OverviewThis document will give an overview of what e-mail headers are and what they do. It will also give some hints on what to look out for if you suspect false e-mail addresses.
Analyzing full e-mail headers
The complete headers provide much information on the origin of a message and are a useful tool for tracking and stopping SPAM and virus-laden e-mail. Most e-mail readers only show the To: and From: headers, which can be easily forged. The complete message headers will look something like this:
Return-Path: [email@example.com] Received: from server.mymailhost.com (mail.mymailhost.com [18.104.22.168]) by sys01.mail.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597; Fri, 12 Jul 2002 16:11:20 -0400 (EDT) Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98]) by server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT) Date: Fri, 12 Jul 2002 13:09:38 -0700 (PDT) From: Hot Summer Deals [firstname.lastname@example.org] To: My.Friends@pilot.msu.edu Subject: Just what you've been waiting for!!
In particular, the header lines beginning with Received: provide a trace of the message from its origin to your mail server. In many cases with spam and virus e-mail, not all of the information in the "Received:" headers can be trusted, but it can still provide many valuable clues as to the message source.
The first step in the analysis process is to find the full e-mail headers. The method for doing so varies depending on your mail reader. Refer to Mail.msu.edu: Finding full e-mail headers for reporting abuse issues for information on how to find full headers with your compatible e-mail client.
What not to trust in mail headers
The above example is contrived, but illustrates several of the aspects of common forged e-mail headers. Of course, you may be lucky enough to have received a message from a verifiable source; if so, you will find some consistency to the results seen when analyzing the headers.In the above example, the following headers are contrived by the sender's system:
The contents of the To: header can be arbitrary. There is no account "My.Friends" at MSU. Additionally, "pilot.msu.edu" (the old MSU e-mail server) is no longer in service.
The true recipients of a message are determined by the e-mail "envelope" address, which is not displayed in these headers.
From: Hot Summer Deals [email@example.com]
Likewise, the sender's name is arbitrary. There may or may not be an account named "hot_deals" at AOL, and the sender may not be the valid owner of the account if it does exist.
Analyzing the "Received:" headers
The most useful clues to a message's origin come from the headers that begin with Received:. Each mail server which handles an e-mail message adds a Received: header set to the front of the message; the first set is therefore added by your mail server. For this example, we're assuming you read e-mail delivered to MSU's Mail.msu.edu e-mail system.Let's start with the first header:
Received: from server.mymailhost.com (mail.mymailhost.com [22.214.171.124]) by sys01.mail.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597; Fri, 12 Jul 2002 16:11:20 -0400 (EDT)
In this header, you see that the message was received by a mail.msu.edu mail server (sys01.mail.msu.edu); the remainder of this line contains version information and the message id assigned by the mail server. The time stamp shows when the message was delivered to mail.msu.edu.
The first line shows three important pieces:
Mail server IP address: 126.96.36.199 -This is the Internet IP address from which mail.msu.edu received the message. Mail server domain name: mail.mymailhost.com -This is the domain name (DNS name) which matches the above IP address. Mail server identification: server.mymailhost.com -This is what the server claimed its name to be. This may or may not agree with the domain name; a mail server may have more than one identity.
The second header gives more clues:
Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98]) by server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
In this header, the receiving mail server name (server.mymailhost.com) matches the name shown in the first header (so far so good). The first line of this header reveals the source:
Originating IP address: 127.34.56.98 -This is the Internet IP address from which the remote mail server received the message. Originating domain name: 127-34-56-98.dsl.mybigisp.com -This is the domain name (DNS name) which matches the above IP address. This reveals that the IP address may be owned by an organization known as "mybigisp.com". This would appear to be a high-speed DSL subscriber to mybigisp.com, but only that organization can tell you for certain. Originating system identification: aol.com -This is what the originator claimed its name to be. In this case, the sender is claiming to be "aol.com", but the source IP address and domain name do not fit.
From these headers, the most reliable identification of the message source is the sender's IP address, 127.34.56.98. A number of tools are available for verifying the owner of an IP address. The authoritative reference for IP addresses is the American Registry of Internet Numbers. Using ARIN's "Search WHOIS" tool, you can find the identification of the IP address owner. In most instances, a message to "abuse@organization" will do the trick; be sure to include the message with its complete headers.
Note that there may be additional Received: headers that were generated by the originator of the "spam" e-mail (or by a mail virus). In general, you can only trust the "Received:" headers as far as you can verify them. If you are uncertain about their authenticity, you should go with the last one which is verifiable.
Computer System and Network Abuse at Michigan State University
Browse to http://abuse.msu.edu to learn more about network abuse issues at Michigan State University.