Email Headers - How to View them and Include them in Reporting a Spam or Scam

Email Headers -
How to View them and Include them in Reporting a Spam or Scam

Do you want to find out who REALLY sent that email? Or do you want to know how to copy the email header so that an enforcement agency can track down a spammer or scammer? Read on for:

• a brief explanation of headers and
• step by step instructions to view and copy the headers

---

A Brief Explanation of Email Headers

Internet e-mails include a "header" which usually includes (at least) the following:

1. From: The e-mail address, and optionally name, of the sender of the message
2. To: The e-mail address[es], and optionally name[s], of the receiver[s] of the message
3. Subject: A brief summary of the contents of the message
4. Date: The local time and date when the message was originally sent
5. Received: the route the message took when it was sent to you (which is important to trace the real origin of the email).

Each header field has a name and a value.

To:

Note that the "To" field in the header is not necessarily related to the addresses to which the message is delivered. The actual delivery list is supplied in the SMTP protocol, not extracted from the header content. The "To" field is similar to the greeting at the top of a conventional letter which is delivered according to the address on the outer envelope.

From:

Also note that the "From" field does not have to be the real sender of the e-mail message. It is very easy to fake the "From" field and let a message seem to be from any mail address. It is possible to digitally sign e-mail, which is much harder to fake. Some Internet service providers do not relay e-mail claiming to come from a domain not hosted by them, but very few (if any) check to make sure that the person or even e-mail address named in the "From" field is the one associated with the connection. Some internet service providers apply e-mail authentication systems to e-mail being sent through their MTA (email system) to allow other MTAs to detect forged spam that might apparently appear to be from them.

Received:

The "Received:" headers of any email message will tell you where the message originated and what route it took to get to you. That's what you need to know to be able to trace the email to it's real sender.

The Received header lists the steps in the email deliver process, in reverse order (most recent, your pc, at the top, and the starting point at the bottom). The the first one will be your own computer, and the last one should be the sender. The domain names and IP addresses in "Received: headers" are those of the actual machines that performed a portion of the delivery service. These headers can be faked, but it's harder to do than spoofing (faking) simple "From" addresses.

Other common header fields include:

1. Cc: carbon copy
2. Bcc: Blind Carbon Copy
3. Received: Tracking information generated by mail servers that have previously handled a message
4. Content-Type: Information about how the message has to be displayed, usually a MIME type

---

Step by step instructions on how to view and copy the headers

The email headers are generally hidden by most email programs.  To see them requires a couple of steps, which vary depending upon the email program you use. Here are directions for some of the more common email clients (programs):

While you are viewing the message,

• Outlook:
  • Select View
  • Select Options
• Outlook Express:
  • Right-click on an email message in the Inbox
  • Click on Properties on the menu that pops up.
  • Select the Details tab.
• AOL: 
  • Under the "To address"
  • click "Details"
• Yahoo mail
  • Open the email
  • click on "Standard Headers" on the right side, then
  • click on "Full Headers"
• Hotmail:
  • Login
  • Options(to the right of the "Contacts" tab)
  • Mail Display Settings link under the Additional Options column.
  • Message Headers.
  • Select Full
  • Click OK
  • Go back to your Inbox and view your mail, which will now show the headers
• Eudora:
  • Click the "Blah Blah Blah" button.
• Netscape:
  • Select: View
  • Click Headers
  • Select All
• WebMail:
  • Click "View Full Headers".

Once you can see the headers, you need only highlight them with your mouse, then copy and paste them into our feedback form.

If these directions aren't enough, Spamcop.com, a website that sells spam-blocking software (completely unaffiliated with CFR.org),  has an excellent set of visual directions to help you see and copy the full-headers in many of the popular email programs. These links take you to those pages:

Click on your email program:

• AOL
• Eudora
• Excite Webmail
• Forte Agent
• Hotmail
• IncrediMail
• Mozilla
• Microsoft Internet Mail
• Netscape 3
• Netscape 4
• Netscape Webmail
• Opera
• Outlook 2000
• Outlook Express
• Pegasus
• Yahoo Webmai

---

Want More Information?

How Internet e-mail works

These websites can provide more detail about email headers, what they are and how to read and use them!

• Reading Email Headers
  from Stopspam.org
  An in-depth analysis of how e-mail is sent and how to read its headers

• Reading Email Headers
  from UIC.edu

• Anatomy of an Email Message
  from bath.ac.uk
• How do I get my email program to reveal the email headers?
  from SpamCop.net
• How to Interpret Email Headers
  from Mindspring.com
  How to Interpret Email Headers. Table of Contents. Basic Mail Headers · Extended Mail headers · Resources · "Figuring Out Fake Email & News Posts"
• What Email Headers Can Tell You About the Origin of Spam - About Email
  from About.com
  Want to know where all the junk mail is really coming from? Find out how the source of spam can be determined using an email's header lines
• Tracking the source of email spam
  from rahul.net
  Spammers often forge the headers of their email in an attempt to avoid losing the trail. This line is not actually part of the email header, but mail transfer listing