An email is made up of two parts: the header and the body. The complete headers are useful when trying to figure out where a spam or virus email came from: they contain information on the sender, as well as the servers through which the email travelled.
The header is made up of a number of lines, from the first line up to the first blank line. Everything after the first blank line is the body, i.e. the actual message.

The format is:

 <Header name>: <value>

Without the ‘<’ and ‘>’ signs. Each header starts at the beginning of a line; a long header may be folded over several lines, and the continuation lines then start with whitespace (as in the Received: headers below).

Read Headers

Example:

 Return-Path: <abuse@example.com>
 Delivered-To: info@example.org
 Received: (qmail 11690 invoked by uid 0); 23 Jun 2006 12:57:33 -0000
 Received: from smtp-vbr2.xs4all.nl (194.109.24.22)
 by net3-nl-mail-07.ad.vevida.net with SMTP; 23 Jun 2006 12:57:33 -0000
 Received: from [192.168.42.191] (kantoor.example.com [82.93.xx.xxx])
 by smtp-vbr2.xs4all.nl (8.13.6/8.13.6) with ESMTP id k5NCvXNK094019
 for <info@example.org>; Fri, 23 Jun 2006 14:57:33 +0200 (CEST)
 (envelope-from abuse@example.com)
 Message-ID: <449BE537.60909@example.com>
 Date: Fri, 23 Jun 2006 14:57:27 +0200
 From: Abusedesk VEVIDA Services BV <abuse@example.com>
 Organization: VEVIDA Services BV
 User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
 MIME-Version: 1.0
 To: info@example.org
 Subject: test voorbeeld
 Content-Type: text/plain; charset=ISO-8859-15; format=flowed
 Content-Transfer-Encoding: 7bit
 X-Virus-Scanned: by XS4ALL Virus Scanner
 X-Spam-Status: No, hits=0.0 required=5.0, tests=none, version=3.0.2

From this, we can infer that info@example.org is the receiver (To:) and Abusedesk VEVIDA Services BV <abuse@example.com> is the sender (From:).
The subject (Subject:) is test voorbeeld (Dutch for “test example”) and the email was sent at 14:57:27 (+0200). But there’s more:

 Received: from [192.168.42.191] (kantoor.example.com [82.93.xx.xxx])
 by smtp-vbr2.xs4all.nl (8.13.6/8.13.6) with ESMTP id k5NCvXNK094019
 for <info@example.org>; Fri, 23 Jun 2006 14:57:33 +0200 (CEST)
 (envelope-from abuse@example.com)

From this header, we can infer that the machine with the internal IP address 192.168.42.191, connecting from kantoor.example.com [82.93.xx.xxx], handed the email to smtp-vbr2.xs4all.nl. The envelope-from (the sender address given in the SMTP envelope) is abuse@example.com.

 Received: from smtp-vbr2.xs4all.nl (194.109.24.22)
 by net3-nl-mail-07.ad.vevida.net with SMTP; 23 Jun 2006 12:57:33 -0000

The server smtp-vbr2.xs4all.nl then forwards the email to net3-nl-mail-07.ad.vevida.net. This occurs at 12:57:33 -0000 (i.e. 14:57:33 +0200).

 Delivered-To: info@example.org
 Received: (qmail 11690 invoked by uid 0); 23 Jun 2006 12:57:33 -0000

Finally, qmail picks the email up and delivers it to the mailbox info@example.org.

As seen in this example, Received: headers are read from bottom to top in order to follow the route from its source to its destination. Each server adds its own Received: header at the top, so the headers added by a sender can be forged: only believe the headers from a trusted server downwards, and treat everything below the last trusted server with suspicion.
Example:

 Received: (qmail 11345 invoked by uid 0); 22 Jun 2006 17:51:51 -0000
 Received: from net2-nl-mail-09.ad.vevida.net (HELO net2-nl-mail-09.vevida.net) (80.84.240.248)
 by net3-nl-mail-12.ad.vevida.net with SMTP; 22 Jun 2006 17:51:51 -0000
 Received: from lpzxiua (unknown [80.239.120.94])
 by net2-nl-mail-09.vevida.net (Postfix) with SMTP id 72824D5364
 for <hostmaster@example.com>; Thu, 22 Jun 2006 19:51:48 +0200 (CEST)
 Received: from jrttm.ndeox ([80.239.139.118])
 by lpzxiua (8.13.2/8.13.2) with SMTP id k5MHs4sU070395;
 Thu, 22 Jun 2006 19:54:04 +0200

This bottom ‘Received:’ header has been falsified, probably by spamware.

 Received: from jrttm.ndeox ([80.239.139.118])
 by lpzxiua (8.13.2/8.13.2) with SMTP id k5MHs4sU070395;
 Thu, 22 Jun 2006 19:54:04 +0200

According to this header, the PC/server with IP address 80.239.139.118 is called jrttm.ndeox. There are two things wrong with this picture:

  • jrttm.ndeox is not a valid host name
  • A reverse DNS lookup shows that the host at this address is actually called bondageseile.de:
 $ host 80.239.139.118
 118.139.239.80.in-addr.arpa is an alias for 118.0-25.139.239.80.in-addr.arpa.
 118.0-25.139.239.80.in-addr.arpa domain name pointer bondageseile.de.

The last mail server that can still be trusted is net2-nl-mail-09.vevida.net, and the Received: header it added says the email came from [80.239.120.94]. Therefore, the actual sending PC must be [80.239.120.94]; the header below it was written by that PC and cannot be believed.
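The rule from the two sections above (believe the Received: headers of your own servers, distrust everything below the last trusted hop) is easy to automate. The following Python script is an added example, not part of the original article: it unfolds the headers of the forged-hop example, parses the from/by/IP fields of each Received: header, and walks the chain from the delivery side down until a trusted server records a hop from an outside host. The set of trusted server names is an assumption for this example.

```python
import re

# Input: the Received: headers from the forged-hop example above (continuation lines folded).
RAW_HEADERS = """\
Received: (qmail 11345 invoked by uid 0); 22 Jun 2006 17:51:51 -0000
Received: from net2-nl-mail-09.ad.vevida.net (HELO net2-nl-mail-09.vevida.net) (80.84.240.248)
 by net3-nl-mail-12.ad.vevida.net with SMTP; 22 Jun 2006 17:51:51 -0000
Received: from lpzxiua (unknown [80.239.120.94])
 by net2-nl-mail-09.vevida.net (Postfix) with SMTP id 72824D5364
 for <hostmaster@example.com>; Thu, 22 Jun 2006 19:51:48 +0200 (CEST)
Received: from jrttm.ndeox ([80.239.139.118])
 by lpzxiua (8.13.2/8.13.2) with SMTP id k5MHs4sU070395;
 Thu, 22 Jun 2006 19:54:04 +0200
"""

# Assumption: internal (.ad.) and public names of the mail servers we operate and trust.
TRUSTED = {"net3-nl-mail-12.ad.vevida.net",
           "net2-nl-mail-09.ad.vevida.net", "net2-nl-mail-09.vevida.net"}

def unfold(raw):
    """Join folded continuation lines (starting with whitespace) onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """Return one dict per Received: header, in header order (top = last hop, bottom = first)."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m_from = re.search(r"\bfrom\s+(\S+)", line)
        if not m_from:  # local delivery hop, e.g. "(qmail ... invoked by uid 0)": no remote host
            hops.append({"from": None, "by": None, "ip": None})
            continue
        m_by = re.search(r"\bby\s+(\S+)", line)
        m_ip = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", line)
        hops.append({"from": m_from.group(1), "by": m_by.group(1) if m_by else None,
                     "ip": m_ip.group(1) if m_ip else None})
    return hops

def analyse(raw, trusted):
    """Walk top to bottom. The first hop recorded BY a trusted server FROM a host that is not
    ours names the real sending machine; every hop below it was written by that machine."""
    hops = parse_received(raw)
    for i, hop in enumerate(hops):
        if hop["by"] in trusted and hop["from"] not in trusted:
            return hop["ip"], hops[i + 1:]   # (origin IP, hops that cannot be trusted)
    return None, hops
```

Running `analyse(RAW_HEADERS, TRUSTED)` yields 80.239.120.94 as the origin and flags the jrttm.ndeox hop as untrusted, matching the manual analysis above.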

Client programs like abuse! and SamSpade (and also services such as Spamcop) can help parse (interpret and read through) headers and offer options for finding the correct abuse addresses to report to.

How can I view the headers?

Each email program has its own solution for this. The list below gives the relevant information for some common email programs.

Outlook

  • Open an email, then click on Options in the View menu.
    Often you can edit a registry key so that the popup window shows the entire email, not just the headers.

Mozilla Mail, Thunderbird

  • Use the ctrl-u hotkey combination to display a new screen with all headers plus the message itself.

Netscape

  • Open the email.
  • Use the ctrl-u hotkey combination (for Windows) or alt-v (for Linux) to display a new screen with all headers and the message itself.

Outlook Express

  • Click on Properties in the File menu.
  • Click on the Details tab and then on Internet headers (Message source).
  • Or press the F3 hotkey for the same result.

Please Note

You can use ‘select all’ (usually: control-a) to select the entire email, including headers and body, and the control-c hotkey combination to copy the entire email. You can then paste it in a new email (usually: control-v).
