At some point, you're going to need (or just want) to know the true origin of an email or newsgroup message. To do that, you have to decipher the headers of the message. It's a useful skill for any internet user - so this is the first in a series of how-to articles.

While most newsreaders and email programs don't display all the headers of messages by default, you do normally see the name and email address of the sender, date/time, and subject for any news or email message. Those are headers. Any program should also have an option somewhere to display more headers, as there is far more information available, but most folks don't need to see it for every message. If you don't know how to get to the full headers in your software, check the help files or see if it's listed here.

For instance, I receive email from many mailing lists. All I see by default is:

Date: 10 Sep 1997 05:03:01 -0000
X-massmail: webmonkey.090997
From: Webmonkey <>
To: Webmonkey <>
Subject: Elbow Grease - the Webmonkey newsletter

(body of message)

If I tell my email program to show me all the headers, though, I see:

Return-Path: <>
Received: from (
	[]) by (8.8.5/8.8.5)
	with SMTP id RAA21069 for <cynthia@dev.null>;
	Wed, 10 Sep 1997 17:46:35 -0400 (EDT)
Received: (qmail 25634 invoked by uid 1100);
	10 Sep 1997 05:03:09 -0000
Date: 10 Sep 1997 05:03:01 -0000
Message-ID: <19970910050301.25630.qmail@hardly.>
Precedence: bulk
X-massmail: webmonkey.090997
From: Webmonkey <>
To: Webmonkey <>
Subject: Elbow Grease - the Webmonkey newsletter

Because users can add custom headers, and because some programs don't use some headers, you won't always see exactly the same things in every message. There are certain fields, though, that the internet newsgroup (NNTP) and email (SMTP) protocols require for every message, so you'll always have those. I'm going to stick with the basics. The headers may not always appear in the same order, either.

Don't believe everything you see in the headers of a message. The current internet protocols were not designed with security in mind, so it is far too easy to forge some of the information in the headers. It's harder, but not impossible, to forge others, and you can usually count on those for clues as to the system and user with whom the messages originated. Users with shell accounts can do far more to hide their origins than those with dial-up accounts, like the accounts EarthLink sells.

If it's so easy to forge headers, why bother? Because they aren't, in most cases forged--or not forged well. And most people do leave clues as to who they really are, even when they're forging messages. It takes a lot of know-how to completely hide who you are and where a message originated (without using an anonymous remailer, anyway), so it doesn't happen very often. I know that some things can be forged, but haven't a clue as to how to forge them--it isn't something most people ever bother to learn, even if they are heavy internet users. Only net abusers and those who want to stop them have to go to such lengths.

Even knowing what each of the header fields means, you need to learn how to use the tools to track down domain names and IP addresses and so on. The Unix commands whois, nslookup and traceroute are invaluable here. If you don't have a shell account, there are plenty of programs for Mac and PC users that will do the same, and there are also web sites that will allow you to use the same commands. (I use a program called NetScanTools for Win9x.) And SpamCop has a lovely feature, the Host Tracker, which lets you put in a domain name or IP address into their spam reporting field and get an email address to use for sending complaints.

As we go on I'll format the headers differently from the rest of the article text and place the header for each line or section just after it, but also show the whole message we're using at the beginning of the section. Please understand that I've learned what I know on this subject through having to trace many messages over the past five years, that I know absolutely zilch about the setup and administration of mail and news servers, and that when I'm puzzled I do not hesitate to hie myself to more learned individuals. What I do know, though, I'll share, so that you'll be better able to track the origin of any harassing messages or spam you receive. If I've made any errors here, I pray that you will be kind enough to email me to correct my misunderstanding.

In the next article, we'll look more closely at the headers of email messages.

Originally published February 1, 2001

About the Author

Cynthia Armistead is a freelance technical writer, quality assurance analyst, and Internet security advocate with a broad spectrum of experience.

Please if you'd like to discuss a project.