[Dshield] Email Headers

Micheal Patterson micheal at cancercare.net
Fri Jun 7 14:14:41 GMT 2002

To find the actual origin system of any email, check the info just above the
From: line.

Received: from ip-91-210.gst.pe.net (HELO den) (wbeckham at with
by smtp.mail.vip.sc5.yahoo.com with SMTP; 7 Jun 2002 01:54:39 -0000
From: "Wayne Beckham" <wbeckham at yahoo.com>
To: <list at dshield.org>

The "Received: from" field is the ip/host that actually connected to the
SMTP server listed in the "by" just below it. To find out which system sent
the message to your server, find the last "by" line near the bottom of the
header area. The headers are read from bottom to top.

The above headers are from the message that I'm responding to.

Micheal Patterson
Network Administration
Cancer Care Network

----- Original Message -----
From: "Wayne Beckham" <wbeckham at yahoo.com>
To: <list at dshield.org>
Sent: Thursday, June 06, 2002 8:54 PM
Subject: [Dshield] Email Headers

> Does anyone have a quick guide to how to tear apart e-mail headers to
> find the actual point of origin?  Specifically, we're getting a lot of
> spam-mail from web-based e-mail services, such as Yahoo, and I was
> wondering if there was anyway to find out where they're really coming
> from.
> - Wayne
> [[ Attachement of type text/html deleted]]
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:

More information about the list mailing list