Hi spamfighter
A friend of mine posted this to me but forgot the site he copyed it from.
Yes it is spamers use all types of trick to catch you out.
Getting access to the headers of an email will depend on the kind of mail client that is being used. The instructions contained here will be of use to most individuals to extract email headers.
The header will contain a lot of information that will appear confusing to someone who is looking at one for the first time but can be deciphered using a few rules of thumb. While it may not be possible to interpret all headers using these rules they should work for the majority of headers.
1) The most important section of a mail header are the lines that begin with "Received:".
2) Read the header from the top downwards. The topmost "Received:" line shows the last stage in the delivery of the email - usually the delivery to your mailbox. The lowest "Received:" line usually shows where the email originated from.
3) In most cases there will be two "Received:" lines. The topmost line will show the delivery of the email to your ISP mail server (where you mailbox is held) from the senders mail server. The bottom most "Received:" line will show the path the email took from the system from which it was originally sent to their mail server.
4) If only one "Received:" line (with an IP address) is present it usually means that the email was delivered directly to your mailbox and that the sender was running their own mailserver. Alternatively, they could be running a proxy or mail server and it is a possibility that they may have been exploited by a third party.
5) If there are more then two "Received:" lines in the header it is possible that the header has been falsified and that the additional lines have been added to confuse you about the true origin of the email. It is also a possibility that additional lines were added due to some form of mail forwarding or by the way a particular network is organised. To tell which lines have been falsified, work from the top down and see if you can verify the existence of each of the machines listed in the "Received:" lines by using tools such as Ping or NSLookup. Once you reach an IP address or hostname that you cannot verify it is likely that everything below that line has been falsified and you can disregard it.
6) It is important to examine the time stamps included in the header for consistency. If the time stamps are inconsistent, it is possible that the headers have been falsified.
7) When you have identified what you think is the line that shows where the email originated, always look for the first IP address in square brackets, usually represented as follows: ([IP ADDRESS]). This IP address should be the one allocated to the system which sent the mail.
Example 1:
Below is an example of a genuine spam header. Certain items such as email addresses and IP addresses have been changed.
Return-Path: <
[email protected]>
Delivered-To:
[email protected]
Received: (qmail 93439 invoked by uid 23987); 30 Jan 2003 14:13:25 -0000
Received: from unknown (HELO yahoo.com) ([214.107.36.85]) (envelope-sender <
[email protected]>) by 192.220.93.179 (qmail-ldap-1.03) with SMTP for <
[email protected]>; 30 Jan 2003 14:13:25 -0000
Message-ID: <001200e4bc03$cee46486$
[email protected]>
From: <
[email protected]>
To: <
[email protected]>
Subject: News years resolution = loose weight ?
Date: Fri, 31 Jan 2003 00:47:57 -1100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_00C5_72C71C2D.A0315B28"
X-Priority: 3
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: Normal
Status:
Using our rules of thumb we can determine the email probably originated from IP address 214.107.36.85. However as we only have one "Received:" line that includes an IP address it is also likely that the system that was allocated the IP of 214.107.36.85 either sent the email directly (it belongs to the spammer) or they were running proxy or mail server software that was exploited. An investigation into this incident revealed that the IP address in question was allocated to a system that was running insecure proxy software and massive amounts of email was relayed through the system while the owner was oblivious to what was happening.
Did you open the email
If you are having problems post a HJT.Log into the Malware forum.
Kc