


How Can I Put A Header On My Email Template

Whenever you receive an email, there is a lot more to it than meets the eye. While you typically pay attention only to the from address, subject line and body of the message, there is much more information available "under the hood" of each email which can provide a wealth of additional data.

Why Bother Looking at an Email Header?

This is a very good question. For the most part, you really wouldn't ever need to unless:

  • You suspect an email is a phishing attempt or spoof
  • You want to view routing information on the email's path
  • You are a curious geek

Regardless of your reasons, reading email headers is actually quite easy and can be very revealing.

Article Note: For our screenshots and information, we will be using Gmail, but just about every other mail client should provide this same information as well.

Viewing the Email Header

In Gmail, view the email. For this example, we will use the email below.

Then click the arrow in the upper right corner and select Show original.

The resulting window will show the email header information in plain text.

Note: In all the email header information I show below I have changed my Gmail address to show as myemail@gmail.com and my external email addresses to show as jfaulkner@externalemail.com and jason@myemail.com, as well as masked the IP address of my email servers.

Delivered-To: myemail@gmail.com
Received: by 10.60.14.3 with SMTP id l3csp18666oec;
Tue, 6 Mar 2012 08:30:51 -0800 (PST)
Received: by 10.68.125.129 with SMTP id mq1mr1963003pbb.21.1331051451044;
Tue, 06 Mar 2012 08:30:51 -0800 (PST)
Return-Path: <jfaulkner@externalemail.com>
Received: from exprod7og119.obsmtp.com (exprod7og119.obsmtp.com. [64.18.2.16])
by mx.google.com with SMTP id l7si25161491pbd.80.2012.03.06.08.30.49;
Tue, 06 Mar 2012 08:30:50 -0800 (PST)
Received-SPF: neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) client-ip=64.18.2.16;
Authentication-Results: mx.google.com; spf=neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) smtp.mail=jfaulkner@externalemail.com
Received: from mail.externalemail.com ([XXX.XXX.XXX.XXX]) (using TLSv1) by exprod7ob119.postini.com ([64.18.6.12]) with SMTP
ID DSNKT1Y7uSEvyrMLco/atcAoN+95PMku3Y/9@postini.com; Tue, 06 Mar 2012 08:30:50 PST
Received: from MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3]) by
MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3%11]) with mapi; Tue, 6 Mar
2012 11:30:48 -0500
From: Jason Faulkner <jfaulkner@externalemail.com>
To: "myemail@gmail.com" <myemail@gmail.com>
Date: Tue, 6 Mar 2012 11:30:48 -0500
Subject: This is a legit email
Thread-Topic: This is a legit email
Thread-Index: Acz7tnUyKZWWCcrUQ+++QVd6awhl+Q==
Message-ID: <682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5@MYSERVER.myserver.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
boundary="_000_682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5HARDHAT2hardh_"
MIME-Version: 1.0

When you read an email header, the data is in reverse chronological order, meaning the information at the top is the most recent event. Therefore, if you want to trace the email from sender to recipient, start at the bottom. Examining the headers of this email, we can see several things.

Here we see information generated by the sending client. In this case, the email was sent from Outlook, so this is the metadata Outlook adds.

From: Jason Faulkner <jfaulkner@externalemail.com>
To: "myemail@gmail.com" <myemail@gmail.com>
Date: Tue, 6 Mar 2012 11:30:48 -0500
Subject: This is a legit email
Thread-Topic: This is a legit email
Thread-Index: Acz7tnUyKZWWCcrUQ+++QVd6awhl+Q==
Message-ID: <682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5@MYSERVER.myserver.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
boundary="_000_682A3A66C6EAC245B3B7B088EF360E15A2B30B10D5HARDHAT2hardh_"
MIME-Version: 1.0

The next part traces the path the email takes from the sending server to the destination server. Keep in mind these steps (or hops) are listed in reverse chronological order. We have placed the respective number next to each hop to illustrate the order. Note that each hop shows detail about the IP address and the corresponding reverse DNS name.

Delivered-To: myemail@gmail.com
[6] Received: by 10.60.14.3 with SMTP id l3csp18666oec;
Tue, 6 Mar 2012 08:30:51 -0800 (PST)
[5] Received: by 10.68.125.129 with SMTP id mq1mr1963003pbb.21.1331051451044;
Tue, 06 Mar 2012 08:30:51 -0800 (PST)
Return-Path: <jfaulkner@externalemail.com>
[4] Received: from exprod7og119.obsmtp.com (exprod7og119.obsmtp.com. [64.18.2.16])
by mx.google.com with SMTP id l7si25161491pbd.80.2012.03.06.08.30.49;
Tue, 06 Mar 2012 08:30:50 -0800 (PST)
[3] Received-SPF: neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) client-ip=64.18.2.16;
Authentication-Results: mx.google.com; spf=neutral (google.com: 64.18.2.16 is neither permitted nor denied by best guess record for domain of jfaulkner@externalemail.com) smtp.mail=jfaulkner@externalemail.com
[2] Received: from mail.externalemail.com ([XXX.XXX.XXX.XXX]) (using TLSv1) by exprod7ob119.postini.com ([64.18.6.12]) with SMTP
ID DSNKT1Y7uSEvyrMLco/atcAoN+95PMku3Y/9@postini.com; Tue, 06 Mar 2012 08:30:50 PST
[1] Received: from MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3]) by
MYSERVER.myserver.local ([fe80::a805:c335:8c71:cdb3%11]) with mapi; Tue, 6 Mar
2012 11:30:48 -0500

While this is pretty mundane for a legitimate email, this information can be quite telling when it comes to examining spam or phishing emails.

Examining a Phishing Email – Example 1

For our first phishing example, we will examine an email which is an obvious phishing attempt. In this case we could identify this message as a fraud simply by the visual indicators, but for practice we will take a look at the warning signs within the headers.

Delivered-To: myemail@gmail.com
Received: by 10.60.14.3 with SMTP id l3csp12958oec;
Mon, 5 Mar 2012 23:11:29 -0800 (PST)
Received: by 10.236.46.164 with SMTP id r24mr7411623yhb.101.1331017888982;
Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Return-Path: <securityalert@verifybyvisa.com>
Received: from ms.externalemail.com (ms.externalemail.com. [XXX.XXX.XXX.XXX])
by mx.google.com with ESMTP id t19si8451178ani.110.2012.03.05.23.11.28;
Mon, 05 Mar 2012 23:11:28 -0800 (PST)
Received-SPF: fail (google.com: domain of securityalert@verifybyvisa.com does not designate XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of securityalert@verifybyvisa.com does not designate XXX.XXX.XXX.XXX as permitted sender) smtp.mail=securityalert@verifybyvisa.com
Received: with MailEnable Postoffice Connector; Tue, 6 Mar 2012 02:11:20 -0500
Received: from mail.lovingtour.com ([211.166.9.218]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 02:11:10 -0500
Received: from User ([118.142.76.58])
by mail.lovingtour.com
; Mon, 5 Mar 2012 21:38:11 +0800
Message-ID: <6DCB4366-3518-4C6C-B66A-F541F32A4C4C@mail.lovingtour.com>
Reply-To: <securityalert@verifybyvisa.com>
From: "securityalert@verifybyvisa.com"<securityalert@verifybyvisa.com>
Subject: Notice
Date: Mon, 5 Mar 2012 21:20:57 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0055_01C2A9A6.1C1757C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-ME-Bayesian: 0.000000

The first red flag is in the client information area. Notice that the metadata added here references Outlook Express. It is unlikely that Visa is so far behind the times that they have someone manually sending emails using a 12 year old email client.

Reply-To: <securityalert@verifybyvisa.com>
From: "securityalert@verifybyvisa.com"<securityalert@verifybyvisa.com>
Subject: Notice
Date: Mon, 5 Mar 2012 21:20:57 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0055_01C2A9A6.1C1757C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-ME-Bayesian: 0.000000

Now examining the first hop in the email routing reveals that the sender was located at IP address 118.142.76.58 and their email was relayed through the mail server mail.lovingtour.com.

Received: from User ([118.142.76.58])
by mail.lovingtour.com
; Mon, 5 Mar 2012 21:38:11 +0800

Looking up the IP information using Nirsoft's IPNetInfo utility, we can see the sender was located in Hong Kong and the mail server is located in China.

Needless to say, this is a bit suspicious.

The rest of the email hops are not really relevant in this case, as they show the email bouncing around legitimate server traffic before finally being delivered.

Examining a Phishing Email – Example 2

For this example, our phishing email is much more convincing. There are a few visual indicators here if you look hard enough, but again for the purposes of this article we are going to limit our investigation to the email headers.

Delivered-To: myemail@gmail.com
Received: by 10.60.14.3 with SMTP id l3csp15619oec;
Tue, 6 Mar 2012 04:27:20 -0800 (PST)
Received: by 10.236.170.165 with SMTP id p25mr8672800yhl.123.1331036839870;
Tue, 06 Mar 2012 04:27:19 -0800 (PST)
Return-Path: <security@intuit.com>
Received: from ms.externalemail.com (ms.externalemail.com. [XXX.XXX.XXX.XXX])
by mx.google.com with ESMTP id o2si20048188yhn.34.2012.03.06.04.27.19;
Tue, 06 Mar 2012 04:27:19 -0800 (PST)
Received-SPF: fail (google.com: domain of security@intuit.com does not designate XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of security@intuit.com does not designate XXX.XXX.XXX.XXX as permitted sender) smtp.mail=security@intuit.com
Received: with MailEnable Postoffice Connector; Tue, 6 Mar 2012 07:27:13 -0500
Received: from dynamic-pool-xxx.hcm.fpt.vn ([118.68.152.212]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 07:27:08 -0500
Received: from apache by intuit.com with local (Exim 4.67)
(envelope-from <security@intuit.com>)
id GJMV8N-8BERQW-93
for <jason@myemail.com>; Tue, 6 Mar 2012 19:27:05 +0700
To: <jason@myemail.com>
Subject: Your Intuit.com invoice.
X-PHP-Script: intuit.com/sendmail.php for 118.68.152.212
From: "INTUIT INC." <security@intuit.com>
X-Sender: "INTUIT INC." <security@intuit.com>
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------03060500702080404010506"
Message-Id: <JXON1H-5GTPKV-0H@intuit.com>
Date: Tue, 6 Mar 2012 19:27:05 +0700
X-ME-Bayesian: 0.000000

In this example, a mail client application was not used; rather, a PHP script with the source IP address of 118.68.152.212 sent the message.

To: <jason@myemail.com>
Subject: Your Intuit.com invoice.
X-PHP-Script: intuit.com/sendmail.php for 118.68.152.212
From: "INTUIT INC." <security@intuit.com>
X-Sender: "INTUIT INC." <security@intuit.com>
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------03060500702080404010506"
Message-Id: <JXON1H-5GTPKV-0H@intuit.com>
Date: Tue, 6 Mar 2012 19:27:05 +0700
X-ME-Bayesian: 0.000000

However, when we look at the first email hop it appears to be legitimate, as the sending server's domain name matches the email address. Be wary of this, though, as a spammer could easily name their server "intuit.com".

Received: from apache by intuit.com with local (Exim 4.67)
(envelope-from <security@intuit.com>)
id GJMV8N-8BERQW-93
for <jason@myemail.com>; Tue, 6 Mar 2012 19:27:05 +0700

Examining the next step crumbles this house of cards. You can see that the second hop (where the message is received by a legitimate email server) resolves the sending server back to the domain "dynamic-pool-xxx.hcm.fpt.vn", not "intuit.com", with the same IP address indicated in the X-PHP-Script header.

Received: from dynamic-pool-xxx.hcm.fpt.vn ([118.68.152.212]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 07:27:08 -0500

Viewing the IP address information confirms the suspicion, as the mail server's location resolves back to Vietnam.

While this example is a bit more clever, you can see how quickly the fraud is revealed with only a slight bit of investigation.
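The two checks walked through above (reading the Received hops from the bottom up, then comparing the sender's self-reported first hop against what the next relay recorded) can be automated. This is an added example in Python, not code from the original article or from Nirsoft; the sample headers are constructed from the sanitised Example 2 above with a documentation-range IP in place of the masked one, and the names parse_hops and red_flags are chosen here.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr
# Constructed sample modelled on the page's sanitised "Example 2" headers
# (folded Received lines, SPF fail, PHP-script origin); not a real capture.
SAMPLE = """\
Received: from ms.externalemail.com (ms.externalemail.com. [192.0.2.10])
        by mx.google.com with ESMTP id o2si20048188yhn.34.2012.03.06.04.27.19;
        Tue, 06 Mar 2012 04:27:19 -0800 (PST)
Received-SPF: fail (google.com: domain of security@intuit.com does not designate 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Received: from dynamic-pool-xxx.hcm.fpt.vn ([118.68.152.212]) by ms.externalemail.com with MailEnable ESMTP; Tue, 6 Mar 2012 07:27:08 -0500
Received: from apache by intuit.com with local (Exim 4.67)
        for <jason@myemail.com>; Tue, 6 Mar 2012 19:27:05 +0700
From: "INTUIT INC." <security@intuit.com>
X-PHP-Script: intuit.com/sendmail.php for 118.68.152.212
"""
# "from <host> (<comment> [<ip>]) by <host>": the from-part and the ip are optional.
HOP_RE = re.compile(r"^(?:from\s+(?P<frm>\S+)(?P<extra>.*?)\s+)?by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")

def parse_hops(raw_headers):
    """Return the Received hops oldest-first (the bottom of the header is hop 1)."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines, squeeze spaces
        m = HOP_RE.match(value)
        ip = IP_RE.search(m.group("extra") or "") if m else None
        hops.append({"from": m.group("frm") if m else None,
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by") if m else None})
    return hops

def red_flags(raw_headers):
    """The page's checks: SPF result, script mailer, first hop contradicted by the next relay."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = parse_hops(raw_headers)
    flags = []
    if re.match(r"\s*(fail|softfail)\b", msg.get("Received-SPF", ""), re.I):
        flags.append("spf-fail")
    if "X-PHP-Script" in msg or msg.get("X-Mailer", "").strip().lower() == "php":
        flags.append("script-mailer")
    # Hop 1 is written by the sender's own server, so its "by" host is only a claim;
    # hop 2 is the first record made by a server the sender does not control.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain and len(hops) > 1 and (hops[0]["by"] or "").lower().endswith(sender_domain):
        nxt = hops[1]
        if nxt["from"] and not nxt["from"].lower().endswith(sender_domain):
            flags.append(f"origin-mismatch:{hops[0]['by']}!={nxt['from']}[{nxt['ip']}]")
    return flags
```

Running red_flags(SAMPLE) yields all three indicators the article found in Example 2; the same functions work on the plain-text output of Gmail's Show original.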

Conclusion

While viewing email headers probably isn't a part of your typical day to day needs, there are cases where the information contained in them can be quite valuable. As we showed above, you can quite easily identify senders masquerading as something they are not. Even for a very well executed scam where the visual cues are convincing, it is extremely difficult (if not impossible) to impersonate actual mail servers, and reviewing the information within the email headers can quickly reveal any chicanery.

Links

Download IPNetInfo from Nirsoft


Source: https://www.howtogeek.com/108205/htg-explains-what-can-you-find-in-an-email-header/

Posted by: rowestrust.blogspot.com
