Wednesday, May 27, 2009

How to know where the Email Came From

Today we are facing a lot of issues with email. Here I explain how to trace where a mail came from and how to tell whether it is fraudulent or not. All of this is learned from the e-mail header. You can see the header in web-based mail, in Outlook, or in another third-party e-mail client; below I show how to extract the header from Outlook and how to trace it.

In Outlook, simply right-click any mail and choose Options. A pop-up window opens in which you can see the Internet headers of the mail. Below is the method for tracing the mail:

Each header line is marked HEADER :- and the explanation of that header follows it, marked EXPLAIN :- (in the original post the headers were in BLACK and the explanations in RED).

HEADER :- Return-Path: vikasdhingra@speciality-india.com
EXPLAIN :- This is the return path, the envelope sender address to which bounces are returned; it identifies the sender (vikasdhingra@speciality-india.com).
HEADER :- Received: from lx4.system3hosting.com (LHLO lx4.system3hosting.com) (203.185.191.34) by lx4.system3hosting.com with LMTP; Sat, 4 Apr 2009 10:56:17 +0530 (IST)
EXPLAIN :- This is the mail being received at System3. The mail server is called lx4.system3hosting.com and has the IP 203.185.191.34; it shows that we received the email on LX4 at 10:56 AM IST on 4 April 2009.

This date is important for message analysis. Note that each server prepends its own Received line, so the topmost Received header is the last hop (final delivery) and the bottom-most is the first hop (where the mail entered the mail system); read them from the bottom up to follow the path.

HEADER :- Received: from localhost (localhost.localdomain [127.0.0.1]) by lx4.system3hosting.com (Postfix) with ESMTP id 89992119000D; Sat, 4 Apr 2009 10:56:17 +0530 (IST)
EXPLAIN :- Before the mail is delivered on LX4 it is scanned by the anti-virus / anti-spam filter. This line shows the mail being handed back to LX4 from the anti-spam scanner running on the same machine (localhost) at 10:56:17.

HEADER :- X-Virus-Scanned: amavisd-new at
HEADER :- X-Spam-Flag: NO
EXPLAIN :- The antivirus scanned the email and did not find any virus in it. This does not mean the sender's PC is not infected; it only means that no attachment in this email carries a known virus.
HEADER :- X-Spam-Score: 0
EXPLAIN :- The anti-spam filter trusts the sender, who is a known contact and also a customer, hence this email was given a spam score of 0 (zero).
HEADER :- X-Spam-Level:
HEADER :- X-Spam-Status: No, score=x tagged_above=-10 required=6.6 tests=[]
EXPLAIN :- No spam tests fired on this email, hence tests=[] is empty. For a mail to be classed as SPAM it must reach 6.6 points (required=6.6); this mail scored 0, so it was not marked as spam.
HEADER :- Received: from lx4.system3hosting.com ([127.0.0.1]) by localhost (lx4.system3hosting.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5CCTkK0Y5zjq; Sat, 4 Apr 2009 10:56:17 +0530 (IST)
EXPLAIN :- This is the hand-off of the mail on LX4 to our anti-spam scanner (amavisd-new, listening on port 10024 of the same machine).

HEADER :- Received: from lx1.system3hosting.com (lx1.system3hosting.com [203.185.191.31]) by lx4.system3hosting.com (Postfix) with ESMTP id 0CCDED904AB for <hks@system3group.com>; Sat, 4 Apr 2009 10:56:17 +0530 (IST)
EXPLAIN :- This is a very important line. You can see that the email was sent by the server lx1.system3hosting.com (203.185.191.31), which hosts the sender's domain, to the server lx4.system3hosting.com, which hosts the receiver's domain. The email was for hks@system3group.com.

HEADER :- Received: (qmail 5180 invoked by uid 511); 4 Apr 2009 10:50:49 +0530
EXPLAIN :- This line comes from the sender's mail server (in this case LX1): the mail was processed by qmail (process 5180, invoked by user id 511) on that server. The server processed this email at 10:50:49 IST, which means it took roughly 6 minutes before the mail reached hks@system3group.com.

HEADER :- Received: from 122.173.243.137 by lx1.system3hosting.com (envelope-from <vikasdhingra@speciality-india.com>, uid 510) with qmail-scanner-1.25-st-qms (Clear:RC:0(122.173.243.137):. Processed in 33.207305 secs); 04 Apr 2009 05:20:49 -0000
EXPLAIN :- This is again a very important line. It shows that vikasdhingra@speciality-india.com was using the IP address 122.173.243.137 (his broadband connection or PC, depending on how he was connected) when he submitted the mail to his SMTP server lx1.system3hosting.com. The envelope-from is the sender's email id. (The time 05:20:49 -0000 is UTC, i.e. 10:50:49 IST.)
HEADER :- X-Anti-virus-MYDOMAIN-Mail-From: vikasdhingra@speciality-india.com via lx1.system3hosting.com
EXPLAIN :- The anti-virus on LX1 ran and saw this email as clean.

HEADER :- X-Antivirus-MYDOMAIN: 1.25-st-qms (Clear:RC:0(122.173.243.137):. Processed in 33.207305 secs Process 5018)
EXPLAIN :- The qmail-scanner process on LX1 processed this email in 33 seconds. It took this long either because the mail had a very long BCC list or because the load on the server was very high.
HEADER :- Received: from abts-north-dynamic-137.243.173.122.airtelbroadband.in (HELO VikasPC2) (122.173.243.137) by lx1.system3hosting.com with SMTP; 4 Apr 2009 05:20:16 -0000
EXPLAIN :- This shows that the LX1 server received the mail from 122.173.243.137 (an Airtel broadband dynamic address) and that the sending machine identified itself in the HELO as VikasPC2.
HEADER :- Message-ID:
EXPLAIN :- This is one of the most important lines, as it helps us identify the PC. Some viruses can use someone's PC while sending under someone else's email id. The name VikasPC2 will help us find the PC in the customer's network.
HEADER :- Reply-To: "Vikas Dhingra" <vikasdhingra@speciality-india.com>
EXPLAIN :- This shows the Reply-To field.

HEADER :- From: "Vikas Dhingra" <vikasdhingra@speciality-india.com>
EXPLAIN :- This shows the From field.

HEADER :- To: <"Undisclosed-Recipient:;"@lx4.system3hosting.com>
EXPLAIN :- This shows that the email was sent to many people using BCC: a clear indication that either the customer was deliberately sending a BCC mailing, or a virus infection was sending these emails.

HEADER :- Subject: Best Pool Shot Ever by a Naked White Chick
EXPLAIN :- This is the Subject of the email.

HEADER :- Date: Sat, 4 Apr 2009 11:08:21 +0530
EXPLAIN :- This is the date and time on the customer's PC. Here you see that the servers recorded 10:56 while the customer's PC showed 11:08. Why the difference, when both the server and the customer are in IST (+0530)? Desktops have their time set manually, while servers are synchronized to an atomic clock, hence the difference.

HEADER :- Organization: Specialty Merchandising Services
EXPLAIN :- When we configure the email software we enter the company name; this header comes from there.
HEADER :- MIME-Version: 1.0
HEADER :- Content-Type: multipart/mixed; boundary="----=_NextPart_000_014A_01C9B515.AA782130"
EXPLAIN :- This shows that the content was MIME multipart/mixed, i.e. the mail carries an attachment.

HEADER :- X-Priority: 3
EXPLAIN :- This means the priority of the email was Normal.
HEADER :- X-MSMail-Priority: Normal
EXPLAIN :- The priority of the mail was set to NORMAL (Microsoft also uses some proprietary headers, hence we see X-MSMail-Priority).

HEADER :- X-Mailer: Microsoft Windows Mail 6.0.6001.18000
EXPLAIN :- This shows the mail software the customer was using: Microsoft Windows Mail (the replacement for Outlook Express in Windows Vista).

HEADER :- x-mimeole: Produced By Microsoft MimeOLE V6.0.6001.18049
EXPLAIN :- This line means the mail was generated through the MimeOLE component. Typically this happens when you right-click a file and choose to send it by email: the message is created automatically with the file attached. This can also be done programmatically, especially by viruses, which pick random files from the PC and send them to people.
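
The walk through the Received lines above is a procedure a defender repeats for every suspicious mail, so here is an added example (my own code, not part of the original post) that automates it in Python. It takes a raw header block, reads the Received lines from the bottom up (oldest hop first), pulls out the from/by hosts, the HELO name, the bracketed IP addresses and the timestamps, and then computes the per-hop delay, the total transit time (the roughly 6 minutes noted above), the originating public IP, and the gap between the client's Date header and the server's delivery time (the 10:56 versus 11:08 difference). The header block is a constructed sample modelled on the one in the post, with folding and spacing tidied so it parses cleanly; the function names are my own.

```python
"""Follow the Received chain of an e-mail header block, oldest hop first (added example)."""
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, modelled on the headers discussed in the post (same hosts,
# addresses and timestamps); folding and spacing tidied so it parses cleanly.
SAMPLE_HEADERS = """\
Return-Path: vikasdhingra@speciality-india.com
Received: from lx4.system3hosting.com (LHLO lx4.system3hosting.com)
 (203.185.191.34) by lx4.system3hosting.com with LMTP; Sat, 4 Apr 2009 10:56:17 +0530 (IST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by
 lx4.system3hosting.com (Postfix) with ESMTP id 89992119000D; Sat, 4 Apr 2009 10:56:17 +0530 (IST)
X-Spam-Flag: NO
X-Spam-Score: 0
Received: from lx4.system3hosting.com ([127.0.0.1]) by localhost
 (lx4.system3hosting.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
 5CCTkK0Y5zjq; Sat, 4 Apr 2009 10:56:17 +0530 (IST)
Received: from lx1.system3hosting.com (lx1.system3hosting.com [203.185.191.31])
 by lx4.system3hosting.com (Postfix) with ESMTP id 0CCDED904AB for
 <hks@system3group.com>; Sat, 4 Apr 2009 10:56:17 +0530 (IST)
Received: (qmail 5180 invoked by uid 511); 4 Apr 2009 10:50:49 +0530
Received: from 122.173.243.137 by lx1.system3hosting.com (envelope-from
 <vikasdhingra@speciality-india.com>, uid 510) with qmail-scanner-1.25-st-qms
 (Clear:RC:0(122.173.243.137):. Processed in 33.207305 secs); 04 Apr 2009 05:20:49 -0000
Received: from abts-north-dynamic-137.243.173.122.airtelbroadband.in (HELO
 VikasPC2) (122.173.243.137) by lx1.system3hosting.com with SMTP; 4 Apr 2009 05:20:16 -0000
From: "Vikas Dhingra" <vikasdhingra@speciality-india.com>
To: <"Undisclosed-Recipient:;"@lx4.system3hosting.com>
Date: Sat, 4 Apr 2009 11:08:21 +0530
X-Mailer: Microsoft Windows Mail 6.0.6001.18000

"""

# IPs appear in brackets/parentheses; a bare regex over the whole line would also
# match the reversed IP embedded in the Airtel hostname, so insist on the delimiters.
IP_IN_BRACKETS = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
HELO_NAME = re.compile(r"\(E?HELO\s+([^)\s]+)\)")


def parse_date(text):
    """Parse an RFC 5322 date; a '-0000' zone means 'no local zone info', so treat it as UTC."""
    dt = parsedate_to_datetime(text.strip())
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def parse_received(value):
    """Split one Received header into from-host, by-host, HELO name, IPs and timestamp."""
    value = " ".join(value.split())                 # unfold and normalise whitespace
    clause, sep, date_part = value.rpartition(";")  # the timestamp follows the last ';'
    if not sep:                                     # no timestamp at all
        clause, date_part = value, None
    from_host = by_host = None
    if clause.startswith("from "):                  # qmail's "(qmail N invoked by uid U)" has neither
        from_host = clause.split()[1]
        by = re.search(r"\bby\s+(\S+)", clause)
        by_host = by.group(1) if by else None
    helo = HELO_NAME.search(clause)
    ips = []
    for text in IP_IN_BRACKETS.findall(clause):
        try:
            ips.append(ipaddress.ip_address(text))
        except ValueError:                          # e.g. "999.1.1.1" inside a comment
            pass
    return {"from": from_host, "by": by_host,
            "helo": helo.group(1) if helo else None,
            "ips": ips, "ts": parse_date(date_part) if date_part else None}


def trace(raw_headers):
    """Return the hops oldest-first, each with the seconds elapsed since the previous hop."""
    msg = message_from_string(raw_headers)
    # Servers prepend Received lines, so reversing header order gives submission -> delivery.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    prev = None
    for hop in hops:
        hop["delay_s"] = int((hop["ts"] - prev).total_seconds()) if prev and hop["ts"] else 0
        prev = hop["ts"] or prev
    return hops


def transit_seconds(hops):
    """End-to-end time from first submission to final delivery."""
    return int((hops[-1]["ts"] - hops[0]["ts"]).total_seconds())


def date_skew_seconds(raw_headers, hops):
    """Sender's Date header minus final delivery time: exposes an unsynchronised client clock."""
    msg = message_from_string(raw_headers)
    return int((parse_date(msg["Date"]) - hops[-1]["ts"]).total_seconds())


def originating_ip(hops):
    """First globally routable address in the oldest hop(s): where the client connected from."""
    for hop in hops:
        for ip in hop["ips"]:
            if ip.is_global:                        # skips 127.0.0.1 and private ranges
                return str(ip)
    return None


if __name__ == "__main__":
    hops = trace(SAMPLE_HEADERS)
    for n, h in enumerate(hops, 1):
        print(f"hop {n}: {h['from']} -> {h['by']} at {h['ts']:%H:%M:%S %z} (+{h['delay_s']}s)")
    print("origin IP:", originating_ip(hops), "HELO:", hops[0]["helo"])
    print("transit:", transit_seconds(hops), "s; Date header skew:",
          date_skew_seconds(SAMPLE_HEADERS, hops), "s")
```

On the sample the oldest hop is the Airtel address announcing itself as VikasPC2, the 33-second gap to the next hop matches the qmail-scanner processing time, and the single 328-second wait is the lx1 to lx4 transfer; the Date header runs 724 seconds (about 12 minutes) ahead of the delivery stamp, which is the clock difference the post points out. The only hop that a remote party controls is the first one, so the HELO name and From header are untrusted; the IP recorded by your own server is the fact to anchor on.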

3 comments:

Anonymous said...

It's a gr8 article, thanks Ram.

Anonymous said...

Not a gr8 but it's super gr8, it helps me a lot.

Anonymous said...

From where did you get this header ...

Can anyone tell me ... how is this email header related to you?

About Me

Tapiplya, Rajasthan, India
Ramswaroop Kumawat AT & post tapiplya via Ringas(Khatu shyam ji) Dist sikar 332404