
Cornell University

Identifying the Source of Inappropriate Email and Reporting It

This article applies to: Policy


Identifying the source

The return address on an e-mail message may not be the real source of the e-mail. It's possible that a third party is trying to enlist your unknowing help in mail bombing the supposed sender. The third party first sends you and thousands of other people an annoying message that appears to come from the intended victim, then just sits back and waits for the victim to receive the angry responses. E-mail can be forged, and detecting a forgery can be difficult.

Finding header information

The "envelope" contains important header information. Most e-mail applications hide headers (known as SMTP or trace headers) that help identify the source of the message, but they can be displayed by issuing the appropriate commands. See How to obtain header info from various email clients.

Deciphering headers

Deciphering the headers is not easy, even for experts. Here is a typical e-mail header. Not all headers contain the same information, so you may need to check with your local computer support staff for additional help. The parts most useful to examine are pointed out below.

  1. Return-Path: dork@geeks.com
  2. Received: from server1.geeks.com (SERVER1.GEEKS.COM [111.222.333.444]) by postoffice2.mail.cornell.edu (8.7.5/8.7.3) with ESMTP id JAA28319 for ; Fri, 19 Jul 1996 09:50:30 -0400 (EDT)
  3. Received: (from daemon@localhost) by server1.geeks.com (8.7.5/8.7.3) id JAA01199; Fri, 19 Jul 1996 09:50:29 -0400 (EDT)
  4. Received: from [111.222.333.999] ([111.222.333.999]) by server1.geeks.com (8.7.5/8.7.3) with SMTP id JAA01159 for ; Fri, 19 Jul 1996 09:50:24 -0400 (EDT)
  5. X-Sender: dork@server1.geeks.com
  6. Message-Id:
  7. Mime-Version: 1.0
  8. Content-Type: text/plain; charset="us-ascii"
  9. Date: Fri, 19 Jul 1996 09:50:11 -0400
  10. To: my-netid@cornell.edu
  11. From: dork@geeks.com
  12. Subject: chain mail - pass this on for luck  

To identify the sender, look at lines 1, 4, 5, and 11 in the example above. If they exist, they should contain similar information about the sender's e-mail address. If the information is very different, the message is a possible forgery. The most reliable field for identifying the actual sender is line 5 (X-Sender).

To identify the client computer used to initiate the e-mail, look at line 4 in the header above. The message was sent from a computer with the IP address 111.222.333.999. In some cases, this can be traced to a specific location or person.

To identify the server used to receive and deliver the e-mail, also look at line 4. In this example, the server that received the e-mail and later delivered it to postoffice2.mail.cornell.edu is shown as server1.geeks.com. If you want to complain, use the domain name from line 4 (geeks.com in this example) and follow the instructions below.
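The header walk described above, as an added Python example that is not part of the original article: it splits each Received: line into its "from" host, bracketed IP and "by" host, walks the chain oldest-first (each relay prepends its own line, so the last Received: header is the first hop), reports the originating client IP and the first relay, and compares the domains in Return-Path, X-Sender, From and the first relay the way lines 1, 4, 5 and 11 are compared above. Both messages are constructed: the first mirrors the article's listing with RFC 5737 documentation addresses standing in for 111.222.333.x, and the second is a forged message of the kind the article warns about, whose From: line names geeks.com while the envelope and relay point elsewhere. The registrable_domain helper and its "a site is the last two labels of the host" rule are simplifying assumptions of this example, not something the article specifies.

```python
"""Walk the Received: chain of a raw message and cross-check the sender fields."""
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the article's header listing (documentation
# IPs replace the article's 111.222.333.x values; Message-Id omitted).
SAMPLE_OK = """\
Return-Path: <dork@geeks.com>
Received: from server1.geeks.com (SERVER1.GEEKS.COM [192.0.2.44]) by postoffice2.mail.cornell.edu (8.7.5/8.7.3) with ESMTP id JAA28319 for <my-netid@cornell.edu>; Fri, 19 Jul 1996 09:50:30 -0400 (EDT)
Received: (from daemon@localhost) by server1.geeks.com (8.7.5/8.7.3) id JAA01199; Fri, 19 Jul 1996 09:50:29 -0400 (EDT)
Received: from [198.51.100.99] ([198.51.100.99]) by server1.geeks.com (8.7.5/8.7.3) with SMTP id JAA01159 for <my-netid@cornell.edu>; Fri, 19 Jul 1996 09:50:24 -0400 (EDT)
X-Sender: dork@server1.geeks.com
Date: Fri, 19 Jul 1996 09:50:11 -0400
To: my-netid@cornell.edu
From: dork@geeks.com
Subject: chain mail - pass this on for luck

Pass this on.
"""

# Constructed forgery: From: claims geeks.com, but the envelope sender and the
# first relay belong to a different site (bulk.example is a placeholder).
SAMPLE_FORGED = """\
Return-Path: <bounce-42@bulk.example>
Received: from relay9.bulk.example (relay9.bulk.example [203.0.113.9]) by postoffice2.mail.cornell.edu (8.7.5/8.7.3) with ESMTP id JAA30012 for <my-netid@cornell.edu>; Fri, 19 Jul 1996 10:02:10 -0400 (EDT)
Received: from [203.0.113.77] ([203.0.113.77]) by relay9.bulk.example (8.7.5/8.7.3) with SMTP id JAA00311 for <my-netid@cornell.edu>; Fri, 19 Jul 1996 10:02:04 -0400 (EDT)
Date: Fri, 19 Jul 1996 10:01:55 -0400
To: my-netid@cornell.edu
From: dork@geeks.com
Subject: you will regret this

Angry text that invites replies to the wrong person.
"""

RECEIVED_FROM = re.compile(r"\bfrom\s+([^\s()]+)(?:\s+\(([^)]*)\))?", re.I)
RECEIVED_BY = re.compile(r"\bby\s+(\S+)", re.I)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Extract the 'from' host, its bracketed IP and the 'by' host from one Received: header."""
    value = " ".join(value.split())  # unfold continuation lines
    hop = {"from_host": None, "from_ip": None, "by_host": None}
    m = RECEIVED_FROM.search(value)
    if m:
        hop["from_host"] = m.group(1).strip("[]")
        ip = IPV4.search(m.group(0))  # only look inside the 'from' clause
        if ip:
            hop["from_ip"] = ip.group(1)
    m = RECEIVED_BY.search(value)
    if m:
        hop["by_host"] = m.group(1)
    return hop


def received_chain(msg):
    """Hops oldest-first: each relay prepends its header, so header order is newest-first."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def originating_ip(msg):
    """IP recorded by the earliest hop: the client that injected the message (article line 4)."""
    for hop in received_chain(msg):
        if hop["from_ip"]:
            return hop["from_ip"]
    return None


def first_relay(msg):
    """The 'by' host of the earliest hop: the server that first accepted the message."""
    chain = received_chain(msg)
    return chain[0]["by_host"] if chain else None


def registrable_domain(host_or_addr):
    """Hypothetical 'site' rule: last two labels of the host (ignores public-suffix lists)."""
    host = host_or_addr.rsplit("@", 1)[-1].strip("<>[]").lower()
    return ".".join(host.split(".")[-2:])


def sender_domains(msg):
    """Site named by each field the article compares, plus the first relay."""
    fields = {}
    for name in ("Return-Path", "X-Sender", "From"):
        value = msg.get(name)
        if value:
            fields[name] = registrable_domain(parseaddr(value)[1] or value)
    relay = first_relay(msg)
    if relay:
        fields["first-relay"] = registrable_domain(relay)
    return fields


def analyse(raw):
    """Summarise a raw message: origin IP, first relay, field agreement and where to complain."""
    msg = email.message_from_string(raw)
    domains = sender_domains(msg)
    relay = first_relay(msg)
    return {
        "hops": len(received_chain(msg)),
        "originating_ip": originating_ip(msg),
        "first_relay": relay,
        "domains": domains,
        "consistent": len(set(domains.values())) <= 1,  # mismatch = possible forgery
        "postmaster": f"postmaster@{registrable_domain(relay)}" if relay else None,
    }


if __name__ == "__main__":
    for label, raw in (("ok", SAMPLE_OK), ("forged", SAMPLE_FORGED)):
        print(label, analyse(raw))
```

For the forged sample the report shows From: pointing at geeks.com while Return-Path and the first relay point at bulk.example, so the complaint address the script derives is the relay's postmaster, not the address shown in From:. The regexes are deliberately loose because Received: syntax varies by mail server; treat the result as a starting point for a human reading of the headers, as the article advises.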

In some cases, the message may be sent via an anonymous re-mailer. Mail from a re-mailer is usually identified as such and will often contain a disclaimer about the contents. Sometimes the message will identify an address to complain to. However, these sites rarely take any action and will never disclose the true identity of the sender without a court order. Often they do not know the identity of the sender.

Who can you report the problem to once the source has been identified?

  • Postmaster: Every site is supposed to have a postmaster, though some sites ignore e-mail sent to postmaster. To copy the postmaster, take the sender's e-mail address and replace the sender's user name with "postmaster". For example, if you wanted to complain about e-mail you received from dork@geeks.com, and you have verified that this is the origin by examining the headers (as described above), you would send e-mail to postmaster@geeks.com. If there is no postmaster account set up, the e-mail will bounce back to you. Then try sending to root or admin, for example, root@geeks.com or admin@geeks.com. Keep in mind that the postmaster or system administrator might be the same person you are complaining about, and you may only make the situation worse.
  • Administrative Contact: All Internet sites are supposed to list an official contact person for their domain. Contact this person only for serious incidents. The easiest way to find this person is to go to the InterNIC Registration Services Center and use its search facility to search for the domain name of the sender's site. For example, if the sender was dork@geeks.com, then the domain to search for is geeks.com. Again, keep in mind that the administrative contact might be the same person you are complaining about, and you may not get any resolution.
  • Outside agencies: If a situation is serious, you may get results by reporting the incident to the appropriate outside agency.
    • Law enforcement agencies: These agencies accept reports of illegal activities in their jurisdiction. Cornell University Police: 255-1111; Ithaca Police: 272-3245; NY State Police: 273-4671.
    • Federal Bureau of Investigation: The FBI pursues cases of wire fraud (applicable to the Internet since communications travel over phone lines). However, note that the FBI is mainly interested in "big" cases involving large sums of money (for example, over $10,000) or large numbers of victims (perhaps more than 20).
    • Federal Trade Commission: The FTC deals with consumer protection. It investigates deceptive marketing practices and scams that cross state lines.
    • US Postal Service: The USPS investigates cases of mail fraud, including pyramid schemes and other money-making scams that use the Postal Service to send money via the mail. If you have done business over the Internet and received an item via US Postal Service that wasn't what you paid for, or you shipped an item via US Postal Service and never received payment, this is where you should file a complaint.
    • Better Business Bureau: This is a private organization dedicated to helping consumers. They accept complaints about businesses and try to assist in settling disputes.
    • Software and Information Industry Association: This is an international organization of software companies and developers that pursues software piracy. They accept reports of sites offering pirated software. You can also report if software you developed has been pirated.
    • Recording Industry Association of America: This is a private, not-for-profit corporation whose member companies produce, manufacture, and distribute approximately 90% of all legitimately recorded music in the US. You can get more information on their web site, or you can report sound recording piracy by calling 1-800-BAD-BEAT or sending e-mail to BADBEAT@RIAA.COM.

Preparing the complaint or report

  • Include a brief, concise description of the problem, and be sure to identify yourself.
  • Include copies of any communication that is relevant, including all header information.
  • Send only one message. Remember that mail bombing is a violation of Cornell policy.
  • Be polite and do not threaten.
  • Do not blame the site administrator because one of their users misbehaves.
  • Do not assume that the incident was intentional or malicious. E-mail is easily misdirected due to typos.
  • Do not expect an immediate response. Some sites, like AOL, get lots of e-mail.
