Reading Internet Message Headers

At some point, you’re going to need (or just want) to know the true origin of an email or newsgroup message. To do that, you have to decipher the headers of the message. It’s a useful skill for any internet user — so this is the first in a series of how-to articles.

While most newsreaders and email programs don’t display all the headers of messages by default, you do normally see the name and email address of the sender, date/time, and subject for any news or email message. Those are headers. Any program should also have an option somewhere to display more headers, as there is far more information available, but most folks don’t need to see it for every message. If you don’t know how to get to the full headers in your software, check the help files or see if it’s listed here.

For instance, I receive email from many mailing lists. All I see by default is:

Date: 10 Sep 1997 05:03:01 -0000
X-massmail: webmonkey.090997
From: Webmonkey <webmonkey-info@hotwired.com>
To: Webmonkey <webmonkey-announce@hotwired.com>
Subject: Elbow Grease - the Webmonkey newsletter

(body of message)

If I tell my email program to show me all the headers, though, I see:

Return-Path: <webmonkey-info@hotwired.com>
Received: from hardly.hotwired.com (hardly.hotwired.com
	[204.62.131.45]) by camel10.mindspring.com (8.8.5/8.8.5)
	with SMTP id RAA21069 for <cynthia@dev.null>;
	Wed, 10 Sep 1997 17:46:35 -0400 (EDT)
Received: (qmail 25634 invoked by uid 1100);
	10 Sep 1997 05:03:09 -0000
Date: 10 Sep 1997 05:03:01 -0000
Message-ID: <19970910050301.25630.qmail@hardly.hotwired.com>
Precedence: bulk
X-massmail: webmonkey.090997
From: Webmonkey <webmonkey-info@hotwired.com>
To: Webmonkey <webmonkey-announce@hotwired.com>
Subject: Elbow Grease - the Webmonkey newsletter

Because users can add custom headers, and because some programs don’t use some headers, you won’t always see exactly the same things in every message, and the headers may not always appear in the same order, either. There are certain fields, though, that the internet newsgroup (NNTP) and email (SMTP) protocols require for every message, so you’ll always have those. I’m going to stick with the basics.

Don’t believe everything you see in the headers of a message. The current internet protocols were not designed with security in mind, so it is far too easy to forge some of the information in the headers. It’s harder, but not impossible, to forge others, and you can usually count on those for clues as to the system and user with whom the messages originated. Users with shell accounts can do far more to hide their origins than those with dial-up accounts, like the accounts EarthLink sells.

If it’s so easy to forge headers, why bother? Because in most cases they aren’t forged, or aren’t forged well. And most people do leave clues as to who they really are, even when they’re forging messages. It takes a lot of know-how to completely hide who you are and where a message originated (without using an anonymous remailer, anyway), so it doesn’t happen very often. I know that some things can be forged, but haven’t a clue as to how to forge them; it isn’t something most people ever bother to learn, even if they are heavy internet users. Only net abusers and those who want to stop them have to go to such lengths.

Even know­ing what each of the header fields means, you need to learn how to use the tools to track down domain names and IP addresses and so on. The Unix com­mands whois, nslookup and tracer­oute are invalu­able here. If you don’t have a shell account, there are plenty of pro­grams for Mac and PC users that will do the same, and there are also web sites that will allow you to use the same com­mands. (I use a pro­gram called NetScanT­ools for Win9x.) And Spam­Cop has a lovely fea­ture, the Host Tracker, which lets you put in a domain name or IP address into their spam report­ing field and get an email address to use for send­ing complaints.

As we go on I’ll format the headers differently from the rest of the article text and place the header for each line or section just after it, but also show the whole message we’re using at the beginning of the section. Please understand that I’ve learned what I know on this subject through having to trace many messages over the past five years, that I know absolutely zilch about the setup and administration of mail and news servers, and that when I’m puzzled I do not hesitate to hie myself to more learned individuals. What I do know, though, I’ll share, so that you’ll be better able to track the origin of any harassing messages or spam you receive. If I’ve made any errors here, I pray that you will be kind enough to email me to correct my misunderstanding.

In the next article, we’ll look more closely at the headers of email messages.

Originally published February 1, 2001
