Where’d That Email Come From?

This is the second in a series of articles on reading internet message headers. If you haven’t already done so, please read the first article, Reading Internet Message Headers.

This time we’re using a message I sent to myself from a hotmail.com account I set up for this purpose. None of the headers except the received: line will normally appear more than once in any message.

Return-Path: <me@hotmail.com>
Received: from f51.hotmail.com (F51.hotmail.com
	[]) by camel9.mindspring.com
	(8.8.5/8.8.5) with ESMTP id WAA29149
	for <cynthia@dev.null>;
	Thu, 11 Sep 1997 22:40:20 -0400 (EDT)
Received: (from root@localhost)
	by f51.hotmail.com (8.8.5/8.8.5) id TAA22003
	for cynthia@dev.null; Thu, 11 Sep 1997
	19:40:18 -0700 (PDT)
Message-Id: <199709120240.TAA22003@f51.hotmail.com>
Received: from by www.hotmail.com with HTTP;
	Thu, 11 Sep 1997 19:40:18 PDT
X-Originating-IP: []
From: "Suzy Smith" <me@hotmail.com>
To: cynthia@dev.null
Subject: testing headers
Date: Thu, 11 Sep 1997 19:40:18 PDT
Restrict: no-external-archive
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
  • Return-Path: <me@hotmail.com>
    This field is like the reply-to: field in Usenet headers, and like that field it is incredibly easy to forge.

  • Received: from f51.hotmail.com (F51.hotmail.com []) by camel9.mindspring.com (8.8.5/8.8.5) with ESMTP id WAA29149 for <cynthia@dev.null>; Thu, 11 Sep 1997 22:40:20 -0400 (EDT)
    Received: (from root@localhost) by f51.hotmail.com (8.8.5/8.8.5) id TAA22003 for cynthia@dev.null; Thu, 11 Sep 1997 19:40:18 -0700 (PDT)
    Received: from by www.hotmail.com with HTTP; Thu, 11 Sep 1997 19:40:18 PDT

    As in many messages, there are two received: lines. Sometimes forgers will deliberately insert misleading received: lines to make it seem as though the email went through a system that is wholly unrelated to the ones through which it actually travelled. Messages can also be sent through multiple servers to deliberately obscure their origins–it’s called “chaining” when you do it with anonymous remailers. Each machine that gets the message adds one received: line.

    In any case, the first line says that a machine at hotmail.com with the IP address passed this message to a machine at mindspring.com at 10:40pm eastern daylight time on September 11, 1997, and that it was addressed to cynthia@dev.null. Sometimes the name of the sending machine will be faked, so if I had reason to doubt the origin of the message I’d probably double-check to see just what machine was really Don’t worry about the (8.8.5/8.8.5) part, as (I believe) that’s just the version of sendmail the receiving computer is using.

    The second line says that the message was received from root@localhost by a machine at hotmail.com addressed to cynthia@dev.null. The time is different from the first, because it’s on pacific daylight time. Sendmail doesn’t verify the sender on email, so root@localhost is just the name given to that mail server when the message was handed to it. It could be anything from my real name to God to the IP address of my machine. MindSpring now requires that a valid email address be used to send mail through their servers–but it could be anybody’s valid email address anywhere, even abuse@mindspring.com, because sendmail doesn’t check.

    The third received line finally has some actual information as to who created the message. It says that the machine www.hotmail.com received the email through HTTP (hypertext transfer protocol–what the web uses) from Now someone could at least look and see that whoever sent it was using MindSpring, as is one of their IP addresses. It would take MindSpring examining their server logs, though, to know that I was the user logged in at that IP address at that time (MindSpring uses dynamic IP addressing now). The “with HTTP” part is somewhat unusual (well, to me, anyway) but makes sense because hotmail.com is a web-based email service.

    The time on the three received lines could be important if you’re trying to figure out whether any of those lines is faked–sometimes the time in one of them is patently ridiculous.

  • Message-Id: <199709120240.TAA22003@f51.hotmail.com>

    This one is the unique message ID that hotmail.com assigned to the message. With it they should be able to tell which user sent the message, even if I’d found a way to obscure my email address.

  • X-Originating-IP: []

    I’ve only seen this one from hotmail.com, too. That’s the IP address of the user who sent the email. It’s the same as the third received: line, but provides a cross-check in case someone had found a way to munge that line. With this or any other IP address, if it isn’t a valid IP address format you know it’s faked. IP addresses always have 4 sections (like and the digits in each place must be within the range 0 to 255. So is valid, but wouldn’t be. I’ve never seen this one faked, but that doesn’t mean that it can’t be faked.

  • From: "Suzy Smith" <me@hotmail.com>

    Fairly simple–the name I entered in the settings of my hotmail.com account, and my hotmail.com address. It isn’t easy to fake this one from a hotmail.com account after you’ve created the account–but it would be laughably easy to fake it anywhere else, or to simply create the account with a fake name. As I said above, sendmail doesn’t do any kind of verification as to who is sending a message. MindSpring is the only place I’ve heard of that even requires a valid email address from the sender, and they don’t verify as to whether it is really the sender’s address. Hotmail doesn’t bother to verify the identity of people who sign up for their free accounts, anyway, so I could have claimed to be Sarah Ferguson and they’d be no wiser.

  • To: cynthia@dev.null

    The intended recipient. It’s simple here, but if there were multiple recipients you’d see a list of names separated by commas. If the name here isn’t one of your email addresses and you wonder how you got the email, look for a line that says cc: with your email address. If it isn’t there, either, you were bcc’d on the message–a common tactic of spammers. Some mail software doesn’t even check to see if the address in the to: field is valid–so you could put anything there and put the real recipient’s name in the bcc: field. I’ve seen lots of spam with to: addresses like “all@aol.com” that are obviously faked.

  • Subject: testing headers

    Subject of the message as assigned by the sender.

  • Date: Thu, 11 Sep 1997 19:40:18 PDT

    Time the mail was sent, usually from the sender’s machine (in this case, from hotmail’s time rather than my own–it’s pacific daylight time again). I got email from a friend a little while ago, and this line said he sent it at 20:26:49. The received: line said MindSpring’s servers got it at 20:31:25, so either his clock is slightly slow or there was a five-minute delay (he’s another MindSpring user).

  • Restrict: no-external-archive

    Actually this one and the next one weren’t in the headers of the email from HotMail, but they are in many of the messages I receive. Restrict: no-external-archive is an extra header that can be used to tell anyone archiving, for instance, a mailing list in which you participate that you do not want your messages included in the archive. It’s much like the x-no-archive: header for Usenet messages. Again, it’s an honor system: the archiving entity might ignore this header.

  • X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)

    This one tells you the software the sender used to send the message. Sometimes it just isn’t in the headers at all. If, however, I received an odd message from a friend who is a Mac user and noticed that it was sent by someone using a Windows version of Eudora Pro, I’d know it was a fake.
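
The two sanity checks described above, received: times that make no sense and IP addresses that aren't four sections of 0 to 255, can be run over a header block automatically. This is an added example, not part of the original article: the sample headers, host names and 192.0.2.x addresses are constructed placeholders, and the five-minute allowance for clock drift is an assumption.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import AddressValueError, IPv4Address

# Constructed sample (placeholder hosts and documentation IPs), not the article's message.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP; Thu, 11 Sep 1997 22:40:20 -0400 (EDT)
Received: from [192.0.2.999] by web.example.net with HTTP;
\tFri, 12 Sep 1997 09:15:00 -0700 (PDT)
X-Originating-IP: [192.0.2.55]
"""

def bad_ips(value):
    """Bracketed literals that are not four sections in the range 0-255."""
    bad = []
    for literal in re.findall(r"\[([0-9.]+)\]", value):
        try:
            IPv4Address(literal)
        except AddressValueError:
            bad.append(literal)
    return bad

def hop_time(value):
    """Timestamp after the last ';' of a Received: value, or None."""
    try:
        when = parsedate_to_datetime(value.rpartition(";")[2].strip())
    except (TypeError, ValueError):
        return None
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)

def check_headers(raw, skew=timedelta(minutes=5)):
    msg = message_from_string(raw)
    findings = []
    for name in ("Received", "X-Originating-IP"):
        for value in msg.get_all(name, []):
            findings += [("bad-ip", name, lit) for lit in bad_ips(value)]
    # Each server adds its line on top, so reversed() gives travel order.
    times = [hop_time(v) for v in reversed(msg.get_all("Received", []))]
    for hop in range(1, len(times)):
        earlier, later = times[hop - 1], times[hop]
        if earlier and later and earlier - later > skew:
            findings.append(("time-goes-backwards", hop, str(earlier - later)))
    return findings

if __name__ == "__main__":
    for finding in check_headers(SAMPLE):
        print(finding)
```

A finding only says the headers disagree with themselves; as with the five-minute gap in the Date: discussion, a small difference is usually clock drift rather than forgery.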

In the next article, we will briefly look at messages sent through mailing lists.

Originally published February 10, 2001

One Comment

  1. Moses says:

    It’s hard to find knowledgeable people on this topic, but you sound like you know what you’re talking about! Thanks
