The Network Violations Team can assist you with information on how to prevent Internet abuse and network violations. If you have received unsolicited e-mail (e.g. spam) or feel you have been the victim of Internet abuse, call the Network Violations Team toll free at 1.866.285.6208.

The Network Violations Team will be able to further assist with your complaint if you can provide more detailed information about the source of the email or newsgroup post. How to find that information is described below.

  • Description of email headers
  • Description of newsgroup headers

Description of Email Headers

An email header is a section of an email message, usually hidden by most email programs, that contains detailed information about the origin of the message. This section describes the contents of email headers and how to use them to determine where the email originated. Each mail server the message passes through adds a 'Received' line recording where it got the message from (the name the sending machine announced and, in square brackets, the IP address of the connection as the receiving server saw it), the name of the server adding the line, and the date and time it handled the message. There can be one Received line or there can be many; each server places its line above the existing ones, so the newest is always on top and the bottom-most line was added by the first server to handle the message. That bottom line will normally show the origin, but a sender can type fake Received lines into a message before sending it, and those appear below the genuine ones, so read from the top down and trust a line only as far as you trust the server that added it. Take a look at the sample header below:

Return-Path:
Received: from mail4.sample.net
     (mail4.sample.net )
     by morse.concentric.net
     (8.8.7/(97/09/12 5.12))
     id IAA10673; 
     Tue, 4 Nov 1997 08:15:37 -0500 (EST)
Errors-To:
Received: from mail.test.com
     (mail.test.com [200.238.107.3])
     by mail4.sample.net
     (8.8.5/8.8.5) with SMTP id IAA21240
     for ; 
     Tue, 4 Nov 1997 08:15:35 -0500 (EST)
Message-Id: <9711048786.AA878649490@mail.test.com>
X-Mailer: ccMail Link to SMTP R6.00.02
Date: Tue, 04 Nov 97 07:18:09 -0600
From: "Administrator"
To:
Subject: NVAM
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit


The second Received line, the one added by mail4.sample.net, indicates that the email was received from (mail.test.com [200.238.107.3]) on Tue, 4 Nov 1997 08:15:35 -0500 (EST); the line above it only records mail4.sample.net handing the message on to morse.concentric.net, so it tells you nothing about the sender. Check the origin line against forgeries by doing an NSLOOKUP on the IP address. From the UNIX shell you would type:

nslookup 200.238.107.3

And get the following response (Note: the domains and IP addresses used in this document are false, so you won't really get the following response):

Name: mail.test.com
Address: 200.238.107.3

The name returned should match the host name in the parentheses. For a careful check, also look up that name and confirm it resolves back to the same address: whoever controls the reverse DNS for an address block can make it say whatever they like, so a reverse lookup alone proves little. If the names do not match, the host name in that line was announced falsely by the sending machine and should not be trusted. The IP address in the square brackets is recorded by the receiving server from the actual connection, so the sender cannot fake it, and it will point back to the network the message really came from (for a Received line written by a server you trust; a Received line the sender typed in can say anything at all). Once you know where the e-mail came from you can file a complaint with the postmaster of that domain (postmaster@test.com). In the complaint you will need to include the full header information, so the sender can be tracked down.
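The Received-line analysis described above, as an added example that is not part of the original page: it parses a header block, walks the Received lines from the top, believes each line only while the server that wrote it is one of ours, and then checks the origin hop with the reverse-and-forward DNS comparison. The sample header is constructed for the example (modelled on the page's sample, with the bracketed IP addresses restored and a sender-typed fake Received line at the bottom), the trusted-server set and the DNS answer tables are hypothetical, and the DNS tables stand in for nslookup so the example runs offline.

```python
import email
import re
import socket

# Constructed sample, modelled on the page's header with the bracketed IP
# addresses restored; every host name and address here is hypothetical, and
# the bottom-most Received line was typed in by the sender to look like a
# genuine relay hop.
SAMPLE_HEADERS = """\
Return-Path: <administrator@test.com>
Received: from mail4.sample.net (mail4.sample.net [192.0.2.44])
     by morse.concentric.net (8.8.7/(97/09/12 5.12))
     id IAA10673; Tue, 4 Nov 1997 08:15:37 -0500 (EST)
Received: from mail.test.com (mail.test.com [200.238.107.3])
     by mail4.sample.net (8.8.5/8.8.5) with SMTP id IAA21240
     for <victim@sample.net>; Tue, 4 Nov 1997 08:15:35 -0500 (EST)
Received: from innocent-relay.example (innocent-relay.example [203.0.113.9])
     by mail.test.com (8.8.5/8.8.5) id AAA00001;
     Tue, 4 Nov 1997 07:10:00 -0600
Message-Id: <9711048786.AA878649490@mail.test.com>
From: "Administrator" <administrator@test.com>
To: victim@sample.net
Subject: NVAM
"""

# Servers whose Received lines we believe: our own mail hosts (hypothetical).
TRUSTED_RELAYS = {"morse.concentric.net", "mail4.sample.net"}

# Constructed stand-in for DNS so the example runs offline: reverse (PTR) and
# forward (A) answers. Use live_lookup() below for a real reverse lookup.
CONSTRUCTED_PTR = {"200.238.107.3": "mail.test.com", "192.0.2.44": "mail4.sample.net"}
CONSTRUCTED_A = {"mail.test.com": "200.238.107.3", "mail4.sample.net": "192.0.2.44"}

# sendmail-style "from HELO (rdns [ip]) by SERVER ... ; date"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>[^\s;]+)"
    r"(?:.*?;\s*(?P<date>.+))?$"
)

def parse_received(value):
    """Flatten a folded Received header and pull out the fields we care about."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None

def received_hops(raw_headers):
    """All parseable Received lines, newest first (the order they appear in)."""
    msg = email.message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in hops if h]

def find_origin(hops, trusted_by=TRUSTED_RELAYS):
    """Walk from the top and believe a line only while the server that wrote
    it ('by') is one we trust. The 'from' side of the last believed line is
    the real origin; anything below it may have been typed in by the sender."""
    origin = None
    for hop in hops:
        if hop["by"].lower() not in trusted_by:
            break
        origin = hop
    return origin

def check_hop(hop, ptr=CONSTRUCTED_PTR, a=CONSTRUCTED_A):
    """Does reverse DNS for the connecting IP agree with the announced name,
    and does that name resolve back to the same IP (forward-confirmed rDNS)?"""
    name = ptr.get(hop["ip"])
    return {
        "ip": hop["ip"],
        "ptr": name,
        "helo_matches_ptr": name is not None and name.lower() == hop["helo"].lower(),
        "forward_confirmed": name is not None and a.get(name) == hop["ip"],
    }

def live_lookup(ip):
    """Real nslookup-style reverse lookup; returns None if there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADERS)
    print("naive 'bottom line' origin:", hops[-1]["ip"])  # the sender-typed hop
    origin = find_origin(hops)
    print("origin from trusted chain: ", origin["ip"], check_hop(origin))
```

Reading the bottom Received line blindly would blame 203.0.113.9, an address that appears only in the line the sender typed; walking down from our own servers stops at the line mail4.sample.net wrote and correctly identifies 200.238.107.3. When you run this against a real message, pass `live_lookup(ip)` results in place of the constructed tables.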

Description of Newsgroup Headers

A newsgroup header is the section of a newsgroup post that contains detailed information about the origin of the message. This section describes the contents of newsgroup headers and how to use them to determine where the post originated. Usenet or newsgroup headers are the easiest type of header to understand, but also the easiest to forge: lines such as From and Organization are simply typed in by the poster. Only three lines are very difficult to forge, because they are written by the news servers rather than by the poster: Path, Date, and NNTP-Posting-Host. The sample header below will help identify what to look for in a newsgroup header.

Path: news!global-news-master
From: abuse@xo.com
Newsgroups: XO.test
Subject: test
Date: Tue, 27 Jan 1998 16:27:10 GMT
Organization: XO Internet Services
Lines: 1
Message-ID: <34cd7e34.19687615@news.concentric.net>
NNTP-Posting-Host: ts008d15.phm-pa.concentric.net
X-Newsreader: Forte Free Agent 1.11/32.235
Xref: news XO.test:2248

The Path line is very similar to the 'Received' lines in e-mail headers, and shows what path the article took to reach you. Each server that relays the article adds its own name to the left-hand end, separated by '!', so the leftmost entry is the server that delivered the article to you and entries further right are earlier hops. This makes the line very difficult to forge, at least for the part written by servers you trust: entries to the right of the last server you recognise could have been supplied by the poster and prove nothing. The Date line is inserted by the posting server, and is not always 100% accurate due to the lag associated with Usenet propagation. This is usually not too much of a problem, since there are usually other clues within the message that point to the account that posted it.

The final reliable line is NNTP-Posting-Host, which is placed into the header by the server that accepted the post and records the machine the poster connected from. With this information we can determine that the sample message originated from ts008d15.phm-pa.concentric.net, an XO dial-up login.
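The Path and NNTP-Posting-Host reading described in the two paragraphs above, as an added example that is not part of the original page: it splits Path into hops, walks them from the left while they name servers we operate, treats everything beyond that as poster-supplied, and believes NNTP-Posting-Host only when the article entered Usenet through one of our servers. The sample article is constructed for the example (modelled on the page's sample; the third Path entry, bogus-origin.example, is hypothetical and stands for text a poster could pre-seed), and the trusted-server set is hypothetical.

```python
import email

# Constructed sample article modelled on the page's example. The third Path
# entry is hypothetical and stands for text the poster supplied; it is not
# on the original page.
SAMPLE_ARTICLE = """\
Path: news!global-news-master!bogus-origin.example
From: abuse@xo.com
Newsgroups: XO.test
Subject: test
Date: Tue, 27 Jan 1998 16:27:10 GMT
Organization: XO Internet Services
Lines: 1
Message-ID: <34cd7e34.19687615@news.concentric.net>
NNTP-Posting-Host: ts008d15.phm-pa.concentric.net
X-Newsreader: Forte Free Agent 1.11/32.235

test
"""

# News servers we operate (hypothetical); Path entries they add are believed.
TRUSTED_SERVERS = {"news", "global-news-master"}

def path_hops(article):
    """Path entries as listed: leftmost is the server that handed the article
    to you, each relay having prepended its own name with a '!' separator."""
    path = email.message_from_string(article).get("Path", "")
    return [p.strip() for p in path.split("!") if p.strip()]

def split_at_trust_boundary(hops, trusted=TRUSTED_SERVERS):
    """Walk Path left to right while entries name servers we trust.
    Everything to the right of the last trusted server could have been
    pre-seeded by the poster and is not evidence of anything."""
    believed = []
    for hop in hops:
        if hop not in trusted:
            break
        believed.append(hop)
    return believed, hops[len(believed):]

def origin_report(article, trusted=TRUSTED_SERVERS):
    """Summarise what the server-written lines do and do not establish."""
    msg = email.message_from_string(article)
    believed, unverified = split_at_trust_boundary(path_hops(article), trusted)
    posting_host = msg.get("NNTP-Posting-Host")
    return {
        # Rightmost believed entry: where the article entered servers we run.
        "entry_server": believed[-1] if believed else None,
        "unverified_tail": unverified,
        "posting_host": posting_host,
        # NNTP-Posting-Host is only as good as the server that wrote it, so it
        # counts only when the article entered through one of our servers.
        "posting_host_trusted": bool(believed) and posting_host is not None,
        "date": msg.get("Date"),
    }

if __name__ == "__main__":
    for key, value in origin_report(SAMPLE_ARTICLE).items():
        print(f"{key}: {value}")
```

For the sample, the believed part of Path ends at global-news-master, bogus-origin.example is reported as an unverified tail, and NNTP-Posting-Host is accepted because global-news-master, one of our servers, wrote it; had the article arrived from a foreign feed, the posting host would be reported but flagged as untrusted.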