
How to display the headers of spam/scam emails, for reporting or tracing the source.

Everybody who has an email account is plagued by the spam and scam epidemic that is polluting inboxes. Most people simply resort to hitting Delete over and over again. Others, like yours truly, do something about it. I report all spam that gets through my defenses to SpamCop, where I have a Reporting Member account. I also use an email screening program that automatically deletes most spam, which I will talk about later in this article.

The SpamCop reporting system requires you to be able to display, copy and paste the complete message source, including the normally hidden headers. Displaying an email's source code is what this article is about. Even if you are not a SpamCop reporting member, learning how to read the headers will allow you to trace the origin of scam emails (links in extended comments) from financial fraud artists in countries like Nigeria, and to file complaints with the Internet Service Providers that provide the connections to the scammers or spammers.

I am frequently asked "how do I display email headers and source code?" The methods vary with the email client (program), but every one I have seen will offer some means of displaying the full incoming headers. The following sections cover Microsoft Outlook and Outlook Express, Hotmail and Yahoo! browser-based email.

MS Outlook
Double click the message to open it in its own window. Then click View-Options and you can view the data in the "Internet headers" pane. You can copy that data and paste it into another email or SpamCop report.

Outlook Express
If the message is not open, right-click on the message in your Inbox and select Properties > Details > Message Source (button).

If the message is already open, simply press Control and F3 (together) and the "Message Source" window will appear. Once the source code is displayed in the resizable window you can copy it and paste it into a report.

If you are using browser-based Hotmail, log in and go to "Options." At the Options page click the link labeled "Mail Display Settings" and find the section "Message Headers." Put the dot in the option "Full." Click on "OK" at the bottom to save your changes. Now, when you get a scam email and Forward it, the recipient can read the full headers.

You can reveal the complete source code of any email in Hotmail by opening the message and looking for the blue link labeled "View E-mail Message Source," just above the white email message body. The source will open in a new browser window, and can be copied and pasted.

If you use Yahoo! email, log in and click on "Mail Options." When the options page loads, locate the section labeled Personalization and click on the link labeled "General Preferences." On the "General Preferences" page scroll to "Messages" and put the dot in the radio choice labeled "Show ALL Headers."

To forward the headers with an email scam or spam, scroll down farther to "Message Actions" and find "Forwarding Messages." Select the radio choice to "Forward as Inline Text." Click the "Save" button at the bottom. After this all you have to do is Forward any scam emails and the full headers will be at the top of the message.

With the source code copied to the Windows Clipboard you can paste it into the report text field in your SpamCop member's reporting page, or paste it into an email that you will send to an authority who can deal with tracing or reporting it, or you can paste it into a new Notepad document and save it for your own analysis.

Copying and Pasting 101
Once you have displayed the source code you will need to copy and paste it into an email or spam report. If you don't already know your Windows keyboard shortcuts for these actions they are as follows:
1: Click anywhere inside the message area and then press Control and A to Select All the text.
2: With all the text highlighted press Control and C to copy it to the "Clipboard."
3: Next, go to the email or form field into which you want to paste the source code and click once inside that area, then press Control and V and it will be pasted into that field.

Forwarding Emails As An Attachment
Sometimes a recipient of an attempted email scam will be asked to forward the scam to an authority for analysis. The email should be forwarded as an attachment to preserve the headers and MIME type details that are stripped out by standard forwarding. Just about every common desktop email client has an option to do this, but a lot of browser-based email systems have no such function. ;-(

Outlook Express has a simple means of forwarding as an attachment. If the email is not open, right-click on it in your Inbox and select "Forward As Attachment." Address it to the recipient, type a subject and send it. If the message is already open, go to the menu item "Message" and select "Forward As Attachment."

Yahoo browser email has an option to Forward As Attachment when you are reading an email. Enable it by going to your Email Options > General Preferences > Message Actions > Forwarding Messages and selecting "Forward as an attachment." When you want to forward a message this option will now be available via the down arrow on the right side of the Forward button.

If your browser-based email does not provide an option to forward as an attachment (like free Hotmail), set it to display the full or advanced headers, then forward it inline, so all the headers will be sent with the message.

Tracing the origin of an email
If you want to trace the origin of spam and scam messages you will need to study the headers for IP addresses (in Received From or Originating IP details), then do Whois lookups on them until you find the likely source of the message. For this you will need tools. I recommend DNS Stuff, or Sam Spade. Both of these network lookup websites provide you with a choice of input fields where you can perform lookups of the registered owners of the IP addresses in question. You may have to try several IP addresses until you find the originating IP. Sometimes you will reach a dead-end with AOL or Yahoo as the only traceable source IP, but more often you will find that it came from a country known to harbor Internet Fraud artists or Nigerian 419 scammers. Or, it may be spam that traces to China, Korea, Japan, or Russia. Usually the final IP in the Received From: lists will reveal the sender's location.

With DNSStuff you can click a link in the results to reveal the abuse email addresses. You would then forward the scam or spam to the ISP, to the listed abuse recipient. You will have just LARTed the asshole that sent the spam/scam. LART means Loser Attitude ReadjusTment.
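As an added example (not part of the original article), this Python script pulls the IP addresses out of a saved message source in hop order, so you know which ones to paste into a Whois lookup. The sample headers are constructed and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers; addresses are from documentation ranges.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby inbox.example.org with ESMTP id A1; Mon, 1 Jan 2007 10:00:03 +0000\n"
    "Received: from relay.example.com (unknown [203.0.113.45])\n"
    "\tby mx.example.net with SMTP id B2; Mon, 1 Jan 2007 10:00:01 +0000\n"
    "Received: from [192.168.1.20] (helo=pc)\n"
    "\tby relay.example.com with SMTP id C3; Mon, 1 Jan 2007 10:00:00 +0000\n"
    "X-Originating-IP: [203.0.113.45]\n"
    "From: \"Prize Office\" <claims@example.com>\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Private, loopback and link-local ranges: a Whois lookup on these tells you nothing.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def _valid_ips(text):
    """Yield bracketed IPv4 addresses in text, skipping malformed ones like [999.1.1.1]."""
    for candidate in IP_RE.findall(text):
        try:
            yield str(ipaddress.ip_address(candidate))
        except ValueError:
            continue

def hop_ips(raw):
    """IPs from the 'from' part of each Received header, earliest hop first."""
    received = message_from_string(raw).get_all("Received") or []
    hops = []
    # Each server prepends its own line, so the bottom line is the earliest hop.
    # Lines below the first server you trust can be forged by the sender.
    for header in reversed(received):
        from_part = re.split(r"\sby\s", header, maxsplit=1)[0]
        hops.extend(_valid_ips(from_part))
    return hops

def whois_candidates(raw):
    """Public IPs worth a Whois lookup, earliest first, duplicates removed."""
    msg = message_from_string(raw)
    found = hop_ips(raw) + list(_valid_ips(msg.get("X-Originating-IP", "")))
    return [ip for ip in dict.fromkeys(found)
            if not any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)]

if __name__ == "__main__":
    print(whois_candidates(SAMPLE))
```

Save the copied message source to a text file, read it into a string and pass it to `whois_candidates()` in place of `SAMPLE`.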

Mailwasher Pro - An Email Spam Screening Solution
If you use Outlook Express and are getting a lot of spam emails and have outgrown the hopelessly simplistic rules available in that email client, there is a better solution available. Mailwasher Pro to the rescue! Mailwasher Pro (MWP) is a front-end spam filtering program that works with any real email client (not browser-based). I use it every day, all day long, to screen incoming email from 24 POP3 accounts. MWP intercepts all of your incoming POP3 email accounts, if you configure it to do so, then compares each piece to a set of user-defined rules, blacklists, blocklists, a database of known spam, and its built-in Bayesian Learning Filter.

You can set up Mailwasher to flag suspected spam for manual deletion and blacklisting of the sender, or let it happen automatically. If you make a mistake there is a recycle bin that lets you restore that email. The program does require a fair amount of user know-how, and has a slightly advanced learning curve, but once you understand it you won't go a day without it. It will definitely make a big dent in the amount of spam that gets delivered to your Inbox! There is a Mailwasher forum at CastleCops.com, where users can ask others for assistance. I happen to know that the Mailwasher programmers hang out in those forums.

You can learn all about this awesome product on my Mailwasher Pro page. It also has a link to a copy of my own custom Mailwasher filter rules, which can be used by anybody to reduce the amount of spam that gets through the default filters.

