Email Header
From myhosting.com Knowledge Base
How To Retrieve Message Headers In Various Email Clients
This article will help you understand how to retrieve the message headers from various email clients.
Microsoft Outlook Express 5 and 6
- Click the "File" menu.
- Click "Properties".
- Click the "Details" tab.
- Click "Message Source".
- Highlight, copy and paste everything from this window (Ctrl-A, Ctrl-C).
Microsoft Outlook 2000, 2002/XP and 2003
- Open the message in a separate window (double click).
- Under the View menu select Options.
- Copy the text in the Internet Headers window.
Microsoft Outlook 2007
- Right click on the message while in the Inbox column (it is not necessary to open the message).
- Select “Message Options”.
- A new window will appear containing the email with full headers.
- Place the cursor in the “Internet headers:” box.
- Press command+a to select all, then command+c to copy.
Microsoft Outlook Express for Macintosh
- Select the email.
- From the View menu, choose Source.
- A new window will appear containing the email with full headers.
- Press command+a to select all, then command+c to copy.
Microsoft Entourage 2004 for Mac
- Double click the message to view it in its own window.
- Click "View".
- Click "Internet Headers".
- Copy the entire text in the headers box at the top.
Microsoft Exchange
- Click the "File" menu.
- Click "Properties".
- Click the "Details" tab.
- Click "Message Source".
- Highlight, copy and paste everything from the "Message Source" window (Ctrl-A, Ctrl-C).
Netscape
- Click on the "View" menu.
- Then "Page Source" (Ctrl-U in Windows, Meta-U in Unix, Command-U on the Mac).
- Then copy the contents of the window (Ctrl-A, Ctrl-C in Windows).
Eudora
- Open the email by double clicking on the subject line.
- Click the 'blah blah blah' button to reveal the headers.
- Place your cursor anywhere in the body of the email and select the entire message (Edit/Select All or Ctrl-A).
- Copy the entire email (right click and click Copy, OR Ctrl/C, OR Edit/Copy).
How to Read Email Headers
This article will attempt to help you understand the headers of any forged email. It may also be useful to readers interested in a general-purpose introduction to mail transfer on the Internet. Note: the domain names and associated IP addresses used in the examples are fictitious.
Simple email header
Received: from mail.test.com (mail.test.com [123.456.78.90]) by mailhost.domainname.com (8.8.5/8.7.2) with ESMTP id LAA20869 for <abc@domainame.com>; Wed, 4 Dec 2002 14:39:24 -0800 (PST)
Received: from alpha.test.com (alpha.test.com [123.456.78.90]) by mail.myhosting.com (8.8.5) id 004A21; Wed, Dec 4 2002 14:36:17 -0800 (PST)
From: 123@test.com (Robin. Hood)
To: abc@domainname.com
Date: Wed, Dec 4 2002 14:36:14 EST
Message-Id: <rth031897143614-00000298@mail.test.com>
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I)
Subject: Lunch today?
This header is the one that "abc" sees on the email when he downloads and reads his mail.
Here is a line-by-line analysis of these headers and exactly what each one means.
Received: from mail.test.com
This piece of mail was received from a machine calling itself mail.test.com...
(mail.test.com [123.456.78.90])
...which is really named mail.test.com and has the IP address 123.456.78.90.
by mailhost.domainname.com (8.8.5/8.7.2)
The machine that did the receiving was mailhost.domainname.com; it is running a mail program called sendmail, version 8.8.5/8.7.2.
with ESMTP id LAA20869
The receiving machine assigned the ID number LAA20869 to the message. (This is used internally by the machine.)
for <abc@domainame.com>;
The message was addressed to abc@domainame.com. Note that this header is not related to the To: line.
Wed, 4 Dec 2002 14:39:24 -0800 (EST)
This mail transfer happened on Wednesday, December 4th, 2002, at 14:39:24 Eastern Standard Time (which is 5 hours behind Greenwich Mean Time; hence the "-0500").
Received: from alpha.test.com (alpha.test.com [123.456.78.90]) by mail.test.com (8.8.5) id 004A21; Wed, Dec 4 2002 14:36:17 -0800 (EST)
This line documents the mail handoff from alpha.test.com (123's workstation) to mail.test.com; this handoff happened at 14:36:17 Eastern Standard Time. The sending machine called itself alpha.test.com; it really is called alpha.test.com, and its IP address is 123.456.78.90. Test's mail server is running sendmail version 8.8.5, and it assigned the ID number 004A21 to this letter for internal processing.
From: 123@test.com (Robin. Hood)
The email was sent by 123@test.com, who gives his real name as Robin Hood.
To: abc@domainname.com
The email is addressed to abc@domainname.com.
Date: Wed, Dec 4 2002 14:36:14 EST
The message was composed at 14:36:14 Eastern Standard Time on Wednesday, December 4, 2002.
Message-Id: <rth031897143614-00000298@mail.test.com>
The message has been given this number (by mail.test.com) to identify it. This ID is different from the SMTP and ESMTP ID numbers in the Received: headers because it is attached to this message for life; the other IDs are only associated with specific mail transactions at specific machines, so that one machine's ID number means nothing to another machine. Sometimes the Message-ID has the sender's email address embedded in it; more often it has no intelligible meaning of its own.
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I)
The message was sent using a program called Mozilla 4.73 [en] (Windows NT 5.0; I).
Subject: Lunch today?
Self-explanatory.
Unusual Scenarios
Firewall
Scenario: domainname.com and test.com each have a firewall in place. In addition, domainname.com maintains machines in many physical locations, with several separate mail servers, and uses a single machine to decide which server incoming mail should be routed to.
This is the resulting header:
Received: from mailgate.domainname.com (mailgate.domainname.com [121.214.11.102]) by mailhost3.domainname.com (8.8.5/8.7.2) with ESMTP id LAA30141 for <abc@domainname.com>; Wed, 4 Dec 2002 14:41:08 -0500 (EST)
Received: from firewall.domainname.com (firewall.domainname.com [121.214.13.129]) by mailgate.domainname.com (8.8.5/8.7.2) with ESMTP id LAA20869 for <abc@domainname.com>; Wed, 4 Dec 2002 14:40:11 -0500 (EST)
Received: from firewall.test.com (firewall.test.com [123.456.78.92]) by firewall.domainname.com (8.8.3/8.7.1) with ESMTP id LAA28874 for <abc@domainname.com>; Wed, 4 Dec 2002 14:39:34 -0500 (EST)
Received: from mail.test.com (mail.test.com [123.456.78.91]) by firewall.test.com (8.8.5) with ESMTP id LAA61271; Wed, 04 Dec 2002 14:39:08 -0500 (EST)
Received: from alpha.test.com (alpha.test.com [123.456.78.90]) by mail.test.com (8.8.5) id 004A21; Wed, Dec 4 2002 14:36:17 -0500 (EST)
From: 123@test.com (Robin. Hood)
To: abc@domainname.com
Date: Wed, Dec 4 2002 14:36:14 EST
Message-Id: <rth031897143614-00000298@mail.test.com>
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I)
Subject: Lunch today?
The history of the message can be reconstructed by reading the Received: headers from bottom to top; it went from alpha.test.com, to mail.test.com, to firewall.test.com, to firewall.domainname.com, to mailgate.domainname.com, to mailhost3.domainname.com, where it waits for abc to come along and read it.
Relaying
Received: from unwilling.intermediary.com (unwilling.intermediary.com [98.134.11.32]) by mail.test.com (8.8.5) id 004B32 for <123@test.com>; Wed, Dec 4 2002 16:39:50 -0500 (EST)
Received: from anydomain.com ([104.128.23.115]) by unwilling.intermediary.com (8.6.5/8.5.8) with SMTP id LAA12741; Wed, Jul 30 1997 19:36:28 -0500 (EST)
From: Anonymous Spammer <junkmail@anydomain.com>
To: (recipient list suppressed)
Message-Id: <w45qxz23-34ls5@unwilling.intermediary.com>
X-Mailer: Massive Annoyance
Subject: WANT TO MAKE ALOT OF MONEY???
A variety of things in this header might clue the reader in to the fact that this is a piece of electronic junk mail, but the thing to focus on here is the Received: lines. This message originated at anydomain.com, was passed from there to unwilling.intermediary.com, and from there to its final destination at mail.test.com. All well and good; but how did unwilling.intermediary.com become involved, since it has nothing to do with either the sender or the recipient?
Understanding this requires some knowledge of SMTP. In essence, anydomain.com simply connected to the SMTP port at unwilling.intermediary.com and told it "Send this message to 123@test.com". It did this, probably in the most direct manner imaginable, by saying RCPT TO: 123@test.com. At that point, unwilling.intermediary.com took over processing the message; since it had been told to send it to a user at some other domain (test.com), it went out and found the mail server for that domain and handed off its mail in the usual manner. This process is known as mail relaying.
The essential point here is to realize that the content of the message was formulated at the sending point--anydomain.com in the example above; the intermediate link, unwilling.intermediary.com, is involved only as an unwilling intermediary.
NOTE: In the sample header, the Message-Id: line was filled in, not by the sending machine (anydomain.com), but by the relayer (unwilling.intermediary.com). This is a common feature of relayed mail; it just reflects the fact that the sending machine didn't supply a Message-Id. The relay feature has been disabled on the mail server at myhosting.com.
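
The bottom-to-top reading of the Received: lines and the relaying case described above can be automated. The following Python sketch is an added example, not part of the original article: it rebuilds the hop chain from the "Relaying" sample header and reports hops where the sending machine's claimed name was not confirmed by the receiver, and receivers that belong to neither the sender's nor the recipient's domain. The function names and the "last two labels" domain rule are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Copied from the "Relaying" sample header on this page (fictitious hosts).
RELAYED = """\
Received: from unwilling.intermediary.com (unwilling.intermediary.com [98.134.11.32]) by mail.test.com (8.8.5) id 004B32 for <123@test.com>; Wed, Dec 4 2002 16:39:50 -0500 (EST)
Received: from anydomain.com ([104.128.23.115]) by unwilling.intermediary.com (8.6.5/8.5.8) with SMTP id LAA12741; Wed, Jul 30 1997 19:36:28 -0500 (EST)
From: Anonymous Spammer <junkmail@anydomain.com>
To: (recipient list suppressed)
Message-Id: <w45qxz23-34ls5@unwilling.intermediary.com>
Subject: WANT TO MAKE ALOT OF MONEY???
"""

# "from <claimed name> (<name found by receiver, optional> [<ip>]) by <receiver>"
HOP = re.compile(r"from (\S+) \((?:(\S+) )?\[([^\]]+)\]\) by (\S+)")

def domain(host):
    """Naive organisational domain: last two labels (assumption, no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def trace(raw):
    """Return (message, hops) with hops oldest-first, i.e. Received: read bottom to top."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(dict(zip(("claimed", "verified", "ip", "by"), m.groups())))
    return msg, hops

def findings(raw):
    """List the oddities a reader of these headers would look for."""
    msg, hops = trace(raw)
    if not hops:
        return []
    # From: is written by the sender, so treat this domain as a claim only.
    sender = domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    recipient = domain(hops[-1]["by"])  # the last receiver holds the mailbox
    notes = []
    for h in hops:
        if h["verified"] != h["claimed"]:
            seen = h["verified"] or "no name"
            notes.append(f"{h['ip']} called itself {h['claimed']}; receiver recorded {seen}")
    for h in hops[:-1]:
        if domain(h["by"]) not in (sender, recipient):
            notes.append(f"{h['by']} relayed mail for neither {sender} nor {recipient}")
    return notes

if __name__ == "__main__":
    print("\n".join(findings(RELAYED)))
```

Run against the firewall sample header earlier on this page, the same functions return five hops and no findings, because every receiving machine belongs to test.com or domainname.com.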

