How to decode Spam Headers
Written by Carl E. Reid on December 1, 2008
Spammers know that they can be tracked through the “Received:” lines in the headers. Therefore, they often attempt to obfuscate the headers to confuse matters. Although “Received:” headers can also be forged, it is somewhat more difficult than simply forging the return address.
Most of your incoming email (including junk email) will have a total of only two “Received:” lines in the headers: one generated by your ISP’s incoming mail machine (indicating the address of the spammer’s outgoing SMTP server), and one generated by the outgoing SMTP server indicating the originating IP. Although not unheard of, you should be suspicious of any additional “Received:” headers below the second one.
Sometimes, you will only find one “Received:” line in the headers. This is because some spam software runs the outgoing mail server right on the spammer’s PC (so they can avoid anti-bulk-email measures in place on their ISP’s outgoing mail server). In this case, the originating address in that sole header is the source of the junk email. When you perform a traceroute or DNS lookup on that address (more on that in the next section), you often find it indicates a PPP or DSL dialup connection, with a name like “ppp-207-105-157-159.psdn11.pacbell.net”.
Very rarely, the remote SMTP server will be running an outdated version of the software, and it will not provide information about where the incoming connection originated. Junk emailers love to find one of these servers because it hides their location. Your only hope in this case is to contact the owner of that server and ask them to check their logs (and to upgrade their mail server software!).
Forged headers will usually show discrepancies (mostly because the forger can’t control headers generated by later mail machines in the path).
- Time stamps will often be inconsistent.
- Impossible IP addresses will appear in the headers (an octet over 255, or an address of 0.0.0.0).
- The host name in the “Message-ID:” header should match the host in the bottom-most “Received:” header, so compare the two.
Work your way down from the topmost “Received:” header. Once you identify a forged “Received:” line, you can also safely ignore all additional “Received:” lines below it.
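An added example (not from the original article) that runs the three checks above from the topmost “Received:” line down and stops trusting lines at the first forged one. It assumes IP addresses appear in square brackets, allows five minutes of clock drift between hosts, and counts the Message-ID host as matching if it appears anywhere in the bottom-most header; the sample message is constructed.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (documentation IP ranges, .example hosts), not real mail.
SAMPLE = """\
Received: from mail.sender.example ([203.0.113.25]) by mx.isp.example;
 Mon, 1 Dec 2008 10:00:05 -0500
Received: from pc.sender.example ([198.51.100.7]) by mail.sender.example;
 Mon, 1 Dec 2008 10:00:01 -0500
Received: from relay.bank.example ([301.12.7.9]) by pc.sender.example;
 Mon, 1 Dec 2008 09:58:00 -0500
Message-ID: <abc123@relay.bank.example>

body
"""
IP_RE = re.compile(r"\[(\d+)\.(\d+)\.(\d+)\.(\d+)\]")  # assumes bracketed IPs
SKEW = timedelta(minutes=5)  # assumed tolerance for clock drift between hosts

def audit_headers(raw):
    """Walk "Received:" lines top-down; return (trusted_count, findings)."""
    msg = message_from_string(raw)
    received = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    findings, prev, trusted = [], None, len(received)
    for i, line in enumerate(received):
        problems = []
        for octets in IP_RE.findall(line):
            nums = [int(o) for o in octets]
            if max(nums) > 255 or not any(nums):
                problems.append("impossible IP " + ".".join(octets))
        try:
            stamp = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
            if stamp.tzinfo is None:  # "-0000" parses as naive; treat as UTC
                stamp = stamp.replace(tzinfo=timezone.utc)
            # A lower line is an earlier hop, so it should not be later.
            if prev and stamp > prev + SKEW:
                problems.append("time stamp later than the hop above")
        except (IndexError, ValueError, TypeError):
            stamp = None
            problems.append("missing or unparsable time stamp")
        if problems:  # forged: ignore this line and everything below it
            findings.append((i, problems))
            trusted = i
            break
        prev = stamp
    host = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2].lower()
    if received and host and host not in received[-1].lower():
        findings.append((len(received) - 1, ["Message-ID host mismatch: " + host]))
    return trusted, findings
```

On the sample, the first two lines are trusted and the third is flagged for the octet 301, so only the top two hops are worth tracing.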