What is an Email Header?
Every email carries a header, which is one part of the structure of an e-mail message. It holds basic information such as who the email is from, whom it is addressed to, the date and time it was sent and its subject; it is similar to an electronic postmark. This basic information is what a brief header contains, and most email programs show it automatically. An email also carries further technical detail, and this detail can only be seen in the full header. All email programs can be set to show either the brief header or the full header, and it is up to the user to set the program to show one or the other.
A full header includes information such as the names of the mail servers the email passed through on its way to the recipient, the recipient's and sender's IP addresses and even the name and version of the email program used. This information is essential when analysing and investigating cases involving email abuse, spamming and mail bombing, and it is not found in a brief header. Thus, anyone reporting a case involving email abuse, worm-infected email, harassment or forgery to their ISP or to their CERT team should include the full header.
Examples of Headers
A brief header looks like this and carries the following information:
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: [email protected]
To: [email protected]
Subject: happy holiday
A full header looks like this and carries the following detailed information:
Return-Path: [email protected]
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: [email protected]
Message-Id: <[email protected]>
To: [email protected]
Subject: happy holiday
Status: RO
X-Status:
What is in a Header?
Now let us look at what is in a header. The header contains the "name" and "address" of the sender, of the recipient and of anyone who is being copied, the "date" and "time" the mail was sent and the "subject" of the mail. The header exists mainly so that computers can route the mail to you. The "Received:" lines identify the mailers: they show which mailers the mail was routed through before it reached the recipient. Over the Internet a mail will usually pass through several mailers before it finally reaches the recipient. This information helps in tracing the source IP address of the sender.
How to read a Header?
Return-Path: [email protected]
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: [email protected]
Message-Id: <[email protected]>
To: [email protected]
Subject: happy holiday
Status: RO
X-Status:
Now let us see what they mean:
- Return-Path: [email protected]
The Return-Path line gives the address to which a reply to this mail will be sent.
- Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
The preceding lines are the routing information: they tell where the mail went and the time it arrived at each mailer. To follow the flow, they have to be read backwards. So this particular mail originated from hole.com and was mailed to relay13.jaring.my; from there it went to ace.cdc.abu.com, which is the recipient's Internet host. If your mail bounces, this part of the header shows how far the mail went and which machine rejected it.
- Message-Id: <[email protected]>
The Message-Id line is intended mainly for tracing mail routing and uniquely identifies each mail.
- From: [email protected]
The 'From' line shows who sent the mail and his/her email address.
This 'From' information can easily be faked or forged.
- To: [email protected]
The 'To' line lists the email address or addresses of the recipients of the mail. There might also be a Cc line, which lists all the people who received copies of this mail.
This address could also be a hidden list of addresses; thus your email address may not appear here even though you received the mail.
- Subject: happy holiday
The Subject line gives some idea of what the mail is about.
- Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
The Date line gives the date and time this mail was originally sent, in the sender's local time zone.
Note: the exact order of the lines in an email's header may vary from system to system, but it will always include these fundamental headers, which are vital for delivery.
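The backwards reading of the Received: lines described above, as an added example that is not part of the original article: it parses the full header shown on this page and lists the hops in delivery order, ending at the originating IP address. The header is re-folded so that continuation lines start with whitespace, the empty "for ;" clauses are kept as they appear, and the mailbox addresses and Message-Id are placeholders, since the page does not show the real ones.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the full header from this page, re-folded. Mailbox
# addresses and the Message-Id are placeholders (example.invalid), not the
# original values; host names, IPs, ids and timestamps are as shown on the page.
SAMPLE_HEADER = """\
Return-Path: <sender@example.invalid>
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
\tby ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
\tfor ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
\tby relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
\tfor ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: sender@example.invalid
Message-Id: <placeholder-id@example.invalid>
To: recipient@example.invalid
Subject: happy holiday
"""

# One hop: "from <name the sender announced> (<reverse DNS> [<IP>]) by <receiving mailer>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)

def trace_path(raw_header):
    """Return the Received: hops in delivery order (origin first).
    Each mailer prepends its own Received: line, so the header lists hops
    newest-first; reading it backwards follows the mail to the recipient."""
    hops = []
    for value in reversed(HeaderParser().parsestr(raw_header).get_all("Received", [])):
        value = " ".join(value.split())          # unfold the continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue                             # non-standard line: skip, do not guess
        hop = m.groupdict()
        hop["date"] = value.rsplit(";", 1)[1].strip() if ";" in value else None
        # The name after "from" is what the connecting host announced about itself;
        # the reverse-DNS name and IP in parentheses were recorded by the receiving
        # mailer, so the IP is the value to rely on and a mismatch is worth noting.
        hop["name_mismatch"] = bool(hop["rdns"]) and hop["helo"] != hop["rdns"]
        hops.append(hop)
    return hops

def originating_ip(hops):
    return hops[0]["ip"] if hops else None       # IP seen by the first relay
```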
How to retrieve a full header?
Without the full header of the original e-mail it is impossible to determine the originating IP address of the email and so to trace its sender. Do take note that the information in a header can be forged, especially the 'From' and 'To' lines. However, in a full header the routing information, including the originating IP address, cannot be forged. Thus it is essential to analyse the routing information and the source/originating IP address to assist in cases involving email abuse, harassment, forgeries etc.
By default, your email program is not set to show the full header. You must change your email program's properties in order to retrieve the full header.