
How to Read Headers

Thanks to the Abuse of Usenet: The Woodside Literary Agency site for allowing us to mirror their page.

Full headers that contain the entire path and the route the email or newsgroup message took are absolutely required when sending complaints about spammers, online harassers or cyberstalkers. If you do not have an email program that can show full headers, it's highly recommended that you switch to one that does. Without full headers, the ISP is unable to track down a spammer or online abuser.

There are several email programs (also known as x-mailers) that do not have this capability. Some email programs used for interoffice communications also do not have this feature available.

However, email programs such as Eudora Pro and Agent do have this capability. With Eudora Pro, there is a button icon located in the upper left part of the tool bar that reads "BLAH BLAH BLAH". If you click on this button, the full headers will appear. This button must also be active if you want to forward any email and include the full headers.


Here is an example of what you usually see when receiving an email or reading a post on a newsgroup -- let's use one of Woodside's email spams for the example:

From: Jffonn@aol.com
Date: Fri, 27 Dec 1996 22:39:19 -0800
Organization: Friends&Co
To: hitchcocks@geocities.com
Subject: Bandit

How can we tell the FROM and REPLY-TO addresses are false? After activating the "full headers" function on your email or newsreader program, the message will look something like this:

From: Jffonn@aol.com
[169.132.96.55]) by Mail.IDT.NET (8.8.4/8.7.3) with SMTP id VAA19099 for <hitchcocks@geocities.com>; Fri, 27 Dec 1996 21:39:19 -0500 (EST)
Message-ID: <32C4C097.41FA@aol.com>
Date: Fri, 27 Dec 1996 22:39:19 -0800
Organization: Friends&Co
X-Mailer: Mozilla 2.01 (Win16; I)
MIME-Version: 1.0
To: hitchcocks@geocities.com
Subject: Bandit

Out of the headers above, what is pasted below is the only part that is not forged, which shows that the email really came from IDT.NET and *not* aol.com.

[169.132.96.55]) by Mail.IDT.NET (8.8.4/8.7.3) with SMTP id VAA19099 for <hitchcocks@geocities.com>; Fri, 27 Dec 1996 21:39:19 -0500 (EST)

Also, the numbers in the brackets, [169.132.96.55], are actually an IP address, which verifies that this email originally came not only from IDT, but from New York City, as follows: ppp-55.ts-1.nyc.idt.net

How was that deduced? There is a web page, Sam Spade, that allows one to input an IP address and get the real location and/or ISP of the spammer/abuser.

Now, let's look at a newsgroup posting. We'll use the most recent spams Woodside has been flooding Usenet with as the example. You would normally see the following in a newsreader such as Agent if you tried to reply or forward the spam:

On Fri, 4 Jul 1997 02:49:09, hdt54@idt.net wrote:

>We are a New York based international literary agency with two branch offices, one of
>which is in Florida. We are seeking new and previously published authors, so please
>adhere to the following-- guidelines.
>All fiction: send brief synopsis, first chapter, and include a self addressed, stamped
>envelope (SASE).
>All nonfiction: brief synopsis, first chapter, SASE.
>Short-Stories: brief synopsis, 3 pages, SASE.
>Poetry: send 3 poems, SASE.
>Please do not send complete manuscript unless we ask for it.
>
>Send to: Woodside International Literary Agency<<
>=XX-XX XX Street<<<<<<<<
>=Woodside, New York<<<<<<<<
>=11377<<<<<<<
>=Phone (main office):
>=718--XXX-XXXX<<<<<<<
>

This leads the average Internet user to assume the spam came from IDT, and that is where they would send their complaint. But if they went to the OPTIONS pull-down menu in Agent and clicked on "Show Full Headers," the spam would now look like:

Date: Fri, 4 Jul 1997 02:49:09
From: hdt54@idt.net
Newsgroups: rec.arts.books.childrens
Subject: writers seeking publication
NNTP-Posting-Host: 129.37.113.108
Message-ID: <33bc9dd7.0@news1.ibm.net>
Lines: 20
Path: ix.netcom.com!enews.sgi.com!su-news-feed4.bbnplanet.com!su-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsm.ibm.net!ibm.net!news1.ibm.net!129.37.113.108
--------------------------------------------------------------------------------------------
We are a New York based international literary agency with two branch offices, one of
which is in Florida. We are seeking new and previously published authors, so please
adhere to the following-- guidelines.
All fiction: send brief synopsis, first chapter, and include a self addressed, stamped
envelope (SASE).
All nonfiction: brief synopsis, first chapter, SASE.
Short-Stories: brief synopsis, 3 pages, SASE.
Poetry: send 3 poems, SASE.
Please do not send complete manuscript unless we ask for it.

Send to: Woodside International Literary Agency>>
=XX-XX XX Street<<<<<<<<
=Woodside, New York<<<<<<<<
=11377<<<<<<<
=Phone (main office):
=718--XXX-XXXX<<<<<<

The full headers now show the real ISP where the spammer is coming from, IBM, as follows:

NNTP-Posting-Host: 129.37.113.108
Message-ID: <33bc9dd7.0@news1.ibm.net>

Again, the numbers listed after "NNTP-Posting-Host" can be popped into the above-mentioned web page and voilà! Like magic, the numbers translate into "slip129-37-113-108.pa.us.ibm.net" -- NOTE the "pa" in this translation. That means the spam was sent through the Pennsylvania arm of ibm.net.

A good rule of thumb when sending complaints to ISPs is to always send the complaint to the postmaster. For example, the above spam would be sent to postmaster@ibm.net. Most ISPs also have an abuse department, so you can probably send a complaint to them, too. Some even have a spam complaints department (such as InternetMCI). All you would do is replace the word postmaster with "abuse," "spamcomplaints" or whatever address you can find that is appropriate to send a complaint to. Going to an ISP's web site/page is also helpful, as they usually have a page devoted to their posting guidelines that will have an email address to send complaints to.
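
The two readings above (the bracketed IP in the Received line for email, NNTP-Posting-Host and the Message-ID host for Usenet) can be automated. The following is an added example, not part of the original page: the sample messages are constructed from the headers shown here, the opening of the Received line is a filler because the page's copy is cut off, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed from the two messages on this page. The page's Received line is
# cut off at the start, so "from placeholder.invalid (" is filler, not real data.
MAIL = """\
Received: from placeholder.invalid ([169.132.96.55]) by Mail.IDT.NET (8.8.4/8.7.3) with SMTP id VAA19099 for <hitchcocks@geocities.com>; Fri, 27 Dec 1996 21:39:19 -0500 (EST)
From: Jffonn@aol.com
Message-ID: <32C4C097.41FA@aol.com>

body
"""
NEWS = """\
From: hdt54@idt.net
NNTP-Posting-Host: 129.37.113.108
Message-ID: <33bc9dd7.0@news1.ibm.net>

body
"""

def base_domain(host):
    # Simplification: keep the last two labels (fine for .com/.net, wrong for co.uk).
    return ".".join(host.lower().split(".")[-2:])

def trace_origin(raw):
    msg = message_from_string(raw)
    claimed = base_domain(msg["From"].rsplit("@", 1)[1].strip(" >"))
    received = msg.get_all("Received") or []
    if received:
        # Topmost Received line: stamped by the server that accepted the mail.
        top = " ".join(received[0].split())
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
        by = re.search(r"\bby\s+([\w.-]+)", top)
        origin_ip, server = ip and ip.group(1), by and by.group(1)
    else:
        # Usenet: the page reads NNTP-Posting-Host and the Message-ID host.
        origin_ip = msg.get("NNTP-Posting-Host")
        mid = re.search(r"@([\w.-]+)>", msg.get("Message-ID", ""))
        server = mid and mid.group(1)
    actual = base_domain(server) if server else None
    return {
        "claimed": claimed, "origin_ip": origin_ip, "actual": actual,
        "from_mismatch": actual is not None and actual != claimed,
        "complain_to": [f"{box}@{actual}" for box in ("postmaster", "abuse")] if actual else [],
    }

if __name__ == "__main__":
    for sample in (MAIL, NEWS):
        print(trace_origin(sample))
```

The origin_ip value is what you would enter into a lookup page such as the one mentioned above; the script itself does no network lookups.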

Remember, where there is a will, there is a way. Don't let spammers and other online abusers get away with what they are doing! If you have any tips that you feel should be added here, some links, etc., please feel free to drop a line to Header Info.


Copyright © 1997-2014 WHOA. No reprints without permission. Please notify us of any problems you experience with this site.