K
%Start Email Headers Can Tell You About the Origin of Spam GA
S
REGULAR Menu Lifewire Tech for Humans Newsletter! Search Close GO Email, Messaging, & Video Calls > Email
visibility
258 views
thumb_up
1 likes
N
Spammers will see their profits tumble if nobody buys from them (because you don't even see the junk emails). This is the easiest way to fight spam, and certainly one of the best.
thumb_up
13 likes
L
Complaining About Spam
You can affect the expenses side of a spammer's balance sheet, too. If you complain to the spammer's internet service provider (ISP), they will lose their connection and might have to pay a fine (depending on the ISP's acceptable usage policy).
thumb_up
36 likes
S
Since spammers know and fear such reports, they try to hide. That's why finding the right ISP isn't always easy. However, there are tools like SpamCop that simplify reporting spam correctly to the accurate address.
thumb_up
46 likes
C
Tim Robberts / Stone / Getty Images
Determining the Source of Spam
How does SpamCop find the right ISP to complain to? It takes a close look at the spam message's header lines.
thumb_up
35 likes
Z
These headers contain information about the path an email took. SpamCop follows the path until the point from which the spammer sent the email.
thumb_up
11 likes
S
From this point, also know as an IP address, it can derive the spammer's ISP and send the report to this ISP's abuse department. Let's take a closer look at how this works.
Email Header and Body
Every email message consists of two parts, the body and the header.
thumb_up
1 likes
L
The header is like the email envelope containing the sender's address, the recipient, the subject, and other information. The body has the text and the attachments.
thumb_up
12 likes
E
Some header information usually displayed by your email program includes: From: The sender's name and email address. To: The recipient's name and email address.
thumb_up
24 likes
C
Date: The date when the message was sent. Subject: The subject line.
Header Forging
The actual delivery of emails doesn't depend on any of these headers.
thumb_up
21 likes
V
They are just convenient. Usually, the From line, for example, will be sent to the sender's address so you know who the message is from and can reply quickly. Spammers want to make sure you cannot reply easily, and certainly don't want you to know who they are.
thumb_up
37 likes
S
That's why they insert fictitious email addresses in the From lines of their junk messages.
Received Lines
The From line is useless in determining the real source of an email.
thumb_up
18 likes
V
You don't need to rely on it. The headers of every email message also contain Received lines.
thumb_up
32 likes
L
Email programs do not usually display these, but they can be beneficial in tracing spam.
Parsing Received Header Lines
Just like a postal letter will go through several post offices on its way from sender to recipient, an email message is processed and forwarded by several mail servers. Imagine every post office putting a unique stamp on each letter.
thumb_up
22 likes
L
The stamp would say exactly when the mail was received, where it came from, and where it was forwarded to by the post office. If you got the letter, you could determine the exact path taken by the letter. This is precisely what happens with email.
thumb_up
46 likes
W
Received Lines for Tracing
As a mail server processes a message, it adds a particular line to the message's header. The Received line contains the server name and IP address of the machine the server received the message from, and the name of the mail server.
thumb_up
33 likes
E
The Received line is always at the top of the message header. To reconstruct an email's journey from sender to a recipient, start at the topmost Received line and go down to the last one, which is where the email originated.
Received Line Forging
Spammers know that people apply this procedure to uncover their whereabouts.
thumb_up
0 likes
D
They might insert forged Received lines that point to somebody else sending the message to fool the intended recipient. Since every mail server will always put its Received line at the top, the spammers' forged headers can only be at the bottom of the Received line chain.
thumb_up
10 likes
J
This is why you should start your analysis at the top and not just derive the point where an email originated from the first Received line (at the bottom).
How to Tell a Forged Received Header Line
The forged Received lines inserted by spammers look like all the other Received lines (unless they make an obvious mistake).
thumb_up
11 likes
E
By itself, you can't tell a forged Received line from a genuine one, which is where one distinct feature of Received lines comes into play. Every server notes who it is and where it got the message from (in IP address form).
thumb_up
23 likes
M
Compare what a server claims to be with what the server one notch up in the chain says it is. If the two don't match, the earlier is a forged Received line.
thumb_up
17 likes
L
In this case, the email's origin is what the server placed immediately after the forged Received says.
Example Spam Analyzed and Traced
Now that we know the theoretical underpinning, let's analyze a junk email to identify its origin in real life.
thumb_up
8 likes
H
We've just received an exemplary piece of spam that we can use for exercise. Here are the header lines: Received: from unknown (HELO 38.118.132.100) (62.105.106.207) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000 Received: from [235.16.47.37] by 38.118.132.100 id ; Sun, 16 Nov 2003 13:38:22 -0600 Message-ID: From: "Reinaldo Gilliam" Reply-To: "Reinaldo Gilliam" To: ladedu@ladedu.com Subject: Category A Get the meds u need lgvkalfnqnh bbk Date: Sun, 16 Nov 2003 13:38:22 GMT X-Mailer: Internet Mail Service (5.5.2650.21) MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="9B_9.._C_2EA.0DD_23" X-Priority: 3 X-MSMail-Priority: Normal Can you tell the IP address where the email originated?
Sender and Subject
First, look at the forged From line.
thumb_up
19 likes
N
The spammer wants to make it look like the message came from a Yahoo! Mail account. With the Reply-To line, this From address aims to direct all bouncing messages and angry replies to a non-existing Yahoo!
thumb_up
18 likes
M
Mail account. Next, the Subject is a curious accumulation of random characters.
thumb_up
34 likes
A
It is barely legible and designed to fool spam filters (every message gets a slightly different set of random characters). Still, it is also quite skillfully crafted to get the message across despite this.
thumb_up
17 likes
C
The Received Lines
Finally, the Received lines. Let's begin with the oldest, Received: from [235.16.47.37] by 38.118.132.100 id ; Sun, 16 Nov 2003 13:38:22 -0600.
thumb_up
45 likes
A
There are no hostnames in it, but two IP addresses: 38.118.132.100 claims to have received the message from 235.16.47.37. If this is correct, 235.16.47.37 is where the email originated, and we'd find out which ISP this IP address belongs to, then send an abuse report to them.
thumb_up
1 likes
I
Let's see if the next (and in this case last) server in the chain confirms the first Received line's claims: Received: from unknown (HELO 38.118.142.100) (62.105.106.207) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000. Since mail1.infinology.com is the last server in the chain and indeed "our" server, we know that we can trust it. It has received the message from an "unknown" host claiming to have the IP address 38.118.132.100 (using the SMTP HELO command).
thumb_up
8 likes
A
So far, this is in line with what the previous Received line said. Now let's see where our mail server did get the message from. To find out, look at the IP address in brackets immediately before by mail1.infinology.com.
thumb_up
23 likes
D
This is the IP address the connection was established from, and it is not 38.118.132.100. No, 62.105.106.207 is where this piece of junk mail was sent from. With this information, you can now identify the spammer's ISP and report the unsolicited email to them to kick the spammer off the net.
thumb_up
7 likes
S
Was this page helpful? Thanks for letting us know!
thumb_up
1 likes
C
Get the Latest Tech News Delivered Every Day
Subscribe Tell us why! Other Not enough details Hard to understand Submit More from Lifewire How to View Full Message Headers in Mozilla Thunderbird How to Forward an Email as an Attachment in Outlook How to Find the IP Address of an Email Sender How to Send Email From a PHP Script How to Use AOL Mail Through an Email Client How to Send Email to Bcc Recipients in iPhone Mail What You Need to Know About Mailer Daemon Spam Ignore Delivery Failures of Messages You Did Not Send How to View the Source of a Message in Gmail How to Send Email From a PHP Script Using SMTP Authentication How to See Full Email Headers in Outlook.com How to Search Mail in iPhone Mail The 5 Best Secure Email Services for 2022 How to Send Spam to the Spam Folder in Yahoo Mail How to Access an Email Message Source in Outlook.com Differences Between the Email Body and the Header Newsletter Sign Up Newsletter Sign Up Newsletter Sign Up Newsletter Sign Up Newsletter Sign Up By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. Cookies Settings Accept All Cookies
thumb_up
10 likes
Similar Discussions
-
IND vs SA 2022 3 Indian players whose form is still questionable heading into the South Africa T20I series
-
Crosshair profiles of all players from Valorant Champions 2022 Istanbul yay stax Boaster and more
-
He s doing well but I think there s much more room for improvement for him because he has so many skills Ten Hag lavishes praise on Manchester United star after Sheriff win
-
Efforts will be made to reduce the disparity in salary between male and female footballers New AIFF chief Kalyan Chaubey
-
PUBG Mobile PMPL SEA 2022 Play Ins teams schedule map order and more
-
Cleveland Clinic At Work
-
Wi Fi monitor Analyzer APK Download for Android APKfun com
-
Kids Frames APK Download for Android
-
KPOST APK Download for Android
-
VÚB Mobile Banking APK Download for Android
-
Base Tracking APK Download for Android
-
Old Maid APK Download for Android
-
Fällt halt nix APK Download for Android
-
Hair salon APK Download for Android
-
Ligue des champions formule diffusion gratuite les Lyonnaises et les Parisiennes concurrenc es Tout ce qu il faut savoir sur la comp tition Ligue Des Champions Sports
-
Furlan ne regrette pas ses doigts d honneur aux supporters de Clermont Football Ligue 1
-
EDF sonne la mobilisation g n rale pour aider ses clients baisser leur consommation
-
P nurie de carburant Que la CGT permette au pays de fonctionner revivez l interview d Emmanuel Macron Politique
-
M dicos alertan de que existir a una relaci n l gica de las muertes repentinas cardiovasculares con el COVID 19
-
Tiktok to introduce adult only content feature
-
Guerra en Ucrania Rusia se prepara para dar la batalla por Jers n Guerra En Ucrania Rusia
-
Razer merch drop sets its sights on a brand new market Dexerto
-
Ironmouse breaks down as CDawg raises $300k for charity helping her condition Dexerto
-
Nobody 2 Cast plot amp everything we know
-
Asmongold celebrates the crypto and NFT crash I don t feel bad
-
Johnny Depp Top 10 Movies Of All Time The Nerd Stash
-
Guy Tweets Adorable Story Of How He Ended Up Adopting A Tiny Tree Frog He Discovered In His Lettuce Box
-
Stuff 30 Folks In This Online Group Would Do Differently If They Had Their Current Knowledge When They Were 15 Years Old
-
Roku Jumps Into Connected Living With Its Own Smart Home Devices
-
How to Display the Menu Bar in Internet Explorer