E-mail forgeries are becoming more difficult to identify, but learning how to examine e-mail headers can help you separate the good from the bad. It's possible to identify forged e-mail by reading the e-mail headers.

E-mail headers, as a topic for Internet security, aren't as exciting as an exploit or the latest Internet worm. But learning how to quickly determine the authenticity of e-mail is important—especially if someone is abusing an open SMTP relay on your network.

I remember when forging e-mail was unthinkable. Now, I get so many forged e-mails that I hardly consider any subject to be valid unless I know the sender personally—with the exception of forged e-mails that claim to have come from my own e-mail account. There's nothing that can stop people from manipulating e-mail headers, and they're generally not verifiable unless you understand how to read them.

When you receive a letter via postal mail, it has a postmark. If e-mail followed the same logic, you'd be able to see where the message originated before you opened it. Encrypted e-mails are the exception to this rule, but the vast majority of e-mail travels as clear text.

While e-mail headers show the path the message took in reverse order (each server that handles the message adds its own Received: line at the top, so the most recent hop is listed first), this doesn't conclusively identify the e-mail as genuine and sourced from the specified sender. It's no surprise that thousands of e-mail plagues continue to eat bandwidth and infest the Internet.

Every e-mail program that I've seen can display message headers. How you view the headers depends on the program that you use.

To display e-mail headers in Microsoft Outlook, right-click a message, choose Options, and scroll through the Internet Headers section that's located at the bottom of the Options dialog box. For Outlook Express, right-click the e-mail, select Properties, and choose the Details tab. If you use a different e-mail program, the Help file should provide adequate instructions.

Here are the actual headers from a forged unsolicited commercial e-mail (UCE) that I received in one of my e-mail accounts. The only thing I've altered is my actual e-mail account to somebody@someplace.com:

From collegebabe@aol.com Mon Mar 27 16:54:12 2006
Return-Path: collegebabe@aol.com
Received: from trademeca.co.kr (unknown [211.219.20.86])
    by mail.someplace.com (Postfix) with SMTP id 2304964253A
    for ; Mon, 27 Mar 2006 16:54:10 -0500 (EST)
Received: from smtp0422.mail.yahoo.com (80.237.200.67)
    by trademeca.co.kr (211.219.20.86) with [Nmail V3.1 20010905(S)]
    for from ;
    Thu, 23 Mar 2006 15:55:00 +0900
Date: Thu, 23 Mar 2006 11:34:52 GMT
From: "Prendawen" collegebabe@aol.com
Subject: Hey buddie! What's going on?

The Received: headers tell the real story of this poor forgery, but you have to examine several of these to truly understand the details. This particular e-mail is identifiable because it doesn't make any sense for a person with an AOL account to use one of Yahoo's e-mail servers to relay e-mail through a server in the .kr top-level domain, which is Korea.

Furthermore, a DNS lookup failed to find smtp0422.mail.yahoo.com, so that host name doesn't exist. Even if it did, the IP address 80.237.200.67 belongs to a network in Germany, which I discovered by checking the online American Registry for Internet Numbers (ARIN) database. So don't waste your time sending a nasty reply, because chances are that collegebabe@aol.com didn't have anything to do with it.

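As an added illustration (not part of the original article), the Python script below automates the reading described above: it parses the Received: chain of a raw message, lists the hops oldest-first (the reverse of header order), and applies the same consistency checks the analysis makes by hand: whether each relay names as "from" the host the previous relay said it was received "by", whether the receiving server could reverse-resolve the connecting IP (the "unknown" in the first Received: line), whether the timestamps between hops and in the Date: header are plausible, and whether the sender's domain has anything to do with the first relay. Both sample messages are constructed: the forged one mirrors the headers quoted above with the article's own somebody@someplace.com placeholder as recipient, and the clean one uses RFC 5737 documentation addresses. The DNS and WHOIS lookups the article used to expose the nonexistent Yahoo host and the German IP are deliberately left out so the script runs offline.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample mirroring the forged UCE headers quoted in the article.
# The recipient is the article's own placeholder, somebody@someplace.com.
FORGED = """\
Received: from trademeca.co.kr (unknown [211.219.20.86])
    by mail.someplace.com (Postfix) with SMTP id 2304964253A
    for <somebody@someplace.com>; Mon, 27 Mar 2006 16:54:10 -0500 (EST)
Received: from smtp0422.mail.yahoo.com (80.237.200.67)
    by trademeca.co.kr (211.219.20.86) with [Nmail V3.1 20010905(S)]
    for <somebody@someplace.com> from <collegebabe@aol.com>;
    Thu, 23 Mar 2006 15:55:00 +0900
Date: Thu, 23 Mar 2006 11:34:52 GMT
From: "Prendawen" <collegebabe@aol.com>
Subject: Hey buddie! What's going on?

(body omitted)
"""

# Constructed clean sample (RFC 5737 documentation addresses) for contrast.
CLEAN = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mail.someplace.com (Postfix) with ESMTP id 0A1B2C3D4E
    for <somebody@someplace.com>; Mon, 27 Mar 2006 10:00:05 -0500 (EST)
Received: from client.example.net (client.example.net [192.0.2.20])
    by mx1.example.net (Postfix) with ESMTP id 5F6A7B8C9D
    for <somebody@someplace.com>; Mon, 27 Mar 2006 09:59:50 -0500 (EST)
Date: Mon, 27 Mar 2006 09:59:40 -0500
From: "Alice" <alice@example.net>
Subject: Lunch?

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <host the sender claimed> (<what the receiver actually saw>) ... by <receiver>"
HOP = re.compile(r"from\s+(\S+)\s*(\([^)]*\))?.*?\bby\s+(\S+)")


def _aware(dt):
    """Treat a naive timestamp as UTC so hop times can be compared."""
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_hops(raw):
    """Return the Received: hops oldest-first (the reverse of header order)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        claimed, seen, by_host = m.group(1), m.group(2) or "", m.group(3)
        ip = IPV4.search(seen)
        when = None
        if ";" in flat:                          # the timestamp follows the last ';'
            try:
                when = _aware(parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()))
            except (TypeError, ValueError):
                when = None
        hops.append({"claimed": claimed, "ip": ip.group(1) if ip else None,
                     "rdns_unknown": "unknown" in seen, "by": by_host, "when": when})
    return hops


def find_anomalies(raw, max_hop_delay=timedelta(hours=24)):
    """Apply the article's by-hand checks to a raw message; return a list of findings."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    findings = []
    for i, hop in enumerate(hops):
        tag = f"hop {i + 1} ({hop['claimed']} -> {hop['by']})"
        if hop["rdns_unknown"]:
            findings.append(f"{tag}: receiver found no reverse DNS for {hop['ip']}")
        if i == 0:
            continue
        prev = hops[i - 1]
        # Each relay should name, as 'from', the host the previous relay was 'by'.
        if prev["by"].lower() != hop["claimed"].lower():
            findings.append(f"{tag}: previous hop was received by {prev['by']}, "
                            f"not by {hop['claimed']}")
        if prev["when"] and hop["when"]:
            gap = hop["when"] - prev["when"]
            if gap < timedelta(0):
                findings.append(f"{tag}: timestamp earlier than the previous hop")
            elif gap > max_hop_delay:
                findings.append(f"{tag}: {gap} elapsed between hops")
    if hops and hops[0]["when"] and msg.get("Date"):
        # A message cannot have been relayed before it was written.
        if _aware(parsedate_to_datetime(msg["Date"])) > hops[0]["when"]:
            findings.append("Date: header is later than the earliest Received: timestamp")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if hops and sender_domain:
        first = hops[0]["claimed"].lower()
        # Weak signal on its own: the first relay is not under the sender's domain.
        if first != sender_domain and not first.endswith("." + sender_domain):
            findings.append(f"From: claims {sender_domain} but the first relay is {first}")
    return findings


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("clean", CLEAN)):
        print(f"{name}: {find_anomalies(raw) or ['no anomalies']}")
```

Run against the forged sample the script reports four findings: the missing reverse DNS for 211.219.20.86, a gap of more than four days between the two hops, a Date: header later than the first relay's timestamp, and an aol.com sender whose first relay is a yahoo.com host; the clean sample produces none. None of these checks is proof by itself (the 24-hour hop threshold is an arbitrary default, and plenty of legitimate mail is sent through a third party's relay), which is why the article's advice to read several headers together still applies.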
If it's so important to view e-mail headers, why don't all commercial e-mail programs display them by default? That's a good question, but I don't have the answer. In today's UCE-infested inboxes, companies should automatically display e-mail headers with the message. Despite the numerous e-mail filtering tools that are available, it's impossible to filter e-mail perfectly—unless you have the in-depth header information.

Since forgeries are becoming more difficult to identify, gain experience examining e-mail headers so you can differentiate the good from the bad. This knowledge will help you report junk e-mails to ISPs or reporting agencies that track junk e-mailers.

For example, Julian Haight's SpamCop service scans e-mail headers and identifies forged e-mail, plus it tells the ISP where the message originated. SpamCop's output will, at the very least, give you a better understanding of how to read e-mail headers.

All mail passing through any of Eqwebs Ltd's mail servers is scanned for inclusion in the SpamCop block list (and several other block lists), and in this way we automatically stop about 75% of all spam e-mails before they reach our clients, but this still leaves about 25% getting through.