
Examine e-mail headers to determine their real origin

Tags: Jonathan Yarden, e-mail, e-mail header, Internet Security Focus Newsletter


Takeaway: E-mail forgeries are becoming more difficult to identify, but learning how to examine e-mail headers can help you separate the good from the bad. In this edition of Internet Security Focus, Jonathan Yarden tells you how.

In previous columns, I've mentioned that it's possible to identify forged e-mail by reading the e-mail headers. This generated a lot of feedback, mostly from readers wanting to know how to do it.

E-mail headers, as a topic for Internet security, aren't as exciting as an exploit or the latest Internet worm. But learning how to quickly determine the authenticity of e-mail is important—especially if someone is abusing an open SMTP relay on your network.

I remember when forging e-mail was unthinkable. Now, I get so many forged e-mails that I hardly consider any subject to be valid unless I know the sender personally—with the exception of forged e-mails that claim to have come from my own e-mail account. There's nothing that can stop people from manipulating e-mail headers, and they're generally not verifiable unless you understand how to read them.

When you receive a letter via postal mail, it has a postmark. If e-mail followed the same logic, you'd be able to see where the message originated before you opened it. Encrypted e-mails are the exception to this rule, but the vast majority of e-mail travels as clear text.

While e-mail headers show the path the message took in reverse order, this doesn't conclusively identify the e-mail as genuine and sourced from the specified sender. It's no surprise that thousands of e-mail plagues continue to eat bandwidth and infest the Internet.

Every e-mail program that I've seen can display message headers. How you view the headers depends on the program that you use.

You can toggle some programs, such as Mutt (the UNIX console e-mail program), to always show e-mail headers. In Mutt, simply press the [H] key to toggle the display of message headers.

To display e-mail headers in Microsoft Outlook, right-click a message, choose Options, and scroll through the Internet Headers section that's located at the bottom of the Options dialog box. For Outlook Express, right-click the e-mail, select Properties, and choose the Details tab. If you use a different e-mail program, the Help file should provide adequate instructions.

Here are the actual headers from a forged unsolicited commercial e-mail (UCE) that I received in one of my e-mail accounts. The only thing I've altered is my actual e-mail account to somebody@someplace.com:

From collegebabe@aol.com  Mon Mar 27 16:54:12 2006
Return-Path: collegebabe@aol.com
Received: from trademeca.co.kr (unknown [211.219.20.86])
        by mail.someplace.com (Postfix) with SMTP id 2304964253A
        for ; Mon, 27 Mar 2006 16:54:10 -0500 (EST)
Received: from smtp0422.mail.yahoo.com (80.237.200.67)
        by trademeca.co.kr (211.219.20.86) with [Nmail V3.1 20010905(S)]
        for  from ;
        Thu, 23 Mar 2006 15:55:00 +0900
Date: Thu, 23 Mar 2006 11:34:52 GMT
From: "Prendawen" collegebabe@aol.com
Subject: Hey buddie! What's going on?

The Received: headers tell the real story of this poor forgery, but you have to examine several of these to truly understand the details. This particular e-mail is identifiable because it doesn't make any sense for a person with an AOL account to use one of Yahoo's e-mail servers to relay e-mail through a server in the .kr top-level domain, which is Korea.

Furthermore, a DNS lookup failed to find smtp0422.mail.yahoo.com, so the host named in that header doesn't exist. Even if it did, the IP address 80.237.200.67 belongs to a network in Germany, which I discovered by checking the online American Registry for Internet Numbers (ARIN) database. So don't waste your time sending a nasty reply, because chances are that collegebabe@aol.com didn't have anything to do with it.
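To make the reading order and the checks above concrete, here is an added example (not the column's own code) that parses the Received: lines quoted above with Python's standard email module, lists the hops oldest-first, and flags the inconsistencies the column points out, plus two it does not spell out: which hop was stamped by your own server and a four-day jump between hop timestamps. Treating mail.someplace.com as the reader's own server is an assumption.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers quoted above (the mbox "From " line is not a header; recipients were stripped).
RAW_HEADERS = """\
Received: from trademeca.co.kr (unknown [211.219.20.86])
        by mail.someplace.com (Postfix) with SMTP id 2304964253A
        for ; Mon, 27 Mar 2006 16:54:10 -0500 (EST)
Received: from smtp0422.mail.yahoo.com (80.237.200.67)
        by trademeca.co.kr (211.219.20.86) with [Nmail V3.1 20010905(S)]
        for  from ;
        Thu, 23 Mar 2006 15:55:00 +0900
From: "Prendawen" collegebabe@aol.com
"""
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_received(raw):
    """Received: hops in delivery order (oldest first). 'claimed' is the name the
    sender announced in HELO; 'observed' is what the receiving server saw itself."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)\s+\(([^)]*)\)", flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        observed = m_from.group(2) if m_from else ""
        ip = IP_RE.search(observed)
        hops.append({"claimed": m_from.group(1) if m_from else None,
                     "observed": observed, "ip": ip.group(0) if ip else None,
                     "by": m_by.group(1) if m_by else None,
                     "time": parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())})
    return hops[::-1]  # the top-most Received: line is the last hop

def analyze(raw, own_server):
    """Findings a header reader would note. Only the hop stamped by own_server is
    trustworthy; every line beneath it could have been typed by the sender."""
    hops, findings = parse_received(raw), []
    from_domain = re.search(r"@([\w.-]+)", message_from_string(raw)["From"]).group(1)
    if not hops[0]["claimed"].endswith(from_domain):
        findings.append(f"first hop claims {hops[0]['claimed']} but From: is @{from_domain}")
    for i, hop in enumerate(hops):
        tag = f"hop {i + 1} ({hop['claimed']} -> {hop['by']})"
        if hop["by"] != own_server:
            findings.append(f"{tag}: stamped by a server you don't control, unverifiable")
        if hop["observed"].startswith("unknown"):
            findings.append(f"{tag}: {hop['ip']} has no reverse DNS, claimed name unverified")
        if i and (hop["time"] - hops[i - 1]["time"]).days >= 1:
            findings.append(f"{tag}: {(hop['time'] - hops[i - 1]['time']).days}-day gap since previous hop")
    return findings
```

The From-domain check is the column's own heuristic and will also flag legitimate mail sent through a third-party relay, so treat the findings as leads for further lookups rather than verdicts.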

If it's so important to view e-mail headers, why don't all commercial e-mail programs display them by default? That's a good question, but I don't have the answer. In today's UCE-infested inboxes, companies should automatically display e-mail headers with the message. Despite the numerous e-mail filtering tools that are available, it's impossible to filter e-mail perfectly—unless you have the in-depth header information.

Since forgeries are becoming more difficult to identify, gain experience examining e-mail headers so you can differentiate the good from the bad. This knowledge will help you report junk e-mails to ISPs or reporting agencies that track junk e-mailers.

For example, Julian Haight's SpamCop service scans e-mail headers and identifies forged e-mail, plus it tells the ISP where the message originated. SpamCop's output will, at the very least, give you a better understanding of how to read e-mail headers.


Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.


