the scam hound

Email Headers

Full mail headers (also known as extended or long email headers) are bits of hidden information sent with every email. Normally we do not see them, yet they can reveal quite a bit of information that assists in investigating an incident.

What do email headers look like? Let's consider a job offer received out of the blue for a job at “The Langham London Hotel” (please note this is a scam).

Return-Path: <[email protected]>
Delivered-To: (removed)
Received: from plesk4.origemweb.com.br (plesk4.origemweb.com.br [189.126.192.15])
    by (removed) (Postfix) with ESMTP id 29AF7EBC8136
    for <(removed)>; Wed, 15 Aug 2012 12:50:58 +0000 (UTC)
Received: from localhost ([189.126.192.15])
    by plesk4.origemweb.com.br (Merak 8.0.3) with SMTP id FCA84925;
    Wed, 15 Aug 2012 09:48:38 -0300
Date: Wed, 15 Aug 2012 09:47:15 +0100
From: "The Langham Hotel London" <[email protected]>
Reply-To: [email protected]
Subject: Vacancy!
Message-ID: <[email protected]>
X-Mailer: IceWarp Web Mail 5.4.2
X-Originating-IP: 41.71.173.36
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

We require the services of devoted and hardworking workers, who are ready to
relocate to London and to work at The Langham, London Hotel after undergoing
enlistment training in current job opportunities at our 5 star hotel, as the
management intends to increase its man power base due to an increase in the
number of customers.

The headers are the part of the message above the first blank line, ending in this case with “Content-Transfer-Encoding: 7bit”. The full headers always end at the first blank line (many articles neglect to mention this).

The blank line separates the headers from the message body, which begins “We require the services of ….”.

Most telling is the line “X-Originating-IP: 41.71.173.36”. 41.71.173.36 is an IP address that lets us trace this email back to Visafone Communications Limited in Nigeria! There is simply no way a legitimate London hotel would be sending out spam job offers from a Nigerian cellular service. Likewise we can see that the scammer abused origemweb.com.br; in fact the scammer left quite a trail of abuse.
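To show how the header block above can be read mechanically, here is an added Python example (not code from the original article). It embeds a constructed copy of the scam's headers with placeholder mailbox addresses, splits headers from body at the first blank line, walks the Received: chain bottom-up (the chronological order) and pulls out the X-Originating-IP that gave the game away.

```python
import email
import re

# Constructed sample modelled on the headers quoted above; mailbox addresses are
# placeholders, host names and IPs are the ones the article shows.
RAW_MESSAGE = """Return-Path: <sender@example.invalid>
Received: from plesk4.origemweb.com.br (plesk4.origemweb.com.br [189.126.192.15])
    by mx.example.invalid (Postfix) with ESMTP id 29AF7EBC8136
    for <victim@example.invalid>; Wed, 15 Aug 2012 12:50:58 +0000 (UTC)
Received: from localhost ([189.126.192.15])
    by plesk4.origemweb.com.br (Merak 8.0.3) with SMTP id FCA84925;
    Wed, 15 Aug 2012 09:48:38 -0300
From: "The Langham Hotel London" <sender@example.invalid>
Reply-To: reply@example.invalid
Subject: Vacancy!
X-Mailer: IceWarp Web Mail 5.4.2
X-Originating-IP: 41.71.173.36
Content-Transfer-Encoding: 7bit

We require the services of devoted and hardworking workers ...
"""

# Bracketed IPv4 literal as MTAs write it into Received: lines, e.g. "[189.126.192.15]".
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def split_headers_body(raw: str):
    """Headers are everything above the first blank line; the body is the rest.
    The text must start with a header line: a leading blank line would make
    the whole message parse as body."""
    headers, _, body = raw.partition("\n\n")
    return headers, body

def received_hops(raw: str):
    """Received: hops in chronological order. Each relay prepends its own line,
    so the bottom-most Received: is the first hop; reversing gives the path."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        match = BRACKETED_IP.search(hdr)
        hops.append({"raw": " ".join(hdr.split()),  # unfold continuation lines
                     "ip": match.group(1) if match else None})
    return hops

def originating_ip(raw: str):
    """Client IP recorded by the webmail software; absent from the Received: chain."""
    return email.message_from_string(raw).get("X-Originating-IP")
```

Run on the sample, the first hop is the Merak webmail host handing the mail to itself from localhost, and the originating IP does not appear in any Received: line, which is why the X-Originating-IP header is the one to look at.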

So how do we get to these headers? That depends on the email program you use to receive mail; each one is different. Obtaining headers may seem like a daunting task at first, but once you have the knack of it, it’s really easy. It may also help with other issues in day-to-day life. In fact it’s considered an essential skill for surviving on the net.

If you are using an iPhone or Android phone, you can’t (easily) get to the email headers. Follow the steps below on a normal PC-based system, then refer to SpamCop’s most excellent page on how to obtain email headers:
http://spamcop.net/fom-serve/cache/19.html

Emailquestions.com also has an excellent forum:
http://www.emailquestions.com/full-email-headers/

If you get stuck, please contact us.

Related references:

Verifying an IP address location: http://www.domaintools.com/