Header files are monitored to extract the information about the sender, the route taken and certain other things. Now, every header file does not give you enough information, mostly in the case of web based mail programs like gmail and yahoo. But hotmail has the trend of attaching “ X- originating IP” in the header file which contains the email and IP address of the computer from which the email was sent. e.g.
I have masked the IP address for security purpose.
However, same is not true for Gmail or Yahoo mail. They don’t add any such information if the email is sent from a web based mail program. Hotmail or live mail does this to figure out the origin of spam or phishing mails. Not a foolproof method to counter spam but effective sometimes.
But if the sender uses a desktop based mail program like Outlook or Eudora or Incredimail etc., you may find the IP of the sender’s computer. The IP address and machine name is one of the first things that get added to the header file. The IP address could be the IP address of the computer which is directly connected to Internet or it could be the address of a router. Well, even this can be faked.
Let us understand through some examples of the header files …
NOTE : unimportant data is not shown.
Header files of an email received from a web based mail program :
X-Apparently-To: ******@yahoo.com via 184.108.40.206; Mon, 20 Sep 2010 07:21:31 -0700
Received-SPF: pass (mta1188.mail.sk1.yahoo.com: domain of firstname.lastname@example.org designates 220.127.116.11 as permitted sender)
X-YMailISG: zhjciiocZAr0A1zpFh5t5Rj.LSVeZFGWC8HYRDb.qOGPnalU LVLBncoIcmp05C2ma3amJN_.PDdW5gmqKebX3OzwpOL4h7vxwSbdqD6oGdd5 ……
Authentication-Results: mta1188.mail.sk1.yahoo.com from=gmail.com; domainkeys=pass (ok); from=gmail.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO mail-pw0-f42.google.com) (18.104.22.168) by mta1188.mail.sk1.yahoo.com with SMTP; Mon, 20 Sep 2010 07:21:30 -0700
Received: by mail-pw0-f42.google.com with SMTP id 9so1549545pwj.1 for <*******@yahoo.com>; Mon, 20 Sep 2010 07:21:30 -0700 (PDT)
Received: by 10.143.40.18 with SMTP id s18mr7678419wfj.283.1284992490002; Mon, 20 Sep 2010 07:21:30 -0700 (PDT)
Received: by 10.143.161.2 with HTTP; Mon, 20 Sep 2010 07:21:29 -0700 (PDT)
Date: Mon, 20 Sep 2010 19:51:29 +0530
Subject: checking again
From: This sender is DomainKeys verified check checkk <email@example.com> Add sender to Contacts
Content-Type: multipart/alternative; boundary=001636e0b5e4e7d9e10490b1a0a2
None of this contains the IP address of the sender.
Let us have a look at another header file sent from Microsoft Outlook 2007:
X-Apparently-To: ******@yahoo.com via 22.214.171.124; Mon, 20 Sep 2010 07:18:31 -0700
Received-SPF: pass (mta1082.mail.ac4.yahoo.com: domain of firstname.lastname@example.org designates 126.96.36.199 as permitted sender)
Authentication-Results: mta1082.mail.ac4.yahoo.com from=gmail.com; domainkeys=pass (ok); from=gmail.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO mail-px0-f182.google.com) (188.8.131.52) by mta1082.mail.ac4.yahoo.com with SMTP; Mon, 20 Sep 2010 07:18:28 -0700
Received: by pxi17 with SMTP id 17so1777220pxi.41 for <email@example.com>; Mon, 20 Sep 2010 07:18:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com;
Received: by 10.114.46.8 with SMTP id t8mr10160141wat.32.1284992307235; Mon, 20 Sep 2010 07:18:27 -0700 (PDT)
Received: from myPC ([***.234.80.49]) by mx.google.com
with ESMTPS id o17sm13595920wal.21.2010.09.20.07.18.24 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 20 Sep 2010 07:18:26 -0700 (PDT)
From: This sender is DomainKeys verified “check.wsx” <firstname.lastname@example.org> Add sender to Contacts
Date: Mon, 20 Sep 2010 19:48:19 +0530
X-Mailer: Microsoft Office Outlook 12.0
Have a look at the underlined data which shows the name and IP of the computer from where the mail was sent.
With this piece of info in hand you can find out the ISP with which the IP address is registered and can report any suspicious activity. However, the law enforcement ppl can go a step ahead, they can even get the residential address of the registered user from the ISP.
Do a google search or bing 🙂 to find out how you can view the headers in your email clients.