Exposing mail headers

What we’re doing on this page: Exposing the (usually invisible) parts of the e-mail message that tell where it came from and how it traveled to us. You need to do this in order to be able to file any useful sort of spam report.

The very first thing to do in analyzing a spam message is to figure out where it came from (i.e., from which internet providers’ facilities it was sent to us). This information is locked inside the mail header of the message, so we’ll have to figure out how to open and read this header.

Pretty much all internet e-mail messages are structured according to the standard for Internet Message Bodies, which is defined in the IETF standard RFC-2822. This standard requires all messages to have at least a rudimentary header (a block of structured text data that appears at the top of the e-mail packet, just before the body). The header contains a variety of information that is normally of no interest to the sender or the recipient. For this reason, most e-mail programs hide this information by default (except for the familiar To:, From:, Subject:, Date:, and (if any) cc: fields).

Every good e-mail program should have a command (or sequence of commands) that will show you the full header of a mail message. Unfortunately, each of these programs does it a bit differently, and with some it can be criminally difficult to show the headers (as with the Exchange-based business version of Microsoft Outlook, which I have to use in my job). Fortunately, the folks at SpamCop have compiled a comprehensive set of instructions for showing headers with the most popular e-mail client programs. You can find these at http://spamcop.net/fom-serve/cache/19.html.

Once you reveal the header of your message, you should be able to see that it looks something like the following (it may be longer or shorter, and of course will have different host names, IP addresses, times & dates, etc.):

From hidden-address Sat Aug 17 16:00:24 2002
Return-Path: hidden-address
Received: from exanpcn4.arinc.com ([]) by mta009.verizon.net
     (InterMail vM. 201-253-122-126-109-20020611) with ESMTP
     id <20020817200009.CWZT20372.mta009.verizon.net@exanpcn4.arinc.com>
     for hidden-address; Sat, 17 Aug 2002 15:00:09 -0500
Received: from exanpcn2.arinc.com (unverified) by exanpcn4.arinc.com
     (Content Technologies SMTPRS 4.1.5) with ESMTP id
     <T90f3203cca5cc55c0da9@exanpcn4.arinc.com> for hidden-address;
     Sat, 17 Aug 2002 16:02:15 -0400
Received: by exanpcn2.arinc.com with Internet Mail Service (5.5.2653.19)
     id <QRZ549XW>; Sat, 17 Aug 2002 16:00:27 -0400
Message-ID: <09328AED5429D311A3000008C7911B100778B52C@exanpmb1.arinc.com>
From: "Conner, Richard C." hidden-address
To: "my-home-address" hidden-address
Subject: Hello
Date: Sat, 17 Aug 2002 16:00:26 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain

If this is more or less what you see, then you’re ready to proceed with tracking down the message source by reading what’s in the header.
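As an added example (not part of the original page), here is a small Python script that reads the Received: lines of the sample header above in delivery order and picks out the earliest named sending host; the regular expression, the function names and the trimmed copy of the header are my own.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received: chain from the header shown on this
# page (the "hidden-address" and "([])" placeholders are the page's own).
SAMPLE_HEADER = """Return-Path: hidden-address
Received: from exanpcn4.arinc.com ([]) by mta009.verizon.net
     (InterMail vM. 201-253-122-126-109-20020611) with ESMTP
     id <20020817200009.CWZT20372.mta009.verizon.net@exanpcn4.arinc.com>
     for hidden-address; Sat, 17 Aug 2002 15:00:09 -0500
Received: from exanpcn2.arinc.com (unverified) by exanpcn4.arinc.com
     (Content Technologies SMTPRS 4.1.5) with ESMTP id
     <T90f3203cca5cc55c0da9@exanpcn4.arinc.com> for hidden-address;
     Sat, 17 Aug 2002 16:02:15 -0400
Received: by exanpcn2.arinc.com with Internet Mail Service (5.5.2653.19)
     id <QRZ549XW>; Sat, 17 Aug 2002 16:00:27 -0400
"""

RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<frm>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+)?by\s+(?P<by>\S+)", re.I)

def parse_received(value):
    """Split one Received: field into sending host, relay and timestamp."""
    flat = " ".join(value.split())  # unfold the continuation lines
    m = RECEIVED_RE.match(flat)
    if not m:
        return None  # non-standard trace line; skip it rather than guess
    # RFC 2822 puts the timestamp after the final ';' of the field.
    stamp = flat.rsplit(";", 1)[-1].strip() if ";" in flat else None
    return {"from": m.group("frm"), "info": m.group("info"), "by": m.group("by"),
            "when": parsedate_to_datetime(stamp) if stamp else None}

def trace(header_text):
    """Hops in delivery order (earliest first). Each relay prepends its own
    Received: line, so reversing the header order recovers the path taken."""
    msg = message_from_string(header_text)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]

def apparent_origin(hops):
    """Earliest named sending host. Only the lines added by your own provider's
    relays are trustworthy; anything beneath them was written by the sender."""
    return next((h["from"] for h in hops if h["from"]), hops[0]["by"] if hops else None)
```

Note that the relays' clocks need not agree: in the sample, the verizon.net stamp (15:00:09 -0500) is two minutes earlier than the arinc.com stamp above it, so compare hops by order, not by time.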

