Sometimes you need to check to see where a message really came from. The 'From:' email address is easily forged, so that cannot be relied upon.
The first thing you have to do is to get the full message headers. These may look daunting, but are very useful for problem diagnosis.
The most important headers are those beginning with Received. Each mail server which handles the message will add its own Received trace header to the start of the message. So, to see the passage of the message through time you have to find the lowest Received line in the headers, and work upwards.
This is an example of some full headers:

Return-Path: <a.user@example.com>
Received: from mail.example.com ([127.221.14.44])
    by lmail.pscs.co.uk ([217.155.61.13] running VPOP3) with ESMTP
    for <support@pscs.co.uk>; Thu, 20 Oct 2011 09:36:35 +0100
Received: from [192.168.1.101] ([127.31.11.95])
    by example.com (Postfix) with ESMTP id 891688127.17872.3016
    for <support@pscs.co.uk>; Thu, 20 Oct 2011 04:36:25 -0400
Message-ID: <4E9FDD90.3080001@example.com>
Date: Thu, 20 Oct 2011 04:36:32 -0400
From: Alex User <a.user@example.com>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Paul Smith <support@pscs.co.uk>
Subject: Re: This is a message
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-VPOP3-ORIGRCPT: paul@pscs.co.uk

This passed through
If the message came from your local VPOP3 and you use SMTP authentication, you can also check the X-Authenticated-Sender header line, which shows which user logged in to send the message. (Note that if the passwords are weak, someone may have guessed their password and be using their account without their knowledge.)
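
The bottom-up reading of the Received lines and the X-Authenticated-Sender check described above can be scripted. This is an added example, not part of the original page or of VPOP3; the function names trace_hops and authenticated_sender are made up for illustration, and the sample is a trimmed copy of the headers shown above.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Trimmed copy of the example headers shown on this page.
SAMPLE = """\
Return-Path: <a.user@example.com>
Received: from mail.example.com ([127.221.14.44])
\tby lmail.pscs.co.uk ([217.155.61.13] running VPOP3) with ESMTP
\tfor <support@pscs.co.uk>; Thu, 20 Oct 2011 09:36:35 +0100
Received: from [192.168.1.101] ([127.31.11.95])
\tby example.com (Postfix) with ESMTP id 891688127.17872.3016
\tfor <support@pscs.co.uk>; Thu, 20 Oct 2011 04:36:25 -0400
From: Alex User <a.user@example.com>
Subject: Re: This is a message

"""

HOP_RE = re.compile(r"\bfrom\s+(?P<src>.+?)\s+by\s+(?P<by>\S+)")

def _parse_time(stamp):
    """Return an aware datetime, or None if the date part is unparseable."""
    try:
        return parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        return None

def trace_hops(raw):
    """Return the Received hops oldest first (lowest header line first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())           # unfold continuation lines
        info, sep, stamp = value.rpartition(";")  # date follows the last ';'
        m = HOP_RE.search(value)
        hops.append({"from": m.group("src") if m else None,
                     "by": m.group("by") if m else None,
                     "time": _parse_time(stamp) if sep else None})
    return hops

def authenticated_sender(raw):
    """Value of X-Authenticated-Sender, or None when the header is absent."""
    return email.message_from_string(raw).get("X-Authenticated-Sender")

if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(SAMPLE), 1):
        print(n, hop["time"], hop["from"], "->", hop["by"])
    print("authenticated sender:", authenticated_sender(SAMPLE))
```

Only the Received lines added by servers you control are trustworthy; anything below them was supplied by the sending side and can be forged just like the From: address.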