What Some Of The Stuff In An Email Header Means

There are 5 SMTP (Simple Mail Transfer Protocol) commands used to send email via an SMTP mailserver. They are:

Helo
Mail From:
Rcpt To:
Data
Quit

Your average, everyday SMTP transaction (sending some email) would look like this:

[the Sender connects to the Mailserver]
Mailserver says: 220 mailserver.domain.com SMTP ... Greetings
    Sender says: Helo sender.host.name
Mailserver says: 250 Nice to meet you
    Sender says: Mail From:<sender@his.address>
Mailserver says: 250 Sender ok
    Sender says: Rcpt To:<recipient@his.address>
Mailserver says: 250 Recipient ok
    Sender says: Data
Mailserver says: 354 Enter mail, end with "." on a line by itself
    Sender says: Blah, blah, blah...            
    Sender says: <enter>.<enter>
Mailserver says: 250 Message accepted for delivery
    Sender says: Quit
and the SMTP transaction is complete, the email is on its way to the recipient.

A mailserver doesn't have to say "ok"; it can say "Eat my shorts, spammer!" if it doesn't like anything the Sender has to say to it in any of the commands, but the open relays the spammers use to send their spam always say "ok".

Helo
The Helo is *supposed* to be the host name of the computer that has connected to the mailserver, but in the world of spam the Helo is just whatever the spammer feels like saying. Servers that are vulnerable to being relay-raped by spammers generally don't care what a spammer might say in the Helo. "Helo dust-bunny-gobbler" would generally be acceptable to a mailserver that is configured such that it would allow spammers to relay-rape it. In fact, it would probably be acceptable to most mailservers running on the Internet. In general, the Helo can be anything the sender feels like saying.

Mail From:
This is *supposed* to be the email address of the sender, but similar to the Helo it is just what the sender *says*. Most mailservers will require the Mail From: to contain a valid domain name, but in the world of spam emanating from relay-raped servers, that isn't always the case. In any case the Mail From: is just what the sender *says*, and is totally unreliable.

Many mailservers create a Return-Path line when they receive an email. The email address in the Return-Path line is the email address entered with the Mail command. You may have seen references to the email "Envelope". The address entered with the Mail command is the "Envelope From" address. The "Envelope From" address is always there in the email from a mailserver point of view, but isn't always present in the received email. You won't see the "Envelope From" address unless a mailserver goes out of its way to present that address to you.

Rcpt To:
This is the email address of the recipient. This will always be valid. The email address entered here is the "Envelope To" address. The "Envelope To" address often doesn't appear anywhere in an email.

Data
This is where the message itself goes. Note that Received: lines generated by mailservers that have previously handled a message are passed along in the Data. Note also that header lines like To: and From: etc. are passed along in the Data, and that these lines can say anything the spammer wants them to say.

Sometimes a spammer doesn't include lines like To: and From: in his spam. Some mailservers don't like it that these header lines aren't present and will create them based on the "Envelope". Other mailservers don't care and will pass the email along with those lines absent. The positioning of lines like To:, From:, Date:, etc. is not a good indicator of header forgery.


The most commonly used mailserver software on the Internet is Sendmail. Here's an example of the relevant part of a Sendmail Received: line.

Received: from [dial45.neoms.mail.us[245.15.75.158]] (kol-dial35.asysijd.cz
[195.75.66.68]) by mail.domain.com (8.8.7/8.8.7) with SMTP ..[snip]

The spammer said "Helo [dial45.neoms.mail.us[245.15.75.158]]". Sendmail reported the actual connecting IP address (195.75.66.68), and reported the rDNS lookup of 195.75.66.68 (kol-dial35.asysijd.cz). Other mailservers do things differently, from reporting *only* the Helo to reporting the connecting IP address and explicitly saying "Helo=[dial45.neoms.mail.us[245.15.75.158]]". That's the tricky bit in sorting out spam headers: knowing what a mailserver is actually telling you in its Received: line.

So, the Sendmail format looks like this: Received: from Helo (rDNS [IP.address]) by ....

Other formats are:
Received: from rDNS (Helo) (IP.address) by ....
Received: from rDNS by ....
Received: from IP.address by ....
Received: from [IP.address] by ....
Received: from Helo by ....
and more.
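As an added example (not part of the original article), here is a small Python parser for the Received: layouts listed above. It keeps the fields the receiving mailserver recorded itself (rDNS, IP address) apart from what the sender merely claimed in its Helo, and marks a hop as traceable only when a server-recorded IP address is present. The first sample line is the article's own Sendmail example joined onto one line; the other sample lines and their host names are constructed placeholders.

```python
import re

# Sample lines in the Received: layouts the article lists.  The first is
# the article's own Sendmail example joined onto one line; the rest are
# constructed, with placeholder host names and addresses.
SAMPLES = [
    "Received: from [dial45.neoms.mail.us[245.15.75.158]] (kol-dial35.asysijd.cz "
    "[195.75.66.68]) by mail.domain.com (8.8.7/8.8.7) with SMTP",
    "Received: from relay.example.org (dust-bunny-gobbler) (198.51.100.7) by mx.example.net",
    "Received: from [198.51.100.7] by mx.example.net",
    "Received: from dust-bunny-gobbler by mx.example.net",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Groups named rdns/ip are what the receiving server recorded itself;
# helo (or a bare name) is only what the sender claimed.
PATTERNS = [
    ("sendmail",      # from Helo (rDNS [IP.address]) by host
     re.compile(r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>"
                + IPV4 + r")\]\)\s+by\s+(?P<by>\S+)")),
    ("rdns_helo_ip",  # from rDNS (Helo) (IP.address) by host
     re.compile(r"^Received:\s+from\s+(?P<rdns>\S+)\s+\((?P<helo>\S+)\)\s+\((?P<ip>"
                + IPV4 + r")\)\s+by\s+(?P<by>\S+)")),
    ("ip_only",       # from [IP.address] by host  /  from IP.address by host
     re.compile(r"^Received:\s+from\s+\[?(?P<ip>" + IPV4 + r")\]?\s+by\s+(?P<by>\S+)")),
    ("name_only",     # from name by host: name may be rDNS or just the Helo
     re.compile(r"^Received:\s+from\s+(?P<name>\S+)\s+by\s+(?P<by>\S+)")),
]

def parse_received(line):
    """Parse one Received: line into its fields, or return None if no known
    layout matches.  'traceable' is True only when the receiving server
    recorded the connecting IP address itself."""
    for fmt, pat in PATTERNS:
        m = pat.match(line.strip())
        if m:
            fields = dict(m.groupdict())
            fields["format"] = fmt
            fields["traceable"] = "ip" in fields
            return fields
    return None

def connecting_ips(lines):
    """Server-recorded connecting IP of each parseable hop, in header order
    (each server prepends its Received: line, so newest hop comes first)."""
    return [p["ip"] for p in map(parse_received, lines) if p and p["traceable"]]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_received(s))
```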


For an in depth header analysis tutorial check out http://www.stopspam.org/email/headers/headers.html

For more information on SMTP, see
http://www.faqs.org/rfcs/rfc821.html
and
http://www.faqs.org/rfcs/rfc822.html

Comments Welcome