Email & News Full Headers
So you've gotten a response back from our Abuse department asking for the full headers?
What are the full headers? Every email and newsgroup message on the Internet has headers. Headers are the part of the message that specifies who the message was from, who it was addressed to, the subject of the message and the date it was sent. Those are the basic headers that most email programs will automatically show, but all messages have a lot of other headers as well. They include information such as all the servers that the message passed through on its way to you and more detailed information on who sent it; sometimes they even include which mail program the sender used! Since it's unnecessary for most users to see all this extra information, your mail or news program will hide it for you, but that doesn't mean it is not there!
A lot of times you will see the basic headers that might look like this:
From: Some Spammer <spammer@spam.com>
To: youraddress@ RV ISP.com
Subject: [±¤°í]ÀÚµ¿Â÷º¸Çè ÇѰ÷¿¡¼¸ðµçº¸Çè»çÀǺ¸Çè·á¸¦È®ÀÎÇϼ¼¿ä
or, you might see something like this:
From: Some Spammer <spammer@spam.com>
Date: 24 Jan 2002 15:25:55 +0900
To: someoneelse@somewhereelse.com
Subject: [±¤°í]ÀÚµ¿Â÷º¸Çè ÇѰ÷¿¡¼¸ðµçº¸Çè»çÀǺ¸Çè·á¸¦È®ÀÎÇϼ¼¿ä
Reply-to: spammer@spam.com
X-[anything]: 123123
Keep in mind that the headers you see can and probably will look a little different!
This basic header information is very easy to forge or load with bogus information, which makes it unreliable for investigating abuse complaints. Forging "all of the headers" is generally much more difficult. The full headers contain much more information that most mail readers will hide from you because most people consider them to be clutter. A full message header can look something like this - the parts that are most important to our Abuse Department are in bold:
Return-Path: <spammer@spam.com>
Delivered-To: youraddress@ RV ISP.net
Received: (qmail 15614 invoked from network); 24 Jan 2002 07:07:23 -0000
Received: from unknown (HELO 3w-smtp-ab.korea.com) (211.109.1.152) by smtp2.mx.pitdc1. RV ISP.net with SMTP; 24 Jan 2002 07:07:23 -0000
Received: from 3w-smtp-aj.korea.com ([172.31.1.69]) by 3w-smtp-ab.korea.com with Microsoft SMTPSVC(5.0.2195.3651); Thu, 24 Jan 2002 16:05:37 +0900
Received: from 3W-POP3-AB.korea.com ([211.109.1.12]) by 3w-smtp-aj.korea.com with Microsoft SMTPSVC(5.0.2195.3651); Thu, 24 Jan 2002 15:25:55 +0900
Received: from korea.com ([211.243.99.28]) by 211.109.1.12 with Trend Micro InterScan Messaging Security Suite for SMTP v5; Thu, 24 Jan 2002 14:41:38 +0900
From: Some Spammer <spammer@spam.com>
To: youraddress@ RV ISP.net
Content-Type: text/plain; charset=euc-kr
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Subject: [±¤°í]ÀÚµ¿Â÷º¸Çè ÇѰ÷¿¡¼¸ðµçº¸Çè»çÀǺ¸Çè·á¸¦È®ÀÎÇϼ¼¿ä
Return-Path: spammer@spam.com
Message-ID: <3W-SMTP-AJzhDrFKKQL0000c5cf@3w-smtp-aj.spam.com>
X-OriginalArrivalTime: 24 Jan 2002 06:25:55.0434 (UTC) FILETIME=[FA9B94A0:01C1A49F]
Date: 24 Jan 2002 15:25:55 +0900
Now you can see why most mail readers hide many of the headers from you! These additional headers are necessary for our Abuse Department to figure out who sent a specific message and where it came from. Without them, it is impossible for us to track down the spammer.
Usenet news message headers are somewhat different from mail headers, but they also contain important information that our Abuse department needs to track down the source of a message. News headers typically look like this (the information important to our Abuse department is in bold):
Path: sn-us!sn-xit-04!supernews.com!ntli.net!news.server.com.POSTED!not-for-mail
From: "Make Money <someone@somewhere.com>
Newsgroups: alt.some.newsgroup
Subject: DO YOU WANT TO MAKE MORE $$$$MONEY$$$$
Lines: 30
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <wXK%7.19537$1s6.2834297@news.server.com>
Date: Fri, 11 Jan 2002 23:50:50 -0000
NNTP-Posting-Host: machine.server.com
X-Complaints-To: abuse@server.com
X-Trace: news.server.com 1010793308 213.104.90.250 (Fri, 11 Jan 2002 23:55:08 GMT)
NNTP-Posting-Date: Fri, 11 Jan 2002 23:55:08 GMT
Organization: News Service
Xref: sn-us alt.some.newsgroup:103998
How do I know if I'm seeing the full headers?
This is easy: if you are looking at an email message and you don't see any Received: lines, you are not seeing everything. There are no known exceptions to this. Our mail system puts a Received: line on every email that comes in, so every message is guaranteed to have at least one valid, usable piece of header information. If you are looking at a news post and you do not see a Path: line or an NNTP-Posting-Host: line, you are not seeing everything.
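The check described above can be automated before a report is forwarded. The following is an added example, not code from this page or from the ISP: it applies the Received: / Path: / NNTP-Posting-Host: rule to a pasted message and lists the relay recorded on each Received: line. The sample messages are constructed from the headers shown on this page, `example.net` is a placeholder host name, and the function names are hypothetical.

```python
import email
import re

# Constructed samples modelled on this page's headers; example.net is a placeholder ISP.
FULL_MAIL = (
    "Return-Path: <spammer@spam.com>\n"
    "Received: (qmail 15614 invoked from network); 24 Jan 2002 07:07:23 -0000\n"
    "Received: from unknown (HELO 3w-smtp-ab.korea.com) (211.109.1.152)\n"
    " by smtp2.mx.example.net with SMTP; 24 Jan 2002 07:07:23 -0000\n"
    "Received: from korea.com ([211.243.99.28]) by 211.109.1.12\n"
    " with Trend Micro InterScan; Thu, 24 Jan 2002 14:41:38 +0900\n"
    "From: Some Spammer <spammer@spam.com>\n"
    "Subject: sample\n\nbody\n"
)
BASIC_MAIL = "From: Some Spammer <spammer@spam.com>\nTo: you@example.net\nSubject: sample\n\nbody\n"
NEWS_POST = (
    "Path: sn-us!news.server.com.POSTED!not-for-mail\n"
    "Newsgroups: alt.some.newsgroup\n"
    "NNTP-Posting-Host: machine.server.com\n\nbody\n"
)

# An IPv4 address recorded by a relay, written as (1.2.3.4) or [1.2.3.4].
RELAY_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
BY_HOST = re.compile(r"\bby (\S+)")

def classify(raw):
    """Apply the page's rule: Received: marks full mail headers,
    Path: or NNTP-Posting-Host: marks full news headers."""
    msg = email.message_from_string(raw)
    if msg.get_all("Received"):
        return "mail-full"
    if msg.get("Path") or msg.get("NNTP-Posting-Host"):
        return "news-full"
    return "incomplete"

def received_hops(raw):
    """Return (connecting_ip, recording_host) per Received: line, newest first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        ip, by = RELAY_IP.search(flat), BY_HOST.search(flat)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops

if __name__ == "__main__":
    for name, raw in [("full", FULL_MAIL), ("basic", BASIC_MAIL), ("news", NEWS_POST)]:
        print(name, classify(raw), received_hops(raw))
```

Received: lines are listed newest first, so the entry written by the receiving mail system is at or near the top; that is the line the page describes as guaranteed valid.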
Since most mail and news clients will hide the full headers from you, you will need to know how to find the full headers:
How do I view the full headers?
This depends on the software you are using. Here are some quick instructions for some of the most popular mail and news programs:
| Program | OS | Instructions |
| --- | --- | --- |
| Outlook Express 4, 5, & 6 | Windows | This must be done for each email or news message: While viewing the message, click the File menu, then click Properties. On the Details tab, right click and choose Select All (this should highlight all the text). Then right click again and choose Copy. You must then paste the headers into the forwarded message (click the Edit menu, then choose Paste). |
| Outlook Express 4.5 & 5 | Macintosh | This must be done for each email or news message: While viewing the message, click the View menu, then click Source. Highlight the headers of the message, then copy them (either control click and choose Copy, or use the keyboard shortcut CMD+C). You must then paste the headers into the forwarded message (click the Edit menu, then choose Paste). |
| AOL | Windows & Macintosh | While viewing the email message, click the File menu and select Save as... Select the Desktop as the Save in folder and provide a name in the file name box (such as spam). If possible, select the type as html. If your browser does not show html type, select All Files and add .asp to the file name (such as spam.asp). Click Save. You can now report this spam message by attaching the html file to the abuse report. |
| Eudora | Windows & Macintosh | Open the spam and click the BLAH BLAH BLAH button in the upper left hand corner of the message. |
| Netscape Mail & News | Windows, Macintosh & Linux | Click the Options menu, choose Show Headers, then select All. (Note: Some older versions of Netscape may not be able to show the complete headers.) |
| Pine 3.9x | DOS & UNIX | Load Pine. Select option "M" to go to the main menu. Select option "S" to go to the setup options, then select option "C" to change your configuration. Scroll through the options until you find "enable-full-headers-cmd" and enable it. Now when you read a message, use the option "H" to view the full headers, and option "H" again to hide them. You must be viewing the full headers when you forward the message for them to be included. |
| Forté Agent | Windows | Press CTRL-R to display in RAW mode. Use CTRL-A to highlight all of the message and headers, then CTRL-C to copy it. You must then paste the headers into the forwarded message (click the Edit menu and choose Paste). Press CTRL-R again to hide the headers. |
| Mac OSX Mail | Macintosh | Click the Mail menu and click Preferences. Then click Viewing and change Show header detail to All. |
| Microsoft Outlook 98 & 2000 | Windows | Double click the message to open it in a new window. Go to the View menu and choose Options. Copy the text in the Internet Headers window by right clicking and choosing Select All, then right clicking again and choosing Copy. Then paste the headers when you forward the message (click the Edit menu and choose Paste). |
Once you retrieve the full headers from the Spam message, you will want to forward the original message along with the full headers to spam@ RV ISP.net