Headers are the e-mail's footprints in the sand, and will allow one to trace the message from its origin to its destination. Each computer that the mail passes through attaches identifying information in a 'Received' line, such as where the mail came from, the machine's name, and the date and time the mail passed through it. There can be one 'Received' line or there can be many; the newest one is always placed on top. Since newer headers are placed on top, the earliest 'Received' line (the one at the bottom) will usually show the message origin. Take a look at the sample header below:
Return-Path:
Received: from mail4.sample.net (mail4.sample.net [200.197.247.2])
    by mail.pacbell.net (8.8.7/(97/09/12 5.12))
    id IAA10673; Tue, 4 Nov 1997 08:15:37 -0500 (EST)
Errors-To:
Received: from mai1.test.com (mai1.test.com [200.238.107.3])
    by mail4.sample.net (8.8.5/8.8.5) with SMTP id IAA21240
    for ; Tue, 4 Nov 1997 08:15:35 -0500 (EST)
Message-Id:
X-Mailer: ccMail Link to SMTP R6.00.02
Date: Tue, 04 Nov 97 07:18:09 -0600
From: "Administrator"
To:
Subject: NVAM
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Now run nslookup on the IP address shown in that 'Received' line:
nslookup 200.238.107.3
You get the following response (note: the domains and IP addresses used in this document are false, so you won't really get this response):
Name: mail.test.com
Address: 200.238.107.3
The name should match what is in the parentheses. If it does not, then that header was forged. The IP address is very difficult to forge and will point back to the originating domain. Once you know where the e-mail came from, you can file a complaint with the postmaster of the domain (postmaster@test.com). In the complaint you will need to include the full header information so the culprit can be tracked down. This method will not work 100% of the time because of forgeries, but this document should give you a basic understanding of e-mail headers. For more information and further explanation of e-mail headers, see: http://www.stopspam.org/email/headers/headers.html
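The check described above, written out in Python as an added example (not part of the original document): parse the 'Received' lines of a message, walk them from the bottom up so the origin comes first, and compare the name in parentheses against what the address resolves to. The REVERSE_DNS table stands in for nslookup so the code runs offline; its 200.197.247.2 entry and the function names are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample built from the header shown above; continuation lines are
# indented so the parser folds them, and the elided "for" address is left blank.
RAW_MESSAGE = """\
Received: from mail4.sample.net (mail4.sample.net [200.197.247.2])
    by mail.pacbell.net (8.8.7/(97/09/12 5.12))
    id IAA10673; Tue, 4 Nov 1997 08:15:37 -0500 (EST)
Received: from mai1.test.com (mai1.test.com [200.238.107.3])
    by mail4.sample.net (8.8.5/8.8.5) with SMTP id IAA21240
    for ; Tue, 4 Nov 1997 08:15:35 -0500 (EST)

"""

# Stands in for nslookup so the example runs offline. 200.238.107.3 is the
# answer shown on the page; the 200.197.247.2 entry is constructed.
REVERSE_DNS = {
    "200.238.107.3": "mail.test.com",
    "200.197.247.2": "mail4.sample.net",
}

# Matches "from <claimed name> (<name the receiving server saw> [<address>])"
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def parse_received(raw_message):
    """Return the Received hops in delivery order: origin first, last hop last."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):  # newest is on top
        text = " ".join(header.split())                    # unfold the header
        m = RECEIVED_FROM.search(text)
        if not m:
            continue                                       # no usable "from" clause
        by = re.search(r"\bby\s+(\S+)", text)
        hops.append({"claimed": m.group(1), "recorded": m.group(2),
                     "ip": m.group(3), "by": by.group(1) if by else None})
    return hops

def check_hops(hops, lookup=REVERSE_DNS):
    """The page's test: the resolved name must match the name in parentheses."""
    for hop in hops:
        resolved = lookup.get(hop["ip"])
        hop["resolved"] = resolved
        hop["forged"] = resolved is None or resolved.lower() != hop["recorded"].lower()
    return hops

def origin(raw_message, lookup=REVERSE_DNS):
    """The earliest Received line, i.e. the hop nearest the sender."""
    hops = check_hops(parse_received(raw_message), lookup)
    return hops[0] if hops else None
```

On the page's sample the bottom line records mai1.test.com while the address resolves to mail.test.com, so that hop is flagged; the top line resolves consistently and passes.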