How To Find the Full Headers When Sending Complaints to an ISP*
*ISP = Internet Service Provider
Full headers, which contain the entire path and route the spam took, are vitally needed
when sending complaints about spammers, online harassers or cyberstalkers. If your e-mail
program cannot show full headers, it is highly recommended that you switch to one that can.
Without full headers, the ISP is unable to track down a spammer or online abuser.
There are several e-mail programs (also known as x-mailers) that do not have this
capability. Some e-mail programs used for interoffice communications also do not have this
feature available.
However, e-mail programs such as Eudora Pro and Agent do have this capability. With Eudora
Pro, there is a button icon located in the upper left part of the tool bar that reads
BLAH
BLAH
BLAH
If you click on this button, the full headers will appear. This button must also be active if you
want to forward any e-mail and include the full headers.
Here is an example of what you usually see when receiving an e-mail or reading a post on a
newsgroup -- let's use one of Woodside's e-mail spams for the example:
From: Jffonn@aol.com
Date: Fri, 27 Dec 1996 22:39:19 -0800
Organization: Friends&Co
To: hitchcocks@geocities.com
Subject: Bandit
How can we tell the FROM and REPLY-TO addresses are false? After activating the "full
headers" function on your e-mail or newsreader program, the message will look something like
this:
From: Jffonn@aol.com
[169.132.96.55]) by Mail.IDT.NET (8.8.4/8.7.3) with SMTP id VAA19099 for
; Fri, 27 Dec 1996 21:39:19 -0500 (EST)
Message-ID: <32C4C097.41FA@aol.com>
Date: Fri, 27 Dec 1996 22:39:19 -0800
Organization: Friends&Co
X-Mailer: Mozilla 2.01 (Win16; I)
MIME-Version: 1.0
To: hitchcocks@geocities.com
Subject: Bandit
Out of the headers above, what is pasted below is the only part that is not forged, which shows
that the e-mail really came from IDT.NET and *not* aol.com.
[169.132.96.55]) by Mail.IDT.NET (8.8.4/8.7.3) with SMTP id VAA19099 for
; Fri, 27 Dec 1996 21:39:19 -0500 (EST)
Also, the numbers in the brackets, [169.132.96.55], are actually an IP address, which verifies that
this e-mail originally came not only from IDT, but from New York City, as follows:
ppp-55.ts-1.nyc.idt.net
How was that deduced? There is a web page, Sam Spade, that allows one to input an IP address
and get the real location and/or ISP of the spammer/abuser.
Now, let's look at a newsgroup posting. We'll use the most recent spams Woodside has been
flooding Usenet with as the example. You would normally see the following in a newsreader
such as Agent if you tried to reply or forward the spam:
On Fri, 4 Jul 1997 02:49:09, hdt54@idt.net wrote:
>We are a New York based international literary agency with two branch offices, one of
>which is in Florida. We are seeking new and> previously published authors, so please
>adhere to the following-- guidelines.
>All fiction: send brief
>envelope (SASE).
>All nonfiction: brief synopsis, first chapter, SASE.
>Short-Stories: brief synopsis, 3 pages, SASE.
>Poetry: send 3 poems, SASE.
>Please do not send complete manuscript unless we ask for it.
>
>Send to: Woodside International Literary Agency>>
>=XX-XX XX Street>>>>>>>>
>=Woodside, New York>>>>>>>>
>=11377>>>>>>>
>=Phone (main office):
>=718--XXX-XXXX>>>>>>>
>
This leads the average Internet user to assume the spam came from IDT and that is where they
would send their complaint to. But if they went to the OPTIONS pull-down menu in Agent and
clicked on "Show Full Headers," the spam would now look like:
Date: Fri, 4 Jul 1997 02:49:09
From: hdt54@idt.net
Newsgroups: rec.arts.books.childrens
Subject: writers>seeking.publication
NNTP-Posting-Host: 129.37.113.108
Message-ID: <33bc9dd7.0@news1.ibm.net>
Lines: 20
Path: ix.netcom.com!enews.sgi.com!su-news-feed4.bbnplanet.com!su-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsm.ibm.net!ibm.net!news1.ibm.net!129.37.113.108
--------------------------------------------------------------------------------------------
We are a New York based international literary agency with two branch offices, one of
which is in Florida. We are seeking new and> previously published authors, so please
adhere to the following-- guidelines.
All fiction: send brief
envelope (SASE).
All nonfiction: brief synopsis, first chapter, SASE.
Short-Stories: brief synopsis, 3 pages, SASE.
Poetry: send 3 poems, SASE.
Please do not send complete manuscript unless we ask for it.
Send to: Woodside International Literary Agency>>
=XX-XX XX Street>>>>>>>>
=Woodside, New York>>>>>>>>
=11377>>>>>>>
=Phone (main office):
=718--XXX-XXXX>>>>>>
The full headers now show the real ISP where the spammer is coming from, IBM, as follows:
NNTP-Posting-Host: 129.37.113.108
Message-ID: <33bc9dd7.0@news1.ibm.net>
Again, the numbers listed after "NNTP-Posting-Host" can be popped into the above-mentioned
web page and voilà! Like magic, the numbers translate into "slip129-37-113-108.pa.us.ibm.net"
-- NOTE the "pa" in this translation. That means the spam was sent through the Pennsylvania
arm of ibm.net.
A good rule of thumb when sending complaints to ISPs is to always send the complaint to the
postmaster. For example, the above spam would be sent to postmaster@ibm.net. Most ISPs also
have an abuse department, so you can probably send a complaint to them, too. Some even have a
spam complaints department (such as InternetMCI). All you would do is replace the word
postmaster with "abuse," "spamcomplaints" or whatever address you can find that is appropriate
to send a complaint to. Going to an ISP's web site/page is also helpful, as they usually have a
page devoted to their posting guidelines that will have an e-mail address to send complaints to.
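An added example, not part of the original page: the header reading described above for both the e-mail and the newsgroup post, done with Python's standard e-mail parser. The sample headers are constructed from the page's examples, the reverse-DNS names are the ones the page reports (passed in as strings so the block runs offline), and all function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples built from the page's headers. The "from" host name in the
# Received line is a placeholder: the page's copy of that line is truncated.
EMAIL = """\
Received: from placeholder.invalid ([169.132.96.55]) by Mail.IDT.NET
    (8.8.4/8.7.3) with SMTP id VAA19099; Fri, 27 Dec 1996 21:39:19 -0500 (EST)
From: Jffonn@aol.com
Subject: Bandit
"""
NEWS = """\
From: hdt54@idt.net
NNTP-Posting-Host: 129.37.113.108
Message-ID: <33bc9dd7.0@news1.ibm.net>
"""
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def origin_ip(raw_headers):
    """Return (header name, address) recorded by the server that accepted the message."""
    msg = message_from_string(raw_headers)
    host = msg.get("NNTP-Posting-Host")  # Usenet: set by the news server
    if host:
        return "NNTP-Posting-Host", host.strip()
    # Mail: each relay prepends its Received line, so read top-down and stop at
    # the first public address; lines further down may be sender-supplied.
    for received in msg.get_all("Received", []):
        for candidate in BRACKETED_IP.findall(received):
            try:
                if ipaddress.ip_address(candidate).is_global:
                    return "Received", candidate
            except ValueError:
                continue  # not a valid IPv4 address, e.g. [999.1.1.1]
    return None

def registered_domain(rdns_name):
    # Assumption: the ISP's domain is the last two labels (wrong for e.g. .co.uk).
    return ".".join(rdns_name.rstrip(".").lower().split(".")[-2:])

def complaint_addresses(rdns_name, mailboxes=("postmaster", "abuse")):
    return [f"{box}@{registered_domain(rdns_name)}" for box in mailboxes]

def from_mismatch(raw_headers, rdns_name):
    """True when the From: domain differs from the network the message came from."""
    claimed = parseaddr(message_from_string(raw_headers).get("From", ""))[1]
    return claimed.rpartition("@")[2].lower() != registered_domain(rdns_name)
```

A mismatch between the From: domain and the originating network is a reason to complain to the originating ISP rather than the one named in From:, not proof of forgery by itself.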
Helpful Hints on How to Show Full Headers on Other Newsreaders/Email Programs
- AOL E-mail
Thanks to ARusnak for this
"The email files are in an html format. The objective is to save the file in html format. This can
be done as follows:
Open the e-mail message you want to save, as if you were reading it
Move mouse cursor to the top tool bar, click on "File"
Move mouse cursor to "Save as..." and click.
Identify which directory you would like to save the file in. This is done using the normal save function of Windows. If you are not real comfortable with directories, save the file in "Desktop". This will have the file icon visible on your regular desktop screen and very easy to find later on.
Provide a name of the file in the "file name" box.
Select the "type" as "html" if possible. If your browser does not show "html" type, just select the type as "All Files" and add " .html " to the file name generated in step 6, such as email1.html. The "dot" before the html extension is important. The objective of this step is to have the extension of the file as an "html" type file.
Press "Save".
To forward the file to someone else (law enforcement, lawyer, ISP):
Move cursor to the top tool bar and click on "Write"
Insert the e-mail address you want to forward the file to
Type any info in the body of the message, if needed
To add the html file you just generated in the above steps, click on "Attachments"
When the "Attachments Window" opens, click on "Attach"
Find the file in the directory window and highlight the file name. If you followed the "Desktop" instructions, the directory name is "c:\desktop". If there are too many files that appear, type *.html in the file name. The use of the asterisk (also called a star by some) lists all files that are html.
Click on "open"
Click on "OK"
Click on "Send now"
The message and attached file have now been sent.
Please be aware that AOL only keeps messages in your INBOX for two weeks, unless you save it as NEW or save it in a separate folder in your AOL directory on your computer.
Additionally, a screen name of TOSEMAIL1 has been identified as a source of help for unacceptable e-mail in the AOL system. Just enter tosemail1 in the "send to" screen. If you are outside of the AOL environment, the address is tosemail1@aol.com.
- LOTUS NOTES 4.6 (Win 9x client)
Thanks to Cynthia for this
Open the properties box on the message (in the default installation of the Notes Client, it will be the first smart icon on the left, but you can also right-click on the document and choose properties from that menu)
Choose the second tab on the properties box, which is a list of fields and their contents
Scroll down to the field "$additionalheaders."
Select the contents of the field and hit Ctrl+C to copy them to your clipboard
Open a new e-mail message, put your cursor in the body of the message, and hit Ctrl+V to paste the headers there
If Notes will not permit you to select the contents of the field, you'll have to manually copy them to a new message - please be very careful in doing so.
- OUTLOOK EXPRESS 5
Thanks to Rainbow Joe for this
Here's a tip to simplify the process of getting full headers when using Outlook Express 5 and
Windows 98 (don't know about other versions of OE)
Instead of selecting the message, right-clicking properties, clicking details then message source,
simply select the message and press Ctrl-F3. Then press Ctrl-A followed by Ctrl-C.
Ctrl-F3 takes care of all the steps necessary to get to the full header.
Ctrl-A selects all the text and Ctrl-C copies it to the clipboard.
Now start a new message or just forward the original message (which takes less time than
opening a new one) to the originating ISP
- AGENT
"Click on MESSAGE, then "Show Full Headers." Go to the message, click inside the
message pane, COPY, then PASTE to a text file or forward the message to yourself or to the
appropriate ISP."
- COMPUSERVE
"The default option is that full headers appear at the BOTTOM of each received message."
- YAHOO!
"Go to OPTIONS
Go to MAIL PREFERENCES
Under MAIL VIEWING PREFERENCES, go to MESSAGE HEADERS, then select ALL"
- HOTMAIL
"Go to OPTIONS
Go to PREFERENCES
Scroll down to Headers, then click on ADVANCED HEADERS"
- MS OUTLOOK 98 AND OUTLOOK 2000
Thanks to Cynthia Armistead for this
"Open the message and select View, then Options from the drop-down menus.
Near the bottom of the screen you'll see a section titled INTERNET HEADERS.
You can copy the headers and paste them into an e-mail elsewhere to get them to the proper
people."
- PINE
Thanks to Julie Bernstein for this:
You must configure Pine to allow showing message headers. You may
skip steps 1-3 below if you have performed this configuration.
1. From the main Pine menu, type S for Setup, then C for Config.
2. Use the space bar and down arrow to scroll until you reach the
option [ ] enable-full-header-cmd, then type X in the box to toggle
the option on.
3. Type E to exit Config, and Y to save changes.
4. The next time you read a message, type H and the full headers will
be displayed at the top of the message. Type H again to hide the
headers.
- MS OUTLOOK EXPRESS
Thanks to Andrew Kuebler for this:
"There's an even easier solution to expanding Microsoft's Outlook Express 5 headers so that you
can copy and paste it to another window:
1) Right click on the message and select Properties.
2) Choose the Details tab and select the Message Source Button.
3) Select All (CTRL + A) and Copy (CTRL + C).
4) Close the Message Source window and the Properties window.
5) Select New Mail and position your cursor in the body of the e-mail.
6) Paste (CTRL + V) the copied information.
7) Send the e-mail to the ISP where the SPAM/UCE originated from."
- EUDORA PRO
Thanks to JAH for this:
"When reading an email message, look at the toolbar just above the message itself. There should
be a button that reads
BLAH
BLAH
BLAH
in black and white. Click on this and the full headers will appear. Then select all, copy and
paste into a new message to send to the offender's ISP, or click on the forward button and the full
headers will automatically be placed in the new email message."
- MICROSOFT EXCHANGE HEADERS
Thanks to Doug K. for this:
"To read (and copy) the header using Microsoft Exchange, do the
following:
Open the message in Exchange to view it. Choose 'File,' then
'Properties,' then 'Internet.' The header will be visible and will be
highlighted. Simply right click and copy it. Then paste on the front
of the message and forward it to your abuse department."
- INTERNET EXPLORER
Thanks to Meg for this:
"I just stumbled onto a way to attach the full header to a message.
Choose "Properties" under "File". Click on the "Details" tab. This will
show the full header.
Now right click and choose "Select All". Right click again and choose
"Copy". Start a new message, right click again, and choose "Paste". This
will paste the entire header into this new (and temporary) message. Copy
the header from the new message and paste it back onto the original. The
paste command doesn't work directly on the original message.
This isn't elegant, but it seems to work."
- NETSCAPE MESSENGER
Thanks to Ed for this:
"To read the email header in Netscape Messenger (the email reader supplied with netscape
communicator) press Ctrl-U. A new window will open with the full message including the
complete header. To copy this to a email message press Ctrl-A to highlight the entire message
then Ctrl-C to copy it. Open the email message you want to send. Using the mouse, place the
cursor in the body of the message, select edit / paste as quoted, from the menu bar."
- NETSCAPE
Thanks to Andrew for the following helpful tip:
"I found a simple way to view the headers of news spam in Netscape. Simply click View->
document source when you're looking at the offending item. The full headers are then
visible."
- MS INTERNET NEWS
Thanks to Ian for this:
"For those people who use Microsoft's Internet News, simply (while viewing the message) click
on File, Properties, then click on the Details tab. Sending complaints to root@someisp.com will
also work. Some other addresses are support@, webmaster@, and newsmaster@"
- PEGASUS E-MAIL
Thanks to Sitaram for this:
"In Pegasus, just hit Ctrl-H (or the backspace key) while reading a message. You will see the
full headers.
Do this *before* hitting "F" (for Forward), and the full headers will be forwarded, too.
(True for Pegasus 2.53, at least)"
- UNIX
Thanks to Marc for this:
"I think I've figured out one way of getting the full headers on Unix. We received a spam and
the message had just the usual "from," "to," "date," "subject" headers. But when I saved the
message in a directory, then used the "type" command or printed it out, full headers magically
appeared, showing where they were really posting from."
- UNIX
Thanks to John M. for this:
"Some more header info for some UNIX mail programs.
Nearly nobody uses mail and mailx any more, but they're available on almost all UNIX systems,
so let's start with those. You can exit your current mail program without changing the mailbox
and then look at the mail message using mail or mailx.
Showing a mail message with the Print or P command displays all of the header lines. Note
capital P -- it's important.
Saving the current mail message with the saveretain command saves all of the header lines. (On
some systems, Save or S -- note the capitals! -- does this too).
There are lots of other mail readers; the one I use is ELM. In ELM, you display the headers for
the current message with the H command."
- NEWSWATCHER
Thanks to Marc for this:
"If you want the full headers on Newswatcher, go to FILE, choose PREFERENCES, and
check the SHOW ARTICLE HEADERS box."
Remember, where there is a will, there is a way. Don't let spammers and other online abusers get
away with what they are doing! If you have any tips that you feel should be added here, some
links, etc., please feel free to drop a line to Header Info