abuse @ msu.edu

Computer System and Network Abuse
at Michigan State University

Finding full e-mail headers

The complete headers provide much information on the origin of a message and are a useful tool for tracking and stopping spam and virus-laden e-mail. Most e-mail readers show only the To: and From: headers, which can be easily forged. The complete message headers will look something like this:

Return-Path: [fake@address.com]
Received: from server.mymailhost.com (mail.mymailhost.com [126.43.75.123])
        by sys01.cl.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597;
        Fri, 12 Jul 2002 16:11:20 -0400 (EDT)
Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98])
        by server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
Date: Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
From: Hot Summer Deals <hot_deals@aol.com>
To: My.Friends@msu.edu
Subject: Just what you've been waiting for!!

In particular, the header lines beginning with Received: provide a trace of the message from its origin to your mail server. In many cases with spam and virus e-mail, not all of the information in the "Received:" headers can be trusted, but it can still provide many valuable clues as to the message source.
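
The trace described above can also be read out of the headers with a short script. The following Python sketch is an added example, not part of the original MSU page; the function names and the rough "last two labels" domain comparison are assumptions made for illustration, and the sample input is the header block shown above.

```python
import re
from email import message_from_string

# Sample input: the Received: and following lines from the example above.
SAMPLE = """\
Received: from server.mymailhost.com (mail.mymailhost.com [126.43.75.123])
        by sys01.cl.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597;
        Fri, 12 Jul 2002 16:11:20 -0400 (EDT)
Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98])
        by server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
Date: Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
From: Hot Summer Deals <hot_deals@aol.com>
To: My.Friends@msu.edu
Subject: Just what you've been waiting for!!
"""

# "from <claimed name> (<looked-up name> [<ip>]) by <receiving host>"
HOP = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)")

def base_domain(name):
    """Rough heuristic (assumption): last two labels, e.g. 'mymailhost.com'."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def trace_hops(raw_headers):
    """Return the parsed Received: hops ordered from origin to final server."""
    hops = []
    # Each server prepends its own line, so the top line is the newest hop.
    for value in reversed(message_from_string(raw_headers).get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # format not recognised; inspect such lines by hand
        hop = m.groupdict()
        # The claimed name is whatever the sending host announced; the name
        # and IP in parentheses were recorded by the receiving server.
        hop["name_mismatch"] = base_domain(hop["rdns"] or "") != base_domain(hop["claimed"])
        hops.append(hop)
    return hops

def earliest_recorded_ip(hops):
    """IP address logged by the first server in the chain, or None."""
    return hops[0]["ip"] if hops else None

if __name__ == "__main__":
    for number, hop in enumerate(trace_hops(SAMPLE), 1):
        print(number, hop)
```

A name mismatch is only a clue: here the oldest hop announced itself as aol.com while the receiving server recorded a mybigisp.com DSL address, which matches the forged From: line.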

Viewing message headers

Netscape Mail (ver 2 & 3): Click Options from the pull-down menu bar. Click Show Headers and select Full.

Netscape Mail (ver 4.7 and up): Click View from the pull-down menu bar. Click Headers and select All.

Eudora (ver 3 and higher): Open the message by double clicking it for the full screen view. Click the title bar option: BLAH BLAH BLAH. Copy and paste the headers into the message you wish to forward.

Outlook 98: Open the message. Click View, then click Options. Copy and paste the section marked Internet Headers.

Outlook Express: Open the message. Click File from the pull-down menu bar. Select Properties. Another window will open, showing two tabs. You want to choose the one titled Details. Copy and paste the headers into the message you wish to forward.

Mail.msu.edu Web mail: Click the (Full Headers) icon. Copy and paste the headers into the message you wish to forward.

ELM: Press "h" to display the full headers, then press "b" to "bounce" (forward) the message which you are currently displaying, including the full headers. You should preface such "bounced" messages with an explanatory message indicating what you will be forwarding, since you cannot add text during the "bounce" process.

Pine and Mutt: Press "H" to display the full headers, then press "F" to forward the message which you are currently displaying. (NOTE: you must have headers enabled before forwarding.)

If your mail reader is not listed above and you need assistance in finding and forwarding the full e-mail headers, contact the ATS Help Desk.

Analyzing e-mail headers

Once you have found the full e-mail headers, you can use this information to determine the sender's source IP address, or at least the address of the mail server which delivered the message to you. Consult the document Analyzing e-mail headers and tracking e-mail for further details.

Updated: 17-May-2004


Copyright © 2004, MSU Board of Trustees