Q: How can I find out where an e-mail message really came from?


The addresses listed in the From and Sender fields of an e-mail message can be faked easily and should not be trusted (even if they seem familiar). The only way to know for sure where a message came from is to examine its (full) headers, especially the Received: fields.

The way to get access to the headers depends on the program you are using to read mail, but you can always get to them from the UNIX command line, by typing (verbatim):

	less /var/mail/$USER
and scrolling through your mailbox (where messages are separated by a blank line and begin with the keyword From followed by a blank space and additional text).

Here is an actual example, where the (true) recipient's address was changed to NOBODY@astro.ucla.edu for privacy reasons, and where the line number has been prepended to each line (for easier referencing in the comments below), except that lines 2 and 3 were broken down over several lines for clarity (with a letter appended to the line number accordingly):

1  From matt_ruitfr@yahoo.fr  Tue Apr 30 03:52:08 2002
2a Received: from mail.shfc.edu.cn ([202.121.252.6])
2b      by gateway.astro.ucla.edu (8.9.3/200109250)
2c      with ESMTP id DAA22941 for <NOBODY@astro.ucla.edu>
2d      at Tue, 30 Apr 2002 03:52:05 -0700 (PDT)
3a Received: from mail.montevideo.com.uy
3b      (1Cust158.tnt2.bradenton.fl.da.uu.net [67.243.25.158])
3c      by mail.shfc.edu.cn with SMTP (Microsoft Exchange
3d      Internet Mail Service Version 5.5.2653.13)
3e      id J8FDSVC1; Tue, 30 Apr 2002 18:23:59 +0800
4  Message-ID: <000045e77f54$0000742c$0000732e@mx1.mail.yahoo.com>
5  To: <VALUED_CUSTOMERS@gateway.astro.ucla.edu>
6  From: "Kelly Teller" <matt_ruitfr@yahoo.fr>
7  Subject: Enhance your Bust  Amazing Breast Enhancing Capsules  (All Natural)
8  Date: Tue, 30 Apr 2002 06:17:28 -1900
9  MIME-Version: 1.0
10 Content-Type: text/plain;
11         charset="Windows-1252"
12 Content-Transfer-Encoding: 7bit
13 X-Mailer: Mozilla 4.77 [en] (Win98; U)
14 Content-Length: 530
Received: fields are added to the message headers by each mail server the message transits through, so they provide a history of where the message has been, and thus where it originated. (It is possible to fake them as well, but that can usually be detected through inconsistencies.) Their format can vary slightly, but it is almost always of the form:
Received: from HOSTNAME (DOMAINNAME [IP.ADD.RE.SS])
	by MAILSERVER (VERSION) 
	with PROTOCOL id NUMBER 
	for RECIPIENT
	DATE
The for RECIPIENT bit may not appear at all; if it does, it should list you (or a mailing list you belong to). VERSION, PROTOCOL, and NUMBER are not of much interest (unless you are investigating the MAILSERVER's capabilities). DATE can be used to establish a timeline, but some mail servers' clocks can be off significantly, so it is not very reliable. HOSTNAME, DOMAINNAME, IP.ADD.RE.SS, and MAILSERVER are the ones to pay attention to, as explained below.

The first Received: field will be the most recent, and will be the one written by the mail server that delivered the message to your mailbox. (In the case of our mail server--currently gateway.astro.ucla.edu--this field will never appear broken down over several lines, but will always be a single long line, which is very uncommon.)

In the example above, it is on line 2 (which was broken down over 4 short lines for clarity only here):

  • Section 2b identifies our MAILSERVER (gateway.astro.ucla.edu) immediately following the keyword by. This is the host that wrote that entire Received: field (i.e. line 2).

  • Section 2c shows you that the message was intended for NOBODY@astro.ucla.edu (among other possible RECIPIENTs).

  • Section 2d indicates when the message was received by our mail server.

  • But section 2a is the most interesting part because it tells us where the message came from. However, only the [IP.ADD.RE.SS] part (between parentheses) can be trusted--as we will see below... In this case, we see that the message was handed to gateway.astro.ucla.edu by a host whose IP address is 202.121.252.6. There is no DOMAINNAME before this bracketed IP address between the parentheses because none exists for it. The HOSTNAME in front of the parentheses is discussed just below.
Moving on to line 3:

  • Section 3c reveals that the message had previously been received by the MAILSERVER named mail.shfc.edu.cn. Looking up its IP address (through the command host mail.shfc.edu.cn), one gets 202.121.252.6. This is the same IP address that appeared on line 2 (section 2a). This just happens to be a situation where the HOSTNAME has an IP address, but that IP address does not have a DOMAINNAME associated with it (the two links are assigned independently in the DNS). The important thing is that the IP address between the from and by keywords on line 2a is the one for the MAILSERVER that follows the by keyword on line 3c. That means that we are really tracing the path of this message (as having gone through 202.121.252.6 immediately prior to being received on gateway.astro.ucla.edu).

  • To find out where the message was before reaching 202.121.252.6, we need to look at section 3b. This time, we have both a DOMAINNAME (1Cust158.tnt2.bradenton.fl.da.uu.net) and an [IP.ADD.RE.SS] ([67.243.25.158]), which match if you check with the host command. Since this is the last Received: field for this message, we conclude that the sender's computer is 1Cust158.tnt2.bradenton.fl.da.uu.net, which, based on the DOMAINNAME, appears to be a UUnet dialup customer in Bradenton, Florida. (If there had been more Received: fields, we would have continued to make sure that the computer identified after the from keyword in one field matched--through its IP address--the one listed after the by keyword in the following field.)

  • Finally, section 3a lists the HOSTNAME that claims to have sent the message (mail.montevideo.com.uy). This hostname is completely bogus in this case. (It will often be a random string of characters assigned as factory hostname by PC manufacturers that was never changed by their owner; e.g.: ifxnw.) If it says localhost, then it is most likely really the computer listed next, after the by keyword.
  • Notice how the message had nothing to do with Yahoo!, despite the fact that the sender's address listed an account on their French subsidiary. So in this case, if you wanted to complain about this junk mail, you would need to contact the owner of the domain name 1Cust158.tnt2.bradenton.fl.da.uu.net and of the IP address 67.243.25.158. To find out how to do that, see separate FAQ (#78). (It is not necessary to contact the Chinese academic institution that provided the link between UUnet and us--or any such intermediary in general--unless you want to alert them that their mail server may have been abused, since they will not be able to take any action against the original sender.)
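The same walk done mechanically, as an added example that is not part of this FAQ: it unfolds the Received: fields of the message above, splits each into its HOSTNAME, DOMAINNAME, [IP.ADD.RE.SS] and MAILSERVER parts, and checks that the IP after from in one field is the address of the server after by in the next field. The FORWARD_DNS table is a constructed stand-in for the host lookups the FAQ describes, so the example runs offline; the parsing functions and their names are assumptions of this example, not a standard tool.

```python
import re

# The two Received: fields from the FAQ example above, folded as the MTAs wrote them.
SAMPLE_HEADERS = """\
Received: from mail.shfc.edu.cn ([202.121.252.6])
\tby gateway.astro.ucla.edu (8.9.3/200109250)
\twith ESMTP id DAA22941 for <NOBODY@astro.ucla.edu>
\tat Tue, 30 Apr 2002 03:52:05 -0700 (PDT)
Received: from mail.montevideo.com.uy
\t(1Cust158.tnt2.bradenton.fl.da.uu.net [67.243.25.158])
\tby mail.shfc.edu.cn with SMTP (Microsoft Exchange
\tInternet Mail Service Version 5.5.2653.13)
\tid J8FDSVC1; Tue, 30 Apr 2002 18:23:59 +0800
"""

# Constructed stand-in for the `host` command (the forward lookups the FAQ reports).
# For real use, pass resolve=socket.gethostbyname to trace() instead.
FORWARD_DNS = {"mail.shfc.edu.cn": "202.121.252.6",
               "1Cust158.tnt2.bradenton.fl.da.uu.net": "67.243.25.158"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)"                                    # HOSTNAME (claimed, untrusted)
    r"(?:\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[\d.]+)\]\))?"  # (DOMAINNAME [IP]) if present
    r"\s+by\s+(?P<by>\S+)")                                    # MAILSERVER that wrote the field

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header field."""
    return re.sub(r"\n[ \t]+", " ", raw).splitlines()

def parse_received(raw):
    """One dict per Received: field, most recent hop first (the order they appear in)."""
    hops = []
    for field in unfold(raw):
        m = RECEIVED_RE.search(field) if field.lower().startswith("received:") else None
        if m:
            hops.append(m.groupdict())
    return hops

def trace(raw, resolve=FORWARD_DNS.get):
    """Walk the chain: the [IP] after 'from' in each field must equal the address of the
    MAILSERVER after 'by' in the following field. Returns the earliest hop's claimed
    HOSTNAME, its DOMAINNAME, its IP, and whether every link in the chain matched."""
    hops = parse_received(raw)
    if not hops:
        return None, None, None, False
    linked = all(newer["ip"] == resolve(older["by"])
                 for newer, older in zip(hops, hops[1:]))
    origin = hops[-1]
    return origin["host"], origin["rdns"], origin["ip"], linked
```

A False in the last position means some hop's from address is not the server that claims to have written the next field, which is the inconsistency the FAQ says betrays a forged Received: line.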