Imagine every post office putting a special stamp on each letter. The stamp would say exactly when the letter was received, where it came from and where it was forwarded to by the post office. If you got the letter, you could determine the exact path taken by the letter.
This is exactly what happens with email.
Received: Lines for Tracing
As a mail server processes a message, it adds a special line, the Received: line to the message's header. The Received: line contains, most interestingly,
- the server name and IP address of the machine the server received the message from and
- the name of the mail server itself.
The Received: line is always inserted at the top of the message headers. If we want to reconstruct an email's journey from sender to recipient we also start at the topmost Received: line (why we do this will become apparent in a moment) and walk our way down until we have arrived at the last one, which is where the email originated.
Received: Line Forging
Spammers know that we will apply exactly this procedure to uncover their whereabouts. To fool us, they may insert forged Received: lines that point to somebody else sending the message.
Since every mail server will always put its Received: line at the top, the spammers' forged headers can only be at the bottom of the Received: line chain. This is why we start our analysis at the top and work our way down, rather than simply reading the email's origin off the bottommost Received: line.
How to Tell a Forged Received: Header Line
The forged Received: lines inserted by spammers to fool us will look like all the other Received: lines (unless they make an obvious mistake, of course). By itself, you can't tell a forged Received: line from a genuine one.
This is where one distinct feature of Received: lines comes into play. As we've noted above, every server will not only note who it is but also where it got the message from (in IP address form).
We simply compare who a server claims to be in its own Received: line with what the server one notch up in the chain (the line directly above) says it really is. If the two don't match, the lower, earlier Received: line has been forged.
In this case, the origin of the email is what the server immediately after the forged Received: line has to say about who it got the message from.
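The comparison just described, written out in Python as an added example that is not part of the original article. The header chain it walks is constructed (the hostnames and addresses are reserved documentation values), and its bottom line is a forgery that the top-down check should catch:

```python
import re
from typing import List, Optional

# Constructed sample chain, newest Received: line first, as it appears in a message.
# The bottom line is forged: it claims mail.bigcorp.example relayed the message from
# innocent.example, but the genuine line above it records that relay.example.org really
# received it from 192.0.2.77, whose reverse-DNS name is not mail.bigcorp.example.
SAMPLE_HEADERS = [
    "Received: from mx2.example.net (mx2.example.net [198.51.100.20]) by mail.example.com with ESMTP id A1",
    "Received: from relay.example.org (relay.example.org [203.0.113.5]) by mx2.example.net with ESMTP id B2",
    "Received: from mail.bigcorp.example (cpe-192-0-2-77.isp.example [192.0.2.77]) by relay.example.org with ESMTP id C3",
    "Received: from innocent.example (innocent.example [192.0.2.99]) by mail.bigcorp.example with SMTP id D4",
]

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"                        # name the sending client announced
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"   # rDNS name and IP the receiving server saw
    r"\s+by\s+(?P<by>\S+)",                                      # name of the server that wrote this line
    re.IGNORECASE,
)

def parse_received(line: str) -> Optional[dict]:
    """Return the helo/rdns/ip/by fields of one Received: line, or None if it is not one."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    return {k: (v.lower() if v else None) for k, v in m.groupdict().items()}

def trace_origin(headers: List[str]) -> dict:
    """Walk the chain top-down. Each line's 'by' name must equal the peer that the line
    above recorded in its 'from' clause; the first mismatch marks the forged line, and
    the origin is the IP the last trustworthy line received the message from."""
    hops = [parse_received(h) for h in headers]
    for i, cur in enumerate(hops):
        if cur is None:
            return {"origin_ip": hops[i - 1]["ip"] if i else None, "forged_index": i}
        if i + 1 < len(hops):
            nxt = hops[i + 1]
            # Trust the reverse-DNS name the receiving server logged; the HELO name is
            # chosen by the client and is used only when no rDNS name was recorded.
            peer = cur["rdns"] or cur["helo"]
            if nxt is None or nxt["by"] != peer:
                return {"origin_ip": cur["ip"], "forged_index": i + 1}
    return {"origin_ip": hops[-1]["ip"], "forged_index": None}
```

Real servers do not always write their canonical name after "by", so a mismatch is a strong signal rather than proof; the chain still needs a human reading of the lines around the break.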
Are you ready for an example?