Where does this e-mail really come from?

Checking whether a message is real or spoofed

It is usually possible to find out the address of the originating computer by examining the full header of an e-mail. E-mail client applications usually do not display this information, and how to show it depends on the program you are using. For example, in Pine you press the H key to switch between reduced and full header display.

Here is an example of a full header:

Return-Path: <>
Received: from ( [])
        by (8.12.10+Sun/8.12.9) with ESMTP id
        for <>; Tue, 27 Jul 2004 09:49:08 +0200 (MEST)
Received: from ([])
        by (8.12.9-20030917/8.12.9) with SMTP id
        for <>; Tue, 27 Jul 2004 09:47:25 +0200
Received: from [] by with bursitis SMTP;
        Mon, 26 Jul 2004 22:45:33 -0600
X-Authentication-Warning: alphameric contractor alcott easternmost
Date: Mon, 26 Jul 2004 22:45:33 -0600
From: "Noemi Martinez" <>
Reply-To: "Noemi Martinez" <>
Message-ID: <8797742143.808872903709168412@regretful>
References: <081806488540513393818@exact>
In-Reply-To: <428536800758268438224@savoy>
X-Mailer: antiquary nabla
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-ASICTP-MailScanner-Information: Please see
X-ASICTP-MailScanner: Found to be clean
X-ASICTP-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.8,
        required 5, BAYES_99 3.01, DATE_IN_PAST_03_06 0.27, IN_REP_TO -0.37,
        MIME_HTML_ONLY 0.10, RCVD_IN_ORBS 0.11, RCVD_IN_RFCI 1.09,
        REFERENCES -0.00, X_AUTH_WARNING -0.40)
X-ASICTP-MailScanner-SpamScore: sss
Status: O
X-UID: 48185
Content-Length: 5795

while the normal header display would be:

Date: Mon, 26 Jul 2004 22:45:33 -0600
From: Noemi Martinez <>
Reply-To: Noemi Martinez <>

So it is understandable that you are usually not presented with the full header. However, it can be useful for finding out where a message really came from. The last Received: from line (the one furthest down, since each mail server adds its own line above the existing ones) tells you to which computer the message can be traced back. In this case it is If a message is sent from within the ICTP, you would see something like

Received: from sv17 ( [])

as the last Received: line. In any case, the domain of the From: address and the host in the last Received: line should match; otherwise it is unlikely that the sender is really who they claim to be.
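
The check described above can be automated. The following Python sketch is an added example, not part of the original FAQ: it takes the last Received: line of a raw message and compares its host with the domain of the From: address. The sample message, its host names and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (reserved example domains, documentation IP ranges).
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
        by mx.example.com with ESMTP id abc123
        for <bob@example.com>; Tue, 27 Jul 2004 09:49:08 +0200
Received: from pc17 (pc17.example.org [198.51.100.7])
        by relay.example.net with SMTP id def456
        for <bob@example.com>; Tue, 27 Jul 2004 09:47:25 +0200
Date: Tue, 27 Jul 2004 09:45:33 +0200
From: "Alice" <alice@example.org>
Subject: constructed test message

body
"""

# "from <name> (<info recorded by the receiving server>)"
RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)

def origin_host(raw):
    """Host named in the bottom-most (earliest) Received: line, or None."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    # Folded headers keep their line breaks; collapse all whitespace first.
    m = RECEIVED_FROM.match(" ".join(received[-1].split()))
    if not m:
        return None
    name, info = m.group(1), (m.group(2) or "").split()
    # Prefer the name the receiving server wrote in parentheses, if any.
    if info and not info[0].startswith("["):
        name = info[0]
    return name.lower().rstrip(".")

def from_domain(raw):
    """Domain part of the From: address, lower-cased."""
    addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def origin_matches_from(raw):
    """True if the origin host is the From: domain or a host inside it."""
    host, dom = origin_host(raw), from_domain(raw)
    if not host or not dom:
        return False
    return host == dom or host.endswith("." + dom)
```

A result of False marks a message for closer inspection; a message with no Received: line at all is also reported as a mismatch.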