.
How can I view the headers?
Each email program has its own solution for this. The list below gives the relevant information for some common email programs.
- Open an email, click on Options in the View menu.
Often you can edit a registry key to view the entire email, not just the header, in the popup window.
Mozilla Mail, Thunderbird
- Use the ctrl-u hotkey combination to display a new screen with all headers plus the message itself.
- Open the email.
- Use the ctrl-u hotkey combination (for Windows) or alt-v (for Linux) to display a new screen with all headers and the message itself.
- Click on Properties in the File menu.
- Click on the Details tab and then on Internet headers (Message source)
- Or press the F3 hotkey for the same result.
You can use ‘select all’ (usually: control-a) to select the entire email, including headers and body, and the control-c hotkey combination to copy the entire email. You can then paste it in a new email (usually: control-v).