From the Help Desk ... how to show the full header of an e-mail for spam reporting

Introduction

When you receive a strange spam e-mail, or one with a virus attached, from an unknown source, you will want to know where it really came from. This information can be readily revealed from the full header of the e-mail message. The full header tells you about the origin of the e-mail and the path of all the servers en route that relayed it to your e-mail server.

The Computer Centre has implemented a system for you to report spam e-mail to spam-report@hku.hk. In reporting spam, you should ALWAYS include the "full header" of the spam e-mail in the spam report. Without the full header, we at the Computer Centre and the people at SpamCop cannot do anything for you. This article tells you the steps for showing the full header and explains how to interpret the information shown in it.

How do I get my e-mail program to reveal the full header?

Each e-mail program has a different procedure for revealing the full header of an e-mail. The SpamCop organisation has prepared a web page with instructions for revealing the full header in the most commonly used e-mail programs. The procedures are listed at http://spamcop.net/fom-serve/cache/19.html. For the Outlook and Outlook Express e-mail programs, click "Microsoft Products".

If you cannot find the name of your e-mail program in the list provided by SpamCop and you don't know how to reveal the full header, consult the "Help" facility in the top menu of your e-mail program and search the help manual with the keyword "header" or "full header".

What information is contained in a full header?

Sample #1 is the full header of a spam mail from the Internet. Notice the lines marked in red. This is the most important part of the header, and it is called a RECEIVED line. Some e-mail messages have only one received line; some have more than one. Every time the e-mail is "relayed" from one server to another on the Internet, one more received line is added. The received lines can be used to track the e-mail back along its path to the origin. All the other information in the header can be faked or forged, especially by the latest computer viruses, which contain their own SMTP engine and send out virus-laden e-mail independently using a random e-mail address. The received line always contains some truth and is what we are currently interested in. The received line in sample #1 shows that the mail was sent from the IP address (67.33.105.213) directly to the server "hkucc.hku.hk". The return-path usually contains the sender's e-mail address, which here is <makemoney@quick.com>, but this could be faked.

Sample #2 is the full header of an e-mail from the Computer Centre's bulk e-mail delivery system. Reading from the first received line, it shows that this mail was sent from the server "intranet.hku.hk" to the server "hkusua.hku.hk". The second received line shows that the mail was sent locally within the server "intranet.hku.hk". The third received line says that this mail was received by the program "bulk_mailer v1.5" on the server "intranet.hku.hk". In fact, this mail was sent from the Departmental Notice Bulk E-mail Delivery System running on "intranet.hku.hk". The person who requested that this e-mail be sent was <chaumabc@cc.hku.hk>, as shown in the "From" line.

If you are not sure of the origin of an e-mail, you can get help by sending the full header of the mail to ithelp@hku.hk.
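
The reading of the received lines described for samples #1 and #2, as an added Python example that is not part of the original article. The two headers are constructed (layout, dates and the 192.0.2.10 address are made up; the host names, 67.33.105.213 and the e-mail addresses are the ones quoted above), and the function names received_hops and report are this example's own.

```python
import re
from email import message_from_string

# Constructed headers: layout, dates and the 192.0.2.10 address are made up for
# illustration; the host names, 67.33.105.213 and the e-mail addresses are the
# values the article quotes for its two samples.
SAMPLE_1 = (
    "Return-Path: <makemoney@quick.com>\n"
    "Received: from unknown (67.33.105.213) by hkucc.hku.hk\n"
    "\twith SMTP; Mon, 1 Jan 2001 00:00:00 +0800\n"
    "Subject: constructed spam sample\n\nbody\n"
)
SAMPLE_2 = (
    "Received: from intranet.hku.hk (192.0.2.10) by hkusua.hku.hk\n"
    "\twith ESMTP; Mon, 1 Jan 2001 00:00:02 +0800\n"
    "Received: from localhost by intranet.hku.hk\n"
    "\twith SMTP; Mon, 1 Jan 2001 00:00:01 +0800\n"
    "Received: by intranet.hku.hk (bulk_mailer v1.5);\n"
    "\tMon, 1 Jan 2001 00:00:00 +0800\n"
    "From: chaumabc@cc.hku.hk\n\nbody\n"
)

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(raw):
    """Return one dict per Received line, newest hop (top of header) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        line = " ".join(value.split())            # undo header folding
        sender = re.search(r"\bfrom (\S+)", line)
        receiver = re.search(r"\bby (\S+)", line)
        ip = IP_RE.search(line.split(" by ")[0]) if sender else None
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1).rstrip(";") if receiver else None,
            "ip": ip.group(1) if ip else None,
        })
    return hops

def report(raw):
    """Summarise a header the way the article reads it."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    return {
        "claimed_sender": msg.get("Return-Path") or msg.get("From"),  # may be faked
        "delivering_ip": hops[0]["ip"] if hops else None,  # from the topmost line
        "path": [h["by"] for h in reversed(hops)],         # oldest hop first
    }
```

Calling report(SAMPLE_1) gives the return-path as the claimed sender and 67.33.105.213 as the address that handed the mail to "hkucc.hku.hk"; report(SAMPLE_2) lists the three hops from "intranet.hku.hk" to "hkusua.hku.hk".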

Tel: 2859 8934 E-mail: chaumabc@cc.hku.hk