Tags:





Email Forensics
February 12, 2008 2:16 PM   RSS feed for this thread Subscribe

Where can I find information about email headers? I'd like to learn how to look at an email header and answer such questions as "Was this email forged?" and "What is the IP of the sender and the sender's ISP?"

Thanks for your help. Examples of email header parsing would be welcome as well.
posted by about_time to computers & internet (9 comments total) 13 users marked this as a favorite
It's pretty much just experience; taking an e-mail and reading through it, then looking up stuff you don't know.

But try this site, it's a pretty good intro: http://www.uic.edu/depts/accc/newsletter/adn29/headers.html
posted by hubris at 2:21 PM on February 12, 2008


Also, this.

Note that each e-mail client (sending program like Outlook) and server (sending and receiving) add their own twists and turns. Spam and virus filters also add another "layer" of fingerprint info.
posted by rokusan at 2:50 PM on February 12, 2008


Sam Spade is a useful tool for investigating the bits and pieces of headers.
posted by elle.jeezy at 3:18 PM on February 12, 2008


The main thing is to follow the "received" headers. Each server adds a new header to the top of the list. So a proper email should look like:

Received from C by D;
Received from B by C;
Received from A by B;

Each time the server named after "from" should be the server named after "by" on the line below.

When headers have been forged, you will see something like:

Received from P by Q;
Received from O by P;
Received from M by N;

There is a break in the logic. P is the actual origin of the message and all headers below "Received from O by P;" are forged.
posted by winston at 3:27 PM on February 12, 2008


You mean O is the origin, yes?
posted by yclipse at 6:29 PM on February 12, 2008


alt.spam FAQ: Tracing an e-mail message
posted by DevilsAdvocate at 6:57 PM on February 12, 2008


Thanks, yclipse. You are correct.
posted by winston at 11:24 AM on February 13, 2008


Though, now that I think of it, we don't know for certain that the "received by O" part is correct, just that it was actually P who added that header
posted by winston at 11:27 AM on February 13, 2008


from O. I'll stop now
posted by winston at 11:28 AM on February 13, 2008


« Older Do any of the various car sear...   |   I am a soon-to-be graduate of ... Newer »
This thread is closed to new comments.