How can I find out where an email really came from?

Just because an email shows up in your inbox labelled as coming from bill.smith@somehost.com doesn't mean Bill actually had anything to do with it. Read on as we explore how to dig in and see where a suspicious email really came from.

Today's Question & Answer session comes to us courtesy of SuperUser, a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader Sirwan wants to know how to find out where an email really came from:

How can I know where an Email really came from? Is there any way to find it out? I have heard about email headers, but I don't know where I can see email headers, for example in Gmail.

Let's take a look at those headers.

The Answer

SuperUser contributor Tomas offers a very detailed and insightful response:

See an example of a scam that has been sent to me, pretending it is from my friend, claiming she has been robbed and asking me for financial aid. I have changed the names — suppose that I am Bill, the scammer has sent an email to [email protected], pretending he is [email protected]. Note that Bill has a forward set up to [email protected].

First, in Gmail, use show original:


Then, the full email and its headers will open:

Delivered-To: [email protected]
Received: by 10.64.21.33 with SMTP id s1csp177937iee; Mon, 8 Jul 2013 04:11:00 -0700 (PDT)
X-Received: by 10.14.47.73 with SMTP id s49mr24756966eeb.71.1373281860071; Mon, 08 Jul 2013 04:11:00 -0700 (PDT)
Return-Path: <[email protected]>
Received: from maxipes.logix.cz (maxipes.logix.cz. [2a01:348:0:6:5d59:50c3:0:b0b1]) by mx.google.com with ESMTPS id j47si6975462eeg.108.2013.07.08.04.10.59 for <[email protected]> (version=TLSv1 cipher=RC4-SHA bits=128/128); Mon, 08 Jul 2013 04:11:00 -0700 (PDT)
Received-SPF: neutral (google.com: 2a01:348:0:6:5d59:50c3:0:b0b1 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=2a01:348:0:6:5d59:50c3:0:b0b1;
Authentication-Results: mx.google.com; spf=neutral (google.com: 2a01:348:0:6:5d59:50c3:0:b0b1 is neither permitted nor denied by best guess record for domain of [email protected]) **[email protected]
Received: by maxipes.logix.cz (Postfix, from userid 604) id C923E5D3A45; Mon, 8 Jul 2013 23:10:50 +1200 (NZST)
X-Original-To: [email protected]
X-Greylist: delayed 00:06:34 by SQLgrey-1.8.0-rc1
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64]) by maxipes.logix.cz (Postfix) with ESMTP id B43175D3A44 for <[email protected]>; Mon, 8 Jul 2013 23:10:48 +1200 (NZST)
Received: from [168.62.170.129] (helo=laurence39) by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <[email protected]>) id 1Uw98w-0006KI-6y for [email protected]; Mon, 08 Jul 2013 06:58:06 -0400
From: "Alice" <[email protected]>
Subject: Terrible Travel Issue.....Kindly reply ASAP
To: [email protected]
Content-Type: multipart/alternative; boundary="jtkoS2PA6LIOS7nZ3bDeIHwhuXF=_9jxn70"
MIME-Version: 1.0
Reply-To: [email protected]
Date: Mon, 8 Jul 2013 10:58:06 +0000
Message-ID: <E1Uw98w-0006KI-6y@elasmtp-curtail.atl.sa.earthlink.net>
X-ELNK-Trace: 52111ec6c5e88d9189cb21dbd10cbf767e972de0d01da940e632614284761929eac30959a519613a350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 168.62.170.129
[... I have cut the email body ...]

The headers are to be read chronologically from bottom to top — oldest are at the bottom. Every new server on the way will add its own message — starting with Received. For example:

Received: from maxipes.logix.cz (maxipes.logix.cz. [2a01:348:0:6:5d59:50c3:0:b0b1]) by mx.google.com with ESMTPS id j47si6975462eeg.108.2013.07.08.04.10.59 for <[email protected]> (version=TLSv1 cipher=RC4-SHA bits=128/128); Mon, 08 Jul 2013 04:11:00 -0700 (PDT)

This says that mx.google.com has received the mail from maxipes.logix.cz at Mon, 08 Jul 2013 04:11:00 -0700 (PDT).

Now, to find the real sender of your email, your goal is to find the last trusted gateway — last when reading the headers from the top, i.e. first in chronological order. Let's start by finding Bill's mail server. For this, you query the MX record for the domain. You can use some online tools, or on Linux you can query it on the command line (note the real domain name was changed to domain.com):

~$ host -t MX domain.com
domain.com MX 10 broucek.logix.cz
domain.com MX 5 maxipes.logix.cz

So you see the mail server for domain.com is maxipes.logix.cz or broucek.logix.cz. Hence, the last (first chronologically) trusted “hop” — or last trusted “Received record” or whatever you call it — is this one:

Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64]) by maxipes.logix.cz (Postfix) with ESMTP id B43175D3A44 for <[email protected]>; Mon, 8 Jul 2013 23:10:48 +1200 (NZST)

You can trust this because this was recorded by Bill’s mail server for domain.com. This server got it from 209.86.89.64. This could be, and very often is, the real sender of the email — in this case the scammer! You can check this IP on a blacklist. — See, he is listed in 3 blacklists! There is yet another record below it:

Received: from [168.62.170.129] (helo=laurence39) by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <[email protected]>) id 1Uw98w-0006KI-6y for [email protected]; Mon, 08 Jul 2013 06:58:06 -0400

but you cannot actually trust this, because that could just be added by the scammer to wipe out his traces and/or lay a false trail. Of course there is still the possibility that the server 209.86.89.64 is innocent and only acted as a relay for the real attacker at 168.62.170.129, but then the relay is often considered to be guilty and is very often blacklisted. In this case, 168.62.170.129 is clean, so we can be almost sure the attack was done from 209.86.89.64.

And of course, as we know that Alice uses Yahoo! and elasmtp-curtail.atl.sa.earthlink.net isn't on the Yahoo! network (you may want to re-check its IP Whois information), we may safely conclude that this email was not from Alice, and that we should not send her any money for her claimed vacation in the Philippines.
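The procedure Tomas describes (read the Received: chain newest-first, take the MX hosts of the recipient domain as the trusted servers, and stop at the first hop a trusted server accepted from outside) can be automated. The following is an added example written for this page, not code from the SuperUser answer or from any project; it uses only the Python standard library. The header block is a constructed sample built from the headers quoted above, with the obfuscated addresses replaced by placeholder ones; the trusted set is hard-coded from the `host -t MX domain.com` output rather than looked up live, so the script runs offline.

```python
"""Walk an email's Received: chain and find the last trusted hand-over.

Added example for this page (not the SuperUser answer's own code).
Assumptions: the header block below is a constructed sample, and TRUSTED
is what you would fill in from your own MX lookup for the recipient domain.
"""
import re
from email import message_from_string

# Constructed sample: the headers quoted in the answer, folded the way a
# mail server writes them; addresses are placeholders, hosts/IPs are the
# ones the answer shows.
RAW = """\
Delivered-To: bill@gmail.example
Received: by 10.64.21.33 with SMTP id s1csp177937iee;
        Mon, 8 Jul 2013 04:11:00 -0700 (PDT)
Return-Path: <alice@yahoo.example>
Received: from maxipes.logix.cz (maxipes.logix.cz. [2a01:348:0:6:5d59:50c3:0:b0b1])
        by mx.google.com with ESMTPS id j47si6975462eeg.108.2013.07.08.04.10.59
        for <bill@gmail.example>; Mon, 08 Jul 2013 04:11:00 -0700 (PDT)
Received: by maxipes.logix.cz (Postfix, from userid 604) id C923E5D3A45;
        Mon, 8 Jul 2013 23:10:50 +1200 (NZST)
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64])
        by maxipes.logix.cz (Postfix) with ESMTP id B43175D3A44
        for <bill@domain.com>; Mon, 8 Jul 2013 23:10:48 +1200 (NZST)
Received: from [168.62.170.129] (helo=laurence39)
        by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67)
        (envelope-from <alice@yahoo.example>) id 1Uw98w-0006KI-6y
        for bill@domain.com; Mon, 08 Jul 2013 06:58:06 -0400
From: "Alice" <alice@yahoo.example>
Subject: Terrible Travel Issue.....Kindly reply ASAP
Reply-To: alice@yahoo.example

(body omitted)
"""

# Hosts whose Received: lines we believe: the recipient domain's MX hosts
# (from `host -t MX domain.com` in the answer) plus the forwarding target's
# inbound server. Constructed for this example; derive yours from your MX lookup.
TRUSTED = {"mx.google.com", "maxipes.logix.cz", "broucek.logix.cz"}

# "from <name> (<what the receiving server observed>) by <receiver>"
HOP_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)"            # name the client announced, or an address literal
    r"(?:\s+\((?P<observed>[^)]*)\))?"   # the receiver's own note: reverse DNS and [ip]
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_hops(raw):
    """Return the Received: hops newest-first, the order they appear in the header block."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())   # unfold the header onto one line
        m = HOP_RE.search(flat)
        if not m:
            continue                     # internal hop without "from ... by", e.g. "by 10.64.21.33 with SMTP"
        observed = (m["observed"] or "").split()
        # Reverse-DNS name written by the receiver; a "helo=" note is the client's claim, not rDNS.
        rdns = observed[0].rstrip(".") if observed and not observed[0].startswith("helo=") else ""
        ip = IP_RE.search(f"{m['helo']} {m['observed'] or ''}")
        hops.append({
            "helo": m["helo"].strip("[]"),   # self-declared by the sender; never used for trust
            "rdns": rdns,                     # recorded by the receiving server
            "ip": ip.group(1) if ip else None,
            "by": m["by"].rstrip(";"),
        })
    return hops


def origin_candidate(raw, trusted):
    """Stop at the first hop a trusted server received from outside the trusted set.

    Every Received: line below that one was written by hosts we cannot vouch for,
    so it may be forged or may only describe an innocent relay.
    """
    trusted = {h.lower() for h in trusted}
    for hop in parse_hops(raw):
        if hop["by"].lower() not in trusted:
            return None      # chain left trusted territory with no clear hand-over
        if hop["rdns"].lower() not in trusted:
            return hop       # the last trusted server got the mail from here
    return None


if __name__ == "__main__":
    for hop in parse_hops(RAW):
        print(f"{hop['by']:40s} <- {hop['rdns'] or hop['helo']} [{hop['ip']}]")
    hit = origin_candidate(RAW, TRUSTED)
    print("origin candidate:", hit["ip"] if hit else "none (chain not trustworthy)")
```

On the sample this stops at the hop maxipes.logix.cz accepted from 209.86.89.64 and does not descend to the 168.62.170.129 line, matching the answer's reasoning; the trust decision deliberately uses only the reverse-DNS name the receiving server recorded, because the HELO name is chosen by the connecting client. Shrinking TRUSTED to just mx.google.com moves the stopping point up one hop, which is a useful reminder that the result is only as good as the list of servers you actually verified.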

Two other contributors, Ex Umbris and Vijay, recommend the following services for help decoding email headers: SpamCop and Google's message header analysis tool, respectively.


Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.

  • Published 2021-04-11 17:24
  • Reads ( 188 )
  • Category: Internet
