
Reading the Email Header

By Mary Landesman, About.com

Hiding inside every email is a header that records each step of the email's journey from point A to point Z and every relay in between. The steps to view an email header vary between mail clients. If you need help displaying these headers, visit Email.About.com or post a message to the help forum at http://email.about.com/mpboards.htm.

A word of caution. Like the envelope From address, email headers can themselves be forged. So while the headers can reveal the true sender in some - or even most - cases, there are instances where it just will not be possible.

In this example, the email was supposedly sent "From" admin@internet.com, but in reality, that's an address forged by the Sobig.F worm, stolen for the purpose of masking the real infected party.

Received: by sphinx (mbox mlande) (with Cubic Circle's cucipop (v1.31 1998/05/13) Wed Aug 20 19:41:38 2003)
X-From_: admin@internet.com Wed Aug 20 19:40:22 2003
Return-Path: <admin@internet.com>
Received: from psmtp.com (exprod5mx37.postini.com [12.158.34.194]) by sphinx.got.net (8.12.3/8.12.3/Debian-6.3) with SMTP id for <mary@indefense.com>; Wed, 20 Aug 2003 19:40:05 -0700
Message-Id: <200308210240.h7L2e5A0016623@sphinx.got.net>
Received: from source ([69.9.251.177]) by exprod5mx37.postini.com ([12.158.34.245]) with SMTP; Wed, 20 Aug 2003 21:40:05 CDT
From: <admin@internet.com>

Email headers should be read from the bottom up, because each mail server that handles the message adds its own line above the existing ones: the bottom of the list is the earliest step and the top is the final destination. In this case, the email client (thanks to the worm's spoofing) says the email is:

From: <admin@internet.com>

But that's the forgery. The next step in the process, again - from the bottom up - is what happens when the email arrives at the ISP or domain's mail server:

Received: from source ([69.9.251.177]) by exprod5mx37.postini.com ([12.158.34.245]) with SMTP; Wed, 20 Aug 2003 21:40:05 CDT

In plain language, the mail server - in this case, exprod5mx37.postini.com ([12.158.34.245]) - recorded the address that actually connected to it, [69.9.251.177], regardless of what the sender claimed. The remaining Received: headers above this one simply trace the mail's onward trek to its final destination.

To recap, the From: address that the email displays is fake, but the first "Received: from" line (counting from the bottom) is written by the receiving mail server itself and records the IP address of the host that actually delivered the message.
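As an added example (not part of the article), here is a small Python parser that performs this bottom-up reading on the header block above: it collects the "Received: from" hops in transit order, reports the IP the first receiving server recorded, contrasts it with the displayed From: address, and applies a simple chain-consistency check that can flag Received lines a sender forged below the genuine ones (the caution given earlier). The function names and the check are my own construction; the header sample is a copy of the article's example.

```python
import re
# Constructed copy of the header block from the article, so the example runs offline.
SAMPLE_HEADERS = """\
Received: by sphinx (mbox mlande) (with Cubic Circle's cucipop (v1.31 1998/05/13) Wed Aug 20 19:41:38 2003)
X-From_: admin@internet.com Wed Aug 20 19:40:22 2003
Return-Path: <admin@internet.com>
Received: from psmtp.com (exprod5mx37.postini.com [12.158.34.194]) by sphinx.got.net (8.12.3/8.12.3/Debian-6.3) with SMTP id for <mary@indefense.com>; Wed, 20 Aug 2003 19:40:05 -0700
Message-Id: <200308210240.h7L2e5A0016623@sphinx.got.net>
Received: from source ([69.9.251.177]) by exprod5mx37.postini.com ([12.158.34.245]) with SMTP; Wed, 20 Aug 2003 21:40:05 CDT
From: <admin@internet.com>
"""

# Shape handled: "Received: from <helo> (<reverse DNS and/or [IP]>) by <server> ..."
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(headers):
    """'Received: from' hops in transit order (bottom line of the block first, since
    each server prepends its own line). 'Received: by' local-delivery lines are skipped."""
    hops = []
    for line in headers.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            paren = m.group("paren") or ""
            ip = IPV4_RE.search(paren)
            hops.append({"helo": m.group("helo"), "paren": paren,
                         "ip": ip.group(1) if ip else None, "by": m.group("by")})
    hops.reverse()  # read bottom-up, as the article describes
    return hops

def originating_ip(headers):
    """IP written into the bottom-most 'Received: from' line by the server that accepted
    the connection. Trust it only if that server is one you trust (see chain check)."""
    hops = parse_received(headers)
    return hops[0]["ip"] if hops else None

def displayed_from(headers):
    """The From: address the mail client shows; entirely under the sender's control."""
    for line in headers.splitlines():
        if line.lower().startswith("from:"):
            return line.split(":", 1)[1].strip().strip("<>")
    return None

def chain_is_consistent(hops):
    """Heuristic: each hop's 'by' server should reappear as the next hop's connecting
    host. A break suggests Received lines the sender forged below the genuine ones."""
    return all(prev["by"] == nxt["helo"] or prev["by"] in nxt["paren"]
               for prev, nxt in zip(hops, hops[1:]))
```

On the sample, `originating_ip` returns 69.9.251.177 while `displayed_from` returns admin@internet.com, and the two genuine hops link up (postini.com accepted the connection, then handed off to sphinx.got.net), so the chain check passes.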

Armed with that piece of evidence, the next step in the process is to do an IP lookup to see who owns that IP address so they can be properly notified.


©2008 About.com, a part of The New York Times Company.

All rights reserved.