Spammers often forge the headers of their email in an attempt to
avoid losing their accounts and to evade email filters. These notes may
help you track the source of spam.
The most important thing is to have a mail reader that can show you the
full headers of an email in question. The important lines are as
follows:
- From:
- Who the message is from. This is the easiest to forge, and
thus the least reliable.
- From
- As distinct from the "From:" line. This line is not actually
part of the email header, but mail transfer software often
inserts it when the mail is received. Many Unix mailers use
this line to separate messages in a mail folder. This line
will always be the first line in the headers.
This line can also be forged, but not always.
- Reply-To:
- The address to which replies should be sent. Often absent from
the message, and very easily forgeable. However, it often
provides a clue. For example, forged spam often has a
legitimate Reply-To: field so that the spammer can receive
mail orders.
- Return-Path:
- The email address for return mail. Same as Reply-To:
- Sender:
- The account that sent the message. Mail software is supposed
to insert this line if the user modifies the From: line. Most
mail software is broken in this respect, so this line is rarely
present. Some mailers provide an X-Sender: line.
- Message-ID:
- A unique string assigned by the mail system when the message is
first created. This is also forgeable in most cases, but
requires a little more specialized knowledge than forging the
From: line. Also, the Message-ID: often identifies the system
from which the sender is logged in, rather than the actual
system where the message originated.
The format of a Message-ID: field is
<unique string>@<sitename>
Each kind of mail software has its own style of unique string.
Sloppy forgeries often get it wrong, thus a forgery can be
confirmed by comparing the message id with some legitimate
messages from that same site.
- Received:
- These are the most reliable lines in the header. They form a
list of all sites through which the message traveled in order
to reach you. They are completely unforgeable after the point
where the message was injected. Up to that point, they may be forgeries.
Received: lines are read from bottom to top. That is, the first
Received: line is your own system or mail server. The last
(non-forged) Received: line is where the mail originated.
Each mail system has its own style of Received: line. A
Received: line typically identifies the machine that received
the mail and the machine that the mail was received from.
For example:
Received: from foo.com by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
The "foo.com" part is the name that the sending machine used
to identify itself. This may be forged in the case of spam.
The id is for logging purposes and may help system administrators
track the spam if you can get them to cooperate with you.
Many mailers will add extra information. For example:
Received: from foo.com ([129.2.3.4]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
In this case, bar.com has inserted the IP address of the
sending system. If the machine name does not match the IP
address, then you have likely identified the point where the
mail was forged. In other words, the machine whose address
is 129.2.3.4 lied when it identified itself as foo.com. Any
Received: lines that follow are likely to be forgeries.
If the IP address does not make sense (for instance, no
component may be greater than 255), then this entire Received:
line is a fake. Contact a system admin for more advice in
determining if an IP address is bogus. If the entire Received:
line is fake, then the injection point is somewhere above in
the headers.
Sometimes you will see
Received: from foo.com (x.y.alterdial.uu.net [129.2.3.4]) by bar.com id AA15057; ...
In this case, the mailer has inserted both the IP address and
the real name of the sending system. This will help you
identify forgeries and eliminate the need to look up the
IP address by hand.
- Comment:
- Some mailers may add additional information to the headers,
such as "Authenticated sender is doe@foo.com". Forged Comment:
lines can be easily added to outgoing mail, so this line is
likely to be fake, but not always.
Other mailers may insert their own authentication information
in the headers.
Here is an example of a forgery:
From webpromo@denmark.it.earthlink.net Tue Jul 8 13:05:02 1997
Return-Path:
From: webpromo@denmark.it.earthlink.net
Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net
[204.119.177.22]) by best.com (SMI-8.6/mail.byaddr) with ESMTP id
NAA21506 for ;
Tue, 8 Jul 1997 13:05:16 -0700
Received: from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET
[153.34.218.226]) by denmark.it.earthlink.net (8.8.5/8.8.5)
with SMTP id NAA12436; Tue, 8 Jul 1997 13:00:46 -0700 (PDT)
Received: from adultpromo@earthlink.net by adultpromo@earthlink.net
(8.8.5/8.6.5) with SMTP id GAA05239 for ;
Tue, 08 Jul 1997 15:48:51 -0600 (EST)
To: adultpromo@earthlink.net
Message-ID: <199702170025.GAA08056@no-where.net>
Date: Tue, 08 Jul 97 15:48:51 EST
Subject: Hot News !
Reply-To: adultpromo@earthlink.net
X-PMFLAGS: 12345678 9
X-UIDL: 1234567890x00xyz1x128xyz426x9x9x
Comments: Authenticated sender is
Content-Length: 672
X-Lines: 26
Status: RO
Obviously, the To: line is a forgery; the actual recipient list was
hidden, probably with a blind carbon copy (Bcc: header).
The "From", "Return-Path:" and "From:" all identify the same email
address, but that may be a forgery. You can try mailing to the given
address and see if your complaint bounces.
The "To:", "Reply-To:" and "Authenticated sender" lines all identify
a different account. Again, these may all be forgeries.
The Message-ID: line is an obvious fake.
The first Received: line shows the mail arriving at my service
provider from Earthlink. I trust my service provider, so this line
is almost certainly valid.
The second Received: line shows this inconsistency:
... from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET [153.34.218.226])
In other words, the machine that delivered the mail to
denmark.it.earthlink.net identified itself as mail.earthlink.net but
was actually named 1Cust98.Max16.Detroit.MI.MS.UU.NET. This is
very likely a lie. However, Earthlink rents POPs from Uunet, so this
might be an Earthlink customer dialing in from Uunet.
The third Received: line is completely bogus. If the mail came from
a dial-in customer at Uunet, there wouldn't be any more Received: lines.
If the mail was being relayed from Uunet, this Received: line would
indicate Uunet, not Earthlink. Further, this Received: line
contains email addresses, not machine names.
Clearly, this email was forged to make it look like it came from
Earthlink but was actually injected from Uunet. Whether this was
by an Earthlink customer or some other Uunet customer is impossible
to tell without cooperation from Earthlink sysadmins.
Here is another forgery:
Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40])
by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705
for ; Wed, 30 Jul 1997 01:15:27 -0600 (MDT)
From: beautifulgirls585@aol.com
Received: from cola.bekkoame.or.jp
(ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21]) by
cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439;
Wed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by
aol.com (8.8.5/8.6.5) with SMTP id GAA00075 for <"">;
Tue, 29 Jul 1997 22:19:42 -0600 (EST)
Date: Tue, 29 Jul 97 22:19:42 EST
Subject: You can have what you want...
Message-ID: <574857638458.HWF39862@aol.com>
Reply-To: beautifulgirls585@aol.com
X-PMFLAGS: 56354433 0
Comments: Authenticated sender is
X-UIDL: vjg79u26gfkjjrty38jf983j309jfyrw
Here, the second Received: line indicates that "cola.bekkoame.or.jp"
received the mail from a machine which identified itself as
"cola.bekkoame.or.jp", but was in fact
"ip21.san-luis-obispo.ca.pub-ip.psi.net".
This mail was probably forged from a Psi.net dial-in account.
As a final proof, the IP address mentioned in the third Received: line
cannot be matched via whois or traceroute.
It certainly doesn't match AOL, indicating that this line is bogus.
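The checks these notes describe (compare the name the sender gave for itself with the receiver's bracketed reverse name and IP, reject an IP with a component above 255, expect machine names rather than email addresses in the "from" and "by" fields, and treat every Received: line after the first clear inconsistency as suspect) can be run mechanically over the two forgeries above. The Python below is an added example, not part of the original notes. It embeds the Received: lines of both forgeries with the header folding (indented continuation lines) restored by hand and the recipient addresses the page omits left out; the "same registered domain" heuristic (last two labels of a hostname) and the FORGED/NOTE/SUSPECT message tags are this example's own conventions. Reading the lines top-down, from your own server back toward the origin, it finds the forgery point at the second hop in both cases, exactly where the notes place it.

```python
import re
from dataclasses import dataclass, field

# Received: lines of the two forgeries in these notes; folding restored by hand,
# recipient addresses the page omits left out (constructed from the page text).
FORGERY_1 = """\
Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net
    [204.119.177.22]) by best.com (SMI-8.6/mail.byaddr) with ESMTP id
    NAA21506; Tue, 8 Jul 1997 13:05:16 -0700
Received: from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET
    [153.34.218.226]) by denmark.it.earthlink.net (8.8.5/8.8.5)
    with SMTP id NAA12436; Tue, 8 Jul 1997 13:00:46 -0700 (PDT)
Received: from adultpromo@earthlink.net by adultpromo@earthlink.net
    (8.8.5/8.6.5) with SMTP id GAA05239; Tue, 08 Jul 1997 15:48:51 -0600 (EST)
"""
FORGERY_2 = """\
Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40])
    by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705;
    Wed, 30 Jul 1997 01:15:27 -0600 (MDT)
Received: from cola.bekkoame.or.jp
    (ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21]) by
    cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439;
    Wed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by
    aol.com (8.8.5/8.6.5) with SMTP id GAA00075; Tue, 29 Jul 1997 22:19:42 -0600 (EST)
"""

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>[^\s(]+)"  # name the sending machine gave for itself
    r"(?:\s*\((?P<note>.*?)\))?"              # receiver's own annotation, if it added one
    r"\s+by\s+(?P<by>\S+)",                   # the machine that received the mail
    re.IGNORECASE,
)
# Usual annotation shape is "real-name [ip]"; the name part may be absent.
NOTE_RE = re.compile(r"^(?:(?P<rdns>[^\s\[]+)\s*)?\[(?P<ip>[^\]]+)\]$")

def is_valid_ipv4(text):  # four dotted components, none above 255
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def registered_domain(host):  # crude heuristic of this example: last two labels
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def unfold(headers):
    """Join indented continuation lines onto the header line they belong to."""
    out = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += " " + raw.strip()
        elif raw.strip():
            out.append(raw.rstrip())
    return out

@dataclass
class Hop:
    helo: str = ""   # what the sender claimed to be
    by: str = ""     # who received it
    rdns: str = ""   # real name recorded by the receiver, if any
    ip: str = ""     # address recorded by the receiver, if any
    problems: list = field(default_factory=list)  # "FORGED:", "NOTE:" or "SUSPECT:" messages

def analyse_hop(line):
    """Apply the notes' checks to one unfolded Received: line."""
    hop = Hop()
    m = RECEIVED_RE.match(line)
    if not m:
        hop.problems.append("NOTE: unparseable Received: line")
        return hop
    hop.helo, hop.by = m["helo"], m["by"]
    for name, value in (("from", hop.helo), ("by", hop.by)):
        if "@" in value:  # email addresses where machine names belong
            hop.problems.append(f"FORGED: '{name}' field is an email address, not a machine name")
    if m["note"] is None:  # receiver added nothing, so the claimed name cannot be checked
        return hop
    n = NOTE_RE.match(m["note"].strip())
    if not n:
        hop.problems.append("NOTE: annotation is not in 'name [ip]' form; cannot verify")
        return hop
    hop.rdns, hop.ip = n["rdns"] or "", n["ip"]
    if not is_valid_ipv4(hop.ip):
        hop.problems.append(f"FORGED: bracketed address {hop.ip} is not a valid IP; whole line is fake")
    elif hop.rdns and hop.helo.lower() != hop.rdns.lower():
        if registered_domain(hop.helo) == registered_domain(hop.rdns):
            hop.problems.append(f"NOTE: HELO {hop.helo} differs from reverse name {hop.rdns} (same domain, probably fine)")
        else:
            hop.problems.append(f"FORGED: HELO {hop.helo} is not the real name {hop.rdns}; likely forgery point")
    return hop

def trace(headers):
    """Read Received: lines top-down (your own server first) and mark every line
    after the first FORGED one as suspect. Returns (hops, forgery point index or None)."""
    hops = [analyse_hop(l) for l in unfold(headers) if l.lower().startswith("received:")]
    forged_at = None
    for i, hop in enumerate(hops):
        if forged_at is not None:
            hop.problems.append("SUSPECT: below the detected forgery point; probably fake")
        elif any(p.startswith("FORGED:") for p in hop.problems):
            forged_at = i
    return hops, forged_at

if __name__ == "__main__":
    for label, hdrs in (("forgery 1", FORGERY_1), ("forgery 2", FORGERY_2)):
        hops, at = trace(hdrs)
        print(f"== {label}: forgery point at hop {at} ==")
        for i, h in enumerate(hops):
            print(f"hop {i}: from {h.helo!r} by {h.by!r} real={h.rdns or '?'} ip={h.ip or '?'}")
            for p in h.problems:
                print("   ", p)
```

The script cannot do what the notes leave to whois and traceroute, so the AOL line of the second forgery is only reported as unverifiable and suspect; the mismatch between a claimed name and the receiver's own record, which is the strongest signal the notes describe, is what locates the injection point.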