What is an Email Header?

Every email comes with a header, which is one part of the structure of an email. It carries basic information such as whom the email comes from, whom it is addressed to, the date and time it was sent and the subject of the email. It is similar to an electronic postmark. This basic information appears in the brief (basic) header that most email programs show automatically. However, an email also carries more detailed technical information, which can be viewed in the full header. All email programs can be set to show either the brief header or the full header, and it is up to the user to choose which one to view.

The full header has information such as the names of the mail servers that the email passed through on its way to the recipient, the recipient's and sender's IP addresses and even the name and version of the email program used. This information is essential for analysis and investigation in cases involving email abuse, spamming and mailbombing. It cannot be found in a brief header. Thus, it is important for anyone reporting to their ISP or to their CERT team to include the full header in cases involving email abuse, worm-infected email, harassment and forgeries.

Examples of Headers

Brief Header

A brief header looks like this, with the following information:

Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: [email protected]
To: [email protected]
Subject: happy holiday

Full Header

A full header looks like this, with the following detailed information:

Return-Path: [email protected]
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: [email protected]
Message-Id: <[email protected]>
To: [email protected]
Subject: happy holiday
Status: RO
X-Status:

What is in a Header?

Now let's look at what is in a header. The header contains the "name" and "address" of the sender, the recipient and anyone who is being copied, the "date" and "time" the mail was sent and the "subject" of the mail. The header exists mainly for the computer to route mail to you. The "Received:" item indicates the mailers: it shows which mailers the mail was routed through before it reached the recipient. Usually, over the Internet, mail goes through several mailers before it finally reaches the recipient. This information helps in tracing the source IP address of the sender.

How to read a Header?

Return-Path: [email protected]
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: [email protected]
Message-Id: <[email protected]>
To: [email protected]
Subject: happy holiday
Status: RO
X-Status:

Now let's see what they mean:

  • Return-Path: [email protected]

    The Return-Path line gives the address to which the reply to this mail will be sent.

  • Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
    by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
    for ; Fri, 8 May 1998 10:01:01 +0800
    Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
    by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
    for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)

    The preceding lines are the routing information, which tells where the mail went and the time it arrived at each mailer. To follow the flow, they have to be read backwards. So, this particular mail originated from hole.com and was mailed to relay13.jaring.my. It then went on to ace.cdc.abu.com, which is the recipient's Internet host. So, if your mail bounces, this part of the header shows how far the mail went and which machine rejected it.

  • Message-Id: <[email protected]>

    The Message-Id line is intended mainly for tracing mail routing and uniquely identifies each mail.

  • The 'From' line shows who sent the mail and his/her email address.
    This 'From' information can easily be faked/forged.

  • The 'To' line lists the email address(es) of the recipients of the mail. There might also be a Cc line, which lists all the people who received copies of this mail.
    This address could also be a hidden list of emails; thus your email address may not appear here even though you received the mail.

  • Subject: happy holiday

    The Subject line gives some idea of what the mail is about.

  • Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)

    The Date line lists the date and time this mail was originally sent, in the sender's local time zone.

Note: the exact order of an email's header lines may vary from system to system, but the header will always include these fundamental lines, which are vital for delivery.
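The backwards reading of the Received lines described above, as an added example that is not part of the original page: it parses the two Received lines of the sample header, orders them oldest-first, and flags a hop whose announced name differs from the host name the receiving server recorded for its IP. It assumes the sendmail-style "from NAME (HOST [IP]) by SERVER" layout shown on this page; trace and chain_breaks are illustrative names.

```python
import re
from email import message_from_string

# The two Received lines and the Date/Subject from the page's sample header.
# From/To are left out because their addresses are redacted on the page.
RAW = """\
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
    by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
    for ; Fri, 8 May 1998 10:01:01 +0800
Received: from hole.com (j19.kch18.jaring.my [161.142.54.153])
    by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
    for ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
Subject: happy holiday

(body)
"""

# Assumed layout (sendmail style, as on this page):
#   from <announced name> (<looked-up host> [<IP>]) by <receiving server>
HOP = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]\) by (\S+)")

def trace(raw):
    """Return the relay hops oldest-first. Each server prepends its own
    Received line, so header order is newest-first and must be reversed."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))   # unfold continuation lines
        if not m:
            continue                              # layout this example does not cover
        helo, host, ip, by = m.groups()
        hops.append({"helo": helo, "host": host, "ip": ip, "by": by,
                     "helo_mismatch": helo.lower() != host.lower()})
    return hops

def chain_breaks(hops):
    """Indexes of hops whose sending host is not the server that recorded
    the previous hop, i.e. places where the chain does not join up."""
    return [i for i in range(1, len(hops))
            if hops[i]["host"].lower() != hops[i - 1]["by"].lower()]

if __name__ == "__main__":
    for n, h in enumerate(trace(RAW), 1):
        note = "  <-- announced name differs from host" if h["helo_mismatch"] else ""
        print(f"{n}. {h['helo']} ({h['host']} [{h['ip']}]) -> {h['by']}{note}")
```

The IP in brackets is written by the receiving server, while the name before the parentheses is whatever the sending machine announced; here the first hop announced hole.com but connected from j19.kch18.jaring.my [161.142.54.153]. Only Received lines added by servers you trust should be relied on when reporting the originating IP.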

How to retrieve a full header?

Without the full header of the original email, it would be impossible to determine the originating IP address of the email and further trace its sender. Do take note that information in the header can be forged, especially the 'From' and 'To' lines. However, in a full header, information such as the routing information and the originating IP address cannot be forged. Thus it is essential to analyse the routing information and the source/originating IP address to assist in cases involving email abuse, harassment, forgeries, etc.

By default, your email program is not set to show the full header. You must change your email program's properties in order to retrieve the full header.

No.   Email Client   How to retrieve full header

1. Claris E-Mailer
   Under Mail select Show Long Headers.

2. Eudora Light
   Select Tools --> Options --> Fonts & Display then Show all headers.

3. Eudora Pro
   Open the mail, double click on the subject line.

4. Gmail
   1. Open the message you'd like to view headers for.
   2. Click the down arrow next to Reply, at the top-right of the message pane.
   3. Select Show original.

5. HotMail
   To expose the full message header, click "Options" on the Hotmail Navigation Bar on the left side of the page. On the Options page, click "Preferences." Scroll down to "Message Headers" and select "Full."

6. Lotus Notes 4.6.x
   From the menu bar, select Actions, then Deliver Information. Copy the information from the bottom box into your e-mail report at the top of the spam.

7. Lotus Notes R5
   From the menu bar, select Actions, then Tools, then Delivery Information. Copy the information from the bottom box into your e-mail report at the top of the spam.

8. Lotus Notes 6.x
   In Lotus Notes Version 6.x, you can retrieve the full header information by clicking on View/Show/Page Source. This will show the entire contents of the message, with the headers at the top of the message.

9. Outlook 97
   Microsoft Outlook 97 may require an update called the Internet Mail Enhancement Patch (http://office.microsoft.com/downloads/9798/outlimep.aspx) in order to display the email headers. After applying the patch, you should be able to view the headers by selecting the message, then going to the File menu and selecting Properties.

10. Outlook 98 and Outlook 2000
    Open the message and select View, then Options from the drop-down menus. Near the bottom of the screen you'll see a section titled INTERNET HEADERS. You can copy the headers and paste them into an email elsewhere to get them to the proper people.

11. MSN Hotmail
    1. Select Options from the top MSN Hotmail navigation bar.
    2. Make sure the Mail category is selected.
    3. Choose Mail Display Settings.
    4. Set Message Headers to Full.
    5. Click OK.
    6. Now you can go back to the MSN Hotmail Inbox (or any folder) to open a message with full headers.
 
12. MS Outlook Express 4, 5 and 6 for Windows

    There's an even easier solution to expanding Microsoft's Outlook Express headers so that you can copy and paste them to another window. You need to be viewing the message in its own window or in a preview pane, then:

      1. Right click on the message and select Properties.
      2. Choose the Details tab and select the Message Source button.
      3. Select All (CTRL + A) and Copy (CTRL + C).
      4. Close the Message Source window and the Properties window.
      5. Select New Mail and position your cursor in the body of the email.
      6. Paste (CTRL + V) the copied information.

    If you have disabled the preview pane, use the keyboard:

      1. Highlight the message in the folder
      2. Press Alt & Enter - this will open a message information window
      3. Press Ctrl & Tab - this changes to the "Details" tab
      4. Press Alt & M - this opens the message source
      5. Press Ctrl & A - to select all the text
      6. Press Ctrl & C - to copy the selected text to the clipboard
      7. Press Alt & F4 - to close the message source window
      8. Press the Esc key - to close the information window
      9. Now, open a new message.

    Address the message to the WHOA ISA who is working with you or to the abuse department to whom you wish to report the message. Move your cursor to the body of the new message. Press Ctrl & V to paste the information from the clipboard to the body of the new message.

13. Outlook Express for Macintosh
    Select the email. From the View menu, choose Source. A new window will appear containing the email with full headers. Press command+a to select all, then command+c to copy.

14. Outlook Web Access
    1. Left click on the letter you want to open and click on Properties.
    2. When that opens, click on the Details tab.
    3. Then click on Message Source.
    4. This will open the email so the full headers will be available for viewing.
    5. Select and copy the text. Paste into a new message.

15. Netscape 3
    In the mail viewing window: Options, Show Headers, All. When all the headers are displayed in the NS3 mail window, they are formatted. This is much more readable than the display in a text editor such as Notepad.
 

16. Netscape 4.xx and above
    Double click on the email in your inbox. Click on View - Headers - All.

17. Nettamer
    This is an MS-DOS based email and USENET group reader. You must save the message as an ASCII file; the full header will then be displayed when you open the saved file with your favorite ASCII editor.

18. Pegasus mail
    To view the full headers for each message, use CTRL-H. This will show the full headers for the particular message, but will not add them to any reply or forward. You need to cut/paste the message into the reply/forward to send these headers.

19. PINE
    In the Main Menu go to Setup, type C for configure, highlight enable-full-header-cmd and press X to set it if it is not already set. Then go to the mail and press H for header.

20. Thunderbird
    1. Open the message you'd like to view headers for.
    2. From the View menu select "Message Source".

21. Windows Live Hotmail
    1. Click on the desired message in the list with the right mouse button.
    2. Select View source from the menu.

22. Yahoo
    Log into your Yahoo! Mail account.

    For New Yahoo Mail:

      • Right-click on the email to view in the message listing.
      • Choose "View Full Headers" from the action list.

    For Yahoo Mail Classic:

      • Open the email to view.
      • Go to the bottom of the message.
      • Click "Full Headers" in the lower-right corner of the page.

23. Microsoft Office 2003 & 2007
    1. Right click on the message in its mailbox and select Message Options.
    2. The full email header is located in the Internet Headers box at the bottom of the popup.

24. Apple Mail
    1. Select the email for which you want to retrieve the full header.
    2. Click on View, choose Message, and select Raw Source.