I'm going to use my own headers for this. We will go line by line and I will explain each one as we go.
This is what headers look like:
From: [email protected] (Gothweasel)
Newsgroups: alt.cuddle.rebels
Subject: Just a quick note
Date: Wed, 07 Oct 1998 16:33:18 GMT
Organization: Weasel At Work
Reply-To: [email protected]
Message-ID: [email protected]>
X-Newsreader: Forte Free Agent 1.11/32.235
NNTP-Posting-Host: 209.85.113.247
X-Trace: 7 Oct 1998 16:35:56 GMT, 209.85.113.247
Lines: 6
Path: news.qnet.com!209.85.113.247
Xref: news.qnet.com alt.cuddle.rebels:3
Line by line dissection
Path: news.qnet.com!209.85.113.247
This is the path that the post took to get to you. If this were somebody else's post there would be more on this line. From this one, you can see that I am posting from qnet.com.
This is a path taken from one of SmokeyBehr's posts. You can see how it got to me.
Path: news.qnet.com!newsfeed.qnet.com!news-xfer.siscom.net!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!netnews.com!howland.erols.net!news.alt.net!usenet
As you can see, I am using qnet.com and he is using alt.net.
From: [email protected] (Gothweasel)
This line is one of the easiest to forge. In this case it is the right addy. This is just the email addy you would reply to if you were to email the poster. You can pretty much ignore it.
Newsgroups: alt.cuddle.rebels
This is good to use when a spammer is crossposting. You can see just who the post is being sent to. In this case it's just alt.cuddle.rebels, but you will see a few with several newsgroups here. When writing your complaint, you can use this to show they are crossposting. This is usually against the TOS (terms of service).
Subject: Just a quick note
This is a no-brainer. You can skip it.
Date: Wed, 07 Oct 1998 16:33:18 GMT
This pretty much has no relevance, unless you are showing that a certain post was made several times in a certain amount of time.
Organization: Weasel At Work
Obviously, this line is easily changed as well. You can pretty much ignore it too. If it matches everything else, you have either a really dumb spammer or one that has gotten everything to match (which isn't often; most are too lazy).
Lines: 35
Another no-brainer. It only has relevance to the postmaster.
Message-ID: [email protected]>
This line is the MOST important line in the headers. It can be forged, but it is rare that anyone ever does. Once you read this line, you can be pretty sure that if you fired off a complaint to [email protected] or [email protected] about me, you would be right on.
Reply-To: [email protected]
Another line that can be forged. Many people add spam blockers in this line, such as "[email protected]". Again, ignore this one.
NNTP-Posting-Host: 209.85.113.247
This is the third most important line, right after the path and message ID. For my posts, it doesn't help, unless you trace it down. Then you've pretty much got it.
(I took this from SmokeyBehr as well)
References: [email protected]>
This shows you what other ISPs have been used to post to the thread. There isn't any significance to it for this matter.
X-Newsreader: Forte Free Agent 1.11/32.235
This is the news reader that the person used to post from. In my case, I'm using Forte Free Agent. If you look up my older posts, you would see something different, because I was using Outlook Express to post. This is pretty much irrelevant, but it's sometimes interesting to see what other people are using.
Xref: news.qnet.com alt.cuddle.rebels:3
This is where I am. I am on qnet for my news feed, and I am posting in alt.cuddle.rebels
Review
From: [email protected] (Gothweasel)
Newsgroups: alt.cuddle.rebels
Subject: Just a quick note
Date: Wed, 07 Oct 1998 16:33:18 GMT
Organization: Weasel At Work
Reply-To: [email protected]
Message-ID: [email protected]>
X-Newsreader: Forte Free Agent 1.11/32.235
NNTP-Posting-Host: 209.85.113.247
X-Trace: 7 Oct 1998 16:35:56 GMT, 209.85.113.247
Lines: 6
Path: news.qnet.com!209.85.113.247
Xref: news.qnet.com alt.cuddle.rebels:3
Remember to check these when reading the headers.
Any line can be forged, but these are the least likely.
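The Path, NNTP-Posting-Host and X-Trace checks described above can be run over a saved header block. The following is an added example, not part of the original page: the function names are hypothetical and the sample input is constructed from the header values shown above.

```python
# Added example: splits the Path header and cross-checks it against
# NNTP-Posting-Host and X-Trace. Sample input is constructed from this page.

def parse_headers(text):
    """Parse 'Name: value' lines. A line starting with whitespace continues
    the previous header (joined without a space, which suits Path)."""
    headers, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            headers[last] += line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers

def path_hops(path):
    """Split Path on '!'. Leftmost is your own server, rightmost is nearest the poster."""
    return [hop for hop in path.split("!") if hop]

def trace(headers):
    hops = path_hops(headers.get("path", ""))
    # Trailing entries such as 'usenet' are not hosts; keep the last entry with a dot.
    dotted = [h for h in hops if "." in h]
    posting_host = headers.get("nntp-posting-host", "")
    return {
        "reader_server": hops[0] if hops else None,
        "origin": dotted[-1] if dotted else None,
        "hop_count": len(hops),
        "posting_host_in_path": bool(posting_host) and posting_host in hops,
        "xtrace_agrees": bool(posting_host) and posting_host in headers.get("x-trace", ""),
    }

OWN_POST = """\
Path: news.qnet.com!209.85.113.247
NNTP-Posting-Host: 209.85.113.247
X-Trace: 7 Oct 1998 16:35:56 GMT, 209.85.113.247
"""

# The longer path quoted above, written as a folded header (continuation indented).
OTHER_POST = """\
Path: news.qnet.com!newsfeed.qnet.com!news-xfer.siscom.net!news-spur1.maxwell.syr.edu!
 news.maxwell.syr.edu!netnews.com!howland.erols.net!news.alt.net!usenet
"""

if __name__ == "__main__":
    for label, raw in (("own post", OWN_POST), ("other post", OTHER_POST)):
        print(label, trace(parse_headers(raw)))
```

When the posting host, the X-Trace address and the right-hand end of the Path all agree, a complaint to that site's postmaster is well grounded; a mismatch is a reason to trust only the hops added by servers you recognise.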