Examples of Valid Email Headers

Let's take a look at the basic header that a mail program shows for a real email:

Delivered-To: mango@snowcrash.pobox.com
X-Originating-IP: [208.194.21.2]
To: mango@snowcrash.pobox.com
Subject:
Date: Tue, 11 Aug 2000 12:59:36 PDT
Lines: 57

This header is pretty clear-cut. The email was delivered to mango@snowcrash.pobox.com. Although there is no From: field, the X-Originating-IP: field records the machine the sender was using when the message was submitted: 208.194.21.2. An IP address is the number assigned to a machine on the network. If this were a spammer, that number is all we would have to go on: no user name, only an address, which at best leads to whoever operates that network. Any field whose name starts with X- is a non-standard extension field; it may have been added by the user, their email client software, a filter system, or a mailing list manager, and nothing in the mail protocol stops a sender from writing whatever they like into it. Therefore, treat any field starting with X- as forgeable unless you know which machine added it.

The subject line of an email is generally optional, and we can see that this is the case here because the sender has left it blank.

The Date: line tells us when the email was sent, and the Lines: field gives the length of the message body in lines (57 here), not its size in bytes.

Here's a question: could this header have been forged? A tough question indeed. Actually, it could have been: every field shown so far was supplied by the sending side. Full email headers are much longer than the one above, since a header documents every step of the mail's travels. Now, most folks couldn't care less about the path of the mail they receive, so their mail program hides the header information down to the bare essentials above. After all, unless you're analyzing headers, all you want to know is:

  1. Who sent me the mail?
  2. Which address was it sent to?
  3. When was it sent?
  4. What is it about?

But since the goal here is to learn how to read headers, let's get the full headers. How you access full headers depends upon your mail program; we have a web page with instructions for most email clients. Here's what I get:

From chili@hotmail.com Tue Aug 11 15:58:02 2000
Delivered-To: mango@snowcrash.pobox.com
Received: from hotmail.com (f148.hotmail.com 207.82.251.27)
                by snowcrash.pobox.com (VMailer) via SMTP
                id 194D517D0C; Tue, 11 Aug 2000 15:57:26 -0400 (EDT)
Received: (qmail 10862 invoked by uid 0);11 Aug 2000 19:59:38 -0000
Message-ID: <20000811195938.10861.qmail@hotmail.com>
Received: from 208.194.21.2 by www.hotmail.com with HTTP;
                Tue, 11 Aug 2000 12:59:36 PDT
X-Originating-IP: [208.194.21.2]
From: "Megan V."
To: mango@snowcrash.pobox.com
Subject:
Content-Type: text/plain
Date: Tue, 11 Aug 2000 12:59:36 PDT
Content-Length: 2093
Lines: 57
Status: RO

Let's start from the top down and figure out where this email has been. First we see a From line with no colon after it. That is not a header field at all: it is the mailbox separator line that the delivering program wrote when it stored the message, and it records the "envelope sender" (the address given in the SMTP MAIL FROM command) together with the delivery time. Nothing authenticates that address; the sending system can put anything it likes in MAIL FROM, so the envelope sender is forgeable by whoever controls the SMTP transaction.

Now that we know what the mail claims about its origin, the next most important thing is knowing how the mail got here. The Delivered-To: line is actually the end of the email's voyage: the mailbox into which the final mail exchanger, snowcrash.pobox.com, placed the message, mine. Note that not every system adds a Delivered-To: line; it depends on the software the receiving mail exchanger runs.

Before that, the mail was sent from Hotmail to the domain where I have my email account, snowcrash.pobox.com, and the first Received: line records that transfer. Read it carefully, because it has two parts that are not equally trustworthy. The name right after "from" (hotmail.com) is what the connecting machine announced about itself in the SMTP greeting (HELO); that is only a claim. The part in parentheses, f148.hotmail.com 207.82.251.27, is what snowcrash itself observed: the IP address the connection came from and the name it looked up for that address. Domain names are just that, names; the IP address is what actually identifies the machine. (The IP address of snowcrash isn't recorded; I should know my own IP address, right?) The same line tells us how the mail got here, by SMTP from Hotmail to snowcrash, gives a message identification that snowcrash assigned (id 194D517D0C), and the exact time the transaction took place including time zone: Tue, 11 Aug 2000 15:57:26 -0400 (EDT).

The next Received: line shows where the email was before it left for my email address's domain: Received: (qmail 10862 invoked by uid 0); 11 Aug 2000 19:59:38 -0000. This is how the qmail mail transport agent records a message handed to it by a local program (here one running as uid 0, that is, root: Hotmail's web front end) rather than one received over the network. It happened on August 11, 2000, at 19:59:38 (hours:minutes:seconds). Doesn't something seem unusual about this? After all, the email arrived at snowcrash at 15:57:26, or 3:57 PM.

A note about computer time: mail servers don't stamp headers with whatever their wall clock happens to show. The common reference is Greenwich Mean Time (GMT, also written UTC), a "starting point" for organizing time, and every timestamp carries its own offset from GMT, so times written by machines in different zones can be compared. An offset of -0000 or +0000 means the time given is already GMT. Confused? Let's look at an example from the headers above.

Snowcrash notes the time it received this email in the header like this: Tue, 11 Aug 2000 15:57:26 -0400 (EDT). After the date and time, it says -0400 (EDT). EDT means Eastern Daylight Time, the time zone in which snowcrash is located. But what if you didn't know what EDT meant? In that case, look at the -0400: this local time is four hours behind Greenwich Mean Time, so add four hours to get GMT, 19:57:26.

According to the header, the email was handed to Hotmail's qmail at 19:59:38 Greenwich Mean Time. Eastern Daylight Time (the summer form of Eastern Standard Time) is four hours behind that, so by Hotmail's clock snowcrash should have received the mail no earlier than 15:59:38 EDT. Does it match up? Nearly: snowcrash stamped its line 15:57:26 EDT, about two minutes before Hotmail says it sent the mail. Mail can't arrive before it is sent, so one of the two clocks is off by a couple of minutes. Skew like that between independently run servers is common, and it is a reminder that a Received: timestamp is only as good as the clock of the machine that wrote it.

Let's get back to the header. The next line is a Message-ID, which is very important for tracking an email through mail servers' logs. After that is another Received: field. Does the number 208.194.21.2 look familiar? It's the same IP address we saw in X-Originating-IP. So let's read through that received line: Received: from 208.194.21.2 by www.hotmail.com with HTTP. This mail was received from machine 208.194.21.2 by Hotmail's World Wide Web site, over HTTP, which means my friend composed it in her browser. She sent the mail on Tue, 11 Aug 2000 12:59:36 PDT. That's Tuesday, August 11, 2000, at 12:59:36 Pacific Daylight Time. You may be wondering why there is no numeric offset from Greenwich Mean Time here. PDT is one of the zone names the original mail standard (RFC 822) allowed in place of a numeric offset; it means seven hours behind GMT, so this is 19:59:36 GMT. Numeric offsets are preferred today because zone abbreviations are ambiguous, but Hotmail's software wrote the name.

The rest of the header is pretty self-explanatory: basic to, from, and content information. Before I go on, a quick recap: my friend Megan V. sent this mail from Hotmail's website at 12:59:36 Pacific Daylight Time, which is 19:59:36 GMT. Two seconds later, at 19:59:38 GMT, Hotmail's qmail took it. Then it arrived at snowcrash, whose clock read 15:57:26 EDT (don't let the unsynchronized clocks throw you), and snowcrash delivered it to my mailbox at 15:58:02.

Now that we understand how to read the header, let's get back to the original question: could this have been forged? First we need to know which fields of a header are forgeable. When I originally gave the truncated header, everything you saw could have been forged, even the date: To:, From:, Subject:, Date: and any X- field are all part of the message the sender composes, and an SMTP transaction does nothing to verify them. Received: lines are different. Each server adds its own Received: line above everything it was given, and the original sender cannot remove or alter the lines added after the message leaves her hands (although she can add lines of her own before sending).

When Megan sent me this email, she filled in the information for the To: and From: fields. Then her machine (here, Hotmail's website) filled in the date. After that, it was up to Hotmail and each subsequent machine to document the passage of her email. She could have planted Received: lines of her own, but because every relay puts its line above whatever it receives, hers would be huddled together at the bottom, below all the genuine Received: lines. Her forged lines could never get in between the entries that machines made after she sent the mail.

The header above would be very hard to forge, so I'm going to treat the email as authentic. As you can see, the Received: lines go in a logical order: the topmost was written by my own mail server, which I trust, and the lines below it are consistent with a message that really came from Hotmail, allowing for a little clock skew. Also, the address in the To: field is indeed my address (this is often not the case with forged mail).
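The checks walked through above (reading the Received: chain top down, converting the -0400, -0000 and PDT timestamps to GMT, separating the name a peer claimed from what the receiving server observed, spotting clock skew between hops, and seeing where a sender-planted Received: line can land) as an added Python example. This is not code from the original tutorial. The message text is the tutorial's own full headers re-typed as constructed input; the planted Received: line, the hostnames mail.bank.example and relay.example.net, and the address 192.0.2.10 are made up for the demonstration.

```python
"""Added example: read a Received: trail the way the tutorial does by hand.
Not code from the original page."""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_tz

# Constructed input: the tutorial's full headers re-typed, body omitted.
RAW_MESSAGE = """\
From chili@hotmail.com Tue Aug 11 15:58:02 2000
Delivered-To: mango@snowcrash.pobox.com
Received: from hotmail.com (f148.hotmail.com 207.82.251.27)
\tby snowcrash.pobox.com (VMailer) via SMTP
\tid 194D517D0C; Tue, 11 Aug 2000 15:57:26 -0400 (EDT)
Received: (qmail 10862 invoked by uid 0);11 Aug 2000 19:59:38 -0000
Message-ID: <20000811195938.10861.qmail@hotmail.com>
Received: from 208.194.21.2 by www.hotmail.com with HTTP;
\tTue, 11 Aug 2000 12:59:36 PDT
X-Originating-IP: [208.194.21.2]
From: "Megan V."
To: mango@snowcrash.pobox.com
Subject:
Date: Tue, 11 Aug 2000 12:59:36 PDT

"""
# Constructed: a Received: line a sender might plant among her own headers
# (hostnames and address are made up for the demonstration).
FORGED = ("Received: from mail.bank.example (mail.bank.example 192.0.2.10) "
          "by relay.example.net; Tue, 11 Aug 2000 11:00:00 -0000")

def to_utc(stamp):
    """RFC 822 date -> aware UTC datetime.  parsedate_tz knows the legacy zone
    names (PDT = -0700, EDT = -0400); it returns None for '-0000', which is UTC."""
    parts = parsedate_tz(stamp.strip())
    if parts is None:
        raise ValueError(f"unparseable date: {stamp!r}")
    local = datetime(*parts[:6], tzinfo=timezone(timedelta(seconds=parts[9] or 0)))
    return local.astimezone(timezone.utc)

def parse_received(value):
    """One Received: field -> {claimed, observed, by, time}.  'claimed' is the
    HELO name the peer announced; 'observed' is what the receiver itself saw."""
    flat = " ".join(value.split())                    # fold continuation lines
    clause, _, stamp = flat.rpartition(";")           # the date follows the last ';'
    hop = {"claimed": None, "observed": None, "by": None, "time": to_utc(stamp)}
    m = re.match(r"from (\S+)(?: \(([^)]*)\))?", clause)
    if m:
        hop["claimed"], hop["observed"] = m.group(1), m.group(2)
    m = re.search(r"\bby (\S+)", clause)
    if m and not clause.startswith("("):              # "(qmail ... invoked by uid 0)": local hand-off, no relay
        hop["by"] = m.group(1)
    return hop

def hops(raw):
    """Received: lines in header order, i.e. newest (final delivery) first."""
    return [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]

def helo_consistent(hop):
    """Does the announced name agree with the reverse-DNS name the receiver
    logged?  None when the line gives nothing to compare."""
    if not hop["claimed"] or not hop["observed"]:
        return None
    seen = hop["observed"].split()[0]
    return seen == hop["claimed"] or seen.endswith("." + hop["claimed"])

def clock_skews(trail):
    """Seconds each hop's stamp is ahead of the hop below it.  Negative means the
    newer server's clock is behind the older one's: skew, not proof of tampering."""
    return [int((trail[i]["time"] - trail[i + 1]["time"]).total_seconds())
            for i in range(len(trail) - 1)]

def handoff_point(trail, my_domain):
    """Walk top-down while the 'by' host is ours and return what our last server
    observed about its peer.  Everything below that line came over the wire from
    that peer and is only as trustworthy as the peer."""
    last_ours = None
    for hop in trail:
        if not (hop["by"] and hop["by"].endswith(my_domain)):
            break
        last_ours = hop
    return last_ours["observed"] if last_ours else None

def deliver(submitted_headers, relays):
    """Simulate the trip: each relay, in visiting order, prepends its Received:
    line to the header block it was handed."""
    for received in relays:
        submitted_headers = received + "\n" + submitted_headers
    return submitted_headers + "\n\n"

def forged_trail():
    """Replay the tutorial's delivery with FORGED planted by the sender: it can
    only surface below every genuine hop, never between two of them."""
    msg = message_from_string(RAW_MESSAGE)
    genuine = ["Received: " + v for v in msg.get_all("Received")]      # newest first
    rest = [f"{k}: {v}" for k, v in msg.items() if k not in ("Received", "Delivered-To")]
    return hops(deliver("\n".join([FORGED] + rest), reversed(genuine)))

if __name__ == "__main__":
    trail = hops(RAW_MESSAGE)
    for h in trail:
        print(h["time"].isoformat(), "by", h["by"], "claimed", h["claimed"], "observed", h["observed"])
    print("skew per hop (s):", clock_skews(trail))                    # [-132, 2]
    print("handed to us by:", handoff_point(trail, "snowcrash.pobox.com"))
    print("planted line lands at index", len(forged_trail()) - 1)     # 3, the bottom
```

The skew list reproduces the two-minute discrepancy discussed above (snowcrash's stamp is 132 seconds earlier than Hotmail's, while Hotmail's two internal stamps are two seconds apart), and handoff_point marks the boundary a reader should keep in mind: the line written by your own server is the last one you can vouch for, and everything below it was presented by the peer at 207.82.251.27.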
