- Introduction to headers
- What full headers look like
- What full headers do not look like
- How to display and send full headers in various email programs
- Where to send abusive, spam or phishing email
In most situations, people are interested in seeing only the first few headers on a message (From, To, Cc, Subject, and Date), so most email programs such as Gmail, Outlook, Thunderbird and Apple Mail display only those when the recipient reads the message or forwards it. The rest of the headers are masked.
Unfortunately, those first few headers are easy to forge, and this commonly occurs in cases of harassment, viruses, junk email, or chain-letters. Fortunately, the Received: headers are extremely difficult to forge and can be used to identify the source of the offensive email.
If you report a case of harassment, abuse, unsolicited commercial email, chain-letters, phishing or other potentially harmful communication, you will need to send a complete copy of the message with full email headers to NC State Postmasters. Full headers allow them to track a message back to the IP address from which it was sent; a message without full headers cannot be tracked.
—————–Begin Example of Full Header—————–
Received: by 10.220.150.3 with SMTP id w3cs127581vcv;
Tue, 4 Oct 2011 14:49:35 -0700 (PDT)
Received: by 10.236.156.33 with SMTP id l21mr9893981yhk.24.1317764974722;
Tue, 04 Oct 2011 14:49:34 -0700 (PDT)
Received: from uni02mi.unity.ncsu.edu (uni02mi.unity.ncsu.edu. [184.108.40.206])
by mx.google.com with ESMTP id q64si7645508yhm.106.2011.10.04.14.49.34;
Tue, 04 Oct 2011 14:49:34 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of email@example.com designates 220.127.116.11 as permitted sender) client-ip=18.104.22.168;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of firstname.lastname@example.org designates 22.214.171.124 as permitted sender) email@example.com
Received: from psmtp.com (na3sys009amx171.postini.com [126.96.36.199])
by uni02mi.unity.ncsu.edu (8.14.4/8.14.4/Nv6.2010.0805) with ESMTP id p94LnXE9013797
for <firstname.lastname@example.org>; Tue, 4 Oct 2011 17:49:34 -0400 (EDT)
Received: from na3sys009aog108.obsmtp.com ([188.8.131.52]) (using TLSv1) by na3sys009amx171.postini.com ([184.108.40.206]) with SMTP;
Tue, 04 Oct 2011 17:49:34 EDT
Received: from mail-iy0-f177.google.com ([220.127.116.11]) (using TLSv1) by na3sys009aob108.postini.com ([18.104.22.168]) with SMTP;
Tue, 04 Oct 2011 14:49:34 PDT
Received: by mail-iy0-f177.google.com with SMTP id r31so1594200iar.22
for <email@example.com>; Tue, 04 Oct 2011 14:49:33 -0700 (PDT)
Received: by 10.231.48.149 with SMTP id r21mr2914117ibf.95.1317764972336; Tue,
04 Oct 2011 14:49:32 -0700 (PDT)
Received: by 10.231.37.131 with HTTP; Tue, 4 Oct 2011 14:49:32 -0700 (PDT)
Date: Tue, 4 Oct 2011 17:49:32 -0400
Subject: Fwd: Mail headers solution
From: XYZ ABC <XYZ_ABC@ncsu.edu>
To: John Q NCSU <firstname.lastname@example.org>
Content-Type: multipart/alternative; boundary=000e0cd1af2e12d75d04ae80119c
X-pstn-levels: (S:99.90000/99.90000 CV:99.9000 FC:93.6803 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.0225) cv GT3 gt2 gt1 r p m c
X-pstn-addresses: from <XYZ_ABC@ncsu.edu> [18/1] [the rest of the message would appear here]
—————End Example of Full Header——————-
————Begin Example of Incomplete Header————
Date: Thu, 16 May 2002 13:54:19 -0400 (EDT)
From: XYZ ABC <email@example.com>
Subject: Pager List[the rest of the message would appear here]
———-End Example of Incomplete Header—————–
For details in Gmail and other programs, see Trace an email with its full headers.
- If the message originated from on campus:
Send a copy, with full headers, to firstname.lastname@example.org.
- If the message originated from off campus:
Send a copy, with full headers, to email@example.com.
- If the message appears to be a phishing email:
Send a copy, with full headers, to firstname.lastname@example.org.