(The original of this page is here, we have made a local copy available at this location in case the original is offline. Please view the original if the link is OK, and please inform us if the original link does not work by sending mail to RAMCharger (at) RAMCharger.com)
 
Deciphering Email Headers


Why look at email headers?

If you want to write to the domain administrators where the spam originated, you need to understand email headers. You cannot just 'Reply' to the message to give the spammer a piece of your mind, because it is very easy to fake an email address. In fact, some spammers leave clear hints that they have forged an address.

Searching through headers

Here is a sample email header. The final recipient's address is 'you@your.domain.com'.

Received: (2228 bytes) by <your.domain.com> via sendmail with P:stdio/D:user/T:local
    (sender: <29086328@compuserve.com>) id m0xUFxr-001cL6C@your.domain.dom
    for you@your.domain.com; Sat, 8 Nov 1997 10:50:35 -0800 (PST)
    (Smail-3.2.0.98 1997-Oct-16 #12 built 1997-Oct-28)
Received: from simon.pacific.net.sg (simon.pacific.net.sg [203.120.90.72])
    by your.domain.com (8.8.7/8.7.3) with ESMTP id KAA01565;
    Sat, 8 Nov 1997 10:43:34 -0800 (PST)
From: 29086328@compuserve.com
Received: from pop1.pacific.net.sg (pop1.pacific.net.sg [203.120.90.85])
    by simon.pacific.net.sg with ESMTP id CAA25373;
    Sun, 9 Nov 1997 02:44:51 +0800 (SGT)
Received: from po.pacific.net.sg (hd58-032.hil.compuserve.com [199.174.238.32])
    by pop1.pacific.net.sg with SMTP id CAA12179;
    Sun, 9 Nov 1997 02:43:10 +0800 (SGT)
Received: from mail.compuserve.com (mail.compuserve.com (205.5.81.86))
    by compuserve.com (8.8.5/8.6.5) with SMTP id GAA04211 for <87789123456@aol.com>

It may look confusing, but there are some patterns that tell you everything you need to know. The header can be broken into several sections, each beginning with the word "Received". 

The first 'Received' is from your email server. This section lists the supposed sender, the message ID number, and when the message came in. The other 'Received: from' tags are from remailers that the spammer used to make it more difficult to track him/her down.

  1. Find the last 'Received: from' entry in the header. This usually shows the originating server.
  2. Find and write down the server domain and its IP address. This information appears in parentheses in each 'Received: from' entry.
 
Machine Name                  IP Address
mail.compuserve.com           205.5.81.86
hd58-032.hil.compuserve.com   199.174.238.32
pop1.pacific.net.sg           203.120.90.85
simon.pacific.net.sg          203.120.90.72