Q: How can I find out where an e-mail message really came from?
The addresses listed in the From and Sender fields of an e-mail message can be faked easily and should not be trusted (even if they seem familiar). The only way to know for sure where a message came from is to examine its full headers, especially the Received: fields.
The way to get access to the headers depends on the program you are using to read mail, but you can always get to them from the UNIX command line, by typing (verbatim):
less /var/mail/$USER

and scrolling through your mailbox (where messages are separated by a blank line and begin with the keyword From followed by a blank space and additional text).
Here is an actual example, where the (true) recipient's address was changed to NOBODY@astro.ucla.edu for privacy reasons, and where the line number has been prepended to each line (for easier referencing in the comments below), except that lines 2 and 3 were broken down over several lines for clarity (with a letter appended to the line number accordingly):
1  From email@example.com Tue Apr 30 03:52:08 2002
2a Received: from mail.shfc.edu.cn ([184.108.40.206])
2b     by gateway.astro.ucla.edu (8.9.3/200109250)
2c     with ESMTP id DAA22941 for <NOBODY@astro.ucla.edu>
2d     at Tue, 30 Apr 2002 03:52:05 -0700 (PDT)
3a Received: from mail.montevideo.com.uy
3b     (1Cust158.tnt2.bradenton.fl.da.uu.net [220.127.116.11])
3c     by mail.shfc.edu.cn with SMTP (Microsoft Exchange
3d     Internet Mail Service Version 5.5.2653.13)
3e     id J8FDSVC1; Tue, 30 Apr 2002 18:23:59 +0800
4  Message-ID: <firstname.lastname@example.org>
5  To: <VALUED_CUSTOMERS@gateway.astro.ucla.edu>
6  From: "Kelly Teller" <email@example.com>
7  Subject: Enhance your Bust Amazing Breast Enhancing Capsules (All Natural)
8  Date: Tue, 30 Apr 2002 06:17:28 -1900
9  MIME-Version: 1.0
10 Content-Type: text/plain;
11     charset="Windows-1252"
12 Content-Transfer-Encoding: 7bit
13 X-Mailer: Mozilla 4.77 [en] (Win98; U)
14 Content-Length: 530

Received: fields are added to the message headers by each mail server the message transits through, so they provide a history of where the message has been, and thus where it originated. (It is possible to fake them as well, but that can usually be detected through inconsistencies.) Their format can vary slightly, but it is almost always of the form:
Received: from HOSTNAME (DOMAINNAME [IP.ADD.RE.SS]) by MAILSERVER (VERSION) with PROTOCOL id NUMBER for RECIPIENT DATE

The "for RECIPIENT" bit may not appear at all; if it does, it should list you (or a mailing list you belong to). VERSION, PROTOCOL, and NUMBER are not of much interest (unless you are investigating the MAILSERVER's capabilities). DATE can be used to establish a timeline, but some mail servers' clocks can be off significantly, so it is not very reliable. HOSTNAME, DOMAINNAME, IP.ADD.RE.SS, and MAILSERVER are the ones to pay attention to, as explained below.
The first Received: field will be the most recent, and will be the one written by the mail server that delivered the message to your mailbox. (In the case of our mail server--currently gateway.astro.ucla.edu--this field will never appear broken down over several lines, but will always be a single long line, which is very uncommon.)
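The header walk described above, as an added example that is not part of this FAQ: a small Python script (standard library only) that pulls the Received: fields out of a raw message, lists the hops oldest-first (since the first Received: field is the most recent), and flags the two inconsistencies worth checking by hand, namely a host announcing a HOSTNAME that does not match its DOMAINNAME/IP, and a "by MAILSERVER" that is not the "from HOSTNAME" of the next hop. The sample message is the FAQ's own example above, minus the mbox "From " separator line; the hop-matching rules and the "From: domain never appears in any hop" check are this example's own heuristics, not something the FAQ prescribes.

```python
"""Added example (not from the original FAQ): audit the Received: trail of a raw message."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the FAQ's example headers, addresses anonymised as on the page.
SAMPLE_MESSAGE = """\
Received: from mail.shfc.edu.cn ([184.108.40.206])
        by gateway.astro.ucla.edu (8.9.3/200109250)
        with ESMTP id DAA22941 for <NOBODY@astro.ucla.edu>
        at Tue, 30 Apr 2002 03:52:05 -0700 (PDT)
Received: from mail.montevideo.com.uy
        (1Cust158.tnt2.bradenton.fl.da.uu.net [220.127.116.11])
        by mail.shfc.edu.cn with SMTP (Microsoft Exchange
        Internet Mail Service Version 5.5.2653.13)
        id J8FDSVC1; Tue, 30 Apr 2002 18:23:59 +0800
Message-ID: <firstname.lastname@example.org>
To: <VALUED_CUSTOMERS@gateway.astro.ucla.edu>
From: "Kelly Teller" <email@example.com>
Subject: Enhance your Bust Amazing Breast Enhancing Capsules (All Natural)

(body omitted)
"""

# "from HOSTNAME (DOMAINNAME [IP.ADD.RE.SS]) ... by MAILSERVER"; the parenthesised
# part is optional and DOMAINNAME may be absent, as on the FAQ's line 2a.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value: str) -> dict:
    """Parse one Received: field; parts that are missing or unparseable are None."""
    flat = " ".join(value.split())  # unfold continuation lines (works for single-line fields too)
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "raw": flat}
    m = RECEIVED_RE.search(flat)
    if m:
        hop.update(m.groupdict())
    return hop


def received_chain(raw_message: str) -> list:
    """Hops in chronological order: the topmost Received: field was added last."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def audit(raw_message: str) -> dict:
    """Return the oldest hop (best evidence of origin), all hops, and warnings."""
    chain = received_chain(raw_message)
    warnings = []
    for i, hop in enumerate(chain, 1):
        # The sending host's announced name should match what the receiver saw.
        if hop["helo"] and hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            warnings.append(
                f"hop {i}: announced itself as {hop['helo']} but connected "
                f"from {hop['rdns']} [{hop['ip']}]"
            )
        # The server that wrote this field should be the 'from' host of the next one.
        if i < len(chain):
            nxt = chain[i]
            if hop["by"] and nxt["helo"] and hop["by"].lower() != nxt["helo"].lower():
                warnings.append(
                    f"hop {i}: written by {hop['by']} but hop {i + 1} claims "
                    f"to come from {nxt['helo']}"
                )
    # Heuristic: a From: domain that occurs in no hop is evidence of a forged sender.
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    names = {hop[k].lower() for hop in chain for k in ("helo", "rdns", "by") if hop[k]}
    if from_domain and not any(from_domain in name for name in names):
        warnings.append(f"From: domain {from_domain} appears in no Received: field")
    return {"origin": chain[0] if chain else None, "hops": chain, "warnings": warnings}


if __name__ == "__main__":
    report = audit(SAMPLE_MESSAGE)
    for n, hop in enumerate(report["hops"], 1):
        print(f"hop {n}: from {hop['helo']} ({hop['rdns']} [{hop['ip']}]) by {hop['by']}")
    for w in report["warnings"]:
        print("WARNING:", w)
```

On the FAQ's sample the oldest hop is the dial-up host 1Cust158.tnt2.bradenton.fl.da.uu.net, which announced itself as mail.montevideo.com.uy, and the From: domain occurs in no Received: field; both get a warning. The hand-off from mail.shfc.edu.cn to gateway.astro.ucla.edu is consistent and is not flagged.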
In the example above, it is on line 2 (which was broken down over 4 short lines for clarity only here),
Moving on to line 3:
Notice how the message had nothing to do with Yahoo!, despite the fact that the sender's address listed an account on their French subsidiary. So in this case, if you wanted to complain about this junk mail, you would need to contact the owner of the domain name 1Cust158.tnt2.bradenton.fl.da.uu.net and of the IP address 18.104.22.168. To find out how to do that, see separate FAQ (#78). (It is not necessary to contact the Chinese academic institution that provided the link between UUnet and us--or any such intermediary in general--unless you want to alert them that their mail server may have been abused, since they will not be able to take any action against the original sender.)