On-Line Technical Support


Transmission Headers:
Understanding transmission headers to find the true source of the abusive email.


Finding the Transmission Headers
Many modern email clients hide the complete header information, because software vendors consider it unnecessary for the end user. Finding the complete headers is different for almost every email client. Outlined below are the methods for the most common email clients. The transmission headers consist of one or more lines beginning with "Received". If you don't see these lines, you don't have the full header information. If you don't know how to view the full header information and your client is not listed below, please contact your software vendor for help.

Eudora Pro/Lite
Open the message and click on the little button at the top of the message window that says "blah blah blah".

Outlook
Open the message. Then go to the "options" menu item. The full headers will be in the little window at the bottom of the option window.

Sample Transmission Header
Received: from timeoto.com (web9.prometeus.com [209.150.128.211]) by sparrow.prod.itd.earthlink.net (8.8.7/8.8.5) with SMTP id XAA08953; Thu, 8 Apr 1999 23:56:13 -0700 (PDT)
Message-ID: <73896.71140@timeoto.com>
From: "John Doe"
Reply-To: test@spoofed.com
Subject: Hey look at me!
Date: Fri, 09 Apr 1999 02:41:38 -0400 (EDT)

Understanding the Headers
The first rule of interpreting email headers is to ignore everything except the "Received" header lines. The format of the header is laid out in RFC822. This RFC essentially states that all transmission headers except the "Received" lines are supplied by the sender. That means the "From:" and "Reply-To:" lines are supplied by the abusive person. Many people make the mistake of using this information to determine the originator of the email. Since it is supplied by the sender, it is obviously unreliable as a means of source determination.

In the example above there is one "Received" line. More often than not, there are multiple "Received" lines. For each mail server an email passes through, a "Received" line is added to the top of the header. This makes it possible to trace the exact route from sender to destination. When tracing spam you should look at the "Received" line that is closest to the body of the email, i.e. the last one. This header records the initial point where the email was injected onto the Internet.

In plain English, the "Received" header states that on April 8, 1999 at 23:56:13 PDT the machine with IP address 209.150.128.211 connected to the mail server sparrow.prod.itd.earthlink.net. When reading email headers it is important to use only unspoofable information, which is why we use the IP address rather than any naming information. In the example above, the IP address corresponds to web9.prometeus.com. If you don't know how to convert IP addresses into names, you should get an nslookup tool for your computer; there are many shareware ones available. In all circumstances, you should not depend on the name information in the email itself unless you have no alternative.

The "Received" header in our example shows another type of spoofing that is common. When an email client connects to a mail server, the server asks it for its hostname. In the example above the client said its name was timeoto.com. Many older mail servers will use this name as the originating host rather than the IP address. Since the IP address is taken from the mail server's connection table, it is not spoofable and should be used instead of the name.
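The following is an added example, not part of the original support page, that applies the rules above in code: it unfolds the headers, walks the "Received" lines from the top down to the one nearest the body, and pulls the bracketed IP address (recorded by the receiving server) out of that last hop while keeping the sender-supplied "From:", "Reply-To:" and claimed hostname separate. The sample message is constructed from the page's own example header plus one extra hop with made-up relay names (the .invalid domains and 192.0.2.10 are placeholders); the function names are my own.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the page's example header, with a second hop added on top to
# show that each relay prepends its own "Received" line (newest hop first).
SAMPLE_MESSAGE = """\
Received: from mx.example-relay.invalid (mx.example-relay.invalid [192.0.2.10])
\tby inbound.example-isp.invalid with ESMTP id ABC123; Thu, 8 Apr 1999 23:57:02 -0700 (PDT)
Received: from timeoto.com (web9.prometeus.com [209.150.128.211]) by sparrow.prod.itd.earthlink.net (8.8.7/8.8.5) with SMTP id XAA08953; Thu, 8 Apr 1999 23:56:13 -0700 (PDT)
Message-ID: <73896.71140@timeoto.com>
From: "John Doe"
Reply-To: test@spoofed.com
Subject: Hey look at me!
Date: Fri, 09 Apr 1999 02:41:38 -0400 (EDT)

Hey look at me!
"""

# "from <claimed name> (<reverse DNS> [<ip>]) by <relay> ... ; <date>"
# The claimed name is whatever the client announced and is untrusted; the
# bracketed IP was taken from the receiving server's own connection.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
    r".*?;\s*(?P<date>.+)$"
)


def parse_received(value):
    """Parse one Received header value into its fields (None for parts missing)."""
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.match(text)
    if not m:
        return {"helo": None, "rdns": None, "ip": None, "by": None, "date": None, "raw": text}
    hop = m.groupdict()
    hop["raw"] = text
    if hop["ip"] is not None:
        try:
            hop["ip"] = str(ipaddress.ip_address(hop["ip"].strip()))
        except ValueError:
            hop["ip"] = None  # bracketed text was not an IP literal; treat as unknown
    return hop


def received_hops(raw_message):
    """Return all Received hops in header order (top of header first)."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def trace_report(raw_message):
    """Separate sender-supplied claims from what the first receiving server recorded."""
    msg = message_from_string(raw_message)
    hops = received_hops(raw_message)
    if not hops:
        return None  # no Received lines: the client did not show the full headers
    origin = hops[-1]  # the line nearest the body is the injection point
    return {
        "claimed_from": msg.get("From"),          # sender-supplied, unreliable
        "claimed_reply_to": msg.get("Reply-To"),  # sender-supplied, unreliable
        "claimed_helo": origin["helo"],           # name the client gave, unreliable
        "injection_ip": origin["ip"],             # recorded by the relay, use this
        "injection_rdns": origin["rdns"],         # relay's own lookup of that IP
        "first_relay": origin["by"],
        "injection_time": origin["date"],
        "hop_count": len(hops),
        # A mismatch here is the spoofing the page describes (timeoto.com vs. the real host).
        "helo_matches_rdns": origin["helo"] is not None and origin["helo"] == origin["rdns"],
    }


if __name__ == "__main__":
    for key, val in trace_report(SAMPLE_MESSAGE).items():
        print(f"{key:>18}: {val}")
```

The injection IP is the value to report to the owning network; the "injection_rdns" name comes from the relay's own reverse lookup and is a reasonable cross-check, but resolving the IP yourself with nslookup, as the page recommends, is still the better habit.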


