Every single Internet e-mail message is made up of two parts–the header and the message body. Knowing how to check an Internet header can for example come in handy, if you’re tracing who the original sender of a spoofed e-mail message is, or just to see if a given e-mail message actually is spoofed.
Every single e-mail you received from other organizations on the Internet contains an Internet Header. A valid Internet e-mail header provides a detailed log of the network path taken by the message between the mail sender and the mail receiver(s), this Internet mail header can sometimes be quite long depending on the network path between sender and receiver.
Your email client program will usually hide the full header or display only lines, such as From, To, Date, and Subject, see Figure 1 for an example of the default shown headers when opening an e-mail message in Outlook 2003.
Figure 1: Default Shown Header in an Outlook 2003 E-mail Message
The Internet header of an e-mail message can have twenty lines or more showing all kinds of information about the message, like which servers the email has traveled through and when (although spammers sometimes forge some of the header to disguise the e-mail’s actual origin). Your e-mail program can also display the “full” header of an email, though it may not be obvious how. Below we will show you how this is done in an Outlook 2003 client:
Start Outlook 2003
Open an e-mail message for example by double-clicking on it
In the menu select View | Options
You should also be able to right-click the message and select Options in the context menu.
We’re now presented with the screen shown in Figure 2.
Figure 2: Internet Header in Outlook 2003
In the bottom of figure 2 you can see the Internet headers, but as the header is too big for us to be able to see it in the Internet header box, I’ve copy/pasted it below:
Microsoft Mail Internet Headers Version 2.0
Received: from delivery2.pens.phx.gbl ([184.108.40.206]) by winhosting.dk with Microsoft
Wed, 31 Mar 2004 22:44:45 +0200
Received: from TK2MSFTDDSQ03 ([10.40.1.67]) by delivery2.pens.phx.gbl with Microsoft SMTPSVC(6.0.3790.0);
Wed, 31 Mar 2004 12:46:34 -0800
Reply-To: “Bill Gates” [email protected]
From: “Bill Gates” [email protected]
To: <[email protected]>
Subject: Microsoft Progress Report: Security
Date: Wed, 31 Mar 2004 12:46:33 -0800
Message-ID: [email protected]
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
When reading a header in Outlook 2003, you have to start from the bottom and up, most of the lines are pretty logical, but in order for you to get a thorough understanding of what happens when an e-mail is sent from one e-mail client to another, we recommend you read the following article, which does a great job explaining all you ever want to know about Internet Mail headers: Reading E-mail Headers – www.stopspam.org/email/headers.html
If you have Outlook 2003 clients configured to receive e-mail messages directly from an ISP (for example via POP3), you may want to enable the new Outlook 2003 registry key SaveAllMIMENotJustHeaders, it’s a DWORD key you need to add under HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Mail with a value of 1 (0x00000001). Adding this key makes it possible to retrieve the source together with the header of newly retrieved messages.
Never trust an Internet Mail Header 100%
Unfortunately, sophisticated spammers and other malicious persons know how to falsify most of the header information before you receive it. Since they can use a false name, a false “From” address, a false IP origination address, and a false “Received from” line in the header, this means every single element that should be traceable in the header could be false and therefore useless for identifying the spammer. This makes the header unreliable for determining the network path and difficult or impossible to determine the true sender. How can this happen? Well, when the rules for mail transfer (SMTP) were developed in the early 80s, we lived in a more trusting world than is the case today.
The purpose of this article was to give you a brief introduction to Internet Headers, if you really want to know the ins and outs of Internet Headers, you should consider to take a look at the RFC 2076 – Common Internet Message Headers.