How to decode Spam Headers

Written by Carl E. Reid on December 1, 2008

Spammers know that they can be tracked through the “Received:” lines in the headers. Therefore, they often attempt to obfuscate the headers to confuse matters. Although “Received:” headers can also be forged, it is somewhat more difficult than simply forging the return address.

Most of your incoming email (including junk email) will have only two “Received:” lines in the headers: one generated by your ISP’s incoming mail machine (showing the address of the spammer’s outgoing SMTP server), and one generated by that outgoing SMTP server showing the originating IP. Additional “Received:” headers below the second one are not unheard of, but you should be suspicious of them.

Sometimes, you will only find one “Received:” line in the headers. This is because some spam software runs the outgoing mail server right on the spammer’s PC (so they can avoid anti-bulk-email measures in place on their ISP’s outgoing mail server). In this case, the originating address in that sole header is the source of the junk email. When you perform a traceroute or DNS lookup on that address (more on that in the next section), you often find it indicates a PPP or DSL dialup connection, with a name like “ppp-207-105-157-159.psdn11.pacbell.net”.

Very rarely, the remote SMTP server will be running an outdated version of the software, and it will not record where the incoming connection originated. Junk emailers love to find one of these servers because it hides their location. Your only hope in this case is to contact the owner of that server and ask them to check their logs (and to upgrade their mail server software!).

Forged headers will usually show discrepancies (mostly because the forger can’t control headers generated by later mail machines in the path).

  • Time stamps will often be inconsistent (a lower “Received:” line dated later than the one above it).
  • Impossible IP addresses will appear in the headers (an octet over 255, or an address of 0.0.0.0).
  • The host name in the “Message ID:” header should match the host in the bottom-most “Received:” header; a mismatch suggests forgery.

Work your way down from the topmost “Received:” header. Once you identify a forged “Received:” line, you can also safely ignore all additional “Received:” lines below it.
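As an added example (not code from the article or its author), the following Python script applies these checks to a raw header block: it walks the “Received:” lines from the top down, flags impossible IP addresses, timestamps that run backwards, and a Message-ID host that differs from the bottom-most “Received:” host, and stops at the first forged line so that everything below it is ignored. The sample headers, hosts, addresses and times are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the article); topmost Received: is the newest hop.
# The bottom hop is forged: octet over 255, clock ahead of the hop above, bad host.
SAMPLE = """\
Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.10])
\tby mx.recipient.example with ESMTP id 1A2B3C; Mon, 1 Dec 2008 10:05:00 -0500
Received: from ppp-198-51-100-7.example-dsl.net ([198.51.100.7])
\tby mail.example-isp.net with SMTP; Mon, 1 Dec 2008 10:04:30 -0500
Received: from bigcorp.example (bigcorp.example [10.300.1.1])
\tby ppp-198-51-100-7.example-dsl.net; Mon, 1 Dec 2008 10:06:00 -0500
Message-ID: <20081201150430.ABC123@ppp-198-51-100-7.example-dsl.net>
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def bad_ip(ip):
    """0.0.0.0 or any octet over 255 cannot be a real source address."""
    return ip == "0.0.0.0" or any(int(o) > 255 for o in ip.split("."))

def parse_received(value):
    """Split one Received: value into (sending host, IP or None, datetime)."""
    value = " ".join(value.split())          # unfold the header
    clause, _, date = value.rpartition(";")  # the timestamp follows the last ';'
    host, ip = re.match(r"from (\S+)", clause), IP_RE.search(clause)
    return (host.group(1) if host else None, ip.group(1) if ip else None,
            parsedate_to_datetime(date.strip()))

def audit(raw):
    """Walk Received: top-down; stop at the first forged line and ignore the rest."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    mid_host = msg.get("Message-ID", "").rpartition("@")[2].strip("<> ")
    verdicts, prev_time = [], None
    for i, (host, ip, when) in enumerate(hops):
        reasons = []
        if ip and bad_ip(ip):
            reasons.append("impossible IP " + ip)
        if prev_time is not None and when > prev_time:
            reasons.append("timestamp later than the hop above")
        if i == len(hops) - 1 and mid_host and host != mid_host:
            reasons.append("host differs from Message-ID host")
        if reasons:
            verdicts.append((host, "forged: " + "; ".join(reasons)))
            break
        verdicts.append((host, "ok"))
        prev_time = when
    return verdicts
```

The last hop marked "ok" is the best estimate of the true origin; on the sample that is the PPP/DSL host, matching the article's single-hop case.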

About Carl E. Reid

Developing his career from the mail room to the board room, Carl E. Reid has achieved success by skillfully blending 40 years of technology and business intelligence experience with his passion for helping companies succeed. Carl is founder and CEO of NetTECH Systems Reid & Associates, Inc., an emerging technology consulting company located in the New York City area. One of his specialties is 15 years as a collaboration and email infrastructure consultant. He has implemented and supported Lotus Notes/Domino and other types of SMTP gateway/network configurations in small to large global companies up to 33,000 employees. Some of his clients have included IBM, Citi, JPMChase, Oxygen, LVMH - Moet Hennessy, MeadWestvaco, non-profits and professional organizations. Carl is a Savvy Business Owner, Public Speaker and Author. His articles have appeared in Network World, Computer Monthly magazines and hundreds of web sites. Combining business technology consulting with professional blogging, Carl specializes in advising clients how to best leverage the Internet as a tool for high impact visibility. Carl's speaking style combines humor with expertise, and his advice is always down-to-earth and practical. He personally publishes Library of Congress recognized newsletter blog, http://www.SavvyIntrapreneur.com and http://www.iTechSpeak.com. Carl wrote the original "Professional Blogger Job Description", being used as standard document within companies. As a business career coach, Carl teaches professionals how to run their career as a profitable business.