Examining email headers

Whether you're trying to figure out who really sent a piece of spam or checking where a piece of mail was delayed, the full headers of the email are the place to start. This page is set up with the idea of examining headers with a view to complaining about spam, but once you get used to seeing the headers you'll easily figure out how to check for other things as well. (If you don't know how to view the full headers with your mail reader, we have a help page describing the process for a number of common programs.)

Here is an example of the headers from a normal piece of email, going from Columbia University to Panix:

Received: from mhoro.cc.columbia.edu (mhoro.cc.columbia.edu [128.59.35.155]) by mail1.panix.com (8.7.5/8.7.1/PanixM1.0+) with ESMTP id MAA06371 for <vf@panix.com>; Tue, 10 Sep 1996 12:30:52 -0400 (EDT)
Received: from localhost (vcf1@localhost) by mhoro.cc.columbia.edu (8.7.5/8.7.3) with SMTP id MAA02420 for <vf@panix.com>; Tue, 10 Sep 1996 12:30:47 -0400 (EDT)
Date: Tue, 10 Sep 1996 12:30:47 -0400 (EDT)
From: Desdinova <vcf1@columbia.edu>
Sender: vcf1@columbia.edu
To: vf@panix.com
Subject: testing
Message-ID: <Pine.SUN.3.95L.960910123027.2330A-100000@mhoro.cc.columbia.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Note that the From, Sender, and Message-ID all agree that the email came from Columbia. However, all three are written by the sending software, not by any server you control, and any of them can be set to whatever the sender likes. A Message-ID is normally generated by the mail program or the first server, so spammers often neglect to make it match their other lies, but it is no harder to forge than the rest. Agreement among these headers is reassuring; on its own it proves nothing.

The ultimate authority is the Received headers. Each mail server that handles the message adds one at the top, so reading them from top to bottom walks the path backwards from your own server towards the sender. In this case, it went from localhost (the machine I was logged into at Columbia), which is actually mhoro.cc.columbia.edu, to mail1.panix.com (Panix's mail server). No other sites are mentioned; the message must have come from Columbia. One caveat: a sender can type fake Received lines into a message before handing it to the first real server, and they will appear below the genuine ones. Only the lines added by servers you trust (your own provider's, at the top) are certain. Work downwards, checking that each line's "by" host is the host the line above it says it received the message "from", and stop believing the chain at the first line where that does not hold; the last trustworthy "from" host is where the message really entered the mail system.

Now, a more difficult example:

Received: from deshaw.com (deshaw.com [149.77.1.1]) by mail2.panix.com (8.7.5/8.7.1/PanixM1.0) with ESMTP id RAA29949 for <xxxx@panix.com>; Wed, 28 Aug 1996 17:43:48 -0400 (EDT)
Received: from ip44.salisbury.dmv.com (ip44.salisbury.dmv.com [206.30.64.144]) by deshaw.com (8.6.13/8.7.Alpha.4/1.34.kim) with SMTP id QAA24503; Wed, 28 Aug 1996 16:46:12 -0400
Message-Id: <a99608282046.QAA24503@deshaw.com>
Comments: Authenticated sender is <denise@mail.pwrnet.com>
From: "Quantum Innovations(tm)" <q_innovations@deshaw.com>
To: q_innovations@deshaw.com
Date: Wed, 28 Aug 1996 16:32:05 +0000
Subject: QI's OnLine News(tm)
Reply-to: denise@pwrnet.com
X-mailer: Pegasus Mail for Windows (v2.10)

At first glance, it looks like there are two possible origins for this mail: pwrnet.com (Reply-To, Authenticated Sender) and deshaw.com (From, To, Message-ID). In fact, it probably came from neither. Note, in the Received lines, that deshaw.com was given the message by ip44.salisbury.dmv.com, a hostname that looks like a dial-up PPP connection. deshaw.com's own server wrote that line, and mail2.panix.com (ours) wrote the line above it confirming deshaw.com handed us the message, so the two lines hang together and the dmv.com address is the real point of entry.

So, the most likely case here is that the spammer has a PPP connection through dmv.com, and configured Pegasus Mail to send the message through deshaw's mail server. Complaints would go to dmv.com and perhaps pwrnet.com (the spammer may have a backup account there), with a heads-up to deshaw.com to let them know their server is being abused.
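The tracing procedure described above (start at the Received line added by your own server, walk downwards while each line's "by" host matches the "from" host of the line above, and compare what you find with the domains the From, Reply-To and Message-ID headers claim) is mechanical enough to script. The following Python is an added example written for this page, not part of Panix's help text or of any mail software; it uses the second example's headers as sample input, plus a constructed copy of that message with a fake Received line typed in below the genuine ones (the example.org hosts and the 192.0.2.10 address in that line are documentation names, not real relays). It assumes Sendmail-style "from HOST (REVERSE-DNS [IP]) by HOST" wording, which is what both examples on this page use, and it takes the trusted server suffix ("panix.com") as a parameter.

```python
import re
from email import message_from_string, utils

# The page's second example, headers only, folded as a mail reader shows them.
# Hostnames and addresses here are the page's, not constructed.
PAGE_EXAMPLE = """\
Received: from deshaw.com (deshaw.com [149.77.1.1]) by mail2.panix.com
 (8.7.5/8.7.1/PanixM1.0) with ESMTP id RAA29949 for <xxxx@panix.com>;
 Wed, 28 Aug 1996 17:43:48 -0400 (EDT)
Received: from ip44.salisbury.dmv.com (ip44.salisbury.dmv.com [206.30.64.144])
 by deshaw.com (8.6.13/8.7.Alpha.4/1.34.kim) with SMTP id QAA24503;
 Wed, 28 Aug 1996 16:46:12 -0400
Message-Id: <a99608282046.QAA24503@deshaw.com>
Comments: Authenticated sender is <denise@mail.pwrnet.com>
From: "Quantum Innovations(tm)" <q_innovations@deshaw.com>
To: q_innovations@deshaw.com
Date: Wed, 28 Aug 1996 16:32:05 +0000
Subject: QI's OnLine News(tm)
Reply-to: denise@pwrnet.com
X-mailer: Pegasus Mail for Windows (v2.10)
"""

# Constructed forgery: the same message with a bogus Received line the sender
# typed in below the genuine hops.  example.org / 192.0.2.10 are documentation
# names, not real relays.
FORGED_EXAMPLE = PAGE_EXAMPLE.replace(
    "Message-Id:",
    "Received: from mailhost.example.org (mailhost.example.org [192.0.2.10])\n"
    " by smtp.example.org with SMTP id ABC123; Wed, 28 Aug 1996 16:40:00 -0400\n"
    "Message-Id:",
)

# Sendmail-style clause:  from <host> (<reverse-dns> [<ip>]) by <host> ...
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<from>[^\s(;]+)(?:\s*\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>[^\s(;]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_headers):
    """Return one dict per Received: line, most recent relay (top of header) first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())           # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:                                 # unparseable: keep it, trust nothing
            hops.append({"raw": flat, "from": None, "ip": None, "by": None})
            continue
        ip = IP_RE.search(m.group("comment") or "")
        hops.append({"raw": flat, "from": m.group("from").lower(),
                     "ip": ip.group(1) if ip else None, "by": m.group("by").lower()})
    return hops


def same_host(a, b):
    """Loose match: identical, or one is a subdomain of the other (mail.x.com vs x.com)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def trace_origin(raw_headers, trusted_suffix):
    """Walk the Received chain from our own server (trusted_suffix) downwards.

    Stops at the first line whose 'by' host is not the previous line's 'from'
    host: that line and everything below it may have been written by the sender.
    """
    hops = parse_received(raw_headers)
    if not hops or not hops[0]["by"] or not hops[0]["by"].endswith(trusted_suffix):
        return {"origin": None, "verified": [],
                "warnings": ["top Received line was not added by a trusted server"]}
    verified, warnings = [hops[0]], []
    for prev, cur in zip(hops, hops[1:]):
        if not prev["from"] or not cur["by"] or not same_host(prev["from"], cur["by"]):
            warnings.append(f"chain breaks below {prev['from']}: next line says 'by {cur['by']}'")
            break
        verified.append(cur)
    origin = verified[-1]
    return {"origin": (origin["from"], origin["ip"]), "verified": verified, "warnings": warnings}


def claimed_domains(raw_headers):
    """Domains the sender-controlled headers claim; compare with trace_origin()."""
    msg = message_from_string(raw_headers)
    claims = {}
    for name in ("From", "Sender", "Reply-To"):
        addr = utils.parseaddr(msg.get(name, ""))[1]
        if "@" in addr:
            claims[name] = addr.rsplit("@", 1)[1].lower()
    mid = msg.get("Message-ID", "")
    if "@" in mid:
        claims["Message-ID"] = mid.strip("<> ").rsplit("@", 1)[1].lower()
    return claims


if __name__ == "__main__":
    for label, raw in (("page example", PAGE_EXAMPLE), ("forged example", FORGED_EXAMPLE)):
        result = trace_origin(raw, "panix.com")
        print(label, "-> origin:", result["origin"], "claims:", claimed_domains(raw))
        for w in result["warnings"]:
            print("  WARNING:", w)
```

For the page's example the script reports the origin as ip44.salisbury.dmv.com [206.30.64.144] while the claimed domains are deshaw.com and pwrnet.com, which is exactly the mismatch the text above points out. For the constructed forgery the origin is the same, and the script warns that the chain breaks below the dmv.com line, so the extra Received line claiming an example.org relay is ignored rather than sending a complaint to the wrong site. Real headers vary more than this regular expression allows for (qmail, Exim and Postfix all word their Received lines differently), so treat an unparseable line as a reason to read the headers by hand, not as proof of anything.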



Last Modified:Wednesday, 30-Jan-2013 12:14:10 EST
© Copyright 2006-2011 Public Access Networks Corporation