Instruct on the basics of determining the origin of email.

Learning the basics of how to read an extended email header may help you identify the appropriate ISP for sending complaints about abuse. It may also prevent you from falling victim to a con artist.

Example

Return-path: <blighsteve@pd.jaring.my>
Received: from smtp2.jaring.my (smtp2.jaring.my [192.228.128.47])
    by SHRSYS.HSLC.ORG (PMDF V5.2-32 #39799)
    with ESMTP id <01K3UFKP244S928GQP@SHRSYS.HSLC.ORG> for
    tyburski@SHRSYS.HSLC.ORG (ORCPT rfc822;tyburski@virtualchase.com); Tue,
    22 May 2001 00:27:12 EDT
Received: from psu0497 (j85.ptl40.jaring.my [161.142.31.99])
    by smtp2.jaring.my (8.10.1/8.10.1) with SMTP id f4M42kb02182; Tue,
    22 May 2001 12:02:46 +0800 (MYT)
Date: Thu, 21 Mar 2002 12:11:26 +0800
From: Steve Bligh <blighsteve@pd.jaring.my>
Subject: Five Is The Key To My Freedom, It Could Be Yours Too.
To: privacy@ [deleted string of email addresses]
Cc: manager@ [deleted string of email addresses]
Message-id: <023101c1d08f$4cebb120$83728ea1@psu0497>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
Content-type: multipart/alternative;
    boundary="----=_NextPart_000_01DF_01C1D0D1.865BF400"
X-Priority: 3
X-MSMail-priority: Normal
Original-recipient: rfc822;tyburski@virtualchase.com

Components of an Email Header

This expanded email header comes from an unsolicited email message sent to me under the subject line: "Five Is The Key To My Freedom, It Could Be Yours Too." It proceeds to inform me that I can make "over [a] half million dollars every 4 to 5 months from ... home for an investment of only $25 U.S. Dollars ...."

  1. First, expand the email header. Use your email software's help documentation for instructions about how to do this. Hint: look for this capability under options.
  2. Return-path: <blighsteve@pd.jaring.my>  Because of the ease with which spammers can forge the "return-path" and "from" fields, you do not want to rely on this information. It may, or may not, display a valid email account.
  3. Received: from smtp2.jaring.my (smtp2.jaring.my [192.228.128.47])
    by SHRSYS.HSLC.ORG (PMDF V5.2-32 #39799)
    with ESMTP id <01K3UFKP244S928GQP@SHRSYS.HSLC.ORG> for
    tyburski@SHRSYS.HSLC.ORG (ORCPT rfc822;tyburski@virtualchase.com); Tue,
    22 May 2001 00:27:12 EDT

    Received: from psu0497 (j85.ptl40.jaring.my [161.142.31.99])
    by smtp2.jaring.my (8.10.1/8.10.1) with SMTP id f4M42kb02182; Tue,
    22 May 2001 12:02:46 +0800 (MYT)
    This is the crucial part of the header we will try to decipher.
  4. Read the "received" fields from bottom to top. Interpret this example as follows: A host named "psu0497," whose real name is "j85.ptl40.jaring.my" at IP address 161.142.31.99 originated the message and sent it to host "smtp2.jaring.my," whose real name is smtp2.jaring.my at IP address 192.228.128.47. My email host -- shrsys.hslc.org -- received the message and routed it to me -- tyburski@shrsys.hslc.org. It has a unique message identification number on the HSLC host: 01K3UFKP244S928GQP@SHRSYS.HSLC.ORG. It also has a unique message identification number on host jaring.my -- f4M42kb02182.
  5. Forgeries also occur within the "received" lines, but many are relatively easy to spot. In the above example, the originator calls itself "psu0497," but the host machine, smtp2.jaring.my, records the IP address of the incoming connection and performs a reverse-DNS lookup on it. It discovers that the address belongs to j85.ptl40.jaring.my; hence the translation of "psu0497" as (j85.ptl40.jaring.my [161.142.31.99]). Whenever the host name in parentheses does not match the "received from" host name, a forgery may have occurred.
  6. Are we all set to go? Should we complain to the owner of smtp2.jaring.my or j85.ptl40.jaring.my? Let's gather more information first. Tools at SamSpade.org will assist. Enter 161.142.31.99 in the "address digger" and click "do stuff." We learn the reverse DNS name is valid and that MIMOS (Kuala Lumpur, Malaysia) owns the IP address. Traceroute provides the path data travels from Sam Spade to the machine at 161.142.31.99. Read the list from bottom to top. The last "hop" is jaring.my or MIMOS. Prior to arriving at MIMOS, data routed through Concert Global and GTE.
  7. When complaining about spam or other abuse, you want to send the complaint to the folks hosting the email account. In this case, it would be MIMOS. Two potential problems exist, though. First, MIMOS could be the spammer (It's not in this case. MIMOS is a large ISP in Malaysia.). Second, it may be more difficult to communicate with a foreign company. If either issue is a concern, you may want to send the complaint to the first intermediary, Concert Global. Click on the IP address located next to this company's name to obtain its location (London, England).
  8. To discover whether the email host has a complaint address, use Abuse.net. Enter the domain name of the entity to which you want to complain; e.g. concert.net. It responds with an email address for forwarding complaints.
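The bottom-to-top reading in steps 3 to 5 can be automated. The following Python script is an added example, not part of the original article: it takes a constructed copy of the header quoted above, walks the Received lines in transit order, pulls out the announced name, the receiver's reverse-DNS name and IP address, the relaying host and the receiver's message id, and flags any hop where the announced name and the reverse-DNS name disagree, as happens for "psu0497".

```python
import re
from email import message_from_string

# Constructed copy of the header quoted in the article, folded lines indented as RFC 822 requires.
RAW_HEADER = """\
Return-path: <blighsteve@pd.jaring.my>
Received: from smtp2.jaring.my (smtp2.jaring.my [192.228.128.47])
 by SHRSYS.HSLC.ORG (PMDF V5.2-32 #39799)
 with ESMTP id <01K3UFKP244S928GQP@SHRSYS.HSLC.ORG> for
 tyburski@SHRSYS.HSLC.ORG (ORCPT rfc822;tyburski@virtualchase.com); Tue,
 22 May 2001 00:27:12 EDT
Received: from psu0497 (j85.ptl40.jaring.my [161.142.31.99])
 by smtp2.jaring.my (8.10.1/8.10.1) with SMTP id f4M42kb02182; Tue,
 22 May 2001 12:02:46 +0800 (MYT)
From: Steve Bligh <blighsteve@pd.jaring.my>
Subject: Five Is The Key To My Freedom, It Could Be Yours Too.

"""

# One Received hop: "from <announced name> (<reverse-DNS name> [<IP>]) by <receiver> ... id <id>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>[^\s(]+)"                                        # name the sender announced
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9.]+)\]\))?"   # what the receiver saw
    r"\s+by\s+(?P<by>\S+)"                                             # the receiving host
    r"(?:.*?\bid\s+(?P<id>[^\s;]+))?",                                 # receiver's message id
    re.IGNORECASE,
)

def parse_hops(raw_header):
    """Return the Received hops in transit order (bottom of the header first)."""
    msg = message_from_string(raw_header)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        match = HOP_RE.search(flat)
        if not match:
            continue
        hop = match.groupdict()
        # The parenthesised name is the receiver's own reverse-DNS result; the name after
        # "from" is only what the sender claimed, so a mismatch is the warning sign from step 5.
        hop["suspicious"] = bool(hop["rdns"]) and hop["rdns"].lower() != hop["helo"].lower()
        hops.append(hop)
    return hops

if __name__ == "__main__":
    for hop in parse_hops(RAW_HEADER):
        flag = "  <-- announced name differs from reverse DNS" if hop["suspicious"] else ""
        print(f"{hop['helo']} ({hop['rdns']} [{hop['ip']}]) -> {hop['by']} id {hop['id']}{flag}")
```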

Resources

"How To Interpret Email Headers," Earthlink, 2001, reviewed online 15 March 2002.

"Internet Protocol Addressing and the Domain Name System," Samspade.org, reviewed online 15 March 2002.

"Reading Email Headers," Stopspam.org, 1997, reviewed online 15 March 2002.


COPYRIGHT: © 2001 Ballard Spahr Andrews & Ingersoll, LLP all rights reserved.

This information appears in Teaching Internet Research Skills, a teaching Web of The Virtual Chase at URL http://www.virtualchase.com/researchskills/quality4.html.