It seems so simple, doesn't it? You compose an email message using your favorite client, send it, and in a few seconds or minutes it arrives at its destination. How on earth can this be complicated?

Behind the scenes, this is actually very complex. The entire path of a message as it was routed is kept attached to the message in a header. This allows you to precisely identify who a message is from, how it got to you, and who it was for. Spammers frequently change these fields to hide their identity.

Let's look at the following email header. You can get this in Outlook Express by typing CONTROL-ALT F3. In Outlook 2000, it's a small pane in the Options selection of the View menu.

    Return-path:
    Received: from mta2.snfc21.pbi.net (mta2-pr.snfc21.pbi.net)
        by sims2.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.07.30.00.05.p8)
        with ESMTP id <0FRI0011W960HX@sims2.snfc21.pbi.net>
        for toname@sims-ms-daemon; Thu, 16 Mar 2000 00:06:02 -0800 (PST)
    Received: from sclinux01.ustsvs.com ([254.63.77.126])
        by mta2.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
        with ESMTP id <0FRI00G8T951KP@mta2.snfc21.pbi.net>
        for toname@sims2.snfc21.pbi.net; Thu, 16 Mar 2000 00:05:25 -0800 (PST)
    Received: from tuvok (tuvok.setec.com [10.10.10.11])
        by sclinux01.ustsvs.com (8.8.7/8.8.7) with ESMTP id AAA28630
        for ; Thu, 16 Mar 2000 00:05:25 -0800
    Date: Thu, 16 Mar 2000 00:05:24 -0800
    From: Tom Anyone
    Subject: RE: What we talked about
    In-reply-to: <006991bf8f1d$6d17209a0$9a02e23f@toserver.net>
    X-Sender: usts-jc@linux.setec.com
    To: George Jungle
    Message-id: <4.2.2.20000316000419.00b5cd40@linux.setec.com>
    MIME-version: 1.0
    X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
    Content-type: text/plain; charset="us-ascii"; format=flowed
    References: <4.2.2.20000315152329.00a813d0@linux.setec.com>
    Status: RO

Here is the breakdown of what it all means. Not all of these fields appear in the message header shown above.
Apparently-to: Sometimes you will see this in a message with lots of recipients. It is an attempt to show who the primary recipient is. Most modern email list software shows the recipient as a list name and not a huge list of email addresses.

Bcc: Blind carbon copy. Indicates someone was copied but "blindly", meaning others are not supposed to know. This generally does not show up in legitimate email headers, because if it did, it wouldn't be blind. Spammers seem to use this field on occasion just to confuse people.

Cc: Carbon copy. Names of people to whom the message was also sent.

Comments: Added by some email programs and used by many spammers to add confusion.

Content-Transfer-Encoding: Used by MIME to determine how to interpret the contents of the message.

Content-type: Tells MIME-compliant clients how to handle the message contents.

Date: The date and time of the message.

From: Who sent the message.

In-reply-to: The message id of the message to which this message is a reply. Only appears on replies (of course).

Message-id: A string of text which identifies the message. This is generally assigned by the first server to receive the message. Spammers tend to put trash in this field.

MIME-version: The version of MIME being used.

Priority: String of text used to indicate priority. This is not used by the servers handling the message (it doesn't make the message get to you faster or slower). Rather, the intent is to display something to the receiver showing the importance. Often used by spammers to indicate high message priority.

Received: Indicates an email server that the message went through to get to the receiver. There is lots of information here, including the server identification, the date and time the message arrived, and so on.

References: A header primarily intended for Usenet postings. Shows message ids of other messages that this message refers to.

Return-path: The email address of the sender of the message.

Sender: More precisely identifies who sent a message. Obviously a spammer would put false information here.

Status:

Subject: The text subject of the message.

To: Email address to which the message is addressed.

X-Complaints-To: Email address to which complaints should be routed. Obviously a smart spammer would take this out or put garbage here.

X-Confirm-Reading-To: Requests automated response. Ignored by most email software, although it tends to be used by Outlook and Outlook Express.

X-Mailer: Free form field without much use.

X-Sender: Identifies the sender with more reliability than the From field.
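The route tracing that the Received field makes possible, as an added example that is not part of the original article: it rebuilds the hop order from the three Received lines in the sample header above and checks that each hand-off is consistent with the hop before it. The function names trace_route and check_chain are hypothetical, and a name mismatch is only a heuristic, since a server may legitimately announce a different name than the one the previous hop recorded.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received lines copied from the sample header on this page (folded for width).
SAMPLE = """\
Received: from mta2.snfc21.pbi.net (mta2-pr.snfc21.pbi.net)
 by sims2.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.07.30.00.05.p8)
 with ESMTP id <0FRI0011W960HX@sims2.snfc21.pbi.net>
 for toname@sims-ms-daemon; Thu, 16 Mar 2000 00:06:02 -0800 (PST)
Received: from sclinux01.ustsvs.com ([254.63.77.126])
 by mta2.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8)
 with ESMTP id <0FRI00G8T951KP@mta2.snfc21.pbi.net>
 for toname@sims2.snfc21.pbi.net; Thu, 16 Mar 2000 00:05:25 -0800 (PST)
Received: from tuvok (tuvok.setec.com [10.10.10.11])
 by sclinux01.ustsvs.com (8.8.7/8.8.7) with ESMTP id AAA28630
 for ; Thu, 16 Mar 2000 00:05:25 -0800
"""
# "from <announced name> (<what the receiver saw>) by <receiving server>"
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace_route(raw):
    """Return hops oldest-first; every server prepends its own Received line."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        stamp = value.rsplit(";", 1)[-1].strip()   # timestamp follows the last ';'
        m = HOP_RE.search(value)
        ip = IP_RE.search(m.group("info")) if m else None
        hops.append({
            "helo": m.group("helo") if m else None,  # name the sender announced
            "ip": ip.group(1) if ip else None,       # address the receiver logged
            "by": m.group("by") if m else None,      # server that wrote this line
            "when": parsedate_to_datetime(stamp),
        })
    return hops

def check_chain(hops):
    """Flag hand-offs that a forged or edited Received line tends to break."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        if cur["helo"] != prev["by"]:
            findings.append(f"{cur['by']}: sender announced {cur['helo']}, "
                            f"but the previous hop was written by {prev['by']}")
        if cur["when"] < prev["when"]:
            findings.append(f"{cur['by']}: timestamp is earlier than the previous hop")
    return findings
```

Only the Received lines written by servers you trust (normally the topmost ones, added by your own provider) can be relied on; anything below the first untrusted hop may have been supplied by the sender.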