Analyzing e-mail headers and tracking e-mail
The complete headers provide much information on the origin of a message and are a useful tool for tracking and stopping SPAM and virus-laden e-mail. Most e-mail readers only show the To: and From: headers, which can be easily forged. The complete message headers will look something like this:
Your headers may look a little different from the ones above, but the information is similar, so you'll be able to at least get the gist of what I'm talking about today.
In particular, the header lines beginning with Received: provide a trace of the message from its origin to your mail server. In many cases with spam and virus e-mail, not all of the information in the "Received:" headers can be trusted, but it can still provide many valuable clues as to the message source.
The first step in the analysis process is to find the full e-mail headers. The method for doing so varies depending on your mail reader. See the instructions for opening headers in various e-mail clients and services such as Outlook, Hotmail, Yahoo and AOL.
What not to trust in mail headers
The above example is contrived, but illustrates several of the aspects of common forged e-mail headers. Of course, you may be lucky enough to have received a message from a verifiable source; if so, you will find some consistency to the results seen when analyzing the headers.
In the above example, the following headers are contrived by the sender's system:
To: My.Friends@pilot.msu.edu
The contents of the To: header can be arbitrary. There is no account "My.Friends" at MSU. The true recipients of a message are determined by the e-mail "envelope" address, which is not displayed in these headers.
From: Hot Summer Deals <email@example.com>
Likewise, the sender's name is arbitrary. There may or may not be an account named "hot_deals" at AOL, and the sender may not be the valid owner of the account if it does exist.
Analyzing the "Received:" headers
The most useful clues to a message's origin come from the headers that begin with Received:. Each mail server which handles an e-mail message adds a Received: header set to the front of the message; the first set is therefore added by your mail server. For this example, we're assuming you read e-mail delivered to MSU's Pilot e-mail system.
Let's start with the first header:
Received: from server.mymailhost.com (mail.mymailhost.com [220.127.116.11])
by pilot01.cl.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597;
Fri, 12 Jul 2002 16:11:20 -0400 (EDT)
The first line shows three important pieces:
Mail server IP address: 18.104.22.168
Mail server domain name: mail.mymailhost.com
Mail server identification: server.mymailhost.com
The second header gives more clues:
Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98])
by server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
In this header, the receiving mail server name (server.mymailhost.com) matches the name shown in the first header (so far so good). The first line of this header reveals the source:
Originating IP address: 127.34.56.98
Originating domain name: 127-34-56-98.dsl.mybigisp.com
Originating system identification: aol.com
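The following script is an added example, not part of the original article, that automates the checks walked through above: it parses each Received: header into the claimed sender name, the reverse-DNS name and IP recorded by the receiver, and the receiving server; confirms that each server's "by" name reappears as the "from" name in the header the next server added; flags a claimed name whose domain does not match the recorded reverse-DNS name (the "aol.com" versus mybigisp.com case); and checks that timestamps move forward toward the recipient. The sample message is constructed from the two Received: lines and the To:/From: lines quoted on this page; the function names (parse_hops, analyze, origin) and the "last two labels" domain comparison are my own choices, not anything from the Pilot system.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the two Received: headers quoted in the article plus the
# To:/From: lines, wrapped into a minimal raw message so the stdlib parser can
# read them. Only header values shown on the page are used.
SAMPLE_MESSAGE = (
    "Received: from server.mymailhost.com (mail.mymailhost.com [220.127.116.11])\n"
    "\tby pilot01.cl.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597;\n"
    "\tFri, 12 Jul 2002 16:11:20 -0400 (EDT)\n"
    "Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98])\n"
    "\tby server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT)\n"
    "To: My.Friends@pilot.msu.edu\n"
    "From: Hot Summer Deals <email@example.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# "from <claimed name> (<reverse DNS name> [<IP>]) ... by <receiving server>"
# The parenthesised part is optional; some servers omit the reverse-DNS name.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>[^\s;(]+)",
    re.DOTALL,
)


def registered_domain(name):
    """Crude 'last two labels' comparison (not a public-suffix lookup); enough to
    spot a claimed name that has nothing to do with the reverse-DNS name."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_hops(raw_message):
    """Return one dict per Received: header, top-most (nearest the recipient) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue  # e.g. a local-delivery line with no "from"; skip rather than guess
        date_part = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        try:
            when = parsedate_to_datetime(date_part)
        except (ValueError, TypeError):
            when = None
        hops.append({**m.groupdict(), "when": when})
    return hops


def analyze(raw_message):
    """Apply the article's consistency checks to the Received: chain and return
    (hops, findings). An empty findings list means the chain is internally
    consistent, not that the message is legitimate."""
    hops = parse_hops(raw_message)
    findings = []
    for i, hop in enumerate(hops):
        # 1. The name a sender announces ("from aol.com") is under the sender's
        #    control; the reverse-DNS name and IP in parentheses were recorded by
        #    the receiving server. Different domains in the two are a red flag.
        if hop["rdns"] and registered_domain(hop["helo"]) != registered_domain(hop["rdns"]):
            findings.append(
                f"hop {i}: claimed name {hop['helo']} does not match reverse DNS "
                f"{hop['rdns']} [{hop['ip']}]"
            )
        if i == 0:
            continue
        prev = hops[i - 1]
        # 2. Each server's "by" name should reappear as the "from" name in the
        #    header added by the next server up the chain.
        if hop["by"].lower() != prev["helo"].lower():
            findings.append(
                f"hop {i}: received by {hop['by']} but hop {i - 1} says it came from {prev['helo']}"
            )
        # 3. Time should move forward toward the recipient (lower hops are older).
        #    Reversed timestamps mean clock skew at best, fabricated headers at worst.
        if hop["when"] and prev["when"] and hop["when"] > prev["when"]:
            findings.append(f"hop {i} is timestamped after hop {i - 1}")
    return hops, findings


def origin(hops):
    """The bottom-most parsable hop: the earliest handoff recorded by a server
    outside the sender's control, and the best available answer to 'where did
    this message come from'."""
    return hops[-1] if hops else None


if __name__ == "__main__":
    hops, findings = analyze(SAMPLE_MESSAGE)
    for i, h in enumerate(hops):
        print(i, h["helo"], h["rdns"], h["ip"], "->", h["by"], h["when"])
    for f in findings:
        print("!", f)
```

On the sample, the chain is consistent (server.mymailhost.com appears as both "by" in the second header and "from" in the first) and the timestamps advance by 102 seconds, but the script flags the second hop because the announced name aol.com does not match the recorded reverse-DNS name in mybigisp.com, which is exactly the clue the article points to.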