Analysing the mail headers to find out where mails are delayed

Summary

The Received: headers record when the email was on which server. Use this information to find out where an internet message was delayed.

Mail dissection

Every email consists of a body, which the users read, and mail headers, which carry information about the mail itself. In the mail headers you can find who sent the mail and when, who gets a copy of it, and so on.

Every mail client provides a way to view the headers of a mail. Look for options like "View -> Message Source", "Show original" or "View full headers" to get access to all mail headers.

Understanding the Received: headers

On its way to its destination, a mail passes through several servers. Each server adds at the beginning of the mail headers a Received: header stating from which server the mail was received, i.e. the name of the previous server. Note that more recent headers are closer to the top of the mail.

Now view all the headers that the suspicious mail contains and concentrate on the Received: ones. Among them find Received: from ... by mailgate.rz.uni-karlsruhe.de with smtp ... . This header indicates the time when the mail passed greylisting. Now look at the time in the preceding header (in the direction of the mail's bottom). In most cases the interval between the two is the time lost getting past greylisting. By checking the times in the headers below that, you will learn whether the mail was delayed before it arrived for greylisting. The time between the headers Received: from mailgate.rz.uni-karlsruhe.de and Received: ... by test.aegee.org is spent within aegeeserv. Mail headers added afterwards (closer to the top of the mail) indicate delays after the mail left the server.

Sample Mails

These are extracts from real mails, in which the original recipient address is masked with dots.

First Sample Mail Headers

Received: from test.aegee.org ([unix socket])
    by mail.aegee.org (Cyrus v2.3.8) with LMTPA;
    Sat, 24 Mar 2007 08:45:36 +0000
Received: from aegeeserv (test.aegee.org [129.13.131.83])
    by test.aegee.org (8.13.8/8.13.6) with ESMTP id l2O1nVFl003114;
    Sat, 24 Mar 2007 08:45:29 GMT
Received: by LISTS.AEGEE.ORG (LISTSERV-TCP/IP release 15.0) with spool id
    6501698 for ...; Sat, 24 Mar 2007 08:45:29 +0000
Received: from mailgate.rz.uni-karlsruhe.de (mailgate.rz.uni-karlsruhe.de
    [129.13.185.235]) by AEGEEserv.aegee.org (8.13.8/8.13.6) with ESMTP
    id l2O8jNom002903 for ...; Sat, 24 Mar 2007 08:45:23 GMT
Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.234])
    by mailgate.rz.uni-karlsruhe.de with esmtp (Exim 4.43 #1) id
    1HV1sF-0000to-KP for ...; Sat, 24 Mar 2007 09:45:19 +0100
Received: by wr-out-0506.google.com with SMTP id 69so1099905wra for ...; Sat, 24 Mar 2007 01:45:18 -0700 (PDT)
Received: by 10.114.60.19 with SMTP id i19mr754361waa.1174593725445; Thu, 22 Mar 2007 13:02:05 -0700 (PDT)
Received: by 10.115.91.13 with HTTP; Thu, 22 Mar 2007 13:02:05 -0700 (PDT)

Here you see that the communication between the servers 10.114.60.19 and wr-out-0506.google.com was delayed by two days. These headers are below Received: ... by mailgate.rz.uni-karlsruhe.de, so the delay occurred before greylisting was applied.
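The comparison described in "Understanding the Received: headers" can be automated. The following Python script is an added example and not part of the original article: it unfolds the Received: headers, converts every timestamp (including zone names such as GMT and comments such as "(PDT)") to a common clock, reports how many seconds each hop took, and picks out the time lost at the greylisting gateway. The gateway hostname is the one from the article; the embedded input is the first sample mail's headers, copied from above.

```python
"""Locate the slowest hop in a mail's Received: chain (added example)."""
import email
from email.utils import parsedate_to_datetime

# Constructed input: the first sample mail's Received: headers from this page.
SAMPLE_HEADERS = """\
Received: from test.aegee.org ([unix socket])
    by mail.aegee.org (Cyrus v2.3.8) with LMTPA;
    Sat, 24 Mar 2007 08:45:36 +0000
Received: from aegeeserv (test.aegee.org [129.13.131.83])
    by test.aegee.org (8.13.8/8.13.6) with ESMTP id l2O1nVFl003114;
    Sat, 24 Mar 2007 08:45:29 GMT
Received: by LISTS.AEGEE.ORG (LISTSERV-TCP/IP release 15.0) with spool id
    6501698 for ...; Sat, 24 Mar 2007 08:45:29 +0000
Received: from mailgate.rz.uni-karlsruhe.de (mailgate.rz.uni-karlsruhe.de
    [129.13.185.235]) by AEGEEserv.aegee.org (8.13.8/8.13.6) with ESMTP
    id l2O8jNom002903 for ...; Sat, 24 Mar 2007 08:45:23 GMT
Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.234])
    by mailgate.rz.uni-karlsruhe.de with esmtp (Exim 4.43 #1) id
    1HV1sF-0000to-KP for ...; Sat, 24 Mar 2007 09:45:19 +0100
Received: by wr-out-0506.google.com with SMTP id 69so1099905wra for ...; Sat, 24 Mar 2007 01:45:18 -0700 (PDT)
Received: by 10.114.60.19 with SMTP id i19mr754361waa.1174593725445; Thu, 22 Mar 2007 13:02:05 -0700 (PDT)
Received: by 10.115.91.13 with HTTP; Thu, 22 Mar 2007 13:02:05 -0700 (PDT)
"""

def received_chain(raw_headers):
    """(hop description, timestamp) per Received: header, oldest hop first."""
    msg = email.message_from_string(raw_headers)  # unfolds continuation lines
    chain = []
    for value in msg.get_all("Received", []):
        hop, _, date = value.rpartition(";")  # RFC 5322: date-time after last ';'
        chain.append((" ".join(hop.split()), parsedate_to_datetime(date.strip())))
    chain.reverse()  # each server prepends its header, so the last is the oldest
    return chain

def hop_delays(raw_headers):
    """(previous hop, hop, seconds elapsed) for each hop, oldest first."""
    chain = received_chain(raw_headers)
    return [(a, b, int((tb - ta).total_seconds()))
            for (a, ta), (b, tb) in zip(chain, chain[1:])]

def slowest_hop(raw_headers):
    return max(hop_delays(raw_headers), key=lambda d: d[2])

def greylisting_delay(raw_headers, gateway="mailgate.rz.uni-karlsruhe.de"):
    """Seconds before the 'by <gateway>' header was added: the greylisting time."""
    for _, hop, seconds in hop_delays(raw_headers):
        if f"by {gateway} " in hop:
            return seconds
    return None
```

For the first sample the slowest hop is the one ending at wr-out-0506.google.com (about 36.7 hours), while the greylisting hop cost only one second; the same functions applied to the second sample's headers would attribute the delay to greylisting instead.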

Second Sample Mail Headers


Received: from test.aegee.org ([unix socket])
     by mail.aegee.org (Cyrus v2.3.7) with LMTPA;
     Sun, 29 Oct 2006 23:03:45 +0000
Received: from aegeeserv (test.aegee.org [129.13.131.83])
    by test.aegee.org (8.13.8/8.13.6) with ESMTP id k9TIQlSU007195;
    Sun, 29 Oct 2006 23:03:44 GMT
Received: by LISTS.AEGEE.ORG (LISTSERV-TCP/IP release 14.5) with spool id
    5146374 for ...; Sun, 29 Oct 2006 23:03:44 +0000
Received: from mailgate.rz.uni-karlsruhe.de (mailgate.rz.uni-karlsruhe.de
    [129.13.185.235]) by AEGEEserv.aegee.org (8.13.8/8.13.6) with ESMTP
    id k9TMrRS2028128 for ...; Sun, 29 Oct 2006 22:53:27 GMT
Received: from villa-kuip.kabel.utwente.nl (villa-kuip.kabel.utwente.nl
    [130.89.195.54]) by mailgate.rz.uni-karlsruhe.de with esmtp (Exim
    4.43 #1) id 1GeJWv-0007Fx-GL for ...; Sun, 29 Oct 2006 23:53:25 +0100
Received: from [192.168.48.128] (willempie.wim.kuipnet.void [192.168.48.128])
    by villa-kuip.kabel.utwente.nl (8.13.7/8.13.7) with ESMTP id
    k9TMHqO0015358 for ...; Sun, 29 Oct 2006 23:17:52 +0100

Here the delay is seen between the header containing by mailgate.rz.uni-karlsruhe.de and the header immediately preceding it. This indicates a delay caused by greylisting.


Written in April 2007 by Дилян Палаузов