This article aims to help you understand a forged email by reading its headers. It may also be useful to readers who want a general introduction to mail transfer on the Internet. Note: the domain names and the IP addresses associated with them in the examples are fictitious.
Simple email header
Received: from mail.test.com (mail.test.com [123.456.78.90]) by mailhost.domainname.com (8.8.5/8.7.2) with ESMTP id LAA20869 for <abc@domainame.com>; Wed, 4 Dec 2002 14:39:24 -0800 (PST)
Received: from alpha.test.com (alpha.test.com [123.456.78.90]) by mail.myhosting.com (8.8.5) id 004A21; Wed, Dec 4 2002 14:36:17 -0800 (PST)
From: 123@test.com (Robin. Hood)
To: abc@domainname.com
Date: Wed, Dec 4 2002 14:36:14 EST
Message-Id: <rth031897143614-00000298@mail.test.com>
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I)
Subject: Lunch today?
This header is the one that "abc" sees on the email when he downloads and reads his mail.
Here is a line-by-line analysis of these headers and exactly what each one means.
Received: from mail.test.com
This piece of mail was received from a machine calling itself mail.test.com...
(mail.test.com [123.456.78.90])
...which is really named mail.test.com and has the IP address 123.456.78.90.
by mailhost.domainname.com (8.8.5/8.7.2)
The machine that did the receiving was mailhost.domainname.com; it is running a mail program called sendmail, version 8.8.5/8.7.2.
with ESMTP id LAA20869
The receiving machine assigned the ID number LAA20869 to the message. (This ID is used internally by that machine.)
for <abc@domainame.com>;
The message was addressed to abc@domainame.com. Note that this header is not related to the To: line.
Wed, 4 Dec 2002 14:39:24 -0800 (EST)
This mail transfer happened on Wednesday, December 4th, 2002, at 14:39:24 Eastern Standard Time (which is 5 hours behind Greenwich Mean Time; hence the "-0500").
Received: from alpha.test.com (alpha.test.com [123.456.78.90]) by mail.test.com (8.8.5) id 004A21; Wed, Dec 4 2002 14:36:17 -0800 (EST)
This line documents the mail handoff from alpha.test.com (123's workstation) to mail.test.com; this handoff happened at 14:36:17 Eastern Standard Time. The sending machine called itself alpha.test.com; it really is called alpha.test.com, and its IP address is 123.456.78.90. Test's mail server is running sendmail version 8.8.5, and it assigned the ID number 004A21 to this letter for internal processing.
From: 123@test.com (Robin. Hood)
The email was sent by 123@test.com, who gives his real name as Robin Hood.
To: abc@domainname.com
The email is addressed to abc@domainname.com.
Date: Wed, Dec 4 2002 14:36:14 EST
The message was composed at 14:36:14 Eastern Standard Time on Wednesday, December 4, 2002.
Message-Id: <rth031897143614-00000298@mail.test.com>
The message has been given this number (by mail.test.com) to identify it. This ID is different from the SMTP and ESMTP ID numbers in the Received: headers because it is attached to this message for life; the other IDs are only associated with specific mail transactions at specific machines, so that one machine's ID number means nothing to another machine. Sometimes the Message-ID has the sender's email address embedded in it; more often it has no intelligible meaning of its own.
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I)
The message was sent using a program called Mozilla 4.73 [en] (Windows NT 5.0; I).
Subject: Lunch today?
Self-explanatory.
Unusual Scenarios
Firewall
Scenario: domainname.com and test.com both have a firewall in place. domainname.com maintains machines in many physical locations, with several separate mail servers, and uses a single machine to decide which server incoming mail should be routed to.
This is the header.
Received: from mailgate.domainname.com (mailgate.domainname.com [121.214.11.102]) by mailhost3.domainname.com (8.8.5/8.7.2) with ESMTP id LAA30141 for <abc@domainname.com>; Wed, 4 Dec 2002 14:41:08 -0500 (EST)
Received: from firewall.domainname.com (firewall.domainname.com [121.214.13.129]) by mailgate.domainname.com (8.8.5/8.7.2) with ESMTP id LAA20869 for <abc@domainname.com>; Wed, 4 Dec 2002 14:40:11 -0500 (EST)
Received: from firewall.test.com (firewall.test.com [123.456.78.92]) by firewall.domainname.com (8.8.3/8.7.1) with ESMTP id LAA28874 for <abc@domainname.com>; Wed, 4 Dec 2002 14:39:34 -0500 (EST)
Received: from mail.test.com (mail.test.com [123.456.78.91]) by firewall.test.com (8.8.5) with ESMTP id LAA61271; Wed, 04 Dec 2002 14:39:08 -0500 (EST)
Received: from alpha.test.com (alpha.test.com [123.456.78.90]) by mail.test.com (8.8.5) id 004A21; Wed, Dec 4 2002 14:36:17 -0500 (EST)
From: 123@test.com (Robin. Hood)
To: abc@domainname.com
Date: Wed, Dec 4 2002 14:36:14 EST
Message-Id: <rth031897143614-00000298@mail.test.com>
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I)
Subject: Lunch today?
The history of the message can be reconstructed by reading the Received: headers from bottom to top; it went from alpha.test.com, to mail.test.com, to firewall.test.com, to firewall.domainname.com, to mailgate.domainname.com, to mailhost3.domainname.com, where it waits for abc to come along and read it.
Relaying
Received: from unwilling.intermediary.com (unwilling.intermediary.com [98.134.11.32]) by mail.test.com (8.8.5) id 004B32 for <123@test.com>; Wed, Dec 4 2002 16:39:50 -0500 (EST)
Received: from anydomain.com ([104.128.23.115]) by unwilling.intermediary.com (8.6.5/8.5.8) with SMTP id LAA12741; Wed, Jul 30 1997 19:36:28 -0500 (EST)
From: Anonymous Spammer <junkmail@anydomain.com>
To: (recipient list suppressed)
Message-Id: <w45qxz23-34ls5@unwilling.intermediary.com>
X-Mailer: Massive Annoyance
Subject: WANT TO MAKE ALOT OF MONEY???
A variety of things in this header might clue the reader in to the fact that this is a piece of electronic junk mail, but the thing to focus on here is the Received: lines. This message originated at anydomain.com, was passed from there to unwilling.intermediary.com, and from there to its final destination at mail.test.com. All well and good; but how did unwilling.intermediary.com get involved, since it has nothing to do with either the sender or the recipient?
Understanding this requires some knowledge of SMTP. In essence, anydomain.com simply connected to the SMTP port at unwilling.intermediary.com and told it "Send this message to 123@test.com". It did this, probably in the most direct manner imaginable, by saying RCPT TO: 123@test.com. At that point, unwilling.intermediary.com took over processing the message; since it had been told to send it to a user at some other domain (test.com), it went out and found the mail server for that domain and handed off its mail in the usual manner. This process is known as mail relaying.
The essential point here is to realize that the content of the message was formulated at the sending point (anydomain.com in the example above); the intermediate link, unwilling.intermediary.com, is involved only as an unwilling intermediary.
NOTE: In the sample header, the Message-Id: line was filled in, not by the sending machine (anydomain.com), but by the relayer (unwilling.intermediary.com). This is a common feature of relayed mail; it just reflects the fact that the sending machine didn't supply a Message-Id. The mail server at myhosting.com had its relay feature disabled.
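As an added example (not part of the original article), the following Python script reconstructs a message's route from its Received: lines the way the firewall and relaying sections describe, bottom to top, and flags the clues discussed above: a host that "calls itself" one name while the receiving server records another, a break between one hop's "by" and the next hop's "from", and timestamps that run backwards. The sample header is constructed for this example, with fictitious names and addresses like the article's own.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, fictitious names and addresses as in the article: a relayed
# message whose first hop announces a name that the relay's reverse DNS does not confirm.
RAW = """\
Received: from unwilling.intermediary.com (unwilling.intermediary.com [98.134.11.32]) by mail.test.com (8.8.5) id 004B32 for <123@test.com>; Wed, 4 Dec 2002 16:39:50 -0500 (EST)
Received: from mail.test.com (dialup-23-115.anydomain.com [104.128.23.115]) by unwilling.intermediary.com (8.6.5/8.5.8) with SMTP id LAA12741; Wed, 4 Dec 2002 16:41:02 -0500 (EST)
From: Anonymous Spammer <junkmail@anydomain.com>
"""

# "from <claimed> (<reverse-dns> [<ip>]) by <receiver> ... ; <date>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?P<actual>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)

def parse_received(raw_message):
    """Received: hops in transit order (bottom header = first hop)."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold folded headers
        if m:
            hop = m.groupdict()
            hop["time"] = parsedate_to_datetime(hop["date"])
            hops.append(hop)
    hops.reverse()  # each relay prepends its own line, so the last one is the first hop
    return hops

def route(hops):
    """Hostnames along the path, origin first, using the receiver's view of each sender."""
    return [hops[0]["actual"] or hops[0]["claimed"]] + [h["by"] for h in hops]

def audit_hops(hops):
    """Flag HELO name vs. reverse DNS, a broken chain between hops, and backwards time."""
    findings = []
    for i, hop in enumerate(hops, 1):
        if hop["actual"] and hop["actual"] != hop["claimed"]:
            findings.append(f"hop {i}: calls itself {hop['claimed']} but is "
                            f"{hop['actual']} [{hop['ip']}]")
        if i < len(hops) and hops[i]["claimed"] != hop["by"]:
            findings.append(f"hop {i}: received by {hop['by']}, but hop {i + 1} "
                            f"says it came from {hops[i]['claimed']}")
        if i > 1 and hop["time"] < hops[i - 2]["time"]:
            findings.append(f"hop {i}: timestamp earlier than hop {i - 1} (clock skew or forgery)")
    return findings
```

For the sample above, route() yields dialup-23-115.anydomain.com -> unwilling.intermediary.com -> mail.test.com, and audit_hops() reports the forged name on hop 1 and the backwards timestamp on hop 2.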