Full mail headers, also know as extended or long email headers) are bits of hidden information sent with every email. Normally we do not see them, yet they may reveal quite a bit of information that assists in investigating an incident.
What do email headers look like? Lets consider a job offer received out of the blue for a job at The Langham, London Hotel (Please note this is a scam).
Return-Path: <firstname.lastname@example.org> Delivered-To: (removed) Received: from plesk4.origemweb.com.br (plesk4.origemweb.com.br [220.127.116.11]) by (removed) (Postfix) with ESMTP id 29AF7EBC8136 for <(removed)>; Wed, 15 Aug 2012 12:50:58 +0000 (UTC) Received: from localhost ([18.104.22.168]) by plesk4.origemweb.com.br (Merak 8.0.3) with SMTP id FCA84925; Wed, 15 Aug 2012 09:48:38 -0300 Date: Wed, 15 Aug 2012 09:47:15 +0100 From: "The Langham Hotel London" <email@example.com> Reply-To: firstname.lastname@example.org Subject: Vacancy! Message-ID: <email@example.com> X-Mailer: IceWarp Web Mail 5.4.2 X-Originating-IP: 22.214.171.124 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit We require the services of devoted and hardworking workers, who are ready to relocate to London and to work at The Langham, London Hotel after undergoing enlistment training in current job opportunities at our 5 star hotel, as the management intends to increase its man power base due to an increase in the number of customers. ... ...
The headers are the part of the message above the first blank line, ending with “Content-Transfer-Encoding: 7bit”. The full headers end with the first blank line (many articles neglect to mention this).
The blank line separates the headers from the message body, “We require the services of ….”.
Most telling is the line “X-Originating-IP: 126.96.36.199”. 188.8.131.52 is an IP address that allows us to track this email back to Visafone Communications Limited in Nigeria! There is simply no way a legitimate UK hotel would be sending out spam job offers from a Nigerian cellular service. Likewise we can see the scammer abused origemweb.com.br, in fact the scammer left quite a trail of abuse.
So how do we get to these headers? This depends on the email program you use to receive emails, each one is different. Obtaining headers may seem like a daunting task at first, but once you have the knack of it, it's really easy. It may also assist you in other issues in day to day life. In fact it's considered an essential skill in surviving on the net.
We'll refer to SpamCop's most excellent page on how to obtain email headers:
Emailquestions.com also has a most excellent forum:
If you get stuck, please contact us.
Verifying an IP address location: http://www.domaintools.com/