How to view my email header
What is an email header?
An email can be considered to be like a train. The engine is the email headers and the message or content is the carriages. The engine controls WHERE the email goes, the email's credentials and any extra instructions picked up on the journey. The content is fairly passive in that it gets to the destination (the recipient) unaltered.
Analysis of an email header and an explanation of what each part means
Most of a mail header looks like gobbledygook; however, there are a couple of lines that will tell you if the email you are looking at contains spammy content.
Below is approximately what you will see in an email's header. The spam reporting is highlighted in Blue. Comments and annotations are in Red. The headers are simplified and the originating message was in Chinese (characters).
Microsoft Mail Internet Headers Version 2.0
Received: from exchange.mymailserver.co.uk ([199.125.11.14]) by exch-xe22.exchange.local with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 14 Aug 2012 01:33:34 +0100
Received: from smtp-in-136.mymailserver.co.uk ([199.125.216.136]) by exchange.mymailserver.co.uk with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 14 Aug 2012 01:33:34 +0100
Received: from virus_14.mymailserver.co.uk (virus-cluster.mymailserver.co.uk [199.125.216.10])
by smtp-in-136.mymailserver.co.uk (Postfix) with SMTP id C70F428E1EF
The above received notices are the individual servers that passed the email to each other before being delivered to your mailbox (shown on the next line). Each server performs a service such as routing, anti-virus or censoring etc
for <sales@myemailaddress.com>; Tue, 14 Aug 2012 01:33:34 +0100 (BST)
Above is the intended recipient (sales@myemailaddress.com) after basic checking and routing occurs. Next is the SPAM CHECK, which is discussed in detail AFTER this mail header example.
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
spam_128.myemailproviders.co.uk
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.8 required=5.0 tests=HTML_MESSAGE,MPART_ALT_DIFF,
RCVD_DOUBLE_IP_LOOSE,RDNS_NONE shortcircuit=no autolearn=disabled
version=3.3.1
X-Spam-Report:
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 2.2 MPART_ALT_DIFF BODY: HTML and text parts are different
* 2.4 RDNS_NONE Delivered to internal network by a host with no rDNS
* 1.1 RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses
Received: from mail.hzbtv.com (unknown [60.191.126.67])
Above is the SENDER'S EMAIL ADDRESS AND IP ADDRESS - Note the IP address is stated as UNKNOWN
by smtp-in-77.mymailserver.co.uk (Postfix) with ESMTP id ZZ897F80F0
for <sales@myemailaddress.com>; Tue, 14 Aug 2012 01:33:32 +0100 (BST)
Above is the recipient's email address
Received: from [192.168.225.1] by [192.168.255.203] with StormMail ESMTP id 50872443886.850099843;
Tue, 14 Aug 2012 04:40:40 +0800 (CST)
Message-ID: <201209274537407418008@hzbtv.com>
From: =?utf-8?B?5p6X5piA5YWB?= <wq@hzbtv.com>
To: <sales@myemailaddress.com>
Subject: -----SPAM----- =?utf-8?B?Ymg1LeWRmOW3peWKs+WKqOWFs+ezu+e7iOatouaXtueahOazleW+i+mjjumZqeWPiuaOpw==?=
=?utf-8?B?5Yi25pa55qGI?=
Above is the SUBJECT of the message
Date: Tue, 14 Aug 2012 03:43:02 +0800
The date/time carried within the original email
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_05E3_01AC81CB.12B30BB0"
The 3 lines above are the MIME TYPE and boundary declaration
X-mailer: Nzruldugn 1
Above is the sender's email programme
X-Spam-Prev-Subject: =?utf-8?B?Ymg1LeWRmOW3peWKs+WKqOWFs+ezu+e7iOatouaXtueahOazleW+i+mjjumZqeWPiuaOpw==?=
The sender's SPAM APPLICATION is stated in the two lines above
X-Original-To: sales@myemailaddress.com
Above is the TO ADDRESS as originally entered by the sender (ie before any forwarding etc)
X-AntiVirus: checked by Vexira MailArmor
Above, the email is allegedly checked by Vexira MailArmor
Return-Path: wq@hzbtv.com
Above is the Return path: the email address to which any BOUNCE notice is sent if the mail isn't delivered or is rejected
X-OriginalArrivalTime: 14 Aug 2012 00:33:34.0666 (UTC) FILETIME=[702CA2A0:01CD79B4]
------=_NextPart_000_05E3_01AC81CB.12B30BB0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_07DE_01AC81CB.12B30BB0"
The 3 lines above are the MIME TYPE and boundary declaration
------=_NextPart_001_07DE_01AC81CB.12B30BB0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: base64
The 4 lines above are the MIME TYPE and boundary declaration
------=_NextPart_000_05E3_01AC81CB.12B30BB0
Content-Type: application/vnd.ms-excel;
name=¡¶Éç»á±£ÏÕ·¨¡·Êµ²ÙÓ¦¶Ô²ßÂÔר³¡nb.xls
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=¡¶Éç»á±£ÏÕ·¨¡·Êµ²ÙÓ¦¶Ô²ßÂÔר³¡tplxy7py.xls
Above this line is the virus attachment (a spreadsheet macro virus, presumably). The filename is in Chinese characters.
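An added example (not part of the original page): Python that reads the Received lines from the header above, newest first, and finds the last hop written by the recipient's own servers, which is where the connecting IP address was actually recorded. It assumes hosts ending in .mymailserver.co.uk are the recipient's mail servers; parse_hops and trace_origin are names made up for this example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the three oldest Received lines from the header above with
# the annotations removed. The topmost line is the most recent hop.
RAW = (
    "Received: from virus_14.mymailserver.co.uk (virus-cluster.mymailserver.co.uk [199.125.216.10])\n"
    "\tby smtp-in-136.mymailserver.co.uk (Postfix) with SMTP id C70F428E1EF\n"
    "\tfor <sales@myemailaddress.com>; Tue, 14 Aug 2012 01:33:34 +0100 (BST)\n"
    "Received: from mail.hzbtv.com (unknown [60.191.126.67])\n"
    "\tby smtp-in-77.mymailserver.co.uk (Postfix) with ESMTP id ZZ897F80F0\n"
    "\tfor <sales@myemailaddress.com>; Tue, 14 Aug 2012 01:33:32 +0100 (BST)\n"
    "Received: from [192.168.225.1] by [192.168.255.203] with StormMail ESMTP id 50872443886.850099843;\n"
    "\tTue, 14 Aug 2012 04:40:40 +0800 (CST)\n"
    "\n"
)
HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")

def parse_hops(raw):
    """Return one dict per Received line, newest first, in header order."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP.search(text)
        if m:
            ip = re.search(r"\[([0-9.]+)\]", m.group(2) or m.group(1))
            hops.append({"from": m.group(1), "by": m.group(3),
                         "ip": ip.group(1) if ip else None,
                         "time": parsedate_to_datetime(text.rsplit(";", 1)[-1])})
    return hops

def trace_origin(raw, own_suffix):
    """Split the chain at the oldest hop that one of our own servers wrote."""
    hops = parse_hops(raw)
    trusted = []
    for hop in hops:  # newest first
        if not hop["by"].endswith(own_suffix):
            break  # this line was written before the mail reached us
        trusted.append(hop)
    if not trusted:
        return None
    handoff, claimed = trusted[-1], hops[len(trusted):]
    gap = (handoff["time"] - claimed[0]["time"]).total_seconds() if claimed else None
    return {"handoff_ip": handoff["ip"], "handoff_helo": handoff["from"],
            "handoff_time": handoff["time"].isoformat(),
            "unverified_hops": len(claimed), "claimed_gap_seconds": gap}
```

Everything older than the handoff line was supplied by the sending side, so 60.191.126.67 is the address to look up or report, not the private 192.168.x.x addresses in the oldest line.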
SPAM ANALYSIS
In the mail header example above, the SPAM information is contained within the BLUE portion.
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
spam_128.myemailproviders.co.uk
This is the name of the SPAM PROGRAMME and version running on the server named spam_128.myemailproviders.co.uk
X-Spam-Flag: YES
Spam Assassin has determined this email is spam because of the following ...
X-Spam-Level: *****
The spam level is calculated using the spam rules database as 5 stars (rounded)
X-Spam-Status: Yes, score=5.8 required=5.0 tests=HTML_MESSAGE,MPART_ALT_DIFF,
RCVD_DOUBLE_IP_LOOSE,RDNS_NONE shortcircuit=no autolearn=disabled
version=3.3.1
Spam Assassin says the mail spam status is YES (it's been classed as spam)
... and that the spam score is 5.8
... and that the user has set their spam filter to reject anything with a spam score of 5 or greater than 5
... and that the following test types were performed (as listed below in red)
HTML_MESSAGE,
MPART_ALT_DIFF,
RCVD_DOUBLE_IP_LOOSE,
RDNS_NONE
shortcircuit=no
autolearn=disabled
version=3.3.1
X-Spam-Report:
The spam programme reports the following reasons for classing the mail as spam
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 2.2 MPART_ALT_DIFF BODY: HTML and text parts are different
* 2.4 RDNS_NONE Delivered to internal network by a host with no rDNS
* 1.1 RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses
Above, each test failure is given a score. If the TOTAL adds up to more than the threshold YOU set in your spam filter (or your mail company set), then the mail will be classed as spam. In this example the APPROXIMATE TOTAL is 5.8 = 0.0 + 2.2 + 2.4 + 1.1
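An added example (not part of the original page): Python that parses the X-Spam-Status and X-Spam-Report headers shown above, checks that the listed rules and their scores agree with the headline score, and checks that the scan was done by a server you trust. The names unfold, analyse_spam_headers and trusted_checkers are made up for this example, and the rounding allowance is an assumption.

```python
import re
from email import message_from_string

# Constructed sample: SpamAssassin headers from the example above, folded as on the wire.
RAW = (
    "X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on\n"
    "\tspam_128.myemailproviders.co.uk\n"
    "X-Spam-Status: Yes, score=5.8 required=5.0 tests=HTML_MESSAGE,MPART_ALT_DIFF,\n"
    "\tRCVD_DOUBLE_IP_LOOSE,RDNS_NONE shortcircuit=no autolearn=disabled\n"
    "\tversion=3.3.1\n"
    "X-Spam-Report:\n"
    "\t* 0.0 HTML_MESSAGE BODY: HTML included in message\n"
    "\t* 2.2 MPART_ALT_DIFF BODY: HTML and text parts are different\n"
    "\t* 2.4 RDNS_NONE Delivered to internal network by a host with no rDNS\n"
    "\t* 1.1 RCVD_DOUBLE_IP_LOOSE Received: by and from look like IP addresses\n"
    "\n"
)

def unfold(value):
    """Join folded lines, then re-attach a tests= list that was split after a comma."""
    return re.sub(r",\s+", ",", re.sub(r"\r?\n[ \t]+", " ", value or "")).strip()

def analyse_spam_headers(raw, trusted_checkers):
    """Parse the X-Spam-* headers and cross-check them against each other."""
    msg = message_from_string(raw)
    status = unfold(msg["X-Spam-Status"])
    fields = dict(re.findall(r"(\w+)=(\S+)", status))
    if "score" not in fields or "required" not in fields:
        return None  # message was not scored, nothing to analyse
    score, required = float(fields["score"]), float(fields["required"])
    tests = set(fields.get("tests", "").split(",")) - {"", "none"}
    rules = {}  # rule name -> points, one "* <points> <RULE> <text>" line each
    for line in (msg["X-Spam-Report"] or "").splitlines():
        m = re.match(r"\s*\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s", line)
        if m:
            rules[m.group(2)] = float(m.group(1))
    total = round(sum(rules.values()), 1)
    # Assumption: every printed figure is rounded to 0.1, so allow 0.05 each.
    tolerance = 0.05 * (len(rules) + 1)
    checker = unfold(msg["X-Spam-Checker-Version"]).rsplit(" on ", 1)[-1]
    return {
        "is_spam": score >= required,
        "score": score, "required": required,
        "report_total": total,
        "rules_match": tests == set(rules),
        "total_plausible": abs(score - total) <= tolerance,
        # Headers from a checker you do not run may have been written by the sender.
        "checker_trusted": checker in trusted_checkers,
        "top_rule": max(rules, key=rules.get) if rules else None,
    }
```

On the page's figures the listed rule scores add up to 5.7 against a header score of 5.8, which the rounding allowance accepts.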
A list of common spam infringements and spam rules can be found on the Calco UK website -> Commonly abused Spam Rules.
A list of the Apache Spam Rules and short codes can be found here
HOW TO VIEW EMAIL HEADERS
Here is how to "see" the email headers in the following email applications and on-line mail programmes :-
In most of the applications the header is not very readable, so it's worth opening Notepad or SimpleText to see the content better. To do this, swipe or select the whole header or use the shortcut Control + A (it's the key labelled CTRL on either side of the keyboard). For CTRL+A you would HOLD DOWN the CTRL key and TAP ONCE the lower case A key.
When it's all selected (highlighted), COPY it using CTRL+C and then PASTE it into your text editor (Notepad, Word etc) using CTRL+V
(In the above instructions substitute the apple key for the CTRL key if using a Mac)
WINDOWS MAIL or LIVE MAIL
- To view the email headers in the Microsoft email programme that comes with Vista and Windows 7
- Highlight the row of the message that you wish to inspect (click it once to turn it blue).
- RIGHT CLICK the same message now it's changed colour and is highlighted.
- SELECT PROPERTIES
- Go to the DETAILS TAB.
OUTLOOK EXPRESS
- To see the email header with Outlook Express
- Highlight the row of the message that you wish to inspect (click it once to turn it blue).
- RIGHT CLICK the same message now it's changed colour and is highlighted.
- SELECT PROPERTIES
- Go to the DETAILS TAB and choose Message Source
OUTLOOK 2003 (and previous versions to 2000)
- Open the email in a new window (ie double click the email to be examined)
- Select VIEW then OPTIONS
- The header is listed in the bottom of the box labelled INTERNET HEADERS
OUTLOOK 2007
- RIGHT CLICK the message in the message list
- Click MESSAGE OPTIONS with the normal mouse button
- The header is listed in the bottom of the box labelled INTERNET HEADERS
OUTLOOK 2010
- Highlight the row of the message that you wish to inspect (click it once to turn it blue).
- In the TOP MENU (the tabs that say file, home, Send / receive etc) choose FILE
- In the column menu choose INFO
- Choose PROPERTIES
- The header is listed in the bottom of the box labelled INTERNET HEADERS
THUNDERBIRD (Mozilla)
- It's easy to see the email headers in Thunderbird
- Open the email (double-click it)
- VIEW then HEADERS then VIEW ALL
HOTMAIL
- Viewing the email header with HOTMAIL
- In your IN-BOX.. HOVER over the email you wish to inspect.
- RIGHT CLICK to get the CONTEXT MENU
- Choose VIEW MESSAGE SOURCE
YAHOO MAIL
- Viewing the email header with YAHOO
- Open the message
- At the top of the message click FULL HEADERS
GOOGLE MAIL or GMAIL
- Viewing the email header with GMAIL
- Open the message
- Click the down arrow next to Reply; it's at the top-right on the message window
- Click SHOW ORIGINAL
AOL
- To see the email header or Internet Headers in AOL mail programme
- Open the email you want to look at. (check that it says "Sent from the Internet" near the top)
- Click DETAILS adjacent to "sent from Internet"
APPLE MAIL
- Viewing the email header with Apple Mail
- Double click to open message.
- In the top menu choose VIEW then CUSTOMIZE TOOLBARS.
- Drag the FULL HEADERS ICON (or Long headers) into the TOOLBAR and SAVE.
- Use the new button to view your headers on the selected email you wish to examine.
ENTOURAGE
- To View the email headers with Entourage
- Double click to open message.
- Select VIEW then INTERNET HEADERS
WHY WOULD I VIEW MY EMAIL HEADERS
To:-
Check the Spam Score of a mailshot
To check for Fake Emails
To see where an email originated
To see when it was sent
HOW TO CHECK IF YOU ARE ON A SPAM BLACKLIST .. and how to get off it!