HelpDesk
Email Headers
To handle complaints about email, it is often necessary to obtain detailed information about a particular message. This information is included in every message but isn't normally displayed to the computer operator. However, every email client can be configured to show this information. After the information is displayed, it can be cut and pasted into another email message or other document to be forwarded to the investigator. Here is how.
WebMail
After clicking on a message to read it, at the top of the message will be a line of commands labeled:
- Delete Prev Next Reply/All Forward/Inline Open
Click the Open link and the full headers will be displayed along with the message in a new window.
Outlook Express 6.0
- Highlight the message
- File Menu->Properties
- Click Details tab
- Right-click mouse in text area and pick Select All. All the text should now be highlighted.
- Type control-C (hold down control key and type the C key). This puts the selected text in the clipboard.
- You can now open an email message, Notepad, Word, or any other document and insert the selected text by clicking once on the document text area and typing control-V (hold down control key and type the V key).
- Note: The View->All Headers option available when a message is opened in a separate window does not show all headers.
Outlook
- Highlight the message line
- Right-click the message line and choose Options
- The headers will be shown in the Internet Headers area. You can now cut and paste them into another mail message or document.
Netscape Messenger 4.7 and 6.x
- View Menu->Headers->All
FYI
The lines preceded by "Received:" are supposed to show the systems through which the message traveled. The last "Received" line should show the IP address of the originating computer. This is useful to find the true sender of things like the Klez virus. An example message is shown below.
The apparent (faked) address seen by the recipient is in green.
The true sending computer's address is in RED. This is the address you want to plug into one of the Internet registry sites to determine what ISP hosts this infected computer.
If the mail system authenticates sending users, there may be a field that contains the true sending email address. There is one in this message in blue.
Return-Path: <flynngn@jmu.edu>
Received: from heron.jmu.edu (heron2.jmu.edu [134.126.10.52])
by roc.jmu.edu (8.8.8/8.8.8) with ESMTP id IAA07219
for <flynngn@mail.jmu.edu>; Thu, 8 Aug 2002 08:50:32 -0400 (EDT)
Received: from kiwi.jmu.edu (kiwi.jmu.edu [134.126.10.57])
by heron.jmu.edu (Switch-2.1.0/Switch-2.1.0) with ESMTP id g78CoJ508749
for <flynngn@jmu.edu>; Thu, 8 Aug 2002 08:50:19 -0400 (EDT)
Received: from jmu.edu (sslmail.jmu.edu
[134.126.74.91])
(authenticated)
by kiwi.jmu.edu (8.11.6/8.11.0) with ESMTP id g78Cnep07891
for <flynngn@jmu.edu>; Thu, 8 Aug 2002 08:49:40 -0400
Message-ID: <3D526976.D4EBAA34@jmu.edu>
Date: Thu, 08 Aug 2002 08:52:06 -0400
From: Santa Claus@isp.com
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: flynngn@jmu.edu
Subject: Test Message
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Blah. Blah. Blah. SPAM. SPAM. SPAM. Virus. Virus. Virus.
Note that almost all the information in the headers, and thus all the information normally displayed in the message, can be forged in one way or another.