Spam and Email Headers (II/II)
Hey, welcome back! I knew you wanted to know more about deciphering email headers. If you haven’t done so already, please do go through the first part of this series. In this part we’ll be looking into email headers in detail and I’ll disclose what information they hold.
As discussed in the first part of the article:
How do I see the email headers?
There are different ways to check email headers in email clients; here is a list by spamcop.net. This list is quite comprehensive, but if your email client is not listed there, a quick search on the internet or your email client's documentation should get you what you need.
Here are the email headers from a spam mail I received. Let us start to dissect them, and hopefully by the end of this post they won't seem Greek to you 🙂
1. Delivered-To: email@example.com
Received: by xxx..222.22.22 with SMTP id l19cs98734wec;
Tue, 3 Aug 2010 14:01:22 -0700 (PDT)
Received: by 10.227.128.4 with SMTP id
Tue, 03 Aug 2010 14:01:15 -0700 (PDT)
2. Return-Path: <firstname.lastname@example.org>
3. Received: from exchange-in-49.abcdmail.co.uk
by mx.google.com with ESMTP id l4si10692605wba.10.2010.08.03.14.01.12;
Tue, 03 Aug 2010 14:01:15 -0700 (PDT)
4. Received: from exch-exch.exchange.internal
by exchange-in-49.abcdmail.co.uk (Postfix) with ESMTP id 76F9268428B;
Tue, 3 Aug 2010 22:01:10 +0100 (BST)
Thread-Topic: Winning number:PL/09788/60
From: “WEB LINK” <email@example.com>
X-OriginalArrivalTime: 03 Aug 2010 21:01:09.0684 (UTC) FILETIME=[FF79F740:01CB334E]
This is a multi-part message in MIME format.
Euro Lotto Promotion Company of Scotland.
Edinburgh, Scotland EH12 8LP,United Kingdom.
Ref: XYL /xxxxxxxxxxxxx
.Blah Blah Blah…
Deciphering the headers.
1. Delivered-To: The message was sent to the email address firstname.lastname@example.org on 3 Aug 2010 at 14:01:22 PDT (which is 7 hours behind GMT). Mail servers do not use AM/PM clock time.
2. Return-Path: If we reply to this mail, it will reach the inbox of mail id email@example.com. This may or may not be forged, depending on the intention of the spammer.
3. Received: This Received header specifies that the mail was delivered from exchange-in-49.abcdmail.co.uk to mx.google.com. So abcdmail.co.uk can be the spammer. Let's note down their IP address as follows.
exchange-in-49.livemail.co.uk has address xxx.171.171.171
Use nslookup; check my previous post for more information on how to use it.
mail22.214.171.124.abcdmail.co.uk is the actual machine name of the server from where the mail was sent. This facility is provided by many popular mail servers and the IP address beside it is mail126.96.36.199.abcdmail.co.uk's own IP address.
In email headers, any line can be forged. The most forged line is the “From” and the least forged one is the “Received”. Some mail servers are kind enough to state the actual machine name from where the mail was sent.
Let us check the Received line again:
Received: from exchange-in-49.abcdmail.co.uk
As you can see, the mail is pretending to come from exchange-in-49.abcdmail.co.uk but is actually coming from mail188.8.131.52.abcdmail.co.uk, whose IP address is xxx.170.170.170. So now we have the name of the server from which the spam was sent, mail184.108.40.206.abcdmail.co.uk. Use the host command as mentioned in my previous post to get its IP address. Then do a whois for the IP address, check the abuse mail part and complain to the concerned ISP. In many cases the host, in this case mail220.127.116.11.abcdmail.co.uk, might be an open relay.
So, we have two IP addresses now in our notes.
4. Received: From here we can see that the message was delivered from exch-exch.exchange.internal, which points to a local mail server, so it is not much help. There is more here though: the mail server used to send the spam is Postfix and the mail ID is 76F9268428B. This unique identifier can be used by the mail server administrator to identify the sender of the e-mail.
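The checks from items 3 and 4 can be scripted. This Python sketch is an added example, not code from the original article: it walks the Received lines of a constructed message (hostnames and IPs are placeholders), converts each timestamp to UTC, flags hops where the announced name differs from the name the receiving server recorded, and lists the public IPs worth a whois lookup. It assumes the Postfix-style `from NAME (RDNS [IP])` layout.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, not the article's spam: names are placeholders and the
# addresses come from documentation and private ranges.
RAW = (
    "Delivered-To: user@example.com\n"
    "Received: from relay-in.example.net (mail7.example.net [192.0.2.25])\n"
    "\tby mx.example.com with ESMTP id abc123;\n"
    "\tTue, 03 Aug 2010 14:01:15 -0700 (PDT)\n"
    "Received: from exch.exchange.internal (unknown [10.1.2.3])\n"
    "\tby relay-in.example.net (Postfix) with ESMTP id 76F9268428B;\n"
    "\tTue, 3 Aug 2010 22:01:10 +0100 (BST)\n"
    "\nbody\n"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP = re.compile(
    r"from\s+(?P<claimed>\S+)"  # name the sending side announced
    r"(?:\s+\((?P<rdns>[^\s()\[\]]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"    # server that wrote this header
    r"(?:.*?\bid\s+(?P<id>[^\s;]+))?",  # queue ID for the server's admin
    re.S)

def parse_hops(raw):
    """Return the Received hops oldest-first, one dict per hop."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue  # e.g. "Received: by ..." lines with no "from" part
        hop = m.groupdict()
        ip = hop["ip"]
        stamp = value.rsplit(";", 1)[-1]  # the date follows the last ';'
        hop["utc"] = parsedate_to_datetime(stamp).astimezone(timezone.utc)
        rdns = (hop["rdns"] or "unknown").lower()
        hop["mismatch"] = rdns not in ("unknown", hop["claimed"].lower())
        hop["private"] = bool(ip) and any(ipaddress.ip_address(ip) in n for n in RFC1918)
        hops.append(hop)
    return hops[::-1]  # servers prepend headers, so the last one is oldest

def whois_candidates(raw):
    """Public IPs recorded by receiving servers: the ones worth a whois."""
    return [h["ip"] for h in parse_hops(raw) if h["ip"] and not h["private"]]
```

Only the Received line written by your own provider's server is trustworthy; anything below it was supplied by the sending side and can be forged.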
5. Here we get general information about the mail. The noticeable part is the “From:” section, which says firstname.lastname@example.org. This is the same as the Return-Path:. Most of the time, the email address in the Return-Path: section is not forged, since a spammer wants to get replies (potential customers) for his spam. So we see the domain here is abt45ye.co.uk. Let's get its IP address now.
abt45ye.co.uk has address xxx.88.88.88
abt45ye.co.uk mail is handled by 10 mailserver.abt45ye.co.uk.
$ host mailserver.abt45ye.co.uk.
mailserver.abt45ye.co.uk has address xxx.172.172.172
Thus we have 3 IP addresses of mail servers: xxx.171.171.171, xxx.170.170.170 and xxx.172.172.172. Since all of them are similar, we can do a whois on any one of them.
On Linux, we can use the command whois.
On Windows, we can check this site for whois information.
There I found the line given below.
remarks: report abuse to email@example.com
Now you can shoot an email to the email address above with all your heartfelt complaints! I hope this has been a knowledgeable journey for you, as it has been for me.
Note: All IP addresses and names in the article have been changed for obvious reasons and are completely imaginary.