How to Read Received Headers
February 7, 2008 – 8:15 am

Yesterday I wrote about Email Headers. Today I will zoom in on the Received headers. We will take an example header and break it down line by line. Consider the following set of Received lines from an email header:
Received: from mx1.sentinare.net (lausanne [10.2.28.23]) by mailbox01.sentinare.net (Postfix) with ESMTP id 051AE1DDA79C for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 12:27:45 +0000 (GMT)
Received: from mato.luukku.com (mato.luukku.com [193.209.83.251]) by mx1.sentinare.net (Postfix) with ESMTP id 3B0385D6484 for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 12:27:45 +0000 (GMT)
Received: from suksi.luukku.com (www3.i.luukku.com [10.0.1.33]) by mta3-g.i.luukku.com (Postfix) with ESMTP id 494F57FC04 for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 13:44:37 +0200 (EET)
Received: from suksi.luukku.com (localhost.hard.ware.fi [127.0.0.1]) by suksi.luukku.com (Postfix) with ESMTP id 3DE743C002 for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 13:44:37 +0200 (EET)
Received: from null (APointe-a-Pitre-105-1-4-28.w81-248.abo.wanadoo.fr. [81.248.177.28]) by www3.luukku.com (luukku.com) with HTTP 1.0; Thu, 7 Feb 2008 13:44:37 +0200 (EET)
When we read email headers, we read them from bottom to top, so we will look at the last Received header first. This Received line shows where the mail originated:
Received: from null (APointe-a-Pitre-105-1-4-28.w81-248.abo.wanadoo.fr. [81.248.177.28]) by www3.luukku.com (luukku.com) with HTTP 1.0; Thu, 7 Feb 2008 13:44:37 +0200 (EET)
We can see that it was received from “null (APointe-a-Pitre-105-1-4-28.w81-248.abo.wanadoo.fr. [81.248.177.28])” by “www3.luukku.com”. What this shows is a user on a computer sitting in the Caribbean (Guadeloupe, to be precise), most probably using a webmail client at “www3.luukku.com” to send mail. We know that the user is in Guadeloupe because the IP address 81.248.177.28 resolves to “APointe-a-Pitre-105-1-4-28.w81-248.abo.wanadoo.fr”, and “Pointe-a-Pitre” is the concentration point for internet connections to Guadeloupe. Note also that it shows the message was sent at Thu, 7 Feb 2008 13:44:37 +0200 (EET).
The next line shows the webserver handing it off to the local mailer at “suksi.luukku.com”:
Received: from suksi.luukku.com (localhost.hard.ware.fi [127.0.0.1]) by suksi.luukku.com (Postfix) with ESMTP id 3DE743C002 for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 13:44:37 +0200 (EET)
This line shows that “www3.luukku.com” is most likely also named “suksi.luukku.com”, since the mail is received from “localhost”, i.e. from suksi.luukku.com (localhost.hard.ware.fi [127.0.0.1]) by suksi.luukku.com. This is common when webservers originate mail, since the web server process (say, Apache) hands it off to the local mailer (typically sendmail or Postfix). In this case we can see it is Postfix, since suksi.luukku.com puts “(Postfix)” in the Received line it adds. We can also see that the mail envelope recipient is “chris.paul@rexconsulting.net”.
The next line shows the webserver we now know as “suksi.luukku.com” relaying to what is most likely the perimeter mail relay for luukku.com, mta3-g.i.luukku.com:
Received: from suksi.luukku.com (www3.i.luukku.com [10.0.1.33]) by mta3-g.i.luukku.com (Postfix) with ESMTP id 494F57FC04 for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 13:44:37 +0200 (EET)
We can see that “mta3-g.i.luukku.com” is also a Postfix server. We can see again that the mail envelope recipient is “chris.paul@rexconsulting.net”. We also see the date again, and that the mail has gone this far in under a second.
The next line shows “mato.luukku.com” relaying it to the MX server responsible for “chris.paul@rexconsulting.net”, “mx1.sentinare.net”. Wait a minute, though: the machine it was at last was “mta3-g.i.luukku.com”! How did it get to “mato.luukku.com”? Probably because “mato.luukku.com” and “mta3-g.i.luukku.com” are the same machine. It is common for machines to have different names by which they are known on the inside and the outside of their own network. “mato.luukku.com” is the name it is known by to the internet; that is the name of its external address, 193.209.83.251.
Received: from mato.luukku.com (mato.luukku.com [193.209.83.251]) by mx1.sentinare.net (Postfix) with ESMTP id 3B0385D6484 for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 12:27:45 +0000 (GMT)
Note that the timezone has now changed from EET (+0200) to GMT (+0000), so we should expect a 2 hour difference in the local time. The previous Received line shows a relay at 13:44:37 +0200 and this Received line shows a relay at 12:27:45 +0000, so this relay took 7 seconds (or someone’s clock is a little off).
The next line shows delivery to the final mailbox server:
Received: from mx1.sentinare.net (lausanne [10.2.28.23]) by mailbox01.sentinare.net (Postfix) with ESMTP id 051AE1DDA79C for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 12:27:45 +0000 (GMT)
mx1.sentinare.net, the relay server responsible for “rexconsulting.net”, seems to have an internal route to “mailbox01.sentinare.net”, which is the mailbox server for “chris.paul@rexconsulting.net”. We can see that the mail reached its destination 7 seconds after it was sent, even though it made all these hops.
Knowing how to read an email header is useful. Now you can check the path a mail took and, if there was any delay, where that delay was.
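As an added example (not code from the original post), the following Python parses the Received lines above, returns the hops in transit order, and computes the per-hop delay after converting every timestamp to UTC, so a +0200 stamp and a +0000 stamp subtract correctly; the sample headers are the ones from this article and the function and field names are my own.

```python
import re
from email.utils import parsedate_to_datetime

# The five Received lines from the article, in the order they appear in the
# message (newest hop on top; each trace header is one logical line).
RAW_HEADERS = """\
Received: from mx1.sentinare.net (lausanne [10.2.28.23]) by mailbox01.sentinare.net (Postfix) with ESMTP id 051AE1DDA79C for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 12:27:45 +0000 (GMT)
Received: from mato.luukku.com (mato.luukku.com [193.209.83.251]) by mx1.sentinare.net (Postfix) with ESMTP id 3B0385D6484 for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 12:27:45 +0000 (GMT)
Received: from suksi.luukku.com (www3.i.luukku.com [10.0.1.33]) by mta3-g.i.luukku.com (Postfix) with ESMTP id 494F57FC04 for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 13:44:37 +0200 (EET)
Received: from suksi.luukku.com (localhost.hard.ware.fi [127.0.0.1]) by suksi.luukku.com (Postfix) with ESMTP id 3DE743C002 for <chris.paul@rexconsulting.net>; Thu, 7 Feb 2008 13:44:37 +0200 (EET)
Received: from null (APointe-a-Pitre-105-1-4-28.w81-248.abo.wanadoo.fr. [81.248.177.28]) by www3.luukku.com (luukku.com) with HTTP 1.0; Thu, 7 Feb 2008 13:44:37 +0200 (EET)
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiver>": the parenthesised name
# and IP were recorded by the receiving host; the HELO name was self-declared.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_received(raw):
    """Return hops in transit order (bottom to top): originator first,
    final mailbox server last."""
    hops = []
    for line in raw.splitlines():
        if not line.startswith("Received:"):
            continue
        fields, _, date = line[len("Received:"):].rpartition(";")
        m = HOP_RE.search(fields)
        if not m:
            continue  # non-standard trace line: skip rather than guess
        rcpt = re.search(r"\bfor\s+<([^>]+)>", fields)
        hops.append({
            "helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "by": m["by"],
            "for": rcpt.group(1) if rcpt else None,
            "time": parsedate_to_datetime(date.strip()),  # tz-aware datetime
        })
    hops.reverse()
    return hops

def hop_delays(hops):
    """Seconds between consecutive hops. Aware datetimes subtract in UTC, so an
    EET (+0200) stamp and a GMT (+0000) stamp compare correctly; a negative
    value means the receiving host's clock is behind the previous hop's."""
    return [int((b["time"] - a["time"]).total_seconds())
            for a, b in zip(hops, hops[1:])]
```

Only the Received lines added by your own relays are trustworthy; every line below them was written by hosts you do not control and can say anything, so treat the originator hop as a claim to verify, not a fact.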