About Spam

There are around 100 known spam gangs in existence that account for the majority of spam sent to North America and Europe according to spamhaus.org.

One way to avoid spam is get a few new email addresses. Gmail,  Yahoo, Hotmail and countless others offer free email addresses.

Use that new address whenever you need to give your email address to a website club that you don’t want email from or a business that you don’t trust. If this email address gets spammed,  so what? You won’t be looking at it that often.

If you suspect an email is spam, or worse it is a scam and you’re not sure, here are few tips to possibly  prove the person he or she says they are, is actually real.

There are a few email fields you should be familiar with:

  • From address – Some email programs will hide the email address from you (for convenience). You may need to click on the From address to see the sender’s actual email address.
  • To address – It should be your email address.
  • BCC address – This is the Blind Carbon Copy address. This is used to mask or hide the recipients.  People do this to protect the list of an email’s recipients. Many spammers and scammers use this field as a shot gun approach.  They send the same message to many people and want to hide it from the recipients.
  • Reply to address – Should match the From address.  Spammers and scammers will often use a different email address for replies. Not all email clients will show this field, but some will display the Reply to address (if it is different than the From address) if you click on the From address.

Other things to check:

  • Look at the to line and from lines – People don’t often have strange email addresses.  If your email displays a name but the email address is something impossible to remember, it’s most likely spam.
  • Reply address is different than the from address – this should raise a flag.
  • Check the sender domain – Many spammers or scammers will use domains that don’t exist.  They also find an email server that is open (one that has been hacked or is virus ridden).  Checking the domain is easy. Copy the domain (www.whatever.extension) into a web browser URL field and see if there is a web site that corresponds to their email address.
  • If you are not dealing with a company, looking at the domain name won’t help. As mentioned earlier, if it is a nonsensical From address, then the email address wont yield much information.
  • Look at the header information. Many email applications will let you see the original header information. This is the information servers put into the message for hopefully tracking it back to its source.  In Outlook you will find the header by right clicking the email in the list and selecting message options.  Gmail uses a gear icon and then select show the original source.

Article Contents


This guide is provided to learn how to read and understand an email header. To understand an email header, we need to analyze the life of the email. Most of the time, it appears that email is passed directly from the sender directly to the recipient. This isn’t necessarily true: A typical email passes through at least four computers.To begin you will need to find your full email header. You can find instructions at: How to View Email Headers.

Viewing an email header

In this example, the “Sender” mt.kb.user@gmail.com wants to send an email to the “Receiver” user@example.com. The sender composes the email at gmail.com, and user@example.com receives it in the email client Apple Mail.

Here is the example header:

From: Media Temple user (mt.kb.user@gmail.com)
Subject: article: How to Trace a Email
Date: January 25, 2011 3:30:58 PM PDT
To: user@example.com
Return-Path: <mt.kb.user@gmail.com>
Envelope-To: user@example.com
Delivery-Date: Tue, 25 Jan 2011 15:31:01 -0700
Received: from po-out-1718.google.com ([]:54907) by cl35.gs01.gridserver.com with esmtp (Exim 4.63) (envelope-from <mt.kb.user@gmail.com>) id 1KDoNH-0000f0-RL for user@example.com; Tue, 25 Jan 2011 15:31:01 -0700
Received: by po-out-1718.google.com with SMTP id y22so795146pof.4 for <user@example.com>; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by with SMTP id t17mr3929916rvm.251.1214951458741; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Received: by with HTTP; Tue, 25 Jan 2011 15:30:58 -0700 (PDT)
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=+JqkmVt+sHDFIGX5jKp3oP18LQf10VQjAmZAKl1lspY=; b=F87jySDZnMayyitVxLdHcQNL073DytKRyrRh84GNsI24IRNakn0oOfrC2luliNvdea LGTk3adIrzt+N96GyMseWz8T9xE6O/sAI16db48q4Iqkd7uOiDvFsvS3CUQlNhybNw8m CH/o8eELTN0zbSbn5Trp0dkRYXhMX8FTAwrH0=
Domainkey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type; b=wkbBj0M8NCUlboI6idKooejg0sL2ms7fDPe1tHUkR9Ht0qr5lAJX4q9PMVJeyjWalH 36n4qGLtC2euBJY070bVra8IBB9FeDEW9C35BC1vuPT5XyucCm0hulbE86+uiUTXCkaB 6ykquzQGCer7xPAcMJqVfXDkHo3H61HM9oCQM=
Message-Id: <c8f49cec0807011530k11196ad4p7cb4b9420f2ae752@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=”—-=_Part_3927_12044027.1214951458678″
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
X-Spam-Level: ***
Message Body: This is a KnowledgeBase article that provides information on how to find email headers and use the data to trace a email.

Understanding the email header


It is important to know that when reading an email header every line can be forged, so only the Received: lines that are created by your service or computer should be completely trusted.


  • This displays who the message is from, however, this can be easily forged and can be the least reliable.


  • This is what the sender placed as a topic of the email content.


  • This shows the date and time the email message was composed.


  • This shows to whom the message was addressed, but may not contain the recipient’s address.


  • The email address for return mail. This is the same as “Reply-To:”.


  • This header shows that this email was delivered to the mailbox of a subscriber whose email address is user@example.com.

Delivery Date

  • This shows the date and time at which the email was received by your (mt) service or email client.


  • The received is the most important part of the email header and is usually the most reliable. They form a list of all the servers/computers through which the message traveled in order to reach you.The received lines are best read from bottom to top. That is, the first “Received:” line is your own system or mail server. The last “Received:” line is where the mail originated. Each mail system has their own style of “Received:” line. A “Received:” line typically identifies the machine that received the mail and the machine from which the mail was received.

Dkim-Signature & Domainkey-Signature


  • A unique string assigned by the mail system when the message is first created. These can easily be forged.



  • Generally, this will tell you the format of the message, such as html or plaintext.


  • Displays a spam score created by your service or mail client.


  • Displays a spam score usually created by your service or mail client.

Message Body

  • This is the actual content of the email itself, written by the sender.

Finding the Original Sender

The easiest way for finding the original sender is by looking for the X-Originating-IP header. This header is important since it tells you the IP address of the computer that had sent the email. If you cannot find the X-Originating-IP header, then you will have to sift through the Received headers to find the sender’s IP address. In the example above, the originating IP Address is

Once the email sender’s IP address is found, you can search for it at http://www.arin.net/. You should now be given results letting you know to which ISP (Internet Service Provider) or webhost the IP address belongs. Now, if you are tracking a spam email, you can send a complaint to the owner of the originating IP address. Be sure to include all the headers of the email when filing a complaint.





Leave a Reply