How to Forward a Message with Full Email Headers

Contents

Introduction to headers

In most situations, people are interested in seeing only the first few headers on a message (From, To, Cc, Subject, and Date), so most email programs such as Gmail, Outlook, Thunderbird and Apple Mail display only those when the recipient reads the message or forwards it. The rest of the headers are masked.

Unfortunately, those first few headers are easy to forge, and this commonly occurs in cases of harassment, viruses, junk email, or chain-letters. Fortunately, the Received: headers are extremely difficult to forge and can be used to identify the source of the offensive email.

If you report a case of harassment, abuse, unsolicited commercial email, chain-letters, phishing or other potentially harmful communication, you will need to send a complete copy of the message with full email headers to NC State Postmasters.  Full headers allow them to track a message back to the IP address from which it was sent; a message without full headers cannot be tracked.

[Back to Contents]

What full headers look like

—————–Begin Example of Full Header—————–

Delivered-To: jqncsu@ncsu.edu

Received: by 10.220.150.3 with SMTP id w3cs127581vcv;

Tue, 4 Oct 2011 14:49:35 -0700 (PDT)

Received: by 10.236.156.33 with SMTP id l21mr9893981yhk.24.1317764974722;

Tue, 04 Oct 2011 14:49:34 -0700 (PDT)

Return-Path: <xyzabc@ncsu.edu>

Received: from uni02mi.unity.ncsu.edu (uni02mi.unity.ncsu.edu. [152.1.2.225])

by mx.google.com with ESMTP id q64si7645508yhm.106.2011.10.04.14.49.34;

Tue, 04 Oct 2011 14:49:34 -0700 (PDT)

Received-SPF: pass (google.com: best guess record for domain of xuzabc@ncsu.edu designates 152.1.2.225 as permitted sender) client-ip=152.1.2.225;

Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of xyzabc@ncsu.edu designates 152.1.2.225 as permitted sender) smtp.mail=xyzabc@ncsu.edu

Received: from psmtp.com (na3sys009amx171.postini.com [74.125.149.97])

by uni02mi.unity.ncsu.edu (8.14.4/8.14.4/Nv6.2010.0805) with ESMTP id p94LnXE9013797

for <jqncsu@ncsu.edu>; Tue, 4 Oct 2011 17:49:34 -0400 (EDT)

Received: from na3sys009aog108.obsmtp.com ([74.125.149.199]) (using TLSv1) by na3sys009amx171.postini.com ([74.125.148.10]) with SMTP;

Tue, 04 Oct 2011 17:49:34 EDT

Received: from mail-iy0-f177.google.com ([209.85.210.177]) (using TLSv1) by na3sys009aob108.postini.com ([74.125.148.12]) with SMTP;

Tue, 04 Oct 2011 14:49:34 PDT

Received: by mail-iy0-f177.google.com with SMTP id r31so1594200iar.22

for <jqncsu@ncsu.edu>; Tue, 04 Oct 2011 14:49:33 -0700 (PDT)

MIME-Version: 1.0

Received: by 10.231.48.149 with SMTP id r21mr2914117ibf.95.1317764972336; Tue,

04 Oct 2011 14:49:32 -0700 (PDT)

Received: by 10.231.37.131 with HTTP; Tue, 4 Oct 2011 14:49:32 -0700 (PDT)

In-Reply-To: <CAMjWoEV3JXvpvy9=SZdrsH3znJ0itQnMuMC5SpEutmgCuUdnaA@mail.gmail.com>

References: <CAMjWoEV3JXvpvy9=SZdrsH3znJ0itQnMuMC5SpEutmgCuUdnaA@mail.gmail.com>

Date: Tue, 4 Oct 2011 17:49:32 -0400

Message-ID: <CAGA6UiiDxTad=T4qQ3MVAa45JP=f3Y9XQjcfKEZ0mBjRJ=-s4w@mail.gmail.com>

Subject: Fwd: Mail headers solution

From: XYZ ABC <XYZ_ABC@ncsu.edu>

To: John Q NCSU <jqncsu@ncsu.edu>

Content-Type: multipart/alternative; boundary=000e0cd1af2e12d75d04ae80119c

X-pstn-neptune: 0/0/0.00/0

X-pstn-levels:     (S:99.90000/99.90000 CV:99.9000 FC:93.6803 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )

X-pstn-settings: 1 (0.1500:0.0225) cv GT3 gt2 gt1 r p m c

X-pstn-addresses: from <XYZ_ABC@ncsu.edu> [18/1] [the rest of the message would appear here]

—————End Example of Full Header——————-

[Back to Contents]

What full headers do not look like

————Begin Example of Incomplete Header————

Date: Thu, 16 May 2002 13:54:19 -0400 (EDT)

From: XYZ ABC <xyzabc@ncsu.edu>

Reply-To: jqncsu@ncsu.edu

To: noone@ncsu.edu

Subject: Pager List

[the rest of the message would appear here]

———-End Example of Incomplete Header—————–

[Back to Contents]

How to display and send full headers in various email programs

For details in Gmail and other programs, see Trace an email with its full headers.

Where to send abusive, spam or phishing email

  • If the message originated from on campus:
    Send a copy, with full headers, to abuse@ncsu.edu.
  • If the message originated from off campus:
    Send a copy, with full headers, to spam@ncsu.edu.
  • If the message appears to be a phishing email:
    Send a copy, with full headers, to phishing@ncsu.edu.

[Back to Contents]