Have you ever been curious about the lines of what looks like gibberish in the headers of email messages? An email message’s header includes not only the From, To, Subject, and Date lines, but also a slew of other lines whose purpose and meaning are often far less clear.
Email programs typically hide most of these lines from you, but you can view the full header with a few mouse clicks. In Microsoft Outlook, select “View” then “Options.” In Gmail, click “More Options” then “Show original” below the subject line. In Eudora, click “Show All Headers.” Other programs offer similar means of displaying these extra lines.
Deciphering this information can indicate if the sender is faking who he is, give you information to stop the person if he’s stalking or harassing you, and tip you off on why your spam filter flagged the email as spam.
Perhaps the most interesting information in these lines is the IP (Internet protocol) address located in the Received line. An IP address is a computer address that identifies a device in a computer network. This typically is a computer, but it can also be a printer, router, or other device. An IP address, like a phone number or street address, is a unique identifier.
IP addresses, however, can be hidden or shared in a similar way that different phone extensions share the same company phone number, so it’s not a foolproof way of identifying who’s behind an email address. Still, it’s often revealing.
Look for the first string of numbers separated by periods in the Received line. One way to uncover the descriptive domain name associated with that IP address is to use the nslookup program on a Windows PC or a Mac.
With Windows XP, click on the Start menu and select Run. Type the word command and press Enter. Type nslookup followed by a space and the IP address, and press Enter. The domain name will be returned in the Name line. Type exit and press Enter to close the command-prompt window.
With Mac OS X, use the program Network Utility in the Applications/Utilities folder. Select the Lookup tab and type the IP address.
One way to use the domain name is in reporting spam, harassment, and other abuse. You can send a complaint to the sender’s Internet service provider by writing to abuse@domain, where “domain” is the domain name you uncovered.
Armed with either the IP protocol or the domain name, you can use the whois program to uncover more information, such as the associated phone numbers and other contact information on record. There are a number of Web sites that offer free whois service, including Whois.Net (www.whois.net).
Other IP addresses in the Received line show the email’s transmission path from the originating computer to you.
Some spammers, however, engage in IP “spoofing,” forging the headers in their emails, or they access computers over the Internet that are unprotected by firewall software and turn them into “zombies,” sending out spam from them.
Another interesting line in an email header is the Return-Path line. This line specifies the email address where any “bounced” or failed emails go. Email transmissions can fail if the recipient’s email address is no longer valid or is misspelled, if the recipient’s email server is busy, if the recipient’s email server blocks the message because it believes the message is spam, if the recipient’s inbox is full, or if an error occurs at some transmission point along the way.
The Content-Type line is where the software used by the sender indicates to the recipient’s email program whether the message will be plain text (text/plain) or formatted HTML (multipart/html or multipart/alternative), which is the same formatting system used by Web pages.
Header lines that begin with X are often used by spam filters to explain why they flagged a particular email as spam.
This provides the basics of what you can do with email headers. England’s University of Bath offers more detailed information about the anatomy of email messages (www.bath.ac.uk/bucs/email/anatomy.shtml). StopSpam (www.stopspam.org/email/headers.html) provides tips on reading email headers along with other information about reducing unwanted mass emails.
The University of Delaware maintains a site on cybercrime (http://126.96.36.199/default.htm) where you can get detailed instructions on how to view email headers in more than 20 different email programs as well as advice on how to avoid becoming a victim of advance-fee fraud, identity theft, and other online crimes.
About.com also has a good page on email headers (http://email.about.com/cs/spamgeneral/a/spam_headers.htm).