[Dshield] Email Headers

Hank hank at panamahank.com
Fri Jun 7 03:52:27 GMT 2002


Most of the spam I get nowadays is untraceable past the open relay.
There is so little of it that is traceable to origin that it is hardly
worth bothering, but if you want to try, view the email source code.
Some clients will show the source when you select full headers; others
require you to select source code view. Pay no attention to the From:
block. It is either faked or a free throw-away address. In the sample
header below, the "Received:" line closest to the Message-ID line is the
origin. What you will find in almost every spam email is that this
address belongs to an open mail relay, and tracing beyond that point is
futile. The last one I bothered to investigate was a Win 2000 computer
on a DSL line in an optometrist's office in California.

Hank

Return-Path: <hxxxxx at cableonda.net>

Received: from cableonda.net ([64.215.xxx.xxx]) by sv16.cwpanama.net  
          with ESMTP id <20020607030156.XXXXXXXx.sv16 at cableonda.net>;   
          Thu, 6 Jun 2002 22:01:56 -0500

Received: from [200.75.xxx.xxx] (HELO xxxxxx4w79muwa) by cableonda.net
        (CommuniGate Pro SMTP 3.4.8) with SMTP id 11739xxx; Thu, 06 
        Jun 2002 22:08:33 -0500

Message-ID: <000401c20d63$12fa1d60$20c04bc8 at hxxxxx4w79xxxx>
From: "Xxxxxxx Xxxxxx" <xxxxxxx at cableonda.net>

To: <Undisclosed-Recipient:;>
Subject: YOKES


On Thu, 2002-06-06 at 20:54, Wayne Beckham wrote:
> Does anyone have a quick guide to how to tear apart e-mail headers to
> find the actual point of origin?
> - Wayne
> 
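The walk Hank describes (Received: lines are prepended as the message moves, so the one nearest Message-ID is the earliest hop) can be scripted. The block below is an added example, not code from the original post. The sample message is constructed: it mirrors the header layout shown above, keeps the hostnames from it, and substitutes RFC 5737 documentation addresses for the masked octets. The function names (parse_received, trace_hops, origin) and the trusted_by parameter are my own. The one caveat the post does not spell out is built into origin(): only the Received: lines written by relays you trust are reliable, because the sender can prepend fake ones, so the walk stops at the first hop whose "by" host is not in the trusted set.

```python
import email
import re

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <name/literal> (<comment>) by <host> ..." is the shape both sample hops use.
HOP_RE = re.compile(r"^from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.I | re.S)

# Constructed sample, modeled on the headers in the post above. Hostnames are
# the ones shown there; 192.0.2.10 and 198.51.100.77 (RFC 5737 documentation
# addresses) stand in for the masked octets.
SAMPLE = """\
Return-Path: <hxxxxx@cableonda.net>
Received: from cableonda.net ([192.0.2.10]) by sv16.cwpanama.net
          with ESMTP id <20020607030156.sv16@cableonda.net>;
          Thu, 6 Jun 2002 22:01:56 -0500
Received: from [198.51.100.77] (HELO xxxxxx4w79muwa) by cableonda.net
        (CommuniGate Pro SMTP 3.4.8) with SMTP id 11739; Thu, 06
        Jun 2002 22:08:33 -0500
Message-ID: <000401c20d63$12fa1d60$20c04bc8@hxxxxx4w79xxxx>
From: "Xxxxxxx Xxxxxx" <xxxxxxx@cableonda.net>
To: <Undisclosed-Recipient:;>
Subject: YOKES

(body omitted)
"""


def parse_received(value):
    """Parse one Received: value (folded or not) into from_name/from_ip/by.
    Returns None when there is no 'from ... by ...' clause, which some MTAs
    omit for locally submitted mail."""
    text = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.match(text)
    if not m:
        return None
    from_part = m.group("from")
    ip = IPV4_RE.search(from_part)
    # First token is the HELO/rDNS name the relay logged; a bracketed
    # literal means it recorded only the peer's address.
    name = from_part.split()[0].strip("[]")
    return {
        "from_name": name,
        "from_ip": ip.group(1) if ip else None,
        "by": m.group("by").rstrip(";,"),
    }


def trace_hops(raw_message):
    """Each relay prepends its own Received: line, so the topmost one is the
    last hop. Return the parsable hops in delivery order, earliest first."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def origin(raw_message, trusted_by=None):
    """Earliest sending address recorded by a relay we trust. Walk from the
    latest hop backwards; once the 'by' host is not in trusted_by, every
    earlier line could have been forged by the sender, so stop there.
    With trusted_by=None every hop is trusted (the walk the post describes)."""
    best = None
    for hop in reversed(trace_hops(raw_message)):
        if trusted_by is not None and hop["by"] not in trusted_by:
            break
        best = hop["from_ip"] or hop["from_name"]
    return best


if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(SAMPLE), 1):
        print(f"hop {n}: {hop['from_name']} [{hop['from_ip']}] -> {hop['by']}")
    print("origin, trusting every relay:", origin(SAMPLE))
    print("origin, trusting only our own MX:",
          origin(SAMPLE, trusted_by={"sv16.cwpanama.net"}))
```

Trusting every line gives 198.51.100.77, the dial-up/DSL box behind the relay; trusting only your own server stops at the relay's address, which is the only hop you can actually vouch for. In practice you trust your own MX and any upstream relay you know, and treat everything below that as the sender's word.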



