The Value of a Full Email Header
Here are few reasons it may be necessary to review the headers:
- To investigate possible spoofing and determine the source of the message
- To analyze timestamps along the delivery route and identify the source of any delay
- To test any of the mail servers in the path to see if they are on a blacklist
- To review Spam Assassin score
- To determine if the message was routed through a filtering server prior to arrival
While reviewing email header information may seem very technical, internet investigations are NOT rocket science. If you know what has happened and to whom, the next step is to find out why by reviewing the contents of the email header.
What is a Full Email Header?
The email header is a section of code that contains information about where the email came from and how the message reached its destination. Headers will contain the email address of the originator and/or the computer the sender was using.
Below is an example of what the typical email header looks like. What you are looking for in the header is the IP address, sometimes conveniently identified as the "Originating IP." We can trace the internet service provider (ISP) with the date and time of the offending email using the IP address of the sender's computer. The IP addresses in the example below are shown in bold.
Return-Path: <[email protected]> Delivered-To: [email protected]
Received: (qmail 23699 invoked by uid 0); 12 Nov 2009 15:14:06 -0000
Received: from unknown (HELO psmtp.com) (123.546.77.0) by officemail.aeserver with SMTP; 12 Nov 2013 15:14:06 -0000
Received: from source ([2184.108.40.206]) by exprod7mx234.postini.com ([220.127.116.11]) with SMTP; Thu, 12 Nov 2013 09:14:06 CST
Received: by yxe7 with SMTP id 7so2045938yxe.25 for <[email protected]>; Thu, 12 Nov 2013 07:14:05
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; hg=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=S5ZryZZDthVDpa+AewfoxvwgdiT4eKyEM8fR7U55kPJR5llEijqs7jGf/woOLQKkeL /Hls0HcojcsCxFW1Lkg5iCJQ3zXWZkvSoW7WSO88pNdzrpPIaYKSixbj2Ex0iao0w8p8 rqEKLQPPL8HC+AFWyikBsA9o78WQtBUzZqdmM= DomainKey-
Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=NTSUn5Bd+VSwoO7O2QDhm8Ut5KyAaQKdkEVT8pQ8wjZuag+Z3d/MTj2+NVrZVakqEB /1jOSCwyCurMMid14L4CVSF7dfCJkvla666BfdCYgLShKEK3nPec3Ap9YN2mlHPw/aRG rcYIJh1n60/BePZNJx6+YiQWIOgIYqoxtZXkk= MIME-Version: 1.0
Received: by 10.150.19.4 with SMTP id 4mr5441077ybs.216.1258038842463; Thu, 12 Nov 2013 07:14:02
Date: Thu, 12 Nov 2013 08:14:02
Message-ID: <[email protected]>
From: AEserver Tech <[email protected]>
To: [email protected]
Content-Type: text/plain; charset=ISO-8859-1 X-pstn-neptune: 0/0/0.00/0 X-pstn-levels: (S:72.19780/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
Which of the IP addresses above should be traced?
Usually, the originating IP (in this case, 18.104.22.168) is either called that, and/or is closer to the bottom of the stack, nearer to the actual body of the message.
It is important to note that this source IP address (22.214.171.124) will not resolve on the Internet as it is within a block of IP addresses that are "reserved" private IP addresses. They are used behind corporate firewalls and proxy servers. They access the outside world through a NAT service, which stands for Network Address Translation. To find where this IP address is located, you will have to contact the network administrator responsible for the IP address 126.96.36.199, which is a legitimate internet IP address and through which this private IP address passes on its way to the internet.
RFC 1918 describes IP addressing guidelines for private networks and for which IANA (Internet Assigned Numbers Authority) has reserved for private networks. There are three sets of reserved private numbers, one respectively for each IP network Class A, B & C. They are:
- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.00 to 192.168.255.255
The Difference Between Full and Partial Headers
This is what you normally look at in your emails. The partial headers are the most important to your daily tasks. Such headers are the From Address, To Address, Subject, Date and Time, Reply To Address, CC and BCC.
The full headers are simply more technical information than what you normally see when you check your email. Sometimes we need those extra headers to solve a problem.
The links below will guide you in turning on full headers for whichever mail program you use: