Select Page

Spam and Email Headers (II/II)

Hey, welcome back! I knew you wanted to know more about deciphering email headers. If you haven’t done so already, please do go through the first part of this series. In this part we’ll be looking into email headers in detail and I’ll disclose what information they hold.

As discussed in the first part of the article:

How do I see the email headers ?

There are different ways to check email headers in email clients, here is a list by spamcop.net. This list is quite comprehensive, but if your email client is not listed there, a quick search on the internet or your email clients documentation should get you what you need.

Here are the email headers from a spam mail I received. Let us start to dissect it and hopefully by the end of this post they wont seem Greek to you 🙂
————————————————————————
1. Delivered-To: examplemanforspam@gmail.com
Received: by xxx..222.22.22 with SMTP id l19cs98734wec;
Tue, 3 Aug 2010 14:01:22 -0700 (PDT)
Received: by 10.227.128.4 with SMTP id
i4mr6900607wbs.106.1280869275233;
Tue, 03 Aug 2010 14:01:15 -0700 (PDT)

2. Return-Path: <mailer@abt45ye.co.uk>

3. Received: from exchange-in-49.abcdmail.co.uk
(mail234.170.170.170.abcdmail.co.uk [xxx.170.170.170])
by mx.google.com with ESMTP id l4si10692605wba.10.2010.08.03.14.01.12;
Tue, 03 Aug 2010 14:01:15 -0700 (PDT)

4. Received: from exch-exch.exchange.internal
(exch-exch.exchange.internal [10.15.15.15])
by exchange-in-49.abcdmail.co.uk (Postfix) with ESMTP id 76F9268428B;
Tue, 3 Aug 2010 22:01:10 +0100 (BST)

5. X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Winning number:PL/09788/60
Thread-Index: AcszTv6mcIdwDQt+QNiNHXTdKKg31g==
From: “WEB LINK” <mailer@abt45ye.co.uk>
X-OriginalArrivalTime: 03 Aug 2010 21:01:09.0684 (UTC) FILETIME=[FF79F740:01CB334E]
To: undisclosed-recipients:;
This is a multi-part message in MIME format.
Euro Lotto Promotion Company of Scotland.
Edinburgh, Scotland EH12 8LP,United Kingdom.
Ref: XYL /xxxxxxxxxxxxx
Batch: 24/xxxxxxxxxxxxx
Winning number:PL/09xxxxx
Congratulations winner.
.Blah Blah Blah…
————————————————————————

Deciphering the headers.

1. Delivered-To: The message was send to the email address examplemanforspam@gmail.com on 3 Aug 2010 at 14:01:22 PDT (which is 7 hours behind GMT). Mail servers do not use AM/PM clock time.

2. Return-Path: If we reply to this mail, it will reach the inbox of mail id mailer@abt45ye.co.uk. This may or may not be forged, depending on the intention of the spammer.

3. Received: This received header specifies mail was delivered from exchange-in-49.abcdmail.co.uk to mx.google.com. So abcdmail.co.uk can be the spammer. Lets note down their IP address as follows.

On Linux:
$host exchange-in-49.abcdmail.co.uk
exchange-in-49.livemail.co.uk has address xxx.171.171.171

On Windows:
Use nslookup, check my previous post for more information on how to use it.

mail234.170.170.170.abcdmail.co.uk is the actual machine name of the server from where the mail was sent. This facility is provided by many popular mail servers and the IP address beside it is mail234.170.170.170.abcdmail.co.uk‘s own IP address.
In email headers, any line can be forged. The most forged line is the “From” and least one is the “Received“. Some mailservers are kind enough to state the actually machine name from where the mail was sent.
Let us check the Received line again:

Received: from exchange-in-49.abcdmail.co.uk
(mail234.170.170.170.abcdmail.co.uk [xxx.170.170.170])

As you can see, the mail is pretending to come from exchange-in-49.abcdmail.co.uk but actually coming from mail234.170.170.170.abcdmail.co.uk whose IP address is xxx.170.170.170. So now we have the name of the server from where the spam was sent, mail234.170.170.170.abcdmail.co.uk, use the host command as mentioned in my previous post to get its IP address. Then do the whois for the IP address, check the abuse mail part and complain to the concerned ISP. In many cases the host, in this case mail234.170.170.170.abcdmail.co.uk, might be an open relay .

So, we have two IP address now in our note.

4. Received: From here we can see that the message was delivered from exch-exch.exchange.internal to exchange-in-49.abcdmail.co.uk. Since exch-exch.exchange.internal is pointing it to a local mail server, it is not much of a help. There is more here though, the mail server used to send the spam is Postfix and the mail ID is 76F9268428B. This unique identifier can be used by the mail server administrator to identify the sender of the e-mail.

5. Here we get general information of the mail. The noticeable part is the “From:” section which says mailer@abt45ye.co.uk. This is same as Return-Path: . Most of the time, the email address in the Return-Path: section is not forged, since a spammers wants to get replies (potential customers) for his spam. So we see the domain here is abt45ye.co.uk. Lets get its IP address now.

$host abt45ye.co.uk
abt45ye.co.uk has address xxx.88.88.88
abt45ye.co.uk mail is handled by 10 mailserver.abt45ye.co.uk.
$ host mailserver.abt45ye.co.uk.
mailserver.abt45ye.co.uk has address xxx.172.172.172

Thus we have 3 IP addresses of mail servers xxx.171.171.171, xxx.170.170.170 and xxx.172.172.172 . Since all of them are similar, we can do a whois on any one of them.
On Linux, we can use the command whois.
$whois xxx.171.171.171
On windows, we can check this site for whois information.
There I found the line given below.
remarks: report abuse to abuse@abt45ye.co.uk

Now you can shoot an email to the email address above with all your heartfelt complaints! I hope this has been a knowledgeable journey for you, as it has been for me.

Note: All IP addresses and names in the article have been changed for obvious reasons and are completely imaginary.


Bobcares
Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services. Our engineers manage close to 51,500 servers that include virtualized servers, cloud infrastructure, physical server clusters, and more.
MORE ABOUT BOBCARES