Manage Learn to apply best practices and optimize your operations.

Can email header information be used to track down spoofers?

Expert Mike Cobb explains how to use your received headers to trace unwanted emails.

Can the header information received from rejected spoofed emails help track down spoofers?

Unfortunately, Simple Mail Transfer Protocol (SMTP), the main protocol used when sending email, does not include a way to authenticate where the email message originated. However, the mail server inserts a Received: header at the top of every email message it processes, providing a continuous track of the message's route and making it possible to determine the origin of the message.

In fact, the only part of the email header that can't be faked is the Received: line, which references your mail server. Spammers often add spoofed Received: headers to try to hide the true origin of the unwanted email, but modern mail transfer programs record the sender's correct IP address. So even if the sender uses a fictitious or false name when contacting the receiving server, you can determine the origin of the spoofed message.

Let's take a look at a typical Received header:

Received: from bay121-f19.bay121.hotmail.com ([] helo=hotmail.com) by argon.webfusion.co.uk with esmtp (Exim 4.54) id 1FvB5u-0007UK-Qd for; Tue, 27 Jun 2006 11:46:58 +0100

This header indicates the message was received by argon.webfusion.co.uk (which runs esmtp Message Transfer Agent) from a server named bay121-f19.bay121.hotmail.com on June 27, 2006 at 11:46:58, which is one hour ahead of the Universal clock Time. It also shows us that the host bay121-f19.bay121.hotmail.com has an IP address of Using the WHOIS tool we know that this IP address is registered to Microsoft.

Since Received: headers are always added to the top of the message, check each of the subsequent Received headers to find the first one that is suspicious. Perform a whois lookup of the IP addresses in the Received: header to see who, if anyone, owns the address. Any headers after such a header can be safely ignored. This first invalid header means that it must be spoofed. You can presume that the general origin of the spam is the server that received the message with this false information. Using the IP address you can look up the name and contact details of the registered owner of the receiving server, probably an ISP. Email them and provide a sample of the spam you received, making sure to include the full message headers. Even if the ISP can use their logs to trace who sent the email, it may well have come from a zombie machine -- a PC taken over by a spammer to send spam unbeknown to the owner. You can also report spam via the CERT Web-based Incident Reporting Form at https://irf.cc.cert.org if you do not get a satisfactory response from the ISP.

In order to provide as much information as possible to help trace unwanted emails, increase the level of logging on your mail server. Also, consider configuring your firewall to route SMTP connections from outside your firewall through a central mail hub. This will provide you with a single point of entry for email and central logging capabilities. Finally, consider using digital signatures, like PGP, to exchange authenticated email messages. This provides a mechanism for ensuring that a message is from who it appears to be, as well as ensuring that the message has not been altered in transit. Similarly, you may want enable SSL/TLS in your mail transfer software to increase the amount of authentication performed when sending mail.

This was last published in September 2006

Dig Deeper on Email and Messaging Threats-Information Security Threats