
Reading SMTP Headers

If you're looking to read SMTP headers, then you probably have an email that you want to trace the origin of.

In this email, you will find a number of Received: headers. Each relay that handles the message adds one at the top, so reading them from the top down gives you the hops in reverse chronological order. That means the header you are most interested in is the bottom one (the earliest hop).

Here are some headers from a piece of spam that I recently received:

Received: by 10.58.96.2 with SMTP id do2csp211828veb;
        Tue, 14 Jan 2014 03:43:36 -0800 (PST)
X-Received: by 10.224.172.9 with SMTP id j9mr1898821qaz.96.1389699816103;
        Tue, 14 Jan 2014 03:43:36 -0800 (PST)
Return-Path: <vynzyjoggd@uthru.com>
Received: from uthru.com ([183.80.38.202])
        by mx.google.com with ESMTP id b11si316360qen.141.2014.01.14.03.43.26
        for <multiple recipients>;
        Tue, 14 Jan 2014 03:43:36 -0800 (PST)
Received-SPF: neutral (google.com: 183.80.38.202 is neither permitted nor denied by best guess record for domain of vynzyjoggd@uthru.com) client-ip=183.80.38.202;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 183.80.38.202 is neither permitted nor denied by best guess record for domain of vynzyjoggd@uthru.com) smtp.mail=vynzyjoggd@uthru.com
Message-ID: <IKMPUYOLOBTLMLCZGLGVFL@uthru.com>
From: "Male Enhancement" <vynzyjoggd@uthru.com>
Reply-To: "Male Enhancement" <vynzyjoggd@uthru.com>
To: <REDACTED1@example.com>
Cc: <REDACTED2@example.com>,
	<REDACTED3@example.com>,
	<REDACTED4@example.com>
Subject: A Stronger, Thicker, Improved Performance Penis
Date: Tue, 14 Jan 2014 03:43:44 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="--3105531770320552"
X-Priority: 2

Here, only one such header matters: the one reading Received: from uthru.com ([183.80.38.202]) by mx.google.com. It tells us the IP address from which the message originated, which is 183.80.38.202.
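As an added example that is not part of the original article, here is a small Python script that does the same header walk programmatically: it collects the Received: headers newest-first, takes the bottom-most one as the originating hop, and pulls out the claimed hostname, the bracketed client IP and the receiving relay. The sample input is constructed from the headers quoted above; the function names are my own.

```python
"""Walk the Received: chain of a raw header block and report the earliest hop,
which the article identifies as the origin of the message."""
import re
from email.parser import HeaderParser

# Constructed sample: the spam headers quoted in the article (recipients dropped).
SAMPLE_HEADERS = """\
Received: by 10.58.96.2 with SMTP id do2csp211828veb;
        Tue, 14 Jan 2014 03:43:36 -0800 (PST)
X-Received: by 10.224.172.9 with SMTP id j9mr1898821qaz.96.1389699816103;
        Tue, 14 Jan 2014 03:43:36 -0800 (PST)
Return-Path: <vynzyjoggd@uthru.com>
Received: from uthru.com ([183.80.38.202])
        by mx.google.com with ESMTP id b11si316360qen.141.2014.01.14.03.43.26
        for <multiple recipients>;
        Tue, 14 Jan 2014 03:43:36 -0800 (PST)
Received-SPF: neutral (google.com: 183.80.38.202 is neither permitted nor denied by best guess record for domain of vynzyjoggd@uthru.com) client-ip=183.80.38.202;
From: "Male Enhancement" <vynzyjoggd@uthru.com>
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed client address
FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)  # hostname the sender claimed
BY_HOST = re.compile(r"\bby\s+(\S+)")                    # relay that wrote this hop

def received_hops(raw_headers):
    """Return the Received: headers newest-first, each unfolded onto one line.
    X-Received: and other look-alikes are deliberately not included."""
    msg = HeaderParser().parsestr(raw_headers)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def originating_hop(raw_headers):
    """Describe the earliest (bottom-most) Received: hop, or None if there is none.
    Only hops written by relays you trust are reliable: a sender can pre-insert
    fake Received: lines below the genuine ones, so stop at your own border MX."""
    hops = received_hops(raw_headers)
    if not hops:
        return None
    earliest = hops[-1]
    ip, frm, by = IPV4.search(earliest), FROM_HOST.search(earliest), BY_HOST.search(earliest)
    return {
        "claimed_from": frm.group(1) if frm else None,
        "client_ip": ip.group(1) if ip else None,
        "received_by": by.group(1) if by else None,
        "hop_count": len(hops),
    }

if __name__ == "__main__":
    print(originating_hop(SAMPLE_HEADERS))
```

The client_ip field is the value you then hand to WHOIS; the claimed_from hostname is whatever the sending host announced in HELO and should not be trusted on its own.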

So what now? Now, we use a WHOIS tool to look up that IP address:

[root@centos6 ~]# whois 183.80.38.202
[Querying whois.arin.net]
[Redirected to whois.apnic.net]
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '183.80.32.0 - 183.80.47.255'

inetnum:        183.80.32.0 - 183.80.47.255
netname:        FPTDYNAMICIP-NET
country:        vn
descr:          FPT Telecom Company
descr:          2nd floor FPT Building, Pham Hung Road, Cau Giay District, Hanoi
admin-c:        TTH19-AP
tech-c:         NOC21-AP
status:         ALLOCATED NON-PORTABLE
remarks:        For spamming matters, mail to abuse@fpt.vn
changed:        hm-changed@vnnic.net.vn 20120809
mnt-by:         MAINT-VN-FPT
mnt-irt:        IRT-VNNIC-AP
source:         APNIC

And we see that the IP address is part of a netblock which is registered to a telco in Vietnam. In their remarks section, they have provided an abuse email address, so you can contact them to report abuse of their network, such as sending spam emails like this one. Good luck with that.

If you do not have access to a WHOIS tool, you can use a web-based service to look up the IP address with the relevant regional internet registry (RIR). European IP addresses are registered through RIPE. North American IPs are registered through ARIN. Asian and Pacific Rim IP addresses are registered via APNIC. African IP addresses can be found with AFRINIC. Central and Southern American IP addresses are registered with LACNIC. If you're not sure which one to query, you can query either LACNIC or APNIC, as these two will refer your query to other RIRs to get the right answer. Or you can just cheat and use something like ping.eu.