Email as Text
Viewing Headers and Full
(Original or Raw) Content
John Copeland
Georgia Tech ECE 6612
Jan. 28, 2015
To see the raw email & headers in Zimbra Mail, right-click the listing.
Then, click “Show Original”
to see the email headers
Return-Path: ljyoules@btinternet.com
Received: from mail8.gatech.edu (LHLO mail8.gatech.edu) (130.207.185.168) by mail1.gatech.edu with LMTP; Sun, 10 Feb 2013 11:26:02 -0500
(EST) Received: from deliverator3.gatech.edu (deliverator3.gatech.edu [130.207.165.163]) by mail8.gatech.edu (Postfix) with ESMTP id
3D2CE84067F for <jc110@mail.ecc.gatech.edu>; Sun, 10 Feb 2013 11:26:02 -0500 (EST)
Received: from deliverator3.gatech.edu (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id EB078DECA83 for <jcopeland@ece.gatech.edu>;
Sun, 10 Feb 2013 11:26:01 -0500 (EST)
Received: from nm11.bullet.mail.ird.yahoo.com (nm11.bullet.mail.ird.yahoo.com [77.238.189.64]) by deliverator3.gatech.edu (Postfix) with SMTP id
40389DECA77 for <jcopeland@ece.gatech.edu>; Sun, 10 Feb 2013 11:26:00 -0500 (EST)
What to look for in the raw (“Original”) email
Last “Received:” header shows originator IP and time:
Received: from [127.0.0.1] by smtp105.mail.ird.yahoo.com;
10 Feb 2013 16:25:59 -0000
“Return-Path:” shows the full sender’s email address:
Return-Path: ljyoules@btinternet.com
HTML links embedded in message are revealed:
http://imgc2012.cucei.udg.mx/sites/default/files/clientdisabled/
{ “.mx” is the Mexico domain registry}
Zimbra: Sending email in Plain-Text Format
4
Outlook - to see the raw email message
To view the HTML source code of messages created or received by Outlook
Express, follow these steps:
1. Click the message whose source code you want to view.
2. Press CTRL+F2. This opens Notepad with the HTML portion of the
message displayed. The header information is not displayed.
To see the entire message source code (including the headers):
1. Click the message whose source code you want to view, and then click
Properties on the File menu.
2. On the Details tab, click Message Source. You can resize or maximize
the window to see more of the information. The content you see is the exact
information sent by the originator and is viewable only in the code page in
which it was created.
The ASCII (American Standard Code for Information Interchange) character
set defines a mapping of the letters, numerals, and specified punctuation and
control characters to the numbers from zero to 127. The term "code page" is
used to refer to extensions of the ASCII character set that also map specified
symbols to the numbers from 128 through 255.
http://email.about.com/od/outlooktips/qt/How_to_View_the_Complete_Message_Source_in_Outlook.htm
5
Apple “Mail” - to see the raw email message
To see all raw text:
View > Message > Raw Source
To save raw text:
File > Save As
On drop-down menu “Raw Message Source”
To forward a message in a raw form, for investigation:
Message > Forward as Attachment
For GT received email, send to:
<phishing@gatech.edu>
6
Eudora - to see the raw email message
Click
Blah Blah
7
Return-Path: noreply@netspend.com
Received: from mail3.gatech.edu (LHLO mail3.gatech.edu) (130.207.185.163) by
mail1.gatech.edu with LMTP; Wed, 3 Feb 2010 10:45:37 -0500 (EST)
...
Received: from watroma-mail.watroma.de (watroma-mail.watroma.de [217.91.166.173])
by mail.ece.gatech.edu (8.14.0/8.13.7) with ESMTP id o13FjUBc027007;
Wed, 3 Feb 2010 10:45:31 -0500 (EST)
Received: from User ([71.245.92.36]) by watroma-mail.watroma.de with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 3 Feb 2010 16:43:25 +0100
From: "NetSpend"<noreply@netspend.com>
Subject: Notice - Account Verification #82803-J4
Date: Wed, 3 Feb 2010 10:45:24 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251”
Content-Transfer-Encoding: 7bit
To: undisclosed-recipients:;
Email origin: .de = Germany
<x-html><!x-stuff-for-pete base="" src="" id="0" charset="Windows-1251"><html>
<div align="left"><BR>
<font face="arial" size="2"><b>Dear customer,</b><br><br>
Our records show that your online session has been locked due to the<BR>
following reason.<BR><br>
1. Log on attempts with invalid information.<br><BR>
2. Inadequate update on your cc online account.<br><br>
We urge you to restore your NetSpend online account immediately to avoid final shut down of your account.<br>
Click the link below to restore your NetSpend online account:<BR><BR></font>
<a href="http://p5098c5ca.dip0.t-ipconnect.de/netspend/">
Online Account</a></font><br>
<BR><BR> <b>© 2010 NetSpend. All rights reserved.</b>
</html>
</x-html>
Click -> .de = Germany
8
What Lies Below (dun-ump dun-ump …)
Date: Tue, 14 Feb 2012 08:31:12 -0800 (PST)
From: Chancellor Old <nochance@fireworks.com>
To: copeland@ece.gatech.edu
Subject: In case you missed it
Hi Copeland,
In case our last email got lost in the shuffle, here's another link to our article on Internet
security for small business.
Click here to view ‘What Your Business Needs to Know about Internet Security.’
If you have questions, please• click here to contact us by filling out a short form, and we'll
get back to you right away.
Chancellor W. Old
If you do not wish to receive email, please Unsubscribe
-----------Net Bug - a one-pixel by one-pixel image, with 120 bytes encoded in the file name
<img src='http://tool.kutenda.com/support/emailOpen.php?b3BlbnNjb3JlLzW1lL0V
kdWNhdGlvbmFsIERvd25sb2FkX-100 bytes-RhdGEgUHJvdGVj width='1' height='1'
border=0>
<a href='http://unsubscribe.tendmail.com/unsubscribe_auto.php?Y2FtcW1lL0…NhdGlvE
d25sb2FkX0RhdGEgUHJvdGVjdGlvbl9CRFJfU3R-200 bytes-LmNvbS8vdGVtcC8x'
target='_blank'>Unsubscribe</a>
Both send Encoded data + OS + Browser type & version.
9
If your email program is configured to send messages as
“plain text”, then you can display a PGP or GnuPG
encrypted and/or signed file in a text editor (e.g., Notepad
or Wordpad, but not Word), and “Copy” and “Paste” it into
the email program.
-----BEGIN PGP MESSAGE----Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0
hQEMA7wpEgSnbglrAQgAvkUKPY8fUkMh4v01Twdkbh7ip3zH3TmADls6QVAB3TGS
9QXm154gJC74bkvOu18RDYJfd6rYdmq/eJIbm+9apAw+82IMhP1YaXI752U5TCTu
rN+ZDSVmKILArUjC4uVI3lTebytwaC7D2jUoMbwI/Oo665vwyF+P3W8yNCtjSmwk
xaQBXqabTvvWrjj49jpw5byzRKraQfvYIrODlR7IK6Rlr6H8TZlE+7QPATfOZG3f
npCCvPWg3Ns+GsHf0ixZCkyXH7pi0VQ5X8cNHHYVO80LZvGjTnE1Xhmw5ELZR4+y
kLwd7HFVwBkelt0gZ9yj3cLUfXvKDXOgdnAp1G3S+NLqAZoAhqOLpOGlztBDekyo
lJx7BSS6kAIHYEQs1VMdaB7R9Pza1Vbg0DD2KhF99k60S9cnErcGG4xe219lufVJ
zj2q8C3Yh9i7mug9zoZ4s0VCuCmLP3bm7o6aOsiQO4Z+VhMr2eC3GxTyTYt2hj3q
6cw9PxPN/hK3jiwUCHWO
=A3nm
-----END PGP MESSAGE-----
10