Consumer Fraud Reporting
Email Headers
Reporting on the Latest Frauds, Scams, Fake Lotteries, Spams and Hoaxes

Email Headers -
How to View them and Include them in Reporting a Spam or Scam

Do you want to find out who REALLY sent that email? Or do you want to know how to copy the email header so that an enforcement agency can track down a spammer or scammer? Read on for:


A Brief Explanation of Email Headers

Internet e-mails include a "header" which usually includes (at least) the following:

  1. From: The e-mail address, and optionally name, of the sender of the message
  2. To: The e-mail address[es], and optionally name[s], of the receiver[s] of the message
  3. Subject: A brief summary of the contents of the message
  4. Date: The local time and date when the message was originally sent
  5. Received: The route the message took when it was sent to you (which is important for tracing the real origin of the email)

Each header field has a name and a value.

To:

Note that the "To" field in the header is not necessarily related to the addresses to which the message is delivered. The actual delivery list is supplied in the SMTP protocol, not extracted from the header content. The "To" field is similar to the greeting at the top of a conventional letter which is delivered according to the address on the outer envelope.

From:

Also note that the "From" field does not have to name the real sender of the e-mail message. It is very easy to fake the "From" field and make a message seem to come from any mail address. It is possible to digitally sign e-mail, which is much harder to fake. Some Internet service providers do not relay e-mail claiming to come from a domain not hosted by them, but very few (if any) check to make sure that the person or even e-mail address named in the "From" field is the one associated with the connection. Some Internet service providers apply e-mail authentication systems to e-mail being sent through their MTA (email system) so that other MTAs can detect forged spam that appears to come from them.

Received:

The "Received:" headers of any email message will tell you where the message originated and what route it took to get to you. That's what you need to know to be able to trace the email to its real sender.

The Received headers list the steps in the email delivery process, in reverse order (most recent, your pc, at the top, and the starting point at the bottom). The first one will be your own computer, and the last one should be the sender. The domain names and IP addresses in "Received:" headers are those of the actual machines that performed a portion of the delivery service. These headers can be faked, but it's harder to do than spoofing (faking) simple "From" addresses.
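The following sketch, added here as an illustration and not part of the original page, reads the "Received:" headers of a copied message with Python's standard `email` module and lists the hops from origin to recipient next to the "From" address. The sample message, its host names and its IP addresses (documentation ranges) are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: example domains and documentation-range IPs only.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1; Tue, 03 Mar 2009 10:00:05 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Tue, 03 Mar 2009 10:00:03 -0500
Received: from unknown (HELO bank.example) ([203.0.113.45])
\tby relay.isp.example with SMTP id C3; Tue, 03 Mar 2009 10:00:01 -0500
From: "Your Bank" <security@bank.example>
To: you@recipient.example
Subject: Verify your account

Click here.
"""

# "from <claimed name> ... [<connecting IP>] ... by <receiving server>"
HOP = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?\bby\s+(\S+)")

def trace_route(raw):
    """Return delivery hops oldest first (the headers list them newest first)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header line folding
        m = HOP.search(flat)
        if m:
            hops.append({"claimed": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops

def chain_breaks(hops):
    """Heuristic: each hop's 'by' host should be the next hop's 'from' host."""
    return [(a["by"], b["claimed"]) for a, b in zip(hops, hops[1:])
            if a["by"].lower() != b["claimed"].lower()]

def summary(raw):
    hops = trace_route(raw)
    sender = parseaddr(message_from_string(raw)["From"])[1]
    origin = hops[0] if hops else {}
    return {"from_header": sender, "origin_ip": origin.get("ip"),
            "origin_claimed": origin.get("claimed"), "breaks": chain_breaks(hops)}

if __name__ == "__main__":
    print(summary(RAW))
```

A non-empty `breaks` list is only a hint that a "Received:" line may not belong to the real route; mail systems that use internal host aliases produce breaks too.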

Other common header fields include:

1. Cc: carbon copy
2. Bcc: Blind Carbon Copy
3. Received: Tracking information generated by mail servers that have previously handled a message
4. Content-Type: Information about how the message has to be displayed, usually a MIME type


Step by step instructions on how to view and copy the headers

The email headers are generally hidden by most email programs.  To see them requires a couple of steps, which vary depending upon the email program you use. Here are directions for some of the more common email clients (programs):

While you are viewing the message,

  • Outlook:
    • Select View
    • Select Options
  • Outlook Express:
    • Right-click on an email message in the Inbox
    • Click on Properties on the menu that pops up.
    • Select the Details tab.
  • AOL: 
    • Under the "To address"
    • click "Details"
  • Yahoo mail
    • Open the email
    • click on "Standard Headers" on the right side, then
    • click on "Full Headers"
  • Hotmail:
    • Login
    • Options (to the right of the "Contacts" tab)
    • Mail Display Settings link under the Additional Options column.
    • Message Headers.
    • Select Full
    • Click OK
    • Go back to your Inbox and view your mail, which will now show the headers
  • Eudora:
    • Click the "Blah Blah Blah" button.
  • Netscape:
    • Select: View
    • Click Headers
    • Select All
  • WebMail:
    • Click "View Full Headers".

Once you can see the headers, you need only highlight them with your mouse, then copy and paste them into our feedback form.

If these directions aren't enough, Spamcop.com, a website that sells spam-blocking software (completely unaffiliated with CFR.org), has an excellent set of visual directions to help you see and copy the full headers in many of the popular email programs. These links take you to those pages:

Click on your email program:


Want More Information?

How Internet e-mail works

These websites can provide more detail about email headers, what they are and how to read and use them!


Copyright CFR 2005, 2006, 2007, 2008, 2009
Names used by scammers in the examples on this page and others often belong to real people and businesses who often have no knowledge of nor connection to the scammer's use of their name and information.  Sample scam emails and other documents are copies of the scam to help potential victims recognize and avoid it.  You should presume that any names used and presented here in a scam are either fictitious or used without their legitimate owner's permission.