10 December 2008

Howto Read Email Header

Now some of you may think that headers are too simple or boring to waste
time on. However, a few weeks ago I asked the 3000+ readers of the Happy
Hacker list if anyone could tell me exactly what email tricks I was playing
in the process of mailing out the Digests. But not one person replied with a
complete answer -- or even 75% of the answer -- or even suspected that for
months almost all Happy Hacker mailings have doubled as protests. The

targets: ISPs offering download sites for email bomber programs. Conclusion:
it is time to talk headers!

In this Guide we will learn:
· what is a header
· why headers are fun
· how to see full headers
· what all that stuff in your headers means
· how to get the names of Internet host computers from your headers
· the foundation for understanding the forging of email and Usenet posts,
catching the people who forge headers, and the theory behind those email
bomber programs that can bring an entire Internet Service Provider (ISP) to
its knees

This is a Guide you can make at least some use of without getting a shell
account or installing some form of Unix on your home computer. All you need
is to be able to send and receive email, and you are in business. However,
if you do have a shell account, you can do much more with deciphering
headers. Viva Unix!

Headers may sound like a boring topic. Heck, the Eudora email program named
the button you click to read full headers "blah blah blah." But all those
guys who tell you headers are boring are either ignorant -- or else afraid
you'll open a wonderful chest full of hacker insights. Yes, every email
header you check out has the potential to unearth a treasure hidden in some
back alley of the Internet.

Now headers may seem simple enough to be a topic for one of our Beginners'
Series Guides. But when I went to look up the topic of headers in my library
of manuals, I was shocked to find that most of them don't even cover the
topic. The two I found that did cover headers said almost nothing about
them. Even the relevant RFC 822 is pretty vague. If any of you
super-vigilant readers looking for flame bait happen to know of any
literature that *does* cover headers in detail, please include that
information in your tirades!

Technical tip: Information relevant to headers may be extracted from
Requests for Comments (RFCs) 822 (best), as well as 1042, 1123, 1521 and
1891 (not a complete list). To read them, take your Web browser to
http://altavista.digital.com and search for "RFC 822" etc.

Lacking much help from manuals, and finding that RFC 822 didn't answer all
my questions, the main way I researched this article was to send email back
and forth among some of my accounts, trying out many variations in order to
see what kinds of headers they generated. Hey, that's how real hackers are
supposed to figure out stuff when RTFM (read the fine manual) or RTFRFC
(read the fine RFC)doesn't tell us as much as we want to know. Right?

One last thing. People have pointed out to me that every time I put an email
address or domain name in a Guide to (mostly) Harmless Hacking, a zillion
newbies launch botched hacking attacks against these. All email addresses
and domain names below have been fubarred.

Newbie note: The verb "to fubar" means to obscure email addresses and
Internet host addresses by changing them. Ancient tradition holds that it is
best to do so by substituting "foobar" or "fubar" for part of the address.


If you are new to hacking, the headers you are used to seeing may be
incomplete. Chances are that when you get email it looks something like this:

From: Cool Guy
Date: Fri, 1 March 2002
To: hacker@techbroker.com

But if you know the right command, suddenly, with this same email message,
we are looking at tons and tons of stuff:

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
for techbr@fooway.net id OAA07210; Fri, 1 March 2002
Received: from ifi.foobar.no by o200.fooway.net via ESMTP
for id OAA18967; Fri, 1 March 2002
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no
[129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4)
id for ; Fri, 1 March 2002
From: Vegbar Fubar
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri,
1 March 2002
Date: Fri, 1 March 2002
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
To: hacker@techbroker.com

Hey, have you ever wondered why all that stuff is there and what it means?
We'll return to this example later in this tutorial. But first we must
consider the burning question of the day:


Why bother with those "fucking" headers? They are boring, right? Wrong!

1) Ever hear a wannabe hacker complaining he or she doesn't have the
addresses of any good computers to explore? Have you ever used one of those
IP scanner programs that find valid Internet Protocol addresses of Internet
hosts for you? Well, you can find gazillions of valid addresses without the
crutch of one of these programs simply by reading the headers of emails.

2) Ever wonder who really mailed that "Make Money Fast" spam? Or who is that
klutz who email bombed you? The first step to learning how to spot email
forgeries and spot the culprit is to be able to read headers.

3) Want to learn how to convincingly forge email? Do you aspire to write
automatic spam or email bomber programs? (I disapprove of spammer and email
bomb programs, but let's be honest about the kinds of knowledge their
creators must draw upon.) The first step is to understand headers.

4) Want to attack someone's computer? Find out where best to attack from the
headers of their email. I disapprove of this use, too. But I'm dedicated to
telling you the truth about hacking, so like it or not, here it is.


So you look at the headers of your email and it doesn't appear have any good
stuff whatsoever. Want to see all the hidden stuff? The way you do this
depends on what email program you are using.

The most popular email program today is Eudora. To see full headers in
Eudora, just click the "blah, blah, blah" button on the far left end of the
tool bar.

The Netscape web browser includes an email reader. To see full headers,
click on Options, then click the "Show All Headers" item.

Sorry, I haven't looked into how to do that with Internet Explorer. Oh, no,
I can see the flames coming, how dare I not learn the ins and outs of IE
mail! But, seriously, IE is a dangerously insecure Web browser because it is
actually a Windows shell. So no matter how often Microsoft patches its
security flaws, chances are you will be hurt by it one of these days. Just
say "no" to IE.

Another popular email program is Pegasus. Maybe there is an easy way to see
full headers in Pegasus, but I haven't found it. The hard way to see full
headers in Pegasus -- or IE -- or any email program -- is to open your mail
folders with Wordpad. It is included in the Windows 95 operating system and
is the best Windows editing program I have found for handling documents with
lots of embedded control characters and other oddities.

The Compuserve 3.01 email program automatically shows full headers. Bravo,


We'll start by taking a look at a mildly interesting full header. Then we'll
examine two headers that reveal some interesting shenanigans. Finally we
will look at a forged header.

OK, let us return to that fairly ordinary full header we looked at above. We
will decipher it piece by piece. First we look at the simple version:

From: Cool Guy
Date: Fri, 1 March 2002
To: hacker@techbroker.com

The information within any header consists of a series of fields separated
from each other by a "newline" character. Each field consists of two parts:
a field name, which includes no spaces and is terminated by a colon; and the
contents of the field. In this case the only fields that show are "From:,"
"Date:," and "To:".

In every header there are two classes of fields: the "envelope," which
contains only the sender and recipient fields; and everything else, which is
information specific to the handling of the message. In this case the only
field that shows which gives information on the handling of the message is
the Date field.

When we expand to a full header, we are able to see all the fields of the
header. We will now go through this information line by line.

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)for
techbr@fooway.net id OAA07210; Fri, 1 March 2002

This line tells us that I downloaded this email from the POP server at a
computer named o200.fooway.net. This was done on behalf of my account with
email address of techbr@fooway.net. The (950413.SGI.8.6.12/951211.SGI) part
identifies the software name and version running that POP server.

Newbie note: POP stands for Post Office Protocol. Your POP server is the
computer that holds your email until you want to read it. Usually your the
email program on your home computer or shell account computer will connect
to port 110 on your POP server to get your email.
A similar, but more general protocol is IMAP, for Interactive Mail Access
Protocol. Trust me, you will be a big hit at parties if you can hold forth
on the differences between POP and IMAP, you big hunk of a hacker, you!
(Hint: for more info, RTFRFCs.)

Now we examine the second line of the header:

Received: from ifi.foobar.no by o200.fooway.net via ESMTP
(950413.SGI.8.6.12/951211.SGI)for id OAA18967; Fri,
1 March 2002

Well, gee, I didn't promise that this header would be *totally* ordinary.
This line tells us that a computer named ifi.foobar.no passed this email to
the POP server on o200.fooway.net for someone with the email address of
hacker@techbroker.com. This is because I am piping all email to
hacker@techbroker.com into the account techbr@fooway.net. Under Unix this is
done by setting up a file in your home directory named ".forward" with the
address to which you want your email sent. Now there is a lot more behind
this, but I'm not telling you. Heh, heh. Can any of you evil geniuses out
there figure out the whole story?

"ESMTP" stands for "extended simple mail transfer protocol." The
"950413.SGI.8.6.12/951211.SGI" designates the program that is handling my email.

Now for the next line in the header:

Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no
[129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id
for ; Fri, 1 March 2002

This line tells us that the computer ifi.foobar.no got this email message
from the computer gyllir.ifi.foobar.no. These two computers appear to be on
the same LAN. In fact, note something interesting. The computer name
gyllir.ifi.foobar.no has a number after it, 129.xxx.64.230. This is the
numerical representation of its name. (I substituted ".xxx." for three
numbers in order to fubar the IP address.) But the computer ifi.foobar.no
didn't have a number after its name. How come?

Now if you are working with Windows 95 or a Mac you probably can't figure
out this little mystery. But trust me, hacking is all about noticing these
little mysteries and probing them (until you find something to break,
muhahaha -- only kidding, OK?)

But since I am trying to be a real hacker, I go to my trusty Unix shell
account and give the command:

>nslookup ifi.foobar.no

Server: Fubarino.com

Non-authoritative answer:
Name: ifi.foobar.no
Address: 129.xxx.64.2

Notice the different numerical IP addresses between ifi.foobar.no and
gyllir.ifi.foobar.no. Hmmm, I begin to think that the domain ifi.foobar.no
may be a pretty big deal. Probing around with dig and traceroute leads me to
discover lots more computers in that domain. Probing with nslookup in the
mode "set type=any" tells me yet more.