The Ohio State University, Office of Information Technology Technology Support Center (8help)

Using Full Headers to Determine the Original Source Of Messages



In order to conceal the identity of the actual sender, or the location of the infected machine, many spammers and almost all current viruses use a fake "From" line to make the message appear to be coming from someone and somewhere other than the real origin.

In most cases, however, it's possible to use the full Internet headers of an e-mail message to determine the identity or network address of the actual computer which sent the message.

The full Internet headers of a message aren't automatically displayed in most e-mail programs. For instructions for viewing the full headers in several common e-mail programs, see:

How To Show Full E-mail Headers

Once you're able to view the full Internet headers, below is an example of what you might see:
Return-path:
Received: from mail-mta5.service.ohio-state.edu
(mail-mta5.service.ohio-state.edu [128.146.216.45])
by mail1.service.ohio-state.edu
(iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003))
with ESMTP id <0HV800K5FUYU5X@mail1.service.ohio-state.edu>
for 31191@ims-ms-daemon; Sat, 27 Mar 2004 11:54:30 -0500 (EST)
Received: from S0028926480 (dhcp065-025-151-002.columbus.rr.com [65.25.151.2])
by mail-mta5.service.ohio-state.edu
(iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003))
with SMTP id <0HV800UYT6M@mail-mta5.service.ohio-state.edu>
for recipient.9999@osu.edu (ORCPT recipient.9999@osu.edu);
Sat, 27 Mar 2004 11:54:30 -0500 (EST)
Date: Sat, 27 Mar 2004 11:54:30 -0500
From: sender_addr@osc.edu
Subject: Message To Show Full Headers
To: recipient.9999@osu.edu
Message-id:
MIME-version: 1.0
Content-type: multipart/mixed; boundary=--------644422551516515
Original-recipient: rfc822;recipient.9999@osu.edu
Depending on how and where the message originated and where it was sent, there may be more "Received:" lines than shown above. Each mail server that handles the message adds its own "Received:" line at the top, so the lines read newest to oldest from top to bottom. The origin information is in the line written by the first server you trust; in the example that is the second "Received:" line, the one immediately above the "Date:" field, written by mail-mta5.service.ohio-state.edu. That server recorded the connecting address itself, so the sender cannot fake it. Any "Received:" lines below that one were supplied by the sending machine and can be forged just like the "From:" line, so read the chain from the top down and stop at the first line in which one of your own servers reports a connection from outside your organization, rather than simply taking the bottom-most line.

In this example, the message came from a computer with the IP address 65.25.151.2, which the OSU server resolved to the host name dhcp065-025-151-002.columbus.rr.com (the name in parentheses next to the address). The name before the parentheses, S0028926480, is whatever the sending machine announced about itself and should not be trusted. If no host name was recorded, a reverse DNS lookup (nslookup 65.25.151.2, or dig -x 65.25.151.2 on Unix systems) may supply one; ping or tracert (traceroute on Unix systems) can show whether the computer is still reachable, although many hosts block these probes; and a whois lookup on the address gives the network owner's abuse contact. If the address is in a private range (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16) it belongs to a machine behind a NAT or an internal relay and cannot be reported to an ISP. You can then use that information to report the spam or virus sender to their Internet service provider.

If you find that it is an OSU address, copy the full headers and forward them and the message body to the OIT Technology Support Center at 8help@osu.edu .
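The walk described above, newest "Received:" line first, stopping at the first hop in which one of your own servers recorded a connection from outside, is easy to get wrong by hand. The following Python script is an added example, not part of the OSU article or its tools. It assumes, for the example only, that OSU's inbound mail servers have host names ending in .service.ohio-state.edu and addresses in 128.146.0.0/16. It embeds the page's own header example as a constructed message (the empty Return-path and Message-id and the MIME lines are left out), plus a second copy carrying a constructed, forged "Received:" line (host name innocent.example.com, documentation-only address 192.0.2.10) of the kind a sending machine could insert below the real origin line, to show why the bottom-most line is not automatically the right one.

```python
import email
import ipaddress
import re

# Assumed for this example: where our own inbound mail servers live.
OUR_NETS = [ipaddress.ip_network("128.146.0.0/16")]
OUR_HOST_SUFFIX = ".service.ohio-state.edu"

# The page's example headers, re-typed as a constructed message (empty
# Return-path/Message-id and the MIME lines left out; body is filler).
PAGE_MESSAGE = """\
Received: from mail-mta5.service.ohio-state.edu
 (mail-mta5.service.ohio-state.edu [128.146.216.45])
 by mail1.service.ohio-state.edu
 (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003))
 with ESMTP id <0HV800K5FUYU5X@mail1.service.ohio-state.edu>
 for 31191@ims-ms-daemon; Sat, 27 Mar 2004 11:54:30 -0500 (EST)
Received: from S0028926480 (dhcp065-025-151-002.columbus.rr.com [65.25.151.2])
 by mail-mta5.service.ohio-state.edu
 (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003))
 with SMTP id <0HV800UYT6M@mail-mta5.service.ohio-state.edu>
 for recipient.9999@osu.edu (ORCPT recipient.9999@osu.edu);
 Sat, 27 Mar 2004 11:54:30 -0500 (EST)
Date: Sat, 27 Mar 2004 11:54:30 -0500
From: sender_addr@osc.edu
Subject: Message To Show Full Headers
To: recipient.9999@osu.edu

(body omitted)
"""

# Same message with a Received: line the sending machine could have written
# itself (constructed; 192.0.2.10 is a documentation-only TEST-NET address).
FORGED_MESSAGE = PAGE_MESSAGE.replace(
    "Date:",
    "Received: from innocent.example.com (innocent.example.com [192.0.2.10])\n"
    " by S0028926480 with SMTP; Sat, 27 Mar 2004 11:50:00 -0500\n"
    "Date:", 1)

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # name the client claimed in HELO/EHLO
    r"(?:\s*\((?P<comment>[^)]*)\))?"   # "(reverse-name [ip])" added by the server
    r".*?\bby\s+(?P<by>\S+)")           # the server that wrote this line
IP_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")


def parse_hops(raw):
    """One dict per Received: line, newest (top-most) first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))   # unfold continuation lines
        if not m:
            continue
        ip = IP_RE.search(m.group("comment") or "")
        hops.append({"helo": m.group("helo"),
                     "ip": ip.group("ip") if ip else None,
                     "by": m.group("by")})
    return hops


def is_our_address(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in OUR_NETS)
    except ValueError:
        return False


def find_origin(raw):
    """IP that handed the message to the first server we trust, or None.
    A line written 'by' a foreign server, and everything below it, is untrusted."""
    for hop in parse_hops(raw):
        if not hop["by"].lower().endswith(OUR_HOST_SUFFIX):
            break
        if hop["ip"] and not is_our_address(hop["ip"]):
            return hop["ip"]
    return None


def last_received_ip(raw):
    """The naive rule: take the bottom-most Received: line."""
    hops = parse_hops(raw)
    return hops[-1]["ip"] if hops else None


def classify(ip):
    """Is this something an ISP abuse desk can act on?"""
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "internal"     # NAT/relay address: report to your own IT group
    return "public"           # look up its PTR record and whois abuse contact


if __name__ == "__main__":
    for label, raw in (("page example", PAGE_MESSAGE),
                       ("forged line added", FORGED_MESSAGE)):
        origin = find_origin(raw)
        print(f"{label}: trusted origin {origin} ({classify(origin)}), "
              f"bottom-most line says {last_received_ip(raw)}")
```

On the page's message both rules agree on 65.25.151.2. On the copy with the forged line, find_origin still answers 65.25.151.2 because it stops at the line mail-mta5 wrote, while the bottom-most line points at the innocent 192.0.2.10; reporting that address would send the complaint to the wrong ISP. The "helo" field is kept only to show that it is sender-supplied and is never used in the decision.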

Current Record: 1735

Create Date: 04-30-2004
Last Reviewed: 04-29-2008

