Figure 2: Headers of a Legit Email Message
The Headers

These are the slightly altered, complete headers of a normal email message.

 #  Header
 0  Return-Path: <judygs@myisp.com>
 1  Received: from daedalus.cc.uic.edu (daedalus.cc.uic.edu [128.248.155.70])
        by email1.cc.uic.edu (for <judygs@email1.cc.uic.edu>; Wed,
        6 Dec 2000 18:35:07 -0600 (CST) 8.9.3/8.9.3) with ESMTP id SAA16958
 2  Received: from postbox.myisp.com (smtp.myisp.com [111.208.131.20])
        by daedalus.cc.uic.edu (8.9.3/8.9.3) with ESMTP id SAA01839
        for <judygs@uic.edu>; Wed, 6 DEC 2000 18:38:48 -0600 (CST)
 3  Received: from myisp.com (local212.myisp.com [111.208.141.212])
        by postbox.myisp.com (8.10.2/8.10.2) with ESMTP id B70X2E26999
        for <judygs@uic.edu>; Wed, 6 DEC 2000 18:33:02 -0600 (CST)
 4  Message-ID: <3A2EDAFA.F4735272@myisp.com>
 5  Date: Wed, 06 DEC 2000 18:34:03 -0600
 6  From: Judith Grobe Sachs <judygs@myisp.com>
 A  X-Mailer: Mozilla 4.61 [en] (Win95; I)
 B  X-Accept-Language: en
 C  MIME-Version: 1.0
 7  To: Judith Grobe Sachs <judygs@uic.edu>
 D  Subject: Hi there!
 E  References: <5.0.0.25.2.20001128152553.00f90cd0@mailserv.uic.edu>
 F  Content-Type: text/plain; charset=us-ascii
 G  Content-Transfer-Encoding: 7bit
 H  X-UID: 7

Where Did All These Headers Come From?

Each header in the above message is described in one of the items below. The
descriptions include both what the header does and where it was added to the
message.

There are many more email headers; the last section in Reading Email Headers,
http://www.stopspam.org/email/headers.html, has an alphabetic list of common
headers, with a description of each.

-- The Message As I Sent It

When I sent the message from my home ISP account, Netscape handed the message
off to my ISP's SMTP server. At that time, it had the following headers:

    Date: Wed, 06 DEC 2000 18:34:03 -0600
    From: Judith Grobe Sachs <judygs@myisp.com>
    X-Mailer: Mozilla 4.61 [en] (Win95; I)
    X-Accept-Language: en
    MIME-Version: 1.0
    To: Judith Grobe Sachs <judygs@uic.edu>
    Subject: Hi there!
    References: <5.0.0.25.2.20001128152553.00f90cd0@mailserv.uic.edu>
    Content-Type: text/plain; charset=us-ASCII
    Content-Transfer-Encoding: 7bit

X-Mailer and X-Headers in General:

I composed this message with Netscape, version 4.61, English, running on
a Windows 95 machine, as the X-Mailer: header line says:

    X-Mailer: Mozilla 4.61 [en] (Win95; I)

X-Mailer: is an "X-header". X-header is the generic term for headers starting
with a capital X followed by a hyphen. These headers are not part of the
official standard and are provided for information only. There are several
X-headers that are in common use, including X-Mailer. (Though I think that its
principal purpose is to advertise email programs.) Mail servers are supposed
to ignore any X-headers that they don't recognize. The last section in Reading
Email Headers, http://www.stopspam.org/email/headers.html, has a list of common
headers, including a number of X-headers.

Date: Wed, 06 DEC 2000 18:34:03 -0600

The Date: header gives the date and time that I sent the message. For this
message, it's Wednesday, December 6, 2000, in the time zone that's 6 hours
(-0600) behind Greenwich Mean Time; that's Central Standard Time. 18:34 is
6:34 PM; for obvious reasons, email headers and servers use 24-hour times
rather than AM and PM.

From: Judith Grobe Sachs <judygs@myisp.com>

The From: address is what I told Netscape to use. While that is my proper
From: address, it doesn't have to be; there isn't anything anywhere else in
the headers that confirms it. I could, and in fact often do, use my uic.edu
return address when I send email from home, where I use SMTP services belonging
to my home ISP. While that's perfectly OK, it could look suspicious to someone
looking at the full headers of one of those messages. The From: address is
almost always faked in spam email.

X-Accept-Language: en

The X-Accept-Language: header is also something that Netscape added. It's
supposed to tell the receiving server that it should use en -- English -- if
it has to send email back to me.

The MIME Headers:

These are MIME headers; they state the MIME version, content type, and message
encoding:

    MIME-Version: 1.0
    Content-Type: text/plain; charset=us-ASCII
    Content-Transfer-Encoding: 7bit

These headers say that this is a plain text message, in US ASCII characters,
with 7bit email message encoding. "7bit" means that the data is all represented
as short lines of US ASCII data. 7bit is the default encoding; it's assumed
whenever the Content-Transfer-Encoding: header is absent.

US ASCII is a rather limited character set that doesn't support even the
standard diacritical accents used in western languages. A more international
email program might use the ISO-8859-1 character set and 8bit encoding:

    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 8bit

We talked about MIME in the A3C Connection before, in Making Email Talk with
MIME, in the September/October 1996 issue. That was a while ago, but MIME is an
Internet standard, so the basic details haven't changed since then.

To: Judith Grobe Sachs <judygs@uic.edu>

The message is To: judygs@uic.edu. I sent the message in Netscape as a reply
to a message that I sent from my uic.edu account; Netscape got my name from
the From: header of the message that I was replying to.

Subject: Hi there!

The Subject: is obvious. It's nice to have one, but it's not required. (Yes,
I did delete the Re: that Netscape added to the Subject: of my reply.)

References: <5.0.0.25.2.20001128152553.00f90cd0@mailserv.uic.edu>

I might have gotten away with pretending that I had created this as a new
message, but this header that Netscape added gave me away. The References:
header is a Usenet thing; news readers -- such as Netscape -- use it to trace
the postings that the message is replying to.

Note:

If I were a bad guy, using a bad-guy email program, I could have added my own
Received: header to the top of the message before I sent it out. That's what
the spammer's spamming email program did in the spam message's headers. It
added the spam message's Message-ID: header too.
-- The Message as My ISP's Outgoing Email (SMTP) Server Passed It On:

My ISP's SMTP server, postbox.myisp.com, added two additional headers to the
top:

    Received: from myisp.com (local212.myisp.com [111.208.141.212])
        by postbox.myisp.com (8.10.2/8.10.2) with ESMTP id B70X2E26999
        for <judygs@uic.edu>; Wed, 6 DEC 2000 18:33:02 -0600 (CST)
    Message-ID: <3A2EDAFA.F4735272@myisp.com>
    Date: Wed, 06 DEC 2000 18:34:03 -0600
    From: Judith Grobe Sachs <judygs@myisp.com>
    X-Mailer: Mozilla 4.61 [en] (Win95; I)
    X-Accept-Language: en
    MIME-Version: 1.0
    To: Judith Grobe Sachs <judygs@uic.edu>
    Subject: Hi there!
    References: <5.0.0.25.2.20001128152553.00f90cd0@mailserv.uic.edu>
    Content-Type: text/plain; charset=us-ASCII
    Content-Transfer-Encoding: 7bit

Received:

This Received: header:

    Received: from myisp.com (local212.myisp.com [111.208.141.212])
        by postbox.myisp.com (8.10.2/8.10.2) with ESMTP id B70X2E26999
        for <judygs@uic.edu>; Wed, 6 DEC 2000 18:33:02 -0600 (CST)

is discussed in Reading Email Headers. Postbox added this header, which
includes the following information:

- The name that my machine called itself when it gave the message to postbox
  -- myisp.com,
- The results of the reverse-DNS lookup that postbox did on the IP address
  that my SMTP commands came from -- (local212.myisp.com [111.208.141.212]),
- The version of Sendmail postbox is using -- (8.10.2/8.10.2),
- The message's ESMTP id number on postbox -- ESMTP id B70X2E26999,
- The date and time -- Wed, 6 DEC 2000 18:33:02 -0600 (CST),
- And the address that my machine said the message is for -- <judygs@uic.edu>.

The time on this Received: header is a bit before the time I sent the message
(6:33:02 PM vs 6:34:03 PM); I'll bet it's my machine that has the time a bit
off.

Message-ID: <3A2EDAFA.F4735272@myisp.com>:

A Message-ID: header is added to each message by the first mail server that
handles it. It's different from the ESMTP ID numbers in Received: headers in
that it stays with the message. Sometimes the ID makes some sense, as in the
following Message-ID that the SMTP server on tigger generated for a note I
sent using pine on tigger:

    Message-ID: <Pine.A41.4.10.10101190832440.779832-100000@tigger.cc.uic.edu>

And sometimes it doesn't, like the one in this message. In either case, it's
unique for the originating server, and therefore can be used to trace the
message. (Not, of course, if it was generated by the spammer's bad-guy email
program, as it was in the spam message.)
-- The Message When It Came to UIC:

The message is addressed to my judygs@uic.edu email alias, which had to be
resolved into my real email address before it could be delivered to me. That
was done by a machine at UIC called daedalus.cc.uic.edu, which added the
message's second Received: header when it handed the message off to the
machine my inbox is on:

    Received: from postbox.myisp.com (smtp.myisp.com [111.208.131.20])
        by daedalus.cc.uic.edu (8.9.3/8.9.3) with ESMTP id SAA01839
        for <judygs@uic.edu>; Wed, 6 DEC 2000 18:38:48 -0600 (CST)
    Received: from myisp.com (local212.myisp.com [111.208.141.212])
        by postbox.myisp.com (8.10.2/8.10.2) with ESMTP id B70X2E26999
        for <judygs@uic.edu>; Wed, 6 DEC 2000 18:33:02 -0600 (CST)
    Message-ID: <3A2EDAFA.F4735272@myisp.com>
    Date: Wed, 06 DEC 2000 18:34:03 -0600
    From: Judith Grobe Sachs <judygs@myisp.com>
    X-Mailer: Mozilla 4.61 [en] (Win95; I)
    X-Accept-Language: en
    MIME-Version: 1.0
    To: Judith Grobe Sachs <judygs@uic.edu>
    Subject: Hi there!
    References: <5.0.0.25.2.20001128152553.00f90cd0@mailserv.uic.edu>
    Content-Type: text/plain; charset=us-ASCII
    Content-Transfer-Encoding: 7bit

Daedalus looked judygs@uic.edu up in its tables and resolved the address to
my actual email account, which is judygs@email1.cc.uic.edu. No, I don't have
an account on some strange machine. It's actually judygs@mailserv.cc.uic.edu,
but mailserv is a cluster of two Unix machines. My mailserv account lives on
the second of these, email1.cc.uic.edu; email0.cc.uic.edu is the first. (UNIX
likes it when you begin counting at 0.)

Received:

Daedalus added this Received: header:

    Received: from postbox.myisp.com (smtp.myisp.com [111.208.131.20])
        by daedalus.cc.uic.edu (8.9.3/8.9.3) with ESMTP id SAA01839
        for <judygs@uic.edu>; Wed, 6 DEC 2000 18:38:48 -0600 (CST)

It includes the following information:

- The name that my ISP's SMTP server called itself when it gave the message
  to daedalus -- postbox.myisp.com,
- The results of the reverse-DNS lookup that daedalus did on the IP address
  that my ISP's SMTP commands came from -- (smtp.myisp.com [111.208.131.20]),
- The version of Sendmail daedalus is using -- (8.9.3/8.9.3),
- The message's ESMTP id number on daedalus -- ESMTP id SAA01839,
- The date and time -- Wed, 6 DEC 2000 18:38:48 -0600 (CST),
- And the address that postbox said the message is for -- <judygs@uic.edu>.

All the domain names and IP addresses have been changed, but it is true that
my ISP's SMTP server called itself a different name than the one returned by
the reverse-DNS lookup on its IP address. I looked up the real-life
postbox.myisp.com and it returns the same IP address as the real-life
smtp.myisp.com does, so it's an alternate name for that machine.

Note that the "for" address in daedalus's Received: header is "judygs@uic.edu",
even though daedalus knows -- and tells email1 in its SMTP conversation with
it -- that it's really for judygs@email1.cc.uic.edu. The "for" address in the
Received: header is the one the sending machine, in this case postbox.myisp.com,
a.k.a. smtp.myisp.com, told the receiving machine, in this case daedalus, in
its SMTP conversation with it.
-- The Message When It Arrived:

When it received the message from daedalus, email1 added the final two headers
to the top, the top Received: header and the Return-Path: header, and put it
in my inbox. Email1 received the message at 18:35:07 -- 6:35:07 PM -- only
about a minute after I sent it from home.

    Return-Path: <judygs@myisp.com>
    Received: from daedalus.cc.uic.edu (daedalus.cc.uic.edu [128.248.155.70])
        by email1.cc.uic.edu (for <judygs@email1.cc.uic.edu>;
        Wed, 6 DEC 2000 18:35:07 -0600 (CST) 8.9.3/8.9.3) with ESMTP id SAA16958
    Received: from postbox.myisp.com (smtp.myisp.com [111.208.131.20])
        by daedalus.cc.uic.edu (8.9.3/8.9.3) with ESMTP id SAA01839
        for <judygs@uic.edu>; Wed, 6 DEC 2000 18:38:48 -0600 (CST)
    Received: from myisp.com (local212.myisp.com [111.208.141.212])
        by postbox.myisp.com (8.10.2/8.10.2) with ESMTP id B70X2E26999
        for <judygs@uic.edu>; Wed, 6 DEC 2000 18:33:02 -0600 (CST)
    Message-ID: <3A2EDAFA.F4735272@myisp.com>
    Date: Wed, 06 DEC 2000 18:34:03 -0600
    From: Judith Grobe Sachs <judygs@myisp.com>
    X-Mailer: Mozilla 4.61 [en] (Win95; I)
    X-Accept-Language: en
    MIME-Version: 1.0
    To: Judith Grobe Sachs <judygs@uic.edu>
    Subject: Hi there!
    References: <5.0.0.25.2.20001128152553.00f90cd0@mailserv.uic.edu>
    Content-Type: text/plain; charset=us-ASCII
    Content-Transfer-Encoding: 7bit

Received:

Email1 added the top Received: header:

    Received: from daedalus.cc.uic.edu (daedalus.cc.uic.edu [128.248.155.70])
        by email1.cc.uic.edu (for <judygs@email1.cc.uic.edu>;
        Wed, 6 DEC 2000 18:35:07 -0600 (CST) 8.9.3/8.9.3) with ESMTP id SAA16958

Note that its format is a bit different from the other two, but it does include
all the same information:

- The name that daedalus called itself -- daedalus.cc.uic.edu,
- The results of the reverse-DNS lookup that email1 did on the IP address
  that daedalus's SMTP commands came from -- (daedalus.cc.uic.edu [128.248.155.70]),
- The version of Sendmail email1 is using -- 8.9.3/8.9.3,
- The message's ESMTP id number on email1 -- ESMTP id SAA16958,
- The date and time -- 6 DEC 2000 18:35:07 -0600 (CST),
- And the address that daedalus said the message is for -- <judygs@email1.cc.uic.edu>.

Note:

Whether spam or legitimate email, the first (top) Received: header in any email
message will always involve a local machine. The mention of a local machine in
the top Received: header is correct and does not mean that that machine
(daedalus, eeyore, or winnie, for example) is participating in sending spam.
It's just delivering your incoming email to your account like it's supposed to
do.

Return-Path: <judygs@myisp.com>

Every message is supposed to have a Return-Path: header, which identifies the
email address of the message's sender. That's not necessarily the email address
in the From:, Reply-To:, or Sender: headers. It's actually taken from the
return path info given in the SMTP command MAIL FROM, which is the "from"
address of the "SMTP envelope".

(SMTP servers speak a very simple language when talking to one another. There
are only five principal SMTP commands: HELO, MAIL FROM, RCPT TO, DATA, and
QUIT. You can do a good job of guessing what each is used for.
WWW.STOPSPAM.org's Reading Email Headers,
http://www.stopspam.org/email/headers.html, does a nice job of explaining in
plain English the SMTP process and these commands.)

The Return-Path: address is the address that error messages are supposed to be
sent to, so it's entirely possible that it won't be, or even resemble, the
addresses given in any of the email message's headers. That's common, for
example, in messages that are sent out by mailing lists, such as the following,
which is an altered version of one I got in a message from a LISTSERV list:

    Return-Path: <owner-somelistserv-l@LISTSERV.someschool.edu>

The Return-Path: header is written when the email message is delivered to its
final destination.

X-UID:

This leaves one header unaccounted for, the last one:

    X-UID: 7

This is one of a group of headers that may be added to email messages after
they arrive in your inbox; others are Status:, X-UIDL:, X-Status:, and
X-Keywords:. Both X-UID and X-UIDL are counters that label messages in
notebooks on the server. Believe me, this message wasn't the 7th message in my
inbox (more like the 207th, I'm sorry to say), and I don't see this header in
most other messages I have in my IMAP mailboxes on mailserv. I think this
header is also a Netscape thing, and a holdover from the original note that I
replied to.
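Pulling the Received: and Return-Path: discussion above together, here is an added Python example (my code, not the article's) that parses the altered header block from Figure 2 and makes the checks the article does by hand: that each hop's "by" machine is the one the next hop says it received from, which announced names differ from the reverse-DNS names, whether any hop is stamped earlier than the hop before it, and how the Return-Path: envelope address compares with From:. The function names are mine; the headers are the article's own.

```python
# Added example (not from the article): RAW is the altered header block printed in Figure 2.
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
RAW = """\
Return-Path: <judygs@myisp.com>
Received: from daedalus.cc.uic.edu (daedalus.cc.uic.edu [128.248.155.70])
    by email1.cc.uic.edu (for <judygs@email1.cc.uic.edu>; Wed,
    6 Dec 2000 18:35:07 -0600 (CST) 8.9.3/8.9.3) with ESMTP id SAA16958
Received: from postbox.myisp.com (smtp.myisp.com [111.208.131.20])
    by daedalus.cc.uic.edu (8.9.3/8.9.3) with ESMTP id SAA01839
    for <judygs@uic.edu>; Wed, 6 DEC 2000 18:38:48 -0600 (CST)
Received: from myisp.com (local212.myisp.com [111.208.141.212])
    by postbox.myisp.com (8.10.2/8.10.2) with ESMTP id B70X2E26999
    for <judygs@uic.edu>; Wed, 6 DEC 2000 18:33:02 -0600 (CST)
From: Judith Grobe Sachs <judygs@myisp.com>
"""

def parse_received(value):
    """Split one Received: line into the fields the article walks through."""
    text = " ".join(value.split())  # unfold the continuation lines
    helo, rdns, ip, by = re.match(r"from (\S+) \((\S+) \[([\d.]+)\]\) by (\S+)", text).groups()
    esmtp_id = re.search(r"\bid (\S+)", text)
    rcpt = re.search(r"for <([^>]+)>", text)
    stamp = re.search(r"\d{1,2} [A-Za-z]{3} \d{4} \d\d:\d\d:\d\d [+-]\d{4}", text)
    return {"helo": helo, "rdns": rdns, "ip": ip, "by": by,
            "id": esmtp_id.group(1) if esmtp_id else None,
            "for": rcpt.group(1) if rcpt else None,
            "date": parsedate_to_datetime(stamp.group(0))}

def received_chain(raw):
    """Hops oldest-first: the bottom-to-top order in which the article reads them."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def check_chain(hops):
    """The checks an analyst makes by hand when reading the chain."""
    return {
        # each hop's "by" host should be the name the next hop received from
        "breaks": [h["by"] for h, n in zip(hops, hops[1:])
                   if h["by"] not in (n["helo"], n["rdns"])],
        # announced (HELO) name differing from the receiver's reverse DNS
        "helo_mismatch": [(h["helo"], h["rdns"]) for h in hops if h["helo"] != h["rdns"]],
        # a receiver stamped earlier than the hop before it: clock skew, or a forged line
        "skew": [h["by"] for p, h in zip(hops, hops[1:]) if h["date"] < p["date"]],
    }

def envelope_vs_from(raw):
    """SMTP envelope sender (Return-Path:) beside the From: header's address."""
    return tuple(parseaddr(message_from_string(raw)[h])[1] for h in ("Return-Path", "From"))
```

On these headers the chain is continuous, the two name mismatches are the author's own machine (myisp.com vs local212.myisp.com) and the postbox/smtp alias the article explains, and email1's stamp (18:35:07) is earlier than daedalus's (18:38:48), the kind of discrepancy that in a legitimate message is just clock skew between servers.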