Finding Email Headers in Email Messages and Reporting Abuse: Spammers and Scammers
Outlook (most versions)
Right-click the message whose header you want to view; on the menu click Options, and the email header will be in a box at the bottom of the window.
Outlook Express (most versions)
Right-click the message whose header you want to view; on the menu click Properties, then at the top of the new window click Details, and you will see the header in the box.
Yahoo Mail (Web Based)
Click on the link under Subject to view the message. While viewing the message, look at the top right of the message and find the link that reads “Full Headers” and click on it. The header will be listed above the email.
Gmail (Web Based)
- Open the email you want to check the headers for
- Next to Reply, click the Down arrow
- Click Show original
- Copy the text
- Open the Message header tool
- In “Paste email header here,” paste your header
- Click Analyze the header above
How to Analyze Scam Email Headers
It is possible for the sending address and IP address to be “spoofed” or faked, but a little research will usually reveal that.
Here is an Example of an Email Header
X-YPOPs-Folder: Inbox
X-RocketYMUMID: AIgmvs4AAV61QrzemAAYfy95Te4
X-Apparently-To: [email protected] via 18.104.22.168; Fri, 24 Jun 2005 21:33:27 -0700
X-Originating-IP: [22.214.171.124]
Return-Path: <[email protected]
X-RocketTIP: 126.96.36.199 ; YAHOO
Authentication-Results: mta350.mail.scd.yahoo.com from=yahoo.com; domainkeys=pass (ok)
Received: from 188.8.131.52 (HELO web60916.mail.yahoo.com) (184.108.40.206) by mta350.mail.scd.yahoo.com with SMTP; Fri, 24 Jun 2005 21:33:27 -0700
Received: (qmail 16766 invoked by uid 60001); 25 Jun 2005 04:33:26 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=d+Aj4dDTTZY2DSTE++OZbmbgd8TaDO+kxz4y/CA6cScid4vmcSP/WO7+10b455G+ZIqtDTgDtP9z8g13rw6Xclp3EmRCX49mAYsDttna+eH+xuiJUBX7kZLDrMnaDf4yoaMt92GzBbjfdBu+SjqQgK/WYubAt9y1j4bm3czqN8=;
Message-ID: <[email protected]
Received: from [220.127.116.11] by web60916.mail.yahoo.com via HTTP; Fri, 24 Jun 2005 21:33:26 PDT
Date: Fri, 24 Jun 2005 21:33:26 -0700 (PDT)
From: kelly lizzy <[email protected]
Subject: my pics
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-643441667-1119674006=:15556"
Content-Transfer-Encoding: 8bit
Content-Length: 62927
You Read Email Headers from the Bottom Up
This part can be spoofed, so you can usually ignore it:
From: kelly lizzy <[email protected]
Subject: my pics
To: [email protected]
Content-Type: multipart/mixed; boundary="0-643441667-
Then look for the first Received: from line (the lowest one, since you read bottom up); the address it records is the originating IP:
18.104.22.168 is the originating IP.
Received: from [22.214.171.124] by web60916.mail.yahoo.com via HTTP;
Fri, 24 Jun 2005 21:33:26 PDT
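As an added example (not part of the original article), the script below reads the Received: chain bottom-up the way the text describes, skips hops that do not start with "from" (such as the qmail line), and reports the originating IP alongside the spoofable From/Subject/To fields. The header is a constructed sample modelled on the one above, using RFC 5737 documentation addresses rather than the original values.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample header (not the original message); the IPs are
# RFC 5737 documentation addresses chosen to mirror the layout above.
SAMPLE_HEADER = """\
X-Apparently-To: recipient@example.net via 192.0.2.10; Fri, 24 Jun 2005 21:33:27 -0700
Return-Path: <sender@example.com>
Received: from 192.0.2.20 (HELO web.mail.example.com) (192.0.2.20)
  by mta.mail.example.net with SMTP; Fri, 24 Jun 2005 21:33:27 -0700
Received: (qmail 16766 invoked by uid 60001); 25 Jun 2005 04:33:26 -0000
Received: from [198.51.100.77] by web.mail.example.com via HTTP;
  Fri, 24 Jun 2005 21:33:26 PDT
From: kelly lizzy <sender@example.com>
Subject: my pics
To: recipient@example.net

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """Received: headers in delivery order (earliest relay first).

    Each relay prepends its own Received: line, so the last one in the
    message is the first hop; reversing the list gives bottom-up order.
    """
    msg = message_from_string(raw, policy=default)
    hops = msg.get_all("Received", [])
    return [" ".join(h.split()) for h in reversed(hops)]


def originating_ip(raw):
    """IP from the first 'Received: from' hop, i.e. the earliest relay that recorded one."""
    for hop in received_hops(raw):
        if hop.lower().startswith("from "):
            m = IPV4.search(hop)
            if m:
                return m.group(1)
    return None  # no usable hop: treat the origin as unknown, not as trusted


def spoofable_fields(raw):
    """Sender-controlled fields; useful for the report, but not evidence of origin."""
    msg = message_from_string(raw, policy=default)
    return {k: str(msg[k]) for k in ("From", "Subject", "To") if msg[k]}


if __name__ == "__main__":
    print("originating IP:", originating_ip(SAMPLE_HEADER))
    print("spoofable:", spoofable_fields(SAMPLE_HEADER))
```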
Finding Out Where The IP Address Is Located
The easiest way to find out where an email originated is to copy the entire header and paste it into a header analysis site like the one here.
OR use this alternative:
Another place you can go is http://www.dnsstuff.com; paste the IP address into the IPWHOIS Lookup box to find out where this IP came from. If you want to know who owns this IP address, this is the way to do it. Here it is: COBRANET-ISP-TGB. I got this from the WHOIS lookup; it is the contact person who, I would imagine, bought the IP block:
person: Hikmat Mardo
address: Lagos-Nigeria
address: Lekki Phase 1
address: rafiu babatunde street plot 8
phone: +23417767720
phone: +234802 832 2133
phone: +23415555656
phone: +9613666325
e-mail: ***@cobranet.org
nic-hdl: HM1517-RIPE
notify: ********@teleport-iabg.de
mnt-by: IABG-MNT
changed: *******@iabg.de 20040617
source: RIPE
Then we Googled it, and the first of two Google results was:
419 Scam – Spam sources by IP address (Advance Fee Fraud) – Jun 25: COBRANET-ISP-TGB 126.96.36.199 – David Hart, Weartherbys Bank Limited 188.8.131.52 – [email protected] (holocaust) ... www.joewein.de/sw/419-by-ip.htm (Jun 24, 2005)
Reporting Abuse: Spammers and Scammers
When we do an IP trace, it always shows where to report abuse. If the ISPs take action, maybe they can shut down some of the scammers on the other end. When we report them, it might be a good idea to add the FTC to the email thread as well: if enough people see it, someone might do something about it. Also send it to your ISP’s abuse desk.
The SEC’s Office of Internet Enforcement Complaint Center
The SEC indicates that investment-related scam spam can be forwarded to the SEC.
Attempts to Unlawfully Sell Prescription Medications Online
If people attempt to sell you prescription medications online without requiring a physician’s prescription, the Food and Drug Administration would like to know about it. You can report emails promoting illegal medical products by forwarding those emails (see FDA).
US Customs Service CyberSmuggling Center, Child Exploitation Unit
Occasionally you may receive spam related to child pornography. As noted at US Customs, you should immediately report this to the US Customs Service at 1-800-BE-ALERT or the National Center for Missing and Exploited Children at 1-800-843-5678, or contact the ICE Cybersmuggling Center.
Please note that you should not download any child pornographic materials under any circumstances, since the mere possession of this type of material is a violation of federal and state laws. Let trained law enforcement officers conduct their own investigation when it comes to child porn spam.
Internet Fraud in General
Internet fraud complaints may be filed with the FBI.
4-1-9 Nigerian Advance Fee Fraud Spam
In this type of scam spam, overseas, often Nigerian, con men typically offer you a share in millions of dollars worth of “over-invoiced contracts” (if only you will “temporarily” cover the cost of some “advance fees”). It can be reported to the United States Secret Service by faxing a copy of the 4-1-9 solicitation to (202) 406-5031. As noted, the Secret Service also has jurisdiction over online credit card fraud, among other scams.
Pyramid Schemes or Chain Letters Using the U.S. Mail
If you receive spam that’s a pyramid or chain-letter scheme and it uses the United States mail at any step along the way (for example, if it instructs you to send money to an address via the mail), it is illegal and should be reported to the U.S. Postal Service. As noted, you should turn over a copy of the chain letter or pyramid scheme advertisement to your local postmaster or nearest postal inspector. The nearest Postal Inspection Service office for Oregonians is:
POSTAL INSPECTION SERVICE
UNITED STATES POSTAL SERVICE
PO BOX 400
SEATTLE WA 98111-4000
Phone : 206-442-6300
Fax : 206-442-6304
Unsolicited Commercial Email (Spam) In General
According to its Consumer Complaint Form site, the FTC enters Internet, telemarketing, identity theft and other fraud-related complaints into a secure online database available to hundreds of civil and criminal law enforcement agencies worldwide.
If you wish to report unsolicited commercial email to the FTC, you should forward that spam to them.
State Agencies and Spam
The Oregon Attorney General’s Office indicates that consumers can report email scams to the State Department of Justice Consumer Hotline. However, there is no indication what will be done with spam that gets forwarded to that address.
Some states, such as California, have been faulted for establishing spam reporting channels but then failing to follow through. Pointers to all states with anti-spam laws:
Reporting Spam Directly to an ISP Spam Source: Get Help from SpamCop
If you decide to complain directly to the ISP that’s hosting spammers, or that is itself the source of spam, SpamCop can help you find the right ISP.
IP Address Resource Links
The ARIN database search; whois IP numbers here: https://www.arin.net/index.shtml
Regional Internet Registry; also an IP lookup: https://www.ripe.net/index.html
What is my IP Address?: http://www.showip.net/
IP Address Lookups