Where’d That Email Come From?
This is the second in a series of articles on reading internet message headers. If you haven’t already done so, please read the first article, Reading Internet Message Headers.
This time we’re using a message I sent to myself from a hotmail.com account I set up for this purpose. None of the headers except received: will normally appear more than once in a message.
Return-Path: <firstname.lastname@example.org>
Received: from f51.hotmail.com (F51.hotmail.com [22.214.171.124]) by camel9.mindspring.com (8.8.5/8.8.5) with ESMTP id WAA29149 for <email@example.com>; Thu, 11 Sep 1997 22:40:20 -0400 (EDT)
Received: (from root@localhost) by f51.hotmail.com (8.8.5/8.8.5) id TAA22003 for firstname.lastname@example.org; Thu, 11 Sep 1997 19:40:18 -0700 (PDT)
Message-Id: <199709120240.TAA22003@f51.hotmail.com>
Received: from 126.96.36.199 by www.hotmail.com with HTTP; Thu, 11 Sep 1997 19:40:18 PDT
X-Originating-IP: [188.8.131.52]
From: "Suzy Smith" <email@example.com>
To: firstname.lastname@example.org
Subject: testing headers
Date: Thu, 11 Sep 1997 19:40:18 PDT
Restrict: no-external-archive
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
- Return-Path: <email@example.com>
This is the envelope sender: the address the sending system gave in the SMTP MAIL FROM command, which the last server to handle the message records here so that bounces have somewhere to go. Like the reply-to: field in usenet headers, it is incredibly easy to forge: the sending system can give any address at all, and nothing checks it.
- Received: from f51.hotmail.com (F51.hotmail.com [184.108.40.206]) by camel9.mindspring.com (8.8.5/8.8.5) with ESMTP id WAA29149 for <firstname.lastname@example.org>; Thu, 11 Sep 1997 22:40:20 -0400 (EDT)
Received: (from root@localhost) by f51.hotmail.com (8.8.5/8.8.5) id TAA22003 for email@example.com; Thu, 11 Sep 1997 19:40:18 -0700 (PDT)
Received: from 220.127.116.11 by www.hotmail.com with HTTP; Thu, 11 Sep 1997 19:40:18 PDT
This message has three received: lines, one more than most. Each mail server that handles the message adds its own received: line at the top, so the lines read in reverse order of travel: the top one was written by the last server (here the one that delivered the message to me) and the bottom one is the oldest. Only the top line was written by a machine I have reason to trust; everything below it arrived as part of the message and could have been written by anyone along the way. Sometimes forgers will deliberately insert misleading received: lines to make it seem as though the email went through a system that is wholly unrelated to the ones through which it actually travelled. Messages can also be sent through multiple servers to deliberately obscure their origins; it’s called "chaining" when you do it with anonymous remailers.
In any case, the first line says that a machine at hotmail.com with the IP address 18.104.22.168 passed this message to a machine at mindspring.com at 10:40pm eastern daylight time on September 11, 1997, and that it was addressed to firstname.lastname@example.org. Notice that the sending machine is named twice: the name right after "from" is the name it announced when it connected, while the name and address in parentheses are what camel9.mindspring.com found when it looked up the connecting address itself. The sending machine can announce any name it likes, so if the two disagree, or if I had reason to doubt the origin of the message, I’d double-check to see just what machine really has the address 22.214.171.124 (a reverse lookup or a whois query will tell you who it belongs to). Don’t worry about the (8.8.5/8.8.5) part; that’s just the version of sendmail (and of its configuration file) the receiving computer is using.
The second line says that the message was received from root@localhost by a machine at hotmail.com addressed to email@example.com. The time is different from the first, because it’s on pacific daylight time. Sendmail writes this "(from user@localhost)" form when a message is handed to it locally on that machine rather than over the network: root is the account the submitting program (here Hotmail’s web front end) was running as. Sendmail doesn’t verify the sender on email in any case: over the network the sending system can claim to be anything from my real name to God to the IP address of my machine. MindSpring now requires that a valid email address be used to send mail through their servers, but it could be anybody’s valid email address anywhere, even firstname.lastname@example.org, because sendmail doesn’t check.
The third received line finally has some actual information as to who created the message. It says that the machine www.hotmail.com received the email through HTTP (hypertext transfer protocol, what the web uses) from 126.96.36.199: that is the address my web browser connected from, not a mail server. Now someone could at least look and see that whoever sent it was using MindSpring, as 188.8.131.52 is one of their IP addresses. It would take MindSpring examining their server logs, though, to know that I was the user logged in at that IP address at that time (MindSpring uses dynamic IP addressing now, so the address alone names the provider, not the person). The "with HTTP" part is somewhat unusual (well, to me, anyway) but makes sense because hotmail.com is a web-based email service.
The times on the three received lines could be important if you’re trying to figure out whether any of those lines is faked; sometimes the time in one of them is patently ridiculous. Each machine stamps its line in its own time zone (that’s what the -0400 and -0700 mean), so convert them to a common zone before comparing. Read in order of travel, from the bottom line up, the times should never go backwards by more than a few minutes of clock error, and none of them should be later than the moment you actually received the message.
- Message-Id: <199709120240.TAA22003@f51.hotmail.com>
This one is the unique message ID that hotmail.com assigned to the message. Sendmail builds it from the date, its own queue ID and its host name; notice that TAA22003 is the same ID that f51.hotmail.com wrote in its received: line, and the two should agree if the message really passed through that machine. With it they should be able to find the message in their logs and tell which user sent it, even if I’d found a way to obscure my email address.
- X-Originating-IP: [184.108.40.206]
I’ve only seen this header from hotmail.com. That’s the IP address of the user who sent the email. It’s the same as the third received: line, but provides a cross-check in case someone had found a way to munge that line. With this or any other IP address, if it isn’t a valid IP address format you know it’s faked. IP addresses always have 4 sections (like 0.0.0.0) and the number in each place must be within the range 0 to 255. So 220.127.116.11 is valid, but 18.104.22.1680 wouldn’t be. I’ve never seen this one faked, but that doesn’t mean that it can’t be faked: it’s an ordinary header line, and anyone who hands a message directly to a mail server can write one.
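The checks described above (putting the received: lines back in order of travel, comparing their timestamps across time zones, comparing the name a sender announced with the receiver’s own lookup, validating X-Originating-IP and matching it against the first hop, and tying the Message-Id to a hop’s queue ID) can be done mechanically. The following is an added example of my own, not code from the original article; it understands sendmail’s received: layout, which is what the hotmail and mindspring machines above used. The two messages it runs on are constructed: one modelled on the hotmail message with placeholder host names and addresses, and one forgery in which only the top received: line is genuine.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample modelled on the article's message; hosts and addresses are placeholders
# (RFC 2606 names, RFC 5737 addresses), not real systems. Headers not used below are omitted.
SAMPLE = """\
Received: from f51.example.net (F51.example.net [192.0.2.51])
    by camel9.example.com (8.8.5/8.8.5) with ESMTP id WAA29149
    for <me@example.com>; Thu, 11 Sep 1997 22:40:20 -0400 (EDT)
Received: (from root@localhost) by f51.example.net (8.8.5/8.8.5) id TAA22003
    for suzy@example.org; Thu, 11 Sep 1997 19:40:18 -0700 (PDT)
Message-Id: <199709120240.TAA22003@f51.example.net>
Received: from 198.51.100.7 by www.example.net with HTTP; Thu, 11 Sep 1997 19:40:18 PDT
X-Originating-IP: [198.51.100.7]
"""

# Constructed forgery: only the top Received: line (written by the recipient's own server) is
# genuine; the sender inserted the line below it, dated a day later, and chose the other headers.
FORGED = """\
Received: from f51.example.net (mail.203-0-113-9.example [203.0.113.9])
    by camel9.example.com (8.8.5/8.8.5) with ESMTP id WAA29149
    for <me@example.com>; Thu, 11 Sep 1997 22:40:20 -0400 (EDT)
Received: from bigbank.example (bigbank.example [192.0.2.10]) by f51.example.net (8.8.5/8.8.5)
    with SMTP id TAA22003 for suzy@example.org; Fri, 12 Sep 1997 19:40:18 -0700 (PDT)
Message-Id: <199709120240.TAA22003@bigbank.example>
X-Originating-IP: [192.0.2.999]
"""

# sendmail's layout: "from <HELO name> (<reverse DNS> [<peer IP>]) by <host> ... ; <date>".
# "(from user@localhost)" is what sendmail writes for a message handed to it locally, not over SMTP.
RECEIVED_RE = re.compile(
    r"^(?:\(from (?P<local>[^)]+)\) )?"
    r"(?:from (?P<helo>\S+) (?:\((?:(?P<rdns>[^\s\[]+) )?\[(?P<ip>[^\]]+)\]\) )?)?"
    r"by (?P<by>\S+)(?P<rest>.*?); (?P<date>.+)$"
)

@dataclass
class Hop:
    helo: Optional[str]        # name the sending machine announced for itself
    rdns: Optional[str]        # name the receiving machine looked up for the peer's IP
    ip: Optional[str]          # peer IP as seen by the receiving machine
    by: str                    # machine that wrote this line
    queue_id: Optional[str]    # receiver's queue id; sendmail reuses it in the Message-Id
    local_user: Optional[str]  # set only for local (non-SMTP) submission
    time: datetime             # timezone-aware, so hops in different zones compare correctly

def parse_received(value: str) -> Hop:
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Received: line: {text!r}")
    qid = re.search(r"\bid (\S+)", m.group("rest"))
    return Hop(m.group("helo"), m.group("rdns"), m.group("ip"), m.group("by"),
               qid.group(1) if qid else None, m.group("local"),
               parsedate_to_datetime(m.group("date")))

def hops_in_transit_order(raw: str) -> List[Hop]:
    """Each server prepends its Received: line, so the top one is the last hop; reverse them."""
    return [parse_received(v) for v in reversed(message_from_string(raw).get_all("Received", []))]

def is_valid_ipv4(addr: str) -> bool:
    """The article's rule: exactly four dotted numbers, each between 0 and 255."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def check_headers(raw: str, max_skew: timedelta = timedelta(minutes=5)) -> List[str]:
    """Return the inconsistencies found; an empty list means the chain is at least self-consistent."""
    msg = message_from_string(raw)
    hops = hops_in_transit_order(raw)
    findings = []
    # 1. Timestamps should not run backwards along the chain (compared as instants: each hop
    #    stamps in its own zone, and the article's example mixes EDT and PDT).
    for earlier, later in zip(hops, hops[1:]):
        if later.time < earlier.time - max_skew:
            findings.append(f"{later.by} stamped {later.time.isoformat()} but the previous hop "
                            f"{earlier.by} stamped {earlier.time.isoformat()}: time runs backwards")
    # 2. The announced name should agree with the receiver's own reverse lookup (a clue, not proof).
    for h in hops:
        if h.helo and h.rdns and h.helo.lower() != h.rdns.lower():
            findings.append(f"{h.by}: peer announced itself as {h.helo} but resolves to {h.rdns}")
    # 3. X-Originating-IP must be well formed and should match the first hop's source address.
    xoip = (msg.get("X-Originating-IP") or "").strip("[] ")
    if xoip and not is_valid_ipv4(xoip):
        findings.append(f"X-Originating-IP {xoip!r} is not a valid IPv4 address")
    elif xoip and hops and xoip not in (hops[0].helo, hops[0].ip):
        findings.append(f"X-Originating-IP {xoip} does not match the first hop's source")
    # 4. The Message-Id should name a machine in the chain and embed that machine's queue id.
    mid = (msg.get("Message-Id") or "").strip("<> ")
    if "@" in mid:
        local, host = mid.rsplit("@", 1)
        if not any(h.by.lower() == host.lower() and h.queue_id and h.queue_id in local for h in hops):
            findings.append(f"Message-Id {mid} is not tied to any hop's queue id")
    return findings
```

Calling check_headers(SAMPLE) returns an empty list; check_headers(FORGED) returns four findings: a hop stamped a day after the one that supposedly followed it, an announced name that disagrees with the reverse lookup, a malformed X-Originating-IP, and a Message-Id naming a machine that never handled the message. An empty list only means the headers agree with one another. A careful forger can make them agree, and the one line you can actually rely on is the top received: line written by your own server.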
- From: "Suzy Smith" <email@example.com>
Fairly simple: the name I entered in the settings of my hotmail.com account, and my hotmail.com address. It isn’t easy to fake this one from a hotmail.com account after you’ve created the account, but it would be laughably easy to fake it anywhere else, or simply to create the account with a fake name. As I said above, sendmail doesn’t do any kind of verification as to who is sending a message. MindSpring is the only place I’ve heard of that even requires a valid email address from the sender, and they don’t verify whether it is really the sender’s address. Hotmail doesn’t bother to verify the identity of people who sign up for their free accounts anyway, so I could have claimed to be Sarah Ferguson and they’d be none the wiser.
- To: firstname.lastname@example.org
The intended recipient. It’s simple here, but if there were multiple recipients you’d see a list of addresses separated by commas. If the address here isn’t one of your email addresses and you wonder how you got the email, look for a line that says cc: with your email address. If it isn’t there either, you were bcc’d on the message, a common tactic of spammers. Mail software doesn’t check whether the address in the to: field is valid, because delivery is driven by the envelope, not by this line: you could put anything here and put the real recipient’s address in the bcc: field. The address the message was actually delivered to usually shows up in the "for <...>" part of the received: line your own server added, so look there when the to: line makes no sense. I’ve seen lots of spam with to: addresses like "email@example.com" that are obviously faked.
- Subject: testing headers
Subject of the message as assigned by the sender.
- Date: Thu, 11 Sep 1997 19:40:18 PDT
The time the mail was sent, usually taken from the sender’s machine (in this case from hotmail’s clock rather than my own; it’s pacific daylight time again). I got email from a friend a little while ago, and this line said he sent it at 20:26:49. The received: line said MindSpring’s servers got it at 20:31:25, so either his clock is slightly slow or there was a five minute delay (he’s another MindSpring user).
- Restrict: no-external-archive
Actually, this one and the next one weren’t in the headers of the email from HotMail, but they are in many of the messages I receive. Restrict: no-external-archive is an extra header that can be used to tell anyone archiving, for instance, a mailing list in which you participate that you do not want your messages included in the archive. It’s much like the x-no-archive: header for usenet messages. Again, it’s an honor system; the archiving entity might ignore this header.
- X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
This one tells you the software the sender used to send the message. Sometimes it just isn’t in the headers at all. If, however, I received an odd message from a friend who is a Mac user and noticed that it was sent by someone using a Windows version of Eudora Pro, I’d strongly suspect it was a fake. The reverse doesn’t hold: the header is written by the sending software, so a forger can put whatever X-Mailer line they like in a message, and a matching one proves nothing.
In the next article, we will briefly look at messages sent through mailing lists.
Originally published February 10, 2001