
Support - Internet Headers

Internet headers help determine the origin of an email, whether our spam filter tested the message, or why the spam filter did not destroy the message.

How do we examine these Internet Headers? By looking at:

  • The Return Path / Sender (not necessarily the same)
  • Who the message was 'originally' delivered to compared with who it was 'actually' delivered to; again, they are not necessarily the same
  • The transmission route, which indicates which mail servers handled the message
  • Whether spam filtering took place

The Return Path - Return-Path: Sabala040@Joey.com

  1. The email address for return mail. It is the same as Reply-To unless the headers indicate otherwise with a Reply-To: line.
  2. The return path and the sender's email address (who the message came from) are not necessarily the same, although they should be.
    The return path may or may not display a valid email account.
  3. If the return path and the sender's (From) email address are different, that is a sure indication that the message is spam, as spammers can easily forge the return path.

The From Email address - From: Jan Dowell

The transmission route.

Received: from localhost (filter-out.adhost.com [10.211.128.5]) by localhost.adhost.com (Postfix) with ESMTP id DBEBE1CC09F; Wed, 11 Aug 2004 23:45:34 -0700 (PDT) (envelope-from Sabala040@Joey.com)
Indicates that the Adhost mail server received the message from the spam/virus filter server and then placed the new message into the POP account. The message came from.

Received: from mail.adhost.com ([10.211.128.3]) by localhost (filter.adhost.com [10.211.128.5]) (amavisd-new, port 10024) with LMTP id 08256-01-32; Wed, 11 Aug 2004 23:45:34 -0700 (PDT)
The Adhost spam/virus filter server (indicated by filter.adhost.com) received this message from the Adhost mail server (mail.adhost.com) so it could be tested by our spam/virus filter system.

Received: from adsl-67-112-204-162.dsl.sntc01.pacbell.net (adsl-67-112-204-162.dsl.sntc01.pacbell.net [67.112.204.162]) by mail.adhost.com (Postfix) with SMTP id A19B25A768 for
The Adhost mail server (mail.adhost.com) originally received this message from pacbell.net.

X-Message-Info: GELGxHL36mLwjxeTCPJJhmLwnXVNlg67
Received: from coequal-dns.decryptgrandnephew.com ([112.190.157.136]) by dg4-a75.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Fri, 13 Aug 2004 11:49:48 +0100

In the transmission route above, the message follows a linear path, flowing from one server to the next until it reaches its final destination, the POP account of the recipient. Here we would therefore expect to see where pacbell.net received the message from; however, it is not even mentioned. This hop is a clear indication that the headers are more than likely forged from this point on down. Additionally, if I do an nslookup on coequal-dns.decryptgrandnephew.com, it should resolve to the IP address 112.190.157.136, and it does not. It does not even return an IP address.

Received: from mail.befogconferred.com ([142.100.58.67]) by deus-dns.cruddybypath.com (5.52.1/9.12.8) with ESMTP id z0EBcfv6647427 for
Again, this portion does not even mention the coequal-dns.decryptgrandnephew.com server. Furthermore, IP addresses do not contain slashes (/) and contain only 4 sets of numbers separated by dots (.). Thus 5.52.1/9.12.8 is clearly not a valid IP number, which is a clear indication that this portion of the header is also forged.

Received: from [186.48.233.148] (helo=cantabrigian4.carriage31ramada.com) by mail.awashadvocacy.com with esmtp (Exim 2.32) id 7TcdxA-7199wT-AD for everyone@adhost.com; Fri, 13 Aug 2004 12:45:48 +0200

Received: from compositor0.yardstick57dove.com (localhost.shill39brunhilde.com [127.0.0.1]) by brassy1.stupid16crocodilian.com (3.72.8r0/9.90.3) with ESMTP id s8GPlVF3590112 for < everyone@adhost.com>; Fri, 13 Aug 2004 13:42:48 +0300 (CST)(envelope-from Styons35@Kelle.com)

Received: (from animosity@localhost)by trw0.affectionate78bart.com (8.92.1c9/7.18.7/home) id y1BHaKX4340679; Fri, 13 Aug 2004 13:42:48 +0300 (CST)
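The hop-by-hop check described above, as an added example that is not Adhost's own code: each Received line's "by" server should be the peer named in the "from" part of the line above it. The function names `parse_hop` and `first_break` are hypothetical, and the sample is the first five Received lines quoted on this page.

```python
import re

# The first five Received lines quoted on this page, newest first, trimmed to
# the "from ... by ..." part (the address after "for" is missing on the page).
RECEIVED = [
    "from localhost (filter-out.adhost.com [10.211.128.5]) by localhost.adhost.com (Postfix) with ESMTP id DBEBE1CC09F",
    "from mail.adhost.com ([10.211.128.3]) by localhost (filter.adhost.com [10.211.128.5]) (amavisd-new, port 10024) with LMTP id 08256-01-32",
    "from adsl-67-112-204-162.dsl.sntc01.pacbell.net (adsl-67-112-204-162.dsl.sntc01.pacbell.net [67.112.204.162]) by mail.adhost.com (Postfix) with SMTP id A19B25A768",
    "from coequal-dns.decryptgrandnephew.com ([112.190.157.136]) by dg4-a75.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824)",
    "from mail.befogconferred.com ([142.100.58.67]) by deus-dns.cruddybypath.com (5.52.1/9.12.8) with ESMTP id z0EBcfv6647427",
]

HOP = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.I)

def parse_hop(line):
    """Return the peer names a server recorded and the server's own name."""
    m = HOP.search(line)
    if not m:
        return None
    helo, paren, by = m.groups()
    names = {helo.lower()}                  # name the peer announced
    if paren:                               # name the server recorded in parentheses
        names |= {t.lower() for t in paren.split() if not t.startswith("[")}
    return {"from": names, "by": by.lower()}

def first_break(received):
    """Index (newest first) of the first hop whose 'by' host is not the peer
    that the hop above it received from; None if the chain is continuous."""
    hops = [parse_hop(line) for line in received]
    for i in range(1, len(hops)):
        upper, lower = hops[i - 1], hops[i]
        if upper is None or lower is None or lower["by"] not in upper["from"]:
            return i
    return None

if __name__ == "__main__":
    print("chain breaks at hop index:", first_break(RECEIVED))
```

The comparison is on exact host names, so a server that records itself under a different name than it announces will also show up as a break; treat the result as a pointer to the hop to inspect by hand.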

Our Spam Filters: All messages going to an Adhost pop account are scanned by our spam/virus filter. This line:
(X-Virus-Scanned: by filter.adhost.com)
is the last line of the header if and only if the message does not fail any of the spam filter tests. In our example, however, the message did fail some of the spam tests, and the filter wrote the following after scanning for viruses:

X-Spam-Status: Yes, hits=7.2 tagged_above=1.0 required=7.0 tests=BAYES_90,
FROM_ENDS_IN_NUMS, HTML_60_70, HTML_IMAGE_ONLY_04, HTML_LINK_PUSH_HERE,
HTML_MESSAGE, MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI, UPPERCASE_25_50
‘Yes’ indicates that the message is spam
hits= indicates the sum of the scores from each of the tests that have failed. Each test has a different number associated with it.
tagged_above= indicates when to begin marking a message as possible spam

  • A test must receive a score (hits=) > 1 in this example before it will start being marked
  • Because the number of hits was > 1 the message was tagged accordingly as indicated by the X-Spam-Level: *******
  • This number is retrieved from your spam filter settings


required= indicates when a message will be marked as ***SPAM*** in the subject line of your message

  • A test must receive a score (hits=) > 7 in this example before it will alter the subject line of the message
  • Because the number of hits was > 7 the message was marked as ***SPAM*** in the subject line as indicated by the X-Spam-Flag: YES
  • This number is retrieved from your spam filter settings


The ‘tests=’ field lists the tests the message failed. If the message passes a test, the name of that test is NOT written here; the name of a test is written only when the message fails it.
When will the message be destroyed because it is spam versus sending you an email that indicates it is spam by the ***SPAM*** in the subject line?

  • See the section regarding spam filter settings as that will determine when a message will be deleted.
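A parser for the X-Spam-Status line explained above, as an added example that is not Adhost's own code: it unfolds the header, reads hits=, tagged_above= and required=, and applies the two comparisons as this page states them. The function name `parse_spam_status` and the result keys are hypothetical.

```python
import re

# The X-Spam-Status header quoted on this page, folded over three lines.
SAMPLE = (
    "X-Spam-Status: Yes, hits=7.2 tagged_above=1.0 required=7.0 tests=BAYES_90,\n"
    " FROM_ENDS_IN_NUMS, HTML_60_70, HTML_IMAGE_ONLY_04, HTML_LINK_PUSH_HERE,\n"
    " HTML_MESSAGE, MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI, UPPERCASE_25_50\n"
)

def parse_spam_status(raw):
    """Parse one X-Spam-Status header (possibly folded) into a dict."""
    # Unfold: continuation lines belong to the same header value.
    value = " ".join(raw.split()).split(":", 1)[1].strip()
    verdict, _, rest = value.partition(",")
    nums = {k: float(v) for k, v in
            re.findall(r"(hits|tagged_above|required)=(-?\d+(?:\.\d+)?)", rest)}
    m = re.search(r"tests=(.*)", rest)
    tests = [t.strip() for t in m.group(1).split(",") if t.strip()] if m else []
    hits = nums.get("hits", 0.0)
    result = {
        "verdict": verdict.strip().lower() == "yes",
        "hits": hits,
        # Comparisons as stated on this page: strictly greater than.
        "tagged": "tagged_above" in nums and hits > nums["tagged_above"],
        "subject_marked": "required" in nums and hits > nums["required"],
        "tests": tests,
    }
    # The Yes/No verdict should agree with the hits/required comparison.
    result["consistent"] = result["verdict"] == result["subject_marked"]
    return result

if __name__ == "__main__":
    r = parse_spam_status(SAMPLE)
    print(r["hits"], r["tagged"], r["subject_marked"], len(r["tests"]))
```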