For an example of interpreting full headers, I received an unsolicited advertisement for what I suppose is a porn site (I haven't visited it). The headers on that were displayed by pine as:

> Date: Fri, 22 Jan 1999 08:46:03 PM
> From: lpyehg@kwtk.kttxg.xgpv.com
> To: unlisted-recipients:; (no To-header on input)
> Subject: Asian, Japanese, Foreign SEX Girl? Free Now !!!
> [snip ad for porn site]

The return address, lpyehg@kwtk.kttxg.xgpv.com, is almost certainly a phoney. However, when I look at the full headers, I get (with a little manual line-wrapping and reformatting for readability):

> Received: from vectra.netfront.net ([202.81.252.12]:2847 "EHLO
> vectra.netfront.net" ident: "NO-IDENT-SERVICE") by halifax.chebucto.ns.ca
> with ESMTP id <34893-23757>; Sat, 23 Jan 1999 11:38:06 -0400
> Received: from someone.netvigator.com (hhtcm010216.netvigator.com
> [208.139.100.216]) by vectra.netfront.net (8.9.2/8.9.2) with ESMTP id
> XAA16616; Sat, 23 Jan 1999 23:32:38 +0800 (CST)
> Received: from ugjb.bnebr.brrl.com-by[pi69.myserver.com[199.200.333.555]]for
> [81.82.83.84] by someone.netvigator.com (FTGate 2, 1, 1, 0);
> Fri, 22 Jan 99 20:46:28 +0800
> Received: from mail.ihsjm.net (host.hdbix.net [165.874.194.259]) by
> pcok.msark_er.net (8.7.3/6.7.3) with SMTP id CFF89341
> for ; Thu, 21 Jan 1999 08:46:03 PM
> - 6000 (EST)
> Received: (from kspeter@host.milnmn.com) by host.hdbix.net (8.6.9/8.6.9)
> id AKK56394 for ; SMTP id MDD81541
> for ; Wed, 20 Jan 1999 08:46:03 PM
> - 6000 (EST)
> Received: from host.jdksolsls.com (money.jdhswin.com [230.356.57.69]) by
> $4me.&you.com (8.6.12/8.6.12) with ESMTP id WHH36432 for ;
> root@robot.bizs.ensht.net; Tue, 19 Jan 1999 08:46:03 PM - 6000
> (EST)
> Received: from myserver.onmeym.net.com (root@robot.bizs.ensht.net
> [284.36.221.286])
> by mail.ksnshd.com (8.6.12/8.6.12) with ESMTP id PCC38491 for
> ; Mon, 18 Jan 1999 08:46:03 PM
> - 6000 (EST)
> Message-Id: <199901222046.XBK5552@ugjb.bnebr.brrl.com>
> Date: Fri, 22 Jan 1999 08:46:03 PM
> Subject: Asian, Japanese, Foreign SEX Girl? Free Now !!!
> X-UIDL: 870483888.388
> From: lpyehg@kwtk.kttxg.xgpv.com
> To: unlisted-recipients:; (no To-header on input)
> Return-Path:
> X-Orcpt: rfc822;af380@chebucto.ns.ca
> [snip advertisement]

Analysing the lines from the top down, I get:

> Received: from vectra.netfront.net ([202.81.252.12]:2847 "EHLO
> vectra.netfront.net" ident: "NO-IDENT-SERVICE") by halifax.chebucto.ns.ca
> with ESMTP id <34893-23757>; Sat, 23 Jan 1999 11:38:06 -0400

Chebucto Community Net received this from [202.81.252.12]. The machine claimed to be vectra.netfront.net ("EHLO vectra.netfront.net") and was telling the truth. A lookup of 202.81.252.12 at the Sam Spade site (recently moved from "http://www.blighty.com/spam/spade.html" to "http://samspade.org/classic/") verifies this.

> Received: from someone.netvigator.com (hhtcm010216.netvigator.com
> [208.139.100.216]) by vectra.netfront.net (8.9.2/8.9.2) with ESMTP id
> XAA16616; Sat, 23 Jan 1999 23:32:38 +0800 (CST)

vectra.netfront.net received the message from [208.139.100.216], which claimed to be "someone.netvigator.com" but was really "hhtcm010216.netvigator.com" (again verified with Sam Spade). The line *could* be a forgery by someone at vectra.netfront.net, but it would have to have been done by an expert with enough subtlety to forge *one* plausible-looking header and then a bunch of obvious forgeries below it to throw the blame at netvigator.com. It is *much* more likely that the spam came from netvigator -- especially considering the track record netvigator has for harbouring spammers, and the fact that a relay test on vectra.netfront.net with the Sam Spade site (I use it a lot) indicates that the server there is configured as a promiscuous relay, accepting mail from anybody and forwarding it to anybody.
> Received: from ugjb.bnebr.brrl.com-by[pi69.myserver.com[199.200.333.555]]for
> [81.82.83.84] by someone.netvigator.com (FTGate 2, 1, 1, 0);
> Fri, 22 Jan 99 20:46:28 +0800

Either a total forgery, or else someone connected to the netvigator machine and lied in the "HELO" (or "EHLO") mail command, claiming to be "ugjb.bnebr.brrl.com-by[pi69.myserver.com[199.200.333.555]]for", and the netvigator machine is so misconfigured that it fails to record the actual sender and just copies whatever the sending machine claims to be. Note the lack of spaces between "myserver.com", "[199.200.333.555]]" and "for" -- that's a sure sign of lying in the "HELO" command. Also, there could never be an IP number of 199.200.333.555, because all four numbers in a dotted-quad IP address have to be between 0 and 255. The sending machine is [81.82.83.84], but the netvigator server does NOT put it in parentheses. The "for" in the string fraudulently passed as the machine name is intended to make recipients think that [81.82.83.84] was a recipient when it was actually the sender. Also, since that is a reserved number not for use on the Internet, it is likely another netvigator machine on an internal network, so netvigator is the source of the spam.

All of the headers below this are total forgeries. The "- 6000 (EST)" is one sign: (EST) is -0400, but one piece of spamware that generated forged headers got it wrong and used "-0600". Two "corrections" later it was still getting it wrong. The lack of continuity (the "by" host in each one fails to match the "from" in the next higher line) and the mismatch of the "for " parts of the lines are other signs of forgery.

(Exception: the "X-Orcpt: rfc822;af380@chebucto.ns.ca" header is added by the CCN mailing system so I can see which of my addresses was used in the junk email, even though the recipients were all specified in the (unshown) "envelope" and not in the headers. I still got spam to my "af380@ccn .cs.dal .ca" address, and even to my older "af380@cfn .cs.dal .ca", on a regular basis until the day before those addresses were permanently retired. Note that I have added a space before the ".cs" and ".ca" above to stop CCN's script that looks for obsolete addresses from bugging me about these two.)

So my complaint will go to netvigator.com asking them to discipline their spamming user, and a notice about the misuse of their server will be sent to netfront.net with a link to information on how to secure several versions of mail server.
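The forgery signs walked through above (an impossible octet such as 333, a zone written "- 6000" instead of [+-]HHMM, a HELO name that cannot be a hostname, and a "by" host that fails to match the "from" of the line above it) can be checked mechanically over a whole Received: chain. This is an added example, not code from the original article; the header values are the ones quoted above, re-typed as a constructed sample, and the function names and indicator labels are my own.

```python
import re

# Constructed sample: the first four Received: values quoted above, re-typed
# one hop per string, newest hop first (the order they appear in the message).
RECEIVED = [
    'from vectra.netfront.net ([202.81.252.12]:2847 "EHLO vectra.netfront.net" ident: "NO-IDENT-SERVICE") by halifax.chebucto.ns.ca with ESMTP id <34893-23757>; Sat, 23 Jan 1999 11:38:06 -0400',
    'from someone.netvigator.com (hhtcm010216.netvigator.com [208.139.100.216]) by vectra.netfront.net (8.9.2/8.9.2) with ESMTP id XAA16616; Sat, 23 Jan 1999 23:32:38 +0800 (CST)',
    'from ugjb.bnebr.brrl.com-by[pi69.myserver.com[199.200.333.555]]for [81.82.83.84] by someone.netvigator.com (FTGate 2, 1, 1, 0); Fri, 22 Jan 99 20:46:28 +0800',
    'from mail.ihsjm.net (host.hdbix.net [165.874.194.259]) by pcok.msark_er.net (8.7.3/6.7.3) with SMTP id CFF89341 for ; Thu, 21 Jan 1999 08:46:03 PM - 6000 (EST)',
]
HOSTNAME = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$')
IP_LITERAL = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')
TRAILING_ZONE = re.compile(r'([+-]\s*\d{3,4})\s*(?:\([A-Z]+\))?\s*$')
VALID_ZONE = re.compile(r'[+-](?:[01]\d|2[0-3])[0-5]\d')

def parse_received(value):
    """Return the (from, by) host tokens of one Received: value."""
    m_from = re.search(r'\bfrom\s+(\S+)', value)
    m_by = re.search(r'\bby\s+(\S+)', value)
    return (m_from.group(1) if m_from else None, m_by.group(1) if m_by else None)

def check_hop(value):
    """Forgery indicators visible within a single Received: value."""
    problems = []
    claimed, _ = parse_received(value)
    # A HELO name containing '[' or ']' (the "...com-by[pi69...]]for" trick) is a lie the relay copied.
    if claimed and not HOSTNAME.match(claimed.strip('[]')):
        problems.append('helo-name-not-a-hostname')
    # Every octet of a dotted quad must be 0..255, so 333 or 874 cannot be real.
    for quad in IP_LITERAL.findall(value):
        if any(int(octet) > 255 for octet in quad.split('.')):
            problems.append('impossible-ip:' + quad)
    # A genuine date ends in a [+-]HHMM offset; "- 6000" is not one.
    m = TRAILING_ZONE.search(value)
    if not m or not VALID_ZONE.fullmatch(m.group(1)):
        problems.append('bad-timezone')
    return problems

def check_chain(received):
    """Headers are prepended, so each hop's 'from' host should equal the 'by' host of the hop below it."""
    breaks = []
    for upper, lower in zip(received, received[1:]):
        claimed, _ = parse_received(upper)
        _, relay = parse_received(lower)
        if claimed != relay:
            breaks.append((claimed, relay))
    return breaks

if __name__ == '__main__':
    print([check_hop(v) for v in RECEIVED], check_chain(RECEIVED))
```

The two genuine hops at the top come back clean and the chain first breaks between the netvigator hop and the one below it, which is exactly where the analysis above places the start of the forgeries.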