Spam and Email Headers (II/II)

Hey, welcome back! I knew you wanted to know more about deciphering email headers. If you haven’t done so already, please do go through the first part of this series. In this part we’ll be looking into email headers in detail and I’ll disclose what information they hold.

As discussed in the first part of the article:

How do I see the email headers?

There are different ways to check email headers in different email clients; here is a list by This list is quite comprehensive, but if your email client is not listed there, a quick search on the internet or your email client's documentation should get you what you need.

Here are the email headers from a spam mail I received. Let us start to dissect it, and hopefully by the end of this post they won't seem Greek to you 🙂
1. Delivered-To:
Received: by xxx..222.22.22 with SMTP id l19cs98734wec;
Tue, 3 Aug 2010 14:01:22 -0700 (PDT)
Received: by with SMTP id
Tue, 03 Aug 2010 14:01:15 -0700 (PDT)

2. Return-Path: <>

3. Received: from
( [xxx.170.170.170])
by with ESMTP id l4si10692605wba.10.2010.;
Tue, 03 Aug 2010 14:01:15 -0700 (PDT)

4. Received: from
( [])
by (Postfix) with ESMTP id 76F9268428B;
Tue, 3 Aug 2010 22:01:10 +0100 (BST)

5. X-MS-Has-Attach:
Thread-Topic: Winning number:PL/09788/60
Thread-Index: AcszTv6mcIdwDQt+QNiNHXTdKKg31g==
From: “WEB LINK” <>
X-OriginalArrivalTime: 03 Aug 2010 21:01:09.0684 (UTC) FILETIME=[FF79F740:01CB334E]
To: undisclosed-recipients:;
This is a multi-part message in MIME format.
Euro Lotto Promotion Company of Scotland.
Edinburgh, Scotland EH12 8LP,United Kingdom.
Ref: XYL /xxxxxxxxxxxxx
Batch: 24/xxxxxxxxxxxxx
Winning number:PL/09xxxxx
Congratulations winner.
.Blah Blah Blah…

Deciphering the headers.

1. Delivered-To: The message was sent to the email address on 3 Aug 2010 at 14:01:22 PDT (which is 7 hours behind GMT). Mail servers use the 24-hour clock, not AM/PM times.

2. Return-Path: If we reply to this mail, it will reach the inbox of the mail ID This may or may not be forged, depending on the intention of the spammer.

3. Received: This Received header shows that the mail was delivered from to So can be the spammer. Let's note down their IP address as follows.

On Linux:
$host has address xxx.171.171.171

On Windows:
Use nslookup; check my previous post for more information on how to use it. is the actual machine name of the server from which the mail was sent. Many popular mail servers record this, and the IP address beside it is ’s own IP address.
In email headers, any line can be forged. The most commonly forged line is the “From”, and the least forged is the “Received”. Only the Received lines added by servers you trust (your own provider's) are reliable, though; anything below them in the chain could have been inserted by the sender. Some mail servers are kind enough to state the actual machine name from which the mail was sent.
Let us check the Received line again:

Received: from
( [xxx.170.170.170])

As you can see, the mail pretends to come from but actually comes from whose IP address is xxx.170.170.170. So now we have the name of the server from which the spam was sent,; use the host command as mentioned in my previous post to get its IP address. Then do a whois on the IP address, check the abuse contact and complain to the ISP concerned. In many cases the host, in this case, might be an open relay.

So, we now have two IP addresses in our note.

4. Received: From here we can see that the message was delivered from to Since points to a local mail server, it is not much help. There is more here, though: the mail server used to send the spam is Postfix, and the ESMTP id (Postfix's queue ID) is 76F9268428B. This unique identifier can be used by the mail server administrator to identify the sender of the e-mail.

5. Here we get general information about the mail. The noticeable part is the “From:” section, which says This is the same as the Return-Path:. Most of the time the email address in the Return-Path: is not forged, since a spammer wants to get replies (potential customers) to his spam. So we see the domain here is Let's get its IP address now.

$host has address xxx.88.88.88
mail is handled by 10
$host has address xxx.172.172.172

Thus we have three IP addresses of mail servers: xxx.171.171.171, xxx.170.170.170 and xxx.172.172.172. Since all of them are in the same range, we can do a whois on any one of them.
On Linux, we can use the whois command.
$whois xxx.171.171.171
On Windows, we can check this site for whois information.
There I found the line given below.
remarks: report abuse to
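The manual walk through steps 3 to 5 above, written up as an added Python example (this is not code from the original post): it parses the Received: chain oldest-first, flags a hop whose announced name differs from the reverse DNS the receiving server recorded, converts every timestamp to UTC so hops can be compared, lists the addresses worth a whois (skipping the loopback/RFC 1918 hop of the local Postfix), and compares the From: and Return-Path: domains. The sample headers are constructed to mirror the post's; the hostnames and the 203.0.113.70 address are invented.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
# Constructed sample modelled on the post's headers; hostnames are invented and
# the IP is from the 203.0.113.0/24 documentation range, so it is nobody's server.
SAMPLE = """\
Return-Path: <prize@lotto-promo.example>
Received: from mail.lotto-promo.example (relay.hosting.example [203.0.113.70])
 by mx.example.net with ESMTP id l4si10692605wba.10;
 Tue, 03 Aug 2010 14:01:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by relay.hosting.example (Postfix) with ESMTP id 76F9268428B;
 Tue, 3 Aug 2010 22:01:10 +0100 (BST)
From: "WEB LINK" <prize@lotto-promo.example>
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                     # name the sender announced
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"  # reverse DNS and IP seen by receiver
    r"\s+by\s+(?P<by>\S+)"                                      # receiving server
    r"(?:.*?\bid\s+(?P<id>[^;\s]+))?", re.S)                    # queue / transaction id
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_received(raw):
    """Received hops oldest-first, each with a UTC stamp and a HELO/rDNS mismatch flag."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = RECEIVED_RE.search(value)          # header top is the newest hop
        if not m:
            continue
        hop = m.groupdict()
        hop["utc"] = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip()).astimezone(timezone.utc)
        hop["name_mismatch"] = bool(hop["rdns"]) and hop["helo"] != hop["rdns"]
        hops.append(hop)
    return hops

def public_ips(hops):
    """IPs worth a whois: skip loopback/RFC 1918 hops such as the local Postfix one."""
    return [h["ip"] for h in hops if h["ip"]
            and not any(ipaddress.ip_address(h["ip"]) in n for n in LOCAL_NETS)]

def sender_domains(raw):
    """Domains of From: and Return-Path:, to compare as the post does in step 5."""
    msg = message_from_string(raw)
    return tuple(parseaddr(msg.get(h, ""))[1].rpartition("@")[2]
                 for h in ("From", "Return-Path"))
```

On the sample, the outer hop announces itself as mail.lotto-promo.example but the receiver saw relay.hosting.example, the two timestamps are five seconds apart in UTC, and only 203.0.113.70 remains for the whois.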

Now you can shoot an email to the address above with all your heartfelt complaints! I hope this has been an informative journey for you, as it has been for me.

Note: All IP addresses and names in the article have been changed for obvious reasons and are completely imaginary.

About the Author

It has been over 6 months since Vicky Karmakar joined the Poornam family. A graduate in Information Technology, Vicky has always been interested in exploring newer ventures in open source technology, with an acute inclination towards network security. He also harbours a passion for writing poetry and cooking culinary delicacies.

Co-Authored by Hamish O. Lawrence
