Analyze headers of email

How do I analyze headers from an email? Is it different for Yahoo, Gmail and Hotmail, or is it all the same?
vulture714 asked:

viveksahu (Lead Consultant) commented:
Hi,

If you are looking for the header in Outlook, just double-click to open the mail and click on Options; you will have the header in Outlook 2007.

If you want this in Yahoo, Hotmail or Gmail, just open the mail and click on the View Source option, and there you go.
0
BWaring commented:
The 'standard' parts of an SMTP header are the same, but different gateways, etc.... can add in additional information.... If you are trying to trace back to where an email is coming from, look for the "Received" lines in the header and read them backwards.... for example, a header might say:

Received: server C by server D
Received: server B by server C
Received: server A by server B
Received: client by server A

This means that the client sent to server A, server A sent to server B, server B sent to server C, and server C sent to server D....

There may be more or fewer servers involved, and the 'client' may not always be identified. The servers may also list an IP address next to them - this should be the IP address that the server actually used when connecting to the downstream server (that IP should reverse DNS back to the server name)....

There is most likely a lot of other stuff around and about these lines, most of it gateway or email system specific, SPAM/virus gateway add-in stuff, etc....

That's a quick, general overview of the process...

You can find out much more here: http://tools.ietf.org/html/rfc821 and then follow the links up top for all the revisions, etc....
0
Dave Baldwin (Fixer of Problems) commented:
Here's an article from Google about reading email headers: http://mail.google.com/support/bin/answer.py?hl=en&answer=29436  If you're trying to find out who sent an email, your trail will stop at Yahoo, Gmail and Hotmail because the IP addresses you get in the headers are for their servers, not the individuals who sent the email.  Emails sent through local ISPs will get you closer because they don't have as many users as Yahoo, Gmail and Hotmail, who have hundreds of millions of users each.
0

JohnDecker commented:
^^ Not so. Gmail certainly does that, but yahoo and hotmail don't.

What is the purpose of the analysis? If it is to identify the sender, you are probably out of luck.
0

JohnDecker commented:
Here's my point (taken from http://www.pcpro.co.uk/features/366349/can-you-really-be-traced-from-your-ip-address/2)

Identifying end users via IP addresses is based on the assumption that every address can be accurately traced back to an individual. That’s not necessarily the case, however.
"In general, the accuracy of IP address tracing varies depending on the type of user behind the IP address," said Tom Colvin, chief technology officer with security vendor Conseal. "Whilst big businesses can be traceable right back to their datacenters, standard family broadband connections are often hard to locate, even to county-level accuracy.
“The reason is that there are a number of sources of IP address information, the accuracy of which deteriorates with the number of hops from the backbone. There are some huge IP-to-location databases (for example Quova or MaxMind) which provide great results for backbones and carriers, but not for end users – one of the reasons being that ISPs can assign IP addresses randomly."
Locating end users becomes decidedly trickier – if not impossible – when they’re hiding behind one or more proxy servers, which are designed to re-route traffic and obscure the source as well as the destination.
"Connections through a series of anonymous proxies are transient and change rapidly," said Rolf von Roessing, international vice president of the Information Systems Audit and Control Association (ISACA). "They are not logged, and any user can operate a TOR server or relay and take it off the network at any time."
As von Roessing points out, while ISPs might be legally required to disclose connectivity data and IP logs if these are available, most tend to delete those logs after a few days anyway. By the time you've traced an IP through a series of anonymous proxies back to the originating ISP, the data could have already been deleted.
So, not only is IP address evidence potentially unreliable, but if the perpetrators are smart enough, there’s little or no hope of tracing them in the first place.
0
Alan Hardisty (Co-Owner) commented:
Email headers taken from a hotmail email:
Received: from server1.mydomain.co.uk (10.0.xx.xx) by server2.mydomain.local
 (10.0.xx.xx) with Microsoft SMTP Server (TLS) id 14.1.270.1; Fri, 8 Apr 2011
 08:01:13 +0100
Received: from bay0-omc1-s6.bay0.hotmail.com (65.54.190.17) by
 server1.mydomain.co.uk (188.220.xxx.xxx) with Microsoft SMTP Server id
 14.1.270.1; Fri, 8 Apr 2011 08:01:13 +0100
Received: from BAY156-W64 ([65.54.190.61]) by bay0-omc1-s6.bay0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.4675);       Fri, 8 Apr 2011 00:03:37 -0700
Message-ID: <BAY156-w647CC8320A916845648D34B6A70@phx.gbl>
Return-Path: myaddress@hotmail.com
Content-Type: multipart/alternative;
      boundary="_f79506b4-b673-4ca1-bf26-3fee6e9e5bc7_"
X-Originating-IP: [Correct Sending IP Address]
From: <myaddress@hotmail.com>
To: <myaddress@mydomain.co.uk>
Subject: Testing
Date: Fri, 8 Apr 2011 07:03:36 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 08 Apr 2011 07:03:37.0169 (UTC) FILETIME=[1516B410:01CBF5BB]
X-MS-Exchange-Organization-Antispam-Report: SenderOnRecipientSafeList
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthSource: server2.mydomain.local
X-MS-Exchange-Organization-AuthAs: Anonymous

Email headers taken from a Gmail Email:
Received: from server1.mydomain.co.uk (10.0.xx.xx) by server2.mydomain.local
 (10.0.xx.xx) with Microsoft SMTP Server (TLS) id 14.1.270.1; Fri, 8 Apr 2011
 09:25:14 +0100
Received: from mail-iy0-f173.google.com (209.85.210.173) by
 server1.mydomain.co.uk (188.220.xxx.xxx) with Microsoft SMTP Server (TLS) id
 14.1.270.1; Fri, 8 Apr 2011 09:25:14 +0100
Received: by iym10 with SMTP id 10so4620894iym.18        for
 <myemail@mydomain.co.uk>; Fri, 08 Apr 2011 01:27:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:date:message-id:subject:from:to
         :content-type;
        bh=dxx9qtKQjBgGmVliQUkY3MZIuHf0Ac6bh6ysy2jyRrc=;
        b=Tf4+WsrpCc2YWAoadHemAR5zDUB5MshJ0nCWS7h3Y2c8nEC6tiR5PS+w0UWUsfTqXs
         U/88uqJeSa2l1Vi/gG0ccTJiYoVspmuS/qHtbt2UueTO+NB7u4HmxbTER+cBXKEyYDjO
         iz9Z66Yi60UsI04uuIuAiTNqy1pSeEWVQ2n7s=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:date:message-id:subject:from:to:content-type;
        b=M6+26zAmW04Bfziakl/CE/ueH2fBxTjt+SI9iBDj3u6z/1N0oRvcWdeBm0hT+p2CHY
         X3i0Io2Hi55F0ad9UDeBb0vfX/ZwyfiW55T7W28EwvkepfPNJPJwmBqU7SPAASdaN24o
         2LmP6Pqe+ScwWE8WAxohxehunXjWh8U2wZDcM=
MIME-Version: 1.0
Received: by 10.42.29.202 with SMTP id s10mr2932445icc.4.1302251261269; Fri,
 08 Apr 2011 01:27:41 -0700 (PDT)
Received: by 10.231.183.69 with HTTP; Fri, 8 Apr 2011 01:27:41 -0700 (PDT)
Date: Fri, 8 Apr 2011 09:27:41 +0100
Message-ID: <BANLkTikFb3-sgdCqQonAriKkoKUv81O7gQ@mail.gmail.com>
Subject: Testing
From: Me <myemail@gmail.com>
To: <myemail@mydomain.co.uk>
Content-Type: multipart/alternative; boundary="20cf3040ee56d6163f04a063ff8b"
Return-Path: myemail@gmail.com
X-MS-Exchange-Organization-Antispam-Report: v=1.1
 cv=1bAoyIsRQgn64SoI9I7GxdLUFvzlf6qCUWwDt04ldMQ= c=1 sm=1 a=nDghuxUhq_wA:10
 a=94ZsvInz6YUEwq4anqgA:9 a=wPNLvfGTeEIA:10 a=3jw5tNa44rccpHfNZAsA:9
 a=i5xzRy8GnMa4EVhs8Gqg6w==:117;OrigIP:209.85.210.173;SCL:-1
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthSource: server1.mydomain.local
X-MS-Exchange-Organization-AuthAs: Anonymous

Email Headers taken from a Yahoo.co.uk email:
Received: from server1.mydomain.co.uk (10.0.xx.xx) by server2.mydomain.local
 (10.0.xx.xx) with Microsoft SMTP Server (TLS) id 14.1.270.1; Fri, 8 Apr 2011
 09:29:48 +0100
Received: from web24805.mail.ird.yahoo.com (212.82.110.39) by
 server1.mydomain.co.uk (188.220.xxx.xxx) with Microsoft SMTP Server id
 14.1.270.1; Fri, 8 Apr 2011 09:29:47 +0100
Received: (qmail 87331 invoked by uid 60001); 8 Apr 2011 08:32:16 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1302251536; bh=xkJkIpmYkRbNYCWm8pPbc0VQOtfxdjPwwU5EOaddop0=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=PUK6HEa7gmZKGaZmww/GMKJjSHGMFGh7jBt/w+aTO+Zt/Oh4/Lp/Jk0Ta4vPWcd2UDzdKFZFJ8LV4XRotiiwEpJoL1k3/6QHlZFhJc2dRty+nVEMv/C9LoWEI8/EeDwPKRR+PcR9cnOHnzrc7YJpGkw1oVyH1yAvOoffZeN9v1Y=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.co.uk;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=LwiyVuEHWQtww9ayQy2wYjvkWA2K1zA1FsDq4szZJyVehbBElBcY6qihZmU/1egvJFCmYVkm6B8QuY46+xvO85rvq6mDpLSV1mGc33omFLDsENRcQ4Oo3DsOKhwWlUsDheoGq2bELn9XhenDqobgR1mCtV22vHUtuDLotl50/Qw=;
Message-ID: <278178.46431.qm@web24805.mail.ird.yahoo.com>
X-YMail-OSG: sgeuwDMVM1ks0nlslzozGZeIdXFL.LJo7GFboyeXUR5vdWr
 lbKYAIpmDd3Gp7AcpwohYsDC_2a7yIE9JsMHaJQ.3k2lVc2FvpisH2hCJog2
 JEf0PdbY6qKzhFg1iYMWdUr4TMrBhUCVI.ocKoo8LlkgXfFezEJRhV0FQew1
 MBOw0t7CDWp1Xb_o0Lz9qutG.5PKD2r59u9jV6v.AdfSknjbD_Jk_RVy_YZI
 jQKY73bt38YQEDzwSvYasgMNzXsbzmyRWUmkFXDUt6KGAjY1Vn1ZGp9T4K4L
 9qz5l8FWLRlPXa8Ib99dBg1zQN8nyRQ--
Received: from [Correct Sending IP] by web24805.mail.ird.yahoo.com via HTTP; Fri,
 08 Apr 2011 09:32:16 BST
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Fri, 8 Apr 2011 09:32:16 +0100
From: Me <myemail@yahoo.co.uk>
Subject: Testing
To: <myemail@mydomain.co.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="0-236920139-1302251536=:46431"
Return-Path: myemail@yahoo.co.uk
X-MS-Exchange-Organization-Antispam-Report: v=1.1
 cv=1bAoyIsRQgn64SoI9I7GxdLUFvzlf6qCUWwDt04ldMQ= c=1 sm=1 a=PLmm6w-6prgA:10
 a=/LtPfHC4UMiFPRwQDPHeiA==:17 a=oHM1V9sc3__v4s30wF0A:9 a=QEXdDO2ut3YA:10
 a=o7lHiGkbux9Pt-umeU8A:7
 a=vNhM4OEZASu5JvUyG/uf1Q==:117;OrigIP:212.82.110.39;SCL:-1
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthSource: server1.mydomain.local
X-MS-Exchange-Organization-AuthAs: Anonymous

So in the tests I performed, the sending IP Address was available in the headers for Hotmail and Yahoo but not Gmail.
0
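The two technical points in this thread are BWaring's rule (read the Received: lines bottom-up to recover client -> server A -> server B ...) and Alan Hardisty's three dumps showing that Hotmail and Yahoo expose the submitting address while Gmail's oldest hops name no client at all. The script below is an added example of mine, not code posted by anyone in the thread: it unfolds and reverses the Received: chain with Python's standard email module and then reports where the trail starts and how far it really gets you, in the sense of Dave Baldwin's caveat. The samples are constructed abridgements of Alan's dumps; the masked "10.0.xx.xx"/"188.220.xxx.xxx" values became 10.0.0.2, 10.0.0.3 and 198.51.100.7, the "[Correct Sending IP]" placeholder became the documentation address 203.0.113.45, and the "from <host> by <host>" regex is my own heuristic for the common MTA format.

```python
import email
import ipaddress
import re

# Dotted quad not embedded in a longer numeric token (so "14.1.270.1"-style ids don't match).
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# "from <host> (<ip>) by <host> ..." as most MTAs write it; other shapes simply return no match.
FROM_BY = re.compile(r"^from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
# Ranges that can only be an internal relay, never the remote sender (RFC 1918 + loopback).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed samples abridged from the three dumps in the post above; masked addresses were
# replaced with 10.0.0.2 / 10.0.0.3 / 198.51.100.7 and the sender placeholder with 203.0.113.45.
HOTMAIL = """\
Received: from server1.mydomain.co.uk (10.0.0.2) by server2.mydomain.local
 (10.0.0.3) with Microsoft SMTP Server (TLS) id 14.1.270.1; Fri, 8 Apr 2011
 08:01:13 +0100
Received: from bay0-omc1-s6.bay0.hotmail.com (65.54.190.17) by
 server1.mydomain.co.uk (198.51.100.7) with Microsoft SMTP Server id
 14.1.270.1; Fri, 8 Apr 2011 08:01:13 +0100
Received: from BAY156-W64 ([65.54.190.61]) by bay0-omc1-s6.bay0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.4675); Fri, 8 Apr 2011 00:03:37 -0700
X-Originating-IP: [203.0.113.45]
From: <myaddress@hotmail.com>

"""
GMAIL = """\
Received: from mail-iy0-f173.google.com (209.85.210.173) by
 server1.mydomain.co.uk (198.51.100.7) with Microsoft SMTP Server (TLS) id
 14.1.270.1; Fri, 8 Apr 2011 09:25:14 +0100
Received: by iym10 with SMTP id 10so4620894iym.18 for
 <myemail@mydomain.co.uk>; Fri, 08 Apr 2011 01:27:41 -0700 (PDT)
Received: by 10.42.29.202 with SMTP id s10mr2932445icc.4.1302251261269; Fri,
 08 Apr 2011 01:27:41 -0700 (PDT)
Received: by 10.231.183.69 with HTTP; Fri, 8 Apr 2011 01:27:41 -0700 (PDT)
From: Me <myemail@gmail.com>

"""
YAHOO = """\
Received: from web24805.mail.ird.yahoo.com (212.82.110.39) by
 server1.mydomain.co.uk (198.51.100.7) with Microsoft SMTP Server id
 14.1.270.1; Fri, 8 Apr 2011 09:29:47 +0100
Received: (qmail 87331 invoked by uid 60001); 8 Apr 2011 08:32:16 -0000
Received: from [203.0.113.45] by web24805.mail.ird.yahoo.com via HTTP; Fri,
 08 Apr 2011 09:32:16 BST
From: Me <myemail@yahoo.co.uk>

"""


def parse_received(raw_message):
    """Received: hops oldest-first. Each MTA prepends its own line, so the header
    order is newest-first; reversing it recovers the path client -> A -> B -> ..."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())  # unfold continuation lines
        match = FROM_BY.match(flat)
        if not match:  # "by <host> ..." or "(qmail ...)" lines name no connecting client
            hops.append({"from": None, "from_ip": None, "by": None, "raw": flat})
            continue
        ips = IPV4.findall(match.group("from"))
        hops.append({"from": match.group("from").split()[0],
                     "from_ip": ips[0] if ips else None,
                     "by": match.group("by"), "raw": flat})
    return hops


def is_internal(ip):
    address = ipaddress.ip_address(ip)
    return any(address in network for network in INTERNAL)


def originating_ip(raw_message):
    """(ip, verdict): X-Originating-IP when the provider stamps one, otherwise the
    'from' address of the oldest Received: hop that names one, plus what it is worth."""
    msg = email.message_from_string(raw_message)
    stamped = IPV4.findall(msg.get("X-Originating-IP", ""))
    if stamped:
        return stamped[0], "stamped by provider in X-Originating-IP"
    for index, hop in enumerate(parse_received(raw_message)):
        if hop["from_ip"] is None:
            continue
        if is_internal(hop["from_ip"]):
            return hop["from_ip"], "private address: an internal relay, not the sender"
        if index > 0:
            return hop["from_ip"], "provider relay: earlier hops name no client, trail ends here"
        return hop["from_ip"], "client address in oldest Received: hop"
    return None, "no address in any Received: hop"


if __name__ == "__main__":
    for label, raw in (("Hotmail", HOTMAIL), ("Gmail", GMAIL), ("Yahoo", YAHOO)):
        print(f"== {label} ==")
        for hop in parse_received(raw):  # oldest hop first, i.e. the header read bottom-up
            print(f"  {hop['from'] or '?'} ({hop['from_ip'] or '-'}) -> {hop['by'] or '?'}")
        print("  origin:", *originating_ip(raw))
```

Two caveats when using this on real mail. The oldest hop can still be the provider's own machine (BAY156-W64 at 65.54.190.61 in the Hotmail dump is a webmail front end, and only the X-Originating-IP line gives the submitter), so the "client address" verdict only means "the first machine that a later server saw connect". And every Received: line is written by the relay that added it: only lines added by servers you control or trust are evidence, while anything below them could have been supplied by the sending side.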
Alan Hardisty (Co-Owner) commented:
Indeed - and I was backing up that comment with evidence not just my word for it.
0
Dave Baldwin (Fixer of Problems) commented:
I said it too... ;-)
0
BWaring commented:
I didn't say it, since his original question didn't ask it :-0

Unfortunately the OP never responded to anyone's comments OR questions, and I would agree with alanhardisty that backing up simple statements with evidence or explanation is most prudent... but without knowing what the OP was really looking for, we will never know!
0
Dave Baldwin (Fixer of Problems) commented:
I know, this is one of those questions where we end up talking to each other because the questioner never responded.
0
JohnDecker commented:
@alanhardisty My apologies, mine was a crass comment. This place needs an edit function.
0