This document describes the process used to read full ARPA email headers.
The reason for reading the full ARPA email headers is usually to determine where an email message originated. In most cases the full ARPA headers will provide this information while the displayed headers may be inaccurate or forged. Also, displayed headers can be modified by intermediate or receiving systems and in some cases, replaced entirely. Each of these areas will be discussed within this document.
Viewing Full ARPA Email Headers
This procedure assumes that you have an email client that is capable of displaying full ARPA email headers. This varies from client to client and some of the more common client methods are shown below.
Email Client / Method to View Full ARPA Email Headers

Microsoft Outlook
    The full ARPA header appears at the bottom of the current message as a text attachment whose name is the same as the subject, except that any colons are replaced with underscores. Simply open the attachment to view the full ARPA headers. NOTE: Make sure that the attachment you are opening is a text attachment before opening it.

Netscape Messenger
    From the "View" pull-down menu select "Headers", then select "All". Full ARPA headers will display from this point forward until the same process is followed again, selecting "Normal" or "Brief" instead of "All".

OpenMail GUI
    If ARPA headers are present in the message they are displayed in full by default in their own section (usually section 2).

OpenMail Web
    Open the message to be viewed, then click on the link (usually the same text as the subject) that appears immediately before the text "ARPA MESSAGE HEADER" and after an object that looks like a parcel. The ARPA headers for this message are then displayed by themselves; you return to the message by clicking on the large check mark. This view is for the current message only. If the link described above does not show, the message originated in our OpenMail system and has no ARPA headers.

Pine
    While viewing a message, press the "H" key. Full headers will be shown for the remainder of the pine session or until the "H" key is pressed again while viewing a message.

UNIX mail or mailx
    Use the "P" or "T" commands to display the message (note the case of the commands). All headers will be displayed regardless of any set to be ignored.

Reading Full ARPA Email Headers
The following is an example of full ARPA headers from a typical SPAM message (some headers have been changed to protect the recipient):
Received: from firebird.bruce.k12.wi.us (mailserver.bruce.k12.wi.us [64.33.149.2]) by rubens.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) with ESMTP id TAA10454 for <jdoe@polymail.cpunix.calpoly.edu>; Sun, 3 Feb 2002 19:54:00 -0800 (PST)
Date: Sun, 3 Feb 2002 19:54:00 -0800 (PST)
From: oblzbspyifjrtkso@yahoo.com
Message-Id: <200202040354.TAA10454@rubens.artisan.calpoly.edu>
Received: from xuzzj.yahoo.com ([209.177.61.130]) by firebird.bruce.k12.wi.us (Post.Office MTA v3.5.3 release 223 ID# 0-57191U400L100S0V35) with SMTP id us; Fri, 1 Feb 2002 23:42:26 -0600
To: ngvbviubuwudmlsi@yahoo.com
Reply-To: dorothacilento541@altavista.com
Subject: Want to make more money for this year? [1elpd]
X-Mailer: AOL 6.0 for Windows US sub 10527

We can learn several things from this message by reading these headers.
First, we read the Received headers from bottom to top. They tell us
The message originated from "xuzzj.yahoo.com ([209.177.61.130])"
Was sent to "firebird.bruce.k12.wi.us"
The firebird machine then forwarded the message to "rubens.artisan.calpoly.edu" for "jdoe@polymail.cpunix.calpoly.edu"
The presence of the "for" clause in the last (top most) Received indicates that "<jdoe@polymail.cpunix.calpoly.edu>" is the only recipient of the message on that host.
NOTE: The "for" clause may be the only clue as to what address they are using to get the message to you. It is not unusual to see target addresses that haven't been used for a while.
NOTE: A "for" clause may also appear in intermediate Received headers where the user is the only target address or when the single target address is actually a list that gets expanded upon delivery and resent.

As we look at all of the information in the headers we see
That the destination (jdoe) is not in the "To:" header
That the firebird machine, which looks to be a Wisconsin schools machine (k12.wi.us), is an open email relay (it allowed an off-site machine to relay mail through it bound for another site).
That the firebird machine has a secondary name (mailserver.bruce.k12.wi.us [64.33.149.2])
ARPA headers will also vary depending on the sending client/system, the systems that they pass through, and the receiving system. What is displayed will also vary by the viewing client as well as the system they are stored on (mailx and pine, while both UNIX clients, will display these headers slightly differently).
A mailer program or user can also attempt to hide its origin by adding several Received headers to an outgoing message before it is sent to the first SMTP server. In this case, the Received headers added after the message is sent will be accurate, while the first ones (those supplied by the sender) are in question: they attempt to lead you to a source earlier than the actual source by falsely extending the path.
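As an added example (not part of the original document), the following Python script applies the bottom-to-top reading described above to a raw header block. It pulls each Received hop apart into its from/by/with/id/for/date parts, reports the originating host (noting when only an IP number is available), checks that each hop's "from" names the host the previous hop was received "by" and that receipt times do not run backwards (the signs of Received headers prepended by the sender), flags an intermediate host that accepted mail from one outside organization and passed it to another, and checks whether the delivery address in the last "for" clause appears in the To: header. It embeds the SPAM headers quoted above plus a constructed forged message using example.* names; the function names, the hop-matching rule, the five-minute clock-skew tolerance and the "organization = last two labels" rule are this example's own assumptions, not anything the document prescribes.

```python
# Added example, not from the original document: parse a raw header block, order the
# Received hops oldest-first (reading bottom to top) and run a few consistency checks.
import email
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# The SPAM headers quoted in the document, re-folded so the email parser accepts them.
SPAM_HEADERS = """\
Received: from firebird.bruce.k12.wi.us (mailserver.bruce.k12.wi.us [64.33.149.2])
  by rubens.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) with ESMTP id TAA10454
  for <jdoe@polymail.cpunix.calpoly.edu>; Sun, 3 Feb 2002 19:54:00 -0800 (PST)
Date: Sun, 3 Feb 2002 19:54:00 -0800 (PST)
From: oblzbspyifjrtkso@yahoo.com
Message-Id: <200202040354.TAA10454@rubens.artisan.calpoly.edu>
Received: from xuzzj.yahoo.com ([209.177.61.130]) by firebird.bruce.k12.wi.us
  (Post.Office MTA v3.5.3 release 223 ID# 0-57191U400L100S0V35) with SMTP id us;
  Fri, 1 Feb 2002 23:42:26 -0600
To: ngvbviubuwudmlsi@yahoo.com
Reply-To: dorothacilento541@altavista.com
Subject: Want to make more money for this year? [1elpd]
X-Mailer: AOL 6.0 for Windows US sub 10527
"""

# Constructed (not from the document): a sender prepended a fake hop, carrying a later
# timestamp, that claims the message passed through relay.example.edu first.
FORGED_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.25]) by mail.example.org
  (8.9.3/8.9.3) with ESMTP id AAA00001 for <victim@example.org>; Mon, 4 Feb 2002 10:00:00 -0800 (PST)
Received: from innocent.example.com ([198.51.100.7]) by relay.example.edu
  with SMTP id FAKE01; Mon, 4 Feb 2002 11:30:00 -0800 (PST)
From: someone@example.com
To: victim@example.org
Subject: constructed test
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def strip_comments(text):
    """Remove (possibly nested) parenthesised comments, innermost first."""
    while True:
        text, n = re.subn(r"\([^()]*\)", " ", text)
        if not n:
            return " ".join(text.split())


def parse_received(value):
    """Split one Received value into helo/rdns/ip/by/with/id/for/date (None when absent)."""
    raw = " ".join(value.split())  # unfold continuation lines
    hop = dict.fromkeys(("helo", "rdns", "ip", "by", "with", "id", "for", "date"))
    m = re.search(r"\bfrom\s+([^\s()]+)(?:\s+\(([^)]*)\))?", raw)
    if m:  # "from HELO (rdns [ip])": the comment is what the receiving MTA saw itself
        hop["helo"], comment = m.group(1), m.group(2) or ""
        ip = IP_RE.search(comment)
        hop["ip"] = ip.group(1) if ip else None
        names = [w for w in comment.replace("[", " [").split() if not w.startswith("[")]
        hop["rdns"] = names[0].split("@")[-1] if names else None  # drop any ident@ prefix
    clean = strip_comments(raw)
    clauses, _, date = clean.rpartition(";") if ";" in clean else (clean, "", "")
    for key in ("by", "with", "id", "for"):
        m = re.search(r"\b%s\s+([^\s;]+)" % key, clauses)
        hop[key] = m.group(1).strip("<>") if m else None
    try:
        hop["date"] = parsedate_to_datetime(date.strip())
    except (TypeError, ValueError):
        hop["date"] = None
    return hop


def received_hops(raw_message):
    """Return (message, hops) with hops ordered oldest first, i.e. read bottom to top."""
    msg = email.message_from_string(raw_message)
    return msg, [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def org(host):
    """Heuristic organisation key (assumption): the last two labels of a hostname."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def analyze(raw_message, skew=timedelta(minutes=5)):
    """Report origin, final recipient and chain inconsistencies for a header block."""
    msg, hops = received_hops(raw_message)
    origin, last = hops[0], hops[-1]
    report = {"origin_helo": origin["helo"], "origin_rdns": origin["rdns"], "origin_ip": origin["ip"],
              # IP number only (no reverse lookup): the document's cue to consult ARIN whois
              "ip_only_origin": origin["ip"] is not None and origin["rdns"] is None,
              "final_recipient": last["for"],
              "chain_breaks": [], "time_reversals": [], "possible_open_relays": []}
    for prev, hop in zip(hops, hops[1:]):
        # The host a hop was received "from" should be the host the previous hop was
        # received "by"; a mismatch suggests a hop the sender fabricated.
        if prev["by"] and prev["by"].lower() not in {n.lower() for n in (hop["helo"], hop["rdns"]) if n}:
            report["chain_breaks"].append((prev["by"], hop["helo"]))
        # Receipt times should not run backwards beyond the tolerated clock skew.
        if prev["date"] and hop["date"] and hop["date"] < prev["date"] - skew:
            report["time_reversals"].append((prev["by"], hop["by"]))
        # A host that accepted mail from one outside organisation and passed it on to
        # another is the open-relay pattern the document describes.
        src = prev["rdns"] or prev["helo"]
        if org(src) != org(prev["by"]) and org(hop["by"]) != org(prev["by"]):
            report["possible_open_relays"].append(prev["by"])
    to_header = " ".join(msg.get_all("To", []))
    report["recipient_in_to"] = bool(last["for"]) and last["for"] in to_header
    return report
```

Run `analyze(SPAM_HEADERS)` to get the same findings the walkthrough above reaches by hand: an origin known only by IP number, firebird.bruce.k12.wi.us relaying between two outside organizations, and a delivery address that is absent from the To: header. `analyze(FORGED_HEADERS)` shows the two symptoms of a prepended hop: the bottom hop's "by" host never appears as the next hop's "from", and its timestamp is later than the hop above it. Both checks are heuristics; a legitimate relay that announces itself under a secondary name (as firebird does with mailserver.bruce.k12.wi.us) is handled only because the HELO name matched.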
What follows are several examples of various message headers from various clients/systems to various clients/systems:
Outlook MAPI to OMGUI Web
Subject: alias test
Creator: Jane User /cpslo,employee1
Priority: Normal
Importance: Normal
Sensitivity: Normal
Created: 01.12.01
Requested Ack Level: No Ack
TO: my-list / cpslo, pdla
CC: jdoe@calpoly.edu

Since MAPI, in this case, is a direct interface to OpenMail and the recipient is also in OpenMail, only OpenMail headers exist.
OM to Internet
Received: from degas.artisan.calpoly.edu (root@degas.artisan.calpoly.edu [129.65.60.42]) by foobar.org (8.9.3/8.9.3) with ESMTP id DAA07664 for <jdoe@foobar.org>; Thu, 16 Nov 2000 03:46:47 -0800 (PST)
From: jdoe@calpoly.edu
Received: from localhost (root@localhost) by degas.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) with SMTP id DAA09168 for jdoe@foobar.org; Thu, 16 Nov 2000 03:46:46 -0800 (PST)
X-OpenMail-Hops: 3
X-OpenMail-Autoreplied: TRUE
Date: Thu, 16 Nov 2000 03:46:37 -0800
Message-ID: <"AUTOANS-0f129887*"@MHS>
In-Reply-To: <200011161146.DAA07656@foobar.org>
Subject: You have e-mail at dome
To: jdoe@foobar.org
Content-Type: text
Content-Length: 197

The Received headers in this message break down as follows (reading bottom to top):
The first Received header is the OpenMail host UNIX system receiving the message from OpenMail
The second Received header is the receipt of the message on the target system from the OpenMail host UNIX system.
Internet to @calpoly.edu to OM
Received: from rubens.artisan.calpoly.edu (daemon@rubens.artisan.calpoly.edu [129.65.60.41]) by davinci.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) with ESMTP id QAA19872 for <Doe_John/cpslo_employee1@openmail2.calpoly.edu>; Fri, 5 Jan 2001 16:34:27 -0800 (PST)
Received: (from daemon@localhost) by rubens.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) id QAA23158 for Doe_John/cpslo_employee1@polymail.cpunix.calpoly.edu; Fri, 5 Jan 2001 16:34:26 -0800 (PST)
Received: from foobar.org (794@dome.foobar.org [63.194.98.42]) by rubens.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) with ESMTP id QAA23140 for <jdoe@calpoly.edu>; Fri, 5 Jan 2001 16:34:25 -0800 (PST)
Received: (from jdoe@localhost) by foobar.org (8.9.3/8.9.3) id QAA02780; Fri, 5 Jan 2001 16:34:22 -0800 (PST)
Date: Fri, 5 Jan 2001 16:34:22 -0800 (PST)
X-PH: V4.4@rubens.artisan.calpoly.edu
From: John Doe <john@foobar.org>
Message-Id: <200101060034.QAA02780@foobar.org>
To: jdoe@calpoly.edu
Subject: This is a test for class

The Received headers in this message break down as follows (reading bottom to top):
The first Received header is the first SMTP server receiving the message from a client on that machine.
The second Received header is the receipt of the message from the first SMTP server for delivery at the "calpoly.edu" address which is actually a reflector using Ph (note the X-PH header) which resolves the address to the "Doe_John/cpslo_employee1@polymail.cpunix.calpoly.edu" address.
The third Received header is a resend of the message to "polymail.cpunix.calpoly.edu", which happens to be on the same machine as "calpoly.edu".
The fourth Received header is a resend by "polymail.cpunix.calpoly.edu" to the OpenMail gateway machine for final delivery to one OpenMail address based on a sendmail rule.
Internet to @polymail.calpoly.edu with .forward to @calpoly.edu to OM
Received: from rubens.artisan.calpoly.edu (rubens.artisan.calpoly.edu [129.65.60.41]) by davinci.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) with ESMTP id UAA05369 for <Doe_John/cpslo_employee1@openmail2.calpoly.edu>; Sun, 14 Jan 2001 20:56:31 -0800 (PST)
Received: (from daemon@localhost) by rubens.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) id UAA27882 for Doe_John/cpslo_employee1@polymail.cpunix.calpoly.edu; Sun, 14 Jan 2001 20:56:00 -0800 (PST)
Received: from foobar.org (0@dome.foobar.org [63.194.98.42]) by rubens.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) with ESMTP id UAA27867 for <jdoe@polymail.cpunix.calpoly.edu>; Sun, 14 Jan 2001 20:55:55 -0800 (PST)
Received: from foobar.org (dan.foobar.org [63.194.98.43]) by foobar.org (8.9.3/8.9.3) with ESMTP id UAA03723 for <jdoe@polymail.calpoly.edu>; Sun, 14 Jan 2001 20:55:35 -0800 (PST)
Message-ID: <3A628257.FFB17243@foobar.org>
Date: Sun, 14 Jan 2001 20:53:43 -0800
X-PH: V4.4@rubens.artisan.calpoly.edu
From: John Doe <john@foobar.org>
X-Mailer: Mozilla 4.73 [en] (Win95; I)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: jdoe@polymail.cpunix.calpoly.edu
Subject: This is a test of jdoe@polymail.calpoly.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

This message's Received headers break down as follows (reading bottom to top):
The first Received header is the receipt of the message by an organization's SMTP server from a client machine within that organization.
The second Received header is the receipt of the message from the SMTP server for delivery at "polymail.calpoly.edu", also known as "rubens.artisan.calpoly.edu", which also rewrites the address to "polymail.cpunix.calpoly.edu", that machine's fully qualified SMTP name. This delivered the message to a UNIX address that contained a ".forward" file, which redirected the message to a "@calpoly.edu" address. This in turn was remapped by Ph (note the X-PH header) to an OpenMail address.
The third header is a result of the resend via the Directory Server to the OpenMail address at "polymail.cpunix.calpoly.edu".
The fourth Received header is a resend by "polymail.cpunix.calpoly.edu" to the OpenMail gateway machine for final delivery to one OpenMail address based on a sendmail rule.
OM to Central UNIX alias to OM
Received: from rubens.artisan.calpoly.edu (rubens.artisan.calpoly.edu [129.65.60.41]) by davinci.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) with ESMTP id QAA17048; Fri, 12 Jan 2001 16:38:33 -0800 (PST)
Received: (from daemon@localhost) by rubens.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) id QAA18979; Fri, 12 Jan 2001 16:38:00 -0800 (PST)
Received: (from daemon@localhost) by rubens.artisan.calpoly.edu (8.8.6 (PHNE_17135)/8.8.6) id QAA18575 for my-list-members; Fri, 12 Jan 2001 16:37:21 -0800 (PST)
X-PH: V4.4@rubens.artisan.calpoly.edu
From: juser@calpoly.edu
X-OpenMail-Hops: 2
Date: Fri, 12 Jan 2001 16:37:06 -0800
Message-Id: <H0000073062bbf51@MHS>
Subject: alias test
MIME-Version: 1.0
TO: my-list/cpslo_pdla@degas.artisan.calpoly.edu
CC: jdoe@calpoly.edu
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Sender: my-list-request@polymail.cpunix.calpoly.edu

This message's Received headers break down as follows (reading bottom to top):
The first Received header is the receipt of the message on Rubens (Polymail) for a UNIX alias.
The second Received header is the receipt of the message on Rubens for a number of addresses after resolving the addresses in the alias and, in turn, resolving any "calpoly.edu" addresses.
The third Received header is the receipt of the message on the OpenMail gateway machine for multiple addresses destined for OpenMail recipients.
Messages can have several Received headers depending on the number of machines the message had to go through to get delivered. Also note that not all Received headers can be trusted.
A description of the more standard ARPA headers can be found in the document "rfc822 - Standard for the format of ARPA Internet text messages" on the Internet FAQ Consortium web site.
What if the Originating Machine is only described by an IP Number?
If the originating machine shows an IP number only (e.g., 129.65.20.100), it indicates that the machine does not have full reverse name lookup capability. In this case, you can use the web tool at "ARIN Whois" to determine the network that the address belongs to and potentially, who to send complaints to. Sometimes the ARIN site will refer you to other NIC (Network Information Center) sites as well for networks that are not registered with ARIN.
An example of the ARIN output for the example address above is:
Search results for: 129.65.20.100
California Polytechnic State University (NET-CALPOLY)
San Luis Obispo, CA 93407
US
Netname: CALPOLY
Netblock: 129.65.0.0 - 129.65.255.255
Coordinator:
Feld, James (JF270-ARIN) jfeld@CALPOLY.EDU
(805) 756-1295
Domain System inverse mapping provided by:
MOE.CALPOLY.EDU 129.65.16.254
LARRY.CALPOLY.EDU 129.65.21.254
Record last updated on 13-Jun-1994.
Database last updated on 21-May-2002 19:59:44 EDT.

As you can see, this is one of our own addresses.
What Headers does a Receiving System Change and Why
Some email systems, our own UNIX SMTP server included, will fully qualify any unqualified address in the "From:", "To:", and "Cc:" headers. As an example, a "From:" of "MyCustomers" would become "MyCustomers@polymail.cpunix.calpoly.edu".
While this can be misleading, it is a feature designed to fully qualify local addresses before they are sent out to other systems. Some UNIX clients, such as mailx, do not fully qualify addresses by default; without this feature, those messages would go out without a hostname in the address. Always check the Received headers to verify the sender.
This is often the cause of confusion for users, who may assume polymail.calpoly.edu is the source system for SPAM or other unwanted email.
When are the Full ARPA Email Headers Replaced and Why
Sometimes the full ARPA email headers get replaced. This usually happens when the message is resent. For example, an OpenMail auto-forward will strip the Received headers and start a new set indicating the flow from the auto-forward to the recipient. Sometimes this is done to limit the number of "hops" that a message is seen as having gone through; most email systems stop a message after 16 hops.
Some forwarding mechanisms, such as a "filter" forward on UNIX, will create a totally new message and include the old message as in-line text which does preserve some of the old headers.
Provide users with the general method used to read full ARPA email headers.
Acknowledgement: Dan Malone for his input and examples used within this document.
Last Revised: April 1, 2003
Revised by: gwestlun@calpoly.edu