Every e-mail carries a visible set of information: the sender (From:),
recipient (To:), subject (Subject:), sometimes the sender's organization
(Organization:) and so on. However, there is a great deal more hidden
within the message that can reveal significant information about the sender.
A little scrutiny of this hidden information may help you locate the
sender's country, judge whether the address in the 'From:' column is genuine,
and tell whether the sender tried to conceal his or her identity.
A sender who disguises his or her identity usually means a fraudster
trying to steal your money or a virus attack, a potential hazard
in either case, that can cost you a lot in terms of financial loss,
a crashed computer etc. A little time spent analysing suspicious-looking
e-mails is insurance against such disasters.
Those using Yahoo, Rediffmail, Hotmail or any such web-based e-mail
service may think that their true identity and location are hidden.
In reality one may still find information about them by analysing
their e-mail headers, because the web-mail service itself records the
address from which the message was submitted.
What is an E-mail Header?
The part of an e-mail where such hidden information
is stored is called the 'header'. The header of an e-mail stores various
pieces of information on the path it has traversed while reaching your mailbox,
right from the sender's computer. Normally one doesn't need this
kind of information, and mail clients (Eudora, Outlook, Netscape
etc.) do not display it by default.
To see the e-mail header in Netscape, open any e-mail and click
View > Page Source
For Outlook, right-click on the mail message while it is still in your
Inbox, select 'Options...' from the resulting popup menu and examine
the 'Internet Headers' box in the 'Message Options' dialog.
At first look the header may seem confusing and puzzling. This
is more so for spam e-mails, as spammers try their best to make the
header misleading. Do not lose heart; I am going to explain how
to pick the right information out of it.
Examining a Typical Header
Let us examine following e-mail header:
1. Delivery-date: Wed, 03 Nov 2004 23:59:47 -0600
2. Received: from bani by arjuna.banijya.com with local-bsmtp (Exim 4.43)
3. id 1CPaev-00057o-Q4
4. for firstname.lastname@example.org; Wed, 03 Nov 2004 23:59:47 -0600
5. Received: from [18.104.22.168] (helo=rediffmail.com)
6. by arjuna.banijya.com with smtp (Exim 4.43)
7. id 1CPaev-00057f-8T
8. for email@example.com; Wed, 03 Nov 2004 23:59:45 -0600
9. Received: (qmail 28471 invoked by uid 510); 4 Nov 2004 05:59:09 -0000
10. Date: 4 Nov 2004 05:59:09 -0000
11. Message-ID: <firstname.lastname@example.org>
12. Received: from unknown (22.214.171.124) by rediffmail.com
13. via HTTP; 04 nov 2004 05:59:08 -0000
14. MIME-Version: 1.0
15. From: "Raj International "
16. Reply-To: "Raj International "
17. To: "InfoBanc"
18. Subject: Thanks for activation
I have added line numbers for clarity and to help the discussion; you
will not see such line numbers in an actual e-mail header.
Explanation of Header Elements
If you look carefully at the e-mail header above, a pattern
is clearly visible. The header is composed of several lines of text,
each starting with a header name (e.g. Delivery-date), a colon
(:), a space and finally the header value. If a line starts with a tab
or spaces (lines 3-4 and 6-8 above), that line is a continuation
of the previous header value. So the header name 'Received:'
in line 2 has a header value that spans lines 2 to 4, and the one in
line 5 spans lines 5 to 8. A header name may also repeat: there are four
'Received:' headers in this example, one for each hop the message took.
Some of the header names are simple and self-explanatory, such as
'Delivery-date:', 'From:', 'Reply-To:', 'Subject:' etc. For example,
the sender's e-mail address appears after the header name 'From:' and the
recipient's e-mail address appears after the 'To:' header name.
Please note that plain SMTP gives mail servers no way to check whether the
sender is using his or her own e-mail address; the 'From:' line is just
text typed by whoever composed the message. (Later additions such as SPF,
DKIM and DMARC let a receiving server verify some of this, but only when
the sending domain has deployed them.) This lack of verification is
a weakness that spammers and fraudsters use ruthlessly to confuse
recipients. So, do not accept the sender's e-mail address at face value.
A fraudster or spammer, in all likelihood, will never use his or her
actual e-mail address. Instead, he or she may use a legitimate e-mail
address (it could even be your own e-mail address) as the sender.
We shall not discuss each and every header name, as many of these
can be forged, or a fake one inserted by the spammer. What is most important
for our purpose (and most difficult to forge) is the 'Received:'
headers. Each mail server that handles the message adds its own 'Received:'
line at the top, so the topmost lines were written by your own mail server
and can be trusted; lines further down were written by other people's
servers, and a spammer can insert fake ones before sending. Analysis of the
'Received:' headers, starting from the trusted lines at the top, can reveal
a great deal of information about the sender.
We shall discuss how to analyse the Received headers and locate the sender's
country in the next issue.
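As an added illustration (this code is not part of the original newsletter), the following Python script does the two things described above: it unfolds header lines that continue with a leading tab or space, and it walks the 'Received:' chain from the top to find the IP address that handed the message to your own server. The sample header is the one quoted above, re-assembled with tab continuation lines; the addresses and IP numbers in it are the placeholders that appear on this page, and the trusted server name 'arjuna.banijya.com' is taken from that same sample.

```python
import re

# Constructed sample input: the header quoted in the article, with the
# folded Received: headers written as tab-continued lines the way a mail
# client shows them. Addresses and IPs are the page's own placeholders.
SAMPLE_HEADER = """\
Delivery-date: Wed, 03 Nov 2004 23:59:47 -0600
Received: from bani by arjuna.banijya.com with local-bsmtp (Exim 4.43)
\tid 1CPaev-00057o-Q4
\tfor firstname.lastname@example.org; Wed, 03 Nov 2004 23:59:47 -0600
Received: from [18.104.22.168] (helo=rediffmail.com)
\tby arjuna.banijya.com with smtp (Exim 4.43)
\tid 1CPaev-00057f-8T
\tfor email@example.com; Wed, 03 Nov 2004 23:59:45 -0600
Received: (qmail 28471 invoked by uid 510); 4 Nov 2004 05:59:09 -0000
Date: 4 Nov 2004 05:59:09 -0000
Message-ID: <firstname.lastname@example.org>
Received: from unknown (22.214.171.124) by rediffmail.com
\tvia HTTP; 04 Nov 2004 05:59:08 -0000
MIME-Version: 1.0
From: "Raj International "
Reply-To: "Raj International "
To: "InfoBanc"
Subject: Thanks for activation
"""


def parse_headers(raw):
    """Split a raw header block into (name, value) pairs, in order.

    A line beginning with a space or tab continues the previous header's
    value (header folding). A list is returned rather than a dict because
    header names such as Received: legitimately repeat.
    """
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the header block
        if line[0] in " \t":
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(headers):
    """Extract from/by/helo/ip from each Received: header, top to bottom.

    The topmost Received: line is the most recent hop (the server nearest
    to you added it last), so hops[0] is the one you can trust most.
    """
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        clause = value.split(";")[0]   # the timestamp follows the ';'
        # helo= and the connecting IP live inside parentheses/brackets
        helo_m = re.search(r"helo=([^)\s]+)", clause)
        ip_m = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", clause)
        # strip (comments) so 'invoked by uid 510' is not read as a 'by'
        bare = re.sub(r"\([^)]*\)", "", clause)
        from_m = re.search(r"\bfrom\s+(\S+)", bare)
        by_m = re.search(r"\bby\s+(\S+)", bare)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "helo": helo_m.group(1) if helo_m else None,   # sender-claimed
            "ip": ip_m.group(1) if ip_m else None,         # server-observed
            "by": by_m.group(1) if by_m else None,
        })
    return hops


def connecting_ip(hops, trusted_hosts):
    """Return the IP that handed the message to one of your own servers.

    Walk down from the top while the 'by' host is one of ours; the first
    hop that records an IP is the connection our server actually saw.
    Everything below that line was written by someone else's software
    and may be forged outright.
    """
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            break
        if hop["ip"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_HEADER)
    hops = received_hops(hdrs)
    for i, hop in enumerate(hops, 1):
        print(i, hop)
    print("connected from:", connecting_ip(hops, {"arjuna.banijya.com"}))
```

Note that the 'helo=' name is whatever the sending machine chose to announce, while the bracketed IP was recorded by the receiving server from the actual connection; when the two disagree, believe the IP. The 'via HTTP' hop further down was written by the web-mail provider, so it is only as reliable as that provider.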
Happy and Productive Surfing
Dr. Amit K Chatterjee
- Newsletter on Business Opportunities from India and Abroad
Vol: 5, Issue 11
; November 18, 2004
Dr. Amit K. Chatterjee
(Amit worked in blue-chip Indian companies and MNCs for 15 years in various
capacities such as Research and Information Analysis, Market Development,
MIS, R&D Information Systems etc. before starting his e-commerce
venture in 1997. The views expressed in this column are
his own. He may be reached at email@example.com