If you have more information on the headers, please do add them here. Thanks.
-------------------------------------------------------------------------------------------
My company has been irritated by spam mails and all these unwanted mails.
After some research, I found that we could SOMETIMES, but not always, determine where the email originates from. Maybe with this information we are able to inform our email hosting, ISP to be more careful if mail is from this source.
One method to trace is by looking at the email header. All emails sent on the internet have the header included and it stores the information of the route taken by that email to reach its recipient.
First step: to do this. Source is from Abika
-----------------------------------------------------------------------------------------------
To accurately trace the origins of any email, the email along with its header information should be included with your order. Highlight the full header text in the box and press the Ctrl key and the c key simultaneously on your keyboard. This will copy the text. Now click here and submit that text. To paste please press Ctrl key and the v key simultaneously. The header should include the sender's and the recipient's email addresses. Including the body of the email helps in increasing the accuracy. The following guide will provide instructions on how to extract headers from various email clients and programs.
Instructions to open headers for various email clients and services like Outlook, Hotmail, Yahoo, AOL, Eudora, Lotus and many more..
Hotmail
. Log into Hotmail.
. Click on "Options" tab on the top navigation bar.
. Click on the "Mail Display Settings" link.
. Change the "Message Headers" option to "Full".
. Click the "OK" button.
Yahoo Mail
. Log into your Yahoo! Mail account.
. Click the "Options" link on the navigation bar.
. Click the "General Preferences" link.
. Go to the paragraph titled Messages, locate the Show Headers heading and select "All."
. Click the "Save" button to put your new settings into effect.
Once this setting is saved, go back and open your email and you should view the headers.
AOL Mail
If the email is sent from anywhere OTHER than AOL, and you are receiving it in AOL, then open the email you want to trace, or have your client open the email, and look for the link Details. This link is usually just below the To: email in the email message. If the email is sent from an AOL user to another AOL user then our Reverse AOL Screenname search can get you the sender's information.
Gmail
1. Log into your Gmail account.
2. Open the email whose headers you want to view.
3. Click on the "more options" link in the message next to the date of the email. If the link says "hide options" then do not worry, you have already clicked on the "more options" link.
4. Now click the link called "show original".
5. This will bring up a new window with headers and the body of the message.
Thunderbird (Firefox - Mozilla)
To view email headers,
Go to "View"
Then go to Headers
and select "All" to view email headers.
XtraMail
. Log into XtraMail
. Click on "Options" in the Left-hand navigation bar.
. Click the "Display" button.
. Change the "Message Headers" option to "Full".
. Click the "OK" button.
Outlook Express 4, 5 and 6
Start by opening the message in its own window (or when viewing the message in the preview pane). Then:
With the keyboard:
1. CTRL-F3 (Message Source Window)
2. CTRL-A (select all)
3. CTRL-C (copy)
4. ALT-F4 (close)
With the mouse:
1. Click the "File" menu
2. Click "Properties"
3. Click the "Details" tab
4. Click "Message Source"
5. Highlight, copy and paste everything from this window (Ctrl-A, Ctrl-C)
With viruses, worms and trojans being spread via email, many users now work with the preview screen in Outlook Express turned off. Viewing the contents of email in the preview screen is no different than opening the message. If the email has malicious content, it may execute in the preview screen.
The following are instructions to obtain the full message source if you have the preview panel turned off:
Using the keyboard:
1. Highlight the message in the folder
2. Press alt & enter - this will open a message information window
3. Press Ctrl & Tab - this changes to the "Details" tab
4. Press Alt & m - this opens the message source
5. Press Ctrl & a - to select all the text
6. Press Ctrl & c - to copy the selected text to the clipboard
7. Press Alt & F4 - to close the message source window
8. Press the Esc key - to close the information window
Outlook 97
Microsoft Outlook 97 may require an update called the Internet Mail Enhancement Patch in order to display the email headers AT ALL.
Outlook 98 and 2000
1. Open the message in a separate window (double click)
2. Under the View menu select Options
3. Copy the text in the Internet Headers window (unfortunately it doesn't include the message itself).
4. Paste
5. Close the options window
Outlook Express for Macintosh
Select the email. From the View menu, choose Source. A new window will appear containing the email with full headers. Press command + a, to select all, then command + c to copy.
Microsoft Exchange
To get the complete headers and message source using Microsoft Exchange:
1. Click the "File" menu
2. Click "Properties"
3. Click the "Details" tab
4. Click "Message Source"
5. Highlight, copy and paste everything from the "Message Source" window (Ctrl-A, Ctrl-C)
Microsoft Entourage (Office X for Mac)
To access the full message source with Microsoft Entourage:
* After clicking on the message, select "Source" from the View menu
* A new window will open showing the full message source with complete headers.
* Copy and paste
Mac OS X
To get the full message source:
1. Select a message
2. Select menu item Message, Show, Raw Source.
3. Click on the resulting text
4. Click Edit, Select All, then Edit, Copy
5. Paste
Netscape
Preferred method: Click on the "View" menu, then "Page Source" (Ctrl-U in Windows, Meta-U in UNIX, ⌘-U on the Mac), then copy the contents of the window (Ctrl-A, Ctrl-C in Windows).
Old versions: Click on the "View" menu, then "Headers," then "All." Note: This method will not work correctly with HTML.
Eudora
Note: Using the cut and paste to the web form method is the only option available to Eudora users. To display the full message source for cut and paste:
Eudora for the Mac:
1. Open the email and click the button on the upper left hand corner of the message. This shows the extended headers.
2. Select the whole message including headers and paste.
Eudora for the PC - there are 2 slightly different methods depending on whether the mail contains HTML or not.
In any case, to prepare for HTML email, you should turn off the use of Microsoft's HTML viewer. To do so, click Tools, then Options, then Viewing Mail. Uncheck the box labeled "Use Microsoft's viewer."
How to know if it's HTML mail: once you have opened the email, look near the bottom of the headers (see below for revealing headers) for a line like the following: Content-Type: text/html ... you can frequently spot HTML email because it has font effects, pictures, etc but this is not always true so you have to take a quick look at the headers.
Eudora for the PC - non-HTML mail:
1. Open the email by double clicking on the subject line. Click the button to reveal the headers.
2. Place your cursor anywhere in the body of the email and select the entire message (Edit/Select All or Ctrl-A)
3. Copy the entire email (right click and click copy OR Ctrl/C OR Edit/Copy)
4. Paste (right click/paste or Ctrl/V).
Eudora for the PC - HTML mail:
1. Open the email and click the button to reveal the headers.
2. Highlight the headers only. Copy and paste the headers.
3. Hit enter twice after the pasted headers to force a blank line after the headers.
4. Back in Eudora window, place your cursor anywhere in the body of the message and right click and click "view source". A new window will open.
5. In the new window, select all (as above) and copy the contents of the new window.
6. Paste
Pine
If the feature is enabled, you simply press "H" to toggle full headers. If the feature is not enabled, you must enable it first: From the main menu, press (S)etup, (C)onfig. Scroll down about 40 lines to the option labeled "enable-full-header-cmd." Press [ENTER]. Press (E)xit, (Y)es - to save. Then you can return to the message window and use "H" to display the headers.
Lotus Notes (v.4.x and v.5.x)
Open the email, click on "Actions" then on "Delivery Information."
Next, you have to pick out the internet-style mail header information from the window that appears when you select Delivery Information.
Lotus Notes v.4.x
Look for the first line that begins with "Received". There should be a blank line just above it. Then, scroll down to the next blank line. The stuff in-between the two blank lines are the headers you need.
Lotus Notes v.5.x
Look for the separator line that reads
-------- Additional Header ------.
Select everything from there down to the next separator line, usually
-------- Routing Information ------.
The stuff in between the two separator lines are the headers you need.
Lotus Notes v.5.x (easier method)
1. Open your inbox
2. Highlight the message that you wish to get header information for.
3. Choose File -> Export...
4. Type in a filename, leave the type as "Structured Text" and click Export
5. From the Dialog Box that comes up, choose "Selected Documents" and click OK
6. Now you can open that message you saved in WordPad and Cut and Paste it.
Pegasus Mail
In the New Mail or other folder window:
1. Right click the message, and select Message Properties.
2. In the right hand column uncheck the box beside Contains HTML data.
3. Click OK. That should allow you to see the message as a text message only.
4. Click Ctrl-H to bring up the full headers.
Another way:
1. Highlight the HTML in the new mail folder
2. Open a new email message
3. Drag the HTML onto the new message
4. In the dialog that appears select "Show All Headers"
5. Highlight the entire message, then copy to clipboard
6. Paste
Claris Emailer
Version 2.0 and higher:
Use the "Show Long Headers" option in the "Mail" menu while you have the message open.
Versions earlier than 2.0:
Click the blue triangle near the "from" information to show additional message information, then click the "Show Original Headers..." button to bring up the full header info.
kmail (KDE Desktop)
In the KDE Mail Client that comes with the KDE desktop for Linux, select Message, View Source. Copy and paste the text from the "Message as Plain Text" window.
GNU/Emacs integrated email
Press the keys 'W', then 'v' in the summary or mail buffer.
Another method of temporarily switching to ALL headers is by pressing "Ctrl-u g" on the article in the summary buffer.
Mail Warrior
To get full "message source"
1. When viewing the message, click File, then Save Message As.
2. A standard save window will appear.
3. Save the message as a .txt file (document.txt).
4. Open the file you created, select all (ctrl-A) and copy (ctrl-c).
5. And paste (ctrl-v).
These instructions written for v.3.56.
Juno Version 4+
On the drop down menu "Options", choose "Email Options..." (press ctrl-E) Under "Show Message Headers", select the "full" option. Click the OK button to save the setting.
Juno version 4+ can display MIME and HTML email, but does not provide a way of Viewing the HTML Source for the message within Juno.
To get the full source, including HTML codes:
1. In the Juno mail client, click "file" and then "Save Message as Text File..." (ctrl-T).
2. Give the file a name which you will remember (many people save temporary files to the desktop).
3. Double-click on the resulting file and then cut-and-paste the contents.
Mutt
To get mutt (the mail user agent) to forward the full headers (not display them for viewing), use the command "unset forward_decode" in your rc file or directly in the command interface.
The Bat!
To get the full text of an HTML message from TheBat email software in preparation for pasting it:
- Message -> Save As -> Save as Type - I
- Select Unix Mailboxes[*.mbx]
- Open the file in your preferred editor, then simply cut and paste.
For The Bat! v1.53bis:
- Select the message in question
- Click on the "Messages" menu
- Select "View Source"
- Alternatively, you may push F9 instead of the last two steps.
Pronto mail (GTK/UNIX)
1. Click "Message", then "View Source"
2. Highlight the message source as normal with the mouse
3. Copy using Control + C
4. Paste
StarOffice
1. Right click on the container name in the explorer panel (either a top-level mail box or a specific mail folder).
2. Select the Properties item from the pop-up menu.
3. In the properties notebook, select the Headers tab.
4. Click the "All" button on the right.
5. Press "OK" and you're done, the complete header is available in the header panel and can be selected/pasted.
Novell GroupWise
1. Open the message
2. In the message window select: File > Attachments > View
3. Select the Mime.822 attachment
Blitzmail
With the message open, go to the Options menu and choose Verbose Header. This will put the full header inside the upper pane of the message's window.
Forté Agent
Forté Agent versions 1.5 to 1.8:
Press CTRL-R to display in RAW mode, then CTRL-A and CTRL-C
Don't forget to press CTRL-R again to display in normal mode after you do this
Ximian Evolution
http://www.Ximian.com/products/ximian_evolution/
Go to the "View" menu, select "Message Display" and click on "Show Full Headers".
Sylpheed
Sylpheed is an email client for Linux, BSD and Unix systems. Sylpheed offers three ways to view the full source code of messages:
* Select the email
* Right click and mouse-over "View"
* Select "Source" from the popup menu
or....
* Select the email
* Left click on the "View" menu
* Select "View Source"
or....
* Select the email
* Press Ctrl-U (default keymap setting)
Web-Based Email Software
Hotmail
To see the full, untangled headers in Hotmail:
1. First, configure your options:
Click on "Options." In the "Additional Options" column, click on "Mail Display Options" and find the item "Message Headers." Choose "Advanced" and click the "OK" button.
2. Then, to report spam:
When viewing a message, use the "View E-mail Message Source" to display the message in raw mode before copying.
Yahoo Mail
Follow these steps:
First you must turn on "Full Headers". From your Yahoo! mail account, click on "Mail Preference". Scroll down the page to "Message Headers" and click on the "all" radio button. Save your preferences at the bottom of the page.
Next, view the message you want to report. If the message is in plain text, copying from this page and pasting it will work.
If the message to be reported is HTML, a two stepped process must be used:
1. View the message and copy the complete headers. Paste these then add a blank line.
2. Go back to the Yahoo! window and select to "Forward" the message as "inline text" (drop down menu). Scroll down the message to the start of the message body. (The first line of the HTML body will usually begin <HTML). Copy the body of the message and paste. Make sure a blank line remains between the header and body.
Excite web-mail
To view the full header information with Excite Webmail:
* Sign in to your email account.
* Click on Preferences on the Email home page
* Click on Email Preferences
* Check the box to display headers
* Click on Save
You can then see the headers in all messages in your folders.
Netscape Webmail
While viewing the message, click on the yellow triangle to the right of the brief message headers. This will display the full headers along with the message body, which can be cut and pasted.
To close the full headers and return to brief headers, click the yellow triangle again.
Blitzmail
After opening the message, click on the Verbose Header link at the top of the window.
Operamail
Choose Options and enable [x] Show Message Headers in Body of Message
Lycos Mail (mailcity.com)
When viewing an individual message, click on the tool bar menu item above the message "All Headers". Highlight and copy the complete message from the viewing window and paste it.
Onebox.com
Click on the subject of the email in your inbox or other folder. This displays the message.
At the top of the message you will see the following links in the message frame right above the "reply" buttons:
[folder name]: Prev | Next: Download
Select "Download" from the above.
A new browser window will spawn with both the headers and the message text. At this point, simply copy all the text and paste it.
Outlook Web Access
(as accessed through http://mymail.outlookmail.com/exchange/logon.asp)
Left click on the letter you want to open and click on properties
When that opens click on the details tab
Then on message source
This will open the email so the full headers will be available for viewing
Select and copy the text then paste it.
----------------------------------------------------------------------------------------------
After that, you need to understand what is being written:
Source is from stopspam.org
List of Common Headers
* Apparently-To: Messages with many recipients sometimes have a long list of headers of the form "Apparently-To: rth@bieberdorf.edu" (one line per recipient). These headers are unusual in legitimate mail; they are normally a sign of a mailing list, and in recent times mailing lists have generally used software sophisticated enough not to generate a giant pile of headers.
* Bcc: (stands for "Blind Carbon Copy") If you see this header on incoming mail, something is wrong. It's used like Cc: (see below), but does not appear in the headers. The idea is to be able to send copies of email to persons who might not want to receive replies or to appear in the headers. Blind carbon copies are popular with spammers, since it confuses many inexperienced users to get email that doesn't appear to be addressed to them.
* Cc: (stands for "Carbon Copy", which is meaningful if you remember typewriters) This header is sort of an extension of "To:"; it specifies additional recipients. The difference between "To:" and "Cc:" is essentially connotative; some mailers also deal with them differently in generating replies.
* Comments: This is a nonstandard, free-form header field. It's most commonly seen in the form "Comments: Authenticated sender is <rth@bieberdorf.edu>". A header like this is added by some mailers (notably the popular freeware program Pegasus) to identify the sender; however, it is often added by hand (with false information) by spammers as well. Treat with caution.
* Content-Transfer-Encoding: This header relates to MIME, a standard way of enclosing non-text content in email. It has no direct relevance to the delivery of mail, but it affects how MIME-compliant mail programs interpret the content of the message.
* Content-Type: Another MIME header, telling MIME-compliant mail programs what type of content to expect in the message.
* Date: This header does exactly what you'd expect: It specifies a date, normally the date the message was composed and sent. If this header is omitted by the sender's computer, it might conceivably be added by a mail server or even by some other machine along the route. It shouldn't be treated as gospel truth; forgeries aside, there are an awful lot of computers in the world with their clocks set wrong.
* Errors-To: Specifies an address for mailer-generated errors, like "no such user" bounce messages, to go to (instead of the sender's address). This is not a particularly common header, as the sender usually wants to receive any errors at the sending address, which is what most (essentially all) mail server software does by default.
* From (without colon) This is the "envelope From" discussed above.
* From: (with colon) This is the "message From:" discussed above.
* Message-Id: (also Message-id: or Message-ID:) The Message-Id is a more-or-less unique identifier assigned to each message, usually by the first mailserver it encounters. Conventionally, it is of the form "gibberish@bieberdorf.edu", where the "gibberish" part could be absolutely anything and the second part is the name of the machine that assigned the ID. Sometimes, but not often, the "gibberish" includes the sender's username. Any email in which the message ID is malformed (e.g., an empty string or no @ sign), or in which the site in the message ID isn't the real site of origin, is probably a forgery.
* In-Reply-To: A Usenet header that occasionally appears in mail, the In-Reply-To: header gives the message ID of some previous message which is being replied to. It is unusual for this header to appear except in email directly related to Usenet; spammers have been known to use it, probably in an attempt to evade filtration programs.
* Mime-Version: (also MIME-Version:) Yet another MIME header, this one just specifying the version of the MIME protocol that was used by the sender. Like the other MIME headers, this one is usually eminently ignorable; most modern mail programs will do the right thing with it.
* Newsgroups: This header only appears in email that is connected with Usenet---either email copies of Usenet postings, or email replies to postings. In the first case, it specifies the newsgroup(s) to which the message was posted; in the second, it specifies the newsgroup(s) in which the message being replied to was posted. The semantics of this header are the subject of a low-intensity holy war, which effectively assures that both sets of semantics will be used indiscriminately for the foreseeable future.
* Organization: A completely free-form header that normally contains the name of the organization through which the sender of the message has net access. The sender can generally control this header, and silly entries like "Royal Society for Putting Things on Top of Other Things" are commonplace.
* Priority: An essentially free-form header that assigns a priority to the mail. Most software ignores it. It is often used by spammers, usually in the form "Priority: urgent" (or something similar), in an attempt to get their messages read.
* Received: Discussed in detail above.
* References: The References: header is rare in email except for copies of Usenet postings. Its use on Usenet is to identify the "upstream" posts to which a message is a response; when it appears in email, it's usually just a copy of a Usenet header. It may also appear in email responses to Usenet postings, giving the message ID of the post being responded to as well as the references from that post.
* Reply-To: Specifies an address for replies to go to. Though this header has many legitimate uses (perhaps your software mangles your From: address and you want replies to go to a correct address), it is also widely used by spammers to deflect criticism. Occasionally a naive spammer will actually solicit responses by email and use the Reply-To: header to collect them, but more often the Reply-To: address in junk email is either invalid or an innocent victim.
* Sender: This header is unusual in email (X-Sender: is usually used instead), but appears occasionally, especially in copies of Usenet posts. It should identify the sender; in the case of Usenet posts, it is a more reliable identifier than the From: line.
* Subject: A completely free-form field specified by the sender, intended, of course, to describe the subject of the message.
* To: The "message To:" described above. Note that the To: header need not contain the recipient's address!
* X-headers is the generic term for headers starting with a capital X and a hyphen. The convention is that X-headers are nonstandard and provided for information only, and that, conversely, any nonstandard informative header should be given a name starting with "X-". This convention is frequently violated.
* X-Confirm-Reading-To: This header requests an automated confirmation notice when the message is received or read. It is typically ignored; presumably some software acts on it.
* X-Distribution: In response to problems with spammers using his software, the author of Pegasus Mail added this header. Any message sent with Pegasus to a sufficiently large number of recipients has a header added that says "X-Distribution: bulk". It is explicitly intended as something for recipients to filter against.
* X-Errors-To: Like Errors-To:, this header specifies an address for errors to be sent to. It is probably less widely obeyed.
* X-Mailer: (also X-mailer:) A freeform header field intended for the mail software used by the sender to identify itself (as advertising or whatever). Since much junk email is sent with mailers invented for the purpose, this field can provide much useful fodder for filters.
* X-PMFLAGS: This is a header added by Pegasus Mail; its semantics are nonobvious. It appears in any message sent with Pegasus, so it doesn't obviously convey any information to the recipient that isn't covered by the X-Mailer: header.
* X-Priority: Another priority field, used notably by Eudora to assign a priority (which appears as a graphical notation on the message).
* X-Sender: The usual email analogue to the Sender: header in Usenet news, this header purportedly identifies the sender with greater reliability than the From: header. In fact, it is nearly as easy to forge, and should therefore be viewed with the same sort of suspicion as the From: header.
* X-UIDL: This is a unique identifier used by the POP protocol for retrieving mail from a server. It is normally added between the recipient's mail server and the recipient's actual mail software; if mail arrives at the mail server with an X-UIDL: header, it is probably junk (there's no conceivable use for such a header, but for some unknown reason many spammers add one).
-----------------------------------------------------------------------------------------
So by now you would have some clue as to where the email originated from and which places it visited.
To add insult to how emails can be easily forged, below is my own code I have used to write my mailing list program to clients of my company. It's just to illustrate to non-programmers who are reading, that you can easily change the name and sender of the email via the email program.
After that, maybe do some settings on the mail server, or use a 3rd party mail relay to cheat some more.
CODE
System.Net.Mail.Attachment myAttachment = new System.Net.Mail.Attachment(Server.MapPath(@"~/myDirectory/uploads/Finally.pdf"));
System.Net.NetworkCredential myCredentials = new System.Net.NetworkCredential("Ultraman@lalaland.com","seeham123");
//Just change chicks@england to anything you like. In a repeat loop, this From
// field can be swapped with another email address from a list.
System.Net.Mail.MailAddress myFromAddress=new System.Net.Mail.MailAddress("chicks@england.com","hottie");
//Just change spicychicken@yahoo to anything you like. In a repeat loop, this To
// field can be swapped with another email address from a list.
System.Net.Mail.MailAddress myToAddress = new System.Net.Mail.MailAddress("spicychicken@yahoo.com", "coolie");
System.Net.Mail.SmtpClient mySMTPsender = new System.Net.Mail.SmtpClient();
mySMTPsender.Host= "mail.lalaland.com";
mySMTPsender.Credentials = myCredentials;
System.Net.Mail.MailMessage myMail = new System.Net.Mail.MailMessage(myFromAddress,myToAddress);
myMail.Subject = "test spam baby";
myMail.Body = "aaaaa asdfasdfsadf";
myMail.Attachments.Add(myAttachment);
mySMTPsender.Send(myMail);
-------------------------------------------------------------------------------------------
Additionally, you may find some ip addresses in the headers like 201.65.26.89.
So get this number and put into:
ip address lookup 1
Ip address lookup 2
IP address lookup 3
This post has been edited by nlik: Mar 30 2007, 03:14 PM
Mar 29 2007, 12:36 PM, updated 19y ago
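
Added example, not part of the original post: a Python sketch of reading a copied message source the way the post describes, walking the Received hops from oldest to newest and applying the header checks from the list of common headers. The sample message, host names, the `.recipient.example` trusted suffix and all function names are constructed for illustration. It relies on one general fact about SMTP: only Received lines written by servers you control can be trusted, so the traceable origin is the peer recorded by the outermost of your own servers.

```python
import email
import ipaddress
import re

# Constructed sample (hosts are made up, IPs are documentation ranges). Each
# server prepends its own Received line, so the top line is the newest hop.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1; Thu, 29 Mar 2007 12:30:05 +0800
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Thu, 29 Mar 2007 12:30:01 +0800
Received: from friendly.host.example ([203.0.113.45])
\tby relay.isp.example with SMTP id C3; Thu, 29 Mar 2007 12:29:58 +0800
From: "hottie" <chicks@england.example>
To: someone@recipient.example
Subject: test
Message-Id: <abc123>
Priority: urgent
X-UIDL: 0123456789abcdef
X-Distribution: bulk

body
"""

FROM_BY_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _bracketed_ip(text):
    """Return the first [a.b.c.d] literal in text if it is a valid IPv4 address."""
    m = IP_RE.search(text)
    try:
        return str(ipaddress.ip_address(m.group(1))) if m else None
    except ValueError:
        return None


def trace_hops(msg):
    """List the Received hops oldest-first: claimed sender name, recording host, peer IP."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = " ".join(raw.split())          # undo header folding
        m = FROM_BY_RE.search(line)
        hops.append({"from": m.group(1) if m else None,
                     "by": m.group(2) if m else None,
                     "ip": _bracketed_ip(line)})
    return hops


def last_trusted_origin(hops, trusted_suffixes):
    """IP of the peer that handed the mail to the outermost server we trust.

    Hops older than this one were written by machines outside our control.
    """
    origin = None
    for hop in reversed(hops):                # newest hop first
        if not (hop["by"] or "").lower().endswith(tuple(trusted_suffixes)):
            break
        origin = hop["ip"]
    return origin


def header_flags(msg):
    """Apply the header checks from the list of common headers to one message."""
    flags = []
    mid = (msg.get("Message-Id") or "").strip().strip("<>")
    if not mid or "@" not in mid:
        flags.append("malformed Message-Id")
    if msg.get("X-UIDL") is not None:         # assumes capture at the mail server
        flags.append("X-UIDL present on arrival")
    if msg.get("Bcc") is not None:
        flags.append("Bcc visible on incoming mail")
    if len(msg.get_all("Apparently-To", [])) > 1:
        flags.append("long Apparently-To list")
    if (msg.get("X-Distribution") or "").strip().lower() == "bulk":
        flags.append("X-Distribution: bulk")
    if (msg.get("Priority") or "").strip().lower() == "urgent":
        flags.append("Priority: urgent")
    return flags


MSG = email.message_from_string(SAMPLE)
if __name__ == "__main__":
    for hop in trace_hops(MSG):
        print(hop)
    print(last_trusted_origin(trace_hops(MSG), [".recipient.example"]))
    print(header_flags(MSG))
```

In the sample, the address to report to an ISP is the one recorded by `mx.recipient.example`; the older `203.0.113.45` entry is only what the external relay claims.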