Understanding Email Headers
- Where does Email come from?
- Examples of Email headers
- Analysis of an Email Header
- The Importance of Received Headers
Where does Email come from?
To understand what email headers tell us, we need to analyse the life of a piece of email.
Most of the time to the Internet user, it appears that email is passed directly from the sender's machine to the recipient's. Normally, this isn't true; a typical piece of email passes through at least four computers during its lifetime.
This happens because the email needs to pass through computers dedicated to handling email, called Mail Servers. Most of the time the Mail Server is not the same machine that sent the email you are looking at when you read your email.
For iiNet customers dialling in from their home computers, the "client" computer is the user's home machine, and the "server" is a machine that handles mail at iiNet. When a user sends mail, she normally composes the message on her own computer, then sends it off to our Mail Server. At this point the client computer is finished with the job, but the Mail Server still has to deliver the message. It does this by finding the recipient's Mail Server, talking to that server and delivering the message. The message then sits on that second Mail Server until the recipient comes along to read his mail, when he retrieves it onto his own computer, normally deleting it from the mail server in the process.
Examples of Email headers
Consider two users: someone@hotmail.com, and janedoe@iinet.net.au, who uses Eudora. Let's look at an email from janedoe's iiNet account to someone at Hotmail.
From janedoe@iinet.net.au Thu, 27 Dec 2001 17:41:08 -0800
Received: from [203.59.3.37] by hotmail.com (3.2) with ESMTP id MHotMailBDF51881003A400438D0CB3B032508460; Thu, 27 Dec 2001 17:40:18 -0800
Received: (qmail 31174 invoked by uid 666); 28 Dec 2001 01:40:10 -0000
Received: from unknown (HELO i101-177.nv.iinet.net.au) (203.59.101.177) by mail.iinet.net.au with SMTP; 28 Dec 2001 01:40:10 -0000
Message-Id: <5.0.2.1.0.20011228094127.00a96c30@mail.iinet.net.au>
X-Sender: janedoe@mail.iinet.net.au
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Fri, 28 Dec 2001 09:42:29 +0800
To: someone@hotmail.com
From: Jane Doe
Subject: Testing Email Headers
Cc: janedoe@start.com.au
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
When janedoe sends email to someone@hotmail.com, she composes it on her own machine, which is dialled up to iiNet (i101-177.nv.iinet.net.au). The composed text is passed from there to the mail server, mail.iinet.net.au. This is the last janedoe will see of it, as further processing is handled by machines with no intervention from her. The mail server, seeing that it has a message for someone@hotmail.com, contacts Hotmail's mail server and delivers the mail to it. The message is stored on hotmail.com until someone dials in from their own computer and checks their Hotmail.
Analysis of an Email Header
Here's a line-by-line analysis of these headers and exactly what each one means.
From janedoe@iinet.net.au Thu, 27 Dec 2001 17:41:08 -0800
Just like From: (but with no colon here), this is generated by the receiving server - here the Hotmail server. The time and date shown are when the email was received by the Hotmail server - 8 hours behind GMT.

Received: from [203.59.3.37] by hotmail.com (3.2) with ESMTP id MHotMailBDF51881003A400438D0CB3B032508460; Thu, 27 Dec 2001 17:40:18 -0800
Also generated by the receiving server. The Hotmail server indicates which server it got the message from, and at what time and date. Again 8 hours behind GMT.

Received: (qmail 31174 invoked by uid 666); 28 Dec 2001 01:40:10 -0000
Indicates that the program called qmail is running on the mail server, and shows the version and the time of processing. The program running on the mail server could also be sendmail. iiNet's mail server shows the time stamp in GMT.

Received: from unknown (HELO i101-177.nv.iinet.net.au) (203.59.101.177) by mail.iinet.net.au with SMTP; 28 Dec 2001 01:40:10 -0000
This email was received from a computer on a dial-up connection to iiNet. The IP address is shown. Sometimes you will be able to see the name of the sender's Windows machine, such as Default or OEMXXX. Mail transfer happened on 28 December 2001, at 09:42:29 (morning, as 9pm would be 21:42:29 in 24-hour time). -0000 indicates GMT. Remember that this is the most important header when trying to determine who the email is from.

Message-Id: <5.0.2.1.0.20011228094127.00a96c30@mail.iinet.net.au>
The receiving machine assigned this ID number to the message. (Used internally by the machine, it's something an administrator would need to know to look up the message in the machine's log files, but it's usually meaningless to anyone else.)

X-Sender: janedoe@mail.iinet.net.au
The sender, as per the user's identification on the mail server.

X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
The email software.

Date: Fri, 28 Dec 2001 09:42:29 +0800
This is the time as set on the machine the email was composed on - mail transfer happened on Friday, 28 December 2001, at 09:42:29 - 8 hours ahead of GMT.

To: someone@hotmail.com
The recipient's email address.

From: Jane Doe
The mail was sent by janedoe@iinet.net.au, who gives her name as Jane Doe. You can set the address and name to whatever you want in your email software.

Subject: Testing Email Headers
Self explanatory.

Cc: janedoe@start.com.au
This message was also emailed to janedoe@start.com.au.

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
The format and content type of the message. In this case, plain text and not HTML.
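The analysis above turns on three different clocks (Hotmail's at -0800, iiNet's at -0000, and the sender's own machine at +0800). The following is an added example, not part of the original page, that parses a constructed copy of the same header block with Python's standard email module, puts the Received: hops in the order the message actually travelled, normalises every timestamp to GMT, and measures how far the sender's Date: header (set by the composing machine, as the article notes) drifts from the first mail server's clock.

```python
import email
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed copy of the header block discussed in the article. The first
# line is the envelope "From " line (no colon) that the receiving server
# wrote; Python's parser keeps it separately as the "unixfrom" line.
RAW_HEADERS = """\
From janedoe@iinet.net.au Thu, 27 Dec 2001 17:41:08 -0800
Received: from [203.59.3.37] by hotmail.com (3.2) with ESMTP id MHotMailBDF51881003A400438D0CB3B032508460; Thu, 27 Dec 2001 17:40:18 -0800
Received: (qmail 31174 invoked by uid 666); 28 Dec 2001 01:40:10 -0000
Received: from unknown (HELO i101-177.nv.iinet.net.au) (203.59.101.177) by mail.iinet.net.au with SMTP; 28 Dec 2001 01:40:10 -0000
Message-Id: <5.0.2.1.0.20011228094127.00a96c30@mail.iinet.net.au>
X-Sender: janedoe@mail.iinet.net.au
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Fri, 28 Dec 2001 09:42:29 +0800
To: someone@hotmail.com
From: Jane Doe
Subject: Testing Email Headers
Cc: janedoe@start.com.au
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

"""


def to_utc(stamp):
    """Parse an RFC 2822 date string and normalise it to UTC (GMT).

    Python returns a naive datetime for the "-0000" offset (it means "UTC, but
    the sender's local zone is unknown"), so attach UTC explicitly before
    converting; otherwise the naive value would be read as local machine time.
    """
    dt = parsedate_to_datetime(stamp)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def envelope_line(raw_headers):
    """The colon-less 'From ' line the receiving server put in front of the message."""
    return email.message_from_string(raw_headers).get_unixfrom()


def hop_timeline(raw_headers):
    """Return the Received: hops oldest-first as (hop description, UTC timestamp).

    Each relay prepends its own Received: line, so the header order is newest
    first; reversing it recovers the path the message actually travelled.
    """
    msg = email.message_from_string(raw_headers)
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        clause, _, stamp = received.rpartition(";")
        hops.append((clause.strip(), to_utc(stamp.strip())))
    return hops


def hops_in_order(hops):
    """True if no relay's clock reads earlier than the relay before it."""
    return all(a[1] <= b[1] for a, b in zip(hops, hops[1:]))


def sender_clock_skew(raw_headers):
    """Seconds by which the composing machine's Date: runs ahead of the first relay.

    Date: is set by the sender's own clock and is easy to mis-set or forge, so
    compare it against the first timestamp written by a mail server.
    """
    msg = email.message_from_string(raw_headers)
    first_relay = hop_timeline(raw_headers)[0][1]
    return int((to_utc(msg["Date"]) - first_relay).total_seconds())


if __name__ == "__main__":
    print("envelope:", envelope_line(RAW_HEADERS))
    for clause, when in hop_timeline(RAW_HEADERS):
        print(when.isoformat(), clause[:60])
    print("sender clock ahead of first relay by", sender_clock_skew(RAW_HEADERS), "s")
```

Once everything is in GMT the three relay timestamps line up in order (01:40:10, 01:40:10, 01:40:18 on 28 Dec), while the Date: header resolves to 01:42:29 GMT, so janedoe's PC clock was running about two minutes ahead of mail.iinet.net.au. That is harmless here, but a Date: that is hours or days out from the first Received: line is one of the simplest signs that the sending machine, or the sender, is not what it claims.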
The Importance of Received Headers
The Received: headers provide a detailed log of a message's history, and so make it
possible to draw some conclusions about the origin of a piece of email even when
other headers have been forged.
The single most valuable forgery protection in the Received: headers is the information logged by the receiving host from the sender. The sender can lie about its identity (by putting garbage in its HELO command to the receiver); fortunately, modern mail transfer programs are able to detect such false information and correct it.
Received: from blahblahoh.org ([104.128.23.115]) by mail.iinet.net.au ...
You look up the IP address 104.128.23.115 (with a tool like the UNIX program nslookup, or a web tool for nslookup) and find that the address in fact belongs to turmeric.com (not blahblahoh.org).
Many modern mail programs actually automate this process, looking up the name of the sending machine on their own. (The lookup process is called reverse DNS.)
Another trick used by forgers of email is to add spurious Received: headers before sending the offending mail. This means that the hypothetical email sent from turmeric.com might have Received: lines that look something like this:
Received: from blahblahoh.org ([104.128.23.115]) by mail.iinet.net.au (8.8.5)...
Received: from nowhere by fictitious-site (8.8.3/8.7.2)...
Received: No Information Here, Go Away!
Obviously, the last two lines are complete nonsense, written by the sender and attached to the message before it was sent.
Since the sender has no control over the message once it leaves turmeric.com, and Received: headers are always added at the top, the forged lines have to appear at the bottom of the list. This means that someone reading the lines from top to bottom, tracing the history of the message, can safely throw out anything after the first forged line; even if the Received: lines after that point look plausible, they're guaranteed to be forgeries.
Of course, the sender doesn't have to use obvious garbage; a really devious forger could create a plausible list of Received: lines like this:
Received: from blahblahoh.org ([104.128.23.115]) by mail.iinet.net.au (8.8.5)...
Received: from lemongrass.org by blahblahoh.org (8.7.3/8.5.1)...
Received: from graprao.com by lemongrass.org (8.6.4)...
Here the only dead giveaway is the inaccurate IP address for blahblahoh.org in the very first Received: line. The forgery would be still harder to detect if the forger had written in correct IP addresses for lemongrass.org and graprao.com, but the IP mismatch in the first line would still reveal that the message had been forged and "injected" into the network at the site 104.128.23.115 (i.e., turmeric.com). However, most header forgeries are considerably less sophisticated, and the extra Received: lines are obvious garbage.
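The procedure the last few paragraphs describe (trust only the line your own server wrote, compare the HELO name against the reverse DNS of the logged IP, and discard everything after the first line that fails) can be written down as a small checker. The following is an added example and not code from the page or from iiNet. The reverse-DNS table is a constructed stand-in for a real PTR lookup (socket.gethostbyaddr() or nslookup), the three Received: chains are constructed from the article's examples, and the regular expression covers the sendmail-style "from NAME ([IP]) by HOST" form shown here rather than qmail's "(HELO ...)" form; a missing reverse record is treated as a mismatch, which is a deliberately conservative choice.

```python
import re

# Matches the sendmail-style trace the article shows: the name the peer
# announced in HELO, the IP the receiving server logged (in parentheses and/or
# brackets, if logged at all) and the server that wrote the line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)"
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed stand-in for a reverse-DNS (PTR) lookup; a real tool would call
# socket.gethostbyaddr() or nslookup. Only the mappings the article needs.
REVERSE_DNS = {
    "104.128.23.115": "turmeric.com",
    "203.59.101.177": "i101-177.nv.iinet.net.au",
}

# Constructed Received: chains, top-down as they appear in a message header.
DEVIOUS = [  # the "plausible" forgery from the article
    "from blahblahoh.org ([104.128.23.115]) by mail.iinet.net.au (8.8.5) with ESMTP",
    "from lemongrass.org by blahblahoh.org (8.7.3/8.5.1) with SMTP",
    "from graprao.com by lemongrass.org (8.6.4) with SMTP",
]
NONSENSE = [  # the obvious-garbage forgery from the article
    "from blahblahoh.org ([104.128.23.115]) by mail.iinet.net.au (8.8.5) with ESMTP",
    "from nowhere by fictitious-site (8.8.3/8.7.2) with SMTP",
    "No Information Here, Go Away!",
]
HONEST = [  # a dial-up submission whose announced name matches its reverse record
    "from i101-177.nv.iinet.net.au ([203.59.101.177]) by mail.iinet.net.au with SMTP",
]


def parse_received(line):
    """Split one Received: value into its announced name, logged IP and writer.

    Returns None for lines that do not even have the "from X by Y" shape.
    """
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    return {"name": m["name"], "ip": m["ip"], "by": m["by"]}


def trusted_trace(received, reverse_dns, our_server):
    """Walk Received: lines top-down, trusting only what verified relays wrote.

    Returns (verified, injection, discarded):
      verified  - lines written by a relay we trust, with a logged peer IP
      injection - (ip, real host) of the peer that lied in HELO, or None
      discarded - everything from the first unverifiable or forged line on,
                  which the article says is guaranteed to be the sender's work
    A missing reverse record is treated as a mismatch (conservative choice).
    """
    trusted = {our_server.lower()}
    verified, discarded = [], []
    injection = None
    stopped = False
    for line in received:
        hop = None if stopped else parse_received(line)
        # A line claiming to be written by a host we have not verified, or one
        # that logged no peer IP, cannot be checked; stop trusting from here on.
        if hop is None or hop["by"].lower() not in trusted or hop["ip"] is None:
            stopped = True
            discarded.append(line)
            continue
        verified.append(line)  # a trusted relay wrote this; its logged IP is genuine
        real = reverse_dns.get(hop["ip"])
        if real is None or real.lower() != hop["name"].lower():
            injection = (hop["ip"], real)  # HELO name lied: the message entered here
            stopped = True
        else:
            trusted.add(hop["name"].lower())  # a real relay; its own lines can be checked next
    return verified, injection, discarded


if __name__ == "__main__":
    for label, chain in (("devious", DEVIOUS), ("nonsense", NONSENSE), ("honest", HONEST)):
        verified, injection, discarded = trusted_trace(chain, REVERSE_DNS, "mail.iinet.net.au")
        print(f"{label}: {len(verified)} trusted line(s), injected from {injection}, "
              f"{len(discarded)} line(s) discarded")
```

For both forged chains the checker keeps only the first line (genuinely written by mail.iinet.net.au, even though the HELO name in it is a lie), reports the injection point as 104.128.23.115 resolving to turmeric.com, and throws the remaining lines away without looking at how plausible they are, which is exactly the rule the article gives. The honest chain verifies cleanly and the announced host joins the set of relays whose own Received: lines may be checked next.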