Mail Headers Question

[LSainsbury]

When looking at mail headers, where does it say who the senders ISP is?

I'm looking at a a particular email that I have recieved, which has been forwarded through a number of server and a corporate spam solution (MessageLabs)...

Any ideas on what I should look for?

Thanks
Lee

[sparky621]

Hi Lee
Take it you're trying to trace some spam to its source?
Have a look here:
http://www.lse.ac.uk/itservices/help/emailheader.htm
it explains quite well.
Some paths can be long (and winding) but the last in the list is where its come from.
Sparky

[Toto]

As per Sparky621's comments.

The bottom most "Received from:" section contains the network IP address that sent the email.

By performing a lookup on that IP address in a regional registrar database, you should be able to find the network abuse contact, which is normally abuse@domain. A good free tool is http://geektools.com/whois.php.

The top most received from section usually contains your networks mail transport address, this will not be the sender of the email.

[Rob M]

Don't forget though that even if you can identify the originating IP it might not necessarily belong to the actual sender.

[webcrawler2050]

Could you post the header here -

With headers, you are suppost to read them bottom to top - Bottom being the start

I.E:

Microsoft Mail Internet Headers Version 2.0
Received: from GLOSFW0003.gloucester.serco.com ([192.168.50.6]) by glosex0001.internal-x.serco.com with Microsoft SMTPSVC(6.0.3790.3959);
Mon, 7 Apr 2008 00:40:16 +0100
Received: from coremtaexm04.core.serco.com (unknown [217.22.1.162])
by GLOSFW0003.gloucester.serco.com (BorderWare MXtreme Mail Firewall) with SMTP id C7B3D1F26A
for <richard.copestake@gloucester.serco.com>; Mon, 7 Apr 2008 00:17:02 +0100 (BST)
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
coremtaexm04.core.serco.com
X-Spam-Level:
X-Spam-Status: No, score=-6.6 required=4.0 tests=BAYES_00,RCVD_IN_DNSWL_MED
autolearn=ham version=3.2.3
Received: from mail188.messagelabs.com ([85.158.139.163]:48246)
by coremtaexm04.core.serco.com with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.50)
id 1JieT6-00050j-81
for richard.copestake@serco.com; Mon, 07 Apr 2008 00:40:12 +0100
X-VirusChecked: Checked
X-Env-Sender: email.bounces@mobilefun.co.uk
X-Msg-Ref: server-12.tower-188.messagelabs.com!1207525202!6333335!1 <<- Here is the message labs sending spam servers
X-StarScan-Version: 5.5.12.14.2; banners=-,-,-
X-Originating-IP: [62.89.145.108]
Received: (qmail 26880 invoked from network); 6 Apr 2008 23:40:02 -0000
Received: from mail.mobilefun.co.uk (HELO mail.mobilefun.co.uk) (62.89.145.108) These few lines are the sending servers and IPs
by server-12.tower-188.messagelabs.com with AES256-SHA encrypted SMTP; 6 Apr 2008 23:40:02 -0000
Received: from 62-89-145-109.pool.free.th.hotchilli.net ([62.89.145.109] helo=www.mobilefun.co.uk)
by mail.mobilefun.co.uk with esmtp (Exim 4.63) << Heres the Sending Server
id 1JieSw-0008KI-FB
for richard.copestake@serco.com; Mon, 07 Apr 2008 00:40:02 +0100
To: richard.copestake@serco.com
From: order.system@mobilefun.co.uk
Subject: Mobile Fun Order Acknowledgement - MF1325379
Message-Id: <E1JieSw-0008KI-FB@mail.mobilefun.co.uk>
Date: Mon, 07 Apr 2008 00:40:02 +0100
X-Processed-ID: 85.158.139.163
X-STA-Metric: 0 (engine=028)
X-STA-NotSpam: 0870 acknowledgement by: subject:Acknowledgem -------------
X-STA-Spam: 6pm url:customer account, sim cost:
X-BTI-AntiSpam: score:0,sta:0/028,dcc:passed,dnsbl:passed,sw:off,bsn:50/passed,spf:off,dk:off,pbmf:none,ipr:none,trusted:n o,ts:no,bs:no,ubl:passed
Return-Path: email.bounces@mobilefun.co.uk
X-OriginalArrivalTime: 06 Apr 2008 23:40:16.0459 (UTC) FILETIME=[911679B0:01C8983F]