Tuesday, June 28, 2005
Understanding email headers
Every email that you receive contains some header data along with the viewable message. Most email clients, whether online ones like Yahoo or desktop ones like Outlook, hide this header information, since it makes little sense to the average user. But if you are interested and want to dig deeper, the headers reveal some nice nuggets of information.
First, let's talk about how to view email header information in various clients:
Yahoo: Open an email. There is an option on the right side that says "Full Headers".
Hotmail: Go to Options -> Mail Display Settings -> Message Headers. Then select "Advanced". Now you will see the headers along with each email.
Here are some of the interesting headers:
- Message-ID: A unique ID that is assigned, usually, by the first mail server. It looks something like this: 26371062.1119955958999.JavaMail.root@fac501. In fact, having JavaMail in this field indicates that the backend used to send out emails is Java. This can be useful information for hackers/crackers.
- Return-Path: This is usually the email address that receives a bounce message if delivery fails. It is part of the trace field group.
- Received: Every relay MTA (Mail Transfer Agent) adds its own "Received" header to the message. This field is also used by SMTP gateways to detect message looping. Going through all the Received headers gives you a trace of how the message was passed around before reaching you. This field usually contains an IP address and/or domain name, so you can easily find out information about the various MTAs by doing an IP WHOIS search on the IP address (check out my Find who what where from IP Address post).
- From: This field contains the email address of the sender. It can easily be forged.
- Reply-To: This field contains an email address that will be used when you hit the reply button on your email client. Usually this field has the same value as the From field.
- X-Mailer: Usually this field indicates what kind of application/client was used to send out the email. If someone sent you an email using Outlook, the X-Mailer would look like: Microsoft Outlook, Build 10.0.6626. This is an optional field, but if present it can reveal the environment of the person sending you the email. So don't reply to spam emails; you might end up giving away information about your environment.
- X-Headers: Basically, any header field starting with X- is a custom field and is used by many applications/services for proprietary reasons. These fields also reveal some nice inner details/workings of the application/client/service that sent out the email. X-Mailer (above) is an example of an X-Header.
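As an added example (not code from the original post), here is a small Python script that parses a constructed message, walks the Received headers oldest-first (each MTA prepends its own line, so the bottom one is the first hop) and applies the From/Reply-To, X-Mailer and Message-ID checks described above. All hostnames, IPs and IDs in the sample are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; none of these hosts, addresses or IDs are real.
SAMPLE = """Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx.example.org with ESMTP id abc123
 for <bob@example.org>; Tue, 28 Jun 2005 10:05:12 -0700
Received: from [192.0.2.25] (unknown [192.0.2.25])
 by relay.example.net with SMTP id xyz789;
 Tue, 28 Jun 2005 10:04:58 -0700
Message-ID: <26371062.1119955958999.JavaMail.root@fac501>
From: Alice <alice@example.com>
Reply-To: other@example.net
X-Mailer: Microsoft Outlook, Build 10.0.6626
Subject: hello

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return hops oldest-first as (from_host, from_ip, by_host) tuples.
    Each relay prepends its Received line, so the last one is the first hop."""
    msg = message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        line = " ".join(line.split())          # unfold continuation lines
        m_from = re.search(r"from (\S+)", line)
        m_by = re.search(r" by (\S+)", line)
        m_ip = IP_RE.search(line)               # bracketed IP, if the MTA logged one
        hops.append((m_from.group(1) if m_from else None,
                     m_ip.group(1) if m_ip else None,
                     m_by.group(1) if m_by else None))
    return hops

def header_flags(raw):
    """Checks from the post: Reply-To differing from From, a disclosed
    X-Mailer, and a JavaMail backend hint in the Message-ID."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return {
        "reply_to_differs": bool(reply_addr) and reply_addr != from_addr,
        "x_mailer": msg.get("X-Mailer"),
        "javamail_backend": "JavaMail" in (msg.get("Message-ID") or ""),
    }

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print("hop: from %s (%s) by %s" % hop)
    print(header_flags(SAMPLE))
```

The first hop's IP is the one worth looking up with an IP WHOIS search; the hops above it are relays you already trust.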
Copyright Anand Jain 2004, 2005. All rights reserved.