By Jonathan Yarden
In previous columns, I’ve mentioned that it’s
possible to identify forged e-mail by reading the e-mail headers.
This generated a lot of feedback, mostly from readers wanting to
know how to do it.
E-mail headers, as a topic for Internet
security, aren’t as exciting as an exploit or the latest Internet
worm. But learning how to quickly determine the authenticity of
e-mail is important–especially if someone is abusing an open SMTP
relay on your network.
I remember when forging e-mail was unthinkable.
Now, I get so many forged e-mails that I hardly consider any
subject to be valid unless I know the sender personally–with the
exception of forged e-mails that claim to have come from my own
e-mail account. There’s nothing that can stop people from
manipulating e-mail headers, and they’re generally not verifiable
unless you understand how to read them.
When you receive a letter via postal mail, it
has a postmark. If e-mail followed the same logic, you’d be able to
see where the message originated before you opened it. Encrypted
e-mails are the exception to this rule, but the vast majority of
e-mail travels as clear text.
While e-mail headers show the path the message
took in reverse order, this doesn’t conclusively identify the
e-mail as genuine and sourced from the specified sender. It’s no
surprise that thousands of e-mail plagues continue to eat bandwidth
and infest the Internet.
Every e-mail program that I’ve seen can display
message headers. How you view the headers depends on the program
that you use.
You can toggle some programs, such as Mutt (the
UNIX console e-mail program), to always show e-mail headers. In
Mutt, simply press the [H] key to toggle the display of message
To display e-mail headers in Microsoft Outlook,
right-click a message, choose Options, and scroll through the
Internet Headers section that’s located at the bottom of the
Options dialog box. For Outlook Express, right-click the e-mail,
select Properties, and choose the Details tab. If you use a
different e-mail program, the Help file should provide adequate
Here are the actual headers from a forged
unsolicited commercial e-mail (UCE) that I received in one of my
e-mail accounts. The only thing I’ve altered is my actual e-mail
account to firstname.lastname@example.org:
From email@example.com Mon Jun 7 16:54:12
Received: from trademeca.co.kr (unknown [126.96.36.199])
mail.someplace.com (Postfix) with SMTP id 2304964253A
<firstname.lastname@example.org>; Mon, 7 Jun 2004 16:54:10 -0500
Received: from smtp0422.mail.yahoo.com (188.8.131.52)
(184.108.40.206) with [Nmail V3.1 20010905(S)]
Thu, 3 Jun 2004
Date: Thu, 3 Jun 2004 11:34:52 GMT
From: “Prendawen” email@example.com
Subject: Hey buddie! What’s going on?
The Received: headers tell the real story of
this poor forgery, but you have to examine several of these to
truly understand the details. This particular e-mail is
identifiable because it doesn’t make any sense for a person with an
AOL account to use one of Yahoo’s e-mail servers to relay e-mail
through a server in the .kr top level domain, which is Korea.
Furthermore, a DNS lookup failed to find
smtp0422.mail.yahoo.com, so this IP address doesn’t exist. Even if
it did, the IP address 220.127.116.11 belongs to a network in
Germany, which I discovered by checking the online American
Registry for Internet Numbers (ARIN) database. So don’t waste your
time sending a nasty reply, because chances are that
firstname.lastname@example.org didn’t have anything to do with it.
If it’s so important to view e-mail headers,
why don’t all commercial e-mail programs display them by default?
That’s a very good question, but I don’t have the answer. In
today’s UCE-infested inboxes, companies should automatically
display e-mail headers with the message. Despite the numerous
e-mail filtering tools that are available, it’s impossible to
filter e-mail perfectly–unless you have the in-depth header
Since forgeries are becoming more difficult to
identify, gain experience examining e-mail headers so you can
differentiate the good from the bad. This knowledge will help you
report junk e-mails to ISPs or reporting agencies that track junk
For example, Julian Haight’s SpamCop service
scans e-mail headers and identifies forged e-mail, plus it tells
the ISP where the message originated. SpamCop’s output will, at the
very least, give you a better understanding of how to read e-mail
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.