Board index » delphi » email headers

email headers

I notice that (in the spams I receive) there are:
X-From, X-To and several other lines beginning X-. Are these rubbish
inserted by spammers or are they valid alternatives to From, To and CC as in
normal emails?


Rhys Sage.

Thought of the day:
"Work saves us from three great evils -
vice, boredom and need"


(Team Zip)


Re:email headers

In article <>, Rhys Sage wrote:
> I notice that (in the spams I receive) there are:
> X-From, X-To and several other lines beginning X-. Are these rubbish
> inserted by spammers or are they valid alternatives to From, To and CC as in
> normal emails?

AFAIK, all lines in the header starting by "X-" are "user-defined". There exist /some/
collaboration with regard to some of the "X-"-lines, but that is all.

E.g. when I look at the headers of *your* message I get the following "X-" lines:

  X-Priority: 3
  X-MSMail-Priority: Normal
  X-Newsreader: Microsoft Outlook Express 5.50.4807.1700
  X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
  X-Trace: 1053532874 (21 May 2003 09:01:14 -0700)
  X-VA-Origin: Borland:borland/public.delphi.internet.winsock

I presume that at least the last line ("X-VA-Origin") is inserted by *my* newsreader,
as I am using 'Virtual Access'. The "X-MSMail-Priority", "X-Newsreader" and "X-MimeOLE"
lines are propably added by your own newsreader ("X-Priority" too?).

Regards, Ren

Re:email headers

Digging around, I discovered the appended text. I don't know how accurate it
is though.

Basically, I'm writing an email header cleaner. It downloads the email
headers only (not the poo that follows) and checks the headers to see which
are likely to be spam. Any that get through the header analysis stage are
quite likely to be genuine. There shouldn't be any false positives and most
spams should be caught.

My plan is thus:

check to see if the email has been correctly addressed to the recipient
(some ISPs offer multiple-user accounts subject to dictionary attacks).
check to see if the email comes from a whitelist sender. if it does - no
more checking
check to see whether the subject line contains:
    1. blocks of meaningless letters
    2. blocks of numbers
    3. "adv"
    4. repeated symbols - ie too many dashes as some spammers send emails
with lines such as p-r-e t-e-e-n b-a-b-e-s etc.
    5. An 're' that does not match the subject lines of emails in the
Outlook Express sent mail folder. (It's open-source so if anybody wants to
add bits they can).
    6. banned words such as 'viagra', 'debt' etc.
check to see whether the receiving email address when broken into component
parts recurs as some spammers try to break the address up.
check to see if the sender's email address matches the origin IP address.
Check to see if the I/P addresses are listed in the spammer ISP list.
    this will also have a section that checks each IP address for dns, rdns
and pings it.
A few other checks will also be used. Any email that fails any test will be
deleted automatically and the originating IP numbers recorded. Sure it'll
end up with lots of open relays being blocked but... that doesn't matter if
your pals are on the whitelist (if they use that ISP).

List of Common Headers
? Apparently-To: Messages with many recipients sometimes have a long list of
headers of the form "Apparently-To:" (one line per
recipient). These headers are unusual in legitimate mail; they are normally
a sign of a mailing list, and in recent times mailing lists have generally
used software sophisticated enough not to generate a giant pile of headers.
? Bcc: (stands for "Blind Carbon Copy") If you see this header on incoming
mail, something is wrong. It's used like Cc: (see below), but does not
appear in the headers. The idea is to be able to send copies of email to
persons who might not want to receive replies or to appear in the headers.
Blind carbon copies are popular with spammers, since it confuses many
inexperienced users to get email that doesn't appear to be addressed to
? Cc: (stands for "Carbon Copy", which is meaningful if you remember
typewriters) This header is sort of an extension of "To:"; it specifies
additional recipients. The difference between "To:" and "Cc:" is essentially
connotative; some mailers also deal with them differently in generating
? Comments: This is a nonstandard, free-form header field. It's most
commonly seen in the form "Comments: Authenticated sender is
<>". A header like this is added by some mailers
(notably the popular freeware program Pegasus) to identify the sender;
however, it is often added by hand (with false information) by spammers as
well. Treat with caution.
? Content-Transfer-Encoding: This header relates to MIME, a standard way of
enclosing non-text content in email. It has no direct relevance to the
delivery of mail, but it affects how MIME-compliant mail programs interpret
the content of the message.
? Content-Type: Another MIME header, telling MIME-compliant mail programs
what type of content to expect in the message.
? Date: This header does exactly what you'd expect: It specifies a date,
normally the date the message was composed and sent. If this header is
omitted by the sender's computer, it might conceivably be added by a mail
server or even by some other machine along the route. It shouldn't be
treated as gospel truth; forgeries aside, there are an awful lot of
computers in the world with their clocks set wrong.
? Errors-To: Specifies an address for mailer-generated errors, like "no such
user" bounce messages, to go to (instead of the sender's address). This is
not a particularly common header, as the sender usually wants to receive any
errors at the sending address, which is what most (essentially all) mail
server software does by default.
? From (without colon) This is the "envelope From" discussed above.
? From: (with colon) This is the "message From:" discussed above.
? Message-Id: (also Message-id: or Message-ID:) The Message-Id is a
more-or-less unique identifier assigned to each message, usually by the
first mailserver it encounters. Conventionally, it is of the form
"", where the "gibberish" part could be
absolutely anything and the second part is the name of the machine that
assigned the ID. Sometimes, but not often, the "gibberish" includes the
sender's username. Any email in which the message ID is malformed (e.g., an
empty string or no @ sign), or in which the site in the message ID isn't the
real site of origin, is probably a forgery.
? In-Reply-To: A Usenet header that occasionally appears in mail, the
In-Reply-To: header gives the message ID of some previous message which is
being replied to. It is unusual for this header to appear except in email
directly related to Usenet; spammers have been known to use it, probably in
an attempt to evade filtration programs.
? Mime-Version: (also MIME-Version:) Yet another MIME header, this one just
specifying the version of the MIME protocol that was used by the sender.
Like the other MIME headers, this one is usually eminently ignorable; most
modern mail programs will do the right thing with it.
? Newsgroups: This header only appears in email that is connected with
Usenet---either email copies of Usenet postings, or email replies to
postings. In the first case, it specifies the newsgroup(s) to which the
message was posted; in the second, it specifies the newsgroup(s) in which
the message being replied to was posted. The semantics of this header are
the subject of a low-intensity holy war, which effectively assures that both
sets of semantics will be used indiscriminately for the foreseeable future.
? Organization: A completely free-form header that normally contains the
name of the organization through which the sender of the message has net
access. The sender can generally control this header, and silly entries like
"Royal Society for Putting Things on Top of Other Things" are commonplace.
? Priority: An essentially free-form header that assigns a priority to the
mail. Most software ignores it. It is often used by spammers, usually in the
form "Priority: urgent" (or something similar), in an attempt to get their
messages read.
? Received: Discussed in detail above.
? References: The References: header is rare in email except for copies of
Usenet postings. Its use on Usenet is to identify the "upstream" posts to
which a message is a response; when it appears in email, it's usually just a
copy of a Usenet header. It may also appear in email responses to Usenet
postings, giving the message ID of the post being responded to as well as
the references from that post.
? Reply-To: Specifies an address for replies to go to. Though this header
has many legitimate uses (perhaps your software mangles your From: address
and you want replies to go to a correct address), it is also widely used by
spammers to deflect criticism. Occasionally a naive spammer will actually
solicit responses by email and use the Reply-To: header to collect them, but
more often the Reply-To: address in junk email is either invalid or an
innocent victim.
? Sender: This header is unusual in email (X-Sender: is usually used
instead), but appears occasionally, especially in copies of Usenet posts. It
should identify the sender; in the case of Usenet posts, it is a more
reliable identifier than the From: line.
? Subject: A completely free-form field specified by the sender, intended,
of course, to describe the subject of the message.
? To: The "message To: "described above. Note that the To: header need not
contain the recipient's address!
? X-headers is the generic term for headers starting with a capital X and a
hyphen. The convention is that X-headers are nonstandard and provided for
information only, and that, conversely, any nonstandard informative header
should be given a name starting with "X-". This convention is frequently
? X-Confirm-Reading-To: This header requests an automated confirmation
notice when the message is received or read. It is typically ignored;
presumably some software acts on it.
? X-Distribution: In response to problems with spammers using his software,
the author of Pegasus Mail added this header. Any message sent with Pegasus
to a sufficiently large number of recipients has a header added that says
"X-Distribution: bulk". It is explicitly intended as something for
recipients to filter against.
? X-Errors-To: Like Errors-To:, this header specifies an address for errors
to be sent to. It is probably less widely obeyed.
? X-Mailer: (also X-mailer:) A freeform header field intended for the mail
software used by the sender to identify itself (as advertising or whatever).
Since much junk email is sent with mailers invented for the purpose, this
field can provide much useful fodder for filters.
? X-PMFLAGS: This is a header added by Pegasus Mail; its semantics are
nonobvious. It appears in any message sent with Pegasus, so it doesn't
obviously convey any information to the recipient that isn't covered by the
X-Mailer: header.
? X-Priority: Another priority field, used notably by Eudora to assign a
priority (which appears as a graphical notation on the message).
? X-Sender: The usual email analogue to the Sender: header in Usenet news,
this header purportedly identifies the sender with greater reliability than
the From: header. In fact, it is nearly as easy ...

read more »

Other Threads