How to read Email Headers

Information Avenue Tutorial - Reading Email Headers (Source Code)

Now you will see the "source code" of the email that you are checking. The sample below is one that we received, and it appears to have come from "us" when in fact it did not. This is one of the "tricks" viruses and worms use to confuse people: the worm makes its mail appear to come from a random address in the infected user's address book. In this case, our address was in an infected person's address book and the worm actually sent a copy to us! Don't worry; you cannot get infected by viewing the source code of an email.

Now to see where this really came from, you will have to look closer at all the text that you see in this window. The window does not resize, so go ahead and click the "Message Source" Button to see the text in fuller view.


This is what the text from the last step shows in full. We have used highlighted text to help guide you; the header line each highlight refers to is named below as well.

1.  The part highlighted in pink (the first Received: from line) shows where the letter really came from. In this case, the letter came from an infected computer at onetel.net.uk.

2.  The part highlighted in peach (the "by" portion of that same Received: line) shows who received it; in this case, we (thundercloud.net) received the email on April 26, 2002.

3.  The address highlighted in yellow (the From: line) shows it "appears" to have come from join-cloudeightstationerynews. This letter did not come from us, because that address does not match the Received: from msgdirector2.onetel.net.uk line.

4.  So, what you want to do is match up the Received: from against the From:, and if they do NOT match, it is a faked header, and the mail is not from the source it appears to be from.

 

The first Received: line carries the IP address 212.32.44.149. You can take this IP address and go to http://www.samspade.org/, paste it in the "do stuff" form, and it will show you exactly who it is and where it came from. Try it now if you like; you will not lose this page. It is really from rtr-adsl-1.ensign.ftech.net.

Received: from msgdirector2.onetel.net.uk [212.32.44.149]
    by thundercloud.net with ESMTP
    (SMTPD44-7.33) id ADC354A00B4; Fri, 26 Apr 2002 11:18:13 -0500
Received: from Szez (async121-4.nas.onetel.net.uk [212.32.44.149])
    by msgdirector2.onetel.net.uk (Mirapoint)
    with SMTP id AFV01601;
    Fri, 12 Mar 2004 17:17:40 +0100 (BST)
Date: Fri, 12 Mar 2004 17:17:39 +0100 (BST)
Message-Id: <200204261617.AFV01601@msgdirector2.onetel.net.uk>
From: join-cloudeightstationerynews <join-cloudeightstationerynews@mailpro.ws>
To: cloudeight2@thundercloud.net
Subject: Cellpadding
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=WEeN6bu49ho8737
X-RCPT-TO: <cloudeight2@thundercloud.net>
Status: U
X-UIDL: 310625859
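Worked example, added here and not part of the original tutorial: a Python script that applies steps 1 to 4 to the header block above. It parses the Received: chain with the standard library's email parser, takes the last (earliest) Received: line as the real origin, and checks whether the From: domain appears anywhere along the delivery path. The header text embedded in the script is copied from the listing above; the second, "genuine" sample, the function names and the match rule (From: domain equals, or is the parent of, a host named in the path) are my choices and not anything from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block copied from the tutorial's listing above (body omitted; the
# blank line ends the header section).
RAW_HEADERS = """\
Received: from msgdirector2.onetel.net.uk [212.32.44.149]
    by thundercloud.net with ESMTP
    (SMTPD44-7.33) id ADC354A00B4; Fri, 26 Apr 2002 11:18:13 -0500
Received: from Szez (async121-4.nas.onetel.net.uk [212.32.44.149])
    by msgdirector2.onetel.net.uk (Mirapoint)
    with SMTP id AFV01601;
    Fri, 12 Mar 2004 17:17:40 +0100 (BST)
Date: Fri, 12 Mar 2004 17:17:39 +0100 (BST)
Message-Id: <200204261617.AFV01601@msgdirector2.onetel.net.uk>
From: join-cloudeightstationerynews <join-cloudeightstationerynews@mailpro.ws>
To: cloudeight2@thundercloud.net
Subject: Cellpadding

"""

# Constructed contrast case (not from the page): the From: domain really does
# appear in the delivery path, so the check should pass.
GENUINE_HEADERS = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.example.net with ESMTP id 123abc
From: someone@example.org
To: you@example.net
Subject: hello

"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header value into the pieces the tutorial looks at:
    the 'from' host the sender announced, the reverse-DNS name the relay put in
    parentheses, the IP in square brackets, and the 'by' host that accepted it."""
    flat = " ".join(value.split())  # unfold continuation lines
    hop = {"from": None, "reverse": None, "ip": None, "by": None}
    m = re.match(r"from\s+(\S+)", flat, re.I)
    if m:
        hop["from"] = m.group(1).strip("[]")
    m = re.search(r"from\s+\S+\s+\(([^\s()\[]+)", flat, re.I)
    if m:
        hop["reverse"] = m.group(1)
    m = IPV4_IN_BRACKETS.search(flat)
    if m:
        hop["ip"] = m.group(1)
    m = re.search(r"\bby\s+(\S+)", flat, re.I)
    if m:
        hop["by"] = m.group(1)
    return hop


def domain_matches(name, domain):
    """True if a host name is the domain itself or lies under it."""
    if not name or not domain:
        return False
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def check_sender(raw):
    """Steps 1-4 of the tutorial: find the real origin from the Received: chain
    and compare it with the domain the From: line claims."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Every relay prepends its own Received: line, so the last one in the list
    # is the earliest hop: the machine that actually handed the message in.
    origin = hops[-1] if hops else parse_received("")
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    path_names = [h["from"] for h in hops] + [h["reverse"] for h in hops]
    return {
        "from_domain": from_domain,
        "origin_host": origin["reverse"] or origin["from"],
        "origin_ip": origin["ip"],
        "path": [h["from"] for h in hops],
        "from_matches_path": any(domain_matches(n, from_domain) for n in path_names),
    }


if __name__ == "__main__":
    for label, raw in (("tutorial sample", RAW_HEADERS), ("constructed genuine", GENUINE_HEADERS)):
        result = check_sender(raw)
        verdict = "From: matches the delivery path" if result["from_matches_path"] else "FAKED header: From: not in path"
        print(f"{label}: origin {result['origin_host']} [{result['origin_ip']}], claims {result['from_domain']} -> {verdict}")
```

Only the top Received: line, the one added by your own server (thundercloud.net here), is guaranteed genuine; every line below it was written by machines the sender controlled or passed through, so a forger can insert fake Received: lines as easily as a fake From:. Treat the lower part of the chain as a lead to verify (for example with the IP lookup described above), not as proof.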
