In previous columns, I’ve mentioned that it’s possible to
identify forged e-mail by reading the e-mail headers. This generated a lot of
feedback, mostly from readers wanting to know how to do it.
E-mail headers, as a topic for Internet security, aren’t as
exciting as an exploit or the latest Internet worm. But learning how to quickly
determine the authenticity of e-mail is important—especially if someone is
abusing an open SMTP relay on your network.
I remember when forging e-mail was unthinkable. Now, I get
so many forged e-mails that I hardly consider any subject to be valid unless I
know the sender personally—with the exception of forged e-mails that claim to
have come from my own e-mail account. There’s nothing that can stop people from
manipulating e-mail headers, and they’re generally not verifiable unless you
understand how to read them.
When you receive a letter via postal mail, it has a
postmark. If e-mail followed the same logic, you’d be able to see where the
message originated before you opened it. Encrypted e-mails are the exception to
this rule, but the vast majority of e-mail travels as clear text.
While e-mail headers show the path the message took (most recent hop
first, so you read them bottom-up), this doesn't conclusively identify the e-mail
as genuine and sourced from the specified sender. It's no surprise that thousands
of e-mail plagues continue to eat bandwidth and infest the Internet.
Every e-mail program that I’ve seen can display message
headers. How you view the headers depends on the program that you use.
You can toggle some programs, such as Mutt (the UNIX console
e-mail program), to always show e-mail headers. In Mutt, simply press the [H]
key to toggle the display of message headers.
To display e-mail headers in Microsoft Outlook, right-click
a message, choose Options, and scroll through the Internet Headers section
that’s located at the bottom of the Options dialog box. For Outlook Express,
right-click the e-mail, select Properties, and choose the Details tab. If you
use a different e-mail program, the Help file should provide adequate
Here are the actual headers from a forged unsolicited
commercial e-mail (UCE) that I received in one of my e-mail accounts. The only
thing I’ve altered is my actual e-mail account to email@example.com:
From firstname.lastname@example.org Mon Mar 27 16:54:12 2006
Return-Path: email@example.com
Received: from trademeca.co.kr (unknown [184.108.40.206]) by mail.someplace.com (Postfix) with SMTP id 2304964253A for ; Mon, 27 Mar 2006 16:54:10 -0500 (EST)
Received: from smtp0422.mail.yahoo.com (220.127.116.11) by trademeca.co.kr (18.104.22.168) with [Nmail V3.1 20010905(S)] for from ; Thu, 23 Mar 2006 15:55:00 +0900
Date: Thu, 23 Mar 2006 11:34:52 GMT
From: "Prendawen" firstname.lastname@example.org
Subject: Hey buddie! What's going on?
The Received: headers tell the real story of this poor
forgery, but you have to examine several of these to truly understand the
details. This particular e-mail is identifiable because it doesn’t make any
sense for a person with an AOL account to use one of Yahoo’s e-mail servers to
relay e-mail through a server in the .kr top-level domain, which is Korea.
Furthermore, a DNS lookup failed to find
smtp0422.mail.yahoo.com, so that host name doesn't exist. Even if it did, the
IP address 22.214.171.124 belongs to a network in Germany, which I discovered by
checking the online American Registry for
Internet Numbers (ARIN) database. So don’t waste your time sending a nasty
reply, because chances are that email@example.com didn’t have anything to do
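The walk through the Received: chain described above can be done mechanically. The following Python script is an added example, not part of the column; it uses only the standard library. Its sample input is the forged message's headers as the column prints them, refolded one header per line, with the elided recipient filled in using the column's own email@example.com placeholder. It lists the hops origin-first, then flags the things the column tells you to look for: a hop whose connecting IP has no reverse DNS (the "unknown" in brackets), timestamps that run backwards or sit days apart between hops, a Date: header later than the first server's stamp, and a claimed origin host outside the From: domain. The 24-hour delay threshold and the finding codes are my choices.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the column's forged UCE headers, one header per line,
# recipient filled in with the column's own email@example.com placeholder.
SAMPLE = """Return-Path: <email@example.com>
Received: from trademeca.co.kr (unknown [184.108.40.206])
\tby mail.someplace.com (Postfix) with SMTP id 2304964253A
\tfor <email@example.com>; Mon, 27 Mar 2006 16:54:10 -0500 (EST)
Received: from smtp0422.mail.yahoo.com (220.127.116.11)
\tby trademeca.co.kr (18.104.22.168) with [Nmail V3.1 20010905(S)]
\tfor <email@example.com>; Thu, 23 Mar 2006 15:55:00 +0900
Date: Thu, 23 Mar 2006 11:34:52 GMT
From: "Prendawen" <firstname.lastname@example.org>
Subject: Hey buddie! What's going on?

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Split one Received: header into the parts worth reading.

    Only the 'by' host and the connecting IP are recorded by the server that
    wrote the line; the 'from' name is whatever the peer claimed.
    """
    text = " ".join(value.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    comment = (m_from.group(2) or "") if m_from else ""
    ip = IPV4.search(comment)
    date = None
    if ";" in text:  # the timestamp follows the last semicolon
        try:
            date = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return {"from": m_from.group(1) if m_from else None,
            "from_comment": comment,
            "ip": ip.group(1) if ip else None,
            "by": m_by.group(1) if m_by else None,
            "date": date}


def hops(raw):
    """Received: lines appear newest-first; return them origin-first instead."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def audit(raw, max_delay=timedelta(hours=24)):
    """Return (code, detail) findings that make a header chain worth a closer look."""
    msg = message_from_string(raw)
    chain = hops(raw)
    findings = []
    # 1. The receiving server could not map the connecting IP back to a name.
    for i, hop in enumerate(chain, 1):
        if hop["from_comment"].lower().startswith("unknown"):
            findings.append(("no-reverse-dns",
                             f"hop {i}: {hop['by']} has no reverse DNS for {hop['ip']}; "
                             f"'{hop['from']}' is only what the peer claimed"))
    # 2. Adjacent hops stamped out of order or days apart.
    for i in range(1, len(chain)):
        a, b = chain[i - 1]["date"], chain[i]["date"]
        if a is None or b is None or a.tzinfo is None or b.tzinfo is None:
            continue  # unparseable or zone-less dates cannot be compared
        gap = b - a
        if gap < timedelta(0):
            findings.append(("time-backwards", f"hop {i + 1} is stamped before hop {i}"))
        elif gap > max_delay:
            findings.append(("time-gap", f"{gap} between hop {i} and hop {i + 1}"))
    # 3. Date: (written by the sender) later than the first server's stamp.
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        if chain and chain[0]["date"] is not None and sent.tzinfo is not None \
                and sent > chain[0]["date"]:
            findings.append(("date-after-first-hop",
                             "Date: is later than the first Received: stamp"))
    except (TypeError, ValueError):
        pass
    # 4. Claimed origin host outside the From: domain (a heuristic, not proof).
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origin = chain[0]["from"] if chain else None
    if from_domain and origin and not origin.lower().endswith(from_domain):
        findings.append(("origin-domain-mismatch",
                         f"From: is {from_domain} but the first hop claims {origin}"))
    return findings


if __name__ == "__main__":
    for i, hop in enumerate(hops(SAMPLE), 1):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['date']}")
    for code, detail in audit(SAMPLE):
        print(f"{code}: {detail}")
```

On the column's message this reports all four findings: the hop into mail.someplace.com carries "unknown" for 184.108.40.206, the two stamps are more than four days apart, the Date: header is several hours later than the first server's stamp, and the claimed origin is a yahoo.com host while From: is an example.org address. Only the Received: line added by your own server is trustworthy; everything below it was written by machines the sender controlled or passed through, which is why the findings are prompts for the DNS and ARIN checks the column describes rather than a verdict.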
If it’s so important to view e-mail headers, why don’t all
commercial e-mail programs display them by default? That’s a good question, but
I don’t have the answer. In today’s UCE-infested inboxes, companies should
automatically display e-mail headers with the message. Despite the numerous
e-mail filtering tools that are available, it’s impossible to filter e-mail
perfectly—unless you have the in-depth header information.
Since forgeries are becoming more difficult to identify,
gain experience examining e-mail headers so you can differentiate the good from
the bad. This knowledge will help you report junk e-mails to ISPs or reporting
agencies that track junk e-mailers.
For example, Julian Haight’s SpamCop service scans e-mail headers and
identifies forged e-mail, plus it tells the ISP where the message originated.
SpamCop’s output will, at the very least, give you a better understanding of
how to read e-mail headers.
Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.