Understanding e-mail Headers
The Header Parts
Having a good understanding of e-mail headers is crucial to accurately tracing the source of e-mail messages.
In an ideal world, message headers would be tamper-proof and accurately reflect the origin and lineage of an e-mail message. Unfortunately, this is not the case and spammers will very often "spoof" certain parts of the headers to throw people off their tracks.
There are certain parts, however, that cannot be forged by the sender, chiefly the IP address that your own mail server records when the message is handed to it. These will ultimately lead to the source.
The way to view your e-mail headers varies between e-mail clients. To view the headers in Microsoft Outlook, right-click the message in your inbox and select "options". The headers are displayed in the area marked: "Internet Headers". A quick check in the help files for your e-mail client should reveal how to do the same.
Below, I have presented a set of headers for a typical (actual) spam message:
Received: from dial-up-134.aist.net.ru ([81.28.162.134]) by lmg16.affinity.com with SMTP id <547807-28141>; Fri, 8 Oct 2004 12:55:25 -0700
X-Message-Info: WIEBbCR49lEHzFm513d5+TSIJg5fENBI
Received: from mail550.euo.optusnet.com.au ([144.80.145.84]) by xy92-g8.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
Fri, 08 Oct 2004 22:49:16 +0200
Received: from EAJZ94 (y112.18.8.162.wfzzs0.clk.optusnet.com.au [0.39.78.160])
by mail606.rrg.optusnet.com.au (02.95.8y5/5.09.2) with SMTP id s2C16Bh10617;
Fri, 08 Oct 2004 21:49:16 +0100
Message-ID: <09g036d1lz0k$bm4d16s4$zn2298n0@WOHD01>
From: "Trent Boston" <uckteiynrie@yahoo.com>
To: "Alan" <alan@someisp.com>
References: <Law7-R53AquwCkjgX7W658399p9@hotmail.com>
Subject: Perform like a sexual god corralled
Date: Fri, 08 Oct 2004 13:49:16 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--6074271505025761947"
As confusing as this all may seem, the only parts of the headers that we are really interested in are the ones marked "Received:".
Now, the important thing to know about e-mail messages is that rarely do they come direct to you from the source. The nature of the internet is such that messages take many "hops" before reaching their actual destination.
Every time a machine receives the message at one of these "hops", it adds its own "Received" line to the top of the headers and then sends the message on its way, rather like the scan records on a tracked parcel. This happens repeatedly until the message reaches its destination:

This means that as you read the Received headers from top to bottom, you are tracing back to the original machine/person that sent you the e-mail.
Now, if we think about it, although a spammer can forge and add as many different "Received" headers as they wish before the message leaves their machine, every server that handles it afterwards adds a genuine header of its own on top of them. Our job in tracing the source is therefore to follow the route of the Received headers from the top down until we reach the last genuine entry, the one directly above the first forgery. The IP address recorded in that entry is the connection the spam came in from, and its owner is the spammer's ISP.
The Anatomy of a Received Header
So, we have established that the only parts of the e-mail headers we are really interested in are the "Received" headers.
Let's now look at a typical received header in detail:
Received: from dial-up-134.aist.net.ru ([81.28.162.134]) by lmg16.affinity.com with SMTP id <547807-28141>; Fri, 8 Oct 2004 12:55:25 -0700
The most important part of the header is the four-part number between the square brackets: 81.28.162.134.
This is called an IP (Internet Protocol) address, here in the dotted-decimal IPv4 form. An IP address is how a computer connected to a network is identified: at any one moment, every machine reachable on the internet has a unique address like this. Two caveats matter for tracing. Dial-up and broadband addresses are re-assigned over time, so an address identifies a connection at a particular date and time rather than a person, and several machines behind one router can share a single public address.
Now, you can open up a web browser and type the IP address directly into the address bar and it will connect to the machine that has that number (if that machine runs a web server). Because IP addresses are hard to remember, though, each address can be associated with a Domain Name, such as "Ebay.com".
Obviously, it is far easier to remember "Ebay.com" than "66.135.192.87" so there exists a process called Domain Name Resolution.
When you type "Ebay.com" into your web browser, the first thing it does is go to what is called a DNS server and ask it what IP address "Ebay.com" is associated with. The DNS server replies that "Ebay.com" is currently associated with the IP address: "66.135.192.87" and your browser dutifully connects to that IP address as in the diagram below:

Let's now return to our Received header:
Received: from dial-up-134.aist.net.ru ([81.28.162.134]) by lmg16.affinity.com with SMTP id <547807-28141>; Fri, 8 Oct 2004 12:55:25 -0700
This header is simply telling us that the message was received by lmg16.affinity.com from a machine that introduced itself as dial-up-134.aist.net.ru and was connecting from the IP address 81.28.162.134. The message was received on the 8th of October 2004 at 12:55:25 in the receiving server's local time. Note the last part (the -0700): this is the offset of that local time from UTC (GMT), here seven hours behind, so the receipt was at 19:55:25 UTC. You need it to compare timestamps written by servers in different time zones.
Note: in the header above, the sending machine calls itself "dial-up-134.aist.net.ru". Remember that this is simply what the receiving machine was told (the name the sender announced in its SMTP HELO) and it could be forged, whereas the IP address is taken from the network connection itself and must be correct in a legitimate header.
Tools for Analysing Headers
Reverse DNS Lookup
Remember that I said earlier that a machine can claim to be called anything when it sends its message to another server? What it cannot do is pretend to be connecting from a different IP address. The receiving server simply notes the address of the connection and records it in its Received header, so that part cannot be forged. Wouldn't it be handy if we could get the name of the machine from the IP address to confirm it? Well, we can. This process is called a Reverse DNS Lookup (it returns the address's PTR record). One caveat: the PTR record is set by whoever controls that IP block, so a name on its own proves little; the real confirmation is a name that resolves back (in a forward lookup) to the same IP address.
There are plenty of places on the internet where you can quickly perform a reverse DNS lookup; just search for "Reverse DNS Lookup" in your favourite search engine and you will find many. There are also many free tools available which enable you to do this from a program installed on your computer, and at the command prompt "nslookup 81.28.162.134" (or "dig -x 81.28.162.134" on Linux and macOS) performs the same lookup.
Using this tool, we can check whether a machine with an IP address of: 81.28.162.134 is actually called: "dial-up-134.aist.net.ru". In this case it is.
NSLookup
NSLookup is really just the reverse of the above. Given a host name (the name part of a web address, such as "www.ebay.com", not the whole URL), it returns the IP address associated with it; given an IP address, it performs the reverse lookup described above.
As usual, there are many places on the internet where you can perform these lookups for free. They can, however, be performed on your own computer from a command prompt. Simply open up a command prompt, type "nslookup", a space and the domain or host name that you are interested in. It will return the IP address that it resolves to. (This is exactly the process your browser goes through when it attempts to fetch a web page for you.)
Whois
Once we finally have the IP address of the original sender of the message (more on this in the next section), we need to find the ISP that address belongs to. There is a process to do this and it is called a "Whois Lookup". IP address allocations are recorded by the regional internet registries (ARIN, RIPE NCC, APNIC and so on), and a whois query on an address returns the block it falls in and the organisation it is allocated to, usually with an abuse contact.
Just like the Reverse DNS Lookup above, there are plenty of places on the internet where you can do this lookup for free, and many freeware or shareware utilities with both of these tools and more included.
Simply typing in the domain name or the IP address will return details about who owns that domain, or IP block.
If a whois search on the full IP address does not disclose much information, a useful trick to get more is to "back up the IP blocks".
For the address above, if I don't get much information from a whois search on "81.28.162.134", I substitute zero (0) for the last octet of the IP address and perform a whois search on "81.28.162.0". Likewise, if I need more information, I may try "81.28.0.0". This is often a very useful trick which returns the organisation that really owns the IP range rather than a customer assignment within it.
TraceRoute
Sometimes, it is useful to find not only the sender's ISP, but who provides the sender's ISP with their connection, the "upstream provider". This could be necessary when a spammer's ISP is a "rogue" or "spamhaus".
I (and no doubt thousands of others) have personally been complaining to the people at chinanet.net (a Chinese ISP) for many years and have yet to receive a single acknowledgement or indication of action from them. They are obviously a "spamhaus".
If they refuse to do anything, then the next step is to walk one step up the chain and complain to the people that give them their service. Eventually, if enough people complain, someone along the line will do something about it.
To find the steps in this chain, there is a useful utility called "TraceRoute".
Like the previous tools, TraceRoute can be found on the internet, but is also available from the command prompt on your computer.
To use it from your computer: open up a command prompt and type "tracert" (Windows) or "traceroute" (Linux and macOS), a space and the IP address or domain name that you wish to trace to. The trace will show every "hop" until it reaches the destination, revealing the providers along the path from your machine; the hops just before the destination usually belong to the target ISP's upstream provider. Bear in mind that the route is the one seen from your vantage point, so confirm who owns a hop with a whois lookup on its address.
Here is an example traceroute for "www.google.com":

Tracing the Headers Back to the Spammer
OK, so what we need to find is the spammer's IP address.
The first thing to do is to try to follow the trail back through the received headers. We are looking for a pattern similar to this:
Received: from Machine3 ([xxx.xxx.xxx.xxx]) by Machine4
Received: from Machine2 ([xxx.xxx.xxx.xxx]) by Machine3
Received: from Machine1 ([xxx.xxx.xxx.xxx]) by Machine2
In this case, it all makes sense: each header's "by" machine is the "from" machine of the header above it, and the originating IP address is Machine1's, in the bottom line.
This is the pattern we would expect to find in a legitimate e-mail message. A lot of spam messages will have fake headers added to the bottom of the list in an attempt to cover their tracks.
When tracing headers, we are looking for the last legitimate header before the forgeries begin (remember, each server adds its header to the top, so the oldest header is the one at the bottom of the list).
The topmost header is always legitimate, because it was written by your own mail provider's server as it accepted the message.
If we apply this to our real example above, the trail breaks after the first header. The message was received by affinity.com from dial-up-134.aist.net.ru.
It should follow, then, that the next header down records something received by a machine at aist.net.ru. It does not: it claims the message was received by hotmail.com.
At this point we have found the first fake Received header, so the proper source is the one above it. In this case, both the second and third headers were forged, and the top one is the source. Our spammer's ISP is aist.net.ru, and the IP address used was 81.28.162.134.
Following this trail often involves quite a bit of logical reasoning that may even include analysing the times at which the message was supposedly transferred between the servers. It is not at all uncommon to see a message that was transferred to another server some time before it was originally sent! Our sample shows this: the second header claims receipt at 22:49:16 +0200 (20:49:16 UTC), almost an hour after affinity.com had already received the message at 12:55:25 -0700 (19:55:25 UTC).
Doing a reverse dns lookup is often a quick way to confirm findings in your detective work through the message headers. For instance, in the message above, a reverse dns lookup on the IP address in the top header (81.28.162.134) does indeed confirm that it resolves to: dial-up-134.aist.net.ru.
Doing the same on the second header (which we now know is false) returns "ge069.chss.iup.edu", not "mail550.euo.optusnet.com.au" as claimed. This would mean that either that complete Received header is false, or the previous machine lied about its identity. Further inspection of the header below that would confirm even more, but is unnecessary: once a fake header has been found, all the others below it must also be fake.
So, we have the spammer's IP address. We can now simply perform a whois lookup on that IP address and get the details for their ISP. A whois lookup confirms that the ISP for this spammer is: aist.net.ru.
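The following Python script is an example added here, not code from the original article. It applies the method described above to the sample headers: it parses each Received header into its announced (HELO) name, bracketed IP address, receiving host and timestamp (the fields discussed under "The Anatomy of a Received Header"), walks the chain from the top down until a header's "by" host is not in the domain the header above says it received from, flags any hop whose timestamp is later than that of the hop it was handed to, and compares each bracketed address with its reverse DNS name. Because it must run offline, the reverse lookups are served from a small table holding the two PTR results reported in the text; socket.gethostbyaddr would replace it in real use. The registrable-domain function is a heuristic, not a public suffix list, and hop numbers in its findings count from 0 at the top.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# The header block of the spam sample discussed above, re-folded as it sits
# in a raw message (continuation lines indented); the body is a stub.
SAMPLE = """\
Received: from dial-up-134.aist.net.ru ([81.28.162.134]) by lmg16.affinity.com with SMTP id <547807-28141>; Fri, 8 Oct 2004 12:55:25 -0700
X-Message-Info: WIEBbCR49lEHzFm513d5+TSIJg5fENBI
Received: from mail550.euo.optusnet.com.au ([144.80.145.84]) by xy92-g8.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
 Fri, 08 Oct 2004 22:49:16 +0200
Received: from EAJZ94 (y112.18.8.162.wfzzs0.clk.optusnet.com.au [0.39.78.160])
 by mail606.rrg.optusnet.com.au (02.95.8y5/5.09.2) with SMTP id s2C16Bh10617;
 Fri, 08 Oct 2004 21:49:16 +0100
From: "Trent Boston" <uckteiynrie@yahoo.com>
To: "Alan" <alan@someisp.com>
Date: Fri, 08 Oct 2004 13:49:16 -0700

(body omitted)
"""

# Offline stand-in for reverse DNS: the two PTR answers the text reports.
# For a live check use socket.gethostbyaddr(ip)[0], catching socket.herror.
PTR_TABLE = {
    "81.28.162.134": "dial-up-134.aist.net.ru",
    "144.80.145.84": "ge069.chss.iup.edu",
}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\)\s*)?by\s+(?P<by>\S+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """HELO name, bracketed IP, receiving host and timestamp of one
    Received: value; None if it is not in 'from X by Y' form."""
    value = " ".join(value.split())            # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("paren") or "")
    when = None
    if ";" in value:                           # the date follows the last ';'
        try:
            when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return {"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
            "by": m.group("by"), "when": when}


def org_domain(host):
    """Heuristic registrable domain: last two labels, or three under a
    two-letter ccTLD with a short second level (com.au, net.ru)."""
    labels = host.lower().rstrip(".").split(".")
    three = len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3
    return ".".join(labels[-(3 if three else 2):])


def trace_origin(raw, ptr=PTR_TABLE.get):
    """Walk Received: headers top-down (hop 0 = newest, written by our own
    server, hence trusted) until the chain breaks; return the origin."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    if not hops or hops[0] is None:
        return {"origin_ip": None, "origin_host": None, "isp": None,
                "first_fake": None, "findings": ["no parseable Received header"]}
    findings, trusted = [], 0
    for i, hop in enumerate(hops):             # announced name vs reverse DNS
        if hop and hop["ip"]:
            name = ptr(hop["ip"])
            if name and name.lower() != hop["helo"].lower():
                findings.append(f"hop {i}: {hop['ip']} reverses to {name}, "
                                f"not {hop['helo']}")
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        if lower is None:
            findings.append(f"hop {i + 1}: unparseable Received header")
            break
        # A hop cannot have been received after the hop it was handed to.
        if upper["when"] and lower["when"] and lower["when"] > upper["when"]:
            findings.append(f"hop {i + 1}: timestamp later than hop {i}")
        # The header below must have been written by the host the header
        # above says it received from.
        if org_domain(lower["by"]) != org_domain(upper["helo"]):
            findings.append(f"hop {i + 1}: written by {lower['by']}, but hop "
                            f"{i} received from {upper['helo']} (chain breaks)")
            break
        trusted = i + 1
    origin = hops[trusted]
    return {"origin_ip": origin["ip"], "origin_host": origin["helo"],
            "isp": org_domain(origin["helo"]),
            "first_fake": trusted + 1 if trusted + 1 < len(hops) else None,
            "findings": findings}


if __name__ == "__main__":
    r = trace_origin(SAMPLE)
    print(f"origin {r['origin_ip']} ({r['origin_host']}), ISP {r['isp']}")
    for line in r["findings"]:
        print(" -", line)
```

Run against the sample, it reports the origin as 81.28.162.134 (dial-up-134.aist.net.ru, ISP aist.net.ru) with the chain breaking at hop 1, the hotmail.com header, which is also flagged because its bracketed address reverses to ge069.chss.iup.edu and its timestamp is later than that of the hop above it. The domain comparison is deliberately loose (org_domain, not an exact host match) because large providers hand mail between differently named machines in one domain; a stricter check would produce false breaks on legitimate mail.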
For strategies for complaining about spam, read our section on complaining about spam...