|
|
Email HeadersTo handle complaints about email, it is often necessary to obtain detailed information about a particular message. This information is included in every message but isn't normally displayed to the computer operator. However, every email client can be configured to show this information. After the information is displayed, it can be cut and pasted into another email message or other document to be forwarded to the investigator. Here is how.
JMU WebMail ( Mirapoint ) After clicking on a message to read it, at the top of the message will be a line of commands labeled:
Click the Open link and the full headers will be displayed along with the message in a new window.
Outlook
Outlook Express 5.5
Netscape, Thunderbird, SeaMonkey
Other Mail Clients Instructions for accessing the headers when using other mail clients can be found on the SpamCop web.
FYI The lines preceded by "Received:" are supposed to show the systems through which the message traveled. The last "Received" line should show the IP address of the originating computer. This is useful to find the true sender of things like the Klez virus. An example message is shown below. The apparent (faked) address seen by the recipient is in green. The true sending computer's address is in RED. This is the address you want to plug into one of the Internet registry sites to determine what ISP hosts this infected computer. If the mail system authenticates sending users, there may be a field that contains the true sending email address. There is one in this message in blue.
Return-Path: <JMUeID@jmu.edu> Note that almost all the information in the headers, and thus all the information normally displayed in the message, can be forged in one way or another. To locate a computer with a particular IP address, type the IP address into one of the Internet Number registry web pages below. This will typically tell you the Internet Service Provider and often the originating organization. If the address is associated with viruses or spam, an email message drafted to the ISP (typically to abuse@isp) may prompt them to disable the account or to contact the owner of the sending computer and encourage them to R.U.N.S.A.F.E or cease inappropriate behavior. Start with the ARIN registry. It will tell you if the IP address is registered somewhere else and where you need to go. ARIN ( North and South America, Caribbean, and sub-Saharan Africa ) LACNIC (Latin America and Caribbean) Many organizations maintain a mailbox for complaints named "abuse". So, for example, if you find the IP address belongs to America Online (AOL), you can send the information to abuse@aol.com. Make sure you include the full headers or they will not be able to determine the actual sender.
Other resources: Reading Email Headers - StopSpam.org
For more information on e-mail headers and tracing messages, see the alt.spam FAQ. |
|