Email Headers

Full mail headers, also know as extended or long email headers) are bits of hidden information sent with every email. Normally we do not see them, yet they may reveal quite a bit of information that assists in investigating an incident.

What do email headers look like? Lets consider a job offer received out of the blue for a job at The Langham, London Hotel (Please note this is a scam).

Return-Path: <[email protected]>
Delivered-To: (removed)
Received: from ( [])
	by (removed) (Postfix) with ESMTP id 29AF7EBC8136
	for <(removed)>; Wed, 15 Aug 2012 12:50:58 +0000 (UTC)
Received: from localhost ([])
        by (Merak 8.0.3) with SMTP id FCA84925;
        Wed, 15 Aug 2012 09:48:38 -0300
Date: Wed, 15 Aug 2012 09:47:15 +0100
From: "The Langham Hotel London" <[email protected]>
Reply-To: [email protected]
Subject: Vacancy!
Message-ID: <[email protected]>
X-Mailer: IceWarp Web Mail 5.4.2
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

We require the services of devoted and hardworking workers, who are ready to 
relocate to London and to work at The Langham, London Hotel after undergoing
enlistment training in current job opportunities at our 5 star hotel, as the 
management intends to increase its man power base due to an increase in the 
number of customers.

The headers are the part of the message above the first blank line, ending with “Content-Transfer-Encoding: 7bit”. The full headers end with the first blank line (many articles neglect to mention this).

The blank line separates the headers from the message body, “We require the services of ….”.

Most telling is the line “X-Originating-IP:”. is an IP address that allows us to track this email back to Visafone Communications Limited in Nigeria! There is simply no way a legitimate UK hotel would be sending out spam job offers from a Nigerian cellular service. Likewise we can see the scammer abused, in fact the scammer left quite a trail of abuse.

So how do we get to these headers? This depends on the email program you use to receive emails, each one is different. Obtaining headers may seem like a daunting task at first, but once you have the knack of it, it's really easy. It may also assist you in other issues in day to day life. In fact it's considered an essential skill in surviving on the net.

We'll refer to SpamCop's most excellent page on how to obtain email headers: also has a most excellent forum:

If you get stuck, please contact us.

Related references:

Verifying an IP address location: