Menu Close

Reading Internet Message Headers

At some point, you’re going to need (or just want) to know the true ori­gin of an email or news­group mes­sage. To do that, you have to deci­pher the head­ers of the mes­sage. It’s a use­ful skill for any inter­net user, so this is the first in a series of how-to articles.

While most news­read­ers and email pro­grams don’t dis­play all the head­ers of mes­sages by default, you do nor­mal­ly see the name and email address of the sender, date/time, and sub­ject for any news or email mes­sage. Those are head­ers. Any pro­gram should also have an option some­where to dis­play more head­ers, as there is far more infor­ma­tion avail­able, but most folks don’t need to see it for every mes­sage. If you don’t know how to get to the full head­ers in your soft­ware, check the help files or see if it’s list­ed here.

For instance, I receive emails from many mail­ing lists. All I see by default is:

Date: 10 Sep 1997 05:03:01 -0000
X-massmail: webmonkey.090997
From: Webmonkey <webmonkey-info@hotwired.com>
To: Webmonkey <webmonkey-announce@hotwired.com>
Subject: Elbow Grease - the Webmonkey newsletter

(body of message)

If I tell my email pro­gram to show me all the head­ers, though, I see:

Return-Path: <webmonkey-info@hotwired.com>
Received: from hardly.hotwired.com (hardly.hotwired.com
	[204.62.131.45]) by camel10.mindspring.com (8.8.5/8.8.5)
	with SMTP id RAA21069 for <cynthia@dev.null>;
	Wed, 10 Sep 1997 17:46:35 -0400 (EDT)
Received: (qmail 25634 invoked by uid 1100);
	10 Sep 1997 05:03:09 -0000
Date: 10 Sep 1997 05:03:01 -0000
Message-ID: <19970910050301.25630.qmail@hardly.
	hotwired.com>
Precedence: bulk
X-massmail: webmonkey.090997
From: Webmonkey <webmonkey-info@hotwired.com>
To: Webmonkey <webmonkey-announce@hotwired.com>
Subject: Elbow Grease - the Webmonkey newsletter

Because users can add cus­tom head­ers, and because some pro­grams don’t use some head­ers, you won’t always see exact­ly the same things in every mes­sage. There are cer­tain fields, though, that the inter­net news­group (NNTP) and email (SMTP) pro­to­cols require for every mes­sage, so you’ll always have those. I’m going to stick with the basics. The head­ers may not always appear in the same order, either.

Don’t believe every­thing you see in the head­ers of a mes­sage. The cur­rent inter­net pro­to­cols were not designed with secu­ri­ty in mind, so it is far too easy to forge some of the infor­ma­tion in the head­ers. It’s hard­er, but not impos­si­ble, to forge oth­ers, and you can usu­al­ly count on those for clues as to the sys­tem and user with whom the mes­sages orig­i­nat­ed. Users with shell accounts can do far more to hide their ori­gins than those with dial-up accounts, like the accounts Earth­Link sells.

If it’s so easy to forge head­ers, why both­er? Because they aren’t, in most cas­es forged–or not forged well. And most peo­ple do leave clues as to who they real­ly are, even when they’re forg­ing mes­sages. It takes a lot of know-how to com­plete­ly hide who you are and where a mes­sage orig­i­nat­ed (with­out using an anony­mous remail­er, any­way), so it does­n’t hap­pen very often. I know that some things can be forged, but haven’t a clue as to how to forge them–it isn’t some­thing most peo­ple ever both­er to learn, even if they are heavy inter­net users. Only net abusers and those who want to stop them have to go to such lengths.

Even know­ing what each of the head­er fields means, you need to learn how to use the tools to track down domain names, IP address­es, and so on. The Unix com­mands whois, nslookup and tracer­oute are invalu­able here. If you don’t have a shell account, there are plen­ty of pro­grams for PC users that will do the same, and there are also web­sites that will allow you to use the same com­mands. If you’re a Mac user, just open Ter­mi­nal and use the Unix com­mands direct­ly. Spam­Cop has a love­ly fea­ture, the Host Track­er, which lets you put in a domain name or IP address into their spam report­ing field and get an email address to use for send­ing com­plaints. There’s also the Email Head­er Ana­lyz­er, which makes head­er analy­sis about as easy as it can be.

As we go on, I’ll for­mat the head­ers dif­fer­ent­ly from the rest of the arti­cle text and place the head­er for each line or sec­tion just after it, but also show the whole mes­sage we’re using at the begin­ning of the sec­tion. Please under­stand that I’ve learned what I know on this sub­ject through hav­ing to trace many mes­sages over the past 25+ years, that I know absolute­ly zilch about the set­up and admin­is­tra­tion of mail and news servers, and that when I’m puz­zled, I do not hes­i­tate to hie myself to more learned indi­vid­u­als. What I do know, though, I’ll share, so that you’ll be bet­ter able to track the ori­gin of any harass­ing mes­sages or spam you receive. If I’ve made any errors here, I pray that you will be kind enough to email me to cor­rect my misunderstanding.

In the next arti­cle, we’ll look more close­ly at the head­ers of email mes­sages.

Orig­i­nal­ly pub­lished 1 Feb­ru­ary 2001. Last updat­ed 12 Sep­tem­ber 2021.