This is a follow up of yesterday’s post. The following trick, discussed in IRW newsletter, helps you to mining email headers from even automatic responders and failed delivery emails.
The trick is to read email headers from the bottom up. The last “Received” is more trusted than the others which are forgeable. The line corresponds to the original sender.
Here is a technique discussed in IRW that you can use to identify which headers are inserted by your ISP. Send an email to yourself through your ISP account and check the email headers of both documents. If your ISP is not using an SMTP proxy masquerade, chances it might leak the name of the workstation used to create the email in the HELO command along with your ISP name, IP, and possibly other interesting information.
Armed with this information, analyze the headers of emails you receive from automatic responders and “failed to deliver” email messages. Now you know which headers are from your ISP and which are inserted as the email traveled from servers to servers before reaching your inbox.
For instance, I recently got an automatic response wherein the HELO says
Received: from unknown (HELO UKMAIL.sportex.com) (18.104.22.168)
by server-3.tower-157.messagelabs.com with SMTP; 6 Jan 2009 05:04:59 -0000
An IP lookup reveals additional information. The rest of the headers also leaks interesting stuff.