Help dissecting email headers!

GadgetLover

Senior Member & Tech Guru
A few of us are trying to figure out what this portion of an email header is. Can it be used to trace an email, or is it simply something that states what server received/sent the email (as opposed to the actual individual(s) who sent/received the email)? Depending on the particular ISP, the line would read something like:

"Received: from surferdude (AUTH login) at lsantx4-ar2-227-3811.isp.dsl.net (HELO ?10.2.0.0?)" or something like that. I forget the exact letters and numbers but the gist is the same. Trying to learn what this generally means.

Any clue?
 
Originally posted by GadgetLover
...
"Received: from surferdude (AUTH login) at lsantx4-ar2-227-3811.isp.dsl.net (HELO ?10.2.0.0?)" or something like that. I forget the exact letters and numbers but the gist is the same. Trying to learn what this generally means.

Any clue?

Some mail servers are set up to attempt to talk back to an ident server on the originating host (this can be a cause of slow mail delivery if the originator has that port silently blocked); on most occasions, this will fail. In this particular case, it would appear lsantx4-ar2-227-3811.isp.dsl.net has an accessible identd, which identified the sender as surferdude. Now, of course, identd could be lying, as that process is under the control of the "from" server.

If there's also a "HELO whatever" string in there, that's what the originating mail server sent as its idea of its own name. Considering your example (if slightly mistyped), it's probably the machine's internal IP or something.

Most of the time, received headers will look something like
Code:
Received: from originator.domain.com (originator.domain.com [1.2.3.4])
        by destination.domain.com (Postfix) with ESMTP id 22F7127150
        for <user@domain.com>; Mon, 18 Mar 2002 02:00:13 -0700 (MST)

This is an example of a server which doesn't attempt an identd connection back; it just logs the from (originator) and itself (destination). These should always allow you to trace back a message at least to a server, but usually not a user.
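As an added example (not code from the original thread), here is a small Python parser for the two Received: formats discussed above. The sample headers are constructed for this example using the host names and IP from the post, not taken from any real message. The parser separates what the receiving server itself observed (the bracketed IP, the ident answer) from what the sending side merely claimed (the HELO name), and walks the header chain only as far as servers you trust, since every header below the first one written by an untrusted server could have been forged by the sender. The trusted server list is an assumption you supply.

```python
import re

# Constructed sample headers (hypothetical; hosts/IP borrowed from the post).
# Listed as they appear in a message: newest hop first, the hop nearest the
# sender last. The second one uses the "(AUTH login) at host (HELO ...)" form
# produced by a server that queried identd on the connecting host.
SAMPLE_HEADERS = [
    "Received: from originator.domain.com (originator.domain.com [1.2.3.4])\n"
    "        by destination.domain.com (Postfix) with ESMTP id 22F7127150\n"
    "        for <user@domain.com>; Mon, 18 Mar 2002 02:00:13 -0700 (MST)",
    "Received: from surferdude (AUTH login) at lsantx4-ar2-227-3811.isp.dsl.net"
    " (HELO ?10.2.0.0?)\n"
    "        by originator.domain.com with SMTP; Mon, 18 Mar 2002 01:59:58 -0700",
]

IDENT_RE = re.compile(r"\bfrom\s+(\S+)\s+\(AUTH\s+[^)]*\)\s+at\s+(\S+)")
FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?")
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
HELO_RE = re.compile(r"\(HELO\s+([^)]*)\)")
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+(\S+)")
ID_RE = re.compile(r"\bid\s+(\S+)")
FOR_RE = re.compile(r"\bfor\s+<?([^>\s;]+)>?")


def parse_received(header):
    """Parse one Received: header into claimed vs. observed fields."""
    # Unfold continuation lines and drop the field name.
    text = " ".join(line.strip() for line in header.splitlines())
    if text.lower().startswith("received:"):
        text = text[len("received:"):].strip()
    body, sep, date = text.rpartition(";")
    if not sep:
        body, date = text, ""
    hop = {"helo": None, "ident_user": None, "observed_host": None,
           "observed_ip": None, "by": None, "with": None, "id": None,
           "for": None, "date": date.strip() or None}

    m = IDENT_RE.search(body)
    if m:
        # Receiver asked identd on the connecting host; both answers come
        # from software the sender controls, so treat them as claims.
        hop["ident_user"], hop["observed_host"] = m.group(1), m.group(2)
    else:
        m = FROM_RE.search(body)
        if m:
            hop["helo"] = m.group(1)          # name the sender announced
            paren = m.group(2) or ""          # receiver's own observation
            ipm = IP_RE.search(paren)
            if ipm:
                hop["observed_ip"] = ipm.group(1)
            name = IP_RE.sub("", paren).strip()
            hop["observed_host"] = name or None  # Postfix writes "unknown" if no rDNS

    m = HELO_RE.search(body)
    if m:
        hop["helo"] = m.group(1)
    for key, rx in (("by", BY_RE), ("with", WITH_RE), ("id", ID_RE), ("for", FOR_RE)):
        m = rx.search(body)
        if m:
            hop[key] = m.group(1)
    return hop


def trace_chain(headers):
    """Hops in transmission order: headers are prepended at each hop, so the
    last header in the message is the earliest hop."""
    return [parse_received(h) for h in reversed(headers)]


def verifiable_origin(headers, trusted_by):
    """Walk top-down and stop at the first header not written by a server in
    trusted_by. Return the address that the last trusted server observed on
    its own socket: the furthest point you can actually vouch for."""
    last = None
    for h in headers:
        hop = parse_received(h)
        if hop["by"] not in trusted_by:
            break
        last = hop
    if last is None:
        return None
    return last["observed_ip"] or last["observed_host"]


if __name__ == "__main__":
    for i, hop in enumerate(trace_chain(SAMPLE_HEADERS), 1):
        print(f"hop {i}: {hop}")
    print("verifiable origin:", verifiable_origin(SAMPLE_HEADERS, {"destination.domain.com"}))
```

On the sample, the only fact a trusted server observed directly is the IP 1.2.3.4 behind the first header; the ident name "surferdude" and the HELO "?10.2.0.0?" come from the lower, untrusted hop and are claims only.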
 