
Email Header

Reference Number: AA-00237 Created: 2012-09-19 12:59 Last Updated: 2012-10-02 07:08

This article will help you read and understand an email header, including the header of a forged email. It may also be useful to readers who want a general-purpose introduction to mail transfer on the Internet. Note: the domain names and their associated IP addresses are fictitious.

Simple email header

Received: from ( [123.456.78.90]) by (8.8.5/8.7.2) with ESMTP id LAA20869 for <>; Wed, 4 Dec 2002 14:39:24 -0800 (PST)
Received: from ( [123.456.78.90]) by (8.8.5) id 004A21; Wed, Dec 4 2002 14:36:17 -0800 (PST)
From: (Robin. Hood)
Date: Wed, Dec 4 2002 14:36:14 EST
Message-Id: <>
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I)
Subject: Lunch today?

This header is the one that "abc" sees on the email when he downloads and reads his mail.

Here is a line-by-line analysis of these headers and exactly what each one means.

Received: from

This piece of mail was received from a machine calling itself

( [123.456.78.90])

...which is really named and has the IP address 123.456.78.90.

by (8.8.5/8.7.2)

The machine that did the receiving was; it is running a mail program called sendmail, version 8.8.5/8.7.2.

with ESMTP id LAA20869

The receiving machine assigned the ID number LAA20869 to the message. (This ID is used internally by that machine.)

for <>;

This gives the recipient the message was addressed to. Note that this header is not related to the To: line.

Wed, 4 Dec 2002 14:39:24 -0800 (EST)

This mail transfer happened on Wednesday, December 4th, 2002, at 14:39:24 Eastern Standard Time (which is 5 hours behind Greenwich Mean Time; hence the "-0500").

Received: from ( [123.456.78.90]) by (8.8.5) id 004A21; Wed, Dec 4 2002 14:36:17 -0800 (EST)

This line documents the mail handoff from (123's workstation) to; this handoff happened at 14:36:17 Eastern Standard Time. The sending machine called itself; it really is called, and its IP address is 123.456.78.90. Test's mail server is running sendmail version 8.8.5, and it assigned the ID number 004A21 to this message for internal processing.

From: (Robin. Hood)

The email was sent by, who gives his real name as Robin Hood.

To:
The email is addressed to

Date: Wed, Dec 4 2002 14:36:14 EST

The message was composed at 14:36:14 Eastern Standard Time on Wednesday, December 4, 2002.

Message-Id: <>

The message has been given this number to identify it. This ID is different from the SMTP and ESMTP ID numbers in the Received: headers because it is attached to this message for life; the other IDs are only associated with specific mail transactions at specific machines, so one machine's ID number means nothing to another machine. Sometimes the Message-ID has the sender's email address embedded in it; more often it has no intelligible meaning of its own.

X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I)

The message was sent using a program called Mozilla 4.73 [en] (Windows NT 5.0; I).

Subject: Lunch today?


Unusual Scenarios


Scenario: both the sending and the receiving domain have a firewall in place, and the receiving domain maintains machines in many physical locations, with several separate mail servers, using a single machine to decide to which server incoming mail should be routed.

The header then looks like this:

Received: from ( []) by (8.8.5/8.7.2) with ESMTP id LAA30141 for <>; Wed, 4 Dec 2002 14:41:08 -0500 (EST)
Received: from ( []) by (8.8.5/8.7.2) with ESMTP id LAA20869 for <>; Wed, 4 Dec 2002 14:40:11 -0500 (EST)
Received: from ( [123.456.78.92]) by (8.8.3/8.7.1) with ESMTP id LAA28874 for <>; Wed, 4 Dec 2002 14:39:34 -0500 (EST)
Received: from ( [123.456.78.91]) by (8.8.5) with ESMTP id LAA61271; Wed, 04 Dec 2002 14:39:08 -0500 (EST)
Received: from ( [123.456.78.90]) by (8.8.5) id 004A21; Wed, Dec 4 2002 14:36:17 -0500 (EST)
From: (Robin. Hood)
Date: Wed, Dec 4 2002 14:36:14 EST
Message-Id: <>
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I)
Subject: Lunch today?

The history of the message can be reconstructed by reading the Received: headers from bottom to top: each line records one handoff to the next machine, from the sender's workstation through each intermediate server to the final mail server, where it waits for abc to come along and read it.


Received: from ( []) by (8.8.5) id 004B32 for <>; Wed, Dec 4 2002 16:39:50 -0500 (EST)
Received: from ([]) by (8.6.5/8.5.8) with SMTP id LAA12741; Wed, Jul 30 1997 19:36:28 -0500 (EST)
From: Anonymous Spammer <>
To: (recipient list suppressed)
Message-Id: <>
X-Mailer: Massive Annoyance

A variety of things in this header might clue the reader in to the fact that this is a piece of electronic junk mail, but the thing to focus on here is the Received: lines. This message originated at the sender's machine, was passed from there to an intermediate host, and from there to its final destination. All well and good; but how did that intermediate host come to be involved, since it has nothing to do with either the sender or the recipient?

Understanding this requires some knowledge of SMTP. In essence, the sending machine simply connected to the SMTP port of the intermediate host and told it "Send this message to" the recipient. It did this, probably in the most direct manner imaginable, with an SMTP RCPT TO: command naming the recipient. At that point the intermediate host took over processing the message; since it had been told to send it to a user at some other domain, it went out and found the mail server for that domain and handed off the mail in the usual manner. This process is known as mail relaying.

The essential point here is to realize that the content of the message was formulated at the sending machine in the example above; the intermediate link is involved only as an unwilling intermediary.

NOTE: In the sample header, the Message-Id: line was filled in not by the sending machine but by the relayer. This is a common feature of relayed mail; it just reflects the fact that the sending machine didn't supply a Message-Id. The relay feature on that mail server was disabled.
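As an added example (not part of the original article), the following Python walks a message's Received: headers from bottom to top, rebuilds the hop path, and flags the two things the article tells you to look for: a machine that calls itself one name while its reverse DNS says it is really another, and a handoff through a host belonging to neither the sender's nor the recipient's domain (relaying). Every hostname, address and the sample header are constructed, and the regular expression covers only the sendmail-style Received: shape shown in this article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Shape of the Received: lines this article walks through; the HELO name and the "for <rcpt>"
# clause are optional, as in the relayed spam example:
#   from <helo> (<rdns> [<ip>]) by <host> (<software>) with <proto> id <id> for <rcpt>; <date>
RECEIVED_RE = re.compile(
    r"from\s+(?:(?P<helo>[^\s(]+)\s+)?\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>[^\s(;]+)(?:\s+\((?P<software>[^)]*)\))?"
    r"(?:\s+with\s+(?P<proto>\S+))?(?:\s+id\s+(?P<id>[^\s;]+))?"
    r"(?:\s+for\s+<(?P<rcpt>[^>]*)>)?\s*;\s*(?P<date>.+)$"
)

def parse_received(value):
    """Fields of one Received: header (continuation lines unfolded), or None if it does not fit."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None

def domain_of(host):  # rough registered domain: the last two labels, lower-cased
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def trace(raw):
    """Read Received: headers bottom-to-top (oldest first); return the hop path and the warnings."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, reversed(msg.get_all("Received", []))) if h]
    sender_dom = domain_of(parseaddr(msg["From"])[1].split("@")[-1])
    rcpt_dom = domain_of(hops[-1]["rcpt"].split("@")[-1]) if hops and hops[-1]["rcpt"] else None
    path, findings = [h["rdns"] or h["ip"] for h in hops[:1]], []  # path starts at the origin
    for h in hops:
        path.append(h["by"])
        # A machine "calling itself" one name while reverse DNS says it is really another.
        if h["helo"] and h["rdns"] and h["helo"].lower() != h["rdns"].lower():
            findings.append(f"{h['by']}: peer announced itself as {h['helo']} but is {h['rdns']} [{h['ip']}]")
        # A handoff through a host belonging to neither sender nor recipient: mail relaying.
        if domain_of(h["by"]) not in (sender_dom, rcpt_dom):
            findings.append(f"{h['by']}: third-party relay between {sender_dom} and {rcpt_dom}")
    return path, findings

# Constructed sample modelled on the article's relayed-spam header; every name here is fictitious.
SAMPLE = """\
Received: from relay.example.com (relay.example.com [192.0.2.20]) by mail.example.net (8.8.5)
\tid 004B32 for <abc@example.net>; Wed, 4 Dec 2002 16:39:50 -0500 (EST)
Received: from mail.example.net (dialup-17.spammer.example [198.51.100.7]) by relay.example.com
\t(8.6.5/8.5.8) with SMTP id LAA12741; Wed, 4 Dec 2002 16:36:28 -0500 (EST)
From: Anonymous Spammer <nobody@spammer.example>
Message-Id: <20021204213628.LAA12741@relay.example.com>
"""

if __name__ == "__main__":
    print(*trace(SAMPLE), sep="\n")  # hop path, then the list of warnings
```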
