TR-07 - HOWTO find SMTP headers in common Email clients


Overview

Besides the user-visible mail body, an email also contains a header section that is normally hidden from the user. The body mainly consists of the message itself, while the header contains meta information, most of which was added by the servers that handled the email.

It is easy for attackers to modify the information that is visible to the user, for example the “From” field, in order to send spoofed emails. Email is therefore not reliable.

In cases of malicious activity such as “phishing” or “spamming”, it is essential to get the header data. The reason is that the header contains information about the attacker which he cannot access and which was added to the email by the servers that handled it. This information can be used to identify the attacker.

Example

With the information contained in the following header it is possible to trace back the real origin of the email.

   Received: from mailout-us.gmx.com (mailout-us.gmx.com. [74.208.5.67]) by mx.google.com with SMTP id c6si12554842qaf.84.2012.01.04.07.27.04; Wed, 04 Jan 2012 07:27:05 -0800 (PST)
   Received-SPF: pass (google.com: domain of header@gmx.us designates 74.208.5.67 as permitted sender) client-ip=74.208.5.67;
   Received: (qmail 8217 invoked by uid 0); 4 Jan 2012 15:26:45 -0000
   Received: from 83.99.17.17 by rms-us015 with HTTP
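
The trace described above can be scripted. The following Python sketch is an added example, not part of the original report or a CIRCL tool: it reads the “Received” lines of the sample header from the oldest hop to the newest and reports the first recorded client address. The function names and the regular expressions are assumptions made for this illustration.

```python
import ipaddress
import re
from email import message_from_string

# Header lines from the example above; the first line is folded for readability.
SAMPLE = (
    "Received: from mailout-us.gmx.com (mailout-us.gmx.com. [74.208.5.67])\n"
    " by mx.google.com with SMTP id c6si12554842qaf.84.2012.01.04.07.27.04;\n"
    " Wed, 04 Jan 2012 07:27:05 -0800 (PST)\n"
    "Received-SPF: pass (google.com: domain of header@gmx.us designates"
    " 74.208.5.67 as permitted sender) client-ip=74.208.5.67;\n"
    "Received: (qmail 8217 invoked by uid 0); 4 Jan 2012 15:26:45 -0000\n"
    "Received: from 83.99.17.17 by rms-us015 with HTTP\n"
)

# Only the "from ..." clause is searched, so digits in SMTP ids are ignored.
HOP = re.compile(r"^from\s+(?P<src>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_CANDIDATE = re.compile(r"\[([0-9A-Fa-f:.]+)\]|\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def first_ip(text):
    """Return the first syntactically valid IP address in text, or None."""
    for bracketed, bare in IP_CANDIDATE.findall(text):
        try:
            return str(ipaddress.ip_address(bracketed or bare))
        except ValueError:
            continue
    return None


def trace_hops(raw_headers):
    """List relay hops oldest first; servers prepend, so reverse header order."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP.match(value)
        if m:  # local hand-offs such as the qmail line have no "from" clause
            hops.append({"by": m["by"].rstrip(";"), "ip": first_ip(m["src"])})
    return hops


def origin_ip(raw_headers):
    """IP of the oldest hop that recorded one (the submitting client)."""
    return next((h["ip"] for h in trace_hops(raw_headers) if h["ip"]), None)


if __name__ == "__main__":
    print(trace_hops(SAMPLE), "origin:", origin_ip(SAMPLE))
```

“Received” lines below the first server you trust could have been inserted by the sender, so treat the reported origin as a lead to verify against the logs of the servers involved.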

Analysis

Google provides a very simple and straightforward tool to analyse the headers. If you do not understand the output of the analyzer, please send the header to us.

As the headers already travelled in clear text over the network, using this tool does not disclose too much information. But depending on the case, it might.

Use with care.

Mozilla

Thunderbird

  1. From the menu “View” select “Headers/All” to get a quick view.

  2. Press the keys “CTRL” + “u” or select “Message Source” from the “View” menu to open a new window containing the email including all the headers.

  3. Select all the data then right-click and select “Copy” to copy them to the clipboard.
  4. “Paste” this data into the report.

Microsoft

Outlook 2000–2007

  1. Right-click the appropriate email and select “Options…”.

  2. Find the headers within the field “Internet headers:”.

  3. Select all the header data then right-click and select “Copy” to copy them to the clipboard.

  4. “Paste” these headers into the report.

Outlook 2010–2013

  1. Open the appropriate email within its own window, for example by double-clicking it.
  2. Select the “File” menu and ensure that the item “Info” is selected.
  3. Click the item “Properties” in the middle pane of the window.

  4. In “Properties” find the headers within the field “Internet headers:”.

  5. Select all the header data then right-click and select “Copy” to copy them to the clipboard.

  6. “Paste” these headers into the report.

Lotus Notes

  1. Select the email you would like to investigate and open it.
  2. Open the “View” menu and choose “Show/Page Source”.
  3. Select all the header data then right-click and select “Copy” to copy them to the clipboard.

Apple Mail App

  1. Select the email you would like to investigate and open it.
  2. Open the “View” menu and then choose “Message” and “Raw Source”.
  3. A new window will open containing the whole raw message. Select everything and copy it to the clipboard.

Webmail

Gmail

  1. Open the appropriate email.
  2. Click the “down” arrow next to the “Reply” button and select “Show Original”, to open a new window containing the email including all the headers.

  3. Select all the data then right-click and select “Copy” to copy them to the clipboard.
  4. “Paste” this data into the report.

GMX

  1. In the Inbox, select the appropriate email.
  2. In the top pane of the email click the “i” symbol on the right. This will open a new window including all the headers.

  3. Select all the data then right-click and select “Copy” to copy them to the clipboard.
  4. “Paste” this data into the report.

Hotmail / live.com

  1. Right-click the appropriate email and select “View message source”, to open a new window containing the email including all the headers.

  2. Select all the data then right-click and select “Copy” to copy them to the clipboard.
  3. “Paste” this data into the report.

Yahoo

  1. In the Inbox, select the appropriate email.
  2. In the top pane of the email click “More actions for selected emails” and select “Full Header”, to open a new window containing the full header.

  3. Select all the data then right-click and select “Copy” to copy them to the clipboard.

  4. “Paste” this data into the report.