Email messages, as in the case of their non-electronic cousins, have “envelopes” of a sort. In the case of email the envelope is composed of a series of “Headers”. These are just a series of lines of characters which precede the actual email message. Email programs such as Outlook do not normally display these Headers when displaying a message. From these Headers however, the email program is able to extract important information about the message, such as the message encoding method, the creation date, the message subject, the sender and receiver, etc.
Moreover, just as a postal envelope contains an address, a return address and the cancellation stamp of the post office of origin, an email message in these “Headers” carries with it a history of its journey to your email inbox. Because of this, it’s possible to determine the original IP address of the sender.
Since email programs do not normally display these Headers, we must first learn how to display them. Depending on the program, this is done in a variety of ways. The following sequence details the way to do this using the Windows default email program, “Outlook Express”.
First, select “Properties” from the “File” Menu, or just press ALT+Enter. Next, select the “Details” tab.
Open Outlook Express menu to see email headers
Headers in Outlook Express
Here’s how to view the Headers in the Microsoft Office version of Outlook:
1. Open a message.
2. On the View menu, click Options.
   Note: If you do not see the Options command, make sure you click View on the toolbar in an open message window. The View menu on the standard Outlook toolbar does not have the Options command.
3. The Header information appears under the Delivery options in the Internet Headers box.
Headers in MS Office
See how to show email headers in Yahoo, HotMail, Gmail, and AOL web mail.
As you can see in these pictures, a Header consists of two sections separated by a colon “:”. The first part is the Header’s name. The second is the Header’s data. In the case of postal mail, in principle, it is possible to write any kind of information (c/o, suite or apartment number, etc.) into the address information. Similarly, email Headers can include any kind of information. Usually, however, an email Header will contain at least the following basic Header information:
Header Name    Header Data                                            Sample
To:            The name and email address of the recipient            To: “John Doe”
From:          The name and email address of the sender               From: “Alice Smith”
Date:          Date the message was created                           Date: 1 Nov 2004 22:49:20 -0000
Subject:       The subject of the message which follows the Headers   Subject: How are you?
Return-Path:   The email address for responding to the message        Return-Path:
Received:      Delivery stamp                                         Received: from [220.127.116.11]
                                                                      by web41013.mail.yahoo.com via HTTP; Sun, 25 Apr 2004 23:13:34 PDT
In some cases, a number of these Headers may not be necessary.
To determine the address of origin, special attention must be paid to the ‘Received:’ Headers. These Headers are selected on our screenshot illustration. ‘Received’ Headers have the following format:

    Received: from [computer name and/or IP address from sender]
      by [server name] (maybe Internet protocol too); date.

For example:

    Received: from [18.104.22.168]
      by web41013.mail.yahoo.com via HTTP; Sun, 25 Apr 2004 23:13:34 PDT
Briefly this means that the server web41013.mail.yahoo.com received the message from the IP address 22.214.171.124 on the 25th of April 2004, at 11:13:34 pm PDT via the HTTP protocol (i.e. through the web).
So, as we have observed, it is from the ‘Received’ Header that we retrieve the IP address or domain name. Using this IP address, Active Whois is able to look up additional information such as associated postal and email addresses. You can easily select and copy the IP address from the Outlook Internet Headers box by using CTRL-C to place it on the clipboard.
We are faced with an additional problem, however. Email messages frequently contain more than one ‘Received’ Header. How can we know which of these several Headers contains the originating IP address belonging to the sender? ‘Received’ Headers are prepended to the front of the email message as it travels through the internet to your email inbox. The flow below shows how these ‘Received’ Headers are added to the message, read backwards from the receiver to the sender (Headers are listed from the top of the Header sequence):

Stage 4 (receiver): The Recipient’s mailbox receives the message from his POP3 or webmail server. No new ‘Received’ Header is added at this stage.

Stage 3: The Recipient’s email server (POP3, Yahoo, Hotmail, etc.) receives the email message from the sender’s server (e.g. bay15.hotmail.msn.com). A ‘Received: from [sender mail server] by [recipient mail server]’ field is appended to the top of the current sequence of Header strings; any previous ‘Received’ Headers appear below this new one. The newest ‘Received:’ Header, at the top of the sequence, now contains the IP address belonging to the email server of the sender (e.g. Hotmail.com). It is not the true IP address of the sender himself.

    Received: from bay15.hotmail.com (HELO hotmail.com) (126.96.36.199)
      by mail2.aol.com with SMTP; 30 Sep 2004 02:27:02 -0000

Stage 2: The sender’s email server receives the email message from the sender’s computer. The first ‘Received’ Header, containing the true IP address of the sender (e.g. 188.8.131.52), is appended to the message and at this moment sits at the very top of the sequence of Headers. As the message travels over the Internet, new ‘Received’ fields are appended above it. This means that the sender’s actual IP address will always be in the very bottommost “Received:” Header.

    Received: from 184.108.40.206 by bay15.hotmail.msn.com with HTTP;
      Thu, 30 Sep 2004 02:26:37 GMT

Stage 1 (sender): The Sender sends the email message to his own email server to begin its journey to the receiver. The common Header strings are created:

    From: “John Doe”
    To: “Alice Smith”
    Subject: Nice meeting!
    Date: Thu, 30 Sep 2004 02:26:37 +0000
There are other possible variations in email routing. Your Email Service Provider (or the provider of the sender) may use several ‘pass-through’ email servers and these servers can add several ‘Received’ Headers. Also, if you and the sender use the same server, the message will have only one ‘Received’ Header.
Practice… or tips for traps
Unfortunately there are those who for various reasons want to conceal their IP address from the message receiver. About 95% of Internet email is composed of spam, viruses and other types of illicit material. Most spammers use clever tricks to hide their true IP address. They can, for example, place fake ‘Received’ headers into the email headers. They might look something like the following:
Received: from %RNDUCCHAR1524 (j220.127.116.11.%RNDLCCHAR15357.ti.yahoo.com 18.104.22.168)
by mail08.t.yahoo.com (47.1.777akv719/%RNDDIGIT12.4.50) with SMTP id fwf54N4Wnto%RNDDIGIT15;
Wed, 06 Oct 2004 09:22:39 +0500
In this example, symbols such as %RNDDIGIT12 or %RNDLCCHAR15357 look like instructions to a mass-mailer application to insert RaNDom CHARacters or DIGITS to confuse you as well as your anti-spam filter. In this case, the true sender IP could be in the first ‘Received’ Header, that is, the one that was inserted by your email service provider’s email server, because most spammers send their messages directly to your mailbox without using any intermediate servers. In this case only one of the ‘Received’ Headers can be the one we’re looking for. Once we find it, we can conclude that all of the others are fake.
We may safely conclude that, since there are often several ‘Received’ Headers in an email message, servers deliver email using a ‘chained’ process. For that reason the sender indicated in each ‘Received’ Header should always correspond directly to the receiving server indicated in the ‘Received’ Header immediately below it (the previous hop)!
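As an added example (not code from the original article, and not part of Active Whois), the following Python script applies the two rules above to raw header text: the bottommost ‘Received’ Header gives the IP address recorded by the sender’s own server, and the ‘from’ server of each ‘Received’ Header should match the ‘by’ server of the Header directly below it. Both sample messages, their host names and their IP addresses are constructed for this demonstration (the addresses come from the RFC 5737 documentation ranges); the forged one mirrors the spam pattern described above, where a message delivered straight to your provider carries fake ‘Received’ lines underneath.

```python
import re
from email import message_from_string

# Constructed sample messages (not taken from the original article). Host names
# follow the article's illustration; the IP addresses are RFC 5737 documentation
# addresses, so the samples cannot point at a real machine.
GENUINE_MESSAGE = """\
Received: from bay15.hotmail.msn.com (HELO hotmail.com) (192.0.2.10)
 by mail2.aol.com with SMTP; 30 Sep 2004 02:27:02 -0000
Received: from 198.51.100.7 by bay15.hotmail.msn.com with HTTP;
 Thu, 30 Sep 2004 02:26:37 GMT
From: "John Doe" <john.doe@example.com>
To: "Alice Smith" <alice.smith@example.net>
Subject: Nice meeting!
Date: Thu, 30 Sep 2004 02:26:37 +0000

Hello Alice, nice meeting you.
"""

# Delivered straight to the recipient's provider (top hop), with a forged
# 'Received' line underneath naming servers the message never passed through.
FORGED_MESSAGE = """\
Received: from unknown (203.0.113.45)
 by mx.your-provider.example with SMTP; Wed, 06 Oct 2004 04:30:01 -0000
Received: from RNDHOST (j203.0.113.9.ti.yahoo.com 203.0.113.9)
 by mail08.t.yahoo.com with SMTP id fwf54N4Wnto;
 Wed, 06 Oct 2004 09:22:39 +0500
From: "Lottery Desk" <winner@example.org>
To: "Alice Smith" <alice.smith@example.net>
Subject: You have won
Date: Wed, 06 Oct 2004 09:22:39 +0500

Claim your prize.
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_received(value):
    """Split one 'Received:' value into its 'from' host, 'from' IP and 'by' host.

    Folded continuation lines are joined first so the pattern sees a single line.
    Returns None when the value does not follow the 'from ... by ...' shape.
    """
    text = " ".join(value.split())
    match = RECEIVED_RE.search(text)
    if match is None:
        return None
    from_clause = match.group("from")
    ip = IPV4_RE.search(from_clause)
    return {
        "from_host": from_clause.split()[0].strip("[]").lower(),
        "from_ip": ip.group(0) if ip else None,
        "by_host": match.group("by").strip("[]").lower(),
        "raw": text,
    }


def received_chain(raw_message):
    """All 'Received' hops, top (newest) to bottom (oldest), as parse_received dicts."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def originating_ip(raw_message):
    """The basic rule: the bottommost 'Received' Header was written by the
    sender's own server, so its 'from' address is the sender's IP."""
    hops = received_chain(raw_message)
    if not hops or hops[-1] is None:
        return None
    return hops[-1]["from_ip"]


def chain_breaks(raw_message):
    """Indexes of hops whose 'from' host is not the 'by' host of the hop below.

    A genuine relay chain links hop to hop: the server that received the message
    at one hop is the server that hands it on at the next. A break marks the
    point below which the Headers cannot be trusted.
    """
    hops = received_chain(raw_message)
    breaks = []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        if newer is None or older is None or newer["from_host"] != older["by_host"]:
            breaks.append(i)
    return breaks


def last_trustworthy_ip(raw_message):
    """Sender IP as far as the chain can be trusted: the bottommost hop when the
    chain is intact, otherwise the 'from' IP of the hop just above the first
    break (in the spam case, the Header added by your own provider's server)."""
    hops = received_chain(raw_message)
    if not hops:
        return None
    breaks = chain_breaks(raw_message)
    hop = hops[breaks[0] if breaks else len(hops) - 1]
    return hop["from_ip"] if hop else None


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_MESSAGE), ("forged", FORGED_MESSAGE)):
        print(label, "hops:")
        for i, hop in enumerate(received_chain(raw)):
            if hop is not None:
                print(f"  {i}: from {hop['from_host']} ({hop['from_ip']}) by {hop['by_host']}")
        print("  chain breaks at:", chain_breaks(raw))
        print("  sender IP to look up:", last_trustworthy_ip(raw))
```

The host comparison is deliberately strict (exact name match after lower-casing and removing brackets). Real servers often record the connecting peer’s reverse-DNS name or HELO name rather than the name the next hop uses for itself, so in practice you would also accept a match on the IP address or on the registered domain before treating a mismatch as a forgery.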
It is also useful to check the DNS of senders by using Active Whois. The random domain names in forged ‘Received:’ Headers will never resolve to the IP addresses written beside them.
While viruses have not yet attained this level of deviousness, you can easily retrieve the IP address administrator email from Active Whois and quickly stem a new virus outbreak by warning the administrator that someone sent numerous viruses to you using his server.
Some additional facts in conclusion:
There is a useful Header, ‘X-Mailer’, that specifies the email program of the sender. Its value can indicate that a message was originally sent by an email bot, and its absence from a message is itself a sign worth noting.
The email address of the sender can be easily faked. The SMTP (Simple Mail Transfer Protocol) by which email is handled allows this deception because it does not verify Headers such as the ‘From’ Header that contains the email address of the sender.