Decode That E-Mail Header

Track down the real sender of that message.


Ever get spammed and want to track down the actual source of that e-mail? Here’s how. To look at the headers of your own messages, select a message, right-click it, choose Properties, then choose the Details tab of the resulting dialog. We’ll dissect the header from a message I received some time ago. It appears below with section numbers I have added for identification:

1  From: "Eraldo" <yek@ntt.it>
2  Received: from news.ntt.it (w2.ntt.it [194.73.95.85])
     by pegasus.nwol.net (8.8.8/8.8.8) with SMTP id PAA24953
     for <tylerstravels@cableone.net>; Tue, 22 Sep 1998 15:39:57 -0500 (CDT)
3  Return-Path: <yek@ntt.it>
4  Received: from r1p103.ntt.it by news.ntt.it (AIX 4.2/UCB 5.64/4.03)
     id AA44060; Tue, 22 Sep 1998 22:37:20 +0200
5  Message-Id: 000701bde679$e035dea0$675e49c2@polo
   Date: Tue, 22 Sep 1998 22:39:22 -0000
6  Reply-To: yek@ntt.it
7  To: <tylerstravels@cableone.net>
   Subject: congratulations

What does all this mean?

1. From: This line identifies the message’s supposed author, but anyone can fabricate the “From” information in most Internet mail programs.

2. Received: This section records the path the message took through the network of computers at my ISP, NWOL.NET. The mail server “pegasus” received the message and sent it to my mailbox at 3:39 PM. One server may send it to another before forwarding it to your mailbox. The SMTP id (PAA24953) is the message’s identification number on the originating mail server. The message was received from a server “news” at ntt.it; the name in parentheses, w2.ntt.it, is what DNS returned for the connecting machine, and the address in square brackets, 194.73.95.85, is its IP address.

3. Return-Path: Don’t trust the accuracy of the Return-Path data. This bit of information is easy to forge, and spammers know it.

4. Received: This is where the actual source of the message is listed. In this case it was a server “news” at the ISP ntt.it (ntt in Italy). A spammer would likely put bogus information in the From and Reply-To fields. Anyone who complains to the ISPs named there without verifying the accuracy of those fields would be complaining to the wrong party.

5. Message-Id: The originating mail server assigned this ID number to the e-mail message. This is a final, important clue in ascertaining where a spam originated. Spammers can forge the From, Return-Path, and Reply-To fields, but they can’t counterfeit Message-Ids. Together with the information in the Received field, the data in this line proves conclusively where the message originates.

6. Reply-To: A spammer can set up this field to direct angry replies to some poor guy anywhere on the net. In this case it appears to be genuine.

7. To: The To field can be left undisclosed, which makes it the spammer’s best friend and no help to anyone attempting to trace the missile.
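The walk-through above, as an added example that is not part of the original article: a small Python parser that unfolds the raw header, reads the Received lines in delivery order (newest is on top, so they are reversed), and separates what the sending host claimed from what the receiving host actually observed. The sample header is the one from this article, re-typed here as constructed input; the function names are my own.

```python
import re

# Constructed sample: the header block from this article, re-typed as raw text.
RAW_HEADER = """\
From: "Eraldo" <yek@ntt.it>
Received: from news.ntt.it (w2.ntt.it [194.73.95.85])
  by pegasus.nwol.net (8.8.8/8.8.8) with SMTP id PAA24953
  for <tylerstravels@cableone.net>; Tue, 22 Sep 1998 15:39:57 -0500 (CDT)
Return-Path: <yek@ntt.it>
Received: from r1p103.ntt.it by news.ntt.it (AIX 4.2/UCB 5.64/4.03)
  id AA44060; Tue, 22 Sep 1998 22:37:20 +0200
Message-Id: 000701bde679$e035dea0$675e49c2@polo
Date: Tue, 22 Sep 1998 22:39:22 -0000
Reply-To: yek@ntt.it
To: <tylerstravels@cableone.net>
Subject: congratulations
"""

def unfold(raw):
    """Join continuation lines (those starting with whitespace) back onto
    the header they belong to; return a list of (name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                    # name the sender announced
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[\d.]+)\]\))?"  # receiver's own lookup
    r".*?\bby\s+(?P<by>\S+)", re.S)

def hops(raw):
    """Delivery path oldest-first. 'helo' is what the sender claimed;
    'rdns' and 'ip' are what the receiving server saw (None if it
    recorded nothing), so only those are usable as evidence."""
    received = [v for n, v in unfold(raw) if n.lower() == "received"]
    path = []
    for value in reversed(received):   # each server prepends its line, so reverse
        m = RECEIVED_RE.search(value)
        if m:
            path.append(m.groupdict())
    return path

def first_trusted_hop(raw, own_server):
    """The Received line written by your own provider's server is the one
    you can rely on; return what that server observed about the sender."""
    for hop in hops(raw):
        if hop["by"].lower() == own_server.lower():
            return hop
    return None
```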