Reading email headers
Usually you only see an abbreviated version of the sender's details, but the full version offers more information. You can see it by pressing the "blah blah blah" button in Eudora. In Outlook it appears when you click on View > Options.
If you're using a different mailer, you can find the full header viewing procedures on this page at the WHOA site. I don't agree with some of the things they say about headers, but the disagreements are minor and the procedure links are good.
Here's an example of a full header:
Received: from uberhost.net
The other big complication is that much of the information is useless - it can be tampered with by the sender. This is often called faking or spoofing, but these words seem harsh since most of the time it's adjusted for perfectly legitimate reasons. Almost every mail I send has an adjusted header because I use so many different email addresses, computers and ISPs.
The main item of genuine information in a full header is the name of the sender's ISP (Internet Service Provider).
Here's a procedure for extracting the sender's ISP from a header. If it doesn't work for you, let me know.
Discount all of the following:
Anything left over that looks like an email address or Internet domain is of interest. In this case the only thing left over is three references to the domain uberhost.com, so we've easily identified the ISP that originally handled the message for the sender. That's valuable information and it's genuine.
If you discount all the bits mentioned above and there's nothing left over, then the address the email claims to come from is a true address and the domain (the bit after the @ in the email address) is the sender's ISP.
Webmail companies such as Yahoo Mail and Hotmail are effectively their own ISPs, and so are some other big companies.
If you have lots of interesting
stuff left over, you're looking at mail that's gone through a forwarding system.
The sender's ISP is usually
Once you've identified the ISP, enter it as a Web site address in the URL field of your Web browser and see what comes up.
An additional complication is that people sometimes disguise themselves by using what are called remailers, which forward mail anonymously. The only information you get from their headers is the name of the remailer, and they're usually not very helpful organisations.
If you receive mail via a remailer, the sender is making an effort to stay anonymous. There's no other reason to use one.
Another bit of interesting information that's sometimes shown in full headers is the X-Mailer. It's missing from the example above. This tells you what kind of mail program was used to create the original message, and sometimes even the operating system.
Sometimes you also see "helo=" and after this (unbelievably) appears the sender's username from their own computer. How secure is that?
copyright Foxglove Media Ltd 2002. See disclaimer and republishing guidelines.