[Dshield] Email Header

Doug White doug at clickdoug.com
Fri Sep 26 23:40:51 GMT 2003

Here is the header information viewable by my email client for the message you
just sent to the discussion list.  As you can see the message transited a number
of places while various tasks were performed before passing it to the next step.
The indicated a transit through an internal proxy for tasks such as
virus-scanning, etc.  This is a header that is RFC compliant, and anything
(other than the X notations) could be considered a forgery, and with the
increasing number of states outlawing header forgery, I believe that full RFC
compliance will be forthcoming.  Not all servers add all this stuff, and some
mail clients strip much of it before delivery.

The actual source IP is which resolves to dns.aric.com

Received: from GULF.clickdoug.com [] by bayou with ESMTP
  (SMTPD32-8.01) id AAAC1F5014E; Fri, 26 Sep 2003 18:24:28 -0500
Received: from localhost (GULF [])
 by GULF.clickdoug.com (Postfix) with ESMTP id 53DF23E007C
 for <doug at clickdoug.com>; Fri, 26 Sep 2003 18:21:28 -0500 (CDT)
Received: from GULF.clickdoug.com ([])
 by localhost (GULF.clickdoug.com []) (amavisd-new) with ESMTP
 id 15258-20 for <doug at clickdoug.com>; Fri, 26 Sep 2003 18:21:25 -0500 (CDT)
Received: from iceman.incidents.org (mail2.giac.net [])
 by GULF.clickdoug.com (Postfix) with SMTP id A21F63E006C
 for <doug at clickdoug.com>; Fri, 26 Sep 2003 18:21:23 -0500 (CDT)
Received: (qmail 32038 invoked from network); 26 Sep 2003 23:24:26 -0000
Received: from chipper2-int (HELO viper.incidents.org) (
  by 0 with SMTP; 26 Sep 2003 23:24:26 -0000
Received: from localhost.localdomain (chipper2 [])
 by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h8QNMNH21823;
 Fri, 26 Sep 2003 19:22:23 -0400
Received: from dshield.org (charlie [])
 by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h8QLTtH28993
 for <list at viper.uunet>; Fri, 26 Sep 2003 17:29:56 -0400
Received: (qmail 27790 invoked from network); 26 Sep 2003 21:29:55 -0000
Received: from mail2.giac.net (HELO iceman.incidents.org) (
  by 0 with SMTP; 26 Sep 2003 21:29:55 -0000
Received: (qmail 7008 invoked from network); 26 Sep 2003 21:29:55 -0000
Received: from sea2-f58.sea2.hotmail.com (HELO hotmail.com) (
  by 0 with SMTP; 26 Sep 2003 21:29:55 -0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
  Fri, 26 Sep 2003 14:29:54 -0700
Received: from by sea2fd.sea2.hotmail.msn.com with HTTP;
 Fri, 26 Sep 2003 21:29:52 GMT
X-Originating-IP: []
X-Originating-Email: [jbeck80 at hotmail.com]
From: "john beck" <jbeck80 at hotmail.com>
To: list at dshield.org
Date: Fri, 26 Sep 2003 16:29:52 -0500
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <Sea2-F58fWOWTgROa8V0000fdfc at hotmail.com>
X-OriginalArrivalTime: 26 Sep 2003 21:29:54.0237 (UTC)
Old-X-Envelope-To: list at dshield.org
X-Seen-By: bob list
X-Envelope-To: UNKNOWN
X-Mailman-Approved-At: Fri, 26 Sep 2003 19:16:15 -0400
Subject: [Dshield] Email Header
X-BeenThere: list at dshield.org
X-Mailman-Version: 2.1
Precedence: list
Reply-To: General DShield Discussion List <list at dshield.org>
List-Id: General DShield Discussion List <list.dshield.org>
List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/list>,
 <mailto:list-request at dshield.org?subject=unsubscribe>
List-Archive: <http://www.dshield.org/pipermail/list>
List-Post: <mailto:list at dshield.org>
List-Help: <mailto:list-request at dshield.org?subject=help>
List-Subscribe: <http://www.dshield.org/mailman/listinfo/list>,
 <mailto:list-request at dshield.org?subject=subscribe>
Sender: list-bounces at dshield.org
Errors-To: list-bounces at dshield.org
X-Virus-Scanned: by amavisd-new & H+BEDV AntiVir
X-RCPT-TO: <doug at clickdoug.com>
Status: U
X-UIDL: 364522135


Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "john beck" <jbeck80 at hotmail.com>
To: <list at dshield.org>
Sent: Friday, September 26, 2003 4:29 PM
Subject: [Dshield] Email Header

| I have an email header question.  This would pertain to "what is best
| practice"?  Because they run an application firewall, and it has an smtp
| daemon, which directs smtp traffic to a machine internally that sweeps for
| malicious code, etc, then sends "cleansed email" on to email server which is
| internal also.  The mail headers in conclusion have the internal addresses
| of the mail server and sweeper.
[ snip ]|

More information about the list mailing list