Email as Text Viewing Headers and Full (Original or Raw) Content John Copeland Georgia Tech ECE 6612 Jan. 28, 2015 To see the raw email & headers in Zimbra Mail, right-click the listing. Then, click “Show Original” to see the email headers Return-Path: ljyoules@btinternet.com Received: from mail8.gatech.edu (LHLO mail8.gatech.edu) (130.207.185.168) by mail1.gatech.edu with LMTP; Sun, 10 Feb 2013 11:26:02 -0500 (EST) Received: from deliverator3.gatech.edu (deliverator3.gatech.edu [130.207.165.163]) by mail8.gatech.edu (Postfix) with ESMTP id 3D2CE84067F for <jc110@mail.ecc.gatech.edu>; Sun, 10 Feb 2013 11:26:02 -0500 (EST) Received: from deliverator3.gatech.edu (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id EB078DECA83 for <jcopeland@ece.gatech.edu>; Sun, 10 Feb 2013 11:26:01 -0500 (EST) Received: from nm11.bullet.mail.ird.yahoo.com (nm11.bullet.mail.ird.yahoo.com [77.238.189.64]) by deliverator3.gatech.edu (Postfix) with SMTP id 40389DECA77 for <jcopeland@ece.gatech.edu>; Sun, 10 Feb 2013 11:26:00 -0500 (EST) What to look for in the raw (“Original”) email Last “Received:” header shows originator IP and time: Received: from [127.0.0.1] by smtp105.mail.ird.yahoo.com; 10 Feb 2013 16:25:59 -0000 “Return-Path:” shows the full sender’s email address: Return-Path: ljyoules@btinternet.com HTML links embedded in message are revealed: http://imgc2012.cucei.udg.mx/sites/default/files/clientdisabled/ { “.mx” is the Mexico domain registry} Zimbra: Sending email in Plain-Text Format 4 Outlook - to see the raw email message To view the HTML source code of messages created or received by Outlook Express, follow these steps: 1. Click the message whose source code you want to view. 2. Press CTRL+F2. This opens Notepad with the HTML portion of the message displayed. The header information is not displayed. To see the entire message source code (including the headers): 1. Click the message whose source code you want to view, and then click Properties on the File menu. 2. On the Details tab, click Message Source. You can resize or maximize the window to see more of the information. The content you see is the exact information sent by the originator and is viewable only in the code page in which it was created. The ASCII (American Standard Code for Information Interchange) character set defines a mapping of the letters, numerals, and specified punctuation and control characters to the numbers from zero to 127. The term "code page" is used to refer to extensions of the ASCII character set that also map specified symbols to the numbers from 128 through 255. http://email.about.com/od/outlooktips/qt/How_to_View_the_Complete_Message_Source_in_Outlook.htm 5 Apple “Mail” - to see the raw email message To see all raw text: View > Message > Raw Source To save raw text: File > Save As On drop-down menu “Raw Message Source” To forward a message in a raw form, for investigation: Message > Forward as Attachment For GT received email, send to: <phishing@gatech.edu> 6 Eudora - to see the raw email message Click Blah Blah 7 Return-Path: noreply@netspend.com Received: from mail3.gatech.edu (LHLO mail3.gatech.edu) (130.207.185.163) by mail1.gatech.edu with LMTP; Wed, 3 Feb 2010 10:45:37 -0500 (EST) ... Received: from watroma-mail.watroma.de (watroma-mail.watroma.de [217.91.166.173]) by mail.ece.gatech.edu (8.14.0/8.13.7) with ESMTP id o13FjUBc027007; Wed, 3 Feb 2010 10:45:31 -0500 (EST) Received: from User ([71.245.92.36]) by watroma-mail.watroma.de with Microsoft SMTPSVC(6.0.3790.3959); Wed, 3 Feb 2010 16:43:25 +0100 From: "NetSpend"<noreply@netspend.com> Subject: Notice - Account Verification #82803-J4 Date: Wed, 3 Feb 2010 10:45:24 -0500 MIME-Version: 1.0 Content-Type: text/html; charset="Windows-1251” Content-Transfer-Encoding: 7bit To: undisclosed-recipients:; Email origin: .de = Germany <x-html><!x-stuff-for-pete base="" src="" id="0" charset="Windows-1251"><html> <div align="left"><BR> <font face="arial" size="2"><b>Dear customer,</b><br><br> Our records show that your online session has been locked due to the<BR> following reason.<BR><br> 1. Log on attempts with invalid information.<br><BR> 2. Inadequate update on your cc online account.<br><br> We urge you to restore your NetSpend online account immediately to avoid final shut down of your account.<br> Click the link below to restore your NetSpend online account:<BR><BR></font> <a href="http://p5098c5ca.dip0.t-ipconnect.de/netspend/"> Online Account</a></font><br> <BR><BR> <b>© 2010 NetSpend. All rights reserved.</b> </html> </x-html> Click -> .de = Germany 8 What Lies Below (dun-ump dun-ump …) Date: Tue, 14 Feb 2012 08:31:12 -0800 (PST) From: Chancellor Old <nochance@fireworks.com> To: copeland@ece.gatech.edu Subject: In case you missed it Hi Copeland, In case our last email got lost in the shuffle, here's another link to our article on Internet security for small business. Click here to view ‘What Your Business Needs to Know about Internet Security.’ If you have questions, please• click here to contact us by filling out a short form, and we'll get back to you right away. Chancellor W. Old If you do not wish to receive email, please Unsubscribe -----------Net Bug - a one-pixel by one-pixel image, with 120 bytes encoded in the file name <img src='http://tool.kutenda.com/support/emailOpen.php?b3BlbnNjb3JlLzW1lL0V kdWNhdGlvbmFsIERvd25sb2FkX-100 bytes-RhdGEgUHJvdGVj width='1' height='1' border=0> <a href='http://unsubscribe.tendmail.com/unsubscribe_auto.php?Y2FtcW1lL0…NhdGlvE d25sb2FkX0RhdGEgUHJvdGVjdGlvbl9CRFJfU3R-200 bytes-LmNvbS8vdGVtcC8x' target='_blank'>Unsubscribe</a> Both send Encoded data + OS + Browser type & version. 9 If your email program is configured to send messages as “plain text”, then you can display a PGP or GnuPG encrypted and/or signed file in a text editor (e.g., Notepad or Wordpad, but not Word), and “Copy” and “Paste” it into the email program. -----BEGIN PGP MESSAGE----Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0 hQEMA7wpEgSnbglrAQgAvkUKPY8fUkMh4v01Twdkbh7ip3zH3TmADls6QVAB3TGS 9QXm154gJC74bkvOu18RDYJfd6rYdmq/eJIbm+9apAw+82IMhP1YaXI752U5TCTu rN+ZDSVmKILArUjC4uVI3lTebytwaC7D2jUoMbwI/Oo665vwyF+P3W8yNCtjSmwk xaQBXqabTvvWrjj49jpw5byzRKraQfvYIrODlR7IK6Rlr6H8TZlE+7QPATfOZG3f npCCvPWg3Ns+GsHf0ixZCkyXH7pi0VQ5X8cNHHYVO80LZvGjTnE1Xhmw5ELZR4+y kLwd7HFVwBkelt0gZ9yj3cLUfXvKDXOgdnAp1G3S+NLqAZoAhqOLpOGlztBDekyo lJx7BSS6kAIHYEQs1VMdaB7R9Pza1Vbg0DD2KhF99k60S9cnErcGG4xe219lufVJ zj2q8C3Yh9i7mug9zoZ4s0VCuCmLP3bm7o6aOsiQO4Z+VhMr2eC3GxTyTYt2hj3q 6cw9PxPN/hK3jiwUCHWO =A3nm -----END PGP MESSAGE----- 10