How to Read Email Headers to Report Spam



Dear Internet Patrol, How do I read the fine print in the spam’s header information to determine from where the spam really originated? I forwarded one to, and they sent me an e-mail saying it wasn’t a correct address. Thank you, Kim

You raise a number of interesting points and questions in your email. First, if you get spam which appears to be from someone at Hotmail, then pretty much the only thing which you can be certain of right off the bat is that it isn’t from Hotmail. So Hotmail was probably correct in returning the spam to you, even though you were trying to do the right thing.


In fact, if you receive spam of the real, true “Make Money Fast” variety, you can rest assured that 99.9% of the time the domain featured in the “From:” email address will belong to an ISP or other Internet site which has no connection to the spam whatsoever. This is known as “domain spoofing”, and it is now illegal under CAN-SPAM. Of course, littering is illegal too, but that doesn’t seem to stop the litterbugs either.

You are to be commended for wanting to dive into the world of reading headers, and while on some levels it can be very complicated, there is a first level on which it is not difficult at all, and can still be very useful. The first thing you will need to do is to open up an email, and then switch to the ‘full header view’. This is called many things by many different email programs, but the most common terms are “full headers”, “all headers” and “raw view”.

Now you will note that in addition to seeing the traditional headers such as “From:”, “To:”, “Subject:”, and “Reply-To:”, you will also see lots of other lines, many containing IP addresses. The answer to the question “to whom do I report this spam” lies within these lines. These lines can tell you where the spam originated (or at least what the next closest link was), where it went from there, through which Internet locations it hopped, and generally the path it took to get to your front door. You only have to know how to read the information. If you want to delve even deeper, you can learn all sorts of things, such as where the spammer was geographically when they sent the offending message, what time they sent the spam, and what sorts of resources they abused in the process. But for our purposes we just want to know the path the spam took to get to you.


However, rather than tell you how to read those lines, we are going to refer you to a couple of sites which will not only tell you how to read those headers, but which will do so very well. The links are at the end of this missive.

Once you have determined the path which the email likely took, you will a) realize that indeed the email never came close to the domain which is featured in the “From:” address, and b) have a good sense of where it’s been (no, that doesn’t mean that you can put it in your mouth), so that you know to whom to report it.

Now, once you know the sites which were involved, how do you determine the email addresses to which you should send your complaints? Conventional wisdom holds that any responsibly administered mail server will maintain either or both of postmaster@domain and abuse@domain. These are known as role accounts, and while there can be many other role accounts (for example “root”, “webmaster” and “news”), these are the only two with which we need concern ourselves for this exercise. Of course, conventional wisdom is not always right – the recommended role accounts are not always set up, but that is not your problem. We recommend that once you determine to which sites you want to send the reports, you send them to postmaster@domain and abuse@domain. So, for example, if you have figured out that one of the domains involved in transiting the spam is “”, you may want to send email to and (note that this is a made up domain, so that if any spammer scrapes these addresses it won’t cause anybody real to get spammed).
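An added example (not from the original article), in Python: it walks the Received lines of a constructed message from newest to oldest, stops at the hop where the recipient's own server accepted the mail from outside, and builds the two role-account addresses for that host. The Postfix-style `from HELO (rDNS [IP]) by SERVER` layout, the `.example` hosts and all function names are assumptions made for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample; every host and address uses reserved documentation ranges.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Mon, 1 Jan 2024 10:00:03 +0000
Received: from mail.hotmail.example (unknown [203.0.113.55])
\tby relay.isp.example with SMTP id C3; Mon, 1 Jan 2024 10:00:01 +0000
From: "Make Money Fast" <winner@hotmail.example>
Subject: Make Money Fast
"""

# "from HELO (rDNS [IP]) by SERVER": HELO is whatever the sender claimed,
# while rDNS and IP were recorded by the server that stamped the line.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)\s+by\s+(\S+)")

def hops(raw):
    """Received lines, newest first (each server prepends its own)."""
    values = email.message_from_string(raw).get_all("Received", [])
    found = (HOP.search(v) for v in values)
    return [dict(zip(("helo", "rdns", "ip", "by"), m.groups())) for m in found if m]

def internal(host, domain):
    return host == domain or host.endswith("." + domain)

def handoff(hop_list, my_domain):
    """Newest hop where one of our own servers accepted mail from outside.
    Lines below it were supplied by the sender's side and may be forged."""
    for hop in hop_list:
        if not internal(hop["by"], my_domain):
            return None
        if not internal(hop["rdns"], my_domain):
            return hop
    return None

def from_domain(raw):
    return parseaddr(email.message_from_string(raw)["From"])[1].split("@")[-1]

def report_targets(hop):
    """Role accounts for the handing-off host. Taking the last two labels of the
    rDNS name is a naive shortcut; with no rDNS, look up the IP's owner instead."""
    if hop is None or "." not in hop["rdns"]:
        return []
    domain = ".".join(hop["rdns"].split(".")[-2:])
    return [f"postmaster@{domain}", f"abuse@{domain}"]
```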

When reporting spam, you should always assume that the site to which you are reporting the spam probably does not know that they have an embarrassing spam problem, and so should approach them with gentleness and respect (good advice for all initial encounters, online and off, we think). You should also assume, particularly with an Internet site of substantial size, that their abuse staff is horribly understaffed and overworked, and so a delay in response of a few days may not be unreasonable (in fact some sites don’t respond to the person making the report at all).

Ok, we promised you some links to sites which will teach you how to divine the information contained in the headers of your spam, and here they are:

Email Address Manager Header Reading Tutorial
Google Tutorial on How to Read Email Headers


5 Replies to “How to Read Email Headers to Report Spam”

  1. In the not too far future there will be a tightening up of the ship with domain registrations. It’s in draft form as we speak and awaiting final approval. This will be interesting to see exactly how they enforce domain registrations which will be required to be legitimate addresses and phone numbers which supposedly will be verified, plus maintaining privacy on the WhoIs, RICC, etc.

  2. Sending protests to the relaying IP domain can often help, but certain ones are totally non-responsive other than a “bot” form letter response, including MAJOR networks such as SWBELL, and lesser malingerers like, to whom I’ve sent dozens of complaints to no avail.

    The worst thing that happened to the internet was when domain registration authority got totally fragmented without any accountability.
    “Registrars” such as Enom, Gandi Sarl, and Joker (yes!) allow totally and OBVIOUSLY bogus data in their registration databases, with impossible or non-existent addresses, bogus telephone numbers (222-222-2222, eg.) and bad email contact addresses.
    The registrars should be REQUIRED, on pain of losing their authority, with severe fines, to VERIFY and MAINTAIN these databases. This would be a major step in stopping scam spam.

    What good does it do to be able to read the full headers, if 98% of the data is either forged or untraceable due to bogus domain registrations?

    Frankly, if certain countries don’t want to go along with valid and truthful registration processes and filtering relays from known spammers, block them out! Entirely! One could start with China, Korea, & Brazil, three of the worst for relaying spam. Perhaps when the LEGITIMATE businesses in those countries lose their international connectivity, they’ll clean up their countries’ act. Naive? I don’t think so. Evidence points to needing a sledgehammer to kill this fly.

  3. What do you do if your domain is being spoofed? Mine is and I get tons of messages from “Postmasters” telling me they couldn’t deliver mail from *alphabetsoup* @ mydomain. I truly resent someone doing this!

  4. To heck with tracking down who actually sent the SPAM. Why not go after the website advertised in the SPAM. I mean duhhhh! The SPAM is all about the website, so you know exactly who the bad guys are. Why not some campaign to go against them directly????

  5. You forgot to mention that because “you can rest assured that 99.9% of the time the domain featured in the “From:” email address will belong to an ISP or other Internet site which has no connection to the spam whatsoever”, it serves no purpose to bounce the spam. It only adds to the traffic the spammers are clogging the net with. The OP says, “If the address isn’t correct, then it isn’t working.” This is true, but the bounce *is* sent – uselessly. Don’t bounce, just delete.

    I would like to ask the OP to give a bit more information about Mailwasher not working with Starband. It should. You can contact the author (Nick Bolton) at, I think.

    Remember, reporting good, bouncing bad!

    Dave Kelsen
