Archived article from the year 2000
"Your data has a social life too"

You can find out a lot more about e-mails you receive by looking at the header details, which are normally hidden.

Reading email headers

Usually you only see an abbreviated version of the sender's details, but the full version offers more information. You can see it by pressing the "blah blah blah" button in Eudora. In Outlook it appears when you click on View > Options.

If you're using a different mailer, you can find the full header viewing procedures on this page at the WHOA site. I don't agree with some of the things they say about headers, but the disagreements are minor and the procedure links are good.

Here's an example of a full header:

Received: from uberhost.net (websmostlinked.com [])
    by springer.magweb.net.uk (8.9.3/8.9.3) with ESMTP id FAA06564
    for <astarling@xtinhat.com>; Wed, 31 May 2000 05:14:48 +0100 (BST)
From: sub@websmostlinked.com
Received: from nobody by uberhost.net with local (Exim 3.14 #2)
    id 12x7Lx-00004L-00
    for astarling@xtinhat.com; Wed, 31 May 2000 05:12:05 -0700
To: astarling@xtinhat.com
Subject: tinhat
Message-Id: <E12x7Lx-00004L-00@uberhost.net>
Date: Wed, 31 May 2000 05:12:05 -0700
Content-Type: text
X-UIDL: EOc!!3WMd9SK&e9b"De9

There's a lot of nonsense there to wade through, and the way they're presented varies a hell of a lot, which complicates the business of reading them.

The other big complication is that much of the information is useless - it can be tampered with by the sender. This is often called faking or spoofing, but these words seem harsh since most of the time it's adjusted for perfectly legitimate reasons. Almost every mail I send has an adjusted header because I use so many different email addresses, computers and ISPs.

The main item of genuine information in a full header is the name of the sender's ISP (Internet Service Provider).

Here's a procedure for extracting the sender's ISP from a header. If it doesn't work for you, let me know.

Discount all of the following:

  • Your own email address, in this case astarling@xtinhat.com
  • Your own incoming mailbox details, in this case springer.magweb.net.uk. If you're not sure what this is, you'll find it hidden away in the depths of your mailing program, but often it's easily recognisable - it's either got your ISP's name in it or your Web site host if you run a site.
  • The address the mail claims to come from (the "from" address that you see when reading the email in its normal form), in this case websmostlinked.com

Anything left over that looks like an email address or Internet domain is of interest. In this case the only thing left over is three references to the domain uberhost.net, so we've easily identified the ISP that originally handled the message for the sender. That's valuable information and it's genuine.

If you discount all the bits mentioned above and there's nothing left over, then the address the email claims to come from is a true address and the domain (the bit after the @ in the email address) is the sender's ISP.

Webmail companies such as Yahoo Mail and Hotmail are effectively their own ISPs, and so are some other big companies.

If you have lots of interesting stuff left over, you're looking at mail that's gone through a forwarding system. The sender's ISP is usually:

  • the first of the left-overs
  • mentioned twice or more
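
The discounting procedure above, written out as an added Python example (not part of the original article). The function names are hypothetical, the sample is the example header from this page with its continuation lines folded, and preferring a repeated left-over over a single mention is an assumption about how to combine the two hints.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Sample input: the example header from this page (the relay IP is blank there too).
SAMPLE = """\
Received: from uberhost.net (websmostlinked.com [])
\tby springer.magweb.net.uk (8.9.3/8.9.3) with ESMTP id FAA06564
\tfor <astarling@xtinhat.com>; Wed, 31 May 2000 05:14:48 +0100 (BST)
From: sub@websmostlinked.com
Received: from nobody by uberhost.net with local (Exim 3.14 #2)
\tid 12x7Lx-00004L-00
\tfor astarling@xtinhat.com; Wed, 31 May 2000 05:12:05 -0700
To: astarling@xtinhat.com
Subject: tinhat
Message-Id: <E12x7Lx-00004L-00@uberhost.net>
Date: Wed, 31 May 2000 05:12:05 -0700
Content-Type: text
X-UIDL: EOc!!3WMd9SK&e9b"De9
"""

# Anything shaped like host.domain.tld; version strings such as 8.9.3 do not match.
DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def leftover_domains(raw, my_address, my_mailbox):
    """Count the domains that remain after the three discounts."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    discount = {my_address.rpartition("@")[2].lower(),  # your own address
                my_mailbox.lower(),                     # your incoming mailbox
                from_domain}                            # the claimed "from" address
    counts = Counter()
    for _name, value in msg.items():                    # headers in top-to-bottom order
        for dom in DOMAIN_RE.findall(str(value)):
            if dom.lower() not in discount:
                counts[dom.lower()] += 1
    return counts, from_domain

def sender_isp(raw, my_address, my_mailbox):
    """Best guess at the sender's ISP, following the article's heuristic."""
    counts, from_domain = leftover_domains(raw, my_address, my_mailbox)
    if not counts:                      # nothing left over: take the "from" domain
        return from_domain
    repeated = [d for d in counts if counts[d] >= 2]
    return (repeated or list(counts))[0]  # first left-over, repeated ones preferred

if __name__ == "__main__":
    print(sender_isp(SAMPLE, "astarling@xtinhat.com", "springer.magweb.net.uk"))
```
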

Once you've identified the ISP, enter it as a Web site address in the URL field of your Web browser and see what comes up.

An additional complication is that people sometimes disguise themselves by using what are called remailers, which forward mail anonymously. The only information you get from their headers is the name of the remailer, and they're usually not very helpful organisations.

If you receive mail via a remailer, the sender is making an effort to stay anonymous. There's no other reason to use one.

Another bit of interesting information that's sometimes shown in full headers is the X-Mailer. It's missing from the example above. This tells you what kind of mail program was used to create the original message, and sometimes even the operating system.

Sometimes you also see "helo=" and after this (unbelievably) appears the sender's username from their own computer. How secure is that?

copyright Foxglove Media Ltd 2002. See disclaimer and republishing guidelines.