Who sent that email?

Have you ever wanted to figure out where that funky piece of spam or other email originated? I’ve been doing this for a long time and I’ve explained it to a lot of people, but I’ve never found a clear, annotated description of how to do it. With one caveat, this page gives a good introduction to how to trace it.

The caveat is this: it is easy to put fake headers on an email. They will be propagated to the next mail server and carried along the whole server chain. How is this done? By simply including them in the message. Why is this possible? Because Received headers are part of the message data passed from one mail server to the next: each relay prepends its own Received header to the top of whatever it was handed and passes the rest through untouched. Someone faking email can therefore type fake Received headers into the message they submit, and every later hop will faithfully carry them along.

Yes, Received headers can be faked! But, and here is the good part, once the message starts its journey, the entries that subsequent servers add to the top of the Received chain are legitimate, because the sender never had a chance to touch them.

So, how do you account for that? By tracing from the top of the email. Start with the topmost Received header, the one written by your own mail server, which you know you can trust. As you parse each header, ask whether you trust the machine that wrote it (the "by" part). If so, the connecting address it recorded (the bracketed IP after "from", not the HELO name or any host name the client announced, since the sender controls those) is reliable, so move on to the next header down. If not, stop: the last header you trusted names the first machine in the chain you can actually vouch for, and everything below it may be pure invention.
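The top-down walk described above, as an added Python example (this is not code from the original post). It assumes two things that are labelled in the code: a list of mail domains you trust to log honestly (your own server and your provider's inbound MX, here "example.org" and "example.net"), and a constructed sample message whose bottom Received line was forged by the sender to look like it came from a bank.

```python
"""Trace the origin of a message by walking its Received chain from the top
(the most recent hop, written by your own server) downwards, stopping at the
first Received line written by a server you do not trust.

Added example for this post, not the author's code.  The message below is
constructed: the bottom Received line is a forgery the sender embedded in the
message data, which is exactly what the post warns about.
"""
import email
import re

# Constructed sample.  Hops 1 and 2 were prepended by real servers; hop 3 was
# typed into the message by the sender to make it look like it came from a bank.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id abc123
\tfor <you@example.org>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from unknown (HELO mail.bigbank.example) ([203.0.113.45])
\tby mx.example.net with SMTP; Mon, 01 Jan 2024 10:00:01 +0000
Received: from mail.bigbank.example (mail.bigbank.example [192.0.2.10])
\tby relay.bigbank.example with ESMTP id 7f3a1; Mon, 01 Jan 2024 09:59:00 +0000
From: "Big Bank" <alerts@bigbank.example>
To: you@example.org
Subject: Urgent account notice

Please click the link.
"""

# Assumption: the mail systems you operate or otherwise trust to log honestly
# (your own server and your provider's inbound MX).
TRUSTED_DOMAINS = ("example.org", "example.net")

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"          # name the connecting client announced
    r"(?P<info>(?:\s*\([^)]*\))*)"   # what the receiving server itself observed
    r".*?\bby\s+(?P<by>\S+)"         # the server that wrote this header
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return {'helo', 'ip', 'by', 'raw'} for one Received header, or None."""
    raw = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(raw)
    if not m:
        return None
    # The bracketed IP is what the receiving server saw on the TCP connection;
    # the HELO name and any unbracketed host name are supplied by the client.
    ip = IP_RE.search(m.group("info") or "")
    return {
        "helo": m.group("helo"),
        "ip": ip.group(1) if ip else None,
        "by": m.group("by").rstrip(";,"),
        "raw": raw,
    }


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def trace_origin(message_text, trusted=TRUSTED_DOMAINS):
    """Walk the Received headers top-down.  A header is trusted only if the
    server that wrote it ('by ...') is one we trust; the last trusted header
    names the first machine in the chain we can actually vouch for."""
    msg = email.message_from_string(message_text)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    result = {"origin_ip": None, "origin_helo": None, "trusted": [], "unverifiable": []}
    for hop in hops:
        if not is_trusted(hop["by"], trusted):
            break
        result["trusted"].append(hop)
        result["origin_ip"], result["origin_helo"] = hop["ip"], hop["helo"]
    # Everything from the first untrusted hop down was supplied by the sender
    # or by a relay we cannot vouch for, so it proves nothing.
    result["unverifiable"] = hops[len(result["trusted"]):]
    return result


if __name__ == "__main__":
    r = trace_origin(SAMPLE)
    print("First trustworthy origin:", r["origin_ip"],
          "(announced itself as", r["origin_helo"] + ")")
    for hop in r["unverifiable"]:
        print("Unverifiable, written by untrusted server", hop["by"] + ":", hop["raw"])
```

On the sample, the walk trusts the two headers written by mail.example.org and mx.example.net, reports 203.0.113.45 as the real connecting address, and lists the bank-looking line at the bottom as unverifiable. If the topmost header is not written by a server you trust, the function returns no origin at all, which is the honest answer.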

1 thought on “Who sent that email?”

  1. Chuck Beyer

    I know you like to personally chase the bits, but in case someone wants a quicker solution to tracing an email, suggest they use spamcop.net — and check the ‘technical details’ box if you want to see how they trace. You can also let them report the spam to the ISP and involved web sites, if you so choose.
